BLOG@CACM

Passwords Getting Painful, Computing Still Blissful

The Communications Web site, http://cacm.acm.org, features more than a dozen bloggers in the BLOG@CACM community. In each issue of Communications, we'll publish selected posts or excerpts.


Jason Hong wonders how anyone can follow the mounting complexity of password rules, and Daniel Reed ponders the attractions of computing.
Jason Hong "Password Policies are Getting Out of Control"

http://cacm.acm.org/blogs/blog-cacm/123889-password-policies-are-getting-out-of-control/fulltext
Aug. 23, 2011

Something I learned a long time ago is that one person’s inefficiency is someone else’s bottom line. This simple observation explains a lot of the big problems we are facing worldwide. Rather than getting into a discussion of those thorny political topics, however, I want to use this observation as a starting point for discussing something that plagues us all: password policies.

In fact, I think I have found the most difficult password policy in existence today. It was a U.S. government website, of course. Here were the password policies the site had in place:

Password Rules:

  • Minimum 8 characters;
  • Must contain at least 1 capital letter;
  • Must contain at least 1 lowercase letter;
  • Must contain at least 1 number;
  • Must contain at least 1 special character;
  • Cannot contain consecutive characters (abc or cba);
  • Cannot contain repeating characters (aa, bb, cc);
  • Cannot contain the same character more than twice;
  • Entered password must be different from last 10 passwords used; and
  • Cannot be changed within 24 hours.

It actually took me about a dozen tries to create a password that met all of these criteria and was still something I had a chance of remembering. Here are examples of passwords that failed:

  • My_P@$$w0rd (failed because of repeating characters)
  • !USg0v8 (failed because too short)
  • $tuPidP@55 (failed because repeating characters)

I tried a few randomly generated passwords, guaranteed to be strong, which also failed some required criteria.
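As an added example (not from Jason Hong's post), here is a checker for the ten rules quoted above, run against the three rejected attempts and against uniformly random passwords to show how often generated strong passwords trip the composition rules. Reading "consecutive characters" as a run of three code-point neighbours (abc, cba, 123, 321) is an assumption.

```python
import random
import string

# Added example (not from the post): a validator for the ten-rule policy quoted
# above. Rules 1-8 check the string itself; rules 9-10 need account state, modelled as parameters.

def has_sequential_run(pw: str, length: int = 3) -> bool:
    """True if `length` adjacent chars step by exactly +1 or -1 in code point (assumed reading of rule 6)."""
    for i in range(len(pw) - length + 1):
        codes = [ord(c) for c in pw[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def policy_violations(pw, previous=(), hours_since_change=None):
    """Return the names of the rules the candidate breaks; an empty list means accepted."""
    failed = []
    if len(pw) < 8:
        failed.append("too short")
    if not any(c.isupper() for c in pw):
        failed.append("no capital letter")
    if not any(c.islower() for c in pw):
        failed.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failed.append("no number")
    if not any(c in string.punctuation for c in pw):
        failed.append("no special character")
    if has_sequential_run(pw):
        failed.append("consecutive characters")
    if any(a == b for a, b in zip(pw, pw[1:])):
        failed.append("repeating characters")
    if any(pw.count(c) > 2 for c in set(pw)):
        failed.append("same character more than twice")
    if pw in tuple(previous)[-10:]:
        failed.append("matches one of last 10 passwords")
    if hours_since_change is not None and hours_since_change < 24:
        failed.append("changed within 24 hours")
    return failed

def random_failure_rate(n=1000, length=12, seed=1):
    """Share of uniformly random printable-ASCII passwords the policy rejects (seeded, so repeatable)."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    rejected = 0
    for _ in range(n):
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        rejected += bool(policy_violations(candidate))
    return rejected / n
```

Running `policy_violations` on the post's three attempts returns `["repeating characters"]`, `["too short"]` and `["repeating characters"]`, matching the rejection reasons given above.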

Of course, this password expires after 60 days (on a site that I only need to use every 90 days, no less). And when it did expire, it only took me an extra 15 minutes to figure out who to call to reset the password, plus a 13-minute hold, before my password was finally reset.

Makes one wonder how much real security is actually being offered with such measures, especially given the costs of staffing a helpdesk and the wasted time to end users of having to get their passwords reset.

Why do websites have such stringent password policies?

It all comes back to the opening statement: your inefficiency is someone else’s bottom line. In many organizations, there is an individual whose role is to keep computing systems secure. They are the people who get yelled at when things go wrong and whose job is on the line. In extreme cases, it becomes fully rational behavior to keep increasing security, no matter what the cost is for end users, regardless of whether it is effective or not in practice. (Replace the words "computing systems" with "air travel" and we have a decent explanation for the challenges that TSA faces.)

A 2010 paper by Dinei Florencio and Cormac Herley, two researchers at Microsoft Research, presented an analysis of the password policies of 75 different websites. They found that, almost counterintuitively, "[s]ome of the largest, highest value, and most attacked sites on the Internet such as Paypal, Amazon, and Fidelity Investments allow relatively weak passwords," primarily because these websites earn revenue by having people log in.

In contrast, it was government and university sites that tended to have stricter (and less usable) policies. They explained these results by arguing that "[t]he reason lies not in greater security requirements, but in greater insulation from the consequences of poor usability. Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive."

Unfortunately, there are not a lot of ways forward here. Passwords are cheap and pervasive, and are not going away anytime soon. Forcing all members of Congress and all generals to personally experience the joy of using these websites themselves also is not realistic, even if highly desirable.

In the long term, we need more ways of getting the incentives of all stakeholders better aligned. Putting helpdesk costs and information security costs under the same budget and the same person is a good start, as it would force people to think more about the relative costs and benefits of a security policy. Having customer satisfaction be part of the performance metrics for information security folks would also help. In the meantime, until usability thinking and holistic thinking become more pervasive in computer security, the rest of us will just have to keep suffering the pains of stricter password policies.


Daniel Reed "Why We Compute"

http://cacm.acm.org/blogs/blog-cacm/126408-why-we-compute/fulltext
Sept. 2, 2011

Why do we, as researchers and practitioners, have this deep and abiding love of computing? Why do we compute?

Superficially, the question seems as innocuous as asking why the sky is blue or the grass is green. However, like both of those childhood questions, the simplicity belies the subtlety beneath. Just ask someone about Rayleigh scattering or the quantum efficiency of photosynthesis if you doubt that simple questions can unearth complexity.

At its most basic, computing is simply automated symbol manipulation. Indeed, the abstract Turing machine does nothing more than manipulate symbols on a strip of tape using a table of rules. Deceptively, the rules seem simpler than those of some board games. Though vacuously true, this description misses the point: symbol manipulation under those rules captures what we now call the Church-Turing thesis.

However, as deep and as beautiful as the notion of computability really is, I doubt it is the only reason most of us are so endlessly fascinated by this malleable thing we call computing. Rather, I suspect it is a deeper, more primal yearning, one that underlies all of science and engineering and that unites us in a common cause. It is the insatiable desire to know and understand.


Lessons from Astronomy

When I stood atop Mauna Kea, looking at the array of telescopes perched there, I was again struck by our innate curiosity. Operated by a diverse array of international partnerships and built on Mauna Kea at great expense, they are there because we care about some fundamental questions. What is the evolutionary history and future of the universe? What are dark matter and dark energy? Why is there anything at all?

Answers to these questions are not likely to address our current economic woes, improve health care, or address our environmental challenges. We care about the answers, nevertheless.

As I pondered the twilight, my thoughts turned to Edwin Hubble, who first showed that some of those faint smudges in the sky were "island universes"—galaxies like our own. The universe was a far bigger place than we had heretofore imagined. As Hubble observed about this quest to understand:

From our home on the Earth, we look out into the distances and strive to imagine the sort of world into which we are born. Today we have reached far out into Space. Our immediate neighborhood we know rather intimately. But with increasing distance our knowledge fades, and fades rapidly, until at the last dim horizon we search among ghostly errors of observations for landmarks that are scarcely more substantial. The search will continue. The urge is older than history. It is not satisfied and it will not be suppressed.

Hubble’s comment was about the observational difficulties of distance estimation and the challenges of identifying standard candles. However, it could just as easily have been a meditation on computing, for we are driven by our own insatiable desires for better algorithms, more flexible and reliable software, new sensors and data analytics tools, and ever larger and faster computers.


Computing the Future

Why do we compute? I suspect it is for at least two, related reasons, neither relating to publication counts, tenure, wealth, or fame. The first is the ability to give life to the algorithmic instantiation of an idea, to see it dance and move across our displays and devices. We have all felt the exhilaration when the idea takes shape in code, then begins to execute, sometimes surprising us in its unexpected behavior and complexity. Computing’s analogue of deus ex machina brings psychic satisfaction.

The second reason is that computing is an intellectual amplifier, extending our nominal reach and abilities. I discussed the power of computing to enable and enhance exploration in a previous blog entry. It is why those of us in computational science continually seek better algorithms and faster computer systems. From terascale to petascale and the global race to exascale, it is a quest for greater fidelity, higher resolution, and finer time scales. The same deep yearning drives astronomers to seek higher-resolution detectors and larger telescope apertures. We are all searching the ghostly signals for landmarks.

It is our ability to apply our ideas and their embodiment in code to a dizzying array of problems—from the prosaic to the profound—that attracts and compels us. It is why we compute. Hubble was right. We compute because we want to know and understand. The urge is deep and unsatisfied. It cannot be denied.
