Password Management for Multiple Accounts
Some Security and Usability Considerations

Mike Just
DIMACS Workshop on Usable Privacy and Security Software
7 July 2004
Public Works and Government Services Canada / Travaux publics et Services gouvernementaux Canada

Agenda
• Introduction
• Background – Password for One Account
• Passwords for Multiple Accounts
• Further Thoughts

Introduction
• Premise – Passwords are too secure already
  • Several conditions lead to an unusable or intolerable environment for users
• Password conditions
  • For a single password
    • Password rules, length, …
  • For multiple passwords across several accounts
    • Distinctiveness requirement/recommendation
• How can usability be improved while retaining an acceptable level of risk?

Password for One Account
• Usability considerations
  • Password length, e.g. 4-8 characters
  • Password construction, e.g. 1 letter, 1 number, …
  • Password entering, e.g. allowed attempts
  • Password management, e.g. update
• Attack considerations
  • Offline attacks
  • Online attacks

Password for One Account
• Offline attack
  • Encryption of password images
  • Distribution of password images, cf. Ford/Kaliski
• Online attacks
  • Password rules
  • Account lockout
  • Reverse Turing Tests (CAPTCHA)
• But, you also have to consider
  • Social engineering (e.g. phishing) attacks or other attacks directed at the user (and not the account system)

Password for One Account
• Enhance with “something you have”
  • One-time passwords
  • Hard tokens, e.g. SecurID, SmartCard
• In most cases, this requires a different “something you have” for each account
  • Typically issued and managed through the information provider
  • Compounds password usability issues across each account

Passwords for Multiple Accounts
• Consider a user with multiple accounts, each requiring password authentication
• Traditional wisdom dictates a distinct password for each account
• Is this necessary? Why or why not?
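The "Password for One Account" slides list encryption of password images as the defence against offline attacks. The following added example (not from the slides or the author; it shows plain salted, iterated hashing with Python's standard library, not the distributed Ford/Kaliski scheme the slide cites) illustrates what that defence buys: a per-account random salt means the same password registered at two accounts yields unrelated stored images, so a stolen image table neither reveals reuse across accounts nor lets one precomputed guess test every account, and the iteration count raises the cost of each guess. The iteration count and salt size are constructed values for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example; the slides state no values.
# A deployment would pick the iteration count from current guidance and
# store it beside each image so it can be raised later.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_image(password: str, salt: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Derive a stored password image, returned as (salt, image, iterations).

    A fresh random salt per account means equal passwords at two accounts
    produce unrelated images, and the iteration count raises the cost of
    every guess an offline attacker makes against a stolen image.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    image = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, image, iterations


def verify(password: str, salt: bytes, image: bytes, iterations: int) -> bool:
    """Recompute the image for a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, image)


def images_reveal_reuse(password: str) -> Tuple[bool, bool]:
    """Does the stored image expose that two accounts share a password?

    Returns (unsalted_images_match, salted_images_match) for the same
    password registered at two different accounts.
    """
    unsalted_a = hashlib.sha256(password.encode("utf-8")).digest()
    unsalted_b = hashlib.sha256(password.encode("utf-8")).digest()
    _, salted_a, _ = make_image(password)
    _, salted_b, _ = make_image(password)
    return unsalted_a == unsalted_b, salted_a == salted_b


if __name__ == "__main__":
    salt, image, its = make_image("correct horse battery staple")
    print("verify correct:", verify("correct horse battery staple", salt, image, its))
    print("verify wrong:  ", verify("Tr0ub4dor&3", salt, image, its))
    print("unsalted/salted images match across accounts:", images_reveal_reuse("hunter2"))
```

The unsalted pair matching while the salted pair does not is the whole point: without a salt, an attacker holding image tables from two systems can spot reused passwords by comparing images alone, which is exactly the cross-account risk the later slides weigh.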
Passwords for Multiple Accounts
• This is often a recommendation, as opposed to a mandatory requirement
  • Different accounts managed by different authorities
• Distinct versus independent passwords
  • Difficult to enforce independent passwords; see above
  • Even with the same authority, password values not typically compared

Passwords for Multiple Accounts
• When might the same password be used at different accounts?
  • A risk management decision
  • Some considerations
    1. Type of attack(s)
    2. Typical behaviour of account user
    3. Account security or risk
    4. Additional authentication factors

Passwords for Multiple Accounts – Type of Attack(s)
• Consider online attacks
  • Though social engineering attacks remain a concern
• Random versus targeted attacks
  • Random: An attack to compromise any account
  • Targeted: An attack to compromise a specific account
• Targeted attacks might be discouraged with a number of security measures
  • Account lockout after some number of login attempts
  • Login monitoring systems to detect persistent failed attempts against one account

Passwords for Multiple Accounts – Type of Attack(s)
• Assuming that random attacks occur most often… the likelihood of extending the attack to other account systems (for the same compromised user) may be low
  • Is there much motivation to attack that same user at a different account system?
  • The attacker would have to know of the location of other account systems where the same user is registered
  • The attacker would have to know of the account names
• So, password re-use might be ok in some cases

Passwords for Multiple Accounts – User Behaviour
• A “separation” between multiple accounts based upon user behaviour
  1. Consistently accessing accounts from different locations
     • Often forced today, e.g. no personal account access from work
  2. Distinct account identifiers
     • Create account separation, but also confusion
  3. Physical and digital separation of account information regarding multiple accounts
     • Can reduce risk of multiple account compromise

Passwords for Multiple Accounts – Account Security or Risk
• Often cited reason for distinct passwords
  • Work account versus magazine subscription
• Don’t create a “weak link” by using a password for a high risk account, at an account that may not have similar security protections
• Previous conditions may help reduce this risk

Passwords for Multiple Accounts – Addn’l Authentication Factors
• Multiple authentication factors should be independent
  • Compromise of one should not increase likelihood of other
• Similarly, using the same password across multiple accounts, with different secondary authentication factors, introduces additional risk
  • Compromising a password at account A, and token for account B, shouldn’t allow compromise of either account
  • But, if the passwords for A and B are the same…
• However, such additional risk may be tolerable

Passwords for Multiple Accounts – Summary
• Some potential for password re-use
• Attack type
  • Increase protection against targeted attacks
• User behaviour
  • Separate behavioural patterns and records
• Account security or risk
  • Ensure separation amongst different account risk groups
  • But, based on factors above, this might be lessened somewhat
• Additional authentication factors
  • Reduce potential burden in case of additional factor

Further Thoughts
• What about the necessity of password updates?
  • Multiple passwords over time, as opposed to space
  • Memorize new, forget old
  • Are other protections sufficient, e.g. “Last login time:”
• What about the necessity of strict password rules?
  • 1 uppercase, 1 special character, …
  • Can risks of random or targeted online attacks be sufficiently mitigated?
  • Do additional factors allow for leniency?
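The "Type of Attack(s)" slides argue that account lockout and login monitoring for persistent failures against one account discourage targeted attacks, while the Further Thoughts slide asks whether random and targeted online attacks can be sufficiently mitigated. The added example below (not from the slides or the author) runs both checks over a constructed authentication log: a per-account failure count implements lockout and flags the targeted pattern, and a per-source count of distinct accounts flags the random pattern, which per-account lockout alone never sees because each account is hit only once. The log format, the account names and addresses, and the thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed policy values for this example; the slides give no numbers.
LOCKOUT_THRESHOLD = 5     # failed attempts on one account before it locks
SPRAY_MIN_ACCOUNTS = 8    # distinct accounts failed from one source => random pattern

# Constructed log format: timestamp, result, account name, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a targeted burst against alice, a one-attempt-per-account
# sweep across eight accounts from a second source, one ordinary typo by judy,
# and a malformed line the parser must skip.
SAMPLE_LOG = """\
2004-07-07T09:00:01 FAIL user=alice src=198.51.100.7
2004-07-07T09:00:02 FAIL user=alice src=198.51.100.7
2004-07-07T09:00:03 FAIL user=alice src=198.51.100.7
2004-07-07T09:00:04 FAIL user=alice src=198.51.100.7
2004-07-07T09:00:05 FAIL user=alice src=198.51.100.7
2004-07-07T09:00:06 FAIL user=alice src=198.51.100.7
2004-07-07T09:10:00 FAIL user=bob src=203.0.113.5
2004-07-07T09:10:01 FAIL user=carol src=203.0.113.5
2004-07-07T09:10:02 FAIL user=dan src=203.0.113.5
2004-07-07T09:10:03 FAIL user=erin src=203.0.113.5
2004-07-07T09:10:04 FAIL user=frank src=203.0.113.5
2004-07-07T09:10:05 FAIL user=grace src=203.0.113.5
2004-07-07T09:10:06 FAIL user=heidi src=203.0.113.5
2004-07-07T09:10:07 FAIL user=ivan src=203.0.113.5
2004-07-07T09:30:00 FAIL user=judy src=192.0.2.20
2004-07-07T09:30:05 OK user=judy src=192.0.2.20
2004-07-07T09:31:00 malformed entry
"""


def parse(log: str) -> List[Dict[str, str]]:
    """Parse well-formed lines into dicts; lines that do not match are dropped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_per_account(events: List[Dict[str, str]]) -> Counter:
    """Failed attempts per account: the counter behind account lockout."""
    return Counter(e["user"] for e in events if e["result"] == "FAIL")


def accounts_per_source(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Distinct accounts that each source address has failed against."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            seen[e["src"]].add(e["user"])
    return seen


def locked_accounts(log: str) -> List[str]:
    """Accounts that reached the lockout threshold (the targeted pattern)."""
    fails = failed_per_account(parse(log))
    return sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)


def spraying_sources(log: str) -> List[str]:
    """Sources that failed against many distinct accounts (the random pattern)."""
    per_src = accounts_per_source(parse(log))
    return sorted(s for s, users in per_src.items() if len(users) >= SPRAY_MIN_ACCOUNTS)


def analyse(log: str) -> List[Tuple[str, str, int]]:
    """Combine both views into (pattern, key, count) findings."""
    events = parse(log)
    fails = failed_per_account(events)
    per_src = accounts_per_source(events)
    findings = [("targeted", u, fails[u]) for u in locked_accounts(log)]
    findings += [("random", s, len(per_src[s])) for s in spraying_sources(log)]
    return findings


if __name__ == "__main__":
    for pattern, key, count in analyse(SAMPLE_LOG):
        print(f"{pattern:8s} {key:15s} {count}")
```

In the sample, alice locks after her fifth failure, but none of the eight accounts swept from 203.0.113.5 ever reaches the threshold; only the per-source view notices that sweep. That is the asymmetry the slides rely on when they say lockout and per-account monitoring discourage targeted attacks in particular, and it is why a monitoring system wants the per-source count as well.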
Contact Information
Mike Just
Public Works and Government Services Canada (PWGSC)
mike.just@pwgsc.gc.ca
+1–613–952–6031
Carleton University, School of Computer Science
http://www.scs.carleton.ca/~just/