Don't blame users for dumb passwords

The Sony breach, among others, revealed the unsurprising fact that users choose weak passwords. So why do providers allow them?

Following the breach of Sony Pictures, the hackers at LulzSec posted a partial file containing the passwords of tens of thousands of users. For Sony Pictures, the allegedly unencrypted password file was an embarrassment. For users of its websites, the leak was an annoyance. But for password researchers, the breach is another data point for analysis.

No wonder then that researchers have hashed, crunched, and otherwise squeezed out a number of conclusions from the file.

Of course, the top conclusion is that users pick bad passwords. In his analysis of the file, security blogger Troy Hunt found that half of the passwords were seven characters or fewer. In addition, 36 percent of the passwords appeared in a dictionary of commonly used passwords.

Another conclusion: People commonly reuse passwords. Hunt compared the Sony Pictures password file to another password file stolen from the news site Gawker and found 88 email addresses that matched. In two-thirds of those cases, the users used the same password.
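The measurements Hunt made on the leaked file (share of short passwords, share that appear in a common-password list, and cross-site reuse keyed by e-mail address) are easy to reproduce on any plaintext dump. The script below is an added example, not Hunt's tooling or anything from the original article, and it runs on constructed sample data rather than the real Sony Pictures or Gawker files; the common-password list is a stand-in for a real dictionary such as the one Hunt used.

```python
"""Reproduce the kind of analysis run on the leaked Sony Pictures file:
password-length distribution, overlap with a common-password list, and
cross-site reuse keyed by e-mail address. All data here is constructed."""
from collections import Counter

# Constructed stand-in for a real common-password dictionary (assumption).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123", "letmein"}

# Constructed plaintext dumps from two hypothetical sites: e-mail -> password.
SITE_A = {
    "alice@example.com": "password",
    "bob@example.com": "Tr0ub4dor&3",
    "carol@example.com": "letmein",
    "dave@example.com": "correct horse battery staple",
    "erin@example.com": "abc123",
    "frank@example.com": "sunny11",
}
SITE_B = {
    "alice@example.com": "password",
    "carol@example.com": "letmein1",
    "dave@example.com": "correct horse battery staple",
    "grace@example.com": "qwerty",
}


def length_histogram(passwords):
    """Count of passwords per character length, sorted by length."""
    return dict(sorted(Counter(len(p) for p in passwords).items()))


def short_fraction(passwords, max_len=7):
    """Fraction of passwords that are max_len characters or fewer."""
    passwords = list(passwords)
    return sum(len(p) <= max_len for p in passwords) / len(passwords)


def dictionary_fraction(passwords, dictionary):
    """Fraction of passwords found in the common-password list (case-insensitive)."""
    passwords = list(passwords)
    return sum(p.lower() in dictionary for p in passwords) / len(passwords)


def reuse(site_a, site_b):
    """E-mail addresses present in both dumps, and those that reused the same password."""
    shared = sorted(site_a.keys() & site_b.keys())
    same = [e for e in shared if site_a[e] == site_b[e]]
    return shared, same


if __name__ == "__main__":
    pw = SITE_A.values()
    print("length histogram:", length_histogram(pw))
    print("7 chars or fewer:", short_fraction(pw))
    print("in common list:  ", dictionary_fraction(pw, COMMON_PASSWORDS))
    shared, same = reuse(SITE_A, SITE_B)
    print(f"{len(shared)} shared accounts, {len(same)} reused the same password")
```

On a real dump the only change is reading the two files and a proper dictionary from disk; the comparison is a plain set intersection on the e-mail column, which is exactly why a leak at one site is a credential for every other site where the user repeated the password.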

Meeting the requirements of using strong -- in other words, long or complex -- passwords and making each one unique is a tall order. It is so tall that most users have given up: They choose easy-to-remember passwords and use them on multiple sites.

"If we acknowledge that passwords of significant length and uniqueness are important, you need to have a password manager," Hunt says. "Because, unless you are a savant, you can't remember that much."

Yet in discussing the breach with other password experts, a different conclusion repeatedly reared its head: Providers, not users, are to blame for bad passwords.

While users can select strong passwords and control their reuse, the only gatekeeper that can enforce password strength is the provider. Users have some control over their own fates, but the online service provider has more, says Per Thorsheim, a researcher who has organized two conferences on the subject of passwords. After all, it's the service provider that sets the policy of what is an acceptable password.

"To me, it's simple psychology: If the system accepts my choice of password, then it must be good enough," Thorsheim says. "I expect the service provider to be better at security in their own system than I could possibly be."

Moreover, in almost every case in which password researchers have obtained information on users' choices of passwords, the breach occurred because of the provider's poor security, not the user's choice of a bad password. In the more egregious cases, such as Sony Pictures, the password file was stored in plain text, neither hashed nor encrypted. When that happens, it no longer matters what type of password a user chose, says Cormac Herley, a principal researcher with Microsoft Research.
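Both points above, the provider as the only enforceable gatekeeper and plaintext storage as the failure mode that makes password strength irrelevant, come down to two pieces of server-side code. The following is an added example, not code from the article or from any of the companies it mentions: a minimal registration path that rejects short or common passwords and stores a salted PBKDF2-HMAC-SHA256 hash, shown beside the plaintext store it replaces. The policy thresholds, the short common-password list and the iteration count are illustrative assumptions; a memory-hard function such as scrypt or Argon2 is preferable where the platform offers it.

```python
"""Provider-side gatekeeping: refuse weak passwords at registration and store
only a salted, slow hash. store_plaintext() mirrors the plaintext storage the
article attributes to Sony Pictures; store_hashed() is the replacement.
Thresholds, the common-password list and the round count are assumptions."""
import hashlib
import hmac
import os

COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123", "letmein"}
MIN_LENGTH = 8            # illustrative policy; NIST guidance is 8 as a floor
PBKDF2_ROUNDS = 200_000   # illustrative; tune to your hardware budget


def policy_rejects(password: str):
    """Return a reason the provider should refuse this password, or None if acceptable."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password.lower() in COMMON_PASSWORDS:
        return "in common-password list"
    return None


# BEFORE: a plaintext credential store. Whoever reads the file has every
# password verbatim, so a strong choice and a weak one share the same fate.
def store_plaintext(db: dict, email: str, password: str) -> None:
    db[email] = password


# AFTER: enforce the policy, then keep only a per-user random salt and a
# PBKDF2-HMAC-SHA256 digest. The password itself is never written anywhere.
def store_hashed(db: dict, email: str, password: str) -> None:
    reason = policy_rejects(password)
    if reason:
        raise ValueError(f"rejected: {reason}")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    db[email] = {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_hashed(db: dict, email: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = db.get(email)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), rec["rounds"]
    )
    return hmac.compare_digest(digest.hex(), rec["hash"])


def demo() -> dict:
    """Exercise both stores with constructed accounts and report what each exposes."""
    weak_db, good_db = {}, {}
    store_plaintext(weak_db, "alice@example.com", "password")  # stored verbatim
    rejected = None
    try:
        store_hashed(good_db, "alice@example.com", "password")  # policy refuses it
    except ValueError as exc:
        rejected = str(exc)
    store_hashed(good_db, "alice@example.com", "correct horse battery staple")
    return {
        "plaintext_leaks": weak_db["alice@example.com"],
        "weak_rejected": rejected,
        "secret_in_store": "correct horse battery staple" in repr(good_db),
        "verifies": verify_hashed(good_db, "alice@example.com", "correct horse battery staple"),
        "wrong_fails": verify_hashed(good_db, "alice@example.com", "password"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The policy check is where Thorsheim's "if the system accepts my choice, it must be good enough" is answered: The provider decides, at registration, and the user never sees a rejected password accepted. The hashed store is where Herley's point lands: If this table leaks, an attacker still has to guess each password separately against a slow, salted function, so the strong choices really do fare better than the weak ones.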

"In none of these cases is password strength the reason the breach occurred," Herley says. "People with super, super weak passwords and people with super, super strong passwords had exactly the same fate."

This story, "Don't blame users for dumb passwords," was originally published at InfoWorld.

Copyright © 2011 IDG Communications, Inc.