Tag Archives: security

On Passwords (Usability and Security)

Passwords have barely evolved since the early days of computing and are taken for granted in our daily online lives. It’s time for change, says usability expert Jakob Nielsen, who argues that password masking goes against basic usability principles and should be stopped (via Kottke).

Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.

Most websites […] mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. [However], there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

Nielsen suggests that password fields should be plaintext by default, with a checkbox available for when a user would like to turn masking on. Ignoring the usability issue of adding a new and unexpected item to a form, and ignoring the social ramifications of such a change (explicitly displaying lack of trust by turning masking on around friends), do lengthy, supposedly ‘strong’ passwords increase online security anyway? (pdf, via Schneier)

Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a “three strikes” type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat.

Secret questions aren’t much better, either.
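The “about 20 bits” claim in the quoted passage rests on a simple budget argument: with a three-strikes lockout, an online attacker gets only a handful of evaluated guesses per lockout window per account, so over a year the fraction of even a small password space they can cover is tiny. The following is an added example, not code from the paper or from this blog; it models that argument as a small lockout state machine plus the closed-form guess budget, and contrasts it with the offline case (an attacker who has obtained a password hash and is not subject to lockout), which is where extra bits actually matter. The concrete parameters (3 strikes, a 24-hour lockout, a one-year horizon, 10^9 offline guesses per second) are assumptions chosen for illustration.

```python
"""Online brute force against one account under a 'three strikes' lockout,
versus offline brute force against a leaked hash.  Added example; the
parameters below are assumptions, not figures from the quoted paper."""
import math
from dataclasses import dataclass

DAY = 24 * 3600  # seconds; assumed lockout window


@dataclass
class ThreeStrikes:
    """Per-account lockout: after `strikes` consecutive failures the account
    refuses all attempts until `lockout_seconds` have elapsed."""
    strikes: int = 3
    lockout_seconds: float = DAY
    failures: int = 0
    locked_until: float = 0.0
    evaluated: int = 0  # guesses the server actually checked

    def attempt(self, now: float, correct: bool) -> bool:
        if now < self.locked_until:
            return False  # rejected without checking the password
        self.evaluated += 1
        if correct:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.strikes:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return False


def online_guess_budget(strikes: int, lockout_seconds: float,
                        horizon_seconds: float) -> int:
    """Closed form: `strikes` evaluated guesses at the start of every lockout
    window that begins within the horizon (windows at t = 0, L, 2L, ...)."""
    windows = math.floor(horizon_seconds / lockout_seconds) + 1
    return strikes * windows


def simulate_online_attack(bits: int, target: int, horizon_seconds: float,
                           strikes: int = 3, lockout_seconds: float = DAY):
    """An attacker walks the 2**bits space in order against one account
    protected by ThreeStrikes, waiting out each lockout.  Returns
    (password_found, guesses_the_server_evaluated)."""
    acct = ThreeStrikes(strikes, lockout_seconds)
    now = 0.0
    space = 1 << bits
    candidate = 0
    while now <= horizon_seconds and candidate < space:
        if acct.attempt(now, candidate == target):
            return True, acct.evaluated
        candidate += 1
        if now < acct.locked_until:
            now = acct.locked_until  # locked out: wait for the window to end
    return False, acct.evaluated


def online_success_probability(bits: int, guesses: int) -> float:
    """Chance of hitting a uniformly random password of `bits` bits."""
    return min(1.0, guesses / (1 << bits))


def bits_for_online_resistance(guess_budget: int, max_success_prob: float) -> int:
    """Smallest password strength (bits) keeping the attacker's chance of
    success within the budget at or below max_success_prob."""
    return math.ceil(math.log2(guess_budget / max_success_prob))


def offline_crack_seconds(bits: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the space when lockout does not apply
    (e.g. a leaked hash) -- the regime where extra bits actually help."""
    return (1 << bits) / guesses_per_second


if __name__ == "__main__":
    year = 365 * DAY
    budget = online_guess_budget(3, DAY, year)
    print(f"online guesses per account per year: {budget}")
    for bits in (20, 30, 40):
        p = online_success_probability(bits, budget)
        t = offline_crack_seconds(bits, 1e9)
        print(f"{bits:2d}-bit: online P(success)={p:.2e}  offline exhaust={t:.3g}s")
    print("bits needed for P<=0.1% online:",
          bits_for_online_resistance(budget, 0.001))
    print("simulation, target last in space:",
          simulate_online_attack(20, (1 << 20) - 1, year))
```

Under these assumptions the attacker gets 1098 evaluated guesses per account per year, about a 0.1% chance against a 20-bit password and essentially nothing to gain from moving to 40 bits; offline, the same 20-bit space falls in about a millisecond at 10^9 guesses per second and 40 bits in around 18 minutes. The usual caveat applies: a lockout that fires on failures alone lets an attacker lock legitimate users out of their own accounts, so real deployments rate-limit per source or use escalating delays rather than a hard three-strikes ban.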

Using Spammers to Solve AI Problems

With spammers having already written software that matches humans at solving some CAPTCHAs, many are predicting the end of the CAPTCHA. Not so, says Luis von Ahn (developer of the reCAPTCHA system) in a New Scientist article, which asks why we shouldn’t simply set the spammers further AI tasks that they will solve inadvertently.

Software that can solve any text-based CAPTCHA will be as much a milestone for artificial intelligence as it will be a problem for online security. […]

“If [the spammers] are really able to write a programme to read distorted text, great – they have solved an AI problem,” says von Ahn. The criminal underworld has created a kind of X prize for OCR.

That bonus for artificial intelligence will come at no more than a short-term cost for security groups. They can simply switch to an alternative CAPTCHA system – based on images, for example – presenting the eager spamming community with a new AI problem to crack.

via Richard Holden