New and Noteworthy in Passwords and Authentication for 11/09/09

The Electric Alchemy security consulting firm has an interesting post, Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR, describing their experience running Elcomsoft's Distributed Password Recovery tool across 100 Amazon Elastic Compute Cloud (EC2) instances. The goal was to crack the passwords of several files in the old PGP ZIP format. The results clearly show that the cost of recovering relatively simple passwords (all lower case and fewer than 10 letters) has become affordable. Longer and more complex passwords with mixed case and symbols are still prohibitively expensive to recover. The graphs make it easy to see that small amounts of additional complexity dramatically increase the difficulty of recovering the password. Electric Alchemy posted a follow-up as Cracking Passwords in the Cloud Q&A.

In his post, Twitter, OAuth and Passwords – Oh My!, Terence Eden describes a potential risk with OAuth when a user changes their password on a service such as Twitter but still has active OAuth tokens that are not invalidated. He proposes a scenario in which a user believes he has lost control of his password and changes it, but does not realize that an attacker has also authorized other services to access the Twitter account and therefore still has access. The OAuth developers point out that this is not a design flaw, since users typically would not want all of their OAuth tokens invalidated on a password change, but that users should check that they have personally authorized every service linked to their account. The resulting discussion in the comments and related posts is interesting. I do believe that when a user changes a password on a site, the service should present all of their active OAuth tokens for inspection, along with an interface to invalidate them, in case the attacker created new OAuth-based authorizations. Eden points out a more complex problem: the attacker might have authorized an OAuth token for a service that the user had already authorized, so the extra grant looks like one the user legitimately made.

The article 30 years of failure: the username/password combination by John Timmer in Ars Technica describes a recent study by Hoonakker et al. published in the 2009 Proceedings of the Human Factors and Ergonomics Society. The study included two rounds of focus groups and a survey given to the employees of a large organization that asked about password habits. They received 836 responses that illustrated a litany of problems users associate with remembering and managing passwords. The results are not surprising, but the detailed breakdown in the analysis is valuable for determining the scope of the problem. The authors indicate that the tradeoffs between security and usability are significant and that we need to find ways to make it easier for users to maintain good security practices. The paper includes a nice overview of previous research and current options for improving the situation.