Date: Thu, 17 May 2018 12:55:25 +0200 From: Solar Designer <solar@...nwall.com> To: passwords@...ts.openwall.com Subject: Re: Keeping old passwords Not taking sides (being a user of various Internet-based services and also consulting service providers I'm actually on both sides), but to explain some trade-offs involved: On Wed, May 16, 2018 at 07:16:13PM -0400, Denny O'Breham wrote: > If someone chooses a 4-character password, you can tell him his > password is not safe. But if he wants to keep it, let him. If you > suspect suspicious activities, you can tell the user. But don't lock > him out of his account and ask him to jump through all sort of hoops > to regain access. That's how I would have wanted it from my perspective as a user, too. But from perspective of a company like Google, they also have to care about the ecosystem and indeed about themselves. A 4-character password without limiting online password cracking attacks could result in spam being sent through the account. If protocols such as SMTP AUTH are supported, this will happen even without the attacker targeting the specific provider - the SMTP servers will be found through mass scans of the Internet, then weak passwords probed. (I've seen that happen on much smaller e-mail servers of Openwall clients. We had to mass-change/block all of the extremely weak passwords just to stop the re-occurring problems of spam being relayed through the servers. It's user-friendlier, and has lower customer support cost, to disallow such passwords being set in the first place than to block access later on.) When spam starts being relayed, it obviously hurts the ecosystem and the company providing the service and their other users (as the servers' IP addresses start getting blacklisted). And then there's phishing, which may also abuse users' address books for extra efficiency. This hurts not so much the person with the weak password (although they may later find they "borrowed money" from a friend), but their contacts. This is finally provider-specific, but Gmail is large enough for it to also be targeted explicitly. (And I've heard of this happening.) Now, they could allow moderately weak passwords (perhaps not e.g. "123456", as that's a ~1% chance of unauthorized login from first try) and combine that with detection of suspicious activity - but then they'd have to actually lock the account upon some rather low threshold of messages sent or whatever, and this would go against our other preference that they also don't lock the user out. So it's a trade-off between stronger authentication (uncommon password and/or 2FA) and detection of and response to suspicious activity. If you allow weaker authentication, you have to use those more subjective behavior clues more aggressively, and vice versa. Given this trade-off, personally I prefer to use an uncommon password over the provider being more suspicious about my activity. If a provider does allow weak passwords, then to explore this trade-off they'd have to somehow tag accounts with more-common-than-threshold passwords, which makes eventual offline password cracking (if the database leaks) even easier (targeting just those salts first). This is another reason to disallow weak passwords (except maybe those set prior to introduction/hardening of the password policy, where a tough decision would have to be made about tagging those accounts as having lower threshold for suspicion, which also makes them even more of a target for offline attacks). Finally, unfortunately (from my perspective as a user) not every provider would actually credit my uncommon passwords towards being less suspicious about my activity. This is in part them not exploring this trade-off yet (I guess some providers do and some don't), and in part it's because of other risks (from the provider's perspective) of the account getting compromised anyway (password reuse elsewhere, compromised user's computer, etc.) Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.