14

I've been looking for ways to improve security and security awareness for both internal and external clients and I happened upon the idea of generating a one-time, random "password suggestion" on the registration and password-change screens, similar to the following:

[Image: Password Suggestion]

Assuming that:

  • The password is generated by indexing all 5-8 letter words in a Scrabble dictionary (about 70,000 words net total) and using a crypto RNG service to choose random indexes;
  • The page is viewed over an SSL connection;
  • The password is a nonce, i.e. the server doesn't actually save it anywhere;
  • Users are not actually assigned this password - they can still create their own, for example if they're sitting at a public terminal.

Is this a good idea or a bad one? I personally like the idea but I'm concerned that my enthusiasm and optimism as a developer might be overshadowing some unintended negative side-effects of a scheme like this.

Should I go ahead with this? Are there ways that it could be improved and/or other things I need to look out for?

Aaronaught

  • This is related to this discussion on [short complex passwords or long dictionary passphrases](http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase/6096#6096). Although it was initiated by a web comic it has some valuable information. – Hendrik Brummermann Sep 25 '11 at 16:30
  • @HendrikBrummermann: Yes, it's that kind of passphrase, although I'm using a full dictionary (64 vs. 44 bits of entropy for 4 words, which is markedly better than even a completely random 10-character password of charset size 72). Pretty sure the passwords have good enough complexity, more concerned about possible problems with the method of generating them, unanticipated user reactions, weak links in the chain, that sort of thing. – Aaronaught Sep 25 '11 at 17:00
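The generation scheme the question describes, as an added example (this is not the asker's code, nor code from any project on this page): a small constructed word list stands in for the Scrabble dictionary, `secrets.choice` does the CSPRNG indexing, and two helpers reproduce the entropy figures quoted in the comments (64 bits for 4 words from 70,000; 44 bits for 4 words assumes a 2048-word list, as in the linked diceware discussion; 61.7 bits for a random 10-character password over a 72-symbol charset). The function names and the sample dictionary are assumptions.

```python
import math
import secrets

# Constructed sample dictionary (assumption): one word per line, standing in for
# the ~70,000-word Scrabble list in the question. It deliberately contains words
# outside the 5-8 letter range, a duplicate, and a non-alphabetic token, so that
# filter_words() has something to drop.
SAMPLE_DICTIONARY = """
able
anchor
baked
candle
dragon
eleven
falcon
garden
harbor
island
jungle
kettle
lantern
marble
napkin
orbit
pepper
quartz
rocket
saddle
timber
umbrella
velvet
walnut
extraordinary
candle
Don't
"""


def filter_words(raw, min_len=5, max_len=8):
    """Keep only purely alphabetic words of min_len..max_len letters, de-duplicated,
    in a stable order so the list can be indexed."""
    seen = set()
    out = []
    for token in raw.split():
        w = token.strip().lower()
        if min_len <= len(w) <= max_len and w.isalpha() and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def generate_passphrase(words, count=4, separator=" "):
    """Pick `count` words uniformly at random (with replacement) using the OS CSPRNG.

    secrets.choice draws from SystemRandom and avoids the modulo bias a naive
    `os.urandom(1)[0] % len(words)` would introduce. The result is never stored:
    the caller shows it once and discards it, matching the "nonce" assumption."""
    if not words:
        raise ValueError("empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(dictionary_size, word_count):
    """Entropy of word_count uniformly chosen words from a dictionary_size list."""
    return word_count * math.log2(dictionary_size)


def random_password_entropy_bits(charset_size, length):
    """Entropy of a uniformly random string of `length` symbols from a charset."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    words = filter_words(SAMPLE_DICTIONARY)
    print("usable words:", len(words))
    print("suggestion:", generate_passphrase(words))
    print("4 words from 70,000: %.1f bits" % passphrase_entropy_bits(70000, 4))
    print("4 words from 2,048:  %.1f bits" % passphrase_entropy_bits(2048, 4))
    print("10 chars, charset 72: %.1f bits" % random_password_entropy_bits(72, 10))
```

With the toy list above the suggestion only carries 4 × log2(23) ≈ 18 bits; the entropy helpers show what the real dictionary size buys. Whatever renders the suggestion should treat it like any other secret in transit: HTTPS only, no logging, no caching of the page that displays it.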

2 Answers

12

For security, this is very good. You're recommending about 64 bits of entropy in the password, which is far more than 99.9999% of users will come up with on their own. And not storing the plaintext password is obviously good for security.

For usability, this is mostly ok, but there's a big hole: a lot of users will use that password, neglect to write it down anywhere, and promptly forget it. Copy, paste, forget. So you'll have to use your password reset procedure often, which means it'll have to be lightweight, which likely means it'll be pretty insecure.

Gilles 'SO- stop being evil'

  • I suppose my naïve hope is that users who know they aren't able/willing to memorize it will just use their own. Still, even if they don't, that might still be a good thing if it means they don't use their "master password" to register with us. Fortunately for us, we can use the exact same information for registration and reset (information on a physical bill, no security question BS), so it's actually not that big a deal for us, it's just an inconvenience to the user. – Aaronaught Sep 25 '11 at 18:13
3

The use of a phrase instead of a single word is a good idea.

However, I find it bad security practice to, as a user, use a password that someone proposes I use. I wouldn't be comfortable with a system that does that. Also, if I were designing a system, I wouldn't want it to educate its users to use passwords proposed by others. A bit paranoid maybe, but "security hygiene" is bad enough as it is...

I'd rather have the system propose an example, and forbid the user to use the example.

chris

  • While I agree with the general sentiment, there is no security problem with having the server select the password that I will use. The problem here is one of memorization. I'm unconvinced about not educating users to use passwords proposed by others (yes, the subtlety that this is a problem except if it's the server that's picking the password is not one that users will cotton on to). If left to their own devices, many users will pick either `password123` or their girlfriend's name, so proposing a password is a step up. – Gilles 'SO- stop being evil' Sep 26 '11 at 18:54
  • Interesting points but I'm not sure I understand the basis for them. Why would this make you uncomfortable? And why wouldn't you want a system to educate its users as such? – Aaronaught Sep 26 '11 at 20:23
  • @Aaronaught I believe chris is correct. More important than a single mechanism is user education for the most general case. The most general case being: making the base of your security a secret that someone/something else gives you through a web page. There is no way for an average user to discriminate between a good secret delivered in a web page versus a bad secret delivered in a web page. For phishing etc. we want the user to distrust the web page/e-mail and fall back to a more secure channel. – this.josh Sep 27 '11 at 01:07
  • @this.josh: I'm still not following. What does phishing have to do with a password chosen upon registration? Let's say that this did somehow manage to convince users to register with whatever weak password is given to them; is that worse than having them choose their own weak password for that site - or worse, the same weak password for all sites they use? Furthermore, isn't this already exactly what happens when a user resets his/her password, but without the insecure e-mail channel? – Aaronaught Sep 27 '11 at 01:31
  • @Aaronaught the idea is that you don't want to teach users in general to let others decide their passwords for them. – chris Sep 27 '11 at 07:02
  • @Gilles I agree with the problem, I just don't think proposing passwords is a good idea (for the above reasons). There are other ways to stimulate strong passwords such as checking the entropy on the passwords they choose, running them against a simple cracker like pam_cracklib does. – chris Sep 27 '11 at 07:24
  • *Why* don't we want to teach users that? It is of course not as secure as the user choosing their own unique, strong password for every site, but it definitely *is* more secure than the current status quo of users using the *same, weak* password everywhere. I'm also using a password strength meter - which, by the way, was no small feat in itself because almost every algorithm is based on the antiquated notion of short, hard-to-remember passwords with a large charset - but I don't really see how telling them their password sucks is going to teach them how to create better ones. – Aaronaught Sep 27 '11 at 14:31
  • @Aaronaught It is indeed more secure than the status quo, but imho introduces a new problem: you teach users that it is okay to have other people choose their passwords for them. I don't see how that can *not* sound dangerous. They might even start accepting password suggestions from email. I think there is a solution that is better than the status quo, but doesn't involve teaching dangerous ideas to users: showing them examples, but not letting them copy/paste those. – chris Sep 27 '11 at 14:49
  • @Aaronaught To go short: by teaching them that it is OK to let others choose their passwords for them, they might start accepting those suggestions from different sources. Better teach them that a password is something YOU come up with and hold SECRET. It's written readable on your screen for crying out loud (shoulder-surfing anyone?). – chris Sep 27 '11 at 14:51
  • I guess we'll have to agree to disagree here. To me the problems with your proposed method are far more glaring than the (IMO unlikely) slippery slope you're implying. For one, many users *will* try to use the example or make minor changes to it (disable copy/paste, they'll just retype it), and it doesn't teach them how to generate *random* passphrases (which is the main reason why they're secure). Might as well just feed them a link to diceware and hope and pray that they'll use it (hint: they won't). – Aaronaught Sep 27 '11 at 14:54
  • If everybody else was generating secure passwords then it *would* be OK to let them choose, as far as I can tell. Since hardly anybody else is generating passwords *at all* (except on password reset, which is almost invariably sent over e-mail in clear text), it's kind of a moot point, isn't it? Oh well. I get what you're saying, so no need to belabor the point. Thanks again for your answer. – Aaronaught Sep 27 '11 at 14:56
  • @chris Good point about suggesting passwords. Not only would this teach users to accept a password chosen for them (though that would be fine when it's done offline, on a website you can't be sure). Another thing is the "security hygiene" you're talking about, I think the phrase you're looking for is that it adds another attack vector (or perhaps multiple). The password is displayed and perhaps even transferred. Plus, ( @gilles ) if there is a wrong way to do something, someone eventually will (i.e. generate a password server-side instead of client-side, then transmit it insecurely). – Luc Apr 03 '13 at 20:12
  • @Luc If the user chooses the password, the password is transmitted to the server. There's no additional risk in this respect if the server chooses the password. The increase in attack surface is tiny: the server has to handle the password correctly in any case. – Gilles 'SO- stop being evil' Apr 03 '13 at 20:23
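The comments under chris's answer mention checking the entropy of user-chosen passwords and running them against a simple cracker, and Aaronaught notes that most strength meters assume short passwords with a large charset. The following is an added example of a meter that does not make that assumption; it is not code from any participant or from pam_cracklib. It rejects blocklisted passwords outright, recognizes when a candidate is just a run of dictionary words (with or without separators) and scores it per word, and only otherwise falls back to the charset-times-length estimate. The blocklist, the toy word list and the verdict thresholds are constructed assumptions.

```python
import math
import string

# Constructed assumptions: a tiny blocklist and a tiny word list standing in
# for a real common-password list and a real dictionary.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}
WORD_LIST = {"correct", "horse", "battery", "staple", "anchor", "candle", "dragon"}


def segment_into_words(candidate, word_list=WORD_LIST):
    """Split the letters of `candidate` into dictionary words, preferring the
    segmentation with the fewest words (i.e. the lowest entropy estimate).
    Returns the list of words, or None if no complete segmentation exists."""
    s = "".join(c for c in candidate.lower() if c.isalpha())
    if not s:
        return None
    longest = max(len(w) for w in word_list)
    best = [None] * (len(s) + 1)  # best[i]: fewest-word split of s[:i]
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(max(0, i - longest), i):
            if best[j] is not None and s[j:i] in word_list:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def charset_size(password):
    """Size of the symbol pool implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in password):
        size += 33  # printable ASCII punctuation (32) plus space
    return size


def estimate_bits(password, word_list=WORD_LIST, blocklist=COMMON_PASSWORDS):
    """Conservative entropy estimate in bits."""
    if password.lower() in blocklist:
        return 0.0
    words = segment_into_words(password, word_list)
    if words:
        # A dictionary passphrase is only as strong as (dictionary size) ^ (words),
        # however long the string looks to a charset-based meter.
        return len(words) * math.log2(len(word_list))
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def verdict(password):
    """Map the estimate to a label; the 40/64-bit cut-offs are assumptions."""
    bits = estimate_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    return "strong"


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple", "anchordragon", "Tr0ub4dor&3"):
        print("%r: %.1f bits -> %s" % (pw, estimate_bits(pw), verdict(pw)))
```

With the seven-word toy list a four-word passphrase scores only about 11 bits; against a 70,000-word dictionary the same segmentation yields the 64 bits discussed above. Ignoring separators when segmenting slightly undercounts passphrase entropy, which is the safe direction for a meter. Concatenations such as `anchordragon` are caught as two words rather than being credited with twelve characters of lowercase letters.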