Banks should stop forcing customers to create long, alphanumeric passwords because they can't protect against today's threats, according to AT&T computing researcher William Cheswick.
Speaking at AusCERT 2008 on the Gold Coast this week, Cheswick told delegates to stop inflicting staff and consumers with old-fashioned rules on password management, including advising consumers not to write them down or imposing strict rules about what characters can be used.
Requiring passwords to be at least seven characters long, but not more than 15, that are case sensitive with at least one number but no spaces, is simply "arcane password fascism", said Cheswick.
"The problem, of course, is that people violate [these rules]. They're going to write it down ... they have to get their jobs done," he said.
"It is simply poor engineering to expect people to create and remember passwords that computers cannot guess in a reasonable amount of time."
"My biggest complaint is that we're insisting on very strong passwords, but we're not getting strong security for those passwords," Cheswick told ZDNet.com.au after his keynote.
Many password rules imposed on staff and consumers today were drawn from a standard written in the 1980s, called Federal Information Processing Standards (FIPS) 112 — the US standard for password usage.
"The rules that people made those up under — we don't face those threats today," he told ZDNet.com.au. "There wasn't much of an Internet, you didn't have Russian spies trying to exfiltrate your data. There were different kinds of attacks," he added.
As a result, Cheswick believes banks should relax the rules on passwords for customers, since they typically have to remember several passwords to manage their daily affairs — and for simplicity's sake, often use the same password across several systems.
"For the guys at the bank, they can ease up on their rules a lot. Why can they ease up on their rules? Because you don't need a strong password. Why don't you need a strong password? Because you're only making a few guesses," he said.
Typically, after three incorrect guesses an ATM will destroy the card, and failed attempts to log in to an online bank account often produce a similar result. However, Cheswick said password-stealing keyloggers pose a new problem, which only reinforces why writing down passwords is not such a threat today — that rule was created when someone physically looking over your shoulder was a greater threat than malware installed on a computer.
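The point Cheswick makes in the preceding two paragraphs, that an online attacker gets only a handful of guesses before lockout and so password length matters far less than the guess budget, is easy to show in code. The following is an added illustration, not code from the article or from Cheswick: a small account-lockout guard with a constructed in-memory credential table (the username, passwords and the three-strike limit are assumptions for the demo), plus a helper that computes the blind-guessing attacker's odds within that budget.

```python
"""Added illustration (not from the article or from Cheswick): a lockout
after a few failed attempts bounds an online guesser's chances regardless
of password complexity.

  1. LoginGuard: refuses further attempts once an account has accumulated
     MAX_FAILURES consecutive wrong passwords, the "three or four chances"
     the article describes. Credentials live in a constructed in-memory table.
  2. online_success_probability: the chance an attacker guessing blindly
     succeeds before lockout, for a secret drawn uniformly from a space of
     the given size (e.g. 10_000 for a four-digit PIN).
"""
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumption: three strikes, as in the ATM example


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is a demo setting, not production tuning
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Verifies passwords and locks an account after MAX_FAILURES failures."""

    def __init__(self) -> None:
        self._users = {}     # username -> (salt, password hash)
        self._failures = {}  # username -> consecutive failed attempts

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))
        self._failures[username] = 0

    def is_locked(self, username: str) -> bool:
        return self._failures.get(username, 0) >= MAX_FAILURES

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users are reported as
        'denied' so the response does not reveal whether an account exists."""
        if self.is_locked(username):
            return "locked"
        record = self._users.get(username)
        if record is None:
            return "denied"
        salt, stored = record
        # constant-time comparison of the derived hash against the stored one
        if hmac.compare_digest(_hash(password, salt), stored):
            self._failures[username] = 0  # a good login resets the counter
            return "ok"
        self._failures[username] += 1
        return "denied"


def online_success_probability(space_size: int, guesses: int = MAX_FAILURES) -> float:
    """Probability that `guesses` distinct blind guesses hit a secret chosen
    uniformly from `space_size` possibilities before lockout stops them."""
    return min(guesses, space_size) / space_size


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse")  # constructed demo credential
    for bad in ("wrong1", "wrong2", "wrong3"):
        print(bad, "->", guard.attempt("alice", bad))
    print("real password after lockout ->", guard.attempt("alice", "correct horse"))
    print("4-digit PIN, 3 guesses ->", online_success_probability(10_000))
```

With the limit at three, even a four-digit PIN gives a blind online guesser a 3-in-10,000 chance, which is the argument for easing complexity rules where lockout is enforced; the same guard does nothing against a keylogger that captures the real password, which is the separate threat the article goes on to raise.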
Cheswick encouraged the move by Australian banks to adopt two-factor authentication technologies.
"When it counts, you should use two-factor authentication — something you have and something you know. A third factor is usually something you are, which is biometrics, which is ok, but I'm not a fan of it," he said.
For people who have trouble remembering passwords, Cheswick recommended using the same password across several accounts, and writing them down, adding, however, that accounts should be graded according to low, medium and high levels of security.
"I have a password I don't care about. You log into the New York Times, and they want you to have a password, and I don't care if someone steals my New York Times password. There's one password I use for all those accounts. Then there are the accounts that are important to me, such as Amazon.com, but if you got them, then you wouldn't be able to drain my bank account ... it's not the end of the world. Then there's bank accounts, and stock account management, where if you got in you might be able to leave me a pauper. But even then you only get three or four chances," he said.