Academic Tech Departments Must Mandate Stronger Passwords
By Steve Cunningham
It's been difficult to avoid the recent news stories about stolen and decrypted IDs and passwords. LinkedIn, eHarmony.com, and Gawker.com have famously lost control of users' passwords in the past few months. Even Apple has been hit, as several million Apple IDs are still circulating on the Internet. The pity is that many of these passwords were encrypted (technically they were hashed), but given the powerful GPU-based "rigs" the hackers have at their disposal today, the decryption game moves much faster than in the recent past.
Still, what most of these events have in common is that the password system we use for authenticating users represents a throwback to the days when the Internet was a much safer place than it has since become. Users tend to choose passwords that are short and can be found in any dictionary (hence the "dictionary attack" method of guessing to gain access). Simply appending a capital letter or number to either end of the pronounceable word or family member's name does little to harden it as a password. I recently experienced this when a friend's site was hacked with spam comments. Her admin password was 8tinkerbell8, and evidently succumbed easily. Once in, the attacker disabled the anti-spam measures and began dropping links to sites selling cheap designer handbags. I changed the password to a much stronger random string, restarted the site, and re-logged in. The spammy comments stopped coming, although the spammer continued to knock on the door for some time, trying word after word in a vain attempt to regain access. The software was not successful, since the password was a random string of sixteen letters, numbers, and symbols.
Users pick simple passwords because they're easy to remember. Worse yet, they tend to re-use the same password on multiple sites, making it even easier for hackers to compromise the users' accounts. In fact, about a quarter of LinkedIn users whose credentials were stolen also had accounts on eHarmony.com that used the same credentials, and those too were hacked. It gets worse; the case of one Mat Honen, fully described in a recent issue of Wired magazine, included a hacked Twitter account, an inaccessible Gmail account, and a laptop whose entire contents were erased. This unfortunate string of events was made possible with some re-used credentials, linked identities between Gmail, Twitter, and Apple, and a little social engineering. Surely these pitfalls exist in academia, where system-wide passwords often require passwords with a minimum of characters and complexity. Before I understood the consequences, I used a re-use trick for years; when required to change my password to something new, I did, then immediately changed it again (yes, back to the original password). While that little maneuver has been blocked, precious little keeps me from entering an eight character word with nothing more than one capital letter and one number. In today's environment, that is hardly adequate.
If one asks why it is not required that users enter unique and complex passwords, the answer usually is that users hate complex passwords that can't easily be remembered or must be written down. They also hate having to change passwords, although research indicates that given a long, complex password the semi-annual password change exercise would be nearly superfluous.
Unfortunately this situation trades security for convenience. Academic IT departments will continue to play the cat-and-mouse game with hackers so long as users demand passwords they can recall easily. This would be the case even with more effective credentials, but it is likely the problem would be much smaller than it is currently.
There are, however, other methods that can be employed to make the creaky password system more secure. Among these is what's called multi-factor authentication, in which a user must present credentials that represent something they know (their password) and something they have (a smart phone which either generates or receives a text message of numbers that must be correctly entered to gain authentication). Organizations like Google and PayPal already offer two-factor authentication, and Facebook is rumored to be introducing it in the near future. There will be the same chorus about inconvenience, but users may well adapt. When the alternative is having their identity revealed, perhaps stolen, and their academic records rifled, one might expect to see a greater effort to strengthen the password system, regardless of the inconvenience.
Steve Cunningham is an assistant professor of practice at USC’s Thorton School of Music.