The Password Thicket: Technical and Market Failures in Human Authentication on the Web
Date: June 2010
Publication: WEIS '10: The 9th Workshop on the Economics of Information Security
Source 1: http://weis2010.econinfosec.org/papers/session3/weis2010_bonneau.pdf
Source 2: http://www.cl.cam.ac.uk/~jcb82/doc/BP10-WEIS-password_thicket.pdf
We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in implementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of implementation quality exists with a general co-occurrence of more-secure and less-secure implementation choices, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of a standards is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password security. From an economic viewpoint, password insecurity is a negative externality that the market has been unable to correct, undermining the viability of password-based authentication. We also speculate that some sites deploying passwords do so primarily for psychological reasons, both as a justification for collecting marketing data and as a way to build trusted relationships with customers. This theory suggests that efforts to replace passwords with more-secure protocols or federated identity systems may fail because they don’t recreate the entrenched ritual of password authentication.
Do you have additional information to contribute regarding this research paper? If so, please email email@example.com with the details.