Two interesting studies of password strength were published in the past couple of months. Microsoft researchers Dinei Florêncio and Cormac Herley published “Where Do Security Policies Come From?”, in which they examine password policies of 75 different Web sites in order to understand the diversity of password requirements on those sites. Joseph Bonneau and Sören Preibusch, researchers at the University of Cambridge, published “The Password Thicket: Technical and Market Failures in Human Authentication on the Web,” in which they examined 150 web sites with free user accounts that require passwords in order to understand technical variations in password implementations.

National Institute of Standards and Technology (NIST) Special Publication SP 800-63-1 discusses password strength in terms of “guessing entropy.” This is the degree of difficulty that an attacker would have in guessing a password and impersonating a user. NIST recommends different password strengths for Level 2 authentication, depending on how long a user may keep a password before changing it and how long a user must wait after three failures before trying again. For example, if a web site’s policy is to permit re-try after one minute and to allow users to keep their passwords for five years, a password would need 37 bits of entropy to qualify as Level 2. However, if a password must be changed every 90 days and a user must wait a full day before trying to log in after three failures, a 22-bit password would provide Level 2 assurance level.

The Microsoft researchers found that password strength varies for different types of sites. They found median password policy strength of 19.9 bits for dot-com sites, 31 bits for banks and other financial institutions, 43.7 for dot-edu sites, and 47.6 for dot-gov sites.  Since many sites examined by the researchers also permit e-mail accounts as user names, the only thing between the attacker and account compromise is the password. The authors attribute the differences in password strength to different competitive pressures on different types of sites. Dot-com sites must compete for customers and want to keep usability high, so they reduce login complexity. Banks, dot-edu and dot-gov sites, by contrast, do not face similar pressures, and in many cases their users have no choice about dealing with them. As a result, such sites are willing to require complex passwords even when such policies lead to somewhat lower usability.

Researchers at Cambridge focus on a somewhat different aspect of password authentication. They note that in spite of security concerns, many users still choose passwords that are easy to guess, write down their passwords and share them with others. They also re-use their passwords on multiple sites (average of five sites per password), and sometimes use the same passwords on sites that do not house sensitive or personal information, like content sites, and ones that do, like financial services sites. The authors believe that what they call low-security sites, i.e., ones that do not house sensitive personal or financial information, use password login as a way to collect marketing information about users or a way to establish a trusted relationship with users, but by doing this they are creating more complexity that users are not able to manage effectively. Since low-security sites do not bear the consequences of password compromise at high-security sites, they have no incentive to implement strong security protections for passwords. In fact, compromise of passwords at low-security sites has led to account compromises at high-security sites, and this dynamic is not changing. The authors are not optimistic either about a change in security practices at low-security sites without some sort of regulatory mandate, or about the willingness of low-security sites to adopt federated identity protocols, which might reduce their ability to gather marketing information.

There is, of course, another approach to password management that would reduce concerns about guessable or shared passwords. Sites that house or provide access to sensitive personal or financial information could implement two-factor authentication with a modality that uses one-time passcodes. This would greatly reduce the sites’ vulnerability to password attacks, particularly attacks involving large numbers of compromised passwords, because guessed or shared passwords will not enable account access without the possession of one-time passcodes.

And what about reduced usability? Although two-factor authentication protocols are becoming more user-friendly, they are and will remain more complex than usernames and passwords. Nevertheless, when users understand that without adequate security they face loss of personal or financial information that might be as traumatic as the loss of a job and would require significant effort to fix, they might welcome spending a little extra time at login.