Have you noticed that banks are in the habit of requiring you to follow a ‘formula’ when coining your password? For example, PNC Bank requires passwords of not less than 8 characters that include a mix of numbers, letters, capitals and symbols. It is understandable that this is a way of protecting users’ financial information, preventing unauthorized transactions, and ultimately preventing malicious access to the bank’s network resources. But is shifting this onus onto users enough?
I found the writings of Dinei Florencio and others (2016) very interesting: they examine the efficacy of tactics for defending password-protected networks from guessing attacks. Such tactics, of course, include requiring users to coin stringent passwords based on a pre-defined formula. Florencio and others explain three key insights worth noting on the subject of stringent password composition.
First, the long-accepted belief that requiring online account users to compose stringent passwords makes their accounts safer is actually a myth, because that is not how cyber-attacks work. Second, in some instances a difficult-to-guess password does not reduce the probability of a successful guessing attack; in a large portion of attacks, it makes no difference at all. Third, online account administrators should focus mainly on users with weak passwords that are easy to guess, because an attacker can easily compromise such accounts and gain access to the network resources, whereas improving the other passwords would deny the attacker very little.
The authors take the extra step of differentiating online from offline guessing attacks. The former occur when the attacker submits guesses to the defender’s server while pretending to be an authorized account user. The latter occur when the attacker uses hardware and software resources equipped with graphics processing units (GPUs) built for guessing against hashed user passwords.
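The distinction above, and the third insight about focusing on the weakest passwords, can be made concrete with a small budget model. This is an added illustration, not code from the post or from Florencio and others; the throttling rate, the offline hash rate, the common-password list and the crude guess-rank estimate are all constructed assumptions.

```python
# Added illustration: sort passwords into the region where an online attacker
# can reach them, the region only an offline attacker can reach, and the
# region beyond both. All rates and the blocklist are constructed assumptions.
import string

SECONDS_PER_DAY = 86_400
# Assumption: the login endpoint throttles to 100 guesses per account per day.
ONLINE_GUESSES_PER_DAY = 100
# Assumption: an attacker holding the hash file can test 10^10 guesses per second.
OFFLINE_HASHES_PER_SECOND = 10**10
ATTACK_DAYS = 365
# Constructed stand-in for a real list of commonly chosen passwords.
COMMON = ["123456", "password", "qwerty", "letmein"]


def online_budget(days=ATTACK_DAYS):
    """Guesses possible against one account through a rate-limited login form."""
    return ONLINE_GUESSES_PER_DAY * days


def offline_budget(days=ATTACK_DAYS):
    """Guesses possible once the attacker holds the password hashes."""
    return OFFLINE_HASHES_PER_SECOND * SECONDS_PER_DAY * days


def charset_size(pw):
    """Size of the smallest standard alphabet covering every character in pw."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(chars) for chars in classes if any(c in chars for c in pw))


def guess_rank(pw):
    """Crude estimate of the guess at which pw falls: its position in the common
    list if present, otherwise the size of its brute-force space."""
    if pw in COMMON:
        return COMMON.index(pw) + 1
    return charset_size(pw) ** len(pw)


def classify(pw):
    rank = guess_rank(pw)
    if rank <= online_budget():
        return "online-weak"     # reachable through the login form: fix this one
    if rank > offline_budget():
        return "offline-strong"  # survives even hash cracking
    return "dont-care"           # only matters if the hash file leaks: protect the hashes


if __name__ == "__main__":
    for pw in ["password", "tortoise", "T0rt0is!", "Tr0ub4dor&3xyz"]:
        print(f"{pw:16} rank={guess_rank(pw):.3g} -> {classify(pw)}")
```

Note that "T0rt0is!" satisfies the 8-character, mixed-class formula yet lands in the same "dont-care" region as the all-lowercase "tortoise": the composition rule moved its guess rank without moving it past what an offline attacker can try.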
The writers conclude that the effort of securing user accounts and network resources should be handled mainly by the system administrator, who is usually responsible for eliminating both online and offline attacks. The administrator could use a mechanism known as a Hardware Security Module (HSM). Where properly used, HSMs can eliminate the risk of the hash file and the decryption key leaking.
Hence, burdening users with the task of composing stringent passwords is a waste of their time and energy. Banks should make this clear to users, so they understand that coining a ‘stringent’ password might prevent unauthorized access in casual settings, but would not where more sophisticated and technical attempts are made by experienced malicious cyber attackers.
We from across the globe are closely watching the US elections as we too get affected by actions of the sitting President. Pls go out and vote for who will honestly make a difference. Florinda Sullivan Tortosa