Thursday, April 30, 2009

How to guarantee bad passwords

Getting users to choose good passwords and not write them down is always a challenge. It's a tradeoff - if you make the requirements too loose, then an attacker can guess the password. Make it too complex, and users have to write them down. The rules should be proportional to the sensitivity of the data that's accessible - read-only access to a newspaper shouldn't require as strong a password as financial or health information.

In the "too loose" category, the extreme case I've run into was a web site used for storing personnel information - which should have had relatively strong requirements - that required a two character password. No quality restrictions, no frequency of changes, nothing. Bad choice.

Today, I ran into the other end of the spectrum. A site that requires passwords that:
* have a minimum length of 9 characters
* must contain two upper and two lower case characters
* must contain two digits and two special characters
* must be different from the last 9 passwords you've used
* must not contain a single quote

But the kicker: passwords may not contain any word of two letters or more. That's apparently determined (as best as I can tell through trial and error) by comparing every substring to a dictionary. So a password like 97to$%ABC isn't acceptable, because "to" is a word. And 3-5zq?jbeLN isn't valid either, because "be" is a word. Presumably a1b2c3d4e5** would be a valid password, though. (I didn't try that one.)
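To make the policy concrete, here is a small model of the rules listed above, written as an added example for this post rather than anything taken from the site in question. The thresholds are the post's bullet list; `DICTIONARY` is a constructed stand-in for the site's unknown word list, and SHA-256 merely stands in for however the site stores its password history. Running the post's own examples through it shows "97to$%ABC" and "3-5zq?jbeLN" rejected purely by the substring-dictionary rule, exactly as described; it also shows that "a1b2c3d4e5**" survives the dictionary rule but, containing no uppercase letters, trips the two-uppercase requirement instead.

```python
"""Model of the password policy described in the post.

Added example, not the site's code. The thresholds come from the post's
bullet list; DICTIONARY is a constructed stand-in for the unknown word list.
"""
import hashlib
from typing import Iterable, List, Set

MIN_LENGTH = 9
MIN_UPPER = MIN_LOWER = MIN_DIGITS = MIN_SPECIAL = 2
HISTORY_DEPTH = 9
MIN_WORD_LENGTH = 2

# Constructed stand-in; the real site's dictionary is not known.
DICTIONARY: Set[str] = {"to", "be", "in", "on", "cat", "pass", "word"}


def dictionary_words_in(pw: str, words: Set[str] = DICTIONARY) -> List[str]:
    """Every dictionary word of MIN_WORD_LENGTH+ letters that appears as a
    substring of pw, compared case-insensitively: the 'compare every
    substring to a dictionary' rule the post infers by trial and error."""
    lowered = pw.lower()
    found = set()
    for start in range(len(lowered)):
        for end in range(start + MIN_WORD_LENGTH, len(lowered) + 1):
            if lowered[start:end] in words:
                found.add(lowered[start:end])
    return sorted(found)


def history_digest(pw: str) -> str:
    """Digest kept in the password-history list. Plain SHA-256 stands in for
    whatever the site stores; a deployment would salt per user and use a
    slow password hash, otherwise the history list is itself a target."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, history: Iterable[str] = ()) -> List[str]:
    """Return every rule the candidate violates; an empty list means accepted.
    `history` holds digests of the user's previous passwords, newest last."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"fewer than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in pw) < MIN_UPPER:
        violations.append(f"fewer than {MIN_UPPER} uppercase letters")
    if sum(c.islower() for c in pw) < MIN_LOWER:
        violations.append(f"fewer than {MIN_LOWER} lowercase letters")
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        violations.append(f"fewer than {MIN_DIGITS} digits")
    if sum(not c.isalnum() for c in pw) < MIN_SPECIAL:
        violations.append(f"fewer than {MIN_SPECIAL} special characters")
    if "'" in pw:
        violations.append("contains a single quote")
    words = dictionary_words_in(pw)
    if words:
        violations.append("contains dictionary word(s): " + ", ".join(words))
    if history_digest(pw) in list(history)[-HISTORY_DEPTH:]:
        violations.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return violations


def evaluate(candidates: Iterable[str], history: Iterable[str] = ()) -> dict:
    """Run every candidate through the policy and map it to its violations."""
    history = list(history)
    return {pw: check_password(pw, history) for pw in candidates}


if __name__ == "__main__":
    # The post's three examples plus two constructed candidates: one that
    # is already in the (constructed) history, one that is accepted.
    previous = [history_digest("Xq7!Zr9#mw")]
    results = evaluate(
        ["97to$%ABC", "3-5zq?jbeLN", "a1b2c3d4e5**", "Xq7!Zr9#mw", "Xq7!Zr9#mv"],
        previous,
    )
    for pw, problems in results.items():
        verdict = "accepted" if not problems else "; ".join(problems)
        print(f"{pw:14s} -> {verdict}")
```

The substring loop is quadratic in the password length, which is harmless at these sizes; the point of writing it out literally is to see how a rule that rejects any two-letter word knocks out candidates that satisfy every other requirement, which is what pushes users toward the digit-letter alternation the post guesses at, or toward writing the result down.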

Oh, and the password expires every 60 days, so just about when you've come up with something that matches their criteria, it's time to change again.

Now granted this site has some sensitive information, but wouldn't it make more sense to use certificate-based authentication, which is far harder to attack in a brute force manner than passwords? (Assuming, that is, that you're not using certificates with MD5 signatures.)

I'd bet that 90% of their users have the passwords written down.

Social Security card requirements

To get paid by an employer in the US, the employee and employer are required to fill out an I-9, which requires that the employee provide various forms of ID. In addition, employers are generally required to use the eVerify system to do an online employee check – that the Social Security Number provided actually belongs to the employee.

This is about an employer who decided to go beyond the law, and is not only violating the law but also causing themselves extra work.

I work roughly one day a year for Fairfax County (Virginia) as a pollworker, for which I’m paid $100. I obviously don’t do it for the money. Even though I presented a passport as proof of citizenship (a requirement for being a pollworker, and legally adequate for the I-9), this year they decided to demand that pollworkers also provide a copy of Social Security Cards – even though for many of us, they’re clearly labeled “not valid for identification”. I refused to provide mine – it’s not a legal requirement, but rather their policy. And I said if they didn’t want to pay me, they don’t have to. [Incidentally, no employer has ever asked me to provide a Social Security card – of course I have to provide the SSN, but that’s a different requirement.]

Last week, I got a call from the county’s payroll department. It seems that eVerify kicked me out as a mismatch – my Social Security record includes my middle name, and I used my middle initial on the pollworker form, or vice versa. So they’re spending an hour of someone’s time (not to mention annoying me) to validate my SSN, so they can determine whether I have a legal right to work – even though they’ve already determined that, by virtue of my passport.

I suggested that if the verification doesn’t match, they don’t have to pay me. But Virginia law requires them to pay pollworkers. Further, the law gives only a few reasons for refusing to allow someone to be a pollworker, and refusal to provide a Social Security card isn’t one of them (about the only reasons for refusing someone are if they’re not a citizen of the US, not a resident of Virginia, or a convicted felon).

The county employee also said that “only” ½ of 1% of people failed e-Verify. Given that being a pollworker is a job that (almost?) no one does for the money, one would expect that every single verification failure is an error – unlike in other jobs where there’s a certain fraction of illegal workers. So in a “real world” environment – say a grocery store, where the motivation for fake credentials is much higher – the rate of mismatches is probably ten times higher.

My conclusion: eVerify is a huge waste of money and will have a negative impact in the long run, because the ratio of false positives (people who are incorrectly tagged as being unauthorized to work) is so high it will cause organizations to become complacent and ignore the TRUE positives.

Postscript: After writing this blog entry but before posting it, I met some people from the Social Security Administration who confirmed my understanding that there’s no legal requirement for presenting a Social Security card as a condition to work.