Breaking our password hash habit: Why the sharing of users’ password choices for defensive analysis is an underprovisioned social good, and what we can do to encourage it.
Workshop on the Economics of Information Security |
Attackers only get better at guessing the passwords users will create under a given set of password composition constraints. They learn more about users’ password-selection behaviors each time they compromise a passsword, regardless of whether they obtain the password by breaching a password database, installing a key logger, phishing, or by guessing. Defensive analysis of user-chosen passwords could similarly identify predictable password-selection behaviors and help us to prevent users from choosing predictable passwords. Alas, attempts to perform such analysis have been stunted by requirements to encrypt passwords irreversibly and by the indignation shown for those who would try to analyze the passwords their users choose. We argue that encrypting passwords irreversibly has done more harm than good, providing a minimal short-term reduction in risk as opposed to reversible encryption, but imposing a severe cost on our ability to improve password defenses for the long term. As encrypting passwords is of little value if users continue to choose passwords that are easily guessed, our collective choice to blind ourselves to our users’ passwords has made us collectively less secure. We argue that passwords should be encrypted so as to allow for oﬄine defensive analysis. While we believe there’s a strong case to be made that the social beneﬁts of defensive password analysis outweigh the risks, the individual cost/beneﬁt tradeoﬀ discourages users and ﬁrms from contributing passwords for defensive analysis. When choosing a password, an individual may beneﬁt from analyses based on others’ prior contributions, but does not beneﬁt from contributing the password she chooses. However, she bears the risk should the password she has chosen is compromised as a result of contributing. This makes making free-riding on others’ password contributions the security-optimizing strategy for her as an individual. To solve this free rider problem, we propose that systems that help to prevent users from choosing weak passwords (informed by prior users’ passwords choices), require that those using the system contribute their newly-chosen passwords in return.