11

Suppose there is a web property that has some sort of reward system or commodity that its users desire. It could be reputation on Stack Exchange-like sites, rank badges on message boards, or add-on features that are unlocked over time.

I have often seen forms with a "password strength meter" -- as the user enters their password, the bar changes from red to yellow to green to indicate how strong their password choice is. But I have never seen a combination of these two concepts.

Why don't we reward users who pick strong passwords by giving them more rep upfront, or bestowing badges, or unlocking exclusive features? I imagine publicly-viewable badges might not be the smartest move; if there was a bronze badge that could be taken to mean "this user chose the second-weakest complexity" that would divulge way too much info to a potential attacker. (A cursory glance at a user's public profile would reveal which accounts had the weakest passwords, and they'd focus their efforts on the lower-hanging fruit.)

Has anybody ever tried this? Did it work?

EDIT: Would it change anything if the benefit was not publicly advertised? For example, if a bank gave a slightly higher savings account interest rate to users that opted to use an MFA token?

smitelli
  • 2,035
  • 3
  • 15
  • 19
  • 19
    I'd hazard a guess badges would only highlight the users that did NOT choose strong passwords - making their accounts targets. – Prinsig Apr 22 '15 at 12:55
  • @Prinsig Yeah, badges would be a huge giveaway. I guess rep could be too -- if you came across a user with low overall rep, even though it doesn't specifically spell it out, you could infer that they must not have a strong password. – smitelli Apr 22 '15 at 13:10
  • 6
    Some MMOs do something similar. For instance, in Blizzard's World of Warcraft, the user is rewarded with in-game goodies (purely aesthetic) for attaching a 2FA authenticator to their account. – Stephane Apr 22 '15 at 14:28
  • 15
    How about rewarding strong passwords by not making them change it every three months? – Random832 Apr 22 '15 at 16:40
  • 1
    To add to @Stephane 's comment: some MMO's offer in-game currency/goods for chosing strong passwords/changing passwords regularly. – TZakrevskiy Apr 22 '15 at 17:25
  • Frankly, it's not the web/service's job to make the user choose something more secure. If your password policy allows for weaker passwords, then you must allow the weaker passwords. The web/service can encourage and inform, but not do the risk assessment for each person. – schroeder Apr 22 '15 at 18:42
  • 2
    Related new SE site: [gamification.se] – unor Apr 22 '15 at 18:55
  • 1
    Strong passwords are their own reward – jqa Apr 22 '15 at 19:23
  • Would you then take away the rewards when a user changes their password to something "weaker" in your eyes? – user2813274 Apr 22 '15 at 22:17
  • From a purely business perspective you have to weigh a minuscule reputational risk of a user having a weak password that you haven't forbidden and that subsequently has their account compromised against the additional expense of creating and maintaining additional features. I suspect that for most businesses it's just not worth the extra expense. – Ben Apr 22 '15 at 23:25
  • 1
    [Some banks](http://ibkb.interactivebrokers.com/node/1131) do incentivize customers to use multi-factor authentication by lifting limitations. – pkaeding Apr 23 '15 at 05:00

7 Answers7

28

We don't know how to measure the strength of a password, by looking at the password. Of course, there are many tools that purport to be "password strength meters" and give you a nice green colour. However, they are all baloney and do not give you the "true" strength; instead, what the password strength meter tells you is: "assuming the attacker is a chimpanzee, then your password is good".

So while a "red" value from the meter is an interesting information (it tells you: "your password is so poor that even a chimpanzee could break it"), concentrating on getting a "green" result will not get you far. It will, in all generality, make you immune to chimpanzee hackers.

In fact, password strength meters, and even more your proposed badge system, are toxic: they encourage users to find "witty" passwords that go out of the couple of "password rules" embedded in the password meter system. This trains users into trying to reach password security through wit and cunning, the exact opposite of what they should do. Password strength comes from randomness. Randomness cannot be measured from the output.

What could work is a password generator, that uses randomness to suggest a password to users when they choose it. Then they may get the badge if they elect to use that password. If they make another choice, in the privacy of their mind (where randomness is hard to obtain, unfortunately), then they don't get the badge.

Steve Dodier-Lazaro
  • 6,798
  • 29
  • 45
Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • The suggested password idea reminds me of [this question](http://security.stackexchange.com/questions/85934/why-does-the-user-pick-the-password). – smitelli Apr 22 '15 at 14:58
  • It is unreasonable to ask users to remember a random password (especially one for every website). The use of password managers is rare, not easily encouragable and certainly not enforceable. This thus leads users to save or print their passwords which depending on the environment and other factors causes more problem than a "weak" password not written down. – Andreas Bonini Apr 22 '15 at 16:56
  • 8
    Well, I don't _require_ users to remember a random password. I suggest it, and I reward them if they do. Writing down passwords is not bad idea, as long as they keep the paper in a safe place (their wallet is not a bad place for that). The real benefit from such a system is not that the password is random; it is that the user will have a distinct password on every site, and passwords for one site cannot be inferred from passwords for the same user on another site. As long as the system enlists user cooperation, and does not try to enforce things, it may work. – Tom Leek Apr 22 '15 at 17:37
10

A few reasons:

  • It would leak information about which accounts have weaker passwords. Even if not publicly accessible, if an attacker got access to password hashes and the password strength indicator value was also retrieved they could eliminate the cracking of the harder passwords from their attack.
  • "Password strength" is not really a metric. The strength of a password is based on the entropy pool from which to create the password. admixquit might be a random phrase of 9 lower case letters, in which case it has an entropy of 42 bits. Or it could be two dicewords, giving only 25 bits of entropy. The password juancarlitos is 12 characters long, and using these methods this makes it "stronger" than admixquit (with both variations of generating - Diceware or random letters). However juancarlitos is found around position 200,009 on the RockYou word list making password guessing easy. Who decides what qualifies as "strong"?
  • Some users as uncomfortable with long passwords. This may encourage users to set a complex password and get the reward only to have to then reset it to the same password they use on all other systems because they've forgotten it. This defeats the whole object of having the reward in the first place.
SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
2

Setting up a system as you describe would be an information leak which would tell an attacker which users to attack, so would be a bad idea on that reason alone.

Also, it's not necessary. If you want users to choose strong passwords all you need to do is set length and complexity requirements.

GdD
  • 17,291
  • 2
  • 41
  • 63
  • 2
    I'm on a personal crusade to raise awareness that length != complexity. I think that as an industry we should be forgetting about length requirements, and moving towards entropy-based policies. zxcvbn is a fun password strength meter with this idea: https://apps.cygnius.net/passtest/ – Mike Ounsworth Apr 22 '15 at 13:14
  • 1
    @MikeOunsworth: +1 for the link, seems a useful project even if I do not get how it could honestly flag as NOT acceptable long passphrases ranked 4/4 calculated as taking centuries to be cracked... Anyway [here](https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase) and [there](https://security.stackexchange.com/questions/72781/security-of-pronounceable-passwords/72822#72822) are other discussion relevant for your "crusade" ;). – WhiteWinterWolf Apr 22 '15 at 13:32
  • 1
    @GZBK thanks for links. I agree that length _generally_ make passwords stronger, but doesn't always. For example "password" is actually easier to guess than "passwo". Whereas higher entropy _does_ mean stronger password (assuming you have a good entropy estimator). I'm also fed up with websites (esp. banks. wtf banks...) who reject "correcthorsebatterystaple" as being 1/4, but happily accept "1234Aa.." as 4/4 – Mike Ounsworth Apr 22 '15 at 13:42
  • 2
    Your crusade is misguided. Complexity does NOT translate as a very important increase of entropy in practice. Most systems use a very crude measure of entropy because they fail to model the passwords *actually* being used in practice. For instance your site proposes that adding a space between words in a XKCD passphrase dramatically decreases its entropy, whilst a spaceless format would be as easy to bruteforce. Why the difference in entropy then? We don't have enough data about password reuse to properly model all substitutions, more research is needed. – Steve Dodier-Lazaro Apr 22 '15 at 13:43
  • Besides, the real deal with passwords is memorability: is it easier to remember a long and simple password than a short and complex one? And then, how does memorability overall affect password reuse, and then how does password reuse affect security? Because let's not fool ourselves, the main issue you're facing as a service provider is getting your whole db stolen, and contributing to compromising thousands of accounts on other services because you couldn't be bothered to properly hash and salt your passwords. – Steve Dodier-Lazaro Apr 22 '15 at 13:44
2

Firstly, what is a strong password? The astonishing majority of websites use meters based on the maximum achievable entropy of a character space, rather than on the entropy of passwords actually created by users. Strength meters fail to incite users to create actually random passwords, and they fail to capture the fact that users routinely reuse passwords (for a very good reason: they have too many to remember).

Secondly, why would we want to continue forcing users to pick strong, unique passwords themselves? Authentication as it is implemented currently is broken. It requires too much effort as you scale it to the number of authentication encounters a person makes per day (see the NIST password fatigue study to get an idea of the scale of authentication events in the workplace alone).

Most researchers and industrials working on authentication fail to understand this basic fact, and as a result we have no evidence about what is the best course of action for website developers. Still, federated identity systems such as OAuth2 or OpenID should be used, to let users rely on e.g. their GMail credentials to log in. Many websites have no rationale for even asking users to remember yet another password, and should certainly not consume more user attention than strictly necessary for their security operations.

If you need more convincing of why it's a bad idea to force or even encourage users to increase their efforts on password creation, read:

Anthony Geoghegan
  • 189
  • 8
Steve Dodier-Lazaro
  • 6,798
  • 29
  • 45
  • A surprising number of password meters consider "Password1!" to be an exceptionally strong password: 8+ characters, with upper-case, lower-case, numbers, and symbols. – Mark Apr 22 '15 at 22:03
  • 1
    Which is why password strength requirements are so damaging to usability. They often turn up enforcing slight entropy gains at the cost of high typing and recall efforts. Multiply across all the credentials you have to use, and you exponentially increase effort. Adams and Sasse in 99 already found that information workers had too many passwords to remember, and it surely hasn't gotten better. – Steve Dodier-Lazaro Apr 23 '15 at 08:11
2

The same reason people don't get rewards for paying child-support or showing up for work, it's something that you are supposed to do. You don't get kudos for doing things you are supposed to do. Chris Rock did a nice presentation on this subject.

omgimdrunk
  • 121
  • 1
  • 5
    I get a paycheck for showing up for work! If i didn't get that, I would probably stop going! ;) – smitelli Apr 22 '15 at 15:22
  • I believe that would fall under a contractual trade agreement, rewards should be unexpected. But I see your point. – omgimdrunk Apr 22 '15 at 16:05
1

Most websites/services would struggle to offer an incentive for a user having a strong password. Of course, badges and rep on sites such as *.stackexchange but otherwise i don't see what could really be offered?

This is of course ignoring the leaking of information, or target painting for the users without stronger passwords. I am unsure as to whether or not it would constitute a DPA breach in the UK - i will consult our DPA officer and ask. (Edit: This is in no way a DPA breach as no personal data is involved)

I don't think that a carrot and stick approach works in regards to password complexity, until a user has been stung that is.

Aaron Dobbing
  • 473
  • 3
  • 13
1

Although the argument that security itself should be enough of a reward is a fair one, there are some companies out there that already do this. For example Mailchimp (who I have no affiliation with apart from being a customer) have been giving 10% discount since March 2013 if you enable 2FA on your account (and before that it was 2% since February 2012).

They've obviously decided as a company that it lowers the risk to them (if a spammer got hold of your Mailchimp account it could put a big dent in their reputation and deliver-ability) so they're financially rewarding you accordingly for it.

Matthew Steeples
  • 221
  • 1
  • 5