A lack of consistent password security standards damages web security, according to researchers from Cambridge University.
Websites suffer from uneven implementation of password technologies, according to researchers Joseph Bonneau and Sören Preibusch. This security inconsistency problem is compounded by people reusing passwords across multiple sites, as compromise on a weak site could undermine stronger authentication mechanisms on different sites.
The researchers presented an empirical study, which sampled 150 websites, at the WEIS security conference on Monday.
"Many poor [password implementation] practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks," wrote the researchers.
Websites with few security incentives, such as content websites, had the worst password security, while websites that included financial transactions had better security, the researchers found.
People have little incentive to remember multiple passwords, meaning that any successful compromise of passwords for weak-security sites will put stronger ones at risk, said the researchers.
Professor Ross Anderson of Cambridge University said that password authentication needs adequate standards. "Most sites reinvent the wheel, and most of them do it badly," wrote Anderson in a Monday blog post.
Talkback
Not only do people have little incentive to remember multiple passwords, the very nature of alphanumeric passwords makes them impractical for people to remember. Authentication methods need to be both strong and *easy for people to use* in order to be secure. Relying on alphanumeric passwords for logins is antiquated and ineffective. Websites need to consider other authentication methods. One such alternative is to use “graphical passwords” to augment or even replace traditional alphanumeric passwords.
The human brain is better able to remember experiences, images and emotions than strings of letters, numbers and symbols. Image recognition or recall can be used to replace alphanumeric passwords, or even be used in conjunction with alphanumeric passwords to create one-time access codes that are more secure while at the same time being easier for the user to remember. Confident Technologies is one company working on these types of image-based authentication solutions: www.confidenttechnologies.com. Other methods that can be used to augment passwords and make website logins more secure include out-of-band authentication (such as the user’s mobile phone, which many people carry with them all the time).