Thursday, January 22, 2009

Why Web Sites Need Stronger Passwords Now

There is a new trend in Internet crime: criminals breaking into web sites by guessing passwords, then installing cross-site scripting (XSS) exploits on the compromised web site’s pages. That in itself is nothing new, but the process has been automated somehow, so that apparently millions of web sites have been broken into in recent weeks. This forces a change in the way we handle web site passwords. It also calls for a change in web browsers.

It is more important than ever for a web site to have a strong password. The password of a web site should not be a single word or an obvious combination of two words. We can now say that it should also not be a combination of words that appear on the web site.

Just three years ago, we were encouraging people to form strong passwords by combining two unrelated words, as an improvement over single-word passwords. That strategy can still work, but it does not form a strong password if the words, or the combination of them, are obvious. A single word is too obvious because there are only a million words in common use on the Internet. A break-in program can try a million passwords in a blink of an eye. Yet if you think of an ordinary company or musician web site, it has fewer than 30,000 distinct words. These words form fewer than a million pairs of words, so the combination is still too obvious to use as a password.
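
One way to enforce this rule when a password is set, as an added example that is not part of the original post: the Python sketch below collects the distinct words on a site's pages and rejects a candidate password that is a single site word or two site words joined together. The function names, the separator set, the three-letter minimum and the sample page text are assumptions made for illustration.

```python
import re

WORD_RE = re.compile(r"[a-z]+")
# Assumption: characters people commonly put between or after words.
SEPARATORS = "-_.!@#$ "
DECORATION = "0123456789" + SEPARATORS


def site_words(page_text, min_len=3):
    """Distinct lowercase words of at least min_len letters in the site's text."""
    return {w for w in WORD_RE.findall(page_text.lower()) if len(w) >= min_len}


def weak_reason(password, words):
    """Return why the password is guessable from the site's words, or None."""
    # Trailing digits and punctuation ("bakery2009!") add little, so ignore them.
    core = password.lower().rstrip(DECORATION)
    if core in words:
        return "site-word"
    # Try every split point; allow a separator between the two halves.
    for i in range(1, len(core)):
        left = core[:i].rstrip(SEPARATORS)
        right = core[i:].lstrip(SEPARATORS)
        if left in words and right in words:
            return "site-word-pair"
    return None


def audit(candidates, page_text):
    """Map each candidate password to its weakness reason (None = not derived)."""
    words = site_words(page_text)
    return {pw: weak_reason(pw, words) for pw in candidates}


# Constructed sample: text as it might appear on a small business site.
SAMPLE_PAGE = (
    "Welcome to Blue Harbor Bakery. Fresh bread, pastries and coffee "
    "every morning in downtown Portland."
)

if __name__ == "__main__":
    for pw, reason in audit(
        ["bakery", "BlueHarbor", "harbor-bread2009", "quartz-velvet-otter"],
        SAMPLE_PAGE,
    ).items():
        print(f"{pw!r}: {reason or 'not derived from site words'}")
```

A result of None means only that the password was not built from the site's own words; it says nothing about whether the password is strong in other respects.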

So many web site passwords have been compromised that some web hosts have gone to the trouble of resetting all passwords. In truth, it would be hard to find out if someone had broken into your site. You would find out only if someone happened to notice the small and sometimes temporary changes in the web code, changes that would not be visible in the web pages themselves. And so the old suggestion of changing passwords periodically still applies — even for web sites on which the pages themselves barely change from year to year.

Web browsers could go a long way toward stopping this problem by giving users the option of disabling cross-site scripting, the practice of including, on a web page in one domain, a JavaScript routine or Flash application stored under another domain name. Cross-site scripting is a problem because it means you can’t make the Web secure by securing one domain at a time. Yet cross-site scripting is routinely used to place objects such as advertisements on web pages. I use it, or something like it, to place YouTube movies on this blog. The attempts at XSS blockers so far have had limited success because they have tried to distinguish between legitimate scripts and XSS exploits that are meant to damage a web page in order to gain access to user data. There are, however, browser add-ons to block all scripts. It shouldn’t be that much harder to block all scripts that don’t come from the same domain as the web page or from a list of known good domains provided by the user. And I think you could make a case that that should be the default behavior of a web browser.