August 24th, 2011 at 12:39 UTC by Joseph Bonneau
Last week, in retaliation against the heavy-handed response to planned protests against the BART metro system in California, the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords-a rare opportunity to study this approach to password security.
Examining archived versions of the myBART website confirms that, from its launch in 2001 until at least 2006, users were not allowed to select their own passwords, receiving a random password by email after signing up. Assigning users random passwords is very unusual on the web-in our 2010 survey we observed this at only 1 out of 150 sites. Indeed, myBART underwent a 2008 redesign and now users may choose any password they wish. Unfortunately, myBART still emails passwords in the clear if they are forgotten, requiring them to store passwords un-hashed in their database.
The data leaked by Anonymous appears to contain only accounts created during the era of randomly-assigned passwords (only about 2,000 of an estimated 50,000 were leaked). They represent a contiguous range of sequential user IDs, and the proportion of random passwords doesn’t change significantly for higher user ID numbers (presumably created later). We can conclude that about two thirds of users have kept their randomly-assigned password, and the other third actively changed it to something else.
It’s possible that more users would change at a more frequently-used site. myBART accounts mainly served to manage mailing list preferences, and it’s likely that some users rarely or never logged in. Past research indicates that users don’t like random passwords for commonly-used accounts, and are much more likely to write them down. In the myBART case, they were effectively written down for users, in that they received the password via email.
Still, it’s encouraging that at least some users accepted the randomly-assigned passwords. The format used (2 digits plus up to 8 lower-case characters) theoretically requires 44 bits of work to guess. The developers appear to have used some library (not the common tools pwgen or gpw) to generate easier-to-remember strings, as the distribution of letters is highly-non-random, but the min-entropy is still about 19 bits, which is sufficient to prevent online attacks. Even weak random passwords like these are much more resistant to guessing attacks than most user-chosen passwords.
Perhaps more importantly, by using random passwords, myBART prevented itself from leaking (most of) its users’ passwords which may have been re-used at other sites. Considering their failure to hash passwords, it’s not clear security was the main motivation for assigning random passwords at myBART. Yet this may actually be a good paradigm to investigate further. Given the ease of webmail searching and the increasing availability of browser password caches, randomly-assigned passwords recorded in one’s webmail may actually be a good approach for low-security, infrequently accessed web accounts.