Your company decides to start the business of selling toys online and shipping globally. The e-commerce system that supports the new business will be developed in-house. In a requirements workshop, the representative of the customer support department suggests that when a user logs in with the wrong password, the system shall display the message, “Invalid password. please login again.” The reason is that users are frequently calling customer support to reset their passwords while insisting they didn’t type the password wrong. As a security professional, which of the following should you suggest first?
A. Use a semantic passphrase
B. Automate the reset password process
C. Revise the message to guide the reattempts of login
D. Lower the requirement of password length
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer; what really matters is your reasoning process and justifications.
My suggested answer is C. Revise the message to guide the reattempts of login.
The message can be revised properly to guide customers to reattempt logins to reduce support requests. However, the suggestion from the representative of the customer support department is not a good idea, because “an error message referring to an incorrect password will encourage brute force attack attempts.” [Donald Oba]
The revised error message should not disclose that it was specifically the password that was invalid.
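As an added example (not from the original post), here is the workshop’s proposed message beside a revised, generic one in Python. The user store, the sample credential and the exact message wording are constructed for illustration; the point is that the revised handler returns the same response, after the same amount of work, whether the username or the password was wrong.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 digest).
# The credential below is made up for this example.
ITERATIONS = 50_000

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("IP@$$edTheCISSPEx@m.", _SALT))}

# Dummy credential used for unknown usernames so the generic handler still
# performs a full hash computation; its timing then does not reveal whether
# the username exists.
_DUMMY = (secrets.token_bytes(16), bytes(32))

def login_verbose(username, password):
    """The message proposed in the workshop: it tells the caller which factor
    was wrong, confirming valid usernames and inviting further password guesses."""
    if username not in USERS:
        return "Unknown user."
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Invalid password. please login again."
    return "OK"

def login_generic(username, password):
    """Revised message: identical response whether the username or the password
    was wrong, guiding the user to retry without disclosing which part failed."""
    salt, digest = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), digest)
    if username in USERS and match:
        return "OK"
    return "Login failed. Please check your username and password, then try again."

if __name__ == "__main__":
    for handler in (login_verbose, login_generic):
        print(handler.__name__, "|", handler("alice", "wrong"), "|", handler("bob", "wrong"))
```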
A passphrase is a string of characters similar to a password but that has unique meaning to the user. Passphrases are often basic sentences modified to simplify memorization.
Here’s an example: “I passed the CISSP exam” can be converted to the following passphrase: “IP@$$edTheCISSPEx@m.” Using a passphrase has several benefits.
It is difficult to crack a passphrase using a brute-force tool, and it encourages the use of a lengthy string with numerous characters but it is still easy to remember.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide. Wiley.
Considering that the entropy of written English is less than 1.1 bits per character, passphrases built from ordinary sentences can be relatively weak for their length.
For example, two fair coin tosses carry two bits of entropy: the information entropy in bits is the base-2 logarithm of the number of possible outcomes, and with two coins there are four possible outcomes. Generally, information entropy is the average amount of information conveyed by an event, when considering all possible outcomes.
General Problem Solving Process
The following is a general problem-solving process:
- Define The Problem
- Analyze The Problem
- Propose Alternative Solutions
- Select The Best Solution
- Implement the Solution
The problem statement is:
Users are frequently calling for customer support to reset the password but insist they didn’t type the password wrong.
Users believed they had typed the password correctly, yet the login still failed, so they contacted customer service and asked for support.
- “B. Automate the reset password process” reduces the workload of customer support staff, but it does not solve the underlying problem, which would keep recurring every day.
- “D. Lower the requirement of password length” would make the system more vulnerable and subject to password attacks.
The root cause should be analyzed; in particular, the possibility that the user’s password has been cracked should be considered. Besides, “an error message referring to an incorrect password will encourage brute force attack attempts.” [Donald Oba]
“C. Revise the message to guide the reattempts of login” is better than other options and should be recommended first.