In my last article, What Poker Regulators and Players Must Learn About Computer Security, I provided an overview of some security issues that affect the online poker industry and stated that as online poker moves toward full regulation in the United States, basic security needs to be improved.
This time, I want to address a fundamental issue that, if weak, could cause a user’s account to become compromised: passwords. If you are like me, you have passwords for everything: poker accounts, forum accounts, bank accounts ― the list is endless. The problem is that passwords by themselves are not an effective solution. Passwords can be cracked, even if encrypted, and they are subject to brute-force attacks. In most cases, they are easily guessed. This is especially true when online poker sites do not require password complexity, do not have account lockout enabled, and have weak password controls overall.
While conducting research over the summer, I discovered that the majority of the poker sites did not enforce strong password policies. The information in the following table is a little dated, but it still provides a good indication of the password trend in the industry.
As seen in this small sample, the requirements are not that strong. In fact, the Cake Poker Network was the only site with requirements that met established best practices. That is not to say there are no other sites with strong requirements: PokerStars is one. Due to the current climate, I did not have an opportunity to verify sites that do not accept U.S. players. In regulated environments, such as those governed by the Payment Card Industry (PCI) standards, the Federal Information Security Management Act (FISMA) and the International Organization for Standardization (ISO), there are standards that must be met related to password management. These include password complexity, lockout, and expiration, to name a few. Why is this important? The following figure demonstrates how easy it is to “brute-force” a password.
In this example, a known password of a test account is used for demonstration purposes, so it is easily guessed. However, with account lockout not enabled, this same technique could be applied to accounts with more complex passwords. Since the account will not be locked out after a specified number of unsuccessful attempts, it is only a matter of time before the password is guessed. Of course, having weak passwords is only part of the puzzle ― valid user names are still needed. Unfortunately, for the most part, the user name used to log in is the same screen name that is visible to the other players at the table. Alternatively, a site like Poker Table Ratings could be used to target winning players.
This issue with passwords is not unique to the poker industry and, to be fair, many of the sites do offer alternatives to password authentication. Some type of multi-factor authentication, such as an RSA token, is available at many sites. While no solution is 100% secure, multi-factor authentication is something that I recommend. The problem is that many of these password alternatives require the user to pay for them. To avoid the cost, many users will just use the default password mechanism for authentication.
So, what can you do to better protect yourself if you have to use password-only authentication? The answer is to use a strong, complex password (containing at least 14 characters, alphanumeric, with special characters), even if sites do not require it. Change your password frequently (at least every 30 days). Do not use the same password across multiple sites or for other purposes. None of these suggestions are new, and you should use the same approach with all your other passwords. I would like to see sites offer alternatives to passwords by default, require the login ID to be different from the screen name, enforce account lockout, enforce password expiration, and only allow users to log in from specific geographic locations (for example, an account in the U.S. normally does not need to log in from China).
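As an added illustration of the site-side controls recommended above (this is example code written for this discussion, not code from the original article or from any poker site), the following Python sketch enforces the 14-character complexity rule and the 30-day expiration from the article, and adds an account lockout. The lockout threshold of five attempts and the 15-minute lockout window are assumptions, and the plaintext comparison stands in for a real password-hash check.

```python
import hmac
import re
from dataclasses import dataclass
from typing import List

# 14+ characters, letters, digits, special characters and 30-day rotation
# follow the article; the lockout threshold and window are assumed values.
MIN_LENGTH = 14
MAX_PASSWORD_AGE_SECONDS = 30 * 24 * 3600
LOCKOUT_THRESHOLD = 5        # assumption: failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60    # assumption: how long the account stays locked


def password_policy_violations(password: str) -> List[str]:
    """Return the policy rules a candidate password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    return problems


@dataclass
class Account:
    """Constructed account record; a real site stores a password hash, never the password."""
    login_id: str
    password: str
    password_set_at: float   # epoch seconds when the password was last changed
    failed_attempts: int = 0
    locked_until: float = 0.0


def attempt_login(account: Account, candidate: str, now: float) -> str:
    """Check lockout first, then the password, then expiration.

    Returns "locked", "bad_password", "expired" or "ok".
    """
    if now < account.locked_until:
        return "locked"   # refuse even a correct password while locked
    if not hmac.compare_digest(candidate.encode(), account.password.encode()):
        account.failed_attempts += 1
        if account.failed_attempts >= LOCKOUT_THRESHOLD:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
        return "bad_password"
    account.failed_attempts = 0   # a good login resets the failure counter
    if now - account.password_set_at > MAX_PASSWORD_AGE_SECONDS:
        return "expired"          # correct, but the user must rotate it
    return "ok"
```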
While I do not believe that the information in this posting is a surprise to the majority of players, it will hopefully make you think the next time you are prompted to choose a password. I do believe that when poker is regulated in the U.S., password standards and controls will need to be strengthened and required. The next article will discuss how to use virtualization to protect yourself from phishing and other attacks that could be used to capture your password and other sensitive information.