On password security

I was talking with Kelly today about passwords, and how they are a fundamentally weak form of security. Supposedly, we are all meant to have different passwords for every site, so that one database being compromised by an external hacker or malicious insider won’t lead to our email and other sites being at risk. Also, we are supposed to use long and complex passwords with case-changes, numbers, punctuation, etc. (Think ‘e4!Xy59NoI2’) Together, these two requirements far exceed the capability of most human beings.

The real solution is to back up passwords with something else, so that they don’t need to be so strong. This is called two-factor authentication, and it could include something like a smart card that people carry and slot into computers along with a password so as to authenticate themselves. This is already used in cars. Inside the key or newer cars is a little chip with a radio antenna. When you try to use the key to start the car, a radio message is broadcast by the car. The chip detects it, does a bit of thinking to generate a response that authenticates the key, and re-broadcasts it. Using both the physical profile of the key and the radio challenge-response authentication system, attacks based on picking locks or freezing and cracking the cylinder inside them can be circumvented. The system obviously isn’t impossible to foil, but it is substantially more difficult in relation to the additional cost.

In the computer context, such two-factor authentication could take other forms: for instance, a little card that listens to a series of tones from an external source (over the phone, or from a computer), passes them through an algorithm and emits a series of tones in response to authenticate. This is just doing with audio what a smart card does with electricity. Ideally, the second factor would be like a credit card, in that you could have it cancelled and re-issued in the event that it is lost or stolen, immediately disabling the missing unit.

Until such a system emerges, it seems sensible to have tiers of passwords. I have two really weak passwords for things that I sometimes share with close friends. Then, I have a password for low-risk sites where there is no real harm that can come from my account being compromised. Then, I have a cascade of ever-stronger passwords. Something like LiveJournal has a pretty strong password, because it would be a pain if somebody took it over. The general vulnerabilities of passwords are:

  1. Someone could guess it (either manually or with a brute force attack)
  2. Someone could watch you type it in
  3. Someone could install a hardware or software keystroke logger on a machine where you enter it
  4. Someone could break into a database that contains it, then try using it on other sites you use
  5. Someone could extract it from a program on your computer that stores them in an insecure way (like Windows screen-saver passwords, which can be learned using a simple program)

Most of these require physical access to a machine that you use. I would guess that the most common of these is number four. Given that most people use the same password for everything, some underhanded employee at your ISP or webmail provider could probably grab it pretty easily, as well as information on other sites you use. (Hashing algorithms are one way this risk can be mitigated, on the server side, but that’s a discussion for another day).

At the top level, there are things that demand a really strong password: for instance, webmaster control accounts or anything connected to money. For these, I use random alphanumeric strings of the maximum permitted length, never re-using one and changing them every month or so.

Obviously, I cannot remember these for several banks and websites. As such, I write them down and guard them. I am much better at guarding little bits of paper than at remembering random strings of data. I regularly carry around little bits of paper worth tens of Pounds, and little bits of plastic worth thousands of Pounds, if only until disabled. Indeed, I have been guarding bits of paper for well over a decade.

Author: Milan

In the spring of 2005, I graduated from the University of British Columbia with a degree in International Relations and a general focus in the area of environmental politics. In the fall of 2005, I began reading for an M.Phil in IR at Wadham College, Oxford. Outside school, I am very interested in photography, writing, and the outdoors. I am writing this blog to keep in touch with friends and family around the world, provide a more personal view of graduate student life in Oxford, and pass on some lessons I've learned here.

29 thoughts on “On password security”

  1. Three prisoners in the gulag get to talking about why they are there. “I am here because I always got to work five minutes late, and they charged me with sabotage,” says the first. “I am here because I kept getting to work five minutes early, and they charged me with spying,” says the second. “I am here because I got to work on time every day,” says the third, “and they charged me with owning a western watch.”

  2. A man dies and goes to hell. There he discovers that he has a choice: he can go to capitalist hell or to communist hell. Naturally, he wants to compare the two, so he goes over to capitalist hell. There outside the door is the devil, who looks a bit like Ronald Reagan. “What’s it like in there?” asks the visitor. “Well,” the devil replies, “in capitalist hell, they flay you alive, then they boil you in oil and then they cut you up into small pieces with sharp knives.”

    “That’s terrible!” he gasps. “I’m going to check out communist hell!” He goes over to communist hell, where he discovers a huge queue of people waiting to get in. He waits in line. Eventually he gets to the front and there at the door to communist hell is a little old man who looks a bit like Karl Marx. “I’m still in the free world, Karl,” he says, “and before I come in, I want to know what it’s like in there.”

    “In communist hell,” says Marx impatiently, “they flay you alive, then they boil you in oil, and then they cut you up into small pieces with sharp knives.”

    “But… but that’s the same as capitalist hell!” protests the visitor, “Why such a long queue?”

    “Well,” sighs Marx, “Sometimes we’re out of oil, sometimes we don’t have knives, sometimes no hot water…”

  4. The Problem with Password Masking
    By Bruce Schneier

    It’s time to show most passwords in clear text as users type them. Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.

    Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.

    More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

  5. The Pros and Cons of Password Masking

    Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong.

    I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.

    The cost is accuracy. When users don’t get visual feedback from what they’re typing, they’re more prone to make mistakes. This is especially true with character strings that have non-standard characters and capitalization.

  6. Strong Web Passwords
    By Bruce Schneier

    ABSTRACT: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a “three strikes” type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat If a larger credential space is needed it appears better to increase the strength of the user ID’s rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal betterfor users. For small institutions there appears little reason to require strong passwords for online accounts.

  7. Apple Keyboard Firmware Hack Demonstrated

    “Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device’s firmware. This could be a serious problem, and now that the presentation and code (PDF) is out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. … The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently.”

  8. Changing Passwords

    How often should you change your password? I get asked that question a lot, usually by people annoyed at their employer’s or bank’s password expiration policy: people who finally memorized their current password and are realizing they’ll have to write down their new password. How could that possibly be more secure, they want to know.

    The answer depends on what the password is used for.

    The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they’re more likely to choose easy-to-remember — and easy-to-guess — passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.

    The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year’s worth of benefit out of it. After that, it’s useless.

    This becomes less important when the credential contains a biometric — even a photograph — or is verified online. It’s much less important for a credit card or passport to have an expiration date, now that they’re not so much bearer documents as just pointers to a database. If, for example, the credit card database knows when a card is no longer valid, there’s no reason to put an expiration date on the card. But the expiration date does mean that a forgery is only good for a limited length of time.

    Passwords are no different. If a hacker gets your password either by guessing or stealing it, he can access your network as long as your password is valid. If you have to update your password every quarter, that significantly limits the utility of that password to the attacker.

  9. So in general: you don’t need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you’ve shared a computer with, change them all.

    Two final points. One, this advice is for login passwords. There’s no reason to change any password that is a key to an encrypted file. Just keep the same password as long as you keep the file, unless you suspect it’s been compromised. And two, it’s far more important to choose a good password for the sites that matter — don’t worry about sites you don’t care about that nonetheless demand that you register and choose a password — in the first place than it is to change it. So if you have to worry about something, worry about that. And write your passwords down, or use a program like PasswordSafe.

  10. Advanced sign-in security for your Google account
    2/10/2011 08:30:00 AM

    Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples (like the classic “Mugged in London” scam) that demonstrate why it’s important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.

    Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we’ve developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you’re the real owner of your account. Now it’s time to offer the same advanced protection to all of our users.

  11. Security Considerations in 1Password

    Secure Passwords Keep You Safer

    AccessData sells another program, Forensic Toolkit, that, among other things, scans a hard drive for every printable character string. It looks in documents, in the Registry, in e-mail, in swap files, in deleted space on the hard drive … everywhere. And it creates a dictionary from that, and feeds it into PRTK.

    And PRTK breaks more than 50 percent of passwords from this dictionary alone.

    What’s happening is that the Windows operating system’s memory management leaves data all over the place in the normal course of operations. You’ll type your password into a program, and it gets stored in memory somewhere. Windows swaps the page out to disk, and it becomes the tail end of some file. It gets moved to some far out portion of your hard drive, and there it’ll sit forever. Linux and Mac OS aren’t any better in this regard.

    I should point out that none of this has anything to do with the encryption algorithm or the key length. A weak 40-bit algorithm doesn’t make this attack easier, and a strong 256-bit algorithm doesn’t make it harder. These attacks simulate the process of the user entering the password into the computer, so the size of the resultant key is never an issue.

    For years, I have said that the easiest way to break a cryptographic product is almost never by breaking the algorithm, that almost invariably there is a programming error that allows you to bypass the mathematics and break the product. A similar thing is going on here. The easiest way to guess a password isn’t to guess it at all, but to exploit the inherent insecurity in the underlying operating system.

  12. SecurID >> March 2011 system compromise

    On March 17, 2011, RSA announced that they had been victims of “an extremely sophisticated cyber attack”. Concerns were raised specifically in reference to the SecurID system, saying that “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation.” However, their formal SEC 8K submission indicates that they do not believe the breach will have a “material impact on its financial results.” The extent of the compromise and the associated risk to customers will not be known until further details have been released.

  14. LinkedIn passwords ‘leaked by hackers’

    http://www.bbc.com/news/technology-18338956

    Social networking website LinkedIn is investigating claims that over six million of its users’ passwords have been leaked onto the internet.

    Hackers posted a file containing encrypted passwords onto a Russian web forum.

    They have invited the hacking community to help with decryption.

    LinkedIn Password Hashes Leaked Online

    http://it.slashdot.org/story/12/06/06/1335228/linkedin-password-hashes-leaked-online

    A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 SHA-1 hashed passwords, but no usernames. Several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. The Verge spoke with Mikko Hyppönen, Chief Research Officer at F-Secure, who thinks this is a real collection. He told us he is ‘guessing it’s some sort of exploit on their web interface, but there’s no way to know.’ We will have to wait for LinkedIn to report back to be sure what exactly has happened.” An anonymous reader tipped us to related news: The LinkedIn iOS application harvests information from your calendar and transmits it to their servers unencrypted.

    Your LinkedIn Password

    http://www.metafilter.com/116678/Your-LinkedIn-Password

    LinkedIn has spilled 6.5 million unsalted SHA-1 password hashes.

    Unsalted SHA-1 is vulnerable to rainbow table attacks, meaning the plaintext should be cracked shortly. Email addresses were probably leaked along with the password hashes.

    Anyone with a LinkedIn account should probably change any important passwords that share much in common with their LinkedIn password.

    Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson’s Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks.

    Qualys researcher Francois Pesce used open source password cracker John the Ripper to try to crack SHA-1 hashes of leaked LinkedIn passwords. He ran the John the Ripper default command on a small default password dictionary of less than 4,000 words. The program then switched to incremental mode based on statistical analysis of known password structures, which generated more probable passwords. The results? After 4 hours, approximately 900,000 passwords had been cracked. Francois then ran numerous iterations, incorporating older dictionaries to uncover less common passwords and ended up cracking a total of 2,000,000 passwords.

    http://it.slashdot.org/story/12/06/11/130239/lessons-learned-from-cracking-2m-linkedin-passwords

    There have been a bunch of stories about employers demanding passwords to social networking sites, like Facebook, from prospective employees, and several states have passed laws prohibiting this practice.

    This is the first story I’ve seen of a country doing this at its borders. The country is Israel, and they’re asking for passwords to e-mail accounts.

    https://www.schneier.com/blog/archives/2012/06/israel_demandin.html

  15. Dan Goodin’s Ars piece on the state of password security is a must-read overview of the way that the password cracking landscape has changed in surprising ways. It’s not just that computers have gotten faster — it’s the confluence of several factors, including: more sites that require passwords, which encourages password re-use; sites that use weak password hashing, unsalted hashing, or no hashing at all; and titanic dumps of real-world passwords that provide insight into how users choose their passwords. Put them all together and you get a situation like the LinkedIn dump, where 90 percent of the encrypted passwords were extracted in short order — and where many of those passwords could be used to take over other user accounts, thanks to password re-use.

  17. Kill the Password: Why a String of Characters Can’t Protect Us Anymore

    No matter how complex, no matter how unique, your passwords can no longer protect you.

    Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.

  18. A presentation at the Passwords^12 Conference in Oslo, Norway (slides available here), has moved the goalposts, again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs and communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric.

    Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete.

  19. Password life expectancy down to seconds

    The time an end-user spends devising a password this year will be longer than the life expectancy of that password, according to Deloitte Canada.

    The research organization said Monday that 90% of user-generated passwords would be relevant for mere seconds under pressure from hackers. Those passwords include so-called strong passwords, which are typically eight characters or more.

    Deloitte attributed the vulnerabilities to many of the same issues that have plagued passwords over the years – including re-use of passwords on multiple accounts and obvious passwords patterns. For years, “password” and “123456” have been two of the top passwords favored by end-users.

    In addition, hacking tools are getting more powerful using both hardware and software techniques to crack credentials. Also, “crowd-hacking” techniques that marry thousands of machines and being used to brute-force passwords.

  20. Google Prepares to Leave the Password Behind

    Tech juggernaut Google seems to be preparing to move away from passwords, which have long been a weak point of digital security, in favor of dedicated devices. But first it just has to convince the rest of the Internet to go along with their scheme.

    According to Wired, next month’s edition of the journal IEEE Security & Privacy Magazine will carry a report by Google’s VP of security Eric Grosse and engineer Mayank Upadhyay that outline their vision for a world without passwords.

    The authors reportedly describe a scenario where a single device is used to seamlessly confirm users’ identity. In their experiments, Grosse and Upadhyay used a tiny cryptographic USB card called a YubiKey with a modified version of Google Chrome. However, they hope to take the technology wireless and perhaps integrate with devices users already have—such as mobile phones.

  24. The UK intelligence agency responsible for vast amounts of snooping, as exposed by the Snowden revelations, has released new password guidelines.

    GCHQ and the Centre for the Protection of National Infrastructure have released a report entitled “Password guidance: simplifying your approach”, which suggests that complex passwords are no longer recommended.

    The agency instead recommends using passwords made from three random words, using password managers and jettisoning overly complex password rules in favour of systems capable of detecting unauthorised activity.

    The suggestions seem sensible at face value, allowing users to remember passwords and not forcing them to reuse complex strings of letters, numbers and special characters for many services because they can only remember one or two.

    However, some will be sceptical about trusting the advice of the intelligence agency of a government which has pushed for backdoors within software and the weakening of encryption used to protect user data for surveillance purposes.

    http://www.theguardian.com/technology/2015/sep/11/gchq-password-advice

    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

Leave a Reply

Your email address will not be published. Required fields are marked *