Password theory is good – password practice is poor

November 25, 2013

There’s nothing wrong with passwords. At least there’s nothing wrong with the theory of passwords.

You have a locked room. The only way into the room is through a single door. The only way through the door is with a single key. You have the only key. What’s wrong with that?

Throughout this article we’ll talk about locked rooms and keys. The locked rooms are your accounts, mostly on the internet; and they contain your valuable personal data. The keys are your passwords to those accounts. You should have a separate key for each locked room. If you have a single key for multiple rooms and you lose that key or it is stolen, the finder can get into all of your rooms.

So, just like any key to any room, we have a responsibility to keep it or them safe if we want to keep our property safe. We need to make sure they cannot be guessed; that we do not leave them lying around for others to find; that we make it as difficult as possible for hackers to steal them directly from our desktop computers (anti-virus, firewalls and above all else, common sense); and that we do not make copies and use the same key for multiple rooms (we need a different key for every different room).

The problem is that we hear about new password thefts almost every day. Some of them happen because of earlier password thefts. As soon as your password is stolen, you are no longer the only person who can get into your locked room. Any person who has your password, the key to your locked room, can steal all of your personal, private and valuable information. Here’s a selection of thefts, basically just what I can remember – there are many, many more – from this year alone:

Adobe 150,000,000 https://kevtownsend.wordpress.com/2013/11/14/adobe-you-really-cocked-up-on-this-one/
Apple 275,000 http://www.theguardian.com/technology/2013/jul/22/apple-developer-site-hacked
Cupid Media 42,000,000 http://www.infosecurity-magazine.com/view/35767/42-million-passwords-compromised-as-hackers-aim-at-cupid-online-dating/
Drupal 1,000,000 http://www.infosecurity-magazine.com/view/32697/drupal-hit-by-massive-data-breach
Evernote 50,000,000 http://www.infosecurity-magazine.com/view/31023/evernote-hacked-50-million-passwords-reset
Living Social 50,000,000 http://www.infosecurity-magazine.com/view/32087/50-million-livingsocial-passwords-stolen
LoyaltyBuild 1,500,000 http://www.infosecurity-magazine.com/view/35604/irish-data-center-breach-hits-15-million-european-consumers
MacRumors 860,000 http://www.infosecurity-magazine.com/view/35592/macrumors-breached-860k-passwords-potentially-compromised/
Morningstar 182,000 http://www.infosecurity-magazine.com/view/33348/morningstar-provides-some-information-about-breach
Nintendo 24,000 http://www.infosecurity-magazine.com/view/33342/thousands-of-club-nintendo-accounts-compromised
Racing Post unknown http://www.infosecurity-magazine.com/view/35814/racing-post-breached-users-passwords-stolen/
Scribd c300,000 http://www.nbcnews.com/technology/scribd-hack-exposes-thousands-users-1B9239618
Twitter 250,000 http://www.wired.co.uk/news/archive/2013-02/02/twitter-hacked
UbiSoft up to 58,000,000 http://www.infosecurity-magazine.com/view/33248/ubisoft-maker-of-assassins-creed-and-ghost-recon-breached
Ubuntu 1,800,000 http://www.infosecurity-magazine.com/view/33556/ubuntu-forum-hacked-18-million-accounts-compromised
vBulletin 900,000 http://www.infosecurity-magazine.com/view/35718/is-there-a-vbulletin-zeroday-out-there/
Yahoo 450,000 http://www.infosecurity-magazine.com/view/26976/yahoo-confirms-what-everyone-already-knew-about-password-breach

Criminals get passwords either by knowing them (because they are given them, or they are insufficiently hidden) or by guessing them. In the first case they use social-engineering psychology to persuade the user to hand them over (more information on social engineering here, and spear-phishing here), or they find them unhidden by the user. In the latter case they guess the most common passwords, or use automated dictionaries to try every possibility until the right password (key) for a known account (locked room) is found.

Most websites include a limit on the number of failed access attempts allowed within a predetermined period. This means multiple attempts to guess the right password while online are almost certain to fail. That is why criminals steal password databases from websites – so that they can try millions of automated guesses offline without being interrupted. The purpose is still to find the key to gain entry to your locked room, and to steal everything of value within it.

But there’s an easy solution: use complex passwords that cannot be manually guessed, and electronically hide them so that automated guessing still won’t work.

There are two methods for ‘electronically hiding’ text: encryption and hashing. Encryption involves converting text into an apparently meaningless jumble of characters in a manner that can only be unjumbled if you have the secret decryption key, which can be the same as (symmetric encryption) or different from (asymmetric encryption) the encrypting key for your password. Encryption, by definition, comes with the ability to decrypt – the ability to return the jumble back to the original text. Hashing is different. Hashing is one-way only. Hashing converts the original text into a meaningless jumble that cannot be de-hashed back to the original.

Hashing is the right solution for websites to hide their users’ passwords. It means that even the website doesn’t need to know the password, only the hash, which it cannot turn back into the original password key. With this method passwords need never and should never be stored by websites.

When you create a new account you are asked to provide a password. That password is hashed, paired with your user ID (often, but not necessarily, your email address), associated with your account, and stored. Whenever you want to access your account, you again enter your password. It is hashed again. If your user ID and the new hash result match with something stored, you are allowed access to the associated account.

Hint: if you forget your password, distrust a website that is able to send you your old password by email – it shouldn’t have your password. The ‘correct’ procedure is to guide you to a place where you can create a new password.

So, the effective use of passwords is a partnership. Users need to create good passwords and keep them safe, while internet companies need to store them safely and securely. It is my contention that done properly, this will be enough.

Alternatives to the simple password
Before we go too far on the strengths and weaknesses of passwords, we should mention the alternatives.

Passwords are designed to provide user authentication – to prove that Joe Smith really is not just any Joe Smith, but the right Joe Smith. In security terms, authentication is often described by the number of factors it uses, with the implication (and a degree of validity) that the more factors used, the more secure the authentication. (Personally, I do not believe that is necessarily true.) ‘Factors’ in this sense are things you know (like a password), things you have (like a token), things you are (like a biometric), and so on. The two most commonly used additional factors today are soft tokens and biometrics.

Soft token 2FA
An example of the most commonly used two-factor user authentication is the separate token sent out-of-band to the user’s mobile phone. This is a one-off code. Now you could say that ‘the thing that is owned’ is the separate code, or the phone that it is received on. Either way, the user now requires something he knows (password) and something he owns (phone/token).

I have two problems with this. Firstly, whenever you introduce complexity into security, you also introduce weakness – the phone and the communication sending it can both be attacked separately. The second issue is that this complexity makes it harder to use – and users do not want any more difficulty. If 2FA is an option, most users opt to ignore it. That in itself is not an issue, because we’re back where we started. But the fact that there **is** a 2FA option can mean that users take less care, whether they opt for 2FA or not, simply because it is clear that the vendor is taking more care. There is a danger that 2FA can cause a false sense of security.

Biometric authentication
Biometrics is getting a lot of publicity. Governments use facial biometrics for surveillance and passports; law enforcement uses fingerprints for criminal recognition; and Apple uses finger scans for opening the new iPhone.

I have three concerns. Firstly, nearly all biometrics can be forged. It took researchers just days to break through Apple’s iPhone finger scan. Secondly, what do you do if your biometric is compromised? If your password is compromised, you create or request a new password. What do you do if your iris, or your voice, or your thumbprint is compromised? And thirdly, it’s that old false sense of security – people using biometrics tend to think they are more secure than they actually are.

My contention, which I shall try to demonstrate below, is that passwords – used correctly – are adequate on their own. All we have to do is use them correctly.

Creating secure passwords and keeping them safe
Criminals get into locked rooms by guessing the password key.

When Gawker was breached in 2010, researchers found that the ten most popular passwords were:

  1. 123456
  2. password
  3. 12345678
  4. lifehack [LifeHacker is a Gawker publication]
  5. qwerty
  6. abc123
  7. 111111
  8. monkey
  9. consumer
  10. 12345

When LinkedIn was breached in 2012, researchers discovered that the ten most popular passwords were:

  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty
  6. 12345
  7. dragon
  8. pussy
  9. baseball
  10. football

How long do you think it would take to guess passwords like these?

Of course, if the passwords are all held in a single database without any form of electronic jumbling, then a password thief doesn’t need to guess anything because he’s got them written down in front of him. So the websites store the passwords ‘hashed’.

Now the criminals have to start guessing. To help this process, they use computers and specialized dictionaries called rainbow tables. Rainbow tables are effectively long lists of precomputed hash outputs together with the original input text that was used.

Stolen password hashes are then simply compared to the rainbow tables. If the hash output is found, then the password is known – that is, the password has been cracked.

So when you consider a new password, you should also consider how passwords are cracked with rainbow tables. Any word that appears in a dictionary will be in the tables. Any number up to at least 999,999,999 will be in the tables. All conceivable combinations of letters up to a certain length, and all conceivable combinations of letters and numbers up to a certain length, will appear in the tables. In short, if you use a password made up of any combination of letters and numbers up to, say, seven characters, and that password is stolen, you should consider it already cracked and available to the criminals.

This will include some of the commonly recommended methods for coming up with passwords – such as initial letters from quotations. “into the valley of death rode the six hundred” could provide ‘itvodrt600’. That looks like a strong password – but you should assume that it’s in a rainbow table somewhere.

The way to avoid rainbow tables is to use a very long password that mixes uppercase, lowercase, numbers, special characters and punctuation marks. The problem then becomes one of usability – passwords that are difficult to guess are even more difficult to remember.

The best way to produce, store locally and safely, and use strong passwords is to use a reputable and recommended password manager. I’m not going to recommend any myself – you must research that on your own. But the one I use generates passwords for me such as

%wc;I’,;Gp*CfQr9FUFpZYm|

I consider that to be reasonably secure against most tables.

The responsibility of the website
The fact remains that if the vendor doesn’t keep passwords hashed, then it really doesn’t matter how complex I make them.

So if it is incumbent on me to generate strong passwords, then it is equally incumbent on the website to store them securely. That means hashing them.

Actually, it means more than that. It means using a strong hashing algorithm (not all are equally good); it means using a slow algorithm (some were designed for speed when computers were slow, with the unintended consequence of making cracking faster and therefore easier); and it means salting the passwords. Salting is the addition of extra random characters to the user’s password before it is hashed. Basically, salt makes the password even harder to crack – it turns a medium strength password into a strong password.
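
As an added illustration (not code from the original article), the Python sketch below contrasts the two storage schemes discussed above: an unsalted fast hash, which a precomputed table resolves by simple lookup, and a salted, slow hash used in the register-then-login flow described earlier. The function names, the choice of PBKDF2, the iteration count and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for the example; tune per hardware
# Constructed sample: the top five Gawker passwords quoted earlier on this page.
COMMON = ["123456", "password", "12345678", "lifehack", "qwerty"]

def unsalted(password: str) -> str:
    """Weak scheme: fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

# Precomputed table: hash output -> the input text that produced it.
TABLE = {unsalted(p): p for p in COMMON}

def exposed_by_table(stored: dict) -> dict:
    """Return {user: password} for every stored hash present in the table."""
    return {user: TABLE[h] for user, h in stored.items() if h in TABLE}

def register(password: str) -> dict:
    """Strong scheme: per-user random salt plus a deliberately slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}  # password is never stored

def login(password: str, record: dict) -> bool:
    """Re-hash the attempt with the stored salt; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])

if __name__ == "__main__":
    # Constructed user database stored the weak way.
    weak_db = {"alice": unsalted("qwerty"), "bob": unsalted("qwerty"),
               "carol": unsalted("T7#q-constructed-Lr9!vXw2")}
    print("unsalted, found in table:", exposed_by_table(weak_db))
    # The same users stored the strong way.
    strong_db = {user: register("qwerty") for user in ("alice", "bob")}
    salted_hashes = {user: rec["hash"] for user, rec in strong_db.items()}
    print("salted, found in table:", exposed_by_table(salted_hashes))
    print("same password, same hash?",
          strong_db["alice"]["hash"] == strong_db["bob"]["hash"])
    print("correct login:", login("qwerty", strong_db["alice"]))
    print("wrong login:", login("123456", strong_db["alice"]))
```

Salting only removes the precomputation shortcut: a common password such as qwerty can still be guessed account by account, which is why the slow hash and the password's own strength both still matter.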

This is standard best-practice. Unfortunately, too many websites do not conform to best practice. In the last few weeks we have heard:

  • Adobe did not hash its passwords; it encrypted them (better than nothing, but not as good as hashing). It also stored users’ password hints next to the encrypted passwords in plain text – making it, in some cases, obvious what the password was.
  • LoyaltyBuild stored users’ credit card numbers unencrypted and with the cards’ CVV numbers.
  • Cupid Media stored its users’ passwords in plaintext.

What is the point of coming up with a long, complicated, unguessable password if the website just hands it to the criminals on a plate?

Conclusions and recommendations
For password access to locked rooms to work, passwords need to be strong (from the user) and hashed and salted by the website. Clearly that frequently doesn’t happen; and that’s why we have rampant identity theft.

Since it doesn’t happen voluntarily, we need a new code of practice backed by regulation if necessary. Much of it will fall on the website; but that’s a small price to pay for a secure and trusted internet.

Firstly, websites should require a minimum strength password from their users – so strong, in fact, that it becomes easier to use a password manager than to try to make them up.

Secondly, users must learn not to reuse the same password on multiple sites. Security audits must confirm this as part of staff awareness training, and schoolchildren need to be taught it in schools.

Thirdly, websites must be required, by law if necessary, to make it clear how they protect their users. Inadequate password security could then be shunned by users and ridiculed by professionals.

With these three basic developments, password-protected access will do the job it was designed to do: locked rooms will stay locked, personal and private.
