Doug Vitale Tech Blog

Password-based authentication doomed by inherent flaws

The password-based authentication model is plagued by weaknesses in theory and, as demonstrated by countless hacked accounts, in practice as well. The time for ubiquitous two-factor authentication and password managers is now.

Authentication in computing – the process by which the identity of users is verified – has long relied on passwords as the primary (and often the only) mechanism for account holders to identify themselves. Even the most casual computer users are familiar with the process: when you power on your device or visit certain websites, you often need to enter credentials (i.e., usernames and passwords) to access your files and utilize your account capabilities, and you assume that you are the only one who knows your passwords. In an ideal world, knowledge of passwords would be restricted to the rightful account holders and therefore the entry of valid credentials would be assumed to verify the identity of the user in question. As such, this authentication model seems simple and reliable enough. However, thousands of individuals have had their money and identities stolen, credit cards used, private files accessed, and private emails viewed because the reliability of password authentication failed them. We are going to examine why the practice of logging in to computers and websites with passwords is prone to violation, how these weaknesses are exploited, and what can be done to lower the risks facing our user accounts.


The problems with passwords

User verification by passwords is sound only if your passwords are known by you alone, and they cannot be acquired by others without monumental effort. Theoretically, if you are the only one who knows the password to your Gmail account and you adhere to prudent password guidelines by keeping the password strictly private and nearly impossible to guess, then you could reasonably be assured that your Gmail account was safe from prying eyes. Unfortunately, as detailed below there are simply too many ways for passwords to fall into the wrong hands, and even experienced security professionals have fallen victim to password violation.

Problem #1: Ease of sharing

Simply put, passwords are too easy to share. Although they are intended to be known by only the rightful users, passwords are often shared with others for the sake of some convenience. These situations can occur when account holders are in a position where they cannot access computing resources, so they contact others who are better situated to provide assistance. For example, imagine a situation in which you have a file which contains your vacation itinerary. You leave for your trip only to realize that you left your itinerary on your work PC. In order to complete your vacation as intended, you phone a co-worker and ask him to log in to your computer and email the file to your personal email account. In order to accomplish this, you give him your network password. You get your schedule, but you have disclosed your password to another individual who can now access your files, read your emails, impersonate you, or give your password to others. Long story short: the sharing of passwords among friends, family members, co-workers, and couples is a recipe for trouble.

Problem #2: Theft of passwords

Even users who endeavor to keep their passwords private are still at risk of password theft, which occurs when people with malicious intent steal your passwords using various means: some very technical, others stunningly simple.

One way to steal passwords is sniffing data traffic on unencrypted wireless networks: wireless users who enter their credentials into websites that do not obscure authentication transactions (with encryption such as SSL) can have their passwords recorded by a device running a sniffer program such as Wireshark or Cain & Abel. Remember that when you are connected to one of those “open” wireless networks, all data transfers you make (the websites you visit, the emails and messages you send, etc.) can be easily captured and viewed by others unless your communication stream is cryptographically obscured.

Another threat which users face is the possibility of keystroke loggers installed on their devices. If another individual (such as a personal enemy, a feuding colleague or a jealous romantic partner) gets access to your computer, he can install hardware- or software-based keystroke loggers which will record all the keystrokes you enter on your keyboard. This threat is even more serious with publicly shared PCs and kiosks, such as those in hotels and airports. You should avoid logging into web services on devices which you do not own unless a serious situation warrants it. Fully updated antivirus or “endpoint security” applications are a decent way to help prevent the covert installation of software-based key loggers on your own computing devices.

Third, if a hacker runs a packet sniffer or breaches a server which processes user logons, he can acquire password hashes, copy them to his machine, and run offline attacks against them to reveal the associated passwords. This process, called password cracking, can be carried out in various manners. One method for extracting passwords from hashes is the dictionary attack, which uses all words in a dictionary or a given text file. Another cracking method is known as a hybrid attack, which extends the dictionary method by adding numeric and symbolic characters to dictionary words. Hybrid attacks can attempt several variations, such as using common substitutions of characters and numbers for letters (e.g., p@ssw0rd). The brute force method generates all possible passwords up to a certain length and their associated hashes. Short, non-complex passwords do not withstand the brute force technique for long, but the real danger of this type of attack is the fact that, given enough time and computing power, brute force attacks on password hashes are always guaranteed to succeed, especially since advances in technology such as ever-increasing CPU speeds are further aiding password crackers.

Lastly, it is not much of a challenge for motivated hackers to trick users into voluntarily revealing their passwords by utilizing social engineering techniques which can be performed through nefarious software (such as fake login pages included in phishing scams) or even phone calls. The sad truth is that it’s ridiculously easy to convince users to willingly divulge their passwords, especially when they are confronted by someone operating from a real or feigned position of trust or authority. If you ever get requests for your password in an email or on the phone from “tech support” or “the IT department”, you know you are dealing with a scammer.

Problem #3: Easily guessed passwords

It has been proven time and time again that a significant percentage of computer users habitually choose passwords that are easy to remember, and hence easy to guess. Common techniques for generating passwords include common phrases and terms (see spreadsheet below), names of spouses, children and pets, birth dates, wedding dates, and dictionary words (which are vulnerable to dictionary attacks). Numerous account compromises have revealed that some passwords are used very frequently, and that users almost never choose passwords which could be considered strong (longer than eight characters with lower case letters, upper case letters, numbers, and special characters).

I studied some of the most notorious breaches in recent years and assembled this alphabetized list of passwords you definitely want to avoid.

The Top 100 Passwords In Use Today (alphabetized)

For the purposes of cracking, password lists are available elsewhere such as Dazzlepod (19.5 MB .txt and 21 MB .txt), O’Reilly (3.33 MB .zip) and Packet Storm.

Problem #4: The unintended consequences of mandating strong (complex and long) passwords

A fourth challenge facing password authentication is the irony that strength requirements can often increase the rate of password compromise. In response to the threat posed by easily guessed credentials, cautious account holders and system administrators often seek to make passwords unguessable by implementing strict complexity and length requirements. Passwords then need a mix of characters – lower case letters, upper case letters, numbers, and special characters like question marks – to be considered complex. Additionally, they need to conform to a minimum length standard as well. The problem with this approach is that when users are faced with challenging password length and complexity requirements, they are much more likely to write their passwords down on paper or store them in clear text in a digital document or spreadsheet. Passwords existing in such a state are much easier to exploit than those stored in a hashed manner.

Restricting passwords to time-based lifespans also results in the same dilemma. Administrators may implement password expiration which forces users to create new ones after a certain amount of time has passed. The primary reason to give passwords expiration dates is to cut short the amount of time a compromised password can be used by someone else. If a password expires after thirty days, then a hacker can get at most thirty days’ worth of benefit out of it. After that span of time, the password becomes useless. If the hacker acquires a victim’s password at, say, day 28 of a 30-day validity period, he will only get two days’ worth of use. A disadvantage of this strategy is that if you force people to change their passwords frequently, they become more likely to choose easy-to-remember passwords (which are easy to guess) than they are if they can use the same passwords indefinitely. Therefore, any password-changing policy needs to be evaluated in awareness of this user habit.

You may wonder which is more important to creating strong passwords: complexity or length. The verdict is in, and it’s length.

The ‘Too Long; Did Not Read’ version of Problem #4, courtesy of XKCD.

Problem #5: Password reuse

Because modern computer users must log in to so many differing environments and services, we often resort to using only one or two passwords for all authentication purposes. This trend is especially true for people who use computers both at home and in the workplace. At work we must remember passwords to log in to our PCs and multiple applications and websites (for IT professionals, the number of passwords to remember can be daunting). At home, we have password-based accounts for the myriad of ubiquitous websites we have come to rely on: Amazon, eBay, PayPal, online banking, blogs, Gmail, Hotmail, Yahoo, LinkedIn and other career websites, discussion forums…the list goes on and on. Remembering unique passwords for each site is a mental task that is simply too challenging, so users often rely on one password for all. This is a major risk because if your one password gets compromised, the attacker has access to not just one service you use but to all of them.

Problem #6: Password reset

Most account-based web services (email, blogs, online banking and shopping, etc.) provide a way for users to reset their passwords should they be forgotten. Usually a user needs to provide his username and answer a few questions regarding personal details, such as mother’s maiden name, city of birth, name of first pet, high school name, etc. In this day and age, however, persistent online searching courtesy of Google and perusal of social media profiles can reveal such “personal” details. Consequently the “reset your password” feature is often a valuable tool in a hacker’s arsenal.

Password weakness summary

Problems 1 – 6 above are major challenges to the password-based authentication model because passwords are a single point of failure. In other words, users’ accounts and resources usually need to suffer only one compromise (hacked passwords) to be completely exposed. This method of granting access is known as single factor authentication because all that is required is the presentation of one form of a credential (the password). As such, single factor authentication lacks depth and resilience.


Multi-factor authentication

Two-factor authentication has the potential to wipe out the aforementioned weaknesses of password reliance. If you have a bank card which you use to access automated teller machines, then guess what? You are already using two-factor authentication; it utilizes something you know (your PIN) and something you possess (the bank card). You need both your PIN and the card to access your account; they are ineffective on their own. The most stringent form of multi-factor authentication is three-factor, which combines something you know, something you possess, and something you are (such as your fingerprint).

Two-factor authentication can be applied to computing as well. The ‘Know + Possess’ model can be achieved with PINs/passwords and objects such as smart cards or hardware tokens. The ‘Know + Are’ model can be achieved with a password or PIN combined with a fingerprint scanner.

An example of a hardware token.

Image source: Wikipedia

Smart cards are plastic cards that contain integrated circuit cards, digital certificates and users’ private keys. They not only augment user authentication but can perform public key cryptography operations, such as digital signing (of emails, for example) and key exchange. To allow a device to utilize smart cards, a smart card reader must be installed. To use a smart card, the user inserts it into a smart card reader that is attached to a computer and types the PIN when prompted.

You may be wondering why numeric PINs are used with smart cards instead of strong passwords. Despite containing only numeric characters, PINs are actually the more secure choice. Unlike passwords, PINs never traverse network links so they cannot be sniffed. Furthermore, dictionary attacks and brute-force attacks are infeasible as they can be attempted only by someone in possession of the smart card. However, even when an attacker has the card in his possession, the smart card locks after a few failed attempts at guessing the PIN. If an attacker captures a PIN, it is useless without also acquiring the card.

The US Dept. of Defense’s Common Access Card (CAC) is an example of a smart card.

Image source: Wikipedia

Smart cards are a viable option for authentication to networks utilizing public key infrastructure and enrollment stations. They seem to fall short, however, for authentication to web services. While it is practical to use one smart card to provide access to a corporate network and its resources, attempts to replicate the same functionality for dozens of unrelated account-based websites would be unrealistic. Would we be able to handle having separate smart cards for Facebook, Gmail, Amazon, eBay, banking websites, Yahoo, LinkedIn, Twitter, etc.? Probably not, and the organizations behind these web services would not be willing to manufacture and ship millions of smart cards to their users.

In such situations, the Google Authenticator app can take the place of smart cards to provide two-factor authentication. The Authenticator works like a hardware token which displays random codes that change at certain intervals, but it can be used to access multiple websites such as Dropbox, Outlook, WordPress, and several others.

Password managers

A password manager is an application which lets you store and organize your login credentials in a safe way. Additionally, password managers usually have the ability to generate strong passwords to save you the trouble of creating them yourself.

To launch these applications, you must enter a master password which permits full access to stored credentials. Therefore, it is of paramount importance that you do not forget this master password, and that you keep it as private as possible. Password managers store your passwords locally in encrypted format. You can make a copy of the local password database and open it on other hosts using the same password manager program.

Below are some screenshots of RoboForm, a commonly used password manager.

Main RoboForm interface

RoboForm security options

RoboForm password generator

Other password managers
Password Safe


Recommendations for password requirements

Until two-factor authentication becomes standard, you can reduce the likelihood of successful attacks targeting your passwords by following a few simple guidelines.

1. Your password should be ten or more characters in length. Ten is a happy medium between high resistance to brute force attacks and the inability of most people to remember long strings of characters. Each character you add to a password makes it an order of magnitude harder to crack via brute force attacks.

2. Insert a mix of lower case and upper case letters, numbers, and special characters in your password. There are 26 lower case letters, 26 upper case letters, 10 digits (0-9) and 32 special characters in the standard keyboard layout. According to elPassword, there are 59,873,693,923,837,895,000 possible password combinations if you choose a ten character password with this level of complexity. Not bad!

3. Ensure that your password does not contain consecutive characters comprising a name, a slang word, or any word in any dictionary. It should not include any part of your name, family members’ names, pet names, or your e-mail address.

4. Use a different password for the various important websites you use, such as your social media accounts, banking and financial websites (including PayPal), major online shopping (such as eBay and Amazon), and web email. These are the websites that, if compromised, will do the most damage to you in terms of financial loss, identity theft, and embarrassment. However, at this point you are faced with the ‘complex password paradox’ mentioned above: how are you going to remember various strong passwords for even a handful of websites? That’s where password managers come in.
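Guidelines 1 to 3 can be checked mechanically, including the character substitutions that hybrid attacks try (the p@ssw0rd case described under Problem #2). The following is an added example, not code from this blog: the tiny word set, the substitution table and the function names are constructed for illustration, and a real check would load a large wordlist.

```python
import math
import string

# Constructed stand-in for a real wordlist (assumption of this example).
SAMPLE_WORDS = {"password", "dragon", "monkey", "letmein", "welcome", "sunshine"}

# Common character-for-letter substitutions, undone before the dictionary check.
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                               "3": "e", "$": "s", "5": "s", "7": "t"})

# The four classes from guideline 2: 26 + 26 + 10 + 32 = 94 characters.
# (Counting the space as well gives 95, and 95**10 is the figure quoted above.)
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def embedded_word(candidate, words, min_len=4):
    """Return a dictionary word hidden in the candidate, or None."""
    normalized = candidate.lower().translate(SUBSTITUTIONS)
    for word in sorted(words):
        if len(word) >= min_len and word in normalized:
            return word
    return None


def keyspace_bits(candidate):
    """Brute-force search space in bits, based on the classes actually used."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(ch in chars for ch in candidate))
    return len(candidate) * math.log2(alphabet) if alphabet else 0.0


def check_password(candidate, personal_terms=(), words=SAMPLE_WORDS, min_length=10):
    """Apply guidelines 1-3; return a list of findings (empty means it passes)."""
    findings = []
    if len(candidate) < min_length:
        findings.append(f"shorter than {min_length} characters")
    missing = [name for name, chars in CLASSES.items()
               if not any(ch in chars for ch in candidate)]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    word = embedded_word(candidate, words)
    if word:
        findings.append(f"contains dictionary word '{word}'")
    lowered = candidate.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            findings.append(f"contains personal term '{term}'")
    return findings


if __name__ == "__main__":
    for sample in ("monkey", "P@ssw0rd2014!", "tR7#qL9!vX2&"):
        print(sample, round(keyspace_bits(sample), 1), check_password(sample))
```

The second sample satisfies the length and complexity rules yet still fails, which is why guideline 3 has to be checked separately from guidelines 1 and 2.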

IT security decision makers and system administrators can significantly harden their networks against password attacks by enforcing password policies based on the following guidelines.

1. Require strong passwords. If you allow your users freedom to create passwords according to their own preferences, it is very likely that they will choose weak passwords. To negate this tendency, require that passwords be strong (long and complex).

2. Implement an organization-wide policy forbidding the sharing and writing-down of passwords, whether on paper or in digital documents or text files.

3. Employ aggressive mechanisms against brute force attacks to detect and mitigate these attacks on login credentials. You can make these attacks too cumbersome for realistic purposes by putting obstacles in the way of brute force style attacks, such as logon restrictions and account lockout settings.

4. Enforce a password change policy which requires users to change their passwords after a certain amount of time. Be cautious that you do not make this policy too stringent or users will become much more likely to write their passwords down, especially when you are enforcing complexity.

5. Encourage the selection of passphrases instead of passwords. A passphrase is a sentence or phrase that functions like a password. Passphrases are more resilient to compromise because of their greater length. Modern operating systems will have no problem accommodating most long passphrases.

Administrators configure password policies for Windows domains via Group Policy objects using the Group Policy Management Console. For Windows hosts which are not joined to a domain, you can configure these settings in the Local Security Policy MMC snap-in (secpol.msc) or the Local Group Policy Editor (gpedit.msc). Navigate to Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, as depicted below.

Group Policy passwords

For Linux-based hosts, password parameters are configured in /etc/login.defs and in /etc/pam.d/system-auth or /etc/pam.d/common-password depending on your Linux distribution. Red Hat Enterprise Linux provides a web-based interface for password settings.

Red Hat Enterprise Linux password settings
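To show which keys in those Linux files carry the policy, here is an added example (not from this blog) that audits file contents against the guidelines above. It assumes the distribution enforces complexity through pam_pwquality.so options on the PAM line itself; the sample file contents are constructed, and the 30-day and 365-day thresholds and the module defaults used when an option is unset are assumptions of the example.

```python
# Constructed sample contents, not taken from a real host.
LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""
PAM_PASSWORD = """\
password  requisite   pam_pwquality.so retry=3 minlen=8 dcredit=-1
password  sufficient  pam_unix.so sha512 shadow use_authtok
"""

CREDITS = (("lcredit", "lower case"), ("ucredit", "upper case"),
           ("dcredit", "digit"), ("ocredit", "special"))


def parse_login_defs(text):
    """Return {KEY: value} from 'KEY value' lines, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def parse_pwquality(text):
    """Return pam_pwquality.so options from the password stack, or None if absent."""
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0].lstrip("-") == "password" and "pam_pwquality.so" in tokens:
            opts = tokens[tokens.index("pam_pwquality.so") + 1:]
            return dict(o.split("=", 1) if "=" in o else (o, "") for o in opts)
    return None


def audit(login_defs_text, pam_text, min_length=10, min_age=30, max_age=365):
    """Compare settings with the article's guidelines; thresholds are assumptions."""
    findings = []
    max_days = int(parse_login_defs(login_defs_text).get("PASS_MAX_DAYS", "99999"))
    if max_days < 0 or max_days > max_age:
        findings.append(f"PASS_MAX_DAYS={max_days}: passwords effectively never expire")
    elif max_days < min_age:
        findings.append(f"PASS_MAX_DAYS={max_days}: rotation this frequent "
                        "invites written-down passwords")
    opts = parse_pwquality(pam_text)
    if opts is None:
        return findings + ["pam_pwquality.so absent: no length or complexity enforcement"]
    minlen = int(opts.get("minlen", "8"))  # assumed module default when unset
    if minlen < min_length:
        findings.append(f"minlen={minlen}: below {min_length} characters")
    for key, label in CREDITS:
        # A negative credit means "require at least that many of this class".
        if int(opts.get(key, "0")) >= 0:
            findings.append(f"{key} is not negative: {label} characters are not required")
    return findings


if __name__ == "__main__":
    for finding in audit(LOGIN_DEFS, PAM_PASSWORD):
        print("FINDING:", finding)
```

On a live host the inputs would be the contents of /etc/login.defs and of /etc/pam.d/system-auth or /etc/pam.d/common-password, read with sufficient privileges.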


Archive of infamous password hacks

Sarah Palin email hack (Wikipedia)
Monster Says Hackers Stole Data From Users’ Accounts (Bloomberg)
Gawker Media Websites Hacked, Staff and User Passwords Leaked (Wired)
32 million RockYou passwords show most users careless about security (ArsTechnica) (passwords)
LulzSec releases 62,000 passwords (RafeKettler) Hacked (Krebs)
Sony Hack Reveals ‘Seinfeld’ as Most Popular Password (Time)
LulzSec Dumps 26,000 Porn Site Usernames And Passwords (Forbes) (passwords)
Hackers post 450K credentials pilfered from Yahoo (CNET)
What the, eHarmony, and LinkedIN password leaks mean to you (CNET)
8 million leaked passwords connected to LinkedIn, eHarmony (ArsTechnica)
Update: LinkedIn hacked passwords from 2012 up for sale in 2016 (Motherboard)
Hackers stole account details for over 60 million Dropbox users (Motherboard)
The most common pin numbers (The Guardian)
YouPorn passwords available for download, thousands of users exposed (Sophos) (passwords)
2 million Facebook, Gmail and Twitter passwords stolen in massive hack (CNN)
Analysis reveals popular Adobe passwords (BBC)
Top 100 Adobe Passwords with Count (Stricture Group)
Just how bad are the top 100 Adobe passwords? (ZDnet)
Russia gang hacks 1.2 billion usernames and passwords (BBC)
Nude celebs? Blame the passwords (Politico) (Wired)
Ashley Madison hack – Top 100 Passwords (Ars Technica)



Written by Doug Vitale

September 3, 2014 at 1:06 AM
