As most people know, passwords are a vital part of user authentication. With the ‘Cybercrime as a Service’ industry worth billions of pounds every year, it’s not an exaggeration to say that a significant percentage of these ‘profits’ are attributable to the ignorance of users. Failure to follow basic safety practices, such as weak password selection, is giving the cybercrooks an easy ride.
This blog will discuss some pitfalls around passwords, and what we can do about them.
How do people choose passwords then? According to psychological studies, choosing a password is a balance between security, convenience and memorisation. If these are not balanced, it will drive people to write down their passwords, re-use their passwords, and/or follow insecure patterns to fulfil security requirements. Following the iCloud’s security breach, the software used to brute force these passwords used a pre-defined password list acquired from a service called RockYou, which leaked out 32 million usernames and passwords back in 2009.
Consider the following example of a basic password security requirement, which almost all companies worldwide use in order to comply with various security requirements and frameworks. It will probably sound familiar: Passwords must be at least 8 characters long and not contain a significant portion of your account name or full name. The password should also contain characters from three of the following categories.
- English uppercase characters
- English lowercase characters
- Non-alphanetic characters
Not surprisingly, the most common passwords used where “Password1” “Princess1” “P@ssword” “Charlie1” “Letmein1” and so on. This of course fulfils the above requirements, but users put themselves at risk by using weak, easily guessable passwords. This then raises the question: what does actually constitute a weak password?
- Any default passwords that are supplied default by the vendors
- Words derived from dictionaries
- Words with numbers appended
- Words with simple obfuscation
- Common sequences from a keyboard
- User’s personal information
The core principle behind making a password secure is its randomness; it needs to be not derivable by any crafty patterns.
A Graphic Attack
The old fashioned way was to setup a workstation or a cluster of workstations to work together and use their CPU power to brute-force the password in order to find the right one. The new fashion is to use your graphics card. Yes. Your GPU. An average computer with a quadcore CPU can be used to calculate under 1 billion instructions per second. An average GPU, on the other hand, can calculate more than 3 billion instructions per second, thanks to its parallel architecture.
The maths behind the password strength is relatively simple: to work out how easy a password can be found we simply calculate the character set combination raised to the power of its length.
Let’s see how long it will take an attacker who stole an encrypted password to brute-force it. We know that:
- There are 26 lower case English letters
- There are 26 upper case English letters
- There are 10 digits
|Password Value||Character Set||Character Length||Calculations per Second||Calculations||Time|
|12345678||10||8||3 billion||10^8 / 3x10^8||>1 second|
|Password or PASSWORD||26||8||3 billion||26^8 / 3x10^8||11 seconds|
|PaSsWoRd||52||8||3 billion||52^8 / 3x10^8||2 days|
|password1||36||9||3 billion||36^9 / 3x10^8||3.9 days|
|Password1||62||9||3 billion||62^9 / 3x10^8||52 days|
And this is only from a standard graphics card. Think about the power of a cluster of high-performance workstations working together!
What about passphrases then? Passphrases are a sequence of words that are long enough and hard to guess. Using the above calculations, the following passphrases seem much more secure:
- ILoveToPlaySquash = A trillion years
- ILove2PlaySquash! = A quadrillion years
But this might upset the ‘balance’ we mentioned at the start of this blog: passphrases are easier to remember and but sometimes not as convenient. Overall though they are much more secure than passwords and I think more people should use them
Of course, a live brute-force attack is not always possible: most websites will lock you out if you make a certain number of failed login attempts. The problem comes when an attacker manages to compromise a system and download the user database. Now they can brute-force the encrypted data offline at their leisure, without worry of lock-out limits. Weak passwords will be broken quickly and now the criminals have your user ID and your password. This is why you must always change your password after a database of a company that you had account is found to be compromised. In a later blog I’ll be discussing the technical details around this, such as rainbow tables and dictionary attacks.
Have you ever thought about not using a password/passphrase and instead choosing a different means of authentication?
I do not believe that passwords will last for many years. I am a futurist and I firmly believe that new authentication concepts will replace the password. I’d like to introduce you to a new authentication concept called passmaps. Our brains work well on pattern recognition and find it easier to remember images and shapes than character strings (imagine trying to reliably recall FjWo£Lp&^12). Thus passmaps, or ‘graphical passwords’, substitute the characters used for the password with regions of a single image – or even better a whole map. Imagine you were to use GoogleMaps for logging on to Amazon. It might seem weird at first, but phishing schemes will be greatly reduced, or even eliminated, as it would be nearly impossible to predict and retrieve all the various places a user would need to authenticate themselves. As an added bonus, it’s touchscreen friendly.
Let’s step back for one second and think about something else; something you might have overlooked. Does anyone pay attention to those ‘security questions’? Is it a security question or is it in fact a free key to your kingdom?
I’m sure you’ve all seen the typical questions of:
- What’s your mother’s maiden name?
- In which city were you born?
- What’s your pet’s name?
How hard is it for someone to find the answer to one of these questions? Given the vast amount of personal information posted freely on social networks these days, chances are it is much easier than you think. Why would a skillful attacker go to the bother of cracking a complex password if all they have to do is look at your twitter and see the name of your dog?
The moral here is to always give the same importance to each step of the security process, including the security question and the answer. Always select questions that would make the answers difficult for an attacker to find. Or, what about using an answer that does not relate to that question? No-one said you have to play by their rules.
Security is a serious issue: do not be the weakest link.