The Trouble with Pa$$w0rds

April 25, 2019by Geoff Nairn0

Since the dawn of the internet, security professionals have wrestled with the weaknesses of password-based security. Humans are hardwired to take the path of least resistance, so when asked to set a password to access an online service, they will typically opt for something that is short and easy to remember, e.g. “John1987”, rather than “Ff/x78Gyu@76”.

Needless to say, the latter is harder to crack than the former, and users with short easily guessable passwords continue to put unnecessary risk on themselves and/or their organisations.

One of the the most common password hacking techniques is a dictionary attack. There are about one million words in the English language and the majority of people still use a known word as their password, perhaps adding a capital at the start and a number at the end in the hope this makes it un-hackable.

In contrast to a brute force attack, where every combination of characters will be tested systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically using lists of leaked passwords readily available to hackers.

According to an analysis of 5m leaked passwords by SplashData, a password management software vendor, the most commonly used passwords are “123456” and “password”.   Other popular passwords in the top ten include “football”, “qwerty”, “welcome” and “passw0rd”.

Six of the top 10 passwords on the list comprise of numbers only and can be cracked much more rapidly than those that use letters.  A hacker with a PC running freely available brute-force password cracker software can easily attempt eight million passwords in just one second.

Defending against the dictionary

Websites have wised-up to the threat of dictionary attacks. The most security-conscious of websites, such as online banking, will automatically lock (or temporarily suspend) a user account where an incorrect password is entered more than three times in succession.

However, locking accounts can seriously inconvenience users who have simply forgotten their password, by obliging them to go through multiple hoops to reset their password – emails, SMS messages, security questions, temporary passwords and so on.

Another common practice is to require users to regularly change their password. But this can be self-defeating as users will make predictable and simple changes. For example, they might increment the number at the end of the old password by one, or reuse a password they use from another website. So, the extra security that frequent password changes should provide is largely illusory and the inconvenience for the user increases.

Password Proliferation in the Digital Age

The dangers of using passwords have intensified with the advent of social media, internet banking and the widespread digitalisation of government and public services.  Recent research has shown that the average internet user now has, a quite shocking, 191 different user accounts and passwords.

With so many accounts, users inevitably reuse passwords across different websites, which makes them particularly vulnerable to hacking and identity theft.

Millions of stolen social media identities, logins to PayPal and other subscription services can now be easily bought on the “dark web”, an online marketplace for mostly criminal activities that hides behind the public internet.

The overall result?  A seemingly innocuous hack on the usernames and passwords for a local sports club could give many criminals access to online banking profiles if common username and passwords are used.

Should we say “pass” to passwords?

With so many known vulnerabilities, why on earth do we continue to use passwords?

Implementing two-factor authentication – where users must provide an additional piece of information, e.g. fingerprint or token code – is a great way of mitigating many of the threats of passwords.

Unfortunately, the adoption of two-factor authentication by companies remains slow due to the costs and complexity of implementation. Furthermore, in most cases it remains an optional feature which means the majority of users will not enable the feature (see introductory comment on following the path of least resistance).

So, with passwords here to stay for the foreseeable future, what can be done to reduce the risks?

Mystic Meg proof passwords

The longer a password is, the harder it is to guess, and if it contains a mix of upper-and lower-case characters, numbers and symbols, then a basic dictionary attack will be ineffective.

However, human behaviour is predictable, and hackers know it.  Users tend to capitalize the first letter of the password and just add a symbol or number to the end. So these supposedly stronger passwords, as well as being more difficult to remember, are not much more secure.

The headaches associated with remembering cryptic passwords can be reduced with the use of password management tools such as LastPass, Hashapass and iCloud Keychain (Note – we do not have an association with any of these tools, so please do your own research before purchasing and using). Password management tools both generate passwords that are a random mix of characters, numbers and symbols and, most importantly, relieve the user of the need to remember them.

Paradoxically, the latest advice from the US Government’s National Institute of Standards and Technology (NIST) recommends not using cryptic combinations of letters and symbols, but instead using long “passphrases” of 64 characters or more and made up of four or five random words separated by spaces – “mother dog space exodus” for example.

Unfortunately, there is a restrictive limit on the length of passwords allowed by most websites, which is a shame since long passphrases are not only relatively easy to remember,but they are extremely difficult to hack with brute-force attacks.

No matter how strong a user makes a password, it counts for little if the website is compromised and its user logins and passwords are stolen – a depressingly common occurrence.

Users who suspect or are informed that one of their accounts has been compromised, should set a new password as soon as possible. Furthermore, if they use the same login and password combination to access other services, then they need to change those passwords too.

Geoff Nairn

Leave a Reply

Your email address will not be published. Required fields are marked *