Identity Island Blog Identity Island Blog

The Password Problem

Posted by Zane Harnish under Lifestyle and Security

Insights

Passwords are all over the place. In many situations, if you want to access something on your computer, your phone, or the internet, you need an account secured by a password. Passwords are good. They serve as a form of authentication that prevents people from gaining access to your personal accounts and information. You may have noticed that most people do not like passwords very much. They are perceived as inconvenient and of limited value to security. This article is meant to outline what I have dubbed “The Password Problem”: the widespread misuse and misunderstanding of passwords.

Everyone knows what a password is, but let’s define it just because we can. A password is a string of characters (letters, numbers, and other symbols) used for authentication or identity verification in order to prevent unauthorized access to a protected or private resource. They allow us to keep our information secure yet allow us to easily access it when we need to.

It took me a while to decide the most effective way to organize the information I want to present, but I think the best way will be to walk through the most common vulnerabilities related to passwords one at a time. This will allow us to look at how we can deal with each one, and in the end maybe decide the most effective way to approach passwords. Note that we will be primarily looking at this in terms of passwords used to access internet-based services, as opposed to the password that you enter to unlock your phone or computer (although many of the same vulnerabilities apply to these as well).

Human Error and Social Engineering
Contrary to what you might believe, the biggest factor in keeping your password a secret isn’t some security system on a server somewhere in the cloud. In fact, if someone wants your password, the easiest way to get it is through you.

This all starts when you create a password. A study done by Google in 2013 found that the most common passwords were one of the following:

1. Pet names
2. A notable date, such as a wedding anniversary
3. A family member’s birthday
4. Your child’s name
5. Another family member’s name
6. Your birthplace
7. A favorite holiday
8. Something related to your favorite sports team
9. The name of a significant other
10. The word “Password”

I’m going to put it the simplest way I can: these are not good passwords. If you are wondering why, take a look at your social media accounts. Are there any of the first 9 of these that someone couldn’t find there? Even if you don’t use social media, most of these things would not be hard to find out, whether from one of your friends, or through other means. If you use number 10, you might as well just leave now. Ask someone nearby to show you how to close your web browser.

Your password should not be something that anyone could figure out with an educated guess. Many websites require you to have at least one number in your password, and sometimes even a special character. This can be both good and bad. We’ll talk about the bad later. First let’s look at why it is good to include all types of characters in your password, even if you aren’t required to.

The more symbols you include, the greater the entropy of your password. Entropy is essentially a measure of the possible ways a system can be organized; in simple terms, a measure of “randomness”. High entropy makes passwords harder to determine via a brute-force attack (trying every combination of possible characters). Basically, the longer your password is and the more types of characters you use, the higher the entropy will be. What is important to remember is that entropy is not a measure of how good a password is. Even though “Password123” has higher entropy than “ngksaibh”, the latter is more secure, as it is impossible to reach it by simply making a guess based on common passwords. Obviously, something like “s8!F(njP” is even better, as it has greater entropy and is entirely random. To give you an idea of the difference in entropy between passwords of different lengths and from different sets of characters, I put together this list:

1. 8-characters, lowercase letters only: 208.8 billion possible passwords
2. 8-characters, all characters: 6.1 quadrillion possible passwords
3. 16-characters, lowercase letters only: 37.8 sextillion possible passwords
4. 16-characters, all characters: 40.6 nonillion possible passwords

This may make it seem like even the least complex passwords are very secure. Just keep in mind that computers are fast. There is no way to come up with the exact amount of time it would take to crack a password in each of these categories, but here is a list of approximations that corresponds to the list above.

1. 40-60 seconds
2. 20-60 days
3. 300-500 thousand years
4. 10-20 trillion years

So including numbers and symbols is a good thing, and long passwords are even better. The problem is, when websites require more complex passwords, users tend to make them less secure. This may not make sense at first, but if you think about it, it is not surprising. If you are forced to include special symbols and numbers, you are more likely to be afraid that you will forget it. To counteract this, you make the password something easier to remember and probably also easier to guess. Also, the more complex passwords need to be, the more likely you are to reuse the same password across multiple sites. This brings up an entirely separate issue: remembering your password.

There are three common solutions that address creating and remembering passwords. The most common one is to use a password manager. These are services that create and remember passwords for you. All you have to do is remember one password to access the manager, and you will be logged into all of your accounts automatically. These have some other vulnerabilities that won’t be covered in this article (we already have more than enough to talk about), but are still one of the best solutions for creating and remembering passwords.

Another method, although not very common, is to create a personal algorithm for generating passwords. An example of a very simple algorithm would be to take the name of the website you are creating the password for, reverse it (“google” becomes “elgoog”), then replace each letter with the one that comes before it in the alphabet (“elgoog” becomes “dkfnnf”), and finally add the number of letters in the websites name to the end of it (“dkfnnf” becomes “dkfnnf6”). This password appears random, but if you would ever forget it for some reason, you can simply follow the steps of the algorithm to come up with it again. As long as you remember the steps, you will never forget a password.

A third technique, which has been gaining popularity lately, is to use passphrases. Rather than making a password out of random characters, passphrases are groups of words. Sometimes these form a sentence, other times they are just a few random words smashed together. The advantage of passphrases is that they can be very long (and therefore very secure), while remaining easy to remember. A good way to create basic passphrase is to take a line from your favorite book, such as “notallthosewhowanderarelost”. If it is allowed, adding capitalization, spaces, and punctuation can make a passphrase even stronger, “Not all those who wander are lost.”. Some people believe that using an intelligible sentence makes the passphrase too easy to guess. An even more secure passphrase can be created using a few random words, for example: “chickenpianoseventyphone”, or even better: “Chicken, piano seventy phone!”. This is still easier to remember than a bunch of random characters, while also being more secure than an actual sentence.

An alternative to these three methods is to simply use the same password for every account you create. Then you only have to remember one. The obvious issue with this, is that if someone were to somehow obtain your password, they immediately have access to all of the sites you log into. Reusing passwords is okay, but is best to at least have separate passwords to protect more important accounts and information. Yet another option is to write passwords down. This is okay, although you have to be careful where you store them. A wallet is a common place, but don’t lose it. Writing your passwords on a sticky note and putting it on your monitor at work is not a good option. You could also just trust your brain to remember the password and reset it if you need to. This is okay, but depending how good your memory is, it could become annoying.

So, once you have some secure passwords and a good way to remember them, you’re in the clear, right? From here it is up to the websites to keep your passwords safe! Unfortunately, that is not the case. We need to talk about social engineering, which is when you are tricked into giving your password away.

The most common way for this to happen is through phishing emails. An attacker will try to create an email that appears to be from a legitimate source. Then you click on the link in the email. If they did a good job, you won’t even notice you are on a copy of the site you think you’re on, rather than the real one. Then once you type in your password and press “enter”, they have your username and password. Whoops. The point is be careful. Don’t knowingly give your password to anyone, and do what you can to make sure that you don’t give it away unknowingly.

Okay, so you get the idea. The security of your password is up to you. The rest of this article will primarily focus on the way that passwords are handled behind the scenes.

Password Storage
Websites need to store your password in a database so they have a way to verify that you entered it correctly when you try to log in. There are a few ways this is done, some much more secure than others.

The simplest (and by far the least secure) way to do this is to store the passwords in plaintext. The problem is, if someone manages to gain access to the database, they immediately have access to every account because the passwords are right in front of them. This also means if any of the users chose the same password on any other sites, the invader could easily gain access to those accounts as well. This is an extremely rare (practically nonexistent) method of password storage because it is so insecure. Nonetheless, it is a good reason not to use the same password for everything.

Most websites only store cryptographically protected versions of the password, not the password itself. This way, if someone gains access to the database, they don’t have direct access to the actual passwords. Usually this is done using an advanced cryptographic hash function. These functions take an input value (in this case the password) of any length and output a hash value of a set length (they usually look something like this: “e4d909c290d0fb1ca068ffaddf22cbd0”). These are one-way functions, meaning that it is nearly impossible to invert the function, and determine the input based on seeing only the output. This means that if someone gains access to a database, they only learn the hash value of the passwords, and have no way (aside from trial and error) to find out what the actual passwords are. This is why hackers use either “hash tables” or “rainbow tables”. These two are often confused with each other, but are very different.

A hash table is simply a list of common passwords and their hash values. This means that a computer can very quickly search an entire database for any hashes that match those in the hash table. It should now be even more obvious why using “Password” as your password is not a good idea. Its hash will most definitely be in the hash table and will be discovered in seconds. Hash tables are lightning fast, but require a great deal of space as they have to store the hash value of every password. Fortunately, they do have the advantage of allowing the creator to choose exactly what passwords are included.

Rainbow tables are a good bit more complex, and I won’t bother explaining how they work (that would require an entire article to itself). They are slower than hash tables, but require less storage space and can cover a much wider range of passwords. The main disadvantage is that the creator can’t choose specific passwords to include; however, they can choose exactly how much space the table requires. They also require a bit more computing power. Most hackers will use a combination of hash tables and rainbow tables.

In order to counteract the use of these tables, just add salt! Salt is some random data generated for each password that is used as an additional input to the hash function. This means that a hash table or rainbow table is useless, as each password’s hash is obfuscated by its unique salt and would require a separate table. In this case, it is just as easy to use a brute-force trial and error approach.

Password Transmission
So, you have a secure password and it is stored safely in a database, but somehow the password has to be transmitted from you to the server where the database resides. Much like password storage, there are several ways to do this, but not all of them are safe.

Similarly to storing a password in plaintext, passwords can simply be transmitted in plaintext across the network. This means if someone is able to monitor your transmissions (not difficult to do on an unsecured Wi-Fi network), they will have no trouble at all intercepting your password. And unfortunately, plaintext transmission is not nearly as rare as plaintext password storage.

Many sites transmit passwords over an encrypted channel, most commonly TLS/SSL. You can see when this is in use by looking at the beginning of the URL in your web browser. If the URL begins with “https://” rather than “http://”, then you are dealing with an encrypted connection. Most browsers also show some type of padlock icon to show that you are connected to the site via an encrypted connection. This does not make it impossible to capture the password, but it does make it extremely difficult. If you are ever connected to a public Wi-Fi network, I wouldn’t recommend logging into any accounts that are not utilizing a secure connection.

Although rare, some sites make the mistake of using hash-based challenge-response authentication. In this case the hash value of the entered password is found on your computer and the hashed value is transmitted. This takes the security provided by storing only the hash value of a password, and throws it out the door. Now anyone who is able to intercept the transmission has access to the hash value of your password and can use that to discover your password, much as if they had gotten access to the database it was stored in. Even worse, since the server is only looking for the hash value, not the password itself, the attacker may be able to simply transmit the hash value and gain access to the account without ever knowing the password.

Some systems enhance their security by using something called a zero-knowledge password proof. This allows the user to prove to the server that they know the password without transmitting the password at all. This makes eavesdropping almost useless in an effort to intercept a password. This is often used in addition to TLS/SSL encryption, making it even more secure. A method known as password-authenticated key agreement makes this even more secure. Much like rainbow tables, I won’t bother explaining how these work in this article, as it also would take far too long (and this post is already quite lengthy).

Other Security Features
Websites often have a few additional basic security measures in place in order to help slow down attackers and limit what they can do.

1. Timeouts
Some sites impose a limit to how often you can attempt to access your account. For example, after 3 failed attempts to log in, it may force you to wait 30 seconds before trying again. This makes it implausible to brute-force any reasonably strong password as it vastly slows down the process. Obviously this is ineffective if the attacker has access to the password’s hash, as they can then work offline to determine the password.
2. Guess Limits
A similar tactic to timeouts are guess limited. The site simply limits the number of failed login attempts. After the limit is passed, the account is temporarily locked. You then must reset your password or make a phone call to unlock the account. Again, this does not prevent a hacker from discovering the password if they have access to its hash value.
3. Password Aging
Another policy to increase security is to require users to reset their password after a set amount of time (for example every month). This makes it much more difficult to determine the password as it is constantly changing. There is also often a limit on how soon you can reuse a password you have used before (for example you cannot reuse any of the last 4 passwords you used). The huge disadvantage of password aging is that it causes users to be much more likely to write down their password on a sticky note on their desk or use a less secure password because they have to constantly memorize new ones.
4. Semi Log-Off Policy
One more common tactic is to require users to re-enter their password after a period of inactivity. This ensures that you don’t accidentally leave yourself logged in on a public device. It also means if someone gains access to your account without actually knowing your password, any extended period of inactivity will end their attack.
5. Self-Service Password Reset
Almost every website provides a relatively simple system to change your password. This allows you to prevent someone from accessing your account if you believe they know your password, and also can be used simply as a precautionary measure. Often, you are required to answer security questions that you provided the correct answers for when you created your account. This can be a vulnerability if the answers to the questions can be easily found on social media or elsewhere. To counteract this, many sites also require that you have access to the email account associated with the address you used to sign up. The danger in this is that if someone gains access to your email, they can often reset your password for other websites and gain access to those accounts as well.

Now What?
I imagine after reading this article, you are wondering two things: “Why did it have to be so long?” and “Okay, I read it, so now what?” To answer the first question, I just wanted to be as thorough as I could. It seems like too many people don’t realize exactly how insecure passwords can be. It’s also far too common that someone warns people to create more secure passwords without really explaining how to do it or why it’s so important.

As for the second question, I don’t know that I have a good answer. You can do what you please. Just remember what you’ve read. Maybe next time you create an account for a website you’ll think twice before entering your dog’s name as your password. All I really wanted to accomplish with this article is to make people aware of what it really takes in order for a password to successfully protect your information. Maybe some of you will take the time to change all of your passwords and make sure you use different passwords for your email and online banking than you do for that sketchy online gaming site you found last week. Others may not change anything, but at least now you know the risk you run. Either way, if you made it through this whole article, I’ve accomplished my goal: spreading knowledge of the password problem.

Related Posts

How to Ruin Your Dreams in 5 Easy Steps
Video: A Main Focus Point