A Game of Pwns: A Storm of (Pas)swords
Despite their perpetual status as old news, passwords and their security weaknesses continue to make headlines and disrupt security in ever-expanding ways, and the usual advice about better protection continues to go unheeded or, more worryingly, fails to address the threats any longer. As attacks continue to improve, they show that a cracked password for a given user account often has significant value beyond just the compromised environment.
We do not sow.
Attackers and security testers have been cracking passwords for decades. The usual situation involves capturing the cryptographic hash of the password, where the password has undergone a one-way cryptographic transformation that does not have a decryption function (unlike encryption that uses a key to encrypt or decrypt), such that the only way to discover the value is to guess it, transform it using the same hash function, and compare the output against the captured password hash. While this may seem improbable, attacks have successfully cracked passwords this way for a long time. In part, this occurs as a result of bad password hash functions, but most of the success comes from easily guessed passwords.
The North remembers.
Security incidents that expose passwords have a few significant effects. The most obvious, that an attacker can access that user’s account, is perhaps the least significant, barring a compromise of something significant like an online banking application, a work-related system, or a regularly used social media platform. The more likely scenario is that this compromised password is the same password used by the same individual for other accounts, and an attacker now has a pretty good guess at the password of something more valuable. The less well understood, but perhaps more important consideration, is that actual password disclosures, particularly on a large scale, improve the ability to crack passwords in the future.
That’s what I do. I drink and I know things.
Cracking passwords by guessing purely random strings of characters takes a comparatively long time in terms of computing effort. Because users typically pick easily guessed passwords, those who crack passwords have learned to take some shortcuts. In the beginning, these were lists of words, derived from dictionaries or other sources, but containing little insight about how users actually selected passwords.
Advancements such as rules for modifying words from the list (substituting an “e” for a “3” or appending a symbol like a “!” to the end of a word), or narrowing down brute force attempts to set patterns like four alphabetic characters followed by three numerals brought about some incremental improvements, but still guessed at the nature of user passwords rather than relied on much actual data. However, that changed with security incidents that exposed large numbers of passwords, such as the RockYou incident in 2010, or the LinkedIn incident in 2012. These events offered password crackers, both the proverbial good guys and bad guys, a major insight into the ways users select passwords. As such, password crackers can make use of previously cracked passwords as the basis for new password cracking efforts. Given the high probability of password reuse, the ever-increasing knowledge of the patterns that successfully match user passwords, and the easy accessibility to the specialized hardware and software tools (you can have an effective cracker running on Amazon Web Services up and running in less than an hour) each significant breach of credentials drives the feedback loop that improves password cracking, which results in a more effective crack of the next password breach, which improves our collective knowledge and ability to crack passwords.
And make no mistake, the dead are coming.
Simply put, passwords that our minds are capable of remembering without assiduous effort are too easily susceptible to password cracking techniques. Also, reusing the same password across more than one account creates significant risks that an attacker who obtains the password can leverage that credential to attack the user or the user’s employer more significantly (perhaps more embarrassing than dangerous is the recent news alleging that Mark Zuckerberg’s LinkedIn password was the same bad password he used for Twitter and Pinterest, although it illustrates the point quite splendidly). While regulatory requirements may call for a certain password complexity that humans can easily remember or security advice from a few years ago suggest a few memory tricks to improve password selection and recall, the reality of modern cracking efforts leads to this: select a unique, random, lengthy password (ideally 20 characters or more) for each account and do not reuse it.
The practical outcome of needing large, random, unique passwords is the urgent need for some sort of password vault.
Today, this typically takes one of two shapes: an application run locally on a computer or mobile device, such as KeePass or PasswordSafe, or a web service like LastPass. Like most security decisions, this involves a series of tradeoffs for matters of trust, usability, and protection of your credentials. Using an open-source local application like KeePass gives you perhaps more control over your accounts than a web service like LastPass. Additionally, the cost is usually $0 for the open source option. However, LastPass offers a number of useful features like accessibility on your mobile devices, a forgot password feature (which local applications usually do not have), and some ease-of-use features for browsers. Both also have security issues, as LastPass has reported some security incidents and local applications have security vulnerabilities like every other piece of software in existence.
That said, either choice, constitutes a significant security improvement over reusing easily guessed passwords, and the cost-benefit analysis for choosing one over the other grows very small when placed next to the problem of doing neither.
I am the horn that wakes the sleeper. I am the shield that guards the realms of men.
As a consumer of Internet services, the best security advice is to begin transitioning to the use of a password vault of some sort as soon as possible, along with enabling multi-factor authentication for as many accounts that will support it (e.g., Amazon, Google). As an organization that operates applications where users authenticate, support strong passwords (shame on you if your site has a maximum length or disallows certain special characters) and start working on supporting multi-factor authentication. For your password storage, follow the current best practices for using slow hash functions like bcrypt with good, random salts and move away from outdated hash functions like MD5 or SHA1 (which we still frequently see during assessments). Attacks get better and not worse, and attacks against passwords get better with almost blinding speed. Incremental defenses like requiring a few more characters of minimum length won’t suffice; a good defense needs to change the game about authentication altogether.
About JACOB ANSARI
Jacob Ansari is the Chief Information Security Officer at Schellman & Company, where he develops and manages the company-wide information security program. Jacob oversees the processes for risk and security assessment, vulnerability management, software security, awareness and education, and incident response. Jacob has also performed in a client facing role as the technical lead for Schellman’s PCI services, and represents Schellman to the payments industry. Additionally, Jacob has experience with other Payment Card Industry assessment services, namely Software Security Framework, PA-DSS, P2PE, 3DS, and PIN. Jacob has extensive technical expertise on matters of information security, compliance, application security, and cryptography, and has been performing payment card security assessments since the card brands operated the predecessor standards to PCI DSS. Over the 20 years of his career, Jacob has spoken extensively on PCI-related matters, trained and mentored assessors, and contributed to groups on emerging standards, advisory bodies, and special interest groups.