In our previous articles we discussed malware, phishing, viruses and other computer infections designed to maliciously acquire your personal information. Last week we talked about low privacy settings on social networks, today we will talk about weak passwords.
Most people use extremely simple passwords. Security studies performed before 2000 found that most individuals use passwords like 12345, their name and year of birth (e.g. john1752), or the birthday of some close relative. Studies found that people reuse the same password for many different services provided by different organisations. Additionally, over time many users share these simple passwords with family, friends and/or co-workers, and often write them down on paper.
In this article we will look at the risks involved in the above practices and discuss how to select a secure password that you can remember.
The problem with sharing your password
Traditionally, humans have identified each other by recognising the other person’s face, and voice. However, computer services, like Facebook, hold unique relationships with over 800 million people. To keep operating costs low, their systems rely on the username and password method to identify users.
A password is supposed to be a secret known only to you and the service provider. That secret is the *only* way most service providers can identify it is actually *you* on the computer. What this means is that your “personal identity” is now tied to that username and secret for that service provider.
Lets imagine for one moment that, just like in science fiction, each of us can change the physical shape and size of our body and the sound of our voice at will. Giving someone your username and password is like giving someone else permission to shape-shift into you. We would probably feel very uncomfortable about someone physically pretending to be us with our friends and family, particularly when they don’t know it’s not really us. In the cyber world, sharing your password is the same as letting someone else shape-shift into you. It can lead to problems!
The problem with reusing your password
Facebook currently identify you by asking your username and password. Now lets imagine you make the bad decision to use your Facebook password for your LinkedIn account. At this point you are now sharing your Facebook password with a new set of complete strangers (the LinkedIn administrators). Every time you reuse your password on different sites, you are effectively giving more people the ability to impersonate you on all the sites that share the same password!!!
Now you might say:
“But I trust the technical administrators of each of those companies to behave honestly with regard to my personal identity.”
You have no assurance that they will, but lets presume that they are honest people. You are still at extremely high risk.
If anyone finds your password, by any method, they can impersonate you on those services.
If a hacker breaks into LinkedIn and steals your password (like they did recently), they now have the ability to impersonate you on LinkedIn and other websites that use the same password. Even worse, evil-hackers often publish stolen username and passwords to prove they attacked the system. This means that people who know you personally may be able to gain access to your accounts with potentially disastrous consequences... Other attack vectors include the theft of your mobile device, a computer virus that provides cyber criminals with your password when you type it into the computer, a phishing attack, or classic social engineering attacks.
The problem with weak passwords
A password is a secret. What this means it that even if someone knows you, they should have *no idea* what that password is. However this is not the full story. Imagine you could only pick between two passwords: “Black” and “White”. Obviously, an attacker could test both passwords very easily! So for a password to be secure, there must be lots of different possible passwords to choose from. So using your name and birthday “john1752” as your password is very easy for an attacker to guess! Simple passwords like 12345 are the first passwords tested by hackers... So lets look at how computer guess stronger passwords...
“Password cracking” is a term that refers to the process of recovering passwords from data that has been stored in, or transmitted by, a computer.
One of the most common methods of attacks to retrieve a password is known as a “Brute force attack”. This involves systematically trying all possible password combinations until the correct one is found. In the worst case it could be necessary (for the attacker) to try the entire search space of a password. The size of the search space is determined by the length of the password and the range of different characters used. For example, lets say we know that the password is a number of five digits in length, then the search space is 100,000 possible combinations. Six digits in length is much stronger at 1,000,000 possible combinations. Unfortunately, testing four billion combinations through brute force is easy today.
To make the situation worse, brute force attacks do not typically need to test every “possible” combination. They can dramatically speed up their attacks by testing every “probable” combination. For example, they can start by testing all the words in the English dictionary, and simple variations on those words...
To protect your password in storage on the remote system, they use a “hash function” to create a secure “fingerprint” of your password. In secure systems, when you set a new password for your account, only the “fingerprint” is stored in the database. When you log in, the password you typed in is hashed, and the two fingerprints are compared.
In an effort to protect against the use of weak passwords in their system, trusted system administrators may run tools to intelligently guess the passwords of users.
At a conceptual level, cracking passwords is very similar to logging into a service.
The password crackers “guesses” a password, run it through a “hashing” algorithm and compare the fingerprint with those stored on the server. A match means a user account has been cracked. Of course, computers can check hundreds of thousands, if not millions of guesses every second.
Some of the most popular cracking software tools are “Cain and Abel” and “John the Ripper”. The John the Ripper tool is considered one of the most popular password testing and breaking programmes and is routinely used by the good and bad guys.
2012, the year of password theft
To give a clear vision of the extension of the phenomenon of password theft it is possible to analyse the figures provided by the security firm “Security Coverage”:
- More than 60 per cent of people use the same password across multiple sites.
- Password theft has increased by 300 per cent.
- There has been a 67 per cent increase in the total number of data breaches since 2010.
- The pieces of personal information sold illegally went from 9.5 million in Q1 2010 to 12 million of Q1 2012.
- 63 per cent of smartphone users do not use password protection.
- 32 per cent of smartphone users save login information directly to their devices.
- Smartphone users are 33 per cent more likely to be victims of identity theft.
- Users whose personal information is taken in a data breach are 9.5 times more likely to be victims of identity theft.
- 72 per cent of identity theft victims do not know the source of the crime.
Choosing a good password
At this point we hope you have understand just how powerful computers are at guessing passwords.
To compose hard-to-guess passwords, we recommend:
Use long passwords (minimum length of seven characters, preferably more to increase strength)
Use a wide range of characters including A-Z, a-z, 0-9, punctuation and symbols, like # $ @, if possible
As a rule try to use at least one lower-case and one upper-case character, and at least one digit. If it is technically possible, also use a punctuation mark. This helps increase the total search space.
Use numbers in place of letters in some cases. Change “i” by “1”, “E” by “3”, “A” by “4” (or @), “S” by “5”, “G” by “6”, “O” by “0”. Again, this helps increase the search space.
Avoid trivial passwords
Try to avoid words found in a dictionary (or at least words less than four chars long)
Passwords should not include your name or Login/User ID
Avoid sequences such as 12345 or abcde or paired letters (e.g. bbcc)
Avoid using similar and easy-to-derive passwords for many online services (like J0hnF@cebook, J0hnG00gl3...),
Try to spend some time designing passwords for the important services you use. Create complex but easy-to-remember passwords. For example, suppose you’re a big fan of The Simpsons. A good password for your e-mail might be something along the lines of: Ih4teM0ntg0m3ry#Burn5 (if you do not get it, it means “I hate Montgomery Burns”). And for Facebook maybe you can use B4rT#I5#MY#Fr13nD (“Bart is my friend”. with numbers in place of letters and every word beginning and finishing in uppercase). These are not so easy to guess by brute force attacks because of the length, character range (upper- and lower-case, numbers, and symbols), and because knowing that you like The Simpsons does not mean that is easy to derive what you think about The Simpsons characters.
When you use long expressions or phrases as a password, try to use some simple technique to substitute one letter for a different letter: for example, replacing every letter ‘a’ with the symbol ‘per cent’. This helps prevent against dictionary attacks while keeping it easy to remember your pass phrase.
In closing, this article has provided you the basics to understand and select strong passwords. Remember that your username and password is how you establish your identity online in many contexts, and it needs to be carefully managed! In future articles in this series, we will discuss multi-factor authentication, single sign on technologies and electronic password managers!
Prof. Fabian Martins (http://br.linkedin.com/in/fabianmartinssilva) is a banking security expert and Product Development Manager at Scopus Tecnologia,(http://www.scopus.com.br/) owned by Bradesco Group.
Pierluigi Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified Ethical Hacker, EC Council and Founder
of Security Affairs (http://securityaffairs.co/wordpress)
Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited [email protected] .
David Pace is project manager of the ICT Gozo Malta Project, and a freelance IT consultant
Ben Gittins is CTO of Synaptic Laboratories Limited. [email protected]