When a well known company held its password audit, one employee was found to be using the following: "MickeyMinniePlutoDocSneezyGrumpyDonaldGoofyLondon." When asked why he had such a long password, he informed his superiors that he had followed their instructions that it must contain 8 characters and include at least one capital.
I have just set up a new email account and I am prompted to ‘choose a new pass-word’. In the moments that follow, I make a decision that is central to the security of the all the information that will pass through this account. So, what considerations go through my mind in deciding what words, digits or formula I am going to select. Convenience often takes over and the desire to be ‘up and running’ can result in is making a hasty generation of a what should have been a careful creation of an ultra- secure password.
Research studies show that people commonly reported password creation practices that are simplistic and consequently very insecure. Selections include using lowercase letters, numbers or digits and words and numbers that are personally meaningful (e.g. significant dates).
It is widely typical to use birth dates, anniversary dates, variations on telephone numbers, car license plate numbers, social security numbers, street addresses, house numbers, etc. Likewise, personally meaningful words are typically derived from predictable areas and interests in the person's life and could be guessed through basic knowledge of his or her interests.
The studies indicated that even with the application of password guidelines, users still tended to revert to the simplest possible strategies. Nearly two thirds do not vary the complexity of their passwords depending on the nature of the site and more than half never change their password if they are not required to do so.
These practices are most likely motivated by the fact that people often hold several accounts and have difficulty recalling too many unique passwords. For this reason and others, many people opt to use a single password for all accounts. Once a hacker gains access to the password, he can wreak havoc, steal your identity, destroy your credit, ruin your relationships and expose your secrets.
Many smart phone devices such as the iPhone will allow one to set a four or six-digit number for entry. Research analysis shows that incredibly, nearly 20% of users opt for only five variations of the four-digit code. Nearly 11% of iPhone users chose 1234, 6% used 1111, 2% selected 0000 and 1% went for 1212. These combinations together with a permutation where the two digits used are 19 or 20, (representing significant or memorable years), set the category of a ‘predicable combination’ into an even higher percentage.
For any would-be hacker, the probabilities of gaining entry to private data are greatly increased by examining such trends and patterns of the user who invariably goes about his or her business thinking they are safe.
Security strengthens with layers. If entering a bank vault, one is required to pass through several doors to reach the inner sanctum and at different entry points, new information is required for continued access. Any kind of coding that is necessary to insert and known only to security or authorized entrants serves as a reinforcement of the secure area and prevents any access to unwarranted intruders.
Similarly, the simplest application of encryption on your database can help protect your own or customer’s data. One could assume that users would engage in best practice when creating secure passwords but recommended practices are often strangely overlooked. It seems that the majority of users are not aware of just how vulnerable password protected systems can be, the prevalence and ease of password cracking and the resulting damage that can be caused by it.
Password protection or lack of it is the IT industry's permanent headache. Are passwords a broken and outdated model? Everyone relies on them and we live as though they do what they're meant to do. By constantly emphasizing the importance of using ‘strong passwords’ we take the spotlight away from other concerns. Some computer security experts advance the controversial thought that passwords might not need to be “strong,” or even changed regularly. They say that persistent requirements for passwords have given us a false sense of protection against potential attacks. In fact, some would claim that we aren’t paying enough attention to other more potent threats.
Amongst these is ‘keystroke logging’, also known as key logging or ‘keyboard capturing’. This is the action of recording or taking a log of the keys struck on a keyboard. While this action has very legitimate uses in studies of human-computer interaction, it is also typically done in a secretive manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous key logging methods, ranging from hardware and software-based approaches to acoustic analysis. When ‘key logging’ software is deposited by a virus on a PC, it is capable of recording all keystrokes — including the so called ‘strongest passwords’ created — which may be forwarded to a remote location.
This was one method used by Panin or ‘Gribodemon,’ the creator of ‘SpyEye’ who in January 2014 admitted his fraud in an Atlanta court. In 2009, he developed software to automate the theft of confidential information and financial details including usernames, passwords, credit card details and online banking credentials. He then sold it to ‘invite only forums’ for thousands of dollars. The financial services industry alone reports that over 10,000 bank accounts were compromised by SpyEye in 2013.
Usability expert, Donald Norman points out that overly complex password policies actually negate the benefits they were designed to produce. According to Norman, unreasonable rules can end up rendering a system less secure: users end up writing down passwords and storing them in places where they can be readily discovered.
The US Government has launched several initiatives to improve the privacy, security and convenience of sensitive online transactions through communications with the private sector, advocacy groups, government agencies, and other organizations. The National Strategy for Trusted Identities in Cyberspace (NSTIC) had a vision imagining an online environment where individuals and organizations could trust each other because they identify and authenticate their digital identities and the digital amount of information that individuals must disclose.
The objective was to find something to give more confidence than "insecure passwords" in identities of organizations and devices. It was promoted to offer, but not approve, stronger identification and authentication while protecting privacy through limiting the order to make "online transactions more trustworthy." To achieve this, the program worked with companies to identify internet-scale solutions that could rely on password alternatives such as trusted identity providers and biometric solutions. While solutions like ‘single use passwords’, or ‘single sign on’ (through providers like Verizon or Google) can reduce risk or provide greater assurances of identity, some feel that biometric security is one of the best ways to gaurantee a core identity.
Biometrics refers to the identification of humans by their characteristics or traits. These identifiers are the physiological distinctive, measurable characteristics used to label and describe individuals. These could be selected from fingerprint, face recognition, palm print, iris or retina recognition and DNA. Some researchers have come up with the word ‘behavio-metrics’ referring to a study of biometrics relating to a person’s pattern of behaviour. This could include typing rhythm and patterns or voice recognition.
As biometric identifiers are unique to individuals, they are more reliable in verifying identity than any other knowledge-based methods. Their obvious and crucial strength is that the only one who can use it is you yourself. However, the collecting and storing of biometric identifiers raises privacy concerns as does the ultimate use of this held information.
When a system uses passwords for authentication, it must have some way to check any inserted password in order to authorize access. If, as is usual, the valid passwords are simply stored in a system file or database, it means that if an attacker gains sufficient access to the system then he can obtain all user passwords. This allows access to all accounts on the attacked system, and possibly other systems where users employ the same or similar passwords. So it is not a good idea for computer systems to store passwords in ‘cleartext’, that is - in their original form.
Encryption transforms data from a cleartext to ‘ciphertext’ and back (given the right keys), and the two texts should roughly correspond to each other in size: long cleartext yields long ‘ciphertext’. "Encryption" is a two-way operation. Hashes, on the other hand, compile a stream of data into a small ‘digest’ or a summarized form and it's strictly a one-way operation. All hashes of the same type have the same size no matter how big the inputs are.
One way to reduce this risk of success for the attacker is to store only a ‘cryptographic hash’ of each password instead of the password itself. Standard cryptographic hashes, such as the Secure Hash Algorithm series (SHA), are very hard to reverse, so an attacker who gets hold of the hash value cannot directly recover the password.
However, knowledge of the hash value lets the attacker quickly test guesses offline. Automated Programs to crack passwords are widely available that will test large number of trial passwords against a cryptographic hash. Improvements in computing technology keep increasing the rate at which guessed passwords can be tested. Commercial products are available that claim the ability to test up to nearly 3,000,000,000 passwords per second on a standard desktop computer using a high-end graphics processor.
Such a device can crack a 10 letter single-case password in one day. Note that the work can be distributed over many computers for an additional speedup proportional to the number of available computers with comparable abilities. Special hashes (key stretching) are available that take a relatively long time to compute, reducing the rate at which guessing can take place. Although it is considered best practice to use key stretching, many common systems do not.
So how do key stretching techniques work? The initial key is fed into an algorithm that outputs an enhanced key. The enhanced key should be sufficient size to make it unfeasible to break by brute force, (at least 128 bits). The overall algorithm used should be secure in the sense that there should be no known way of taking a shortcut that would make it possible to calculate the enhanced key in less time (less processor work) than by using the key stretching algorithm itself.
An attacker has effectively two options by trying every possible combination of the enhanced key (which if long enough is not really viable), or else trying likely combinations of the initial key.
In the second approach, if the initial key corresponds to that of a password, then the attacker would check every word in a dictionary or common password list before trying all character combinations for longer passwords. Key stretching does not prevent this, but it means that the hacker has to spend a lot more time in attempting to gain access.
When using a ‘hash of the password’, rather than the password itself, the security lies in the hashes being irreversible, so there is no way to find out for sure "what password actually produced this hash" As a result, the consequence of a compromise is much lower. Even with the password tucked away in a safe place, since this is a one-way function, we can’t be sure that some future user at a login prompt will return the same password. So we take the proposed password in ‘clear text’ format, run it through the same hash function, and see whether this result matches the hash we've saved in the password store. If they match, the user must have known the proper password, so access is granted, but if the hashes are not identical, access is denied.
If the attacker uses the same class of hardware as the user, each guess will take the same amount of time to process as it took the user and that could be a second. Even if the attacker has greater computing resources than the user, the key stretching will still slow him or her down. The user's computer only has to compute the stretching function once when the user enters his/her password. The attacker on the other hand must compute it for every guess in the attack.
If a password system only stores the hash of the password, an attacker can pre-compute hash values for common passwords variants and for all passwords shorter than a certain length, allowing very rapid recovery of the password once its hash is obtained. Very long lists of pre-computed password hashes can be efficiently stored using what are known as rainbow tables.
These are used to recover clear text passwords up to a certain length and consisting of a limited set of characters. It is a practical example of using more computer processing time at the cost of less storage when calculating a hash on every attempt, or less processing time and more storage when compared to a reference table with one entry per hash.
This method of attack can be prevented by storing a random value, (cryptographic salt) along with the password. The 'salt' (which may be an additional number) is combined with the password when computing the hash, so an attacker pre-computing a rainbow table would have to store for each password its hash with every possible salt value. This becomes infeasible if the salt has a big enough range, say a 32-bit number. Unfortunately, many authentication systems in common use do not employ ‘salt’ security and rainbow tables are available on the Internet for several systems.
In the world of Computer Security, it is advisable to migrate to better hash functions. Even though the SHA contributions have been accepted as wholly secure for a long time now, NIST (the National Institute of Standards and Technology) has a standard for even longer hash functions which are named for the number of bits in their output.
512 bits of hash holds 1.34 x 10154 possible values, which well exceeds the number of hydrogen atoms in the universe. So, can we take it that this is likely to be safe from brute-force or any kind of attacks for quite some time.
It is nearly a decade since many experts claimed that the ‘password’ is on borrowed time. Google’s manager of information security, Heather Adkins told the TechCrunch Disrupt Conference in San Francisco back in 2013 that “passwords are dead” and this was only a few months after PayPal’s chief security officer, Michael Barrett began an address in Las Vegas with an image of a tombstone marked with the words ‘Passwords 1961-2013’. He believed then that “passwords were running out of steam as an authentic solution”.
The multi layered security solution still seems best and many businesses today use two-step authentication for remote access to their network. Technology like ‘biometrics’ could become a great mobile security tool, however, the combination of such measures along with and not instead of ‘pass-code authentication’ is our most powerful way forward.