Using a Common Password? Online Password Crackers are Effective Even with Services that Have Strict Lock-out Policies.
A recent Google campaign attempted to educate users on the choice of good passwords. The motive was good. Google’s accompanying infographic was not. The infographic depicted Hamlet calling out “To be or not to be,” to which a modern-age woman responds by coming up with the following password: 2bon2btitq. There is just one problem - as a Cambridge professor pointed out, this particular password is actually of average strength. Oops.
A password by any other name
When you enter a locker room, there are hundreds of lockers. Each locker has its own combination lock. Without giving it too much thought, you open your particular locker using the combination that only you know, which is the same combination provided when joining the gym.
Similarly, a password is a shared secret between a user and a service. When the user wants to connect to the service, she identifies herself with her username or some other form of account identifier. She then proves her identity by providing the service with the password. The service compares the provided password against what the user supplied during registration. If there is a match, the service grants the user access to the service. We can consider the service as the locker, the username as the locker’s number and the password as the lock’s combination.
Problems arise of course if someone else has your combination. It could be that you use a very popular combination, or you use that same combination on your tote, and someone was able to find the combination to that lock. Alternatively, it could be that someone broke into the gym’s system and saw the list of locks with their respective combinations. Let’s take a look at these aspects when it comes to the virtual world.
What’s past is prologue
In 1990 a researcher (PDF) tested the strength of passwords of Unix users. With a list containing less than 63,000 common sequences, he was able to guess nearly 25 percent of all passwords. Two decades later, a Rockyou database containing 32 million passwords was leaked to the Web that provided further fodder for password analysis. Any guess what the most common password was? 123456. Earlier this year, Gawker’s website was hacked divulging its own database of user passwords. The most common password used by Gawker bloggers - 12345. Popular passwords are so problematic that in July Microsoft announced it is banning its usage for Hotmail accounts. You would think that with all these news about common passwords, people might start to be more creative. Think again. In June of this year, an iOS developer analyzed the most common iPhone passwords. Guess what topped the list? You got it- 1234.
Oh, What Men Dare Do!
Lists of most common passwords are very useful for hackers since they can use these to increase their probability of guessing a user’s password in a quicker and more efficient manner. The hacker tools used to guess these passwords are called “crackers.” Two types of crackers exist: online and offline.
Online crackers repeatedly attempt to access a service under some chosen user identity with different passwords until the right password is found. These crackers are limited to the speed at which the service accepts and handles requests, as well as the network capabilities of the "cracking" machine. In most practical cases online crackers are limited to a low number of attempts per account due to account lockout policies in many services. However, by using most common passwords online crackers are effective even with services that have strict lock out policies.
Offline crackers are used when passwords are recovered from a service but appear in a “digested” format. A password digest is a safety guard used by services in which they store a mathematical transformation of the password. The digest allows the comparison to the original password, but does not easily disclose the password itself. An offline cracker repeatedly chooses different passwords, transforms them to their digested format and compares the result to the exposed password digests. Offline crackers can reach incredible speed, depending on the CPU power of the cracking machine. Some very powerful offline crackers have been built using gaming platforms (Sony PS) or cloud based services (Amazon EC2). To further expedite their operations, offline crackers sometimes use a technique called “Rainbow Tables” in which a large number of calculations are stored in the computer’s memory.
To reduce the effectiveness of offline crackers, services usually add a special step to the process called "salting." Using a salt, a different digest is crafted even if the password is the same. So although “salted” passwords are not completely hack-proof, this makes it much more difficult for crackers to guess numerous passwords within a reasonable amount of time.
More honored in the breach
Take for example July’s Booz Allen breach that divulged 90,000 passwords that appeared in a digested format. In order to crack the passwords, the hacker would have to first “guess” the password. Then the hacker would need to pass it through the mathematical transformation, called SHA-1 in this case, and finally compare it to the list. As a test, let’s check out 123456. Numerous tools exist which calculate the SHA-1 digest. Running the sequence through any one of them will result with the value: 7c4a8d09ca3762af61e59520943dc26494f8941b. One more additional step requires transforming this value to a different type of representation – a base64 encoding. Different tools exist for this as well and they’ll show that the base64 encoding of this value is equivalent o fEqNCco3Yq9h5ZUglD3CZJT4lBs=. This value can now be checked against the leaked list. In fact, 22 passwords in that leaked military list contained this value.
Had the passwords been salted before being digested, it would not be possible to find all the appearances of 123456 in one go. Rather, a hacker would have to go through the process individually for each password with respect to its salt value.
The fault, dear Brutus, is not in our stars
On a personal level, you should use strong passwords and not repeat them across different sites. Obviously, the choice of passwords is all in context. You want a strong one for your online banking application, PayPal, your health benefits and all other types of applications you consider sensitive. On the other hand, using a strong password to reserve a car tune-up at your local dealership just becomes too much of a hassle.
On the business level, services should realize that they simply cannot trust users to choose strong passwords. If you give users the choice, they’ll simply fall back to 123456. Or to the seemingly random sequence of !QAZ2WSX (this password appeared 160 times throughout Booz Allen’s list. It’s simply the two leftmost diagonals on your keyboard). What can administrators do to keep passwords secure?
• Enforce strong password policies. This includes forcing a minimum length of characters, banning common passwords and requiring a mix of characters (digits, letters, upper-case, lower-case, etc).
• Make sure passwords are not transmitted in the clear. Using network transport encryption (e.g SSL) is strongly encouraged. Some authentication protocols (e.g. NTLM) are even designed in a way that the password itself never travels through the network.
• Make sure passwords are not kept in clear-text. Salt a password and then digest it before storing to the database.
• Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. By doing this, attacks are made too slow for practical purposes, even when it comes to shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.
• Employ a password change policy. Trigger the policy either by time or when the suspicion of a compromise arises.
• Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.
The year 2011 is coming to a close. Forbes has just released the SplashData analysis of the 25 “worst passwords” of 2011. But what were the top most groundbreaking hacks of 2011? Stay tuned for these in the next column.