
Password Purgatory - Are we Ever Going to Get Passwords Right?


From my perspective, there are two Internets. The one common folks use - you know, for surfing, stalking and finding who played first base for the NY Yankees in 1989 (Don Mattingly, of course).

The other Internet is my very own, a place where only I can go and my secrets are safe. To get to my personal Internet (e.g., on-line banking, shopping, social networks), I simply have to provide the Internet equivalent of a secret handshake – better known as my name and password.

In fact, there are lots of secret handshakes, special knocks and code words that only I and the website behind the locked door know.

But here’s the problem: How many of those handshakes, knocks and code words can I remember, and what happens if someone is peeking over my shoulder when I use that special knock?

We, of course, are talking about the ubiquitous credential sets that, for better or worse (I’ll point out worse below), our personal Internet usage revolves around.

These credentials are almost always a name/password pair with the name being public (our handle) and the password private. It’s the privacy of that password that drives us crazy.

So, I ask you, are we ever going to get passwords right? And by “right”, I mean impossible to crack, easy and inexpensive to implement, and acceptable to a public that generally views passwords as an annoyance?

If asked that same question, using my experience in the security field and a crystal ball, my answer would be yes, but not soon.

Let’s wander down a few password topics and see if I can convince you of my guarded ‘yes.’

Password Hacking 101

You do know your password isn’t really secret, don’t you?

The most important thing to remember in the password world is the fact that hackers have taken password cracking to an unbelievable level. Don’t think there is some pasty-faced kid in a basement spending weeks laboring over your Facebook account, typing in as many possible passwords as he can think of.

In fact, he just starts up a background script to test thousands of accounts, including yours, while he enjoys a few Xbox games. He’ll break some (maybe yours), and be happy for the night.

Easily obtained, automated password cracking tools use huge lists of commonly used passwords that can be run against most web applications (or, after a breach, against a stolen list of password hashes). This dictionary attack, usually lumped together with brute force, is depressingly successful, because it only has to try the passwords people actually pick rather than every possible string.

Rednecks and Their Passwords

Given the opportunity, Americans will almost always take the easy route.

During a recent radio interview for National Security Month, the host jokingly asked me if his password, ‘12345’, was OK. The co-host then asked about using ‘password’ for his password. While good talk radio, the two of them did pick the two most frequently used passwords in America, ‘password’ and ‘12345’.

Ease of memory often wins out over creativity.

For those who are able to rise above this password shame, you may find yourselves in the themed-password trap, where the theme may be sports teams, celebrities, authors and the like. If a hacker can work out your passion, they will try passwords based on your favorite team or celeb. Again, these are loaded into a password cracking application to take a shot at your accounts.

Finally, there is a large group of people who pick their password out of some misguided sense of affection for family and loved ones – Sally, Fido, Buttons (my childhood parakeet). A hacker just needs to find out the names of your family and give them a try. Too easy.

Before some of you get too smug, saying you’re too clever to be this easily fooled, hackers are just as aware of your transparent ploy of adding easily typed prefixes and suffixes like ‘1234’ or ‘abcd’ to one of these base names – Yankees1234, abcmom.

Again, a well-constructed password cracking tool will easily test these obvious derivations: it takes each base word and mechanically applies “mangling rules” (capitalize, append digits, swap letters for look-alike symbols) to produce every variation you might have thought was original.
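To make the point concrete, here is an added example (not code from the article or from any real cracking tool) of what such a mangling-rule attack looks like. It takes a short list of base words of the kind described above (common passwords, a team, a pet, a family member), applies case, prefix/suffix and letter-for-symbol rules, and checks every candidate against a constructed list of unsalted SHA-256 password hashes. The base words, affixes and the three “leaked” passwords are all made up for the illustration.

```python
import hashlib
import itertools

# Constructed sample: base words an attacker might collect about a target
# (favourite team, pet, family member) plus the generic "most used" entries.
# Illustrative only; not taken from any real breach.
BASE_WORDS = ["password", "12345", "yankees", "ginger", "sally", "fido", "buttons", "mom"]

# Prefixes and suffixes people bolt on to a base word ("" means none).
AFFIXES = ["", "1", "123", "1234", "abc", "abcd", "!", "2012"]

# Letter-for-symbol substitutions that cracking tools apply as a rule.
LEET = {"a": "4", "e": "3", "i": "!", "o": "0", "s": "$"}


def case_variants(word):
    """Yield the lower-case, Capitalized and UPPER-CASE forms of a word."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def leet_variants(word):
    """Yield the word unchanged and with every LEET substitution applied."""
    yield word
    yield "".join(LEET.get(ch.lower(), ch) for ch in word)


def candidates(base_words):
    """Generate guesses: base word x case x substitution x prefix x suffix."""
    seen = set()
    for base in base_words:
        for cased in case_variants(base):
            for mangled in leet_variants(cased):
                for prefix, suffix in itertools.product(AFFIXES, AFFIXES):
                    guess = prefix + mangled + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def sha256_hex(text):
    """Unsalted SHA-256, the kind of fast hash a careless site might store."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(hashes, base_words):
    """Return {hash: password} for every hash matched by a generated candidate."""
    targets = set(hashes)
    found = {}
    for guess in candidates(base_words):
        digest = sha256_hex(guess)
        if digest in targets:
            found[digest] = guess
            if len(found) == len(targets):
                break  # everything recovered; stop early
    return found


# Constructed "leaked" database: unsalted hashes of three typical derivations.
LEAKED_HASHES = [sha256_hex(p) for p in ("Yankees1234", "abcmom", "F!d0123")]

if __name__ == "__main__":
    for digest, password in crack(LEAKED_HASHES, BASE_WORDS).items():
        print(digest[:16], "->", password)
```

Eight base words turn into roughly three thousand guesses, and all three constructed hashes fall in a fraction of a second. Real tools ship with thousands of rules and wordlists of millions of entries, so the gap between “my pet’s name plus 1234” and “cracked” is measured in seconds, not weeks.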

Password Re-use

An amazing fact for you – studies have found that over 50% of the US population uses the same password for every on-line account requiring a login. On the dumb scale, this is right up there with using ‘12345’ as your password.

Most Internet users have multiple on-line accounts. The problem with using the same password for all of these accounts is that any hack that unearths your common password makes you a target across the entire Internet; attackers automate the replay of leaked name/password pairs against other sites, a practice known as credential stuffing.

You have my guarantee that any name/password set picked up from even the most innocent social network account will immediately be tried on every major financial and retail website on the internet. Yep, your free subscription to the on-line version of ‘Better Mice and Rabbits’ may have just emptied your PayPal account – 30 minutes after BM&R gets hacked and your login credentials get stolen.

The Smarter Consumer

Many on-line websites are forcing consumers (with no end of whining on the consumer’s part) to use strong passwords that are a minimum length and contain a certain number of non-alpha characters.

OK, we all agree Az4$gh#y is a good password – just pretty hard to remember.

Let’s get a bit creative and look at G!ng3r8D1nn3r – a derivation of Ginger (G!ng3r) Ate (8) Dinner (D1nn3r). (My dog Ginger always eats dinner – easy to remember.) I’ve substituted a few letters with easily remembered numeric and punctuation characters, capitalized the words and switched ‘ate’ to ‘8’. It is very unlikely that any password list contains ‘G!ng3r8D1nn3r’ as a literal entry. One caveat: these letter-for-symbol swaps are standard mangling rules in cracking tools, so most of the real strength here comes from the length of the three-word phrase rather than from the substitutions.

If you’re willing to go the extra mile but still suffer from password overload, many security experts suggest using at least three distinct passwords across the Internet. One password would be used sparingly and only for very sensitive, and hopefully secure, accounts (e.g., financial, medical). The second password would be used for retail accounts where you might have to use your credit card. Finally, the third password would be used for social, fun and information sites.

All three, of course, should be strong (long and containing standard and non-alpha characters) and different from one another. Keep in mind that this only limits the damage: a breach at any one site in a tier still exposes every other site sharing that tier’s password.

Password Problems at the Server End

Life is not fair. You pick a great, unguessable password, stay away from public terminals and your on-line bank gets itself hacked.

If you’re lucky, your bank will have done a good job protecting the database containing your password: not storing it at all, but storing a hash of it computed with a unique per-user salt and a deliberately slow hash function, so that a thief has to grind through every guess for every user separately. If you’re having a bad day, the site stored passwords in the clear or as plain, unsalted hashes, the hackers will be smarter than your bank, and your great, unguessable password becomes a tool of your financial undoing.

The lesson here is that even the best-chosen password is only as safe as the server storing it.
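The difference between a site that stores passwords well and one that does not is easiest to see side by side. The following is an added example, not code from the article or from any bank: a deliberately weak scheme (one unsalted, fast hash per password) next to a per-user salted PBKDF2 scheme, and the attacker’s view of each given the same short list of common passwords. The user table, the common-password list and the iteration count are constructed for the illustration; the count is kept modest so the example runs quickly, and production values should be considerably higher.

```python
import hashlib
import hmac
import os

# Weak scheme, for contrast: a single unsalted, fast hash per password.
def store_unsalted(password):
    return hashlib.sha1(password.encode()).hexdigest()


# Stronger scheme: random per-user salt plus a deliberately slow derivation.
# Iteration count is an assumption for this example (kept low to run fast);
# raise it as far as your login latency budget allows.
ITERATIONS = 100_000

def store_salted(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_salted(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a verifier does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table; two users picked the same weak password.
USERS = {"alice": "12345", "bob": "12345", "carol": "G!ng3r8D1nn3r"}

# Constructed attacker wordlist of the most common passwords.
COMMON = ["password", "12345", "123456", "qwerty", "letmein"]


def crack_unsalted(db):
    """One precomputed table cracks every matching user at once: hash once, look up many."""
    table = {store_unsalted(p): p for p in COMMON}
    return {user: table[h] for user, h in db.items() if h in table}

def crack_salted(db):
    """Salts kill the shared table; the attacker must redo the slow derivation per user per guess."""
    found = {}
    for user, stored in db.items():
        for guess in COMMON:
            if verify_salted(guess, stored):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    unsalted_db = {u: store_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: store_salted(p) for u, p in USERS.items()}
    print("alice and bob share a hash (unsalted):", unsalted_db["alice"] == unsalted_db["bob"])
    print("alice and bob share a hash (salted):  ", salted_db["alice"] == salted_db["bob"])
    print("cracked from unsalted:", crack_unsalted(unsalted_db))
    print("cracked from salted:  ", crack_salted(salted_db))
```

Both schemes give up ‘12345’, which is the consumer’s fault, not the server’s. The point is the cost: against the unsalted table the attacker hashes each common password once and matches it to every user at the same time, while the salted scheme forces a separate slow computation for every user and every guess, and carol’s long passphrase is never recovered from the common list at all.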

The Future of Passwords

Standard password implementation is an inefficient, consumer-unfriendly means of protecting our identities and assets on the Internet.

The obvious flaws in current password environments are unsophisticated consumers (tell me again why I can’t use my dog’s name?) and web applications getting hacked (the Zappos breach just exposed 24 million customer accounts).

The good news is that we are on the edge of a mass implementation of a very successful credential system that may make all of our lives more secure.

Ancient by Internet standards but still viable, a hardware security token (SecurID) sold by RSA has been providing two-factor authentication for over 10 years. The device generates a new, unique 6-digit tokencode every 60 seconds. This code, appended to a user-supplied PIN (typically 4 digits), forms the passcode that the website checks against the value it computes for that token at that moment – a 10-digit passcode in the 4-digit-PIN case.

Note: the “two factors” are something you know (the PIN, always the same and easy to remember) and something you have (the SecurID device producing the ever-changing six-digit code).

The beauty of this system is that, on the consumer side, a hacker would have to steal the device as well as convince the consumer to give up the PIN, and a passcode seen over your shoulder is useless a minute later. Most websites using a two-factor system also require a standard login name/password credential set as well. One caveat: the secret seed that drives each token also lives in a database at the issuer so the server can compute the same codes, and that seed store needs at least the protection a password database does.
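The following is an added example, not code from the article and not RSA’s algorithm (SecurID’s tokencode generation is proprietary). It uses the open time-based one-time-password standard, TOTP (RFC 6238, built on HOTP from RFC 4226), which is what smartphone authenticator apps implement, with the step widened to 60 seconds to mirror the SecurID rotation described above. It shows both sides of the exchange: the token computing a code from a shared seed and the clock, and a hypothetical relying-party `Server` class checking PIN plus tokencode, tolerating one step of clock drift and refusing to accept the same code twice. The seed is the published RFC test secret; the user name and PIN are made up.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # SecurID tokens rotate every 60 s; RFC 6238's default is 30 s
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    This is what the token (or phone app) computes; 'at' is Unix time in seconds."""
    return hotp(secret, at // step)


class Server:
    """Hypothetical relying party. Holds each user's PIN and token seed; the seed
    store is therefore a high-value target and must be protected accordingly."""

    def __init__(self):
        self.users = {}     # user -> (pin, seed)
        self.used = set()   # (user, step) pairs already consumed, to stop replay

    def enroll(self, user, pin, seed):
        self.users[user] = (pin, seed)

    def authenticate(self, user, passcode, now):
        """Accept PIN + tokencode for the current step, allowing one step of drift."""
        if user not in self.users:
            return False
        pin, seed = self.users[user]
        if len(passcode) != len(pin) + DIGITS:
            return False
        supplied_pin, tokencode = passcode[:len(pin)], passcode[len(pin):]
        pin_ok = hmac.compare_digest(supplied_pin.encode(), pin.encode())
        step = now // STEP_SECONDS
        for candidate in (step - 1, step, step + 1):
            if (user, candidate) in self.used:
                continue  # each tokencode is single-use: reject replays
            code_ok = hmac.compare_digest(hotp(seed, candidate).encode(), tokencode.encode())
            if pin_ok and code_ok:
                self.used.add((user, candidate))
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226/6238 test secret; real seeds are random
    server = Server()
    server.enroll("alice", "1234", seed)
    now = 1111111109                 # a fixed Unix time so the run is reproducible
    passcode = "1234" + totp(seed, now)
    print("device shows", passcode[4:], "-> login", server.authenticate("alice", passcode, now))
    print("same passcode again ->", server.authenticate("alice", passcode, now))
```

Note what the server needs in order to verify: the same seed the token holds. A stolen seed database lets an attacker compute every user’s codes without touching a single device, which is why the server-side caveat above matters as much for tokens as it does for passwords.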

Given the cost of a Two-Factor security system device, SecurID tokens have found widespread use only in business banking, government agencies and large corporations.

The exciting news is that RSA has begun providing a smartphone application that operates just like the current hardware token. This removes the hardware cost that kept two-factor authentication out of reach for ordinary websites, though a code generated on the same phone you browse from is not quite as separate a “second factor” as a dedicated device.

We should expect to see widespread use of two-factor authentication in the future.

It Will Get Better

As a consumer, you can hope for a better credential system where the burden of verifying your identity won’t rest entirely on your memory and a stolen password won’t compromise your entire Internet presence.

It will take a while and, like most new technologies, there will be several competing technologies until a clear winner emerges.

Patience is often a virtue.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.