Password security

I missed World Password Day a couple of weeks ago, but it’s still a good time for a reminder about password security.  To underline the importance of this, the full data from an incident that occurred to LinkedIn in 2012 is now readily available online. LinkedIn’s servers were broken into and account details of 164 million users were obtained by the attacker, including password hashes in 117 million cases. It is supposed to be hard to convert a password hash into the actual password, but unfortunately LinkedIn used a very poor hashing scheme and this means that the vast majority of these passwords have now been cracked.  Troy Hunt has more information on that breach if you’re interested, but the simple message is that if you had a LinkedIn account in 2012 it is very likely that the password you used is now known to many unsavoury characters.

There have been many many other similar incidents, see https://haveibeenpwned.com/PwnedWebsites, so even if you’re not affected by that particular incident you should read on.

What should you be doing:

  • Don’t re-use passwords between sites. If one site gets breached,
    in the manner that LinkedIn was, then re-using passwords between
    sites allows the attackers to break into your other accounts.

You almost certainly won’t be able to remember enough different passwords, so you’ll need a “password safe” such as http://keepass.info/ or https://lastpass.com/ or the saved passwords feature built into your web browser.

  • Use a strong password. That’s one that can’t be easily guessed by a person or a computer. It must not be in a dictionary or common password list and should be suitably long (at the very least it should be 8 characters, ideally it should be 12 or more).
  • Consider enabling “2 factor authentication” where it is offered.  This means that an attacker can’t break into your account using just your password, they need something else – the “second factor”.  Many sites support using your mobile phone as the second means of authentication, either by sending you a code in an SMS message or by using an app such as Google’s (which is also supported by Dropbox and Microsoft).

That’s the important message, but if you’re interested then you might want to read on.

How are passwords cracked?

Depending on the type of attack they’re able to carry out the attacker may only get a few guesses, or they may get thousands, millions or even billions per second. A critical question is how many guesses the attacker gets. This leads us to consider two types of attack.

First “online” attacks. These are where the attacker using the normal application log-in process, often connecting to the web page of a service over the internet, and attempts to guess the password. A secure system should limit the rate of password guess attempts allowed, for example by locking your account for 15 minutes after 5 incorrect attempts.  This way a system would limit an attacker to about 500 guesses a day.  Hopefully the system would also alert the administrators to such a sustained attack!

An attacker’s first day of guesses would probably look something very much like this: https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_500.txt

Update (2019): Attackers are increasingly using “combo lists” as the basis for these attacks. Instead of trying many passwords against a small number of usernames they simply work through a large list containing millions of known username and password pairs. Each guess they make uses the exact username/password combination that was found in a previous data breach, such as the LinkedIn one mentioned above. This type of attack is effective because many users do re-use the same password in multiple places.

The second attack is an “offline” attack. It is normal for systems to store passwords as hashes. These are based on a one-way function such that you can see if an arbitrary password matches the hash but can’t calculate the password from the hash. What an attacker who gets hold of the hash can do is guess repeatedly. The speed at which they can guess is limited only by the computing hardware they have available and the speed of the hashing algorithm. Some algorithms, such as bCrypt designed for storing passwords, are engineered to be slow. Others, such as MD5 and SHA, that are intended as general purpose hashes are designed to be fast. Storing passwords using these general purpose hashes is a poor idea. With the right hardware, which you can rent from Amazon Web Services for $2.6 an hour, it’s possible to make billions of guesses per second against them.

Attackers may use a large dictionary to try to guess passwords – and not just a regular dictionary but dictionaries specifically put together to contain things people use as passwords, such as the ones available from here: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

For short passwords they may try a “brute force” attack, in which they literally try every possible combination of letters (or letters, numbers and common symbols). This becomes impractical as the password gets longer. Depending on the password complexity (whether it contains a mix of upper and lower case, numbers and symbols or not) it is likely that a brute force attack will become impractical as the password reaches 8 to 12 characters in length. Length is critical here: A password that is 11 characters long and contains just lower-case letters is actually stronger against a brute force attack then an 8 character one containing a mix of upper and lower case and numbers.  Randall Munroe wrote one of his XKCD cartoons about this.

When might an attacker be able to use an offline password attack?

I hope that’s given you a bit more background information to help you keep your accounts safe.