Passwords are the cornerstone of modern information security. It’s inconceivable to think of information security without passwords, yet they are an extremely vulnerable security mechanism. Every time a new “mega breach” occurs, the details of millions of users are exposed and sold online. These include email addresses and of course, passwords.
Analysing password data over several years reveals just how weak this security mechanisms is, and how it exposes organisations to a greater risk of being breached. This post will review the common shortfalls of passwords, the risk emanating from such shortfalls, and the wisest practices to adopt, to increase security levels.
Too common, too simple
Most people use passwords which are not strong enough, and which can be easily guessed or cracked by brute force mechanisms. Every year, SplashData (http://splashdata.com/) complies a list of the millions of stolen passwords made public in the past twelve months, proceeding to list them in order of popularity. http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514
A quick read through this list, from 2015, reveals just how unimaginative/lazy people are when selecting passwords:
Data derived from countless breaches confirms this simple truth: people do still use foolish passwords! The security industry is trying to fight this habit; Microsoft Azure Active Directory's ten million or so users are no longer able to select a password that has appeared too many times on breach lists, or is commonly used by attackers when attempting to login.
Having a solid password ensures far better security. However, no matter how sly and foolproof, yet resilient and memorable a password you’ve crafted, do not fall into the trap of using it on multiple platforms.
Since we no longer can divide between our “private” IT (Gmail account, phone password, Amazon/dropbox account, etc.) and “work” IT (corporate email account, corporate cloud applications, etc.) it’s becoming impossible to create a separate set of passwords for work and private use. Using the same password repeatedly makes it easier for hackers to retrieve it from a password dump, or steal it from a less secure site, and then use it to unlock a corporate account.
Password reuse has resulted in some spectacular breaches, including the takeover of Twitter’s CEO account (hackers found Jack Dorsey’s email and generic password in the post-LinkedIn breach password dump, itself a result of a LinkedIn employee reusing their own password to access the site’s data base). It is now known that each massive data breach results in subsequent attacks using reused passwords (Github and Citrix suffered such attacks almost immediately after the LinkedIn hack was made public and the password database was published on an underground forum).
Password renewal/ replacement
The obvious solution to this problem would be to enforce stricter policies on users, making them change passwords often. While this is considered globally to be the best solution, some security experts regard it as futile, and even dangerous. Security researcher Per Thorsheim stated that it has been proved that corporations forcing their employees to change their passwords on a frequent basis are actually more exposed to attack; the more times workers are instructed to change their passwords, the more simpler passwords they use, ones that are easier to remember- and to crack.
Websites storing large amounts of passwords should encrypt them, to secure their users. Alas, encryption too isn’t all it’s made to be. Depending on the encryption method used, hackers can easily break the code and unlock countless passwords. This specific proficiency is called “cracking”, and is highly sought after in the criminal underworld. Dedicated cracking forums deal with topics ranging from general encryption/decoding and password cracking, to specific device/ encryption bypassing.
One such decryption method, often discussed in depth, is “hash decryption”. “Hash” is a mathematical algorithm, which maps data of arbitrary size to a bit string of a fixed size (a hash function), designed to be a one-way function, that is, a function which is almost impossible to invert. The only way to recreate the input data from a cryptographic hash function's output is to attempt a brute-force search of possible inputs, to see if they produce a match.
Many websites use the MD5 algorithm for password encryption. MD5 stands for 'Message Digest algorithm 5'. A MD5 hash is composed of 32 hexadecimal characters. Each MD5 function produces a single, unique hash, meaning that it is possible to build an enormous dictionary in order to search for matches that can reverse the encryption and reveal the original password.
A simple way to demonstrate this is to try one of the many sites generating md5 passwprds (such as http://www.md5online.org/md5-encrypt.html), Users are instructed to enter a random password (we entered “football”, which isfairlyy common). Our password recieved the value 37b4e2d82900d5e94b8da524fbeb33c0
We then inserted the encrypted (hashed) string into a decryptor, with a built-in dictionary:
As you can see, the dictionary quickly provided us with the correct password.
An additional layer of security can be inserted into the encryption algorithm in the form of “salt” - random data that is used as an additional input to a one-way function that "hashes" a password. Whilst salts ensure that dictionary attacks and brute-force attacks are far slower in cracking large numbers of passwordsr, they cannot prevent these altogether.
Where do we go from here?
You should assume that a password stored on any site or database can be easily stolen and cracked, and that attackers will use it to try and penetrate enterprise systems and accounts.Perhaps, in the near future, behavioral and biometric means will replace, or add a security layer to, passwords. Until this becomes a reality, we should try to adhere to most secure practices; to separate and avoid reusing older passwords as much as possible. Password generators and 2 factor authentication add additional security to this deficient mechanism.
And, please, try to avoid obvious passwords, like “football”, “password” and “qwerty”. Let’s, at the very least, make hackers and crackers sweat a little before they break in...
This post was written by Agam Gabay, Cyber intelligence analyst at IntSights