P@$$1234: the end of strong password-only security
Deloitte predicts that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking. Inadequate password protection may result in billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of the companies compromised by attacks. As the value of the information protected by passwords continues to grow, attracting more hack attempts, high-value sites will likely require additional forms of authentication.
How do passwords get hacked? The problem is not that a hacker discovers a username, goes to a login page and attempts to guess the password. That wouldn’t work: most web sites freeze an account after a limited number of unsuccessful attempts, not nearly enough to guess even the weakest password.
Most organizations keep usernames and passwords in a master file. That file is hashed: a piece of software encrypts both the username and password together. Nobody in the organization can see a password in its unencrypted form. When there is an attempt to log in, the web site hashes the login attempt (in real time) and determines if the hashed result matches the one stored in the database for that username.
So far, so secure. However, master files are often stolen or leaked. A hashed file is not immediately useful to a hacker, but various kinds of software and hardware, discussed in this Prediction, can decrypt the master file and at least some of the usernames and passwords. Decrypted files are then sold, shared or exploited by hackers.
For years a password that was at least eight characters long and included mixed-case letters, at least one number, and one non-alphanumeric symbol was considered relatively strong. Although not perfectly secure, such a password was considered good enough for even relatively high-value transactions such as banking and e-commerce.
How strong were they? An eight-character password chosen from all 94 characters available on a standard keyboard[1] is one of 6.1 quadrillion[2] (6,095,689,385,410,816) possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation. Even gaining access to a credit card would not be worth the computing time.
However, a number of factors, related to human behavior and changes in technology, have combined to render the "strong" password vulnerable.
First, humans struggle to hold more than seven numbers in short-term memory[3]. Over a longer time span, the average person can remember only five. Adding letters, cases, and odd symbols to the mix makes remembering multiple characters even more challenging.
As a result, people use a variety of tricks to make recalling passwords easier. For example, users often create passwords that reference words and names from their own language and experience. Users typically put the upper-case letter at the beginning of the password and place the numbers at the end, repeating the numbers or putting them in ascending order. Although a keyboard has 32 different symbols, humans generally use only half a dozen of them in passwords because they have trouble distinguishing between many of them[4]. These tricks and tendencies combine to make passwords less random, and therefore weaker.
In a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts[5]. Non-random distribution allows hackers to create a file, or “dictionary,” of common password words and phrases, and symbolic variations, making cracking an account thousands or millions of times easier.
But non-random passwords aren’t even the biggest problem. The bigger problem is password re-use. The average user has 26 password-protected accounts, but only five different passwords across those accounts[6]. Because of password re-use, a security breach on a less-secure gaming or social networking site can expose the password that protects a bank account. This is exactly what happened in a series of breaches in 2011 and 2012, and there are now websites where tens of millions of actual passwords can be accessed[7].
There have also been advances in the hardware used to crack passwords. Dictionary and behavior-based attacks are elegant, but a “brute force” attack can also succeed. A brute force attack simply applies each of the 6.1 quadrillion combinations for an eight-character password until one works. A dedicated password-cracking machine employing readily available virtualization software and high-powered graphics processing units can crack any eight-character password in 5.5 hours. The cost of such a machine was about $30,000 in 2012[8], but hackers don’t even need such powerful machines. Crowd-hacking lets hackers distribute the task over thousands of relatively slow machines, each attacking a different part of the puzzle, to crack a password much faster than any single machine[9].
With so many threats, we might expect users to be adopting longer and stronger passwords. That has not occurred, in part because of the difficulty of entering passwords on mobile devices. In general, mobile passwords tend to be less secure than those used on a PC[10]. On a standard physical keyboard, all 94 possible characters are easily entered; on a smartphone with a small physical keyboard, accessing all possible characters takes a bit longer; on a touchscreen-only device, a user may have to page through multiple screens just to find the “#” symbol. The average user takes 4-5 seconds to type a strong ten-character password on a PC keyboard. That increases to 7-10 seconds on a smartphone with a keyboard and 7-30 seconds on touchscreen devices. A quarter of the people surveyed admitted to using less-secure passwords on mobile devices to save time[11].
The incentives for obtaining unauthorized access to accounts will remain strong, so all organizations that keep passwords should follow authentication best practices. Usernames and passwords should never be stored in unencrypted form; at a minimum they should be cryptographically hashed so that hackers are limited to dictionary and brute force attacks. A relatively simple and inexpensive technique called salting appends a random string of characters to the password each time it is hashed, effectively randomizing the hash and making cracking the stored values orders of magnitude more difficult[12]. It is also important to establish a password-creation system that rejects obvious passwords such as “password” and “abc123.” For example, one mobile device manufacturer has a blacklist of 106 commonly used passwords that are not allowed[13]. Finally, a strong password is useless if the password reset clue is too easily found (e.g., “mother’s maiden name”). Choosing less searchable reset clues makes the system more secure[14].
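The storage practices recommended above, as an added example that is not code from the Deloitte report: unsalted hashing beside per-user salted hashing with a deliberately slow key derivation, plus an obvious-password blacklist. It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt as the concrete hashing scheme, and the blacklist entries are a constructed sample, not the 106-entry list the report mentions.

```python
# Added example (not the report's code): the storage practices the
# paragraph recommends, using Python's standard library only.
# Assumption: PBKDF2-HMAC-SHA256 with a 16-byte random salt stands in for
# "cryptographically hashed"; BLACKLIST is a constructed sample.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000                      # slows down every guess a cracker makes
BLACKLIST = {"password", "abc123", "123456", "qwerty", "letmein"}  # constructed

def is_blacklisted(password: str) -> bool:
    """Reject obvious passwords regardless of letter case."""
    return password.lower() in BLACKLIST

def unsalted_hash(password: str) -> str:
    """What NOT to do: identical passwords give identical digests, so a
    leaked file reveals shared passwords and precomputed tables apply."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt$digest'; a fresh salt is drawn per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # Two users who happened to choose the same password (constructed sample).
    alice = hash_password("P@$$1234")
    bob = hash_password("P@$$1234")
    print("unsalted digests equal:", unsalted_hash("P@$$1234") == unsalted_hash("P@$$1234"))
    print("salted records equal:  ", alice == bob)
    print("verify correct:", verify_password("P@$$1234", alice))
    print("verify wrong:  ", verify_password("P@$$1235", alice))
    print("blacklisted:   ", is_blacklisted("Password"))
```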
Longer passwords could make systems more secure. Adding just one or two characters makes brute-force attacks almost a thousand times slower. A ten-character password has 8,836 times as many possible combinations as an eight-character password, and the same password-cracking machine cited above would take more than 5 years to crack it. Truly random passwords would also decrease the threat from hackers. But given human nature and users who struggle to remember long passwords, refuse to change passwords regularly, and frequently re-use passwords across accounts, neither longer nor truly random passwords seem likely to be embraced. In addition, adopting longer or random passwords could increase the frequency of password resets, which tend to make the overall system less secure[15].
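The keyspace arithmetic behind the figures above (94 characters, eight versus ten characters, the 5.5-hour machine), carried through as an added example that is not part of the report. It assumes the machine's guess rate is the one implied by exhausting the eight-character keyspace in 5.5 hours, and the 10,000-entry dictionary size is taken from the study cited earlier.

```python
# Added example (not the report's code): keyspace and worst-case crack time
# with the report's own numbers. Assumption: the GPU machine's rate is
# inferred from "any eight-character password in 5.5 hours".
PRINTABLE = 94                      # characters on a standard keyboard
EIGHT_CHAR_CRACK_SECONDS = 5.5 * 3600
COMMON_DICTIONARY = 10_000          # top passwords covering 98.1% of accounts

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def implied_guess_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds

def worst_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate."""
    return candidates / guesses_per_second

def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)

def length_gain_factor(alphabet_size: int, from_len: int, to_len: int) -> int:
    """How many times larger the keyspace becomes when the length grows."""
    return alphabet_size ** (to_len - from_len)

if __name__ == "__main__":
    rate = implied_guess_rate(PRINTABLE, 8, EIGHT_CHAR_CRACK_SECONDS)
    print(f"8-char keyspace: {keyspace(PRINTABLE, 8):,}")
    print(f"implied rate: {rate:,.0f} guesses/s")
    print(f"10 chars is {length_gain_factor(PRINTABLE, 8, 10):,}x larger")
    ten = worst_case_seconds(keyspace(PRINTABLE, 10), rate)
    print(f"10-char worst case: {seconds_to_years(ten):.1f} years")
    # Why dictionaries matter: the common list at the same rate is instant.
    print(f"10,000-word dictionary: {worst_case_seconds(COMMON_DICTIONARY, rate):.2e} s")
```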
Password-keeper accounts--single sign-on (SSO) accounts that hold several highly-secure passwords or provide access to multiple accounts--can improve adoption of long or random passwords. However, they also create a ‘honey pot’ problem: hackers will have a bigger incentive to target the password-keeper account[16].
What other solutions might work better?
Multi-factor authentication is a strong candidate. Instead of requiring only an account name and password to gain access, multiple identification factors would be required. Examples of additional factors include: a password sent to a user’s registered cell phone, a dongle that plugs into a USB slot, or a biometric feature such as a fingerprint or iris scan[17]. Multi-factor authentication could also be attached to something most users already carry around, such as a cell phone or credit or bank card. This approach combines factors that users already possess (knowledge, behavior, passwords, computers, phones and cards in wallets) with behaviors users already understand (tapping a credit card with an embedded NFC chip, entering a short passcode).
Each type of additional factor has weaknesses, but the idea is that, while a hacker might know your username and password, they are unlikely to also know your cell phone number or have a copy of your fingerprint. While it is possible to obtain someone’s cell phone or fingerprint, it makes cracking accounts far more difficult[18].
A number of technology and telecommunication companies will likely implement some form of multi-factor authentication with their services, software and/or devices in 2013[19]. There is likely to be a direct relationship between the value of the information being protected and the complexity of the authentication process: bank accounts would be more demanding than social media networks, which in turn would be more rigorous than a computer game.
Password vaults are likely to become more popular for managing multiple accounts and minimizing password re-use, but they will require strong multi-factor authentication.
Finally, organizations must establish better password security policies. Current rules regarding password expiration, minimum length, use of the full symbol set, and password resets are vulnerable and need to be strengthened. In addition, every organization should continually monitor its systems for hacking attempts, and be ready to respond.
[1] All standard keyboards have 47 symbol keys, or 94 with the shift button. Language doesn’t affect the number of keys, just which symbols those keys represent.
[2] 94 raised to the eighth power: 6,095,689,385,410,816.
[3] Source: The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information. University of Toronto, 10 October 2001. See: http://www.psych.utoronto.ca/users/peterson/psy430s2001/Miller%20GA%20Magical%20Seven%20Psych%20Review%201955.pdf
[4] Users tend not to select symbols that are easily confused: commas/periods, semicolons/colons, the two dashes, forward slash/back slash, the three quotation marks and the three sets of parentheses. That leaves the most common symbols as: !@#$%&?
[5] Source: 10,000 Top Passwords, Xato, 20 June 2011. See: http://xato.net/passwords/more-top-worst-passwords/
[6] Source: Lazy password reuse opens Brits to crook’s presentation, The Register, 20 July 2012. See: http://www.theregister.co.uk/2012/07/20/password_reuse_survey/
[7] Source: Passwords, Skull Security, 21 September 2011. See: http://www.skullsecurity.org/wiki/index.php/Passwords
[8] Source: New 25 GPU Monster Devours Passwords In Seconds, Security Ledger, 4 December 2012. See: http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/ The cost of the machine is a Deloitte Touche Tohmatsu Limited estimate.
[9] Source: Hackers crowdsource help to crack nearly 6.5 million leaked LinkedIn passwords, Computerworld, 6 June 2012. See: http://blogs.computerworld.com/20272/hackers_crowdsource_help_to_crack_nearly_6_5_million_leaked_linkedin_passwords
[10] Source: Smartphone Password Managers Not Secure, PC Magazine, 16 March 2012. See: http://securitywatch.pcmag.com/none/295400-elcomsoft-smartphone-password-managers-not-secure
[11] There are few published studies on this subject. Across about 30 test subjects, the Deloitte Touche Tohmatsu Limited (DTTL) TMT group set up a standardised test structure (same length password, same timing mechanism, same methodology, multiple attempts averaged). Everyone was fastest on the PC, but there were some whose touchscreen results were around nine seconds, while another group was much slower and took over 20 seconds using touch. This was purely an informal and unpublished attempt to provide some data on the difference between strong password entry on a full keyboard and a series of touch screens.
[12] Source: Safe Password Hashing, The PHP Group, 7 December 2012. See: http://php.net/manual/en/faq.passwords.php
[13] Source: RIM's BlackBerry 10 To Block Certain Passwords, Information Week, 5 December 2012. See: http://www.informationweek.com/security/mobile/rims-blackberry-10-to-block-certain-pass/240143824
[14] Source: Mum's maiden name not strong enough for password backup, IT PRO, 9 March 2010. See: http://www.itpro.co.uk/621235/mums-maiden-name-not-strong-enough-for-password-backup
[15] Source: Password Reset Mechanisms: The Online Security Threat Nobody’s Talking About, Daniel Miessler, 25 August 2009. See: http://danielmiessler.com/blog/password-reset-mechanisms-the-online-security-threat-nobodys-talking-about
[16] Source: Smartphone Password Keepers are Insecure, ElcomSoft, 2012. See: http://www.elcomsoft.com/PR/Keepers_WP.html
[17] The whole area of multi-factor (or two-factor) authentication is complex. There are regulatory definitions, limitations and many additional factors. The examples above are merely for illustrative purposes. An excellent summary: Two-factor Authentication, Wikipedia, 12 December 2012. See: http://en.wikipedia.org/wiki/Two-factor_authentication
[18] Source: German Hackers Publish Interior Minister’s Fingerprint to Protest Against Biometric IDs, GIZMODO, 30 March 2008. See: http://ca.gizmodo.com/373829/german-hackers-publish-interior-ministers-fingerprint-to-protest-against-biometric-ids
[19] Based on Deloitte Touche Tohmatsu Limited interviews with security experts and large companies.