Are your passwords as secure as you think?
Melissa Stevens 270005B76W MELISSAS@US.IBM.COM | | Tags:  xforce security password password-security ibm-security
0 Comments | 4,706 Visits
This post was written by Jason Kravitz,Techline Specialist for Tivoli Security Products at IBM.
Several high profile breaches so far this year have brought some much needed attention back around to the topic of password security. Odd that in the years since the World Wide Web was first founded, the username password paradigm remains relatively unchanged. Technologies, browsers, design and usability have all evolved exponentially, and yet the same authentication methodologies have persisted for nearly two decades.
In some ways, we are almost regressing in our ability to protect our private information online. Security questions based on public data, linked accounts which can be recovered through basic social engineering tricks, and password reuse have all served to further destabilize an already flawed system.
Attempts at educating users on proper password policy has been limited to a fuzzy stream of seemingly over complicated policies, oversimplified "rules", and increasing characters, symbols and numbers, without much consideration for the implications of a poor password choice.
Apathy and ignorance
One prevailing attitude is of general apathy towards preserving private data. So what if my account to the funny cat forum is hijacked, nobody cares what's on my computer, I barely use that social network. Yet many people don't consider that their cat forum password is the same as their webmail and their webmail is connected to an online shopping account where they have one click payment on file. Running up thousands of dollars in credit card charges due to a poor forum password is not something that anyone should need to experience.
The problems do not lie solely with the users. Recent breaches have also brought attention to the way that websites store that password. While they may be encrypted using some kind of password hashing function, they may not be as protected as previously believed. We have seen that some older widely used mathematical hash functions like MD5 and SHA-1 turn out to be very poor for protecting password information because they are very quick to calculate. This means that when a password database is leaked, attackers can take a list of millions of password hashes and using an off-the-shelf server, recover a huge percentage of the those passwords in plain text in a very short time.
"Best Practices" & technology have made cracking passwords even simpler
Note that in most cases, attackers are not attempting to guess password by logging into a website repeatedly, but rather take the list of leaked hashed passwords, and run a local program (there are several freely available tools) to attempt to recover the plain text. This process starts by using a source dictionary file that contains a huge number of known words, common phrases, and even passwords leaked from previous breaches. Given the high number of password reuse, it is often possible to recover a large number based solely on existing breached passwords. The software goes through the list of words, runs the same hash function on them that website developers use, and then compare to see if it matches one of the leaked hashes. Given the power of multi-core computers, particularly using the Graphic Processing Units (GPU) found on consumer grade video cards, this can be done at speeds of billions of guesses per second.
Consider that there are 57 billion possible combinations of a six character password made up of upper-case or lower-case letters plus numbers. With today's hardware, it is possible to guess every combination in under a minute.
These recovery tools can also be configured to guess common password rules. These are the same tricks that were once advised as best practices not so long ago. Replace the letter I with a 1, O with a zero, capitalize the first letter and put a number at the end. All of these simple rules make the attackers job much easier as they can reduce the number of possibilities by applying some basic logic. Even longer multi-word passwords that consist of common phrases like song titles, cliches, or quotes are likely to be easily guessed.
Read more in the IBM X-Force Mid-year Trend and Risk Report
In the latest X-Force Trend and Risk report, we take a look at some password security best practices, both from the perspective of the user, and for website developers. We explore how attackers are using leaked passwords, how developers can improve the security of their stored passwords, and other practical tips for increased protection. Download your copy today and read all about it.