Scorpion Software Blog

Breaches in password security are nothing new. Since the invention of the Internet, and the desire to keep private information completely safeguarded, hackers and cyber criminals have long worked hard at tearing down the barriers of Internet security to gain access to valuable data, including the harvest of personal information, banking numbers and other pertinent files.

When the Internet became an effective tool to control personal information, passwords were developed to be used in combination with the online user’s ID. This first line of defense single factor authentication tool worked well simply because of the limited population that was using online sites for such matters.

When the banking world, and other financial institutions, started taking to the Internet by providing tools to assist their customers in doing business with them online, it became obvious that single factor authentication was not going to work. Quickly, two factor authentication tools began to evolve. Along with that, simple passwords were let go in place of passphrases, because stronger phrases appeared to be harder to crack. The results of simple two factor authentication tools did not work well either.

The public soon became aware that they needed to encrypt their information before sending it over the Internet. An additional transport layer of encryption, such as SSL, was added to the process. In time that too was recognized to have limitations at safeguarding the public from hackers that were to illegally gain access into personal and business accounts.

 

An Ineffective Encryption Method

Today, one-way hashing algorithms are used by a large variety of websites as a way to safeguard its store passwords. Typically, this is accomplished by having the user input a password to the website. The site then computes a cryptographic hash to the password and will then store the information in some type of database. The next time the user provides their login credentials, the site will automatically compute the hash and use the results to compare the information with the data already stored. As long as no one can gain access to the password hashes, this system can work well, although with limitations.

One such limitation is that without a safeguard in place, all users that have the same password will also have stored the same hash value. This result allows hackers to develop huge databases filled with passwords that are already hashed, and compare all the information. Using GPU’s (graphic processing units) they can accelerate the process of their comparison for better hash cracking results, making encryption ineffective.

 

Complex Passwords

The limitation of too many websites that require a setup of a password with the user ID is that they simply do not offer the ability to set a strong password. Already proven to be an ineffective process, these sites force their users to select a series of alphanumeric choices that has at least one uppercase letter, one special character and at least one number. While this may seem like a complex password that is impenetrable, the user might simply type in “!234E”, which is hardly an impassable barrier.

 

A Hacker Strategy

Based on the password set up limitations of the website, hackers can develop strategies based specifically on that site’s policy that focuses on the limitations. Once the conditions are met, the hacker can develop a dictionary or list that will contain only the passwords that follow the guidelines set by the website. The next step of the strategy is to determine the shortest length of the password used by the majority of website users.

Next, the hacker will build into the list all the phrases and passwords that are the most common to the targeted users. In the end, a hacker strategy can be very successful at breaching the protective password wall and gain instant access into the account. Even worse, they will have access to every account the individual has, where they use the same password (because that method is so easy for the user to remember).

 

The Ineffectiveness of Passwords

In the end, if the hacker has the ability to develop an effective password cracking strategy using the best hardware and software, the complexity of a password or passphrase hardly matters. What will matter will be the overall length of the password. While it may not make it impenetrable, it will take significantly more time to crack it. Therefore, websites that only allow a specific limit to the length of the password have already eliminated one of the best protections the individual has in safeguarding their information.

 

What to Do

For any business or individual that is concerned about maintaining high levels of security on their information, there are only a few things that work. They can use proven security architecture, quality assurance programs, and an effective password strategy, all working in unison. By implementing an effective resilient security architecture combined with quality assurance and a longer, more complicated password, users can increase their chances of being safeguarded against brute-forced cracking.

Nothing is more annoying than to be required to change your password on a very regular basis. This type of logic harkens back to the days when all of our user ID password information was stored on UNIX systems in a plain text file. Today, we have a better understanding of exactly how passwords can remain secure. It is now known that this old adage of continually making updated changes on our passwords tends to decrease the level of security for a variety of reasons.

These reasons include:

• The Human Condition – When individuals are forced to make changes to their password, they tend to develop ineffective or lousy passwords that are based on how easy the word or phrase is to remember.

• The Predictability – Being forced to perform some security-related tasks on a predictable, regular basis every month or quarter provides the perfect gift to a hacker, attacker or cyber-criminal.

The Path of Least Resistance

Users are rarely intentionally lazy. However, most users will not give a second thought to adhering to the absolute minimum password standards. After all, why spend five or ten minutes constructing a password that they'll only get to keep for 30 days. The results are creations like p@ssw0rd01, then p@ssw0rd02. If someone cracks a password like "p@ssw0rd09" in the month of September, I'm pretty sure they'll have October's password too.

Hackers like Predictability

Predictability is known to be a gift to a cyber-criminal. They base their entire account hacking strategies around the understanding of human predictability. Hackers know that in time the user will grow tired of always having to change his or her password, and will fall back onto the simplicity of some kind of pattern. Also, the more passwords a user has to create, the more likely they are to use words they shouldn't like "dragon", "12345", or "michael". Malicious users will also learn their window to act upon stolen credentials, if they can figure out when they were last changed.

Solutions

When it comes down to it, there doesn't seem to be a "perfect" solution here. We usually recommend a middle ground for most average security-level passwords. Allow the users to keep their passwords longer, but require a much higher standard for them. Instead of having a six or eight character minimum password that must be changed monthly, perhaps give them 90 days, but require an extra four characters in exchange.

If increasing password length is simply not an option, it could be time to look at deploying a two-factor authentication system. Our friends over at Yubico have developed a piece of hardware that brings two factor authentication down to one button press.

 

Since the beginning of time – at least on the Internet – the role of passwords served as an important tool to prevent unauthorized access to information the same way a key is used to prevent access into an apartment or home. Once considered the ultimate safeguard, a password was secured with the same level of protective care that a key was for a house.

However, it quickly became apparent that if someone wants to enter your home without a key, an average size rock thrown through the glass window was all that was necessary. Likewise, passwords have been found to be an effective way to keep people away that never wanted access to your online account in the first place. It never offered anything more.

Alternative Passwords

With that realization, alternative methods for creating “heavy-duty” passwords were developed. Some of the alternatives included passwords that contained multiple words or a group of three or four words clumped together that had no relational value to one another. However, security managers quickly realized the ineffectiveness of that strategy. Either the collection of non-associated words were too easy to guess, too difficult to remember, or not random enough. Many of these heavy-duty passwords used common substitutions, numerical characters, and even punctuation, often ending up in a garbled mess. Quickly, the gibberish of a complicated password proved to be difficult to penetrate into the account, especially by the one who needed to memorize it to gain access into the account they owned.

Using Passphrases

Attempting to avoid a reiterated thought, a brilliant idea was hatched of using pass-phrases instead of passwords. The end result proved to be highly effective, if the right method of selecting phrases was used. Studies were done on the most common phrasing in the English language. With over 20,000 of those most common phrases determined, the researchers were able to get past many difficult passphrases, and into accounts well over 8000 times, simply by using the 20,000 phrases as their “guesses”.
However, it must be stated that by using sentences from a book, a title out of a magazine or something self-written can be much harder to crack than many of the common passwords today, even if you do not use any special characters. After much analysis, it was determined that using a passphrase was significantly better at safeguarding accounts as compared to passwords. An effective passphrase was able to repel many brute-force attacks against the account versus the traditional mixture of alphanumeric gibberish, with or without special characters.

The Effectiveness of a Passphrase, or Not

It turns out that the stalwart barrier that is built when individuals create passphrases is not a technical one, but simply the understanding that using a short one-word password is most likely much simpler to type in the longer passphrase.
It can be said that the glimmer of hope of using paraphrases has its boundaries. When left to laziness, many users have the tendency to pick phrases that are plucked directly out of our everyday traditional lexicon to use as a passphrase. The results can often be disastrous, hearkening back to the days when a simple one-word password was all that stood between the secured account holder’s information and a hacker.

The Beauty of Disorder

Researchers understand the process of entropy. The idea was developed around the concept that natural tendencies that are formulated from order tend to transform into disorder when placed in isolated systems. Extending that to this problem, individuals looking for secured phrases to safeguard their accounts appear to be incapable of coming up with completely random words and instead rely on the natural flow of language (natural predictable order) to develop their barriers. In the end, they do little to safeguard their account.
The end result is often nothing more than weak phrasing of natural, traditional language that seems highly insufficient to guard against any online or off-line attack. What would be better is to work from disorder because the process is unpredictable to know where the next action will lead. Selecting an odd phrase to use as a passphrase to guard against an account would be significantly better than choosing a well ordered lexicon-driven phrase that is known by all.

Selecting a Paraphrase

The best way to select a passphrase requires not one of the following, but all. They include:

• Length – To be effective, the passphrase needs to be long enough that it is very challenging to guess.
• Familiarity – Never use a famous quotation from holy books, literature, pop culture, or familiar sayings.
• Guess-Ability – The ability for another individual to guess by intuition can be deadly when you are attempting to safeguard your online account. Make your passphrase difficult to guess.
• Recall – To gain access to your account, you need to remember your own passphrase. Make it easy to recall.
• Encoding – It is essential to encode your passphrase to make it more challenging to penetrate.
• Uniqueness – If you have more than one website, application, or service, never, ever, reuse a passphrase between sites.

 

As a business owner, you may understand the importance of a strong, complex password. However, your employees might not. Hackers often look for patterns based on human behavior, especially those that involve the inability to recollect. Many employees tend to set up passwords that are easily identifiable, and based on part of their own name, the names of their children, birth dates, or their favorite activity.

Reusable Passwords

The other pitfall where your employees most likely fail is in using the same password to gain access to multiple accounts. While it is certainly okay to use a complex password on a single site, crossing over and using the identical one on additional sites can cause great harm to both the employee and the business owner.

Employees often reusable passwords on their trivial sites like Twitter, or Facebook. However, if a hacker is successful in harvesting the password on an employee’s simple, trivial account, they might gain immediate access to non-trivial sites including the employee’s bank accounts, PayPal account, or work assets up to and including full remote access as the user. It is imperative to not use any password on multiple accounts, no matter how easy they are to remember.

Password Size

The size or length of the password is critical to ensure it is not easily cracked. Many hackers, cyber criminals and online attackers use algorithmic software programs that can generate millions of password possibilities.

Using traditional brute-force techniques, hackers recover simple four-character or six-character passwords near instantly. Individuals that develop passwords of eight characters or more can slightly slow down a hacker’s abilities, while twelve characters take an even longer time. The ultimate password might be generated using a complex phrase of at least 25 to 30 characters in length.

Password Variety

Encourage your employees to sample from all four standard character sets in every password. With 26 uppercase characters, 26 lowercase characters, 10 digits and a huge supply of special characters there are combinations of many millions of possibilities when generating a unique passphrase. Extending simple passwords out to 26 or 30 characters in length, there are literally trillions of possibilities, or a nearly impossible task to attempt to figure out how to gain access into an account.

Protect Yourself

As much as you can, discourage employees from using poor passwords. However, there is nothing you can do to physically prevent an employee from reusing their complex work password for their Facebook account.

Adding an additional layer of authentication is the best way to ensure you have created a much stronger barrier to anyone wishing to improperly enter your network. With a good two factor authentication system, even if a malicious person has a valid password their access is denied. The employee simply adds a short one-time password to gain access into their account.

Believe it or not, the most common password turns out to be the word “password”. Ranked #2 is “123456”. It does not take too much rational thinking to understand that individuals that use these types of passwords are simply asking for problems.

When hackers want to make their way into an online account, they use huge lists of known passwords, because they understand basic human nature. Even though an individual might not leave their car or house keys out in the open for someone to take, using a simple, common password is no different than offering a thief exactly what they wish to steal.

Although online users might believe they are clever in using a simple password, hackers can easily enter accounts and websites through the simplicity of easy-to-guess words, phrases and alphanumeric structuring. Some of the most commonly used passwords include “monkey”, “letmein” and “trustno1” (a tipping of the hat to the familiar expression from The X-Files – “Trust No One”).

An Individual and Business Problem

Even large companies have to deal with hackers making their way into their websites and accounts. Banks have had to deal with the problem. Large online merchandise websites and even Wall Street have all been hacked in recent years. While these large companies seem to be so prone to hacking, gaining access into an individual user’s account often goes unnoticed. Typically, large company’s hacking issues become public and often garner worldwide attention, while the individual can have their financial world quickly collapse, or have their personal information stolen, all out of the public eye.

A Governmental and Business Problem

To make matters worse, many federal, state and local government employees and management will use simplistic passwords for their government business accounts. This can provide an increased threat to many governmental agencies. These agencies, along with many large utility companies, water companies and other industries that affect every citizen in the nation, reuse identical passwords across their IT platforms, which allow hackers and cyber criminals complete access into the individual’s entire structure online.

Multi-Factor Authentication

The sure way of improving this situation is to use multi-factor authentication as a way to protect the individual or business’ non-trivial assets. However, even this has its challenges. Although an added layer of authentication does provide extra level of safeguarding, it can only be effective if the default administration password is not used, and any "backdoor" passwords are not easily guessable. That could allow a hacker, attacker or cybercriminal instant easy access through the perimeter-, application- or network-level security controls.

Weak authentication mechanisms have been known to cause a breach in a variety of systems including the payment processing industry. When these passwords are bypassed, cardholder data can be exposed to those who would abuse or sell the information. The exploitation of weak passwords has become a severe endemic issue in both the hospitality and retail industries, leaving consumer’s information exposed to anyone having online access.

With today’s availability and portability of two factor authentication systems, there is simply no more excuse for relying on simple passwords. A simple or short phrase password has too many significant weaknesses, including the human factor.