'Strong' Passwords May Not Be All They're Cracked Up to Be
Conventional wisdom still treats passwords like a first line of defense when, in fact, in todays security environment, passwords should really be the last line of defense.
A recent headline in a major news outlet announced, Please do not change your password because, as the sub-head teased, its a waste of your time. The paper cited in the story is the latest salvo questioning a certain orthodoxy about computer securitythat strong, cryptic passwords are the keystone to personal security online. This oft-repeated advice may be at best, outdated, and at worst, counterproductive, potentially exposing users to more risk rather than less.
When creating accounts, users are often told to choose strong passwordsmeaning that they are of sufficient length (often longer than 6 characters) and include a combination of characters that do not resemble simple words. The premise, of course, is that these passwords will be difficult for a hacker to guess. Weve all seen the crucial scene in a movie where the evil hacker logs onto a victims computer and, using only their wit, guesses the correct password. But like most events in movies, this hardly ever happens in real life.
In todays Internet age, hackers dont need to blindly guess at users passwords because it is much easier to steal them. Take phishing attacks, for example. An April 2010 study by Symantec found that 17% of all spam messages are phishing attempts, wherein the user is lured into visiting a decoy site which imitates a site they would normally trustlike eBay, Paypal, or their bank. The unwitting user attempts to log in to the decoy site by providing their credentials and voila, theyve just handed their password over to the hackers.
Last year, Microsofts Hotmail service lost several thousand user passwords in just this way. Earlier this year, Twitter required many users to change their passwords after widespread phishing fraud. And as reported right here on eSecurityPlanet in April, phishing attacks against eBay collected over 5,000 user passwords.
From the hackers point of view, phishing is far more effective than password guessing. After all, it makes no difference how strong your password is if you are tricked into giving it away. Just imagine how long it would have taken hackers to simply guess the tens of thousands of passwords revealed in just these three attacks.
More pernicious than even phishing are keyloggers, which often wind up on compromised PCs by way of malware infections. There are dozens of keylogger programs which can record every keystroke a user makes. Often installed without the users knowledge, these keyloggers can then phone home and send the recorded data to the hackers servers, where it can be analyzed for logins and passwords. Again, like phishing attacks, password strength is no defense at all against keyloggers.
Strong passwords are also commonly recommended as a defense against so-called brute force or dictionary attacks. In this sort of attack, the hacker is not trying to take an educated guess at the victims password. Instead, he or she is using software to try millions of permutations of common words and numbers, hoping to get a successful hit. Theoretically, a difficult password will take longer for a software algorithm to unlock because it will have to go through more permutations to hit upon itbut how much longer? Computers are so fast these days, and brute force attacks can be run over sophisticated distributed networks, meaning that almost no password is safe against a thorough brute force attack.
The best defense against brute force attacks may not be the password itself, but how the server storing it is configured. In a paper ("Do Strong Web Passwords Accomplish Anything?), Microsoft researchers argue that on the Web, servers should be designed with sensible lockout policies. Some sites do this alreadyif you fail to login three times, your account is temporarily disabled. This is not quite the recommended strategy because it can unfairly punish users who are legitimately trying to recall their password. Better still, a lockout policy based on a ratiosay, ten failed logins per hourwould provide a more generous window for legitimate users yet still block massive brute force attacks. Unless the attacker can attempt thousands of logins per hour, they have little chance of success.
A variation of the brute force attack is known as the offline attack. In this case, the hacker somehow obtains password data from the server and runs brute force software against it in the privacy of their own lair. Clearly, the best defense against an offline attack is to run a secure server that is not vulnerable to being data-harvested by hackers. Better still is to store passwords in a format that is extremely resistant to brute force decryptiona preferred algorithm combines a randomly-generated salt with a hash key. Such a password cannot be decrypted, and generating a successful brute force attack against it could take months, if not years, of computing time, a certain turnoff to hackers.
When users are encouraged or required to create passwords that are very difficult to remember, they are apt to store them somewhere. This is how strong passwords can actually undermine securitya strong password stored in an unsecure location could be stolen. As weve seen, stolen passwords are the far more common means of unauthorized access than passwords being guessed.
To be fair, the conclusion to be drawn from reconsidering password security is probably not that strong passwords are entirely worthless. The problem is that our conventional wisdom still treats passwords like a first line of defense when, in fact, in todays security environment, passwords should really be a last line of defense.