A recent headline in a major news outlet announced, “Please do not change your password” because, as the sub-head teased, “it’s a waste of your time.” The paper cited in the story is the latest salvo questioning a certain orthodoxy about computer security—that strong, cryptic passwords are the keystone to personal security online. This oft-repeated advice may be, at best, outdated and, at worst, counterproductive, potentially exposing users to more risk rather than less.
When creating accounts, users are often told to choose “strong” passwords—meaning that they are of sufficient length (often longer than 6 characters) and include a combination of characters that do not resemble simple words. The premise, of course, is that these passwords will be difficult for a hacker to guess. We’ve all seen the crucial scene in a movie where the evil hacker logs onto a victim’s computer and, using only their wit, guesses the correct password. But like most events in movies, this hardly ever happens in real life.
In today’s Internet age, hackers don’t need to blindly guess at users’ passwords because it is much easier to steal them. Take phishing attacks, for example. An April 2010 study by Symantec found that 17% of all spam messages are phishing attempts, wherein the user is lured into visiting a decoy site which imitates a site they would normally trust—like eBay, Paypal, or their bank. The unwitting user attempts to log in to the decoy site by providing their credentials and voila, they’ve just handed their password over to the hackers.
Last year, Microsoft’s Hotmail service lost several thousand user passwords in just this way. Earlier this year, Twitter required many users to change their passwords after widespread phishing fraud. And as reported right here on eSecurityPlanet in April, phishing attacks against eBay collected over 5,000 user passwords.
From the hackers’ point of view, phishing is far more effective than password guessing. After all, it makes no difference how “strong” your password is if you are tricked into giving it away. Just imagine how long it would have taken hackers to simply guess the tens of thousands of passwords revealed in just these three attacks.
More pernicious than even phishing are keyloggers, which often wind up on compromised PCs by way of malware infections. There are dozens of keylogger programs which can record every keystroke a user makes. Often installed without the user’s knowledge, these keyloggers can then “phone home” and send the recorded data to the hackers’ servers, where it can be analyzed for logins and passwords. Again, as with phishing attacks, password strength is no defense at all against keyloggers.
Strong passwords are also commonly recommended as a defense against so-called “brute force” or “dictionary” attacks. In this sort of attack, the hacker is not trying to take an educated guess at the victim’s password. Instead, he or she is using software to try millions of permutations of common words and numbers, hoping to get a successful hit. Theoretically, a “difficult” password will take longer for a software algorithm to unlock because it will have to go through more permutations to hit upon it—but how much longer? Computers are so fast these days, and brute force attacks can be run over sophisticated distributed networks, meaning that almost no password is safe against a thorough brute force attack.
The best defense against brute force attacks may not be the password itself, but how the server storing it is configured. In a paper (“Do Strong Web Passwords Accomplish Anything?”), Microsoft researchers argue that on the Web, servers should be designed with sensible lockout policies. Some sites do this already—if you fail to login three times, your account is temporarily disabled. This is not quite the recommended strategy because it can unfairly punish users who are legitimately trying to recall their password. Better still, a lockout policy based on a ratio—say, ten failed logins per hour—would provide a more generous window for legitimate users yet still block massive brute force attacks. Unless the attacker can attempt thousands of logins per hour, they have little chance of success.
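The ratio-based lockout described above (ten failed logins per hour) is easy to implement server-side with a sliding window of failure timestamps per account. The following is an added example, not code from the article or the Microsoft paper; the account names, the explicit `now` clock argument, and the `attempt_login` wrapper are assumptions made so the policy can be exercised deterministically.

```python
"""Rate-based lockout: block an account once it exceeds N failed logins per window.

Added example illustrating the article's "ten failed logins per hour" policy.
Timestamps are passed in explicitly (seconds) so the behaviour is reproducible;
a real server would pass time.time().
"""
from collections import defaultdict, deque
from typing import Deque, Dict

MAX_FAILURES = 10       # the article's example policy: ten failures ...
WINDOW_SECONDS = 3600   # ... per hour


class FailureRateLimiter:
    """Per-account sliding window of failed-login timestamps."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: int = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, account: str, now: float) -> Deque[float]:
        """Drop failures that have aged out of the window; return the live queue."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_locked(self, account: str, now: float) -> bool:
        return len(self._prune(account, now)) >= self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._prune(account, now).append(now)

    def record_success(self, account: str) -> None:
        # A correct login clears the account's failure history.
        self._failures.pop(account, None)


def attempt_login(limiter: FailureRateLimiter, account: str, password_ok: bool, now: float) -> str:
    """Apply the lockout check before the credential check.

    Returns 'locked', 'ok' or 'failed'. The lockout check comes first so a
    blocked account never reveals whether the guess was correct.
    """
    if limiter.is_locked(account, now):
        return "locked"
    if password_ok:
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account, now)
    return "failed"


def demo() -> dict:
    """Constructed scenario: a fumbling legitimate user and an online guessing tool."""
    lim = FailureRateLimiter()
    # alice mistypes three times within a minute, then logs in: never locked.
    alice = [attempt_login(lim, "alice", False, t) for t in (0, 20, 40)]
    alice.append(attempt_login(lim, "alice", True, 60))
    # 200 wrong guesses against bob, one every 3 seconds: only 10 are even evaluated.
    bob = [attempt_login(lim, "bob", False, 3 * i) for i in range(200)]
    # An hour after the tenth failure the window has rolled over; bob's real login works.
    bob_later = attempt_login(lim, "bob", True, 27 + WINDOW_SECONDS)
    return {
        "alice": alice,
        "bob_failed": bob.count("failed"),
        "bob_locked": bob.count("locked"),
        "bob_later": bob_later,
    }


if __name__ == "__main__":
    print(demo())
```

Blocked attempts are deliberately not recorded as failures, so the lockout expires one window after the tenth failure instead of being extended indefinitely by a tool that keeps hammering the account; whether that is the right trade-off depends on how much you value availability for the legitimate owner.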
A variation of the brute force attack is known as the offline attack. In this case, the hacker somehow obtains password data from the server and runs brute force software against it in the privacy of their own lair. Clearly, the best defense against an offline attack is to run a secure server that is not vulnerable to being data-harvested by hackers. Better still is to store passwords in a format that is extremely resistant to brute force cracking—a preferred approach combines a randomly generated salt with a cryptographic hash. Such a password cannot be decrypted, and a successful brute force attack against it could take months, if not years, of computing time, a certain turnoff to hackers.
When users are encouraged or required to create passwords that are very difficult to remember, they are apt to store them somewhere. This is how strong passwords can actually undermine security—a strong password stored in an insecure location could be stolen. As we’ve seen, stolen passwords are a far more common means of unauthorized access than guessed ones.
To be fair, the conclusion to be drawn from reconsidering password security is probably not that strong passwords are entirely worthless. The problem is that our conventional wisdom still treats passwords like a first line of defense when, in fact, in today’s security environment, passwords should really be a last line of defense.