February 1, 2013

Password Security

Passwords are the de-facto method of user authentication for consumer web services. They are used to protect emails, social profiles, bank accounts, and more. The many combinations of usernames and passwords are the increasingly important keys to people’s online identities. Ubiquity, however, does not imply security. Though passwords have the potential to be a very secure form of authentication, much responsibility is given to the end user.

How are users doing?

Although most users are aware of the risk of a compromised password, the difficulty of password management and ignorance of what makes a complex password result in the majority of users engaging in insecure practices. The following are the most common issues; they are likely to be familiar:

What are the risks of these practices?

Low Entropy:

Low-entropy passwords increase the risk of exposure from offline cracking. Web services store (or should store) passwords in a cryptographically secure format, such as salted SHA hashes. If your password is sufficiently complex and random, it should be safe even if an attacker is able to compromise the web service’s database. Most passwords, however, are not. In recent breaches, hackers have been able to crack 80% of the passwords within the first day and 90% within the first week.

The sheer number of passwords that have been leaked in the last few years has allowed crackers to increase their effectiveness with statistical analysis. Common structural tendencies have been identified, such as:

  1. The most common words/phrases
  2. If a capital is used it is likely to be the first character
  3. If a special character is used it is likely to be at the end
    1. The most common special character is ‘!’
  4. The most common replacements have been identified, such as ‘a -> @’, ‘e -> 3’, ‘I -> 1’, etc.

This increased understanding of common password structure has directly benefited cracking tools with transformations and improved dictionaries. The effective entropy of most non-random passwords has been significantly reduced because of these developments.

The use of random passwords, however, comes with the downside that they are much more difficult for humans to remember; ‘kaLsdh&s!d’ is much more difficult to remember than ‘Massive1’. This increases the occurrence of the other two most common insecure password practices: re-use and insecure storage.
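The following added example, which is not code from the original post, checks a candidate password against the structural tendencies listed above, the way a service could at sign-up. The word list is a constructed sample, the function names are hypothetical, and only the three substitutions named in the post are undone.

```python
import re

# The three substitutions named in the post: 'a -> @', 'e -> 3', 'I -> 1'.
SUBSTITUTIONS = str.maketrans({"@": "a", "3": "e", "1": "i"})

# Constructed sample list (assumption); a real check would load a large
# dictionary of common words and previously leaked passwords.
COMMON_WORDS = {"massive", "password", "welcome", "dragon"}


def base_word(password, words=COMMON_WORDS):
    """Return (word, substituted) for the common word a password is built on."""
    suffix = re.search(r"[^A-Za-z]*$", password).group()
    # Drop 0..len(suffix) trailing digits/symbols, then undo substitutions.
    for drop in range(len(suffix) + 1):
        stem = password[: len(password) - drop].lower()
        plain = stem.translate(SUBSTITUTIONS)
        if plain in words:
            return plain, plain != stem
    return None, False


def structural_findings(password, words=COMMON_WORDS):
    """Name each predictable structure from the list that the password follows."""
    findings = []
    word, substituted = base_word(password, words)
    if word:
        findings.append("common-word")
    if substituted:
        findings.append("common-substitution")
    if password[:1].isupper() and password[1:] == password[1:].lower():
        findings.append("capital-first-only")
    if re.fullmatch(r"[A-Za-z0-9]+[^A-Za-z0-9]+", password):
        findings.append("special-at-end")
    if password.endswith("!"):
        findings.append("trailing-!")
    return findings


def should_reject(password, words=COMMON_WORDS):
    """Policy choice (assumption): refuse anything built on a common word."""
    return base_word(password, words)[0] is not None


if __name__ == "__main__":
    for pw in ("Massive1", "P@ssword!", "Dragon!", "kaLsdh&s!d"):
        print(pw, structural_findings(pw), should_reject(pw))
```

Only the common-word finding drives rejection here, because a randomly generated password can begin with a capital or end in a symbol by chance.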


Re-use:

Repeatedly using the same username and password combination allows the compromise of one account to trivially become the compromise of many accounts. The impact and exposure are multiplied with each account created with the same password. Re-securing one’s online identity also becomes more difficult, as many compromised accounts must now be reclaimed; one could easily be forgotten.

Insecure Storage:

The use of more complex passwords has the downside that they are much more difficult for humans to remember. As such, these passwords tend to be written down on post-its, saved in plain text in unprotected folders, or stored unencrypted in web browsers such as Firefox.

Tevora and Massive Labs have encountered many enterprise environments where plaintext passwords are stored on public SMB shares, in some cases SQL database credentials! The use of a complex password is not enough; it must also be properly managed.

Is there a solution?

Companies like Google and Facebook are looking to the future with single sign-on and biometric solutions to replace the library of usernames/passwords users currently must manage; in the near term, however, the solution to both the complexity and management problems is already available from a handful of password management suites, both free and commercial. These will take care of both generating secure passwords and storing these passwords in a secure format. Another blog post may thoroughly cover the currently available solutions.

There are some things service providers and administrators can do to enhance security for end users:

– If you are running a web service, enforce complex passwords to reduce your exposure

– If you are managing users in an enterprise, deploy an identity management or single sign-on solution

Until a replacement for password authentication becomes ubiquitous, end users will be the ones ultimately responsible for their own security.