Sep 12 2015
 

According to the latest advice from CESG: "Regular password changing harms rather than improves security, so avoid placing this burden on users."

Wrong!

(Thanks to xkcd.com).

Most of the advice given is eminently sensible, and indeed forcing password changes on a frequent basis does more harm than good – when forced to change their passwords every 30 days (yes really!), people will commonly resort to sanity and use passwords of the form: someword-${month} (such as "happy-July"). However the advice to never force password changes was obviously written by someone who is under the belief that staff accounts have a somewhat limited lifetime – people change jobs, etc.

There is still a great deal to be said for changing passwords less frequently – say every couple of years. Or even a random number of days between 730 and 1,095, which will help to randomise calls to the Helpdesk. Amongst other things :-

  1. The concept of a strong password changes over the decades; allowing account passwords to remain the same for the lifetime of a staff account will mean that a considerable number of staff accounts will have weak passwords.
  2. There is such a thing as "accidental shoulder surfing" whereby someone acquires knowledge of part of your password by merely being present when you enter it. Over time they can acquire more and more of your password. 
  3. Only changing an account password when there is a suspicion it has become compromised means that there is no mechanism to lock stealthy intruders out. Whatever kind of anomalous account behaviour detection mechanism you have in place, there is always the chance that a compromised account can remain below the radar; periodic password changes do lock this intruder out.
  4. Less directly, but forcing regular account password changes on an infrequent basis does have the side effect that it allows the education of people that passwords can be compromised.

Of course every security person who read the CESG advice on passwords probably thought "Great. Now who is going to educate the auditors?". 

Dec 03 2013
 

People like me keep banging on about why the security of passwords is so important. We keep telling people they need strong passwords, when what people really want are easy to remember passwords. Of course we keep on saying the same message because not everyone pays any attention.

The truth is that it is possible, or at least partially possible, to have passwords that are both strong and relatively easy to remember. But first, why is it necessary at all?

The sad fact is that there are criminals out there; not spotty teenagers in basements having some sort of weird fun, but genuine criminals who want your account details for a variety of reasons. Organised crime has moved on from bathtub gin, bank robberies, and drugs realising that (amongst other activities) computer crime can be quite profitable with a lower risk of being caught.

The most obvious accounts targeted by criminals are bank accounts – online access to your bank. Whilst they will target such accounts, criminals will also target the most innocuous accounts as well – your ISP account, or a work account. The lowest level of usage of a stolen account is to send spam; not in vast quantities but even several hundred spams sent in your name can really ruin your day.

And will continue to have a less obvious negative effect over time – your email address will be less trusted by recipients if it has ever been used by a spammer. And of course that is the damage I know of. The criminals may use your account for other purposes.

In fact it is probable that any stolen account has a small but definite value on underground markets such as the Silk Road (or deeper and darker places).

And that is excluding the damage that criminals can more directly cause you by access to all the data contained within your account.

How Do Criminals Get Your Password?

So how do criminals get hold of account passwords? It turns out there are three main methods, and one is only useful in certain circumstances (and happens to be the most technical and so the most interesting to geeks).

Just Ask!

It may seem crazy, but probably the easiest method of obtaining account details is simply to ask for those details! The question is normally dressed up to confuse the situation so that it appears to be a legitimate organisation asking for the password. An email from your bank asking you to login via a provided link; an email from your IT support department asking for your password to increase your mail quota.

The defense against this is to never tell anyone your password. Your password is a method of demonstrating that you are yourself; if you give it away, you let other people pretend to be you.

Don’t do it.

Just Guess!

Some people use passwords so weak that they can be guessed relatively easily – or at least easily when the password guessing is scaled up. If a criminal has a 0.001% chance of guessing a password, but they try 1,000 different accounts with 10 different passwords at 1,000 different sites per day, they can expect to get 100 accounts a day!

The best defense against this sort of attack (for an individual) is to make sure you do not have a weak password – go for one that is long and strong (we’ll get to that later).

Password Cracking

The last method of getting account passwords is only possible with access to the password hashes which normally involves exploiting some kind of vulnerability. Once access to those hashes is obtained, it is possible to use a password cracking dictionary to generate a list of candidate passwords and calculate the password hash for each one. When the hash for a candidate password matches the hash of a real account, you know what the password is.

It shouldn’t be possible for a criminal to get access to password hashes, but they do get access to them on a regrettably frequent basis. In addition, it is not uncommon for password cracking to be used as the ultimate test of whether a password is “strong enough” – if it can be cracked with a reasonable level of resources, it is weak.

The best defense against this kind of attack is again to use a long and strong password.

Long And Strong (And Memorable) Passwords

The best passwords are long and random, but very definitely not memorable – as an example, a typical random password might be Y2JkOGY3OTg0YzY1NGMyNTUxMmUzZDkyNDFhZTU2OWYgIC0K. Not the sort of password anyone would want to remember, although password stores such as LastPass allow the use of such passwords. Certainly worth investigating.

However it still needs a master password and there are other circumstances where passwords you have to remember are essential. In such cases memorable becomes a requirement, but we still need strong passwords.

For most of us, a memorable password is made up of dictionary words, yet we are often told that a word-based password (no matter how cleverly transformed it might be) is a weak password. It turns out to be correct for single word passwords, but multi-word passwords are still relatively strong. A lot weaker than truly random passwords of an equivalent length, but somewhat surprisingly a lot stronger than short truly random passwords.

The mathematics of this gets a bit hairy, so take it on trust – length is the most important factor in determining password strength with certain exceptions (a very long word isn’t strong no matter how long it is).

The XKCD Password strength comic

Stringing together a whole bunch of words may not seem the most sensible way to come up with a memorable password; in fact I’ve been using a five word password for many years, and at this point I can’t forget it! I would suggest though that the XKCD method can be strengthened a wee bit by adding a symbol between every word – pick a random symbol like “@”.

Now pick three to four “random” words, and string them together with your random symbol :-

${word 1}${symbol}${word 2}${symbol}${word 3}${symbol}${word 4}${symbol}

Becomes: four@blatter@pong@zoo@

One thing to watch out for – you should have at least one “unusual” word in the list of random words, and don’t have too many short words – the password trustno1 is a weak password!
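The mathematics skipped above, worked through as an added example (not code from the original post): it builds a passphrase in the word-plus-symbol scheme and compares its search space with a truly random password. The word list, the symbol set and the 7776-word list size are assumptions, and the estimate only holds if the words really are picked at random.

```python
import math
import secrets

# Constructed sample list (assumption): far too small for real use. A real
# list needs thousands of words, such as a 7776-word diceware list.
SAMPLE_WORDS = [
    "four", "blatter", "pong", "zoo", "harbour", "quilt", "magnet", "thistle",
    "orbit", "cactus", "lantern", "pebble", "walrus", "gravel", "tundra", "fiddle",
]
SYMBOLS = "@#%&*+=!?"  # nine candidate separators (assumption)
CHARSET = 96           # character set size used elsewhere on this page


def make_passphrase(words=SAMPLE_WORDS, n_words=4, symbols=SYMBOLS):
    """Return word+symbol repeated n_words times, e.g. four@blatter@pong@zoo@.

    secrets (not random) is used so the picks come from the OS CSPRNG.
    """
    if n_words < 1 or not words or not symbols:
        raise ValueError("need a word list, symbols and n_words >= 1")
    symbol = secrets.choice(symbols)
    return "".join(secrets.choice(words) + symbol for _ in range(n_words))


def passphrase_bits(list_size, n_words, n_symbols=len(SYMBOLS)):
    """Search space in bits, assuming the attacker knows the list and scheme."""
    return n_words * math.log2(list_size) + math.log2(n_symbols)


def random_password_bits(length, charset=CHARSET):
    """Search space in bits of a truly random password of `length` characters."""
    return length * math.log2(charset)


def equivalent_random_length(list_size, n_words):
    """Random-character length with the same search space as the passphrase."""
    return passphrase_bits(list_size, n_words) / math.log2(CHARSET)


if __name__ == "__main__":
    print(make_passphrase())
    for size in (len(SAMPLE_WORDS), 7776):
        for n in (3, 4, 5):
            print(f"{size:>5} words x {n}: {passphrase_bits(size, n):5.1f} bits, "
                  f"like {equivalent_random_length(size, n):4.1f} random characters")
```

With a 7776-word list, four words plus the symbol beat a truly random 8 character password; with the 16-word sample list the same four words are weaker than 3 random characters, so the size of the list matters as much as the number of words.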

Jun 06 2012
 

If you have not already heard about it, and you have a LinkedIn account, you should be aware that a large number of password hashes has been found in the wild. This means it is possible that hackers have the ability to crack your password and break into your account.

Change any LinkedIn account passwords now.

But there are still just a few unanswered questions :-

Why were the password hashes unsalted ?

Storing passwords in the clear is just about the most irresponsible thing a website operator can do, but storing passwords in hashed form without a so-called salt is also a clear indication that someone needs a slap and to be told to go the extra 10m. It has long been known (i.e. for decades) that using a simple password hash allows someone to find out what the original password was.

This is why the Unix system from the 1970s used a salt to make revealing passwords harder.

Technically a salt is a few extra bits of randomness mixed into the password hash calculation (and stored with the output) to make pre-computing the password hashes more expensive. It also obfuscates identical passwords.

So why weren’t LinkedIn salting their passwords? Couldn’t be bothered? Assumed that their systems were so secure that nobody could break in? Whatever the reason, it was not a good enough reason – allowing their site to be hacked is bad enough, but caring so little about the security of our data shows pure incompetence and arrogance.

Are We Sure These Password Hashes Belong To LinkedIn?

In a word: No. We assume they do, and there’s some evidence to support that assumption. Several bloggers (one) have posted indicating that they have checked and found that their own LinkedIn password hash can be found in the file.

So we can assume that these password hashes are from LinkedIn, and we should change our password if we have an account. Perhaps this is wrong and this huge list of password hashes is just some prankster’s idea of a fun day, but this is one of those cases where you assume it is real to be safe.

But There Are No Usernames. Aren’t We Safe?

I’ve come across at least one comment indicating that because the usernames aren’t associated, there isn’t anything to worry about.

It is true that the information as released is not especially helpful – if you cracked all the password hashes you still wouldn’t know if my password was #32768, #65536, or any of the others. But you could still use that information with the help of a botnet army and enough time to let the tools like Hydra do their work.

And we do not know that the person or group who obtained this information in the first place does not have access to further information. Even if all they had access to was a database table containing just the password hashes, they will almost certainly know the frequencies of every password.

So no, we’re not safe.

Only 6.5million? I Thought LinkedIn Had 150million Accounts?

Indeed! It does seem strange that there are only 6.5million password hashes in the released file.

But those who have had a chance to poke around in the released file (including myself) have found that there are no duplicate hashes. Which would be normal in a salted password hash file, but given how woeful most people are at picking good passwords you would expect a very large number of duplicates in 150 million password hashes. Whether you would get as few as 6.5 million unique password hashes seems a touch unlikely, but possible.

Of course it may be that the person or group who grabbed this password dump in the first place only managed a partial dump for some reason.
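To see why the missing salt matters and why duplicates are expected in an unsalted table, here is an added example (not from the original post, and not LinkedIn's code). The account list is constructed, SHA-1 stands in for a fast unsalted hash, and PBKDF2 with a 16-byte per-account salt is one assumed choice of salted scheme.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not taken from any real dump).
ACCOUNTS = [
    ("alice", "123456"), ("bob", "password"), ("carol", "123456"),
    ("dave", "four@blatter@pong@zoo@"), ("erin", "123456"), ("frank", "password"),
]
ITERATIONS = 100_000  # assumed work factor for the salted scheme


def unsalted_sha1(password):
    """Fast unsalted hash: identical passwords always give identical output."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Per-account random salt plus PBKDF2; returns (salt, digest) to store."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def compare(accounts=ACCOUNTS):
    """Count unique stored values and the biggest duplicate group per scheme."""
    unsalted = [unsalted_sha1(pw) for _, pw in accounts]
    salted = [salted_hash(pw) for _, pw in accounts]
    return {
        "accounts": len(accounts),
        # Duplicates collapse: this is how many rows a de-duplicated dump has.
        "unsalted_unique": len(set(unsalted)),
        # Password frequencies are readable straight off the hash column.
        "unsalted_top_count": Counter(unsalted).most_common(1)[0][1],
        # Every salted row is different, even for the same password.
        "salted_unique": len(set(salted)),
    }


if __name__ == "__main__":
    print(compare())
```

Six constructed accounts collapse to three unique unsalted hashes, which is the effect that would shrink a de-duplicated dump well below the number of accounts.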

But If The Original Leak Isn’t Fixed, Isn’t Changing Our Password A Waste Of Time?

It is certainly true that if LinkedIn hasn’t fixed their original problem, or has not implemented some form of remedial action, then it is possible that an attacker could break in with exactly the same method as they did before, and steal the passwords again. Which means we will probably have to change our passwords again – once LinkedIn finally gets around to announcing this has all been fixed.

But not changing your password now is foolish in the extreme – you should assume that the attacker(s) have your account details now.

Sep 18 2011
 

This blog entry is of the form of some working notes to help me get to grips with this area of security. Would welcome corrections!

There are two basic forms of password cracking :-

  1. Brute force cracking where every possible password combination is tried.
  2. Dictionary cracking where the password cracker uses a list of possible passwords to try … and optionally some algorithms for varying each word in the dictionary.

I’m more interested in brute force cracking for now, so I’ll just say a few words about dictionary cracking …

Password Hashes

Some people are under the mistaken impression that it is possible to protect against password cracking by preventing multiple login attempts – try to login more than 5 times in a minute, and the account is locked.

People trying to break into systems know about this of course, so they rarely if ever try it (the exception is multiple attempts against equipment that does not perform account lockouts). What they do is obtain the encrypted password in some way – grabbing the /etc/shadow file from a Unix system, dumping Windows password hashes, etc.

Once you have a password hash, or a number of password hashes, it is possible to attempt to crack the passwords. Not by trying to reverse the password encryption – that should be impossible, but by using the same algorithm for encrypting the password in the first place.

For instance if someone sets their password to “bad”, the password hash that gets stored in ActiveDirectory or in a Unix system’s /etc/shadow file may look something like “bae60998ffe4923b131e3d6e4c19993e” (actually it won’t but we’ll gloss over that detail for now). The password cracker starts encoding 1 character passwords, moving onto all possible 2 character passwords, 3, etc.

Eventually he or she finds one that matches that “hash” at which point they will have the account’s password.

Dictionary Cracking

Brute force password cracking has historically been thought of as too computationally intensive to try, so people resorted to restricting the number of passwords to search through by observing that most people use either simple words, or words made slightly more obscure through some method.

For example, the following are some passwords picked from a list of frequently found passwords (but before getting smug about your password being nowhere near as simple as this, you may want to check first) :-

  • password
  • letmein
  • xxxxxxxx
  • qwerty
  • 123456

In addition, people often take a simple word like “monday” and make it more complex by replacing certain letters with digits – l33t speak – so “monday” becomes “m0nday”. There is no point to this at all – it is one of the most common algorithms for supplementing a dictionary. Similarly adding digits to the end of a word, etc.

Brute Force Cracking

The option of brute force cracking is the process of going through every single password combination and trying each one in turn. This would seem to be a very slow process, but computers are becoming quicker and quicker. For example, with a GPU password cracker, my workstation can tackle around 380 million passwords a second … and it is not an especially quick GPU!

As to how fast password cracking could be today, it is hard to say … some of the more interesting hardware out there doesn’t come with benchmarks, and there’s some guesswork involved. But it is probably safe to say that nothing quite comes up to the 100 billion password attempts a second mark … yet.

It is relatively easy to calculate the number of possible passwords for any particular length … take the size of the character set used in the password, which can usually be assumed to be 96 (all ASCII without the control set) and raise to the power of the length of the password.

Length  Passwords       Time (380M/s)     Time (100 billion/s)
2       9216            <1s               <1s
3       884736          <1s               <1s
4       84934656        0.2s              <1s
5       8153726976      23s               <1s
6       782757789696    37m               8s
7       7.5E13          59h               12m
8       7.2E15          5725h             20h
9       6.9E17          62 years          1916h
10      6.6E19          6035 years        20 years
11      6.4E21          577,845 years     2028 years
12      6.1E23          55473145 years    193297 years

 

There are several points to learn from this table :-

  1. The number of passwords gets very large very quickly. But not quickly enough to keep up with password crackers.
  2. Any password of less than 7 characters is trivial to crack … even with relatively modest hardware.
  3. Any password of less than 9 characters is trivial to crack if you have access to a large network of machines to work with.
  4. If you want to be safe for another decade or so (and policies can last quite a while), you will probably want to pick 12 characters as the minimum password length.
  5. These are the times to search the whole password space … it is not necessary to search through every single possible password to find the password you are looking for. That password might be found in 1/10 of the maximum time, or 3/4 of the maximum time. As long as the person generating the password has not been spectacularly dumb, it will still take a significant proportion of the total time to find the password.

If you look at the different brute force password cracking software out there, it quickly becomes apparent that there are simplistic password crackers that attempt each password combination in turn, and there are more sophisticated password crackers that attempt to tackle the most likely password combinations first. They do this by looking at passwords consisting of words, parts of words, pronounceable sequences that could be words, etc.

However good they are, all they do is increase the likelihood of obtaining the password in less than the maximum time. And possibly not by very much; let’s be generous and suppose that an intelligent brute force password cracker can produce the password on average after processing 25% of the possible passwords rather than 50% of the possible passwords. So for example for a 10 character password, an intelligent brute force password grabber could be expected to find the password after 1,500 years rather than 3,000 years (with a worst case scenario of 6,000 years in either case) … helpful, but not enough to make password cracking practical for 10 character passwords.

Poor Passwords

Everyone is obsessed with telling everyone what makes a strong password, so there’s no need for me to do likewise. But here’s my thoughts on what makes a weak password :-

  • Contains a single word in any language however it may have been deformed.
  • Common sequences of digits (i.e. “31415926”) or letters (“qwerty”) … they are effectively the same as words and appear in dictionaries of words to try for dictionary attacks.
  • A word where letters have been changed into digits is no stronger than the password with the letters would have been – the classic “monday” -> “m0nday”.
  • Appending simple digits or symbols.
  • Anything short; an otherwise strong password is weak if it is too short (less than 10 characters; preferably 12).

In fact the list of what makes a password weak is so long that it’s always a good idea to test how strong your password is. Preferably with a hacking tool; and not with one of those web forms where they probably don’t test too well to avoid irritating potential customers.
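A minimal checker for the weak-password rules listed above, as an added example rather than anything from the original post. The dictionary, sequence list and substitution table are small constructed samples (assumptions); a real check would load large word lists and lists of leaked passwords, and it covers only the listed rules.

```python
import re

# Constructed samples (assumptions): a real check needs far larger lists.
DICTIONARY = {"monday", "password", "letmein", "welcome", "dragon"}
SEQUENCES = ("qwerty", "123456", "31415926", "abcdef", "asdfgh")
# Undo the usual letter-to-digit and letter-to-symbol swaps.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 10  # the threshold given above; 12 is preferred


def weaknesses(password):
    """Return the weak-password rules from the list above that apply."""
    lowered = password.lower()
    # Drop digits and symbols stuck on either end of a word.
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("short")
    if any(seq in lowered for seq in SEQUENCES):
        findings.append("common sequence")
    variants = (
        ("dictionary word", lowered),
        ("letters swapped for digits", lowered.translate(LEET)),
        ("word plus appended digits or symbols", stripped),
        ("swapped letters plus appended characters", stripped.translate(LEET)),
    )
    # Report the simplest transformation that lands on a dictionary word.
    for label, candidate in variants:
        if candidate in DICTIONARY:
            findings.append(label)
            break
    return findings


if __name__ == "__main__":
    for sample in ("monday", "m0nday", "Password2015!", "qwerty123456",
                   "31415926", "trustno1", "four@blatter@pong@zoo@"):
        print(f"{sample:24} {weaknesses(sample) or 'no listed weakness found'}")
```

An empty result only means none of these rules fired against these sample lists; it is not proof that a password is strong.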

Passwords Suck!

Ha! Yes you’re right … passwords are now a pretty poor way of demonstrating identity. However whilst there are many alternatives, none are universal so until someone comes up with a suitable replacement we are kind of stuck with them.

Jan 14 2009
 

But not writing them down is dumber.

Supposedly we are not supposed to write down passwords, but who can remember hundreds of passwords ? In the distant past where the advice to not write down passwords was first suggested most users would have had just a few passwords.

Gradually things became more IT-orientated, and users would start complaining about the number of passwords they had to remember.

And we made things simpler for them by coming up with single-sign on mechanisms. Which was the wrong thing to do. Yes it makes things easier, but now a single compromised password will open up many different systems.

And of course we have the web with zillions of web sites that insist that each are important enough to have a unique account for. More passwords to “remember”.

Trying to tell people not to write passwords down is in the end going to reduce security. Firstly users will use the same password in many places so that they have fewer passwords to remember, and secondly they will write those passwords down. Why not let them do it right ?

So how can passwords be written down securely ? Well the first possibility is to use a secure password store so that passwords are held in an encrypted form. The second is to write them down using a consistent system to encode the passwords in some way (for example adding 1 to every digit, and moving each letter down 1) and splitting the usernames and passwords into separate lists.

And of course encourage them to use different passwords in different places so that if one becomes compromised they will only have one site broken into.

But is it time to move on from passwords ?

We (as users) do not really want to enter passwords to use things. The login screen is an interruption in the flow of activities. We need something that will allow a distant server to establish our identity without a login screen. Preferably using something similar to Kerberos.

This will probably require an initial authentication process. Again the use of passwords should be avoided (except for critical services such as banking). Why not use some form of biometrics ?