A sobering bucket of cold water was recently dumped on our faith in passwords. You see, some unsuspecting celebrities had their cloud storage accounts hacked, and insecure passwords were part of the reason for such a scandalous breach of security.
Authentication methods using technology like biometric scanners and smartcards are on the rise, but user credentials like usernames and passwords still remain the easiest and most cost-efficient option. The username is usually known and not particularly secret, while the password is; that secrecy is what makes a password secure or not. To improve IT planning, we look at some tips for better password use.
How to store a password
When storing a password in a database alongside the username, the password should not be directly readable in plain text. Authentication works by comparing the password supplied to the password already stored. If they match, access is granted. The Information Commissioner’s Office (ICO) suggests there are various ways of storing passwords in an illegible form with varying degrees of effectiveness i.e. encrypting, hashing and salting:
- Encrypting a password is okay. If a password has been encrypted, you’ll need a key to decrypt it in order to do the comparison. However, that key will have to be stored and managed securely for each password, which adds an additional layer of risk to your IT management.
- Hashing is preferable. It converts a password of any length into a fixed-length, gobbledygook-like string. The only way of determining the original password is to compare the “hashed” password (or hash) against a list of other hashed strings that correlate with known plain text.
- Salting adds flavour. It adds another dimension to a password by storing a second value, unique to each user, in plain text alongside the hashed password; it is usually used together with hashing. The hashed password is then generated from the original plain-text password joined with the salt characters. So during authentication, the supplied password is hashed with the stored salt and the result is compared with the hashed password already in the database.
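To make the storage options above concrete, here is an added Python example (not from the original article or the ICO) that contrasts an unsalted MD5 store with a per-user salted store and walks through the verification step just described. The choice of PBKDF2-HMAC-SHA256 with 200,000 iterations is this example's own assumption of a deliberately slow, salted hash; the article only says “hashing with a salt”. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to share a password.
SAMPLE_USERS = {"alice": "GreenAppleCartHorse", "bob": "GreenAppleCartHorse"}


def unsalted_md5(password: str) -> str:
    """Legacy scheme: fast, salt-free MD5. Identical passwords give
    identical hashes, so one lookup table serves every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Salted scheme: a fresh 16-byte random salt per user, stored in the
    clear next to the hash. PBKDF2-HMAC-SHA256 is an assumption of this
    example; any deliberately slow, salted function serves the same purpose."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Authentication: hash the supplied password with the stored salt and
    iteration count, then compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_store(users: dict) -> dict:
    """Create the salted records a database would hold for each user."""
    return {name: make_record(pw) for name, pw in users.items()}


def salted_hashes_differ(users: dict) -> bool:
    """True when every stored hash is unique, even for shared passwords."""
    hashes = [rec["hash"] for rec in build_store(users).values()]
    return len(set(hashes)) == len(hashes)


if __name__ == "__main__":
    # Unsalted: alice and bob collide, so cracking one cracks both.
    for name, pw in SAMPLE_USERS.items():
        print(f"{name:6} md5  {unsalted_md5(pw)}")
    # Salted: same password, different salt, different hash.
    store = build_store(SAMPLE_USERS)
    for name, rec in store.items():
        print(f"{name:6} salt {rec['salt']} hash {rec['hash'][:16]}...")
    print("alice correct password:", verify(store["alice"], "GreenAppleCartHorse"))
    print("alice wrong password:  ", verify(store["alice"], "greenapplecarthorse"))
```

The salt is not secret: its job is to make each user's hash unique so a single precomputed table cannot be reused across accounts, and the constant-time comparison in `verify` avoids leaking how many bytes of the hash matched.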
How a password is cracked
It seems traditional password conventions have reached their shelf life, partly because computing power has escalated significantly and partly because of misconceptions about passwords themselves. An exhaustive cycle of tests recently performed by Ars Technica illustrated that with nominal computing power, hashed passwords of fewer than six characters are cracked within a day, if not within minutes.
The problem isn’t that hashing doesn’t work; it’s the quality of the algorithm and the quality of the password itself. The older MD5 and SHA1 algorithms, still widely used, were designed to compute hashes quickly with minimal computing power. Because they have no built-in salting, it is that much easier for an attacker to crack passwords hashed in this way. MD5 is no longer endorsed by the ICO, and the National Institute of Standards and Technology (NIST) also no longer endorses SHA1 as a suitable password hashing function.
Simply put, cracking hashed passwords with a dictionary attack involves taking candidates built from any combination of ninety-five characters (twenty-six lowercase letters, twenty-six uppercase letters, ten numbers and thirty-three symbols), hashing them, and then comparing the result to a dictionary of other hashed words. This differs from a standard brute-force attack, where permutations of a possible password are systematically checked until the right one is found.
If a fast hashing method like MD5 is used, for example, a dictionary of one billion words can be searched eight times per second, as reported by Wired.co.uk. If a match is found in the dictionary, the crack is successful. An attacker could crack a password of up to six digits in two minutes and thirty-two seconds (tested on a PC with a single Radeon 6970 GPU). This method is much faster than a brute-force attack against longer passwords.
In 2012, LinkedIn reported a large-scale breach in which 6.5 million unsalted password hashes were leaked. Although the passwords were hashed, real user data was revealed in the process. The company had to reset the passwords and notify every affected user about the breach and the need to change their passwords. Because of this gap in their IT planning around passwords, LinkedIn has since implemented additional security measures.
How to choose a good password
They say that a password is bound to fall into the hands of an attacker eventually, which is why it should be a secure one. Unfortunately no password is 100% secure, but here are some tips that should help your IT planning with passwords:
- Use eight characters or more in a password; the statistics support it. Every additional character multiplies the number of permutations an attacker has to try, so a longer password helps reach the “exponential wall” where the time to crack it grows out of reach. This applies to both the brute-force cracking method and the dictionary attack method mentioned here. Increasing the time it takes to crack a password makes the attack less viable.
- A better trick is to link up four random words. See how “GreenAppleCartHorse” is much easier to remember than “[email protected]!e”. Also keep known information out of the password. Users, in an attempt to fulfil complexity requirements, reuse the same characters in sequence or even the same “random” values and substitutions. Hackers know this and won’t play along. For example, don’t use “GreenAppleFacebook” for Facebook and “GreenAppleGoogle” for Google; if one of them gets cracked, it will be easy to derive the others. The same goes for pet names, family names, dates of birth, or any such personal details.
- The ultimate password is a truly random string of characters of sufficient length. That obviously makes it nearly impossible to remember all the passwords for your abundance of office and online accounts. To help with this, programs like PasswordSafe and 1Password are designed to keep all your passwords in a secure place, protected by a single, uber master password. They can also generate randomised unique passwords for you.
- Some would argue that you should change your passwords at regular intervals. If you have a good password and an attack on it has already started, it could take months to crack, so limit the usefulness of stolen passwords by changing them every few months. However, this could be more effort than it’s worth if you’re going to write them down or forget what they are in the first place.
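To put numbers on the “exponential wall” in the first tip and on the one-billion-words-eight-times-per-second MD5 figure quoted from Wired.co.uk in the cracking section, here is an added Python example (not from the article). It computes the worst-case time to exhaust the 95-character keyspace at each length and contrasts the MD5 rate with an assumed 10,000 guesses per second for a deliberately slow, salted password hash; it also works the four-random-words tip through as a keyspace. The 10,000 guesses-per-second rate and the 7,776-word list size are this example's own assumptions.

```python
# Character classes from the article's 95-character alphabet.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 95

# One billion words searched eight times per second (the Wired.co.uk figure quoted above).
MD5_GUESSES_PER_SECOND = 8_000_000_000
# Assumed rate for a deliberately slow, salted password hash (illustrative only).
SLOW_HASH_GUESSES_PER_SECOND = 10_000
# Assumed word-list size for a four-random-words passphrase (the Diceware list has 7,776 words).
WORD_LIST_SIZE = 7776


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct candidates an exhaustive search must consider."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def growth_factor(alphabet_size: int, length: int) -> int:
    """How much one extra character multiplies the search: always the alphabet size."""
    return keyspace(alphabet_size, length + 1) // keyspace(alphabet_size, length)


def human_duration(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def wall_table(lengths=range(4, 13), alphabet_size=FULL_ALPHABET):
    """Rows of (length, keyspace, seconds at MD5 rate, seconds at slow-hash rate)."""
    return [
        (
            n,
            keyspace(alphabet_size, n),
            worst_case_seconds(alphabet_size, n, MD5_GUESSES_PER_SECOND),
            worst_case_seconds(alphabet_size, n, SLOW_HASH_GUESSES_PER_SECOND),
        )
        for n in lengths
    ]


if __name__ == "__main__":
    print(f"{'len':>3} {'keyspace':>24} {'MD5 @ 8e9/s':>16} {'slow @ 1e4/s':>18}")
    for n, space, fast, slow in wall_table():
        print(f"{n:>3} {space:>24,} {human_duration(fast):>16} {human_duration(slow):>18}")
    words = keyspace(WORD_LIST_SIZE, 4)
    print(f"\nfour random words from {WORD_LIST_SIZE:,}: {words:,} candidates,"
          f" {human_duration(words / MD5_GUESSES_PER_SECOND)} at the MD5 rate,"
          f" {human_duration(words / SLOW_HASH_GUESSES_PER_SECOND)} at the slow-hash rate")
```

Two things stand out in the output: each extra character multiplies the work by 95 regardless of which hash is used, and switching from a fast hash to a slow one moves every row of the table by the same factor as adding roughly three characters, which is why both the password policy and the storage algorithm matter.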
Passwords by policy
If your organisation makes use of an IT infrastructure, one can assume there are passwords zipping around its information highways. A password isn’t just a password; it’s the last line of defence against unauthorised access to top-secret, highly confidential, super private consumer data, budgets and even photographs. Sufficient IT planning will require complexity requirements and appropriate hashing techniques to be implemented.
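As an added example of what the complexity requirements mentioned here can look like in code (this is not from the article or from any named product), the Python check below enforces the eight-character minimum from the tips above and rejects passwords that embed the service name, the username or known personal details, even when they are disguised with the usual character substitutions the tips warn about. The substitution table, the sequence rule and the sample profile are this example's own constructed assumptions.

```python
import re

MIN_LENGTH = 8  # the "eight characters or more" tip from this article

# Assumed table of the common substitutions users reach for when forced to
# meet complexity rules. Undoing them before the checks means "F@ceb00k" is
# still recognised as "facebook".
LEET_TABLE = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
                            "!": "i", "$": "s", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Lower-case and undo common substitutions so look-alike spellings match."""
    return password.lower().translate(LEET_TABLE)


def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step up or down by one (abcd, 4321)."""
    for i in range(len(password) - run + 1):
        window = [ord(c) for c in password[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, username: str = "", service: str = "",
                   personal_details=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    plain = normalise(password)
    if service and normalise(service) in plain:
        problems.append("contains the service name")
    if username and normalise(username) in plain:
        problems.append("contains the username")
    for detail in personal_details:
        if detail and normalise(detail) in plain:
            problems.append(f"contains personal detail {detail!r}")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats one character three or more times in a row")
    if has_sequence(password):
        problems.append("contains an alphabet or number sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample profile: a username and details an attacker could look up.
    profile = {"username": "jsmith", "personal_details": ["Rex", "1984"]}
    for candidate in ["GreenAppleCartHorse", "GreenAppleFacebook",
                      "Gr33n@ppleF@ceb00k", "Rex1984!!", "abcd1234", "short"]:
        verdict = check_password(candidate, service="Facebook", **profile)
        print(f"{candidate:22} {'OK' if not verdict else '; '.join(verdict)}")
```

A check like this belongs at account creation and password change, alongside the salted storage described earlier; it catches the predictable patterns the tips describe without forcing users into the unmemorable symbol soup that drives them to write passwords down.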