When hackers breached the servers of Sony Pictures in June, they cast a harsh light on one of the Web’s most bedeviling security problems: passwords. After finding that a million user passwords for three Sony sites were stored without encryption, the intruders posted them online for anyone to see.
Security researcher Troy Hunt pored over the file and found that half of the passwords could be considered weak because they had a low degree of randomness—they had only lowercase letters, only uppercase letters, or only numbers. More than a third of the passwords could have been found in a dictionary and easily guessed by a password cracker, a tool that quickly tries different words and word combinations. Half the passwords were seven characters or fewer. Finally, the researcher found 90 e-mail accounts that had also shown up in another leaked password file, from Gawker.com, and discovered that about two-thirds of those users had the same password at both sites. “It indicates to me that this was a normal practice for people to plug in the same password into their accounts,” says Hunt, a software architect who studies security.
The Internet relies on passwords, and each person typically has dozens of accounts that require them. But as the Sony and Gawker episodes revealed, people often use passwords that are easy to guess or crack, and then repeat them across multiple sites rather than trying to remember dozens of complex strings of characters. And yet researchers who study passwords offer no easy alternatives to this insecure practice.
“I truly wish there was a simple prescriptive, constructive, bullet-point list of two or three things that users could do,” says Cormac Herley, a computer scientist with Microsoft Research. “Unfortunately, I don’t think I or anyone else has that list right now. So much of the last 10 years, so many people in security have been assuming that passwords would be gone. But more and more time has gone by, and that has not happened.”
Instead, password-protected accounts have proliferated. Software for password management could be a solution, but relying on such an application has its own downside. An attacker who infects a victim’s PC gets the ultimate prize: the password for every account a user owns.
The situation looks worse when you consider that even our understanding of what makes a strong password might have flaws. In a recent paper, researchers from Florida State University, Redjack, and Cisco Systems found that a typical measure of password strength—the degree of randomness or entropy exhibited by the string of characters—does not have a great deal of meaning. Password crackers follow certain strategies: first searching through certain dictionary terms, then appending numbers to the guesses, then trying combinations of words. The researchers found that the cracking tools used by these criminals are generally very good at guessing a small but significant fraction of passwords, identifying up to 20 percent of passwords seven characters or longer in about 10,000 tries.
The researchers argue that analyzing passwords for their level of entropy overestimates the ease of cracking some passwords and underestimates it for others, depending on how much time an attacker is willing to spend on the assault. As a result, says researcher Matt Weir, one of the authors of the paper, an organization that analyzes its passwords for randomness might have “an overly optimistic view of the security provided by their password creation policies.”
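As an added illustration (not code from the article or from the paper it cites), the following Python script contrasts a character-class entropy estimate with a password's position in a guess order modeled on the cracker strategies described above: dictionary words, then words with appended digits, then two-word combinations. The word list, the sample passwords and the 10,000-guess budget are constructed assumptions chosen to keep the demonstration small.

```python
import itertools
import math

# Constructed stand-in for a cracker's dictionary (assumption; real lists hold millions of entries).
WORDLIST = ["password", "monkey", "sunshine", "dragon", "letmein", "qwerty", "baseball", "football"]


def charclass_entropy_bits(pw: str) -> float:
    """Naive strength metric: log2(alphabet size) per character, where the alphabet
    is the union of the character classes present. This is the kind of entropy
    estimate the article says overstates the strength of dictionary-based passwords."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


def guess_order(wordlist):
    """Yield candidate passwords in the order the article describes a cracker trying them."""
    for w in wordlist:                      # 1. plain dictionary terms (and capitalised form)
        yield w
        yield w.capitalize()
    for w in wordlist:                      # 2. dictionary terms with appended digits
        for base in (w, w.capitalize()):
            for n in range(100):
                yield f"{base}{n}"
    for a, b in itertools.permutations(wordlist, 2):   # 3. two-word combinations
        yield a + b


def guess_rank(pw: str, wordlist=WORDLIST, limit: int = 10_000):
    """Return how many guesses the modeled cracker needs to hit pw, or None if it
    is not found within the guess budget. Used here as a strength-meter check."""
    for rank, guess in enumerate(guess_order(wordlist), start=1):
        if rank > limit:
            return None
        if guess == pw:
            return rank
    return None


if __name__ == "__main__":
    # Constructed samples: one looks strong by entropy but falls quickly; one looks weak but survives.
    for pw in ("Dragon1", "xqzvkw", "monkeydragon"):
        print(f"{pw:14} entropy={charclass_entropy_bits(pw):5.1f} bits  guesses={guess_rank(pw)}")
```

Against this model, "Dragon1" scores far more entropy bits than the short random-looking "xqzvkw" yet is guessed within a few hundred tries, while "xqzvkw" is never reached, which is the mismatch the researchers describe.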
It also means that forcing employees to change their passwords every so often might not be useful. Instead, it may make it more likely that employees will reuse a password across multiple sites, meaning a hack on one can endanger accounts elsewhere. And although corporate networks and consumer Web services often lock out attackers who try multiple passwords in succession, hackers don’t encounter such limitations if they gain internal access to the file where user passwords are cryptographically “hashed” before being stored. In that case, the password cracker can hash each guess itself and compare the result against the stolen file, trying as many candidates as its hardware allows with no lockout to slow it down.
Because of such flaws, security researchers say, companies serious about security should not rely on passwords alone. For example, they might use devices or software that generate one-time passwords; to defeat those, an attacker would have to either steal the device or execute a real-time operation known as a man-in-the-middle attack, in which the attacker modifies the connection between a victim and a service provider during a transaction. Such attacks are not unheard-of—criminals employing banking Trojans, such as Zeus, have used just such techniques to steal millions of dollars from small businesses and organizations—but the technology requires attackers to expend significantly more effort. “It is a more expensive attack,” says Microsoft’s Herley.