Poor Passwords, Poor Security
By Robert Lemos
Last December, hackers stumbled upon a treasure trove: Security problems with the site of social networking application maker RockYou allowed anyone to access a massive list of passwords belonging to its users.
Hackers discussed the site's weak security extensively in an online forum. The conversations were found by security firm Imperva, which warned the company. Not, however, before one of the hackers made off with nearly 33 million unencrypted passwords from the site. The thief posted the list of passwords, without usernames, to the forum and mocked the company for the lax security around the credentials.
“Pretty nice list with plain text passwords,” the hacker wrote, according to news reports. “It’s so lame, and I'm sure that more than half does work for MySpace and other sites.”
The stolen passwords put RockYou in the spotlight, and the company belatedly warned users that their passwords had been put at risk. Yet, the incident ended up being a windfall for password researchers. Luckily, the list of passwords did not include usernames, but it did give insight into users’ poor choice in passwords.
In total, 42 percent of people used passwords that had only lowercase letters, and another 16 percent used only numbers, according to the analysis penned by Imperva. Both dramatically reduce the security of the person’s login. The analysis found that the top five secret phrases were “123456,” “12345,” “123456789,” “password” and “iloveyou.”
As society has moved away from face-to-face transactions, passwords have become the de facto method for determining someone’s identity. From banking to email access to social networks, people are identified by their public username and their private password. Yet the system has frequently broken down because most people’s passwords are easy to crack. The problem is that many people are still trying to keep all their passwords in their head, says Kevin Haley, director of Symantec’s security response group.
“You still see people using memory, which is only going to drive you to simple passwords and duplicating passwords, because they can’t remember so many,” says Haley.
Studies by the company have found that six in 10 people use memory for all their passwords. About 45 percent of people have a few passwords that they alternately use at different sites.
A history of bad choices
Ironically, the problem has changed very little in more than three decades.
In 1978 -- a year after the Apple II heralded the arrival of the personal computer and the Internet’s predecessor, the ARPANet, surpassed 100 nodes -- a paper on passwords found that people chose bad passwords. In the paper, Robert Morris Sr. and Ken Thompson of Bell Labs found that 86 percent of a collection of about 3,300 passwords used a word in the dictionary or consisted of fewer than 6 numbers or letters. The dictionary words alone accounted for a third of the passwords and could be broken in less than five minutes with a PDP-11/70, a standard big-iron computer of the era.
By using eight lowercase characters and digits, a password’s security improves dramatically. At the time, it would have taken the same computer 112 years to crack a single password.
In 1990, a study of Unix password security found that a decade had not changed users’ habits of picking poor passwords, and just 10 years ago, a list of Hotmail passwords from hacked accounts found that 42 percent used six characters or fewer. The most common password? “123456,” of course.
The study of the passwords exposed by the RockYou hack found similar issues. Almost half the passwords (45 percent) had fewer than eight characters. Using a list of the top 5,000 passwords, an attacker could have gained access to 1,000 accounts in less than 17 minutes. If the hacker had run the attack against all the accounts, about 20 percent would have been compromised, according to Imperva.
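The statistics quoted above (share of lowercase-only and digits-only passwords, share under eight characters, the top-five list, the proportion of accounts a common-password list would cover, and the 1978 keyspace figure) are all simple computations over a password dump. The following Python script is an added example, not part of the original article or of Imperva's analysis; it runs the same audit on a small constructed sample. `SAMPLE_DUMP` and `COMMON_BLOCKLIST` are made up for this example (the blocklist stands in for the "top 5,000 passwords" list the article mentions), and all function names are this example's own. The guess rate it derives for the 1978 machine is inferred from the article's own numbers by dividing the 36^8 search space for eight lowercase letters and digits by 112 years.

```python
"""Password-audit helpers reproducing the kind of analysis the article quotes.

Every function takes passwords as plain strings. The sample dump below is a
constructed example (no real accounts) and is not drawn from the RockYou data.
"""
import string
from collections import Counter

# Constructed sample dump. "123456" is repeated so the frequency count and
# the blocklist check both have something to find.
SAMPLE_DUMP = [
    "123456", "123456", "123456", "12345", "password", "iloveyou",
    "sunshine", "qwerty", "monkey", "abc123",
    "Tr0ub4dor&3", "correcthorsebatterystaple", "TqbfJ0tld-rkyu",
    "777777", "letmein", "dragon", "Passw0rd!", "a1b2c3", "zxcvbn", "hunter2",
]

# Constructed stand-in for a "top N passwords" list used as a blocklist.
COMMON_BLOCKLIST = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "qwerty", "letmein", "monkey", "dragon", "sunshine",
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_class(pw: str) -> str:
    """Bucket a password by the character classes it actually uses."""
    if pw and all(c in string.ascii_lowercase for c in pw):
        return "lowercase-only"
    if pw and all(c in string.digits for c in pw):
        return "digits-only"
    return "mixed"


def composition_percent(pws) -> dict:
    """Percentage of passwords in each character-class bucket."""
    counts = Counter(charset_class(p) for p in pws)
    return {k: round(100 * v / len(pws), 1) for k, v in counts.items()}


def short_percent(pws, limit: int = 8) -> float:
    """Percentage of passwords shorter than `limit` characters."""
    return round(100 * sum(len(p) < limit for p in pws) / len(pws), 1)


def top_n(pws, n: int = 5) -> list:
    """Most frequent passwords (ties keep first-seen order)."""
    return [p for p, _ in Counter(pws).most_common(n)]


def blocklist_hit_rate(pws, blocklist) -> float:
    """Fraction of accounts whose password appears on the blocklist.

    Defensively, this is the same check a site performs at registration:
    reject any candidate that appears on a list of known-common passwords.
    """
    return sum(p in blocklist for p in pws) / len(pws)


def keyspace(pw: str) -> int:
    """Size of the alphabet^length search space implied by the classes used."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in pw):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in pw):
        alphabet += 26
    if any(c in string.digits for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return alphabet ** len(pw)


def crack_years(space: int, guesses_per_sec: float) -> float:
    """Years needed to exhaust `space` at a given guess rate."""
    return space / guesses_per_sec / SECONDS_PER_YEAR


def implied_guess_rate(space: int, years: float) -> float:
    """Guesses per second implied by exhausting `space` in `years` years."""
    return space / (years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    print("composition:", composition_percent(SAMPLE_DUMP))
    print("under 8 chars:", short_percent(SAMPLE_DUMP), "%")
    print("top 5:", top_n(SAMPLE_DUMP))
    print("blocklist coverage:", blocklist_hit_rate(SAMPLE_DUMP, COMMON_BLOCKLIST))
    # Eight lowercase letters or digits: 36^8 possibilities, 112 years in 1978.
    print("1978 guess rate:", round(implied_guess_rate(36 ** 8, 112)), "/s")
```

On the sample, 25 percent of entries are digits-only and 45 percent lowercase-only, 65 percent are shorter than eight characters, and the ten-entry blocklist alone covers 55 percent of accounts; dividing 36^8 by 112 years gives roughly 800 guesses per second for the PDP-11/70 figure the article cites. The blocklist check is the piece a defender deploys: rejecting known-common passwords at sign-up removes exactly the accounts a top-N list would have reached first.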
If anyone understands the head-pounding-against-a-wall frustration felt by security people over people’s password habits, it’s comedian Mel Brooks. In Spaceballs, his classic takeoff on Star Wars, the leader of the verdant planet of Druidia gives up the password to the shield that protects his world.
The password? “12345,” the second most popular password among RockYou users.
Yet picking simple passwords is not the only problem. Using the same password across a number of sites can dramatically weaken the security of a person’s data as well.
In a recent study of four million users’ online habits over a year, security firm Trusteer found that nearly three-quarters of users reuse their banking passwords on at least one other non-financial site, and nearly half shared both their username and password with other non-financial sites. While banks and financial sites tend to invest heavily in security, other sites may not, says Amit Klein, CTO of Trusteer.
“The significance of reusing passwords is in the security of your credentials,” says Klein. “Your credentials are only as secure as the weakest link. It is unlikely for someone to hack into a bank's Web server -- not so with your local grocery store website or your social network website, where security is much more lax.”
The company has estimated losses to banks from their customers reusing weak passwords and giving up their credentials at $9.4 million per one million users.
Companies should not only be concerned about their customers’ penchant for picking poor passwords but should worry about their workers as well. If a worker uses the same password on a social networking site as they do to gain access to the company’s network, then a hack could cause the firm a lot of damage.
“If an employee has a password on a social site and the hacker knows they can use it to get into the firm’s (network), that’s bad,” says Imperva’s Rachwald.
Simplicity versus secrets
The problem with creating a strong system of passwords is that two aspects of human nature work to undermine users. Because passwords are meant to be secret, most people want to memorize them. Yet most people cannot keep dozens of complex sequences of alphanumeric characters in their head.
“I would love to recommend to people to use a different set of credentials for each site,” says Trusteer’s Klein. “The whole phenomenon, however, is that people’s memory is limited, and they don’t want to memorize a whole new set of credentials for each site.”
Klein recommends that people have a tiered system of passwords. On the first tier of sites -- such as financial services -- where compromised credentials could lead to significant harm, people should use a complex password. On the second tier of sites, social networks and other sites with personal data, people should use a different password. All other sites get a third password.
“It is difficult to come up with the right trade-off,” says Klein.
The right scheme may also depend on who you are: Home users have a different set of threats to worry about than business users. For consumers worried more about malicious keyloggers than nosy co-workers, keeping your passwords on a yellow sticky note -- a mnemonic shortcut derided by many security researchers in the past, but recommended by some today -- can keep complex passwords handy, and so let them use stronger passwords on each site.
Yet users should consider the dangers before doing so, says Klein.
“If your threat is the cleaning lady, then you would prefer to keep the passwords inside your computer and not on a sticky note beside your desk,” he says.
Finally, another system recommended by security researchers is to pick a root password and modify the password for each site. Using the first letter of each word in a sentence is a popular method. For example, “The quick brown fox jumped over the lazy dog” might become “TqbfJ0tld.” Then, the user modifies the password for each site. “TqbfJ0tld-rkyu” might be the version used for the RockYou website.
“The key is to make the password complex but make remembering the password simple,” says Imperva’s Rachwald.
Copyright (c) 2010 Studio One Networks. All rights reserved.