Password Problems Part 1: Structural Challenges
Take a moment to sit back and count the number of passwords that you have. Our modern internet-enabled lives require computer logins, email addresses, bank accounts, health insurance websites, car insurance websites, your healthcare provider, work accounts, shopping accounts, streaming services, social media, PIN codes for your garage and work doors, and many more. The list of passwords required to navigate daily life in an internet-connected culture is already large for most users, and that number climbs every year. One study conducted in 2019 by the Ponemon Institute found that the average user had 12 passwords, whereas a study conducted in 2022 by NordPass found that the average user actually maintains closer to 100 passwords. With the growing number of passwords, increasingly strict complexity requirements, and scheduled password changes being part of most modern information security policies and procedures, the average user often reuses passwords or creates easily guessable ones to reduce the strain of memorizing them all.
In part one of this blog, I will unpack the common issues with modern security practices surrounding passwords, laying out the groundwork for the most frequent mistakes in password management and introducing some basic attacks used to bypass authentication. Part two will dive deeper into the attack strategies hackers and threat actors use to bypass authentication, collect your passwords, and breach your accounts. Finally, part three will cover effective strategies, best practices, and tips to better manage, secure, and draft passwords to keep the bad guys out and your data secure.
When managing so many passwords, reuse becomes a major security concern for corporations as well as private users. According to the 2019 State of Password and Authentication Security Behaviors Report conducted by the Ponemon Institute, in 2019 46% of passwords were reused four to six times, and a staggering 26% were reused more than six times. Password reuse is one of the major factors that can lead to a breach of personal information security as well as corporate information security.
Figure 1: Average number of times a password is reused according to the Ponemon Institute Study conducted in 2019. Credit: Ponemon Institute 2019 State of Password and Authentication Security Behaviors Report
When reusing passwords, a breach of one account password can be chained to breach numerous other accounts that share the identical password and are associated with the same user. Take for example a user who uses the same email to sign up for multiple online services. This user uses their email to sign up for a streaming service, a rewards program, a bank account, an email account, a social media platform and a local medical records portal. Since this user has limited bandwidth with which to memorize passwords, the same password is used across all these platforms. One day, a hacker is able to breach the rewards program site, as it has lower security than the other institutions, and collect username and password combinations for all users of that system. The attacker will then take our victim’s email address and password and try that combination across other well-known sites. Since our victim is reusing a password across multiple platforms, the breach of their password on a rewards program site has now led to the breach of their personal social media data and has given the attacker access to their health records and bank account information.
Modern security practices at high-value targets like bank accounts and healthcare institutions typically enable some type of multi-factor authentication by default, so at times these attacks will be mitigated by the platform. However, bypassing these extra security features is possible with a dedicated attacker. In part two we will discuss methods by which attackers gain access to these passwords, how they spray passwords across the web to find matching combinations, and how they can bypass additional security measures put in place by websites and other online portals. In part three we will cover defense strategies to protect yourself from these types of attacks.
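One defensive control against the chain described above is to check a password at sign-up or change time against a corpus of passwords already exposed in breaches, without ever sending the password itself. The block below is an added example written for this post, not code from the original article: it implements the k-anonymity range-query scheme used by public breached-password services, with both the service side and the client side in one file. The breach corpus is constructed for the example (hypothetical counts, no real leaked data), and the service is a local dictionary standing in for an HTTPS endpoint.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus (not real leaked data): passwords that a
# hypothetical rewards-site breach exposed, with how often each appeared.
CONSTRUCTED_BREACH_CORPUS = {
    "Fall2022#": 4130,
    "password1": 98211,
    "Summer2021!": 2205,
    "letmein": 51034,
}


def _sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; SHA-1 is used here only as a
    lookup key for a public corpus, never to store credentials."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus by the first 5 hex characters of each SHA-1, as a
    breach lookup service would, so a client can query by prefix only."""
    index = defaultdict(list)
    for password, count in corpus.items():
        digest = _sha1_hex(password)
        index[digest[:5]].append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_query(prefix: str):
    """Service side of the k-anonymity lookup: return every (suffix, count)
    whose SHA-1 begins with `prefix`. The service sees only the 5-character
    prefix, never the full hash or the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the 5-character prefix, and match
    the remaining 35 characters on the client. Returns how many times the
    password appeared in the breach corpus (0 if it was never seen)."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def is_breached(password: str) -> bool:
    """True if the password should be rejected because it is already exposed."""
    return breach_count(password) > 0


if __name__ == "__main__":
    for candidate in ("Fall2022#", "a completely different passphrase 9!"):
        print(candidate, "->", breach_count(candidate), "breach occurrences")
```

A sign-up form would call `is_breached()` and refuse the password if it returns True, which blocks the rewards-site password from ever being reused on the bank or medical portal. Because only the prefix leaves the client, the service cannot recover the password from the query even if its logs are later compromised.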
In tandem with the rise in the number of passwords managed by individuals, the complexity of password requirements is also on the rise. In the early 2000s and into the 2010s, a password of 8-12 characters containing one upper-case letter, one lower-case letter, and a symbol or number was considered a complex password. Conventional guidance at the time recommended substitution (replacing letters with symbols), appending additional characters to the end of the password, and periodic changes to make a strong password.
Changes to the threat landscape have forced the generally accepted password complexity requirements to evolve. With the improvement of consumer-grade graphics processing units (GPUs) and the reduction in their overall cost, password cracking with readily available consumer parts has become a much more effective and affordable tactic for threat actors across the globe. As GPU performance has increased, the need for longer passwords has grown, because shorter passwords have become far easier to recover with dictionary and brute-force attacks run on consumer-grade hardware. According to Hive Systems, an eight-character password meeting any complexity requirement and hashed with MD5 is crackable by an NVIDIA RTX 2080 in under eight hours and by an NVIDIA RTX 3090 in five hours.
Figure 2: Brute-forcing time for the NVIDIA RTX 2080 (left) and the NVIDIA RTX 3090 (right). Credit: HiveSystems
To combat the pervasiveness of password cracking, most sites and organizations now require a minimum password length of 12 characters, blunting the rise in successful cracks and breaches brought about by dictionary or brute-force attacks against shorter passwords. Likewise, alternative hashing algorithms can be used that force the attacker to spend far more processing time on every guess. In part two, we will discuss how attackers get their hands on these hashes, how they attempt to crack the passwords, common tactics and techniques in password cracking, and how they bypass common best practices in password security. In part three we will discuss effective password management, storage, and protections to keep your passwords safe and secure from hackers looking to breach your accounts.
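To make the "longer processing time" point concrete, the block below is an added example (not code from the original post or from Hive Systems) that stores the same constructed sample password two ways: the unsalted, single-pass MD5 the text cites as crackable in hours, and a salted, iterated PBKDF2-HMAC-SHA256 hash. It then measures how many times more work one PBKDF2 guess costs than one MD5 guess on the machine it runs on. The iteration count is an assumption chosen for the example; a production deployment tunes it to its own hardware and would typically prefer a memory-hard function such as Argon2 or scrypt where a library is available.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential; not from any real breach or system.
SAMPLE_PASSWORD = "Fall2022#"

# Assumed cost parameter: raise it until one hash takes ~100 ms or more on
# your login servers. Every increase multiplies the attacker's work equally.
PBKDF2_ITERATIONS = 200_000


def md5_hash(password: str) -> str:
    """The weak baseline from the text: unsalted, single-pass MD5. Two users
    with the same password get identical hashes, and one guess costs one
    MD5 operation."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt=None, iterations=PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. The stored string carries the algorithm name,
    iteration count and salt so that verification (and future cost
    increases) need nothing else."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random per-user salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so response timing leaks nothing about the digest."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def time_one_guess(fn, reps=1) -> float:
    """Average wall-clock seconds for one call of fn()."""
    start = time.perf_counter()
    for _ in range(reps):
        fn()
    return (time.perf_counter() - start) / reps


def cost_ratio() -> float:
    """How many times more work a single PBKDF2 guess costs than a single
    MD5 guess on this machine. Returns a value well above 1000 at the
    assumed iteration count."""
    md5_seconds = time_one_guess(lambda: md5_hash(SAMPLE_PASSWORD), reps=2000)
    fixed_salt = os.urandom(16)
    pbkdf2_seconds = time_one_guess(lambda: pbkdf2_hash(SAMPLE_PASSWORD, fixed_salt))
    return pbkdf2_seconds / md5_seconds


if __name__ == "__main__":
    stored = pbkdf2_hash(SAMPLE_PASSWORD)
    print("md5    :", md5_hash(SAMPLE_PASSWORD))
    print("pbkdf2 :", stored)
    print("verify correct password :", pbkdf2_verify(SAMPLE_PASSWORD, stored))
    print("verify wrong password   :", pbkdf2_verify("fall2022#", stored))
    print(f"one PBKDF2 guess costs ~{cost_ratio():,.0f}x one MD5 guess")
```

The ratio printed at the end is the multiplier an attacker's cracking rig must absorb: a hash rate that exhausts an eight-character MD5 space in hours is divided by that factor, and the per-user salt additionally prevents one computation from being reused against every account in the breached table.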
Creating easily guessable passwords and storing passwords in inappropriate places are two of the most common errors individuals make when it comes to password best practices. In many organizations, passwords are required to be changed every 90 days. Because of this, a user will typically follow a format, changing something minor about the password to avoid memorizing an entirely different string. A common example is to select the current season, year, and a special character: Fall2022#. Likewise, using the organization name, a pet’s name, a child’s name, a significant other’s name, or a local sports team as part of the password is extremely common. Additionally, users reuse those poorly crafted passwords for non-work accounts as well, creating additional vectors for password discovery and account enumeration. Attackers are well aware of the types of passwords that are commonly used and build special word lists to guess the easily crackable ones on an initial pass through a breached list. Looking up breached hashes in a precomputed table of the hashes of known passwords is called a rainbow table attack; it is extremely fast and will be covered in part two of this blog. In part three we will discuss tactics for crafting strong passwords that are difficult to crack.
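The predictable patterns listed above are exactly what a password filter on a directory or self-service portal can reject at change time. The block below is an added example, not code from the original post: a policy check that flags the season-plus-year-plus-symbol format, organization and personal names, passwords under the 12-character minimum discussed earlier, and a new password that differs from the previous one only in its digits and symbols. The organization words, the personal names and the sample passwords are all constructed for the example; a real deployment would load the word lists from its own configuration.

```python
import re

# Constructed organization-specific word list a filter would be configured
# with: company name, local sports team, and similar. Tuple for stable output.
ORG_WORDS = ("examplecorp", "vikings")
MIN_LENGTH = 12

# Matches "Fall2022#", "Winter2023!!", "summer2021": a season, a four-digit
# year, then nothing but symbols.
SEASON_YEAR_RE = re.compile(
    r"^(spring|summer|fall|autumn|winter)(19|20)\d{2}[^a-z0-9]*$", re.IGNORECASE
)


def stem(password: str) -> str:
    """Strip digits and symbols and lower-case what is left, so that
    'Fall2022#' and 'Fall2023!' share the stem 'fall'. Used to catch the
    90-day 'change one character' habit."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(candidate: str, previous: str = "", personal_words=()) -> list:
    """Return the reasons the candidate is weak; an empty list means it passed.
    `previous` is the password being replaced (available in plaintext during
    a change because the user types it); `personal_words` are names (pet,
    child, partner) from the user's own profile or the directory."""
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if SEASON_YEAR_RE.match(candidate):
        problems.append("season + year + symbol pattern")

    for word in ORG_WORDS:
        if word in lowered:
            problems.append(f"contains organisation-related word '{word}'")

    for word in personal_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains personal name '{word}'")

    if previous and stem(candidate) and stem(candidate) == stem(previous):
        problems.append("only digits/symbols changed from previous password")

    return problems


if __name__ == "__main__":
    # Constructed sample submissions, with the previous password where relevant.
    samples = [
        ("Fall2022#", "", ()),
        ("Fall2023!", "Fall2022#", ()),
        ("ExampleCorp-Password-2024!", "", ()),
        ("SparkyLovesWalks2024!", "", ("Sparky",)),
        ("correct horse battery staple", "", ()),
    ]
    for candidate, previous, names in samples:
        verdict = check_password(candidate, previous, names) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The stem comparison is the part most rotation policies miss: Fall2022# to Fall2023! satisfies a naive "must differ from the last password" rule while giving an attacker who already holds the old value a one-guess update.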
Finally, improper password storage can lead to additional problems. Many users will write down their password on a sticky note and store it on the monitor or on the underside of the keyboard. When an attacker has physical access to a workstation, this is one of the first places they will look to see if they can uncover a password to a user account leading to additional problems for the company or user. Likewise, many users may create a plain-text file or spreadsheet on their computer wherein they store password and username combinations. An attacker with remote access to these systems can run search queries on filenames and file contents to discover possible passwords stored on the computer. Stick around for part two where we will briefly discuss password storage and how attackers are able to search for locally stored passwords. Furthermore, part three will discuss better alternatives for password storage and management.
By: Kyle Rozendaal
Need help with information security policy or practice?
Get in touch today: https://itauditlabs.com/contact