Anachronistic security compromised with heuristics

Fortunately, no one emailed me passwords after reading my column two weeks back. Unfortunately, organizations that hold huge amounts of user information are doing a bad job securing it. From Adobe to Yahoo, poor security has lead to database breaches, with usernames and passwords being exposed.

Assuming that no one has screwed up horribly (not a safe assumption), services should never store your password. Instead, they store an unrecognizable ‘hash’ generated by a mathematical function. A hash function takes data of an arbitrary length, scrambles it, then shortens or lengthens it. For example, the MD5 algorithm turns the string ‘password’ into ‘5f4dcc3b5aa765d61d8327deb882cf99’.

When you see that complicated string, you probably don’t immediately think ‘password’. However, reverse translation tables exist that can turn hashes back into passwords. To render these tables useless, a unique (usually random) ‘salt’ should be added to the password before it is hashed, producing an unpredictably different result.

Far too often, websites and services mess up storing passwords, either keeping them in ‘plaintext’ or implementing weak, easily reversible hashes. Where there’s one security mistake, there are likely many more. The non-profit Identity Theft Resource Center reported at least 781 data breaches in the US in 2015.

Once an attacker has a copy of a database with passwords non-encrypted (or poorly encrypted), they will typically retry email and password combinations on PayPal and other websites. They also now have a huge dictionary of passwords to try against other accounts.

Brute force attacks on passwords are effective, but slow. A long, complicated password could take somewhere between a decade and the heat death of the universe to crack. By testing passwords in a dictionary, an attacker is more likely to get into an account than by trying random combinations. This effect is improved when the dictionary is comprised of passwords that are known to be in use.

TeamsID puts out an annual list of the 25 worst (most frequently used) passwords. Compiled from leaked passwords of North American and Western European users, ‘123456’ and ‘password’ have topped the list for years. 3% of all accounts found in breaches had a password on this list. Extrapolating, with a dictionary of just these 25 common passwords, we can get into 3% of all online accounts. Expanding to a 500 word dictionary will improve odds, but there are diminishing returns as we add more passwords.

To protect yourself against dictionary attacks, your password shouldn’t be a word in the dictionary, or used anywhere else. Unfortunately, it gets more complicated with heuristic attacks.

In an attempt to protect users, many websites will require you to add numbers and/or special characters to your password. This ensures that passwords aren’t dictionary words. However, with a little more effort an adversary can still break your password.

Imagine I’m picking a new password. ‘password’ is too obvious, so I’ll pick something more tricky. ‘passw0rd’, with a ‘0’ replacing ‘o’, is the 24th worst password on 2015’s list, so I’ll need to get a little more complicated. How about ‘Pa$$word1994’? It’s easy enough to remember, and contains uppercase letters, lowercase letters, numbers and special characters. Despite being more complex, common substitutions and additions only offer a little more protection.

It’s trivial to write a script that will replace letters with common number or character substitutions (‘3’ for ‘e’, ‘&’ for ‘a’, etc.). I’ll also add all possible birth years and dates to the end of each word. After running through my dictionary once, I’ll swing through several more times, testing these modified versions.

Here’s the takeaway: organizations large and small will lose your data. The best way to protect yourself from being a part of a data breach is to not be a part of a data.┬áDon’t register for anything unless you absolutely have to, and even then avoid including more details than necessary.

If you are in a breach, data is encrypted, and passwords are properly hashed, avoid being the low hanging fruit. Using a longer and more complex password will protect you against brute force attacks, but if it’s based on a word, you’re still vulnerable to dictionary and heuristic attacks. ‘Passw0rd’ is just as weak a password as ‘password’. Remember that hackers also know movie quotes and song lyrics. Always use passwords you’ve never used before; use passwords you’re pretty sure no one in the world has ever used. Trust only goes so far, and you must take your passwords into your own hands.