Static passwords are the most popular authentication method, and not without reason. They are easy to deploy, intuitive and simple to use, so we use them everywhere: in applications, on websites and even as PIN codes at cash machines, on phones or at door intercoms. But can we manage this kind of information safely? Apparently not, because very often we reuse the same password across many different services.
The security of static passwords has been discussed for many years. Security engineers, scientists and banks continuously flood the media with reports of break-ins and leaks of end users’ passwords from popular services, and each time the discussion about password complexity and storage flares up again. Editors and users outdo one another in the comments, offering the newest „proven” methods of creating and remembering passwords. Unfortunately, without knowing how authentication mechanisms are actually implemented in applications, and how passwords are actually cracked, this kind of advice does more harm than good.
The fact is that database leaks are becoming more and more frequent. The number of accounts taken over in different services keeps growing, and so does the number of assets from auction sites or digital wallets that end up in criminals’ hands. Interestingly, such takeovers are not hard to carry out and are performed even by minors with limited technical skills.
In the following paragraphs I present a few facts about password security, mainly in the context of using the same password in different services. Based on my observations, research and experience, I want to show why a weak but unique password is safer than a strong one that is reused across many services.
I use several passwords so I am safe
When I ask how people store and manage their passwords, I very often hear that the best method is to remember only a few passwords and to use each of them for services of a similar nature:
- one password to e-mail accounts,
- one password to online banking,
- one password to internet forums and social networks,
- one password to work,
- one password to the remaining services.
Is this solution safe?
It is definitely a better solution than having one password for every service. Unfortunately, contrary to appearances, this approach only provides a false sense of security.
If any service in a given „category” is compromised by attackers, the accounts in all other services of that category are seriously threatened. It must be assumed that an attacker who comes into possession of one of our passwords may simply try it on another service. This scenario is not hypothetical: a cracker who illegally takes personal information from a service obtains not only the person’s password (in plaintext, encrypted or hashed form) but also their e-mail address, user name, first name, last name or postal address.
With this data he can often easily find other services used by the victim. He then tries to take over the account on another service, even if he never managed to break the security of that server. Why should he, when he already has a password and can gain access to services that can be turned into cash?
It can be said that using many passwords decreases the chance of accounts being taken over in different services. Definitely! The best solution is to use unique passwords: then breaking the security of one server will not affect the safety of the other services where we are registered with similar data. Regrettably, people are rather lazy, so they look for ways of creating „unique passwords” which unfortunately are far from unique.
The most common technique for creating and remembering passwords is to come up with a „scheme” that generates a password depending on the service. Such templates are almost always a bad idea: an attacker can easily work them out, even from a single password leaked by a poorly protected server (and more easily still with data from several of them).
To illustrate this, I will present a method of discovering the password template for services whose data did not leak, on the basis of a single leak from another site.
Let’s assume that a cracker comes into possession of the database of the service http://hackme.example.tk. In this way he obtains the hashed password of the user Olliver90, registered with the e-mail address firstname.lastname@example.org. After a quick dictionary attack the cracker knows the original password: Passw0rdAmple2013.
Having this information, the offender searches the web for the login or e-mail address and finds two other services used by this person. After a few attempts the cracker successfully takes over the victim’s accounts using the following passwords:
Now, try to guess which services are used by the victim.
It doesn’t concern me
As you can see, using „password templates” and/or „category passwords” is not a good idea. It is worth remembering that leaks of personal information, in particular of passwords, are common now. Only some incidents are publicized, yet the industry media report new leaks all the time.
To back this up: in the first half of 2014 alone, unauthorized persons gained access to users’ personal data in the following services:
- Centralna Komisja Egzaminacyjna (CKE, the Polish Central Examination Board) (probably),
- myMym.com (with over 1.5 million professional players),
- and many, many more.
As you can see, sites of all sizes and of all kinds are affected, and it is difficult to discern any strict rules here. Any site may fall victim to an attack or human error, regardless of the industry it belongs to, whether security (ESET, Avast), electronic commerce (such as eBay) or anything else.
The above list of disclosed leaks contains only popular sites that have recently fallen victim to an attack. The full list of compromised sites is much, much longer.
On the basis of research I conducted between 2009 and 2013, I found that getting access to users’ passwords is very simple and does not necessarily involve breaking the law or breaking the security of internet servers. Many leaks are simply made public, and if you are motivated enough you can download and analyse them.
As part of my research I managed to obtain dumps of 75 databases (including 45 from Polish sites), which had been made public by crackers in commonly available sources. These included, among others, Polish websites such as:
- Filmweb.pl (955 836 users),
- Cs-puchatek.pl (546 204 users),
- Gram24.pl (236 351 users),
- Wiocha.pl (100 000 users),
- Haker.com.pl (99 907 users),
- Kobietykobietom.pl (82 428 users),
- Pobieramy24.pl (64 564 users),
- Innastrona.pl (51 568 users) – with all passwords in plaintext form,
- 4teens.pl (39 553 users),
- Poezja.org (39 316 users),
- Schaffashoes.pl (35 811 users) – with all passwords in plaintext form,
- Cs-wysypisko.pl (30 821 users).
Of course, data concerning users from other countries is also easy to find, e.g.:
- Gamigo.com (7 004 341 users),
- Linkedin.com (6 442 924 users),
- EHarmony.com (1 516 877 users),
- Gunz.universegamers.com (966 711 users) – with all passwords in plaintext form,
- Battlefieldheroes.com (548 774 users).
In total, the study enabled me to collect over 65 million passwords (in various forms), most of which are still available to anyone at their fingertips. Interestingly, on average every third password in those data sets was stored in plaintext, which made excellent material for further research and for drawing conclusions about how users, both technical and non-technical, create passwords.
Analysing the data set, it turned out that:
- 33% of users have a password no longer than 7 characters,
- 83% of users have a password no longer than 10 characters,
- 93% of users have a password no longer than 12 characters,
- less than 1% of users have a password longer than 16 characters.
When it comes to complexity:
- 41% of passwords consisted only of characters from loweralphanum (a-z, 0-9),
- 26% of passwords consisted only of characters from loweralpha (a-z),
- 17% of passwords consisted only of characters from numeric (0-9).
It is worth mentioning that loweralpha and numeric in this breakdown are not counted as subsets of loweralphanum, so the three groups are disjoint and a cracker can successfully attack all of them using only lowercase letters and digits. The attack time is significantly reduced while its coverage remains very large (in this study, as much as 84% of passwords).
Given that approx. 83% of users have a password of at most 10 characters, an attack even on passwords stored in hashed form (e.g. MD5, SHA-1) can be carried out at home without a large financial outlay. Currently an average PC is able to crack the hash (MD5, SHA-1) of a 10-character loweralpha password in at most a few days (and sometimes in a few minutes).
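The classification used in the statistics above (length buckets and the disjoint loweralpha / numeric / loweralphanum classes, whose shares therefore add up to the 84% attack coverage) can be reproduced with a small analysis script. The code below is an added example, not the author's research tooling; the password list is constructed for illustration and is not taken from any dump.

```python
import re
from collections import Counter

# Character classes as named in the study above. The regexes make the three
# classes disjoint: "loweralphanum" requires at least one letter AND one digit,
# so a pure-lowercase or pure-numeric password is never counted twice.
CLASSES = (
    ("numeric", re.compile(r"^[0-9]+$")),
    ("loweralpha", re.compile(r"^[a-z]+$")),
    ("loweralphanum", re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]+$")),
)

def charset_class(password):
    """Return the study's class name for one password, or 'other'."""
    for name, pattern in CLASSES:
        if pattern.match(password):
            return name
    return "other"

def length_share(passwords, max_len):
    """Fraction of passwords that are no longer than max_len characters."""
    return sum(1 for p in passwords if len(p) <= max_len) / len(passwords)

def class_shares(passwords):
    """Fraction of passwords falling into each character class."""
    counts = Counter(charset_class(p) for p in passwords)
    return {name: n / len(passwords) for name, n in counts.items()}

def lowercase_digit_coverage(passwords):
    """Share of passwords reachable by a brute-force search over a-z and 0-9
    only. Because the three classes are disjoint their shares simply add up,
    which is how the 41% + 26% + 17% = 84% figure above arises."""
    shares = class_shares(passwords)
    return sum(shares.get(n, 0.0) for n in ("numeric", "loweralpha", "loweralphanum"))

# Constructed sample (not from any real leak), chosen to cover every class.
SAMPLE = [
    "qwerty", "123456", "olek1990", "Passw0rd!", "abc",
    "kasia2013", "Zaq12wsx", "2014", "monkey", "correcthorsebatterystaple",
]

if __name__ == "__main__":
    print("<= 7 chars:", length_share(SAMPLE, 7))
    print("<= 10 chars:", length_share(SAMPLE, 10))
    print("classes:", class_shares(SAMPLE))
    print("a-z/0-9 attack coverage:", lowercase_digit_coverage(SAMPLE))
```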
The complexity of passwords and the method of storing them on the server side are topics for a separate article, so let’s get back to the problem of using the same password for several services.
We already know that no matter how well we take care of our passwords, this data can leak from the sites and we are unable to prevent it. It may seem that this problem doesn’t concern us and that we accept the risk. To make it concrete, let’s check what the risk is of losing the accounts on all sites, assuming that the password from at least one of them ended up in the hands of burglars.
Assume some probability of a data leak from a single service. Of course, some sites are better protected than others, but let’s roughly assume that the probability of a service leaking the password during a year is 1%, i.e.:
Of course, when one website is broken into, you should assume that in practice the password will also be compromised in the other „related” services. The probability of losing the password for one service per year is therefore:
The probability of a leak from any site when the password is shared between two services is:
and in the case of three services:
In the more general case:
- the probability of a leak from any of 5 sites is 0.04900995 ~= 5%,
- the probability of a leak from any of 15 sites is 0.139941645 ~= 14%,
- the probability of a leak from any of 30 sites is 0.260299627 ~= 26%,
- the probability of a leak from any of 69 sites is 0.50016297 ~= 50%,
- the probability of a leak from any of 5 sites is 0.096079203 ~= 10%,
- the probability of a leak from any of 15 sites is 0.261430897 ~= 26%,
- the probability of a leak from any of 30 sites is 0.454515681 ~= 45%,
- the probability of a leak from any of 69 sites is 0.751915733 ~= 75%.
Theoretically, if you use the same password for 30 sites, there is a 26% probability that within a year an unauthorized person will have access to all of these services.
Are you able to accept such a risk? You have to answer this question yourself.
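The percentages listed above are the formula 1 - (1 - p)^n evaluated for p = 1% and, in the second list, p = 2%, assuming independent leaks. The Python below is an added example, not the author's calculation; it reproduces those values and goes one step further than the article by comparing, in expected accounts lost per year, one shared password, the "category" strategy (the 5/1/14/4/6 split across 30 sites is a constructed assumption) and unique passwords.

```python
def any_leak_probability(p_leak, n_sites):
    """Probability that at least one of n_sites independent sites leaks within
    the year when each leaks with probability p_leak: 1 - (1 - p_leak)^n.
    This is the formula behind the two lists of percentages above."""
    return 1.0 - (1.0 - p_leak) ** n_sites

def expected_accounts_lost(p_leak, groups):
    """Expected number of accounts an attacker gains in a year.

    groups is a list of group sizes; all sites in a group share one password,
    so the whole group is lost as soon as any one of its members leaks.
    A group of size 1 is a site protected by a unique password."""
    return sum(size * any_leak_probability(p_leak, size) for size in groups)

def compare_strategies(p_leak, n_sites, category_sizes):
    """Three ways of spreading one user's passwords over n_sites sites."""
    return {
        "one_shared_password": expected_accounts_lost(p_leak, [n_sites]),
        "category_passwords": expected_accounts_lost(p_leak, category_sizes),
        "unique_passwords": expected_accounts_lost(p_leak, [1] * n_sites),
    }

if __name__ == "__main__":
    # Reproduce the article's two lists (p = 1% and p = 2%).
    for p in (0.01, 0.02):
        for n in (5, 15, 30, 69):
            print(f"p={p:.0%} n={n:2d}: {any_leak_probability(p, n):.9f}")
    # 30 sites at 1%: one shared password vs. five category passwords
    # (constructed split 5/1/14/4/6, an assumption) vs. unique passwords.
    print(compare_strategies(0.01, 30, [5, 1, 14, 4, 6]))
```

With unique passwords the expected loss is n * p (0.3 accounts for 30 sites), while one shared password multiplies the whole site count by the 26% figure above (about 7.8 accounts).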
Remedy for poor memory
In fact, one can say that the only safe password is one you can’t remember.
How do you generate such (unique, complex) passwords, and how do you use them? It is enough to use a password manager such as KeePass or 1Password. With its help we generate a separate password for each service and set up automatic login. Access to the program is secured with one complicated string of characters (or a key file), and the program’s database is stored locally (so no one else can access it). The problem of lazy human nature is solved this way 🙂
Of course, a password manager won’t solve all problems with passwords, but it will significantly increase our security. Therefore, I highly recommend trying KeePass or 1Password and starting to use unique passwords.
For the safety of all of us 🙂
- Adrian Michalczyk, „Cracking Static Passwords in Web Applications – Analysis of Attack and Defence Strategies” (available on request, currently not published)
- Adrian Michalczyk, „Compendium of password security”, url: http://sekurak.pl/kompendium-bezpieczenstwa-hasel-atak-i-obrona/