jump to navigation

Password Security Concerns October 3, 2013

Posted by louloizides in Security.
trackback

Password security can be analyzed in two different ways. On one hand we can consider the password itself. The most common passwords used tend to be words like “password” or numbers like “123456” [1]. Obvious passwords are not only easy to crack using brute force techniques, but they can also be easily stolen by glancing over at a person’s keyboard while they’re typing.

The other analysis of password security regards the file passwords are stored on a system. In most systems passwords both hashed and encrypted. This way the original plain text password isn’t stored. If the password file is every copied, the person holding the file can’t retrieve someone’s plain text password. In too many cases lately, however, system developers haven’t taken the proper precautions on these files and passwords have been easily stolen through simple SQL injection techniques [2].

While we might tend to think of a password security file as sitting in a vault and not subject to frequent access, this isn’t really the case. Password security files are generally very accessible and tend to be backed up and exchanged regularly [3]. Encrypting and hashing passwords, therefore, is extremely critical.

Originally Unix used a routine called Crypt to accomplish this task. It was effective because on a computer in 1976 Crypt was very slow – most computers could only hash fewer than 4 passwords per second [3]. Brute force cracking wasn’t practical. By the late 90s, however, the best computers could easily hash 200,000 passwords per second and today computers are ten times as powerful [4]. Any password, therefore, that consists of a general combination of words and numbers can likely be guessed through brute force if this algorithm is used for protection.

To fix this problem, engineers have created stronger hashing algorithms. Some of these algorithms involve a process called “salting” passwords. Salting a password involves injecting some other random text into it so that it’s harder to guess and, therefore, better protected by the hash [3]. One concern regarding salting, however, is that if the number of possible salts used is small, the text injected into a password could help aid in decrypting it.

The other way password security can be improved is by improving passwords themselves. Because the hashing in a password table is only as secure as the number of possible password combinations, some companies have tried to replace text passwords with gesture based ones. Windows 8, for instance, can use picture based passwords [5] where the user draws a gesture on a picture instead of typing text. Unfortunately researchers have already proven that these techniques aren’t secure. They’re subject to the same vulnerability in text passwords in that it can be very easy to predict where a user will touch or which gesture they will create [6].

Another technique involves creating very hard to guess passwords and managing those passwords with another device. Mac OSX, for instance, has a tool called KeyChain [7] that can be used to manage passwords. Some thumb drives such as KeySafe exist for the same task [8].

Nowadays one of the biggest threats to password security are the robots that use brute force techniques to try and gain access to public servers. I’ve been caught by this myself. A few years ago I ran a website on a Linux server. The server was attacked several times per day and on multiple occasions these robots were able to gain entry and reconfigure it. Including odd combinations of numbers, letters and punctuation marks didn’t help at all (it only delayed the break-ins). Eventually what appeared to solve the problem permanently was removing the ability to directly log into the super user account through SSH. We only allowed a two-step process – a system admin was forced to log into a lower level account and then switch into a higher level system administrator account once they had the initial access. Furthermore all passwords used had to be randomly generated and contain no words. This kept the system fairly secure while it was still running, although I’d imagine it would have been temporary.

One thing I think we need to consider is whether or not companies today are doing enough to make potential security problems visible. Most people blindly trust a site like Facebook with the same password they use for their bank accounts. To the reader – are you aware of the potential security risks and do you think these companies are doing enough to make those risks visible?

  1. Ngak, Chenda, CBSNews.com, The 25 Most Common Passwords of 2012, Oct 24th, 2012, http://www.cbsnews.com/8301-205_162-57539366/the-25-most-common-passwords-of-2012/, accessed Sept 25th 2013
  2. Lunden, Ingrid, TeleCrunch.com, Yahoo Confirms, Apologizes for the Email Hack, July 12th, 2012, http://techcrunch.com/2012/07/12/yahoo-confirms-apologizes-for-the-email-hack-says-still-fixing-plus-check-if-you-were-impacted-non-yahoo-accounts-apply/, accessed Sept 27th 2012
  3. Provos, Niels and Maziere, David, A Future Adaptable Password Scheme, Proceedings of the FREENIX Track: 1999 USENIX Annual Technical Conference, 1999, https://www.usenix.org/legacy/event/usenix99/provos/provos.pdf
  4. Wikipedia Authors, Moore’s Law, http://en.wikipedia.org/wiki/Moore’s_law, accessed Sept 27th, 2013
  5. Microsoft, Picture Passwords, http://windows.microsoft.com/en-us/windows-8/picture-passwords, accessed Sept 25th, 2013
  6. Claburn, Thomas, Windows 8 Picture Passwords Easily Cracked, August 30th, 2013, http://www.informationweek.com/security/vulnerabilities/windows-8-picture-passwords-easily-crack/240160625, accessed Sept 27th, 2013
  7. Wikipedia Authors, Keychain (Apple), http://en.wikipedia.org/wiki/Keychain_(Apple), accessed Sept 27th, 2013
  8. SplashID Key Safe, http://www.splashdata.com/splashid/keysafe/, accessed Sept 27th, 2013
Advertisements

Comments»

No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: