Sunday, April 5, 2015

What's In A (Pass)Word?

Prevailing wisdom among information security practitioners is that passwords are outdated as a secure means of authentication. However, until a better way achieves wide adoption they are a fact of online life.

Password Harvesting

So how do the bad guys get your password in the first place? There are lots of ways:

  • Sites like LeakedIn and Pastebin are popular locations for "dumps," collections of usernames or email addresses and associated passwords found by good guys, disclosed by rivaling bad guys, or posted as proof of an attacker's l337ness.
  • Spammers buy or trade validated credential dumps in underground forums, lists of usernames/email addresses with passwords that they've proven to be active by running them through automated account checking programs to log into the account at least once.
  • Credential-harvesting malware, like keystroke loggers and web form injections, that collect usernames and passwords typed into browsers on victim computers and get sent to a central collection point under the attacker's control.
  • Phishing emails that entice victims to login into replica, or "spoofed," websites that look exactly like popular online banking and email sign-in pages.
  • Brute force attacks against websites built on popular free platforms, like Wordpress and Joomla, or Internet-facing databases using automated scanning and exploit tools.

All of the attack tools are incredibly easy to find and so are credential dumps.


3 Basic Rules

The best defense is a good offense. It's trite but true. Let's start with the basics. Good password hygiene consists of 3 factors: complexity, length, and uniqueness.

A complex password is one that consists of upper and lower case letters, numbers, and special characters. The purpose of complexity is to defeat password crackers, automated programs that compare encrypted or hashed passwords against word lists. This is euphemistically known as a "dictionary attack" for a good reason. Password crackers run comparisons against plain language word lists and obvious variations. The more recognizable the password, the faster it can be cracked. For example, poppy123 is revealed in milliseconds, while pO9Py!@# can take hours or days, depending on the password-cracking program.

Just as important is password length. To grossly oversimplify the description of the computational process, password crackers "recognize" each character of a password, one by one. Therefore, the longer the password, the harder you force the cracker to work. It's kind of like the joke about outrunning an angry bear - you don't need to have the longest password, you just need to have one that's longer than the next guy's. Miscreants who crack passwords are typically going for quantity. They stop cracking when they've decrypted a victim list long enough to be worth their while, financially speaking. The harder password hashes get tossed out or recycled into credential lists they'll later sell or trade themselves for someone else to have a whack at them.

The single most important hygiene factor is uniqueness. This means that every time you register for an online account or change an existing password, you create a password that you don't use anywhere else. In other words, your email password is different from your Facebook password that's different from your Twitter password, banking password, and so on. Obviously, this means we have to keep track of an awful lot of passwords. There are several schools of thought on how best to do this. There are apps called password lockers that let you store all of your passwords and associations in a single place on your computer or smart phone. There's also good, old fashioned pencil and paper - writing down this information in a notebook. Some people I know use "forgot your password" as their preferred method, using this feature on websites to change their password every time they log in, subscribing to the above concepts with zeal because they're not worried about remembering it. Each password management method has its pluses and minuses. The right way is the one that works for you.


Additional Protections

But, wait, you're saying. What about that credential-stealing malware and phishing mentioned earlier? All the clever strategies in the world won't help if you hand your password to the bad guys in these cases. And you're right. This is where two-factor authentication and keystroke scrambling come in.

Two-factor authentication, also known as 2FA, is where you not only need a password but another piece of code to prove that you are who you say you are. Examples of this are cryptographic tokens, like chip-and-pin cards or USB dongles, and SMS text codes, a unique identifier sent to your cell phone that you type into a website to complete the login process. The former can't be easily replicated by miscreants, while the latter can be captured by keystroke loggers but the data is nearly worthless because it's only good for a very limited time. If you notice my equivocation, this is intentional. No 2FA method is 100% hack proof but, again, the harder the challenge the more likely the bad guys will go after easier targets and away from you.

Keystroke scramblers are anti-keystroke loggers, programs that turn your typing into random characters when collected by malware and phishing sites, while sending the real information to the website you're logging into. Keystroke scramblers do this by encrypting each action of the keyboard at the driver or operating system kernel level and verifying the recipient website. Again, this technology isn't 100% guaranteed to keep your passwords out of the hands of the bad guys but it certainly makes your information a less desirable target by wasting their time.

Will passwords be replaced with stronger authentication mechanisms some day? A lot of smart people are working towards this very goal. Until a solution is ubiquitous, these tips should help you stay safer online.