Passwords. Nearly our oldest technology for security and yet oh, so vulnerable! In our last blog, we covered a variety of breaches and how the leaked data continues to haunt victims for years after the breach. Yet hackers use more than just breaches to attack an organization. Weak passwords remain a key vector of entry despite decades of training and a traditional requirement to change passwords regularly. We also mentioned the change in password philosophy now recommended by the National Institute of Standards and Technology (NIST) and we will go into more depth on the rationale behind their change and fundamental issues with attempts to use biometrics.
To begin with, consider last week’s advice: “Either try to crack internal passwords regularly or enforce password changes every 60-90 days.” This recommendation represents a shifting philosophy within password management. In their password overview podcast, Doug White and Russell Beauchemin of Secure Digital Life discussed the new NIST password recommendations, which no longer call for regular password changes. Human brains simply cannot recall a huge variety of complex passwords, so unless your organization uses password managers (which we recommend!), users will tend to simplify passwords or reuse them. This increases the vulnerability of the organization and exposes it to issues from unrelated breaches (see last week’s blog). The new philosophy is to run password cracking against the organization’s own password store, force users with weak passwords to change them, and allow users with strong passwords to retain them for a longer time period.
In May of this year, DarkReading’s Curtis Franklin Jr. reported that researchers at Virginia Tech analyzed 61.5 million passwords from 28.8 million users and found that 16 million of those passwords could be cracked within just 10 guesses! More critically, the more sensitive the information, the more likely people were to reuse a password or use a simple one. Likewise, in Red Zone Security Podcast #82, Bill Murphy and James Crifasi discussed a project in which they performed password-crack testing as a service for their client. They used a modern password ‘dictionary’ that incorporates fuzzy logic (for example, the way Google recognizes h00ver and automatically suggests hoover dam as a search) as well as a deep database of common searches (people, fictional names, etc.). Out of several thousand users, many had their passwords cracked in the first four seconds, many more failed to last one minute, and most of the organization’s passwords had been cracked before the end of the first day! In alignment with the NIST findings, they found that many passwords used a pattern based upon when the password was changed (spring18, 2018October, etc.) or were pop culture references. If your password involves Game of Thrones, change it now!
Perhaps your international offices are more unique? Don’t count on it! Soliton’s Tokyo team analyzed two large repositories of breached data looking for patterns among Japanese users (the User Breach Analysis report is available now for download). The top five passwords in both investigations will be familiar to IT managers all around the world:
August 2017 Analysis (~5 million plain text passwords related to .jp):
2018 Analysis (6.19 million plain text passwords related to .jp):
Although the top 25 list does introduce a few Japanese words (sakura, woaini, etc.), the vast majority are keyboard patterns. On the bright side, users do seem to be learning. In the 2017 analysis, out of 5 million passwords analyzed, there were only 814,000 unique passwords used – meaning that less than 20% were unique! In the 2018 analysis, out of 6.19 million passwords used, they found 3.98 million unique passwords – now more than 50% are unique, representing a five-fold improvement in password variety over the previous year.
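As an added example (not Soliton’s code, nor the tooling from the podcasts cited above), the following Python screens a password for the weaknesses described in the cracking anecdotes (common or leet-spelled words, keyboard walks, a season or month plus a year) and then computes the unique-password and weak-password ratios of the kind reported for the Japanese breach data. The word lists and the sample corpus are constructed assumptions, not real breach data.

```python
import re
from collections import Counter

# Constructed stand-ins (assumptions, not Soliton's or NIST's lists) for the "deep
# database" of common words and pop-culture names and for keyboard patterns.
COMMON_WORDS = {"password", "qwerty", "iloveyou", "sakura", "hoover", "winterfell"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
DATE_WORDS = ("spring", "summer", "autumn", "fall", "winter", "january", "february",
              "march", "april", "may", "june", "july", "august", "september",
              "october", "november", "december")
LEET = str.maketrans("0134@$", "oieaas")  # undo digit-for-letter swaps: h00ver -> hoover

def has_keyboard_walk(pw, length=4):
    """True if pw contains `length` adjacent keys from one row, in either direction."""
    runs = [row[i:i + length] for row in KEYBOARD_ROWS for i in range(len(row) - length + 1)]
    return any(r in pw.lower() or r[::-1] in pw.lower() for r in runs)

def is_date_pattern(pw):
    """True for a season or month plus a 2-4 digit year, e.g. spring18 or 2018October."""
    for w in DATE_WORDS:
        m = re.fullmatch(rf"(\d{{2,4}})?[-_]?{w}[-_]?(\d{{2,4}})?", pw.lower())
        if m and (m.group(1) or m.group(2)):
            return True
    return False

def weak_reason(pw):
    """Why a password fails the screen (checked in order), or None if it passes."""
    if len(pw) < 8:
        return "too short"
    if any(w in pw.lower().translate(LEET) for w in COMMON_WORDS):
        return "contains common word"
    if has_keyboard_walk(pw):
        return "keyboard walk"
    if is_date_pattern(pw):
        return "season/month + year"
    return None

def audit(passwords):
    """Corpus statistics in the style of the breach analyses on the page."""
    reasons = Counter(r for r in map(weak_reason, passwords) if r)
    return {"total": len(passwords), "reasons": dict(reasons),
            "unique_ratio": len(set(passwords)) / len(passwords),
            "weak_ratio": sum(reasons.values()) / len(passwords),
            "top": Counter(passwords).most_common(3)}

# Constructed sample corpus (not real breach data); audit(SAMPLE) flags 8 of 10.
SAMPLE = ["spring18", "spring18", "qwerty123!", "P@ssw0rd!!", "h00verdam2018",
          "2018October", "Correct-Horse-Battery", "Winterfell99", "Tr0ub4dor&3", "fall2017"]
```

Run against an export of your own organization’s passwords (or, better, at password-set time), this is the blocklist-style screen NIST now favours over forced rotation: only the passwords that fail it need to change.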
Biometrics and Behavioral Algorithms
Of course, there are companies trying to create intensely complex passwords that we do not need to remember. Biometrics and behavioral algorithms are in place now using fingerprints, facial recognition and more. In 2013 Apple introduced Touch ID as a security option for their phones, and as early as 2014, as detailed by Parmy Olson of Forbes magazine, Nordic banks were tracking typing behavior on phones as a secondary check alongside PINs. However, biometric passwords remain less than perfect. German hackers famously hacked the iPhone’s fingerprint technology within two days of its initial release, and in early 2018, Sam Rutherford of Gizmodo reported that Lenovo’s Fingerprint Manager Pro software used weak encryption, contained a hard-coded password and was accessible to all users with local non-administrative access to the system. These are reminders that although biometric passwords will be much more difficult to crack, we still need to worry about the programs and systems storing them. Should a vendor fail to use strong encryption and suffer a breach of biometric data, no one can simply change their face or fingerprints!
A Strong Defense
Once again, we are faced with reminders that even as technology evolves, there is no silver bullet for security. We need to protect our data in layers and insist the same of our vendors. For passwords, this means one must start with improved complexity, but add layers of security with multi-factor authentication using secondary devices (text, apps, dongles) to verify the user or certificates that authenticate the device. Yes, this conclusion is basically the same as our last blog’s and it will continue to be the same conclusion next week and for the foreseeable future. People will still be people and password hygiene will still be suspect.
For information about Soliton products, please visit:
White, D., and Beauchemin, R., Password Creation and Protection – Secure Digital Life #16
Soliton Blog, Password Problems 1: Ghosts of Breaches Past
Franklin, C., More Than Half of Users Reuse Passwords
Crifasi, J., Passwords Redefined | Make Your Password Interesting, Not Difficult!
Olson, P., Forget Passwords. Now Banks Can Track Your Typing Behavior On Phones
Rutherford, S., Lenovo Flaw Could Let Hackers Bypass Fingerprint Scanners on Some PCs