What is your password? How many passwords do you have? Are you worried about password theft? Is your password safe and secure, or are you at risk? Do you use a different password for each application, or the same password for everything? Can you remember your passwords, or do you write them down somewhere? How complicated is your password? Could someone easily guess it or crack it? How can you improve the situation and use a better password management system to simplify your life and improve your password security?
Most people today have a problem with passwords: there are simply too many of them. A password for your computer at home, another at work. Passwords for your mobile, your email, blogs, forums, Facebook. Then there are more passwords for your credit card, bank account, PayPal account and so on. We have so many that it is sometimes a wonder we can remember them all. Or do you, like me, forget them sometimes? Do you just reuse the same password for everything so you can’t forget it? Maybe, to help you remember it, you write your password down somewhere. You might not think this is much of a problem, but it is. If you do any of the things above, then you are prone to becoming a victim of hackers.
So what? You may be asking: who’s going to hack my email, and what could they possibly gain from it? Does it really matter if I get hacked? Well, it is true that hackers aren’t interested in reading your email to your aunt. However, your email is a stepping stone that lets them into other things. They could use your account to send spam. They could use it to reset or recover your passwords for other services and websites. The hacker could also use your accounts to attack other, more important people. There is a long list of bad things these hackers can do with your accounts that you are not even aware of, so you shouldn’t make it easy for them. Especially when securing your passwords is relatively easy to do.
What can you do to secure your passwords? Well, there are a few things you can do, and you probably already know most of them, but I’m guessing you don’t bother doing them because you don’t understand the benefit they bring, and doing things the way you do now is easy. Well, it’s time for a change. Let us start by explaining why you have to do all this security stuff and what the benefits are. To understand it properly, you have to know how you could be compromised. If you know the attack, you’ll understand why each precaution prevents it.
So this blog post will go over some of the methods (not all of them) that could be used to compromise your password. For each one it will then suggest what you should do to prevent that attack and keep your passwords secure.
Over the shoulder attack
Problem: The simplest form of attack possible. Someone watches you as you key in your password and remembers it. We can also include here people reading the post-it note you left on your desk with your password written on it.
Solution: Make sure people aren’t watching you when you enter a password. Also never write down your password in plain form anywhere.
Keyloggers
Problem: Malware or a rootkit that got installed on your system without you knowing logs every key you press, thus recording your passwords, and reports them back to the hacker. Some people deliberately install keyloggers on computers to record other users, e.g. in an internet cafe, or a boss who wants to snoop on your work progress.
Solution: There are two parts to this. On your own computers, ensure that you have up-to-date anti-virus and anti-malware tools plus a firewall to keep your system clean. On other people’s computers, especially public computers, refrain from entering sensitive information such as passwords. You don’t know who has installed what on that machine.
Man in the middle (MITM)
Problem: How secure is the connection between you and the server of the website or service? Is someone listening in and recording everything you send? This is a particular problem on wireless networks, especially public wireless networks such as those in libraries and hotels.
Solution: If you have a wireless network, secure it with a password to keep it private. If you are using a public wireless network, think twice before entering passwords and other sensitive information. When logging into a website, always try to use secure HTTPS rather than plain HTTP. This encrypts your information in transit and can foil some man-in-the-middle attacks. There are browser add-ons that help with this, such as HTTPS Everywhere and HTTPS Finder, or Secure Sites for Chrome.
A man-in-the-middle attack is still possible with HTTPS and SSL if the attacker interposes his own fake secure server. Such an attack would show up because the certificate wouldn’t match the website. However, very few people check the certificate names. When using a secure site, look at the top left of the screen, next to the address bar. There will be a green box if the site is secured. Clicking on that box will give you more information about the certificate.
Password storage
Problem: Passwords are difficult to remember, so people often write them down. Bad idea. Worse, people write their passwords in a text file on their own computer, where any hacker can easily find it. On the server side, passwords need to be stored so that you can be validated against them. Such passwords should never be kept in plain text (see the developer solution below), but some server admins and programmers neglect this and store passwords in plain text where anyone could read them.
User Solution: If you can, try to keep passwords in your head. The problem is that people today have too many passwords to keep them all in their head. So we need a secure storage system: a password manager. There are many such systems on the market. Two that I have used are Keepass and Lastpass. Keepass has the advantage that it lives on your desktop computer (and other devices) and does not depend on an internet connection. Lastpass has the advantage of being built into your favourite web browser, where you use passwords most, and of being highly portable: because it is online, you can access it anywhere. When using a password manager, it is very important to set a master password to secure and encrypt the storage.
Why not use the password manager that is built into the web browser, e.g. “Do you want Firefox to remember this password? Yes/No”? Well, by default these password managers have no master password, and so by default they are insecure. Firefox and Opera users can change this setting to use a master password and encrypt the stored password data. Chrome users cannot do this, so Chrome’s password manager is not secure. In addition, web browsers’ own password managers lack some functions, such as being able to back up the password file.
Developer Solution: If you are writing an application that needs to store passwords, you should not store the password in plain text. Instead, you should store a hash of the password. Currently, the best recommendation is to use Bcrypt, which is based on the Blowfish cipher. You can use libraries such as PHPass to integrate this hashing scheme into your application.
Rainbow tables
Problem: If someone gets hold of your file or database of stored passwords, either from your password manager or from your application’s database, then they can try to reverse the hashing and recover your passwords. Rather than using a brute force attack, trying every possible password, hashing it and testing it (a long, slow process that can take days, months or years), they can use rainbow tables. A rainbow table is a database of possible passwords and their pre-computed hash values. The hacker simply searches for the stored hash value in the rainbow table and reads out the password almost instantly.
User Solution: Use a secure password manager, as discussed above, along with a master password to encrypt the password data securely. Avoid any password manager that uses a simple encryption system or plain text to store your passwords.
Developer Solution: Include a random “salt” in your hashing process. A salt is a random string that is added to the password and hashed together with it, with a different salt for each stored password. The intention is that two hashes of the same password should not match, so the rainbow table will not find any matches. The salt can safely be stored as plain text in the database alongside the hash. Even if the attacker had both the hash and the salt value, he would be unable to use a pre-computed rainbow table and would instead have to resort to brute force.
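The following is an added example, not code from the original post, illustrating the developer solution for password storage and the salt described above: a constructed list of weak passwords stands in for a rainbow table, and SHA-256 from the Python standard library is used (only to isolate the effect of the salt; the post recommends Bcrypt, and slowing the hash down is covered in the brute force section).

```python
import hashlib
import os

# Constructed list of weak passwords standing in for the dictionary an
# attacker precomputes hashes for (a tiny stand-in for a rainbow table).
COMMON_PASSWORDS = ["password1", "123456", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always produces the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_salt() -> bytes:
    """16 random bytes from the OS CSPRNG; generate a fresh one per password."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt + password; the salt is stored beside the hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once, as an attacker would in bulk."""
    return {unsalted_hash(p): p for p in candidates}


def reverse_with_table(table, stored_hash: str):
    """Instant recovery if the stored hash is in the table, else None."""
    return table.get(stored_hash)


def demo():
    """Returns (unsalted lookup result, salted hashes differ?, salted lookup)."""
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted: a leaked hash of a common password is read straight out.
    unsalted_found = reverse_with_table(table, unsalted_hash("password1"))
    # Salted: two users with the same password get two different hashes ...
    salt_a, salt_b = new_salt(), new_salt()
    hash_a = salted_hash("password1", salt_a)
    hash_b = salted_hash("password1", salt_b)
    # ... and neither value appears in the precomputed table, so the
    # attacker is back to guessing per user, even knowing salt_a and salt_b.
    salted_found = reverse_with_table(table, hash_a)
    return unsalted_found, hash_a != hash_b, salted_found
```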
Brute Force Attacks
Problem: This attack is what everyone thinks hackers do: simply guess your password thousands of times until they find the one that works. Since there are a lot of possible passwords, it takes a long time to work through all of them. To speed things up, attackers first try a dictionary of common passwords. Did you know that about 2% of people use “password1” as their password? Many others have an equally simple, commonly used, easy-to-guess password. The attacker will try all of these before moving on to more random possibilities. If you use a simple, common, easy-to-guess password, then you are prone to this kind of attack.
User Solution: Use longer and more complex passwords that are not based on ordinary words or names. The longer and more complex, the better. Mix in some capital letters, numbers and punctuation symbols like %, *, @ and & to make it even harder to crack. Of course, this makes the password harder to remember as well. To fix that you can use a password manager, as discussed above, but even then you need to remember a secure master password. To remember this password, I and other security experts suggest using a passphrase or mnemonic. For example, you could use the password “J&WgmiSJCoM24th”, which is secure and complex but easy to remember because it comes from the phrase “John and Wendy got married in St. James Church on May 24th.” Contracting a phrase like this is a simple way to make a memorable yet secure, long password.
Developer Solution: There are several things a developer can do to help secure their website or application against brute force attacks. The first is to ensure that your users do not use simple passwords. Insist that they use long, complex passwords. Also keep a blacklist of common, easy-to-crack passwords and forbid users from selecting them.
The second thing to do is to slow down the hashing process. The longer it takes to compute and check the hash of a password, the slower the attack will be. Popular but dated hashes such as MD5 and SHA-1 are too fast: they take just microseconds to compute, so an attacker can try a huge number of password combinations in a very short time. Using a hash such as Bcrypt with a high work factor is slow, and thus takes much longer to crack. Spending as much as half a second on the hashing will cause little inconvenience to your users but greatly inconvenience the attacker.
It used to be the case that cracking an alphanumeric password of 8 characters stored as an MD5 or SHA-1 hash was difficult. It took months or even years, and so could be considered secure. Today your desktop PC could probably work through the 218 trillion combinations in about 5 days. If you rent some compute nodes from Amazon, it could be done in just 1 hour. Bitcoin’s distributed computing network would be faster still: it can calculate SHA-256 at a rate of 11 * 10^12 hashes/s or more, so the 8 character alphanumeric password would be cracked in just a few tens of seconds.
By switching from MD5 and SHA-1 to Bcrypt and choosing a suitable work factor, you shift the balance much more in your favour, slowing down the hashing by 1000 times or more. A desktop PC might then take 12 years to crack the password. Amazon’s services would take up to 40 days, and even Bitcoin would be slowed to over a day. That is enough to make the attacker go elsewhere. Additionally, Bcrypt lets you increase the work factor over time, making the hashing slower as computers get even faster.
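As an added example (not code from the original post) of the two developer measures just described, slowing the hash down and raising the work factor over time, here is a small password store that records the cost alongside the hash, calibrates the cost to a target time, and transparently re-hashes stale entries on login. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for the Bcrypt the post recommends (both have a tunable cost), and the policy value CURRENT_ITERATIONS is an assumed placeholder.

```python
import hashlib
import hmac
import os
import time

# Assumption: the post recommends Bcrypt; this example uses PBKDF2-HMAC-SHA256
# from the standard library as a stand-in because it is always available and,
# like Bcrypt, has a cost parameter that can be raised as hardware gets faster.
CURRENT_ITERATIONS = 200_000  # assumed policy value; recalibrate periodically


def hash_password(password: str, iterations: int, salt=None) -> str:
    """Store cost, salt and digest together so the cost can be read back later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored cost and salt; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when the stored hash was made with a lower cost than policy now requires."""
    return int(stored.split("$")[1]) < current_iterations


def login_and_upgrade(password: str, stored: str, current_iterations: int):
    """Verify, and on success transparently re-hash stale entries at the new cost."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, current_iterations):
        stored = hash_password(password, current_iterations)
    return True, stored


def calibrate_iterations(target_seconds: float = 0.5, start: int = 10_000) -> int:
    """Double the cost until one hash takes about target_seconds on this host."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"0123456789abcdef", iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2
```

Because the cost is stored with each hash, old entries keep verifying while new logins are silently upgraded, which is how the work factor is raised without forcing a password reset.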
The third thing a developer should do to prevent brute force attacks is to monitor password failures. If a user fails to log in a certain number of times, an alert should be sent to the admin so they can investigate. After a few more failures you may opt to take one of several measures to halt an attack. The least drastic is to ask for an additional step, such as completing a CAPTCHA. If the problem persists, you might consider blocking the user’s account or the source IP address. However, that has its own security risk: a Denial of Service (DoS) attack, where the hacker deliberately fails logins against many accounts or from shared IP addresses, forcing groups of users to be locked out and preventing legitimate people from using your site.
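An added example (not from the original post) of the escalating failure monitoring described above: failed logins are counted per account and per source IP in a sliding window, an admin alert fires at one threshold, a CAPTCHA is demanded at the next, and only the account, never the IP, is locked, and only temporarily, to limit the lockout DoS the text warns about. The thresholds, window and the 203.0.113.5 address are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed thresholds (not from the post): alert the admin after 3 failures,
# demand a CAPTCHA after 5, temporarily lock the account after 10, counting
# only failures inside a sliding window so lockouts expire on their own.
ALERT_AFTER, CAPTCHA_AFTER, LOCK_AFTER = 3, 5, 10
WINDOW_SECONDS = 15 * 60


class FailureMonitor:
    """Tracks failed logins per account and per source IP in a sliding window."""

    def __init__(self, now=time.time):
        self.now = now                        # injectable clock for testing
        self.failures = defaultdict(deque)    # key -> timestamps of failures
        self.alerts = []                      # messages that would go to the admin

    def _recent(self, key) -> int:
        """Drop failures older than the window and return how many remain."""
        q = self.failures[key]
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def record_failure(self, account: str, ip: str) -> str:
        """Record one failure; returns the action for the next attempt."""
        ts = self.now()
        self.failures[("acct", account)].append(ts)
        self.failures[("ip", ip)].append(ts)
        acct_n = self._recent(("acct", account))
        ip_n = self._recent(("ip", ip))
        if acct_n == ALERT_AFTER:
            self.alerts.append(f"{acct_n} failed logins for {account} from {ip}")
        # Lock per account only and only for the window: blocking an IP would
        # lock out everyone behind a shared office or hotel address, which is
        # the DoS risk the text describes. Heavy per-IP failure gets a CAPTCHA.
        if acct_n >= LOCK_AFTER:
            return "lock"
        if acct_n >= CAPTCHA_AFTER or ip_n >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_success(self, account: str) -> None:
        """A successful login clears the account's counter, not the IP's."""
        self.failures.pop(("acct", account), None)
```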
So I hope you found this article useful in helping you secure your passwords. Questions and comments can be left below. If I have missed anything, do mention it and I will add it to this list.