Passwords are ubiquitous with the use of a computer. They are used to access the computer itself, to protect files, access bank accounts, social media, online shopping sites, and so much more. While passwords have been used in computer systems since at least 1961, they are prone to compromise. This paper will give a brief overview of the history surrounding passwords, their origins in computing, the differences between strong and weak passwords, as well as various technological and social attacks employed to obtain these ubiquitous credentials.
The use of passwords to hide or conceal information have been used long before the advent of computers. Indeed, passwords has been documented throughout the history of mankind. Dating back to 1,900 B.C., Egyptians engraved encrypted text on tombs, detailing the life of those who lied within. In Ancient Rome soldiers would use a watchword, which was used in the process of relieving a watchman from his duties. As a soldier was relieved of post, the new watch would handover a wooden tablet, on which the watchword would be inscribed. The relived soldier would deliver the engraved tablet to his superior, who would verify that each soldier was authentic and had completed his duty. The use of passwords was not limited to ancient armies. During World War II, American paratroopers used a password handshake to identify one-another as allies. As troops approached, the initial keyword of “flash” would be shouted. If the second party responded with the keyword “thunder”, it was assumed that the approaching party was friendly.
The first documented use of passwords in a computer system was that of the Compatible Time Sharing System (CTSS) developed by MIT in 1961. The system was used to limit the amount of time each user could log on a computer per week. A year later, the first documented case of computer password theft occurred. Allan Scherr, a graduate student working on his PhD, desiring more than the allotted four hour weekly ration, located and printed the file containing all passwords for the system. Upon obtaining the list of passwords, Scherr was then able to log as much time he desired, using a new password every four hours.
In the Digital Age, passwords are used by far more than just members of the military and academic researchers. With the advent of the internet the average citizen of the web has around 25 different accounts utilizing passwords. These passwords protect everything from public library access to credit card numbers, a persons geo-location, bank information, social influence, medical history, and personal media.
The majority of modern password practices were established in 1985 by the Department of Defense (DoD). William Chiswick, a security researcher, comments that the advice given DoD document, Password Management Guideline, “was good at the time, and much of it still holds up, but many of our password aphorisms come from dated assumptions about threats and technology.” He notes that the guideline was created in a time when punchcards were still in popular use as well as remote serial terminals; the World Wide Web and the personal computer had not yet blossomed into the powerful forces they would become.
According to Chiswick, modern passwords are most vulnerable to compromise due to several central components of an authentication system as set fourth by the DoD. Firstly, “Passwords should be machine-generated rather than user-created.” The reasoning behind machine generated passwords (random character strings, example: “8uV^Qd)32l!”), is that they pose a much more difficult task to break, though not impossible (more on this further on). Pair difficult passwords with the additional advice that, “Users must remember their passwords,” and “A user’s password must be changed periodically.” While sound advice, Chiswick and others have come to the conclusion that this trio of constraints are near impossible for most human users to follow. This is especially true when applied to the modern user who maintains around 25 passwords, each of which should be unique. In a study held over 30 years ago, researchers Morris and Thompson confirmed that passwords were indeed a “weak point in information system’s security. They found out that majority of users’ passwords (87% of them) were short, contained only lowercase letters or digits or were easily found in dictionaries.”
While the problem of memorable unique difficult passwords is challenging, there are modern guides to assist in their creation. Before understanding what currently makes a “strong” password, it is necessary to understand which types passwords are classified as weak. Weak passwords are those that succumb to attacks most easily. These are passwords consisting dictionary words, phrases, or other common variants. Examples the most easily (and common) passwords are “password”, “123456”, “qwerty”, and “letmein”.
In the past, advice has dictated that adding a suffix, prefix, or replacing alphabetic characters with numbers or symbols would substantially hinder a dictionary attack (such as “BandGeek321” or “p2$$w0rd”). Unfortunately, this hasn’t been effective for years as dictionaries containing common combinations and substitutions. The subsequent advice, popularly touted by XKCD and others was to string random words together, as detailed in the following comic:
While more effective than the previous schema, this too is unfortunately no longer a good guide for the creation of a strong, memorable password. Attackers have been able to incorporate this method into their attacks tools. It also has been discovered “that passphrase users initially experienced a significantly higher number of login failures due to typographical errors.”
Currently, companies such as Microsoft and security experts such as Bruce Schneier recommend a password scheme which combines aspects of the two previous. The recommendation is to take a sentence or phrase and create an acronym from it, creating a string of text similar to a computer generated password. One example given by Microsoft is that the phrase “My son’s birthday is 12 December, 2004” could be transformed into “Msbi12/Dec,4”. An similar example by Schneier uses the phrase “this little piggy went to the market”, which could become “tlpWENT2m”.
The most common attack model used by password crackers happens offline, with a leaked password dump. These dumps are generally encrypted (in the form of hashed text), to which the attacker will seek to decrypt (to plaintext). This is done through either a brute force, dictionary, or hybrid attack. Though different in implementation, the success of each type of attack relies heavily on two factors: power and efficiency. Power, the amount of computations per second greatly determines the speed at which a cracking application can crunch through data. With the advent of multicore CPU’s and GPU’s, power has become a commodity in the cracking world. Efficiency on the other hand, is reliant on the creativity of the designer of the cracking program. Schneier explains that it is the ability to “guess cleverly”.
In the brute force method, an attacker would compute every possible permutation for each character of a password: upper and lower case letters, symbols, and numbers. “Whenever a computed hash, for which the attacker knows the input, matches one of the hashes in the stolen set, that user’s password is revealed. Clearly this approach requires abundant processing power and a lot of time.”
The second, and more effective method, is the dictionary attack. In this technique, the attacker will again compute hashes to try and match those of the of the password dump, but bases the hashes off of lists of potential passwords. These lists may consist of English and foreign dictionaries, common passwords (such as “password”). According to security researcher Mark Burnett, a whopping 40% of all passwords appear in a list of the top 100 most common passwords. As expected, the dictionary attack is much more efficient than brute force and can be executed quickly.
The third attack, hybrid, is as the name denotes, a combination of both brute force and dictionary. “[The] hybrid approach involving permutations of dictionary words can crack passwords that meet the bare minimum of otherwise complex password policies. ‘password1’ or ‘letmein!’ and ‘s3cur3’ are such examples.”
As mentioned, both power and efficiency play a large role in the effectiveness of password cracking. The previously mentioned suggestion from the DoD to change a password periodically is to combat the possibility that if leaked, the password would be changed before a program could crack the encrypted credentials. Specifically, the goal was for a strong password (9 characters of only uppercase characters) to “resist a year’s worth of dictionary attacks with a cracking probability of 10-6.” If the same standard for a “strong” password were to be applied today, Cheswick claims that it would need to be changed every 31 milliseconds to resist compromise. It’s no surprise with current hardware that there have been reports of cracking software churning through 8 million password permutations per second.
Technical aspects aside, there is another vector of attack which has become more prominent with the advent of cloud services and social networks: social engineering. Through Google, Facebook, and several other services, attackers are able to gain a range of information on a target such as name, birthdate, birthplace, address, family member’s names, and so on. With this information, attackers can then proceed to use a service’s “forgot password” system to gain entry to a service. Alternatively, they may call a services customer support, acting as their target, gaming the system with the information gained from their digital sleuthing. For example, the only information necessary to gain access to an AOL account is the name and city where the target was born, which can be gained through Google or similar service.
The damage caused by such attacks can be devastating. Upon suffering an attack on several of his own cloud accounts, Mat Honan of Wired was able to contact and interview his attacker as well as several security experts. He was able to piece together the series of events which lead to his Amazon, Twitter, Gmail, and iCloud account being compromised within an hour:
“This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.”
Passwords are as old as humanity and so is the art of cracking them. While they have had their place throughout history and especially throughout computer history, they were designed for different systems than those used today. There weakness lies mostly in users. It is difficult to remember complex, unique, ever changing passwords for dozens of services. The advance of computers has increased the speed at which passwords can be cracked or guessed via software. The rise of personal information on the web has given way to attackers finding alternate routes to gaining access to accounts. In his article on the need for an alternative, Honan suggests the following:
The ultimate problem with the password is that it’s a single point of failure, open to many avenues of attack. We can’t possibly have a password-based security system that’s memorable enough to allow mobile logins, nimble enough to vary from site to site, convenient enough to be easily reset, and yet also secure against brute-force hacking. But today that’s exactly what we’re banking on.”