The 9/11 attack on the World Trade Center towers killed 658 employees of the financial company Cantor Fitzgerald. Its chief executive, Howard Lutnick, lost his brother that day and also ran into an unprecedented problem. The company's servers, including the backup ones, seemed to be buried under the rubble, but that was not quite the case: the financial information was partially available, but locked behind the password-protected accounts of hundreds of deceased colleagues. Microsoft specialists were called in to break into those accounts, and they used their powerful servers for the fastest possible brute force: the data was a matter of life or death for the company, and it had to be recovered before the first market opening after the attacks. The personal data of the deceased colleagues could speed up the cracking, so Lutnick had to ring up relatives and, at the most inappropriate moment, ask them a series of personal questions: their wedding date, the name of their college or university, the dog's name and so on.
That is the saddest story about password recovery in history; it was published in the New York Times in 2014. But it brings out two main characteristics of password protection: it can create a bunch of problems and, in many cases, it still does not work.
Passwords are such a bad concept for data protection that the media, security experts and academic researchers have buried them more than once, yet passwords are still alive and remain the main way of protecting private data. That is why we regard the undead password-protection routine as the digital zombie apocalypse of our day.
In this article we will analyze what is wrong with the password concept (the short answer is "everything"), what you can still do about it, and share a couple of interesting historical observations.
Everything was wrong from the very beginning
According to Wired magazine, passwords were first needed for time-shared access to computer systems. In the 1960s, when computers were very expensive and huge, this was the only way to share computing power among all the customers. MIT developed the Compatible Time-Sharing System (CTSS) in 1961; that is where password authentication first appeared, as far as we can tell.
The CTSS developers chose between passwords and what we would now call hints (like your pet's name). The choice was obvious: passwords required less memory to store and process. Computers had no security system at that time. In 1966 a bug appeared in the system code that mixed up the welcome text shown to users with the list of passwords. As a result, every time you logged in you could see all the users' passwords. Earlier, in 1962, one of the MIT postgraduates stole a bunch of users' passwords to get an additional 4 hours of machine time on top of his quota. It was an easy crime: any user could order a file to be printed by specifying its name and the owner's username. Knowing that the password database was stored in the file UACCNT.SECRET belonging to user M1416, the student was able to print the entire database in one go (more recollections of CTSS are here).
But it became even worse
So what is the fuss about, what happened? The media have been blaming the password protection concept for years, but 2016 still became special because of the huge number of password leaks from popular web services. We list just the main ones:
- Yahoo and Microsoft lost about 500 million customer passwords; that database was most likely collected by phishing.
- LinkedIn got on the scene with a 2012 leak of email addresses and passwords hashed without salt (experts are sure that up to 90% of the passwords can be recovered in three days).
- Tumblr leaked salted password hashes, and the administration initiated a forced password reset, just in case.
- Vk.com lost 100 million plaintext passwords; they were old passwords dating from 2012, but the social network says it was not hacked.
- Twitter lost 32 million passwords, presumably stolen by phishing and malware.
- Ubuntu Forums lost 2 million passwords, stolen via SQL injection.
- Another 2 million passwords leaked from the Dota 2 game forum; as in the Ubuntu case, it was a successful attack on an unpatched vBulletin installation. The passwords were hashed and salted, but up to 80% of them can be recovered.
- Dropbox had to reset passwords after its 2012 leak surfaced. Presumably, a company employee's account was hacked.
- It is assumed that 1.7 million passwords of the Opera synchronization service are compromised.
Passwords can be stolen from users directly, from web services' data centers, or in transit between the two. Stolen passwords are sold on the black market or lie in the open somewhere on the web. Have I Been Pwned? is a web service by the well-known security specialist Troy Hunt. It lets you check whether your email address and password are among the compromised ones. At the moment, 136 web resources and more than 1.4 billion passwords are on the list.
With high probability, your four-year-old password is lying in plain text somewhere on the web. Most people use the same password for different web services, so even a well-protected service can be compromised. For example, the GoToMyPC service had to reset passwords after it found out that some remote desktop access accounts had been hacked. The GitHub service was in a similar situation. Did we mention that password protection is a huge problem nowadays?
It is well known that we usually prefer short and simple passwords. A top ten of the most popular passwords is published after almost every leak, and here is how it looks:
123456, password, 12345, 12345678, qwerty, 123456789, 1234, baseball, dragon, football
The WPEngine company's analysis gives us information on typical password length: mostly it is about 6 to 9 characters. Passwords of 11 or more characters are used by less than 5% of users. Simple passwords are also dangerous for web administrators. Nobody keeps a plaintext password database, but it is not hard to recognize the hash of a password like 111111. The LinkedIn leak we mentioned above contained hashed passwords, yet most passwords from that database could be recovered quickly enough. Adding a salt (random data) would complicate a dictionary attack, but would not protect completely from brute force: if you are after the password of a specific user and that password is simple, a successful brute-force attack is realistic.
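To make the point above concrete, here is an added example (not from the original article) of a defender auditing a constructed user table stored the LinkedIn 2012 way, one unsalted SHA-1 per password, against the top-ten list quoted above, next to the salted slow-KDF storage that defeats such a precomputed lookup. The user names and passwords in USERS are made up for the example.

```python
import hashlib
import hmac
import secrets

# The top-ten list quoted in the article.
TOP_PASSWORDS = ["123456", "password", "12345", "12345678", "qwerty",
                 "123456789", "1234", "baseball", "dragon", "football"]

# Constructed sample user table (hypothetical users, not from any real leak).
USERS = {"alice": "123456", "bob": "S3cure!Long#Phrase",
         "carol": "123456", "dave": "qwerty"}


def unsalted_sha1(password: str) -> str:
    """Storage scheme of the 2012 LinkedIn dump: one SHA-1 per password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


UNSALTED_TABLE = {user: unsalted_sha1(pw) for user, pw in USERS.items()}


def audit_unsalted(table: dict) -> dict:
    """Defender's audit of an unsalted table: ten precomputed hashes identify every
    user with a top-list password in a single pass over the whole table."""
    lookup = {unsalted_sha1(pw): pw for pw in TOP_PASSWORDS}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def shared_password_groups(table: dict) -> list:
    """Users whose stored hashes collide share a password; visible only without salt."""
    groups = {}
    for user, h in table.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def salted_hash(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256): a precomputed table
    is useless, and every guess against one user costs `iterations` hash operations."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Salt removes the one-table-for-everyone shortcut and the visible alice/carol collision, but a single user's weak password can still be checked guess by guess, which is exactly why the iteration count matters.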
This source claims that almost two-thirds of users use the same passwords for different web services and store passwords in clear text on their devices; they choose simple combinations so the passwords are easy to remember. Our research showed that almost half of all users save passwords on their devices. A typical password is about 8 to 12 characters; only 3 percent of users have passwords longer than 20 characters.
Mind that active attempts to steal users' passwords with the help of malware or phishing are a daily routine. According to Kaspersky Lab's latest data, phishing pages were blocked for 8.7% of users. Leaks of users' passwords in plain text are the result of phishing and malware attacks. Usually, attackers target specific services, such as Steam, or steal passwords saved in browsers: anything that can be stolen is stolen daily on the web.
Web servers are not an easy target for password interception. Their infrastructure is complex, and breaches and weaknesses (like the one-time passwords for Google applications) are patched in time. Network interception directly affects passwords when they are transmitted in clear text over unprotected channels, but there are few such channels nowadays. Cookie decryption, as recently analyzed for the 3DES and Blowfish algorithms, is still more of a theoretical exercise than a reality, and direct session hijacking does not concern the password problem. The danger of a man-in-the-middle attack remains, but suitable conditions for such an attack are created both by users and by the insecure infrastructure of a web server.
And what should I do?
First, you cannot force people to use complex, safe passwords. Second, this would not solve the problem of using the same password on different web services. Third, to a first approximation a complex password is comparable to a secure key such as one used for SSH connections: keys are not generated by hand, and complex passwords should not be either. That would be possible with active use of password managers, a very reliable method despite the fact that some services have been hacked (LastPass was hacked last year). Alas, their usage is unlikely to become mass-market. The same goes for biometrics: the current implementation (fingerprint authentication on mobile phones, for example) is an addition to password protection (and passwords there are even shorter than on desktops!).
Unlike password managers, the only mass-market method of protecting user data is multi-factor authentication, which might be implemented via phone or through a dedicated application like Google Authenticator. This scheme either completely neutralizes the reuse of the same password across web services or complements the password with a random one-time code. It is a good method, though it means that one password is replaced by another and there is still the possibility of interception, as with bank authorization codes intercepted by remote-access software. Still, it is a nice but temporary solution to the problem, as are Microsoft's attempts to limit the use of insecure passwords at work using "big data" on leaks and cyber attacks.
The problem might be solved completely once passwords are replaced with users' profile data: in 1961 we lacked resources and memory, but now we have plenty of both. By the end of this year, Google intends to finish the Abacus project for behavioral identification: it would collect tons of information about users, from their manner of walking to their typing patterns, and use it to distinguish an authorized user from another person.
There will never be 100% reliability
None of them is perfect: password managers, two-factor authentication, behavioral analysis and biometrics. Biometrics is bypassed with silicone fingers; password managers are cracked, or hacked with a stolen master password. Multi-factor authentication can be circumvented by malware on smartphones and fraudulent SIM cards (or by hacking cellular networks). None of these solutions protects completely from phishing.
But this is normal. The golden age of the Internet, when viruses were white and fluffy and almost nobody broke into another person's mailbox, existed only because the password-protected data was useless. That will not happen again. Try to remember that no method of protection, whether applied by you personally, by your bank or by your email provider, will give a 100% guarantee against hackers. The problem with password protection is that it was born unsafe, like a fence without a gate. Still, two-factor authentication (far from common use yet) would significantly reduce the number of successful attacks. As long as web administrators, forum owners and other chat-room operators fear that additional security measures could drive users away, password attacks are doomed to continue. So a common user should take responsibility for his own security and data protection. A strong-willed effort by one of the market leaders might change the situation (as Apple did with the headphone jack), others would follow the right way, and then the bright future would come... But listen, guys! Despite all the defects of the password protection concept today, I am not sure you would be happy in that bright new future.