Are Passwords Really Secure?

With the advent of technology and the internet, the ability to access information has become as important as the ability to share it. Social media, corporate websites and the like all provide a certain level of security to their patrons in the form of passwords. Most recently, social media hub LinkedIn was hacked and its password database compromised. At the time of this article, this is only one of a few sites in recent months that have been hacked, for whatever reason.

How do we better protect ourselves?

To answer this question, we must first understand how passwords are stored, which in practice means hashing rather than encryption. Keep in mind, this article is not intended to provide in-depth knowledge of password generation or hacking.

Hashed Passwords

When a user enters their alphanumeric password into a form on a computer screen, the system takes the plain text password, generates what is called a hash code from it, and stores that hash in a secure database. A hash (also called a hash code, digest, or message digest) can be thought of as the digital fingerprint of a piece of data. A fixed-length hash can be easily generated for any text string using a one-way mathematical process. There are various hashing algorithms, such as MD5 and SHA-1.

Vulnerabilities of hashed passwords

The hash tables, or stored digital fingerprint archives, are vulnerable and can be compromised if the tables are made available or accessed. This can happen through a virus, or through a security hole left open by a computer program that allows a foreign program access. Once an attacker gains access to these tables, several methods can be employed to decipher them and use the information to gain access. Keep in mind, recovering the original plain text password by reversing the hash is very difficult if not impossible. However, an attacker does not need to reverse the hash; finding any candidate password whose hash matches the stored one is enough.

For example, if a user employs the same "hello world" plain text password in several different locations, the attacker only needs to match the hash equivalent of "hello world" once.

The attacker will be able to look at your hashes and immediately know that any accounts with the same password hash must also have the same password. Not such a problem if neither of the account passwords is known - or is it? A common technique for recovering the original plain text from a hash is cracking, otherwise known as 'brute forcing'. Using this method, an attacker generates hashes for numerous candidate passwords (either generated randomly or drawn from a source of likely words, for example a dictionary attack). The generated hashes are compared with those in your user database, and any match reveals the password for the user in question.

Modern computer hardware can generate MD5 and SHA-1 hashes very quickly - in some cases at rates of thousands per second. Hashes can be generated for every word in an entire dictionary (possibly including alpha-numeric variants) well in advance of an attack. Strong passwords and longer pass phrases provide a reasonable level of protection against such attacks.

Another method of improving password protection is to employ a salted hash. With a salted hash, a random value (the salt) is combined with the password before the hash is computed, and the salt is stored alongside the resulting hash. Instead of being able to simply hash all the candidate passwords once and keep those in a table for quick look-up, an attacker would have to precompute hashes for every candidate password combined with every possible salt. In theory, this becomes an impossibly large number.
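To make the last three paragraphs concrete, here is an added example in Python; it is not code from the original article. It builds the precomputed "hash every common word" table described above, runs it as an audit against a constructed set of accounts stored with unsalted hashes (which also exposes accounts sharing a password, since their hashes are identical), and then shows that the same table finds nothing once each account has its own random salt. SHA-256 from the standard library stands in for the MD5/SHA-1 named above; the account names and passwords are constructed, and the common-password list is the one given later in the article.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts for the example; two of them share a password.
# These are illustrative values, not data from any real breach.
USERS = {
    "alice": "sunshine",
    "bob": "Tr0ub4dor&3",
    "carol": "sunshine",
    "dave": "princess",
}

# Common pass-phrases, taken from the list in the article.
COMMON_PASSWORDS = ["seinfeld", "password", "123456", "princess", "peanut",
                    "shadow", "ginger", "michael", "sunshine", "tigger", "bailey"]


def unsalted_hash(password):
    """Plain SHA-256 digest, hex encoded: same input always yields the same
    64-character output, whatever the input length."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_unsalted_table(users):
    """The stored 'digital fingerprints' for each account, no salt."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def precomputed_lookup(wordlist):
    """The hash-every-word-in-advance table the article describes,
    keyed by hash so a stored hash can be looked up directly."""
    return {unsalted_hash(w): w for w in wordlist}


def audit_unsalted(table, lookup):
    """Map username -> recovered password for every account whose stored
    hash appears in the precomputed table (the defender's audit view)."""
    return {name: lookup[h] for name, h in table.items() if h in lookup}


def duplicate_hash_groups(table):
    """Accounts whose stored hashes are identical share a password."""
    groups = {}
    for name, h in table.items():
        groups.setdefault(h, []).append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


def salted_hash(password, salt):
    """Salt is prepended to the password before hashing."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_salted_table(users, salt_bytes=16):
    """Store a fresh random salt next to each hash; the salt is not secret."""
    table = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(salt_bytes)
        table[name] = (salt.hex(), salted_hash(pw, salt))
    return table


def audit_salted(table, lookup):
    """The same precomputed table matches nothing: every stored hash now
    depends on a salt the table was not built with."""
    return {name: lookup[h] for name, (_, h) in table.items() if h in lookup}


def verify_salted(table, name, candidate):
    """Normal login path: re-hash the candidate with the stored salt and
    compare in constant time."""
    salt_hex, stored = table[name]
    computed = salted_hash(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(computed, stored)
```

A salt defeats precomputation and hides which accounts share a password, but it does not make a single guess any slower: each candidate can still be hashed as fast as the hardware allows. That is why production systems pair the salt with a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) rather than a plain SHA-256 as used in this illustration.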

How can organizations help their users secure their passwords?

Any organization that utilizes passwords to gain access to vital information should be looking to add additional layers of security to help thwart would-be attackers.

For security practitioners, it's a matter of delaying the breach more than completely avoiding the breach, or simply staying one step ahead.

This could mean moving the password database to a separate secure location or a third party, so that it is not exposed when the main system is damaged. If the system is compromised, having a mechanism in place to quickly identify the breach is essential. Then, of course, the best thing you can do is to tie authentication to some kind of secondary device that has also been authenticated, such as a hardware security dongle.

The organization can look strongly at using some kind of third-party authenticator, for example Google's cell phone authentication system for its email access. Once a month, when a user logs in or uses one of the services, instead of reaching the requested page, a message prompts the user with, "Enter the code that we just texted to your cell phone"; the cell phone beeps and the user enters the code. Access is granted for another month. What Google has done is tie the account to the fact that the holder of the phone is most likely the holder of the account, since it would be very difficult to steal a cell phone over the Internet.
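As an added example, not Google's implementation and not code from the original article, here is a minimal server-side model in Python of the texted-code step described above. The server issues a random six-digit code, keeps only a hash of it together with an expiry and an attempt counter, hands the code back to the caller for delivery over the second channel (the text message itself is outside this code), and accepts it once. The five-minute validity window and the five-attempt cap are assumed policy values chosen for the example; the monthly re-prompt interval from the article would be layered on top.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a texted code stays valid for five minutes
MAX_ATTEMPTS = 5         # assumption: a code is voided after five wrong guesses

# Pending codes keyed by username. Only a hash of the code is kept; with just
# 10^6 possible codes the hash is cheap to enumerate, so the expiry, the
# attempt cap and single use are what actually protect the code.
PENDING = {}


def _code_digest(username, code):
    return hashlib.sha256(f"{username}:{code}".encode("utf-8")).hexdigest()


def issue_code(username, now=None):
    """Create a fresh random numeric code for the user and return it so the
    caller can send it over the second channel. Issuing a new code replaces
    any code still pending for that user."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    PENDING[username] = {
        "digest": _code_digest(username, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(username, submitted, now=None):
    """True only if the submitted code matches the pending one, has not
    expired, has not exhausted its attempts, and has not been used before."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        PENDING.pop(username, None)        # stale or locked: discard it
        return False
    entry["attempts"] += 1
    # Constant-time comparison so timing does not leak how many digits matched.
    ok = hmac.compare_digest(_code_digest(username, str(submitted)),
                             entry["digest"])
    if ok:
        PENDING.pop(username, None)        # single use
    return ok
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in service it is simply left at its default.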

User education is an immediate remedy

If you're part of an organization that's doing something that really is financially sensitive, a simple notice or suggestion on the password-change page - or the login page - that tells the user, "Please don't use the same password you use on Facebook," or, "Don't use the same password as you do on your favorite blog," or whatever, can help. Reusing a password magnifies the likelihood that things can go wrong. The user also has the responsibility to choose passwords that cripple the first and simplest of all hacking methods: guessing. Even the most complicated security system can be compromised by a simple pass-phrase guess. It's important that pass-phrases are complicated enough to resist guessing; avoid phrases such as "password", "i hate my job", etc. Here is a list of common pass-phrases:

  • seinfeld
  • password
  • 123456
  • princess
  • peanut
  • shadow
  • ginger
  • michael
  • sunshine
  • tigger
  • bailey

Using stronger passwords, and enforcing minimum lengths, mixed-case characters, digits and special characters, all help delay the possibility of a password being stolen or compromised. Hopefully the user's account slows down the would-be attacker enough that they move on to another target or victim.
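As an added example, not from the original article, the following Python function applies the checks just listed at password-change time: a minimum length, mixed case, a digit and a special character, plus rejection of the common pass-phrases listed above and their cheap variants with a case change or with digits or symbols appended (the "alpha-numeric variants" an attacker hashes in advance). The 12-character minimum is an assumed policy value.

```python
import string

# Common pass-phrases from the list in the article.
COMMON_PASSWORDS = {
    "seinfeld", "password", "123456", "princess", "peanut", "shadow",
    "ginger", "michael", "sunshine", "tigger", "bailey",
}

MIN_LENGTH = 12  # assumption: policy value chosen for this example


def password_problems(candidate):
    """Return a list of short problem codes; an empty list means the
    candidate passes every check. The checks are independent so the user
    can be told everything that is wrong in one go."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.islower() for c in candidate):
        problems.append("no_lowercase")
    if not any(c.isupper() for c in candidate):
        problems.append("no_uppercase")
    if not any(c.isdigit() for c in candidate):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no_special")
    # Block the common list itself and the variants attackers precompute:
    # case changes, and digits or symbols tacked onto the end.
    lowered = candidate.lower()
    base = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("common_password")
    return problems


def is_acceptable(candidate):
    """Convenience wrapper for the password-change form."""
    return not password_problems(candidate)
```

Note that "Sunshine2017!" satisfies every character-class rule yet is still rejected, because stripping the trailing digits and symbol leaves a word from the common list; character-class rules alone do not catch that case.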

RedScope Enterprises, Inc. © 2017. All rights reserved.

RedScope is a nondestructive technology service provider, supporting asset and component owners with traditional and innovative technologies in their maintenance programs.