Monthly Archives: May 2009
User Names and Passwords: Part Deux
Earlier this year, many of us were surprised to discover that several famous Twitter accounts were compromised, including President Obama’s and Britney Spears’. Even more surprising was the simple trick used to gain access to these accounts: a simple password-guessing scheme. Like so many other emerging social networking sites, Twitter failed to provide even the simplest password-protection techniques, such as locking an account and resetting the session if multiple incorrect passwords are entered.
Why are we still discussing passwords in 2009?
I thought that by now we’d be using fingerprint scans, digital certificates, or retinal scans of some kind. Instead, we’re still primarily using passwords, a secret combination of keyboard characters that uniquely identifies the user as that specific person. (At least, that’s the theory behind passwords.)
Password-guessing scripts became commonplace years ago. These scripts would attempt to log in to an account using a known ID and a word from a dictionary file as a potential password, tirelessly and patiently trying one word after another.
These scripts could pretty much guess any password eventually. So we humans became a little smarter and started substituting punctuation characters for letters. The word “password” became “p@$$w0rd” because that’s not a dictionary word, right? NOT!
Soon, vast dictionaries of “script kiddie” passwords were available for download. As a secondary response to this threat, operating system and application vendors began increasing the length of acceptable passwords, as the old systems of eight uppercase characters for passwords were too limiting. Additionally, some vendors decided to implement a system that would automatically lock the account after too many incorrect guesses, thereby rendering it useless to an attacker.
Is this really enough?
Considering all these factors together, here’s the current password protection system:
• More complex passwords
• Account lockout after too many incorrect guesses
These controls made passwords reasonably secure, for a while.
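To make the two controls above concrete, here is an added example (not code from the original post) of how a site could check a new password on the server side: it enforces the 12-character floor recommended later in this post, requires a mix of character classes for short passwords, and, most importantly, folds common symbol-for-letter substitutions back to plain letters so that “p@$$w0rd” is recognised as the dictionary word it really is. The word list, the substitution table and the 20-character passphrase exemption are assumptions made for this example.

```python
import re
from typing import List

# Constructed mini-dictionary standing in for the downloadable wordlists the post
# describes; a real deployment would load a large list of leaked/common passwords.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "monkey", "dragon", "baseball"}

# Common symbol-for-letter substitutions, reversed, so "p@$$w0rd" folds back to "password".
# The table is an assumption for this example; real lists are longer.
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
    "3": "e", "4": "a", "5": "s", "7": "t", "|": "l",
})

MIN_LENGTH = 12          # floor recommended in the post
PASSPHRASE_LENGTH = 20   # assumed: long passphrases are exempt from the class rule


def normalize(candidate: str) -> str:
    """Lower-case, strip trailing digits/symbols (e.g. '2009!'), undo substitutions."""
    folded = candidate.lower()
    folded = re.sub(r"[^a-z]+$", "", folded)   # drop the year or '!' people append
    return folded.translate(LEET_MAP)


def check_password(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Lower, upper, digit, punctuation/space: count how many classes appear.
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ]
    if len(candidate) < PASSPHRASE_LENGTH and sum(classes) < 3:
        problems.append("uses fewer than three character classes")

    base = normalize(candidate)
    if base in COMMON_WORDS:
        problems.append(f"is a dictionary word with substitutions ({base!r})")
    return problems


if __name__ == "__main__":
    for pw in ("p@$$w0rd", "P@$$w0rd2009!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "OK")
```

The substitution folding is the part most sites skip: length and character-class rules alone accept “P@$$w0rd2009!”, which every guessing wordlist already contains. The passphrase exemption keeps the class rule from rejecting long, all-lowercase phrases of the kind the post recommends at the end.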
Now that we connect to a world full of websites that implement security inconsistently, we all need to review website security carefully. You don’t want to become (or remain) a member of a website that has weak security policies. To make matters worse, if you use the same or similar passwords on all websites, the website with the poorest password capabilities will force you to have a lowest-common-denominator password, significantly weakening your security across the Internet.
I always advise that you use a different password for each site you join, but even using different passwords may not be the end-all solution. If you have an email account on a system with poor password capabilities, that still weakens your security a great deal. How? Many websites send password-reset email to your registered email account. So if your email can be compromised, that email account could be used to receive password-reset notices for those accounts that have stronger password policies.
Before joining or remaining with an Internet site, review its password security practices and capabilities.
• Is the password sent over an encrypted connection? It does you little good to create an unguessable password if it will be sent across the Internet unencrypted. Find out whether encryption is used with the application.
• What is the password’s minimum and maximum length? Beware of websites and applications that don’t insist on a minimum length, or that declare a maximum password length in the single digits. I no longer recommend anything less than 12 characters – the more characters, the more secure your password.
• What characters does the site support? Is the password limited to uppercase or lowercase? Are punctuation characters allowed in the password? If not, these limitations may force you into using passwords that are more guessable than you want.
• Are the password-reset challenge questions predictable or easily researched? Once the challenge answers are guessed, what can the attacker do? Vice-presidential candidate Sarah Palin’s Yahoo! account was cracked because the hacker simply learned all he could about her. Thus, he was able to answer all of her challenge questions and then take control of her account.
A Few Words Of CAUTION
Consider very carefully whether you should share so much of “you” with the Internet. In the old days, hackers were good at asking you to take surveys that would ask your children’s names, favorite sports teams, and so on. Why? These were likely passwords. As you go online (and reveal every detail in your life), you allow people to guess your challenge-question answers, (or at least allow them to claim to be you when talking to Help Desk staff half a world away).
• Is the account locked if too many incorrect responses are given? Beware of assuming that this feature is implemented and that it will work. Many systems cannot implement a persistent counter, so hacker tools take two tries at your password and then skip to another account. When the tool returns to hacking your ID and password, will the system “remember” the past two incorrect guesses?
• What are the automated password-reset mechanics? Is the password-reset info sent to an email account with weak password policies?
• Is the account lockout permanent or temporary? I’ve got good news and bad news for you. Good news: Your account is locked. Bad news: The lockout resets automatically after 20 seconds—enough time for the hacker’s script to work on three other accounts before trying your account again.
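The two lockout weaknesses just described (a counter that forgets failures between visits, and a lockout that expires after a few seconds) are both design decisions on the server. The following added example (not code from the original post) shows a failure tracker that stores the count in SQLite, so it survives restarts and is shared by every login front end, and that keeps the account locked for a configurable window rather than 20 seconds. The threshold of 5 attempts, the 15-minute window and the `verify` callback are assumptions for this example; a fake clock is injected so the behaviour can be checked without waiting.

```python
import sqlite3
import time
from typing import Callable

MAX_ATTEMPTS = 5            # assumed policy: lock after the fifth failure
LOCKOUT_SECONDS = 15 * 60   # assumed window; the post's 20-second reset is the anti-pattern


class LoginGuard:
    """Per-account failed-login counter kept in SQLite (persistent, not per-session)."""

    def __init__(self, path: str = ":memory:", clock: Callable[[], float] = time.time):
        # ":memory:" is for the demo; a real deployment points at a shared database file
        # or server so that all web front ends see the same counter.
        self.db = sqlite3.connect(path)
        self.clock = clock
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS failures ("
            " user TEXT PRIMARY KEY, count INTEGER NOT NULL, locked_until REAL NOT NULL)"
        )

    def is_locked(self, user: str) -> bool:
        row = self.db.execute(
            "SELECT locked_until FROM failures WHERE user = ?", (user,)
        ).fetchone()
        return row is not None and row[0] > self.clock()

    def record_failure(self, user: str) -> int:
        """Increment the stored counter; once it reaches the threshold, start a lockout."""
        row = self.db.execute("SELECT count FROM failures WHERE user = ?", (user,)).fetchone()
        count = (row[0] if row else 0) + 1
        locked_until = self.clock() + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
        self.db.execute(
            "INSERT OR REPLACE INTO failures (user, count, locked_until) VALUES (?, ?, ?)",
            (user, count, locked_until),
        )
        self.db.commit()
        return count

    def record_success(self, user: str) -> None:
        """A genuine login clears the counter; an expired lockout alone does not."""
        self.db.execute("DELETE FROM failures WHERE user = ?", (user,))
        self.db.commit()

    def attempt(self, user: str, password: str, verify: Callable[[str, str], bool]) -> str:
        """Return 'locked', 'ok' or 'denied'. The lock check comes before verification
        so that a locked account gives no information about the password."""
        if self.is_locked(user):
            return "locked"
        if verify(user, password):
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "denied"


if __name__ == "__main__":
    # Constructed demo: a script makes two guesses per account, moves on, then returns.
    guard = LoginGuard()
    check = lambda u, p: p == "correct horse battery staple"
    for user in ("alice", "bob", "alice", "alice"):
        print(user, guard.attempt(user, "wrong", check), guard.attempt(user, "wrong", check))
    print("alice locked:", guard.is_locked("alice"))
```

Because the counter lives in the database, the script's detour through other accounts does not reset it. Note the trade-off: a persistent lockout lets anyone who knows your user ID lock you out by guessing wrong on purpose, which is why the window is temporary rather than permanent and why a successful login, not the passage of time, is what clears the count.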
Passwords are very easy to break or guess, because people choose simplistic values. Even those applications with account lockout features often create breakable backdoors with ineffective challenge questions or weak temporary timeouts.
So here’s the bottom line…
• Use complex passwords/passphrases whenever possible.
• Ensure that password-reset functionalities are configured to use your email account with the most secure password policies. Avoid using “free” email accounts – remember the old saying: you get what you pay for.
Here’s a link to the Password Generator program we discussed last year. You can download it for use on your PC.
Or, you can simply generate secure passwords online:
Here’s some additional information on passphrases from Wikipedia. This will be the next wave of security once websites and application programmers adapt their security procedures to accept them.
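As an added illustration of why passphrases are the next step (example code, not the post's generator or Wikipedia's): picking words at random from a list gives a strength you can actually calculate, `words × log2(list size)` bits, which is what a 12-character random password offers only when every character is drawn from the full printable set. The short embedded word list is constructed for the example; the 7776-word list size used in the comparison is the size of the commonly used Diceware list.

```python
import math
import secrets

# Constructed 32-word list for the demo; a real generator uses thousands of words.
WORDS = [
    "anchor", "basket", "candle", "desert", "engine", "fabric", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pillow",
    "quartz", "rocket", "saddle", "timber", "upward", "velvet", "window", "yellow",
    "zipper", "copper", "dragon", "falcon", "hammer", "lantern", "meadow", "pepper",
]


def entropy_bits(choices: int, symbols: int) -> float:
    """Strength of `choices` independent picks from a set of `symbols` equally likely items."""
    return choices * math.log2(symbols)


def make_passphrase(n_words: int = 5, words=WORDS, sep: str = " ") -> str:
    """Draw words with the `secrets` module (CSPRNG), never `random`, which is predictable."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare(n_words: int = 5, list_size: int = 7776, pw_len: int = 12, alphabet: int = 94) -> dict:
    """Bits for an n-word passphrase vs. a fully random password of pw_len printable characters."""
    return {
        "passphrase_bits": round(entropy_bits(n_words, list_size), 1),
        "password_bits": round(entropy_bits(pw_len, alphabet), 1),
    }


if __name__ == "__main__":
    print(make_passphrase())
    print(compare())
```

Five words from a 7776-word list give about 64.6 bits, six words about 77.5 bits, while a 12-character password only reaches 78.7 bits if every character is truly random, which human-chosen passwords never are. The passphrase is also far easier to remember, which is the whole point; the obstacle, as the post notes, is sites that still cap length or reject spaces.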