
Password Security

  • Cody
  • Nov 21, 2024
  • 10 min read

Introduction


There once was a time when you didn’t have to worry about people trying to steal your personal information... or maybe it was just ignorance or naivety, because people simply didn't know. Maybe they didn't want to know, as life seemed better that way. When computers were first reaching consumers, people didn’t know of any risk of their information getting into the wrong hands, and neither companies nor lawmakers truly understood the risk of security breaches over the internet. Of course, there were a few people who knew otherwise. Today, we can no longer be ignorant of the way things are. Ignorance gets you stolen identities, lost money, fines for breaking regulatory compliance (such as HIPAA and PCI DSS), reputational damage, and other problems. This blog focuses on maintaining password security and discusses topics such as insecure passwords, NIST password guidelines, cracking passwords, multi-factor authentication, biometrics, password managers, and password compromise resources.


Top 20 passwords (don’t use these!)


Borrowed from a weforum.org story about the most common passwords, here are 20 of the most common passwords that people are still using in 2024. Later on, we’ll explore how quickly password brute-forcing tools can automate the work and crack these passwords. (1)


1. 123456

2. admin

3. 12345678

4. 123456789

5. 1234

6. 12345

7. password

8. 123

9. Aa123456

10. 1234567890

11. UNKNOWN

12. 1234567

13. 123123

14. 111111

15. Password

16. 12345678910

17. 000000

18. Admin123

19. ********

20. user


These passwords are very generic, which is likely why they made the list. Across all 50 states of the United States, “123456” is the most used password. But in Arkansas, Florida, or California, there are likely more region-specific passwords that people in those states use. How many people use their favorite sports team's mascot as their password? A penetration tester or a malicious hacker will plan accordingly for their specific target in their specific location, and you should too. Don’t use easily guessed passwords!


NIST password guidelines


The National Institute of Standards and Technology (NIST) creates password guidelines each year to help people and companies stay protected. Currently, in 2024, these are some (not all) of their guidelines (2):


  • Use of password managers to store passwords and ensuring passwords haven't been compromised in a breach

  • Changing passwords that have been compromised instead of at regular change intervals to prevent common weak complexity conditions

  • Passwords of at least 8 characters, with up to 64 characters allowed, encouraging length (a 15-character minimum is encouraged) over complexity requirements

  • Using multi-factor authentication

  • Not using password hints or knowledge-based security questions that could be easily exploited through social engineering

  • Not using common complexity conventions that other users use

  • Using salted-hashing methods with a work factor for storing passwords


Suppose you planned to use a commonly used password, such as one from the top 20 list above. When asked to add an upper case letter to "password", most people would capitalize the "P". Next it asks you to add a number, so you add "1", and that makes your password "Password1". Now you must add a special character, and you add "!". Guess what? Countless other people are going to do the exact same thing. There is nothing unique about that password and it will be one of the first to be cracked. NIST encourages people to be unique when creating passwords. Even starting from "password" (don't use the word password), moving the capital letter to a different position makes it much more secure. For example: passwoRd is much better. Using uncommon special characters in uncommon positions, as well as numbers, also helps create a stronger password. The password could then be something like:


p@s$w0Rd


I still wouldn't recommend using a "password" password because these variations are likely part of the password word lists used by attackers. However, the mindset when creating passwords is better. You aren't clever by adding a "1" and a "!" to your password. You aren't clever by changing your password from "Password1" to "Password2" when forced to change it. You and millions of others are doing the same thing, and you will be part of the group that has its data leaked.


Additionally, NIST is beginning to recommend that password length is more important than complexity. For example, instead of trying to remember a password such as:


dsFa484#&fKd3?


That password is complex and would probably be difficult to break in a reasonable amount of time. But it is still 14 characters and hard to remember. You might be tempted to write it down or save it in a clear-text document, which makes it vulnerable. Leaving a sticky note with your password under your keyboard at work is not secure. Allowing greater length enables you to use passphrases, which are easier to remember and may be much more difficult to break despite being less complex. For example, this passphrase is less complex (or at least seems that way), is easy to remember, and uses length to be secure:


I love to go to the park on Sundays.
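As an added example (not code from this post), here is a password acceptance check that follows the NIST guidance above: it enforces the 8-to-64 length limits, rejects the post's top 20 list together with the "Password1!" and "p@s$w0Rd" style variants discussed above, and deliberately imposes no composition rules. The normalisation used to catch variants (case folding, stripping trailing digits and symbols, undoing common letter substitutions) is my own assumption, not NIST's.

```python
import unicodedata

# The post's top-20 list, used as a blocklist of commonly used values
TOP_20 = ["123456", "admin", "12345678", "123456789", "1234", "12345",
          "password", "123", "Aa123456", "1234567890", "UNKNOWN", "1234567",
          "123123", "111111", "Password", "12345678910", "000000", "Admin123",
          "********", "user"]
BLOCKLIST = {p.lower() for p in TOP_20}

MIN_LEN, MAX_LEN = 8, 64                    # NIST SP 800-63B length limits
LEET = str.maketrans("@$0!13", "asoiie")    # assumed: undo common substitutions
TRAILING = "0123456789!@#$%^&*.?"           # assumed: bolt-on digits/symbols


def normalize(password: str) -> str:
    """Canonical form used only for blocklist matching, never for storage."""
    base = unicodedata.normalize("NFKC", password).lower()
    base = base.rstrip(TRAILING)            # "Password1!" -> "password"
    return base.translate(LEET)             # "p@s$w0rd"   -> "password"


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    length = len(unicodedata.normalize("NFKC", password))
    if length < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    norm = normalize(password)
    if password.lower() in BLOCKLIST or (norm and norm in BLOCKLIST):
        reasons.append("matches a commonly used or breached password")
    # No upper/digit/symbol requirements: NIST favours length over composition.
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1!", "p@s$w0Rd", "dsFa484#&fKd3?",
                      "I love to go to the park on Sundays."]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```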


Next, I will discuss how easy it is to break common passwords with the help of tools like John the Ripper and HashCat.


Cracking passwords


Hackers are not likely to sit at a login screen trying to log in until they succeed. That would take forever, and many login screens prevent that kind of attack these days. Instead, they use freely available tools that can very quickly try countless usernames and passwords. Until recently, an attacker might use a purpose-built password cracking computer full of powerful components like high-end graphics cards. Today, with the abundance of cloud solutions, an attacker can spin up a powerful password cracking server out of thin air and decommission it when the job is complete. On top of that computer sit tools such as John the Ripper that run through massive lists of common passwords. These word lists are built up over time through engagements and user credential breaches.


"Commonly, passwords are salted with a random value and hashed, preferably using a computationally expensive algorithm. Even with such measures, the current ability of attackers to compute many billions of hashes per second in an offline environment that is not subject to rate limiting requires passwords to be orders of magnitude more complex than those expected to resist only online attacks." -NIST discussing password strength (3)


The truth about password cracking is that there is not a single user trying one password at a time to break into an account. Passwords are transformed using hashing algorithms and stored as hashes, which may be salted (a random string of characters is added before hashing). These hashes are a fixed-length string of characters, regardless of the length of the password. An MD5 hash is always 32 hexadecimal characters. A SHA1 hash is always 40 hexadecimal characters. A given input, such as a password, always produces the same hash, and even a minor change creates a drastically different hash value. Here are some examples, courtesy of MD5 Hash Generator (4):


A password of "1" produces the following hashes:

MD5: c4ca4238a0b923820dcc509a6f75849b

SHA1: 356a192b7913b04c54574d18c28d46e6395428ab


A password of "p@s$w0Rd" produces the following hashes:

MD5: d08c742b5424ca7b16a515af5c12444a

SHA1: a358d6942a2b606240f1388e1c02696680d699d4


A password of "I love to go to the park on Sundays." produces these hashes:

MD5: 6811268fb7d81c61766b124ba6bedd35

SHA1: bfcc8fed6da819a2f968882e1d9cdf56a6855c3f


Regardless of the length of the password, a hashing algorithm produces a string of the same length. If the hashing algorithm and salting technique are known to the attacker, they can run offline attacks against these hashes to determine the passwords. This type of attack is known as a rainbow table attack. Tools such as HashCat combined with a powerful computer can run through these rainbow tables, matching each hash to its password. Now let's think about some considerations at the consumer and IT staff levels.


IT considerations when setting password policies include login-attempt rules that prevent brute-forcing, meaning trying countless passwords for a given user: forcing the attacker to wait a certain amount of time before trying again, and eventually locking the account. Passwords shouldn't be stored in clear text, where they could be compromised by an attacker. Referring back to the NIST guidelines, passwords should be stored using a currently secure hashing algorithm, and those hashes should be salted. For the consumer, who cannot know how a company manages its passwords, the main consideration is not reusing passwords. What happens if a company has been breached and your stored password has been leaked? Is that password also used for your email accounts, social media, bank accounts, etc.? We must limit the blast radius of an information security compromise by limiting the scope of the credentials we use.
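To make the storage point concrete, here is an added example (not code from this post) that reproduces the unsalted MD5 and SHA1 values shown above and contrasts them with the salted, work-factored storage NIST recommends, using PBKDF2-HMAC-SHA256 from Python's standard library. The storage string format and the choice of PBKDF2 are my own; the 600,000 iteration count is the figure given in OWASP's Password Storage Cheat Sheet.

```python
import base64
import hashlib
import hmac
import os


def md5_hex(password: str) -> str:
    """Unsalted MD5, as in the examples above (not suitable for storing passwords)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, as in the examples above (not suitable for storing passwords)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Work factor: PBKDF2-HMAC-SHA256 iterations. Raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash for storage: 'pbkdf2_sha256$<iters>$<salt>$<hash>'."""
    salt = os.urandom(16)                       # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


if __name__ == "__main__":
    # Two users choosing the same password: the unsalted hashes are identical, so one
    # precomputed table breaks both; the salted hashes differ and must be attacked one by one.
    pw = "p@s$w0Rd"
    print("md5 identical for both users:", md5_hex(pw) == md5_hex(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted hashes differ:", a != b)
    print("verify correct:", verify_password(pw, a),
          "verify wrong:", verify_password("Password1", a))
```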


Multifactor Authentication (MFA)


Let's face it: no matter our security planning, such as ensuring password strength, choosing the best password manager and whatever other precautions, breaches still happen and are out of our control. So how do you prevent someone from accessing your accounts and information if they have your login credentials? Multi-factor authentication. Complex passwords are a great precaution until the attacker has that password in their hands, so accounts requiring more ways to prove you are who you say you are help ensure that only you have access. Companies and applications are requiring this more and more. It is not 100% effective, though. An attacker could still satisfy the other required factors, for example by intercepting an authentication code, but it is much less likely. It becomes even less likely when multiple additional factors can be required (hence "multi" factor) instead of just two-factor authentication.


Biometrics


Biometrics in smartphones make life really easy. All you need to do to access a phone is look at it or provide your fingerprint, and you have full access to your info. This is great and ensures that only you can access it. But there still lies the possibility of compromise in the right situation. For example, I heard a story of a child who wanted an expensive game on his dad's phone but knew his dad wouldn't buy it for him. So the boy faced the phone towards his dad's face and was able to order the game. How true is this story? I'm not sure. But it is a worthy consideration when thinking about password security. Using a similar attack method, an attacker could gain full access to a phone owner's password manager.


A second story I am aware of involves a friend who believed their spouse had cheated on them. The alleged cheating spouse was high on pills one day, and the accuser used that person's fingerprint to gain access to their phone while they were passed out. Thus the accuser verified that the spouse was indeed cheating on them with many people after finding many chat logs. The point is that there are many considerations when it comes to password security.


How secure are password managers?


LastPass password manager company's security breach:


"LastPass reveals attackers stole password vault data by hacking an employee's home computer" (5)


Password managers are a great way to store and safeguard your login credentials. However, and this is a big "however", they are only as secure as the company behind them. We must remember that these password manager companies are run by humans, and humans are not perfect. They may be more security focused overall, but they may not take the same medicine they prescribe when it comes to security. This begs the question, "should I use a password manager?" I think so. Password managers, like every other security measure, are imperfect, but they are better than using weak passwords and storing them in insecure ways. Password managers make using complex passwords easier as you need them and encourage you to use better passwords. In fact, some (maybe all) have password generators, and they can even warn you if a password has been leaked in a security breach. At this point it is important to research the reputation of password manager companies to make an informed decision on which to use.


What about the password you use to access your password manager? Do you have amazing passwords for each of your accounts that are stored in your password manager which are all protected by a simple, single compromised or weak password which opens that whole password vault? We have to look at the whole picture when it comes to password security. Malicious people are counting on you to think in obvious ways. They know that they no longer need to break complex passwords if all they need is one simple password that gives them the passwords to all of your accounts. Additionally, if there is a security breach, quickly change all of the affected passwords to reduce/prevent any damage to your accounts.


Have you been pwned? (haveibeenpwned.com)


haveibeenpwned.com (6) is a great resource dedicated to helping people become aware that their information, such as emails and passwords, has been compromised. The operator obtains proof of a data leak and then posts the information to the website, which lets you see whether your data has been leaked. If it has, you know it is time to change your passwords immediately. You can check by email address, individual password, etc. Let's try the password we created earlier: p@s$w0Rd
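The password check on haveibeenpwned.com can also be done without ever sending the password itself: the site's Pwned Passwords range API takes only the first five hex characters of the password's SHA1 and returns every known hash suffix in that range, so the match is made locally. The following is an added example (not code from the post or from Have I Been Pwned) of that check; the range response embedded below is constructed for offline use, with one real line for the SHA1 of "password" and a made-up count.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character SHA1 prefix leaves your machine."""
    req = urllib.request.Request(API + prefix,
                                 headers={"User-Agent": "hibp-range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the breach corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if ":" not in line:
            continue                        # skip blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate == suffix:             # compare the remaining 35 hex characters locally
            return int(count)
    return 0


# Constructed sample of a range response (NOT real HIBP data). Lines are
# "<35-hex-char suffix>:<count>". The middle line is the real suffix of
# SHA1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; its count is made up,
# and the other two suffixes are invented filler.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the example runs without network access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "I love to go to the park on Sundays."]:
        print(repr(pw), "seen", pwned_count(pw, offline_fetch), "times (sample data)")
```

Passing the real `fetch_range` instead of `offline_fetch` performs the live check against the API.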



Clearly that password is not clever enough, but my point is that it is a step towards a better password. Do not use that password, as it is just an example; the "Have I been pwned?" website is useful for checking your password ideas or currently used passwords. If you don't think it is better, since it has been part of a breach (likely many), let's try the basic password "password" to see how it compares.



Clearly, that data speaks for itself. If someone uses a password for one account, odds are good that it will be used for many accounts. When, not if. When an attacker learns this, you and your life are now "pwned". Do better because you are better.


Summary


The threat landscape is constantly evolving. If you pay attention to password guidelines over the years, they constantly change. One day it is "you need a password", the next it is "you need a complex password with an upper case character, a number, and a special character", and today you need longer passwords (passphrases). Password security is not an exact science. The methods we use to create, encrypt, and store our passwords (such as password managers) will be insecure the next day. Malicious actors will find new and creative ways to break password strength and safeguarding mechanisms (such as the LastPass breach), and we will constantly have to learn and readjust our thinking to what is in front of us.


I think the important mindset to have is that we must be our own password security advocates. We are the ones who create our passwords. We have the ability to change our passwords if there is a breach. We have the ability to use different passwords for different accounts to limit the blast radius of a security breach. We have the ability to set up multiple ways of authenticating to accounts, and maybe we even run companies or are part of IT teams where we can make this the standard. We must advocate for and protect ourselves through education and research. Perhaps we can help teach others to be safer. We cannot use the excuse of ignorance any longer. Thank you...


Sources





