Password Security

12 07 2012

Early in June, more than 6 million LinkedIn passwords were posted to a Russian hacker forum.  Lastfm and eHarmony also confirmed that millions of their passwords were stolen.  [1]  LinkedIn’s own blog admitted the breach had taken place, apologized, and then posted some recommendations for how users create passwords.

1)  Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.

2)  Do not use the same password for multiple sites or accounts.

3)  Create a strong password for your account, one that includes letters, numbers, and other characters. [2]

Those three pieces of advice appear all over the internet.  Cisco’s security blog on June 6 reminds people to use “random, long strings” for their passwords, and to make each one unique.  [3] AVG’s blog suggested users “alternate letters, numbers, upper case, lower case.”  Jim Walter, manager of the McAfee Threat Intelligence Service, said “Today’s news of a possible LinkedIn hack is a good reminder to all internet users on the importance of maintaining an ever-changing and complex password.” [4]  After the breach, the blog “Krebs on Security” pointed readers to his primer on passwords. What advice was in that primer?  “Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters. […] Avoid using the same password at multiple Web sites.” [5]

It isn’t just a handful of lone security experts offering this advice.  Microsoft’s website has this advice regarding passwords:  “Use the entire keyboard”, “change them often”, “don’t use the same password for everything.” [6]  Don’t want to take advice from Microsoft?  Apple says the same thing:  “[Use] a combination of numbers, letters, and symbols”, “[Change] your password frequently”, “Avoid using the same password for multiple online accounts.” [7]

None of this advice is new.  In 1978, C. T. Dinardo wrote that “Obviously more frequent password changes are desirable”, and discussed the strength of passwords using pseudo-random strings of all allowable characters. [8]  So how is it that in the year 2012 four of the most frequently used passwords discovered in the LinkedIn breach were “1234”, “12345”, “123456”, and “1234567”? [9]

It’s because the traditional advice about passwords stinks.

As Randall Munroe points out in his XKCD comic strip, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” [10]

The fundamental problem is one of scale.  How many systems do you need to log in to?  I asked a few friends, and the consensus seems to be “about a dozen”.  I think that’s low.  Here are all of the systems for which I am supposed to have memorized a unique, complex password:

My school laptop
My home computer
My work laptop
My personal email
Twitter
LinkedIn
My bank’s online website
The website of my student loan provider
My credit card company’s website
Consumer Reports
Lego
Amazon
My web host
The Carnegie Museum
The Nanowrimo website
My cell phone provider’s website
Tivo’s website
A MMORPG I play
The official forums for the MMORPG
A guild website for the MMORPG
A second guild website for the MMORPG
The wiki for the MMORPG
An airline, to keep track of points
ThinkGeek
A friend’s blog
My local Toastmaster affiliate
The national Toastmaster organization
iTunes
the HR system at work
My schema in the production environment of the database at work
The development environment of that database
The payroll website at work.
Our public library (which doesn’t allow consecutive numbers because they’re less random)
The ticket system for tracking tasks at work
An industry blog I follow for work
The main application I use at work
My family christmas blog
The Heinz thunderbolt server
The admin login for my local database on my school laptop
The website the annual conference of a vendor we use at my office
The website for another vendor at work, so I can download updates to their software
Oracle’s website/developer network
My undergrad alumni network website
My kid’s school dashboard
My internet service provider’s website
My credit card PIN
My ATM PIN
My cell phone’s voicemail
My office voicemail
Our Tivo (to escape the “kidzone”)
The code for our garage door opener

Almost all of those are in my head right now.  There are even more that I’ve completely forgotten, like uPromise, and GeoCities, and my Zen Photo installation, and some blog I had forgotten all about until they emailed me to tell me they were shutting down.  I can’t begin to count the number of online shops that have forced me to create a password just so I can buy one item, and then never shop there again.

That’s almost 50 passwords, even if you don’t count the PINs and voicemail codes.  And every single one of them is supposed to be unique.  They are all supposed to contain a mix of upper and lower case letters, with numbers and punctuation, with no dictionary words, no proper names, and no dates.  And I’m supposed to change every single one of them every few months, to something completely new and equally unguessable.  In a world where someone has memorized pi to 67,890 places perhaps memorizing all of those passwords is possible, but there must be a better option. [11]

The XKCD comic I mentioned has a suggestion:  use memorable pass phrases.  Despite the fact that common words are used, the resulting password is still very strong. Passphrases might work well for one site, but memorizing fifty different odd phrases every few months still sounds like an overwhelming mental challenge.

Another approach to creating and memorizing passwords is the algorithmic method.  My college roommate suggested starting with the name of the system for which you needed a password.  Remove all the vowels.  Count how many vowels you removed, and append the number to the end of the string of remaining consonants.  [12]  That may not be random enough to foil modern cybercriminals, but the idea could be extended to include punctuation and mixed case.

The result should be a strong password, which is unique for each site.  A problem arises when you want to change the passwords frequently.  You could choose a new algorithm every few months, or try to incorporate the date into your algorithm, but if our goal is to find an approach that can be used by the sort of people who think “12345” is an adequate password, then the algorithmic approach seems doomed.

Sometimes the best solution is the simplest:  don’t bother.  Most systems have a quick and simple procedure to reset a password by email.  Choose a very strong password for your email system and memorize that, then forget all of your other passwords.  Every time you want to log in, reset your password.  You can feel free to make all of your passwords extremely complex if you don’t have to worry about memorizing them.

Another simple solution is to write down all your passwords on a piece of paper.  The cybercriminals who broke into LinkedIn didn’t come over to your house and rifle through your desk drawers, did they?  In the world of network security, a piece of paper is marvelously secure.  No one can hack into it because it’s not on the network.  Of course, someone could steal the paper, but anyone with physical access to your work area can cause all sorts of problems, from installing a keylogger to stealing your hard drive.  It’s not a perfect solution, of course.  If someone does fine your piece of paper, all of your accounts will be utterly exposed.

A more sophisticated solution is to type all of your passwords into a computer file, and encrypt the file.  After the LinkedIn breach, Mike Newman, CEO of my1login, claimed that weak password schemes were the 2012 equivalent of leaving your housekey under the doormat.  His solution was to store all of your passwords online at his company’s website. [13]  There are other companies that offer the same service.  There is some irony in the idea of solving the problem of a data breach at one website by entrusting your passwords to another website.  Of course, Newman claims that his website is secure.  The problem is that any website which stores a large number of passwords will be an attractive target to crackers.  If companies like RSA and DigiNotar can be breached, it’s difficult to trust any web site.

Instead of keeping your encrypted password file on someone’s webserver, you could also keep it on your own computer.  If you have multiple computers, including mobile devices, you will need to keep the file on all of them, and synchronize the different versions.  This sounds inconvenient, but there is software written to help manage the chore.  In fact, the very first suggestion security expert Bruce Schneier offers regarding password security is “DO use a password manager.”  [14]

The classic advice to use different strong passwords on every site and change them frequently is impractical for modern users with many accounts.  Rather than repeating those same tired suggestions, users need to be better informed about password managers.

Since password security is critical to network security, the first step in solving the problem is to stop giving out impractical advice. The second is to find a solution that works.  Password managers might be that solution.

________________

[1] http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html

[2]  blog.linkedin.com/2012/06/07/taking-steps-to-protect-our-members/

[3]  http://blogs.cisco.com/security/6-5-million-password-hashes-suggest-a-possible-breach-at-linkedin/

[4]  blogs.mcafee.com/consumer/consumer-threat-alerts/6-5m-linkedin-passwords-reportedly-stolen-what-users-should-do-now

[5]  krebsonsecurity.com/2012/06/if-you-use-linkedin-change-your-password/
and krebsonsecurity.com/password-dos-and-donts/

[6]  http://www.microsoft.com/security/online-privacy/passwords-create.aspx

[7]  support.apple.com/kb/HT4232

[8]  Author C. T. Dinardo, National Computer Conference.  AFIPS Press, 1978.  Page 139.
Title was “Computers and Security”?  Part of the series Information Technology Series v3.  “From the National Computer Conferences” is on the cover.

[9]  community.rapid7.com/community/infosec/blog/2012/06/11/its-time-to-ban-bad-passwords

[10]  xkcd.com/936/

[11]  math-fail.com/2010/03/memorizing-pi-world-records-and-techniques.html

[12]  Conversation, Sendhil Mullainathan, discussion of passwords, Massachusetts, mid-1990s.

[13]  http://www.ingeniousbritain.biz/2012/06/online-password-hacking-victims-asking-it-security-expert/

[14]  http://www.schneier.com/blog/archives/2009/08/password_advice.html

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: