THIS IS A BETA VERSION OF THIS ARTICLE
The final version of this article will appear in the upcoming Password Attacks issue.
Addressing Password Attacks
Introduction: A lot has been written on passwords and password attacks. We have heard about passwords being compromised, passwords being shared, passwords being misused, and even about the annual lists of the most “guessable” passwords.
Password cracking has become a fancy term that is very common among teens, where knowing how to do it is regarded as very cool and a mark of high esteem.
Modern movies show passwords being cracked in seconds, which is a big misconception. It takes a lot of time to crack a good password.
There is a lot of science and mathematics involved in the background.
Technically, password cracking can be defined as the process of recovering passwords from data that has been stored in or transmitted by a computer system.
Earlier, the purpose of password cracking was to help a user recover a forgotten password or to check how strong a password was; later, attackers (or, say, the fun-loving guys, the evil fun lovers) used the same techniques to gain unauthorized access to systems.
The strength of a good password can be understood as its resistance to being guessed or brute-forced.
I totally agree that, to a point, using a strong password lowers the overall risk of a security breach, but on the other hand a strong password cannot replace the need for other effective security controls to avoid being attacked or breached.
Now that we know what password cracking is, let us see how we can make this cracking a little more difficult for the attacker, and which factors contribute to that.
While it is fair to say that a password is the user's responsibility and that the user needs to choose a safe, “non-guessable” password, it is more appropriate to look at the whole picture: the users, the applications, the vendors and education on information security, treating the password as a potentially strong control rather than stressing it as a weak one.
The strength of a password can be expressed as a function of length, complexity and unpredictability.
So when a password is being framed, this function has to be considered in order to create a good, strong password.
From an end user's perspective, these are the questions that should be on his mind when making a good password:
- How long is the password? (Length)
- How large is the character set used? (Complexity)
- How predictable is it? (Unpredictability)
If an end user can answer these questions, he can be expected to build a good password for his data.
But here comes the twist. Now that the end user is protected, let us look at the other links in the chain of authentication and at how the password is handled there.
When we ask how it is handled, let us put two more questions on the tray:
- How does the password travel to the authenticating agent?
- How is the password stored and used?
Looking at the chain of authentication broadly, we see the application in which the user enters his/her password; the password travels via a medium to the authenticating agent, where it is stored and also cross-checked to establish the authenticity of a particular user.
Let us quickly look at the reasons why passwords are attacked and at the types of password attacks.
Devices and systems are protected by user ids and passwords, so knowledge of user ids and passwords is the gateway to those devices and systems. Once inside the system, the attacker can set it up as a bot / zombie, conduct malicious activities, steal data, compromise data etc.
Types of password attacks are:
- Brute force attack
- Dictionary attack
- Rainbow table attack
- Gain control of the hashes
- Shoulder surfing
- Misconfiguration of password files
- Social Engineering
The intention of this article is not to discuss the reasons for password attacks or the types of password attacks. Let us look at the chain of authentication broadly, from the user to the system and back.
Passwords as treated by users: In today's world of ever growing internet awareness and usage, familiarity with “User id/Password”, “Login Screen” and “Home Page” has become far more common than, say, ten years ago. The usage of online banking, online shopping and online bill payments, not to mention social media, has grown tremendously in recent years.
Fig: Number of global internet users
Consequently, password attacks have also increased in proportion over the past years. Users have to be wiser in selecting their passwords and in protecting their assets on the internet.
Users who access the internet and need to use usernames and passwords are of different types and of all age groups. For simplicity's sake, let us look at different types of users:
- Employees in IT sector
- Employees in non-IT sector
- Home users
- Users in the age group of 60 years and above
The background and the approach towards the internet differ for each of these groups. For example:
Employees in the IT sector are more likely to be trained frequently on handling passwords, social engineering, phishing, password strength etc. than the other groups. Among the other groups, employees in the non-IT sector are more likely to be aware of password attacks than students, home users and users in the age group of 60 years and above.
The awareness regarding password attacks imparted to each of these groups would therefore differ. The next question is who should be imparting that awareness, and whether it should take the form of training, regular communication, roadshows, wall posters etc.
While it is quite true that employees in the IT sector are closer to the physiology of password attacks, user names like admin / administrator / test and passwords like password123 / test123 / 123456789 are quite common in the IT community as well.
The reasons for selecting such passwords could be lack of awareness, ignorance, or a lack of creativity in coming up with strong user names and passwords.
The following are some of the areas in which awareness can be imparted:
- Security training and password education regarding complexity, length and unpredictability
- Regular communication about commonly used passwords
- Enforcing stronger passwords through policies
- Awareness about not sharing passwords
Applying the above areas and forms of awareness to the groups of users:
- Students, home users, users in the age group of 60+ years:
Security training and password education: Typically, students get to know about computers at school and college and by observing parents and elder siblings; a lot more is learnt from friends and the peer group. Students usually access applications like email, social sites, education sites, financial aid loan calculators etc. In this scenario, a forum for formal training and password education may not be available unless such training is incorporated into the education curriculum or is conducted by the educational institution. Password education can be taken up by the application owners by:
  - Sharing information on how not to use commonly used passwords, e.g. asking students to create innovative passwords that are difficult to guess. This message can be made available on the “Create User” and “Change Password” pages; messages can also be posted as running banners on selected pages of the application.
  - Enforcing stronger passwords through policies, e.g. displaying the strength of the password.
  - Awareness about not sharing passwords: this is an important factor in password protection. Compromised passwords can be reused later on the basis of familiarity and shared knowledge.
- Employees / contractors / third party users in the IT sector and the non-IT sector:
  - Security training and password education: Security awareness training is in any case conducted as part of training sessions in IT companies. If not already incorporated, password education should be part of these sessions and should include information on commonly used passwords and awareness about not sharing passwords.
  Employees need to be aware of password attacks in a more rigorous way than other groups of users, because of the large number of devices handled by the industry that have passwords as one of their security controls.
  - Enforcing stronger passwords through policies; this can be done on the authentication tool.
  - Educating users not to use the same user id / password combination for various applications. If a user id / password is compromised, attacking that user's accounts on other web applications becomes easy for the attacker. This is all the more important when the user ids and passwords of professional and personal accounts are mixed up.
  - Emphasizing the importance of passwords and the impact of a password compromise.
Passwords as treated by applications:
How the application one is building treats a password is a very important aspect. It has to be kept in mind that this is the most important feature of the application that has to be guarded against evil people, in order to protect your customers' assets.
Learning from the past and from the attacks that have happened, application owners have become more cautious and have introduced many different kinds of controls to educate the end user to select a good password, such as:
- Introducing graphical passwords, mostly on mobile devices
- Password strength meters
- Displaying warnings or errors when an easily guessed password is used
How this information is handled and stored are the major points that have to be taken into consideration.
How safely it is stored and communicated via the medium are big challenges, and the use of secure configurations on the databases and the server in question are very important points that an administrator has to keep in mind. A small vulnerability in any of the assets in use can compromise the whole system. Things that should be kept in mind by the application owner are:
- Strong password policy: Be it changing the default password, forcing regular password changes, password length, complexity, non-repetition of previous passwords or password aging, a strong password policy provides the first line of defense against password attacks. Never use the “password does not expire” option. Account lockout should be enforced after a specified number of failed attempts. This is also referred to as password hardening.
- Applying software patches in a timely manner: any detected backdoor, defect or bug in the application should be patched promptly to ensure the protection of passwords.
- Implementing SSL for the password in transit and never transmitting passwords in clear text: Passwords are important, be it for the network of an organisation that processes sensitive data or for the email id of a student. Passwords are passwords and need to be protected, so transmitting passwords in clear text must be strictly avoided.
- Storage of passwords: Passwords should be stored in hashed form, using a strong hashing algorithm, and any keys should be stored on different logical / physical assets. Plain hashes are vulnerable to rainbow table attacks, so hashes should be salted with random values before being stored. Passwords for sensitive user ids like admin / root should additionally be encrypted, along with hashing, before storage.
- Not using common user ids: Having common user ids like admin / administrator for an admin role is another vulnerability exposed to attackers, as it leaves the attacker with only the password to guess / attack.
- Split passwords for sensitive roles: For sensitive roles, passwords should be split between two or three people. This makes compromising passwords through social engineering / phishing more difficult.
- Proper logs for detecting failed attempts: Failed logon attempts and password resets should always be logged, whatever the type of application. This allows the forensics team to track the rate of attacks and the user ids that are under attack.
- Multi-factor authentication: another control that can be used to strengthen password policies. Multi-factor authentication combines what the user knows (a password) with what the user has (a PIN generated randomly on a token device), where the user is (location) or what the user is (biometrics).
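As an added illustration of several of the controls listed above (a password policy with a history check, salted and iterated hashing for storage, account lockout after repeated failures, and logging of failed logons and resets), here is a small Python account store. It is example code written for this edition, not code from the authors or from any product. The policy values (a 12-character minimum, five failed attempts before a 15-minute lockout, five passwords of history, the PBKDF2 iteration count), the four-entry common-password list and the user ids are constructed assumptions; PBKDF2-HMAC-SHA256 is one choice for the “strong hashing algorithm” the article calls for, not a requirement of the article.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed policy values (assumptions for this example, not figures from the article).
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5          # failed logons before the account is locked
LOCKOUT_SECONDS = 15 * 60
HISTORY_DEPTH = 5                # previous hashes retained to block password reuse
PBKDF2_ITERATIONS = 100_000      # work factor; tune to current guidance in production
DUMMY_SALT = b"\x00" * 16        # used only to equalise timing for unknown user ids
COMMON_PASSWORDS = {"password1", "password123", "test123", "123456789"}  # toy list


def derive_hash(password, salt):
    """Salted, iterated hash: the salt defeats rainbow tables, the iterations slow brute force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_policy(password, previous=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("uses fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    # Non-repetition: re-derive with each old salt and compare in constant time.
    if any(hmac.compare_digest(derive_hash(password, s), h) for s, h in previous):
        problems.append("repeats a previous password")
    return problems


class UserStore:
    """In-memory account store: salted hashes, reuse history, lockout and an audit trail."""

    def __init__(self, clock=time.time):
        self.accounts = {}
        self.audit = []          # (timestamp, event, user_id) records for the forensics team
        self.clock = clock

    def register(self, user_id, password):
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)    # fresh random salt per account
        self.accounts[user_id] = {"salt": salt, "hash": derive_hash(password, salt),
                                  "history": [], "failures": 0, "locked_until": 0.0}

    def change_password(self, user_id, new_password):
        acct = self.accounts[user_id]
        history = [(acct["salt"], acct["hash"])] + acct["history"]
        problems = check_policy(new_password, history)
        if problems:
            raise ValueError("; ".join(problems))
        acct["history"] = history[:HISTORY_DEPTH]
        acct["salt"] = os.urandom(16)
        acct["hash"] = derive_hash(new_password, acct["salt"])
        self.audit.append((self.clock(), "password_reset", user_id))

    def authenticate(self, user_id, password):
        """True only for a correct password on an unlocked account; every failure is logged."""
        now = self.clock()
        acct = self.accounts.get(user_id)
        if acct is None:
            derive_hash(password, DUMMY_SALT)   # same cost, so timing does not reveal valid ids
            self.audit.append((now, "logon_failed", user_id))
            return False
        if now < acct["locked_until"]:
            self.audit.append((now, "logon_rejected_locked", user_id))
            return False
        if hmac.compare_digest(derive_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            self.audit.append((now, "logon_ok", user_id))
            return True
        acct["failures"] += 1
        self.audit.append((now, "logon_failed", user_id))
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            self.audit.append((now, "account_locked", user_id))
        return False

    def failed_logons_by_user(self):
        """Which user ids are under attack, and how hard: failed logon count per user id."""
        counts = {}
        for _, event, user_id in self.audit:
            if event == "logon_failed":
                counts[user_id] = counts.get(user_id, 0) + 1
        return counts
```

Two design points worth noting: the comparison of hashes goes through hmac.compare_digest so that response time does not leak how many leading bytes matched, and an unknown user id still costs one hash derivation so that timing does not reveal which user ids exist. The audit list is the minimum the forensics team needs; in a real deployment it would be written to append-only storage rather than kept in memory.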
THE WEAK CHAIN?
There has been a variety of research on this topic, reflecting different criteria and angles on the way we look at it.
According to “Trustwave's 2012 Global Security Report”, the most used password was “Password1”!
Our favourite, the end user, regarded as the easiest link of the security chain to break, is not very creative when it comes to choosing a password. Users sometimes create a password in a hurry, or just to meet the minimum requirements the system asks for.
There was also a study which showed that successive changes of the password for one particular account decrease its security.
Research over a large number of passwords found that the most commonly chosen passwords relate to the person's favourites, likes, dislikes, pets, teams, dates etc.
Here we have to understand one thing: we are not trying to create a password that merely looks strong (alphanumeric, a blend of special characters etc.) but a password which is difficult to guess.
For example, a password like a pet's name with a special character and a number may seem strong, but for an evil mind out there it will take only some social engineering and some guessing to break it.
Looking at the math, increasing the number of characters in a password makes it more robust against brute-force attacks.
Studies have shown that adding a single character multiplies the number of guesses required, so the search space grows exponentially with length.
A lot of research has also been done on how to help users remember passwords and choose them. Passphrases have been, to an extent, a very good solution, though not so popular yet.
For example, a password like “ThisIsGoingToBeAGreatRide” will take far longer to guess than “Tarry1”.
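To put numbers on the length and character-set argument above, and on the earlier point that a pet's name with a decoration is weaker than it looks, here is an added Python example; it is not code from the article's authors. The guess rate of one billion guesses per second, the tiny common-password and personal-word lists and the figure of 10,000 mangling variants per word are constructed assumptions chosen to make the contrast visible. “Tarry1”, “ThisIsGoingToBeAGreatRide” and “Password1” are the passwords the article mentions; “Rover#7” is a made-up pet-name example.

```python
import math
import string

# Constructed assumptions for this example (not figures from the article):
GUESSES_PER_SECOND = 1e9          # an offline cracking rig trying a billion guesses a second
COMMON_PASSWORDS = {"password1", "password123", "123456789", "qwerty"}   # toy common list
PERSONAL_WORDS = {"rover", "tiger", "arsenal", "buddy"}                  # toy pets / teams list
MANGLING_VARIANTS = 10_000        # suffix, case and symbol tweaks an attacker tries per word


def charset_size(password):
    """Size of the alphabet a brute-force attacker must cover, from the character classes present."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),   # 32 symbols
        (" ", 1),
    ]
    return sum(size for members, size in classes if any(c in members for c in password))


def brute_force_guesses(password):
    """Exhaustive search space for this length over its alphabet. Every extra character
    multiplies it by charset_size, which is the exponential growth the article refers to."""
    return charset_size(password) ** len(password)


def effective_guesses(password):
    """Guesses actually needed once dictionary and social-engineering shortcuts are allowed for."""
    if password.lower() in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS)            # falls on the first few dictionary guesses
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in PERSONAL_WORDS:
        # "Rover#7": the attacker learns the pet's name, then tries a few thousand decorations.
        return len(PERSONAL_WORDS) * MANGLING_VARIANTS
    return brute_force_guesses(password)


def strength_bits(password):
    """Effective strength in bits: log2 of the guesses an informed attacker needs."""
    return math.log2(effective_guesses(password))


def seconds_to_crack(password):
    """Worst-case time to exhaust the effective search space at the assumed guess rate."""
    return effective_guesses(password) / GUESSES_PER_SECOND


if __name__ == "__main__":
    for pw in ["Password1", "Tarry1", "Rover#7", "ThisIsGoingToBeAGreatRide"]:
        naive = math.log2(brute_force_guesses(pw))
        print(f"{pw:28s} naive={naive:6.1f} bits  effective={strength_bits(pw):6.1f} bits  "
              f"~{seconds_to_crack(pw):.3g} s")
```

The naive column is what a length-and-character-set strength meter reports; the effective column is what matters once the attacker is allowed a dictionary and some knowledge of the user. “Tarry1” over its 62-character alphabet is exhausted in about a minute at the assumed rate, “Rover#7” looks like a 94-character alphabet but collapses to a handful of guesses once the pet's name is known, and the 25-character passphrase stays far out of reach even though it uses only letters.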
For more research and getting data related to passwords, visit  in the references section.
How to Minimize the Risk?
In summary, risk can be minimized by keeping the following points in mind:
- Educating the user on choosing a password and on the impact of not choosing a good password.
- Enforcing password hardening guidelines in the organization.
- Having security controls in the application that will not compromise passwords.
Shruti Kulkarni is a Service Management and Information Security consultant. She is a certified LA ISO27001:2005, CISA, CRISC, CISSP, ITIL V3 Expert and CCSK. Shruti's activities include security architecture reviews and the implementation of ISO27001 and ISO20000. Shruti also works on risk assessments and on business continuity management.
Amit Kumar Sharma, commonly known as AKS-44, has a B.E. in EC and works in Information Security for a reputed firm. He is passionate about security and spends his time learning/researching in the wild.