Friday, January 26, 2007

Password Q&A

Jim from Moline writes, "All the banks, merchants, websites, etc. that I deal with online limit the number of times I (or anybody else) can try (and fail) to log in to my accounts. Why do I need to be concerned about the vulnerability of my online data to "brute force" or other trial-and-error hacker attacks on my password?"

Interesting question, Jim. There's more to it than meets the eye.

For example, some users don't understand what's wrong with using their wedding date as a password. After all, if they have a hard time remembering their anniversary, what are the chances a hacker will be able to figure it out?

A hacker won't have any trouble. There are only a few tens of thousands of plausible mm/dd/yy dates, so a hacker will simply try every one of them to crack those passwords (before moving on to every possible combination of numbers, letters and symbols, which, given enough time, cracks any password).

Similarly, Jim's concept of what a hacker can do is dangerously limited. Jim assumes that the hacker is outside the network wall, looking at the secure sign-in dialog box.

Unfortunately, there are lots of "holes" in most network walls. And it is not uncommon for hackers to gain access to files containing thousands and thousands of usernames and hashed (or otherwise encrypted) passwords controlling access to the networks and systems of banks, merchants, websites, etc. Once such a file is in hand, the guessing happens offline, on the attacker's own computer, where the website's lockout after a few failed sign-in attempts never comes into play.

Your system administrators are some of the biggest violators of their organizations' password policies. Administrative passwords are often easy to crack or to discover via "social" means.

It is not unreasonable to imagine a disgruntled employee gaining administrative access to his/her company's systems and copying a file of usernames and encrypted passwords. That person can then misuse the information or release it to others to misuse it.

Given that people often use the same username and password combination for many online accounts, imagine that somebody steals the file of usernames and encrypted passwords at a website where you once bought something. They crack the passwords, then go to all the major banks and see which username and password combinations open accounts at each bank. If they hit your bank with your stolen username and password, would they get access to your bank account? I'd say yes, unless you can tell me otherwise.

Here's a link to a clear and concise Users Guide to Password Security: http://comm.ncifcrf.gov/security/password.html. It provides a good explanation of the issues and risks. It also endorses certain practices for password security that would greatly improve online security.

But, I am afraid that these practices are too complicated for most users and most situations.

There is a "missing link" needed to enable these practices for ordinary users. It is a class of products to generate, store and properly present unique, secure passwords at each place a user has accounts.

Like a wallet or keychain, it is a product that people could use to keep their valuable account information safe and handy. It could be a piece of software residing on a user's PC or PDA (see http://www.download.com/3120-20_4-0.html?tg=dl-20&qt=password%20wallet&tag=srch). It could be a single credential held by an "ID provider" on a secure website that vouches for the user to other sites (see http://en.wikipedia.org/wiki/OpenID), or it could be an encrypted USB thumb drive a user carries everywhere he or she goes (see http://en.wikipedia.org/wiki/TrueCrypt).

Until you start following recommended password security practices, your online information and accounts at banks, merchants and websites really are vulnerable to hackers. Your privacy could be compromised. Your identity and/or your money could be stolen.

If you are a senior executive in your organization, here's a service you can do for your company and your community. Implement this policy, which they have at the National Cancer Institute/Ft. Detrick:

"In order to keep up security on our systems, we run a program called Crack on your password. We figure that if we can find out your password, so could an Evil Cracker. If we discover your password that way, we'll freeze your account to keep anyone else from abusing your account. You will be notified that you have to change your password to a more secure password. He/She will make sure you understand everything discussed in this write-up before unfreezing your account."
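The quoted policy, and the anniversary example earlier in this post, both come down to the same exercise: take the file of usernames and hashed passwords and run the guesses a hacker would run, offline, before the hacker does. The script below is an added illustration of that audit; it is not code from the original post and it is not the Crack program itself. It assumes a storage scheme the page does not specify (one "username:hash" record per line, with an unsalted SHA-1 of the password, a weak but once common choice), and the export, the wordlist and the plaintext passwords named in the comments are constructed for the example. The date generator also shows how small the mm/dd/yy keyspace is: roughly 24,000 dates between 1940 and 2006, each tried in three spellings.

```python
"""Offline password audit in the spirit of the Crack policy quoted above.

Added example, not the original post's code and not Crack itself.
Assumed (not stated on the page): the export holds one "username:hash"
record per line, and the hash is an unsalted SHA-1 of the password.
The records, wordlist and plaintexts below are constructed for the example.
"""
import hashlib
import itertools
from datetime import date, timedelta


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# --- constructed sample export (plaintexts named so the result can be checked)
LEAKED_FILE = "\n".join([
    "# user:sha1(password)",
    "alice:" + sha1_hex("06/14/97"),      # wedding anniversary, mm/dd/yy
    "bob:"   + sha1_hex("letmein"),       # in every wordlist
    "carol:" + sha1_hex("Tq7#vR!9zLm2"),  # random; survives this audit
    "dave:"  + sha1_hex("06/14/97"),      # same anniversary as alice
])

# A real run loads a few hundred thousand words; this stand-in is constructed.
WORDLIST = ["password", "letmein", "qwerty", "123456", "welcome"]


def parse_records(text: str):
    """Parse 'username:hexhash' lines, skipping blanks and '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        records.append((user, digest.lower()))
    return records


def date_candidates(first_year: int = 1940, last_year: int = 2006):
    """Every calendar date in the range, in three spellings people type.

    About 24,000 dates times three spellings: a keyspace a PC exhausts
    in well under a second, which is why an anniversary is no better
    than a word from a dictionary.
    """
    d = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while d <= end:
        mm, dd = f"{d.month:02d}", f"{d.day:02d}"
        yy, yyyy = f"{d.year % 100:02d}", str(d.year)
        yield f"{mm}/{dd}/{yy}"   # 06/14/97
        yield f"{mm}{dd}{yy}"     # 061497
        yield f"{mm}{dd}{yyyy}"   # 06141997
        d += timedelta(days=1)


def count_candidates(first_year: int, last_year: int) -> int:
    """Size of the date keyspace for a year range (all three spellings)."""
    return sum(1 for _ in date_candidates(first_year, last_year))


def audit(records, candidates):
    """Return {username: recovered_password} for every crackable record.

    Because the hashes are unsalted, each candidate is hashed once and
    compared against every account at the same time: alice and dave,
    who chose the same date, fall together on a single guess.
    """
    users_by_hash = {}
    for user, digest in records:
        users_by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for guess in candidates:
        digest = sha1_hex(guess)
        for user in users_by_hash.get(digest, ()):
            cracked.setdefault(user, guess)
    return cracked


def accounts_to_freeze(export_text: str):
    """The policy's outcome: accounts to freeze until the password is changed."""
    records = parse_records(export_text)
    candidates = itertools.chain(WORDLIST, date_candidates())
    return audit(records, candidates)


if __name__ == "__main__":
    for user, pw in sorted(accounts_to_freeze(LEAKED_FILE).items()):
        print(f"freeze {user}: password was {pw!r}")
```

Run as written it freezes alice, bob and dave and leaves carol alone. The audit only ever compares hashes; it never needs to "decrypt" anything, which is the reason a stolen hash file is as good as a stolen password list whenever the passwords themselves are guessable.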

2 comments:

Dave Bergert said...

John,

I don't know that you addressed Jim's question fully. Jim is wondering how brute force is effective when those websites implement an account lockout feature/control, disabling the account after x number of invalid login attempts. So from the attack vector of using the website forms and web applications, brute force attacks will not be effective here.

I think what you mean to say or state (or it wasn't immediately clear to me) is that there are other attack vectors that don't appear obvious, including application vulnerabilities, insiders or other methods including social engineering. Some of these allow for accessing the database of usernames and passwords, where an offline attack could occur.

I would state that I'm seeing a trend of many web sites storing passwords in their databases as one-way hashes with salt; one-way hashes cannot be decrypted, other than with pre-computed hash/rainbow table attacks, which are harder if a salt is used. The trend of banks using multi-factor authentication will also help somewhat here as well.

I agree with all of the other points on password security.

Good read overall.
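The point in the comment above about salted one-way hashes and precomputed tables is easy to show in a few lines. The following is an added example, not the commenter's code; it assumes a scheme the page does not describe (SHA-256 over a random 16-byte per-user salt followed by the password, with the salt stored beside the hash), and the accounts, passwords and candidate list are constructed for the example. It shows that without salt a table of hashes computed once answers every account by lookup, and that two users with the same password are exposed together, whereas with a per-user salt the table is useless and every account costs the attacker a fresh pass over the candidate list.

```python
"""Why a per-user salt defeats precomputed (rainbow-table style) lookups.

Added example illustrating the comment above; not the commenter's code.
Assumed scheme (not from the page): SHA-256 over salt || password with a
random 16-byte salt stored beside the hash.  Accounts and passwords are
constructed for the example.
"""
import hashlib
import os

# Constructed: a short candidate list standing in for a real wordlist.
CANDIDATES = ["password", "letmein", "06/14/97", "qwerty", "123456"]

# Constructed: two users share a weak password, one has a strong one.
PASSWORDS = {"alice": "letmein", "bob": "letmein", "carol": "Tq7#vR!9zLm2"}


def unsalted(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_unsalted_store():
    """user -> digest.  Identical passwords yield identical digests."""
    return {u: unsalted(p) for u, p in PASSWORDS.items()}


def build_salted_store():
    """user -> (salt, digest).  Identical passwords yield different digests."""
    store = {}
    for u, p in PASSWORDS.items():
        salt = os.urandom(16)
        store[u] = (salt, salted(p, salt))
    return store


def same_password_visible(store, user_a: str, user_b: str) -> bool:
    """Can an attacker tell from the stored values alone that two users chose
    the same password?  True for the unsalted store, False for the salted one."""
    a, b = store[user_a], store[user_b]
    digest_a = a if isinstance(a, str) else a[1]
    digest_b = b if isinstance(b, str) else b[1]
    return digest_a == digest_b


def precompute_table(candidates):
    """The rainbow-table idea in its simplest form: hash every candidate once,
    ahead of time, and keep digest -> password for reuse against any site."""
    return {unsalted(p): p for p in candidates}


def crack_unsalted(store, table):
    """No hashing at attack time at all: one dictionary lookup per account."""
    return {user: table[d] for user, d in store.items() if d in table}


def crack_salted(store, candidates):
    """The precomputed table is worthless here; each account needs its own
    pass over the candidates because its salt changes every digest.
    Returns the cracked accounts and how many hashes had to be computed."""
    cracked, hashes_computed = {}, 0
    for user, (salt, digest) in store.items():
        for p in candidates:
            hashes_computed += 1
            if salted(p, salt) == digest:
                cracked[user] = p
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    table = precompute_table(CANDIDATES)
    print("unsalted:", crack_unsalted(build_unsalted_store(), table))
    print("salted:  ", crack_salted(build_salted_store(), CANDIDATES))
```

Note what the salted run still shows: alice and bob are cracked either way, because "letmein" is on the list. Salt removes the shortcut (precomputation, and one guess serving every account), not the guessing itself; raising the per-guess cost is a separate job for a deliberately slow hash such as hashlib.pbkdf2_hmac, which the standard library also provides.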

John Redmond said...

Dave - Your points are well taken. Thanks for the clarifications. - John