Introduction: A lot has been written on passwords and password attacks. We have heard about passwords being compromised, passwords being shared, passwords being misused, and even lists of the most “guessable” passwords of the year.
Password cracking has become a fancy term, very common among teenagers, where knowing how to do it is regarded as cool and a mark of high esteem.
Modern movies show passwords being cracked in seconds, which is a big misconception: cracking a good password takes a lot of time, and there is a lot of science and mathematics behind it.
Technically, password cracking can be defined as the process of recovering passwords from data that has been stored in or transmitted by a computer system.
Originally the purpose of password cracking was to help a user recover a forgotten password or to check how strong a password was, but later attackers, or say the fun-loving guys (evil fun lovers), used the same techniques to gain unauthorized access to systems.
The strength of a good password can be understood as its resistance to being guessed or brute-forced.
I totally agree that using a strong password lowers the overall risk of a security breach, but on the other hand a strong password cannot replace the need for other effective security controls to avoid being attacked or breached.
Now that we know what password cracking is, let us see how we can make cracking a little more difficult for the attacker and which factors contribute to that.
Whilst it is fair to say that a password is the user’s responsibility and that the user needs to choose a safe, “non-guessable” password, it is more appropriate to look at the whole picture comprising the users, the applications, the vendors and education on information security, and to treat the password as a potentially strong control rather than stressing it as a weak one.
The strength of a password can be defined as a function of length, complexity and unpredictability, so when a password is being framed these three factors have to be considered to create a good, strong password.
From an end-user perspective, the following questions should trouble the user’s mind when making a good password:
- How long is the password? This determines the length.
- How large is the character set used? This determines the complexity.
- How predictable is it? This determines the unpredictability.
If an end user can answer these questions, they can be expected to build a good password for their data.
But here comes the twist. Now that the end user is protected, let us look at the other links in the chain of authentication and how the password is handled there.
When we ask how it is handled, two more questions go into the tray:
- How does the password travel to the authenticating agent?
- How is the password stored and used?
If we look at the chain of authentication broadly, we see the application in which the user enters his/her password; the password travels via a medium down to the authenticating agent, where it is stored and also cross-checked to confirm the authenticity of a particular user.
Let us quickly peek into the reasons why passwords are attacked and the types of password attacks.
Devices and systems are guarded by user ids and passwords. Knowledge of the user ids and passwords is the gateway to those devices and systems. Once inside the system, the attacker can turn it into a bot/zombie, conduct malicious activities, steal data, compromise data, etc.
Types of password attacks are:
- Brute force attack
- Dictionary attack
- Rainbow table attack
- Gaining control of the hashes
- Shoulder surfing
- Guessing
- Social engineering
The intention of this article is not to discuss the reasons for password attacks or the types of password attacks. Instead, let us look at the chain of authentication broadly, from user to system and back.
Passwords as treated by users: In today’s world of ever-growing internet awareness and usage, terms such as “User id/Password”, “Login Screen” and “Home Page” have become far more common than, say, ten years ago. The usage of online banking, online shopping, online bill payments and, not to mention, social media has grown tremendously in recent years.
Fig: Number of global internet users [1]
Consequently, password attacks have also increased in proportion over the past years. Users have to be wiser in selecting their passwords and protecting their assets on the internet.
Users who access the internet and need to use usernames and passwords are of different types and in all age groups. For simplicity’s sake, let us consider the following types of users:
- Students
- Employees in the IT sector
- Employees in the non-IT sector
- Home users
- Users in the age group of 60 years and above
The background and approach towards the internet differ for each of these groups. For example, employees in the IT sector are more likely to be trained frequently on handling passwords, social engineering, phishing, password strength, etc. than the other groups. Among the other groups, employees in the non-IT sector are more likely to be aware of password attacks than students, home users and users aged 60 and above.
Awareness regarding password attacks would therefore be imparted differently to each group. The next question is who should impart that awareness, and whether it should take the form of training, regular communication, roadshows, wall posters, etc.
Whilst employees in the IT sector are closer to the inner workings of password attacks, user names like admin/administrator/test and passwords like password123/test123/123456789 are still quite common in the IT community as well.
The reasons for selecting such passwords could be lack of awareness, ignorance, or lack of creativity in coming up with strong user names and passwords.
Following are some of the areas in which awareness can be imparted:
- Security trainings and password education regarding complexity, length and unpredictability
- Regular communication about commonly used passwords
- Enforcing stronger passwords through policies
- Awareness about not sharing passwords
Applying the above areas and forms of awareness to the groups of users:
1. Students, home users and users aged 60 and above:
Security trainings and password education: Typically, students get to know about computers from schools and colleges and by observing parents and elder siblings; a lot more is learnt from friends and the peer group. Students usually access applications like email, social sites, education sites, financial-aid loan calculators, etc. In this scenario a forum for formal training and password education may not be available unless such trainings are incorporated into the education curriculum or conducted by the educational institution. Password education can instead be taken up by the application owners by:
a. Sharing information on how not to use commonly used passwords, e.g. asking students to create innovative passwords that are difficult to guess. This message can be made available on the “Create User” and “Change Password” pages; messages can also be posted as running banners on selected pages of the application.
b. Enforcing stronger passwords through policies, e.g. displaying the strength of the password.
c. Awareness about not sharing passwords: this is an important factor in password protection. Compromised passwords can be reused later on the basis of familiarity and shared knowledge.
2. Employees, contractors and third-party users in the IT and non-IT sectors:
a. Security trainings and password education: Security awareness trainings are anyway conducted as part of training sessions in IT companies. If not already incorporated, password education should be part of these sessions and should include information on commonly used passwords and awareness about not sharing passwords. Employees need to be aware of password attacks more rigorously than other groups of users because of the large number of devices the industry handles that have passwords as one of their security controls.
b. Enforcing stronger passwords through policies; this can be done in the authentication tool.
c. Educating users not to use the same user id/password combination for multiple applications. If one user id/password is compromised, attacking the same user’s accounts on other web applications becomes easy for the attacker. This is all the more important when the user ids and passwords of professional and personal accounts are mixed up.
d. Emphasizing the importance of passwords and the impact of their compromise.
Passwords as treated by applications: A very important aspect is how the application one is building treats a password. Keep in mind that this is the most important feature of the application that has to be guarded against evil people in order to protect your customers’ assets.
Learning from the past and from the attacks that have happened, application owners have become more cautious and have introduced many different kinds of controls to educate the end user to select a good password, such as:
- Introducing graphical passwords, most likely on mobile devices
- Password strength meters
- Displaying warnings or errors when an easily guessed password is used
How this information is handled and stored are the major points that have to be taken into consideration.
How safely it is stored and communicated via the medium are big challenges, and the use of secure configurations on the databases and the server in question are very important points that an administrator has to keep in mind. A small vulnerability in any of the assets in use can hamper the whole system.
Things that should be kept in mind by the application owner are:
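As an added example (not code from the original article), here is a small Python strength meter that scores a password on the three factors named earlier, length, character-set size and unpredictability, and reports why a password is weak, the way the warning messages listed above would. The scoring tiers, the user-id check and the common-password list are my assumptions; the entries in that list which appear in this article (Password1, password123, test123, 123456789) are joined by a few constructed ones.

```python
import re

# Constructed sample of commonly used passwords. The first four are the ones
# the article mentions; a real deployment would load a large breach-derived list.
COMMON_PASSWORDS = {
    "password1", "password123", "test123", "123456789",
    "password", "qwerty", "letmein", "welcome", "admin",
}

# Character classes that make up the "complexity" factor.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digits": re.compile(r"[0-9]"),
    "symbols": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Names of the character classes present in the password."""
    return {name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)}


def is_sequence(s):
    """True for runs such as 'abcdef' or '123456' (ascending or descending)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def predictability_problem(password, user_id=""):
    """The 'unpredictability' factor: a reason string if the password is
    guessable by cheap means, else None."""
    lowered = password.lower()
    # Strip trailing digits/symbols so "Password1!" still matches "password".
    stem = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        return "appears in the common-password list"
    if user_id and user_id.lower() in lowered:
        return "contains the user id"
    if len(set(lowered)) == 1:
        return "repeats a single character"
    if is_sequence(lowered):
        return "is a simple alphabet or number sequence"
    return None


def assess_password(password, user_id=""):
    """Return (verdict, reasons); verdict is 'weak', 'fair' or 'strong'.

    Scoring (an assumed scheme, not from the article): one point for each
    length threshold reached (8/12/16/20 characters) plus one point per
    character class beyond the first. Anything predictable is weak regardless.
    """
    if not password:
        return "weak", ["is empty"]
    reasons = []
    problem = predictability_problem(password, user_id)
    if problem:
        reasons.append(problem)
    length_points = sum(1 for threshold in (8, 12, 16, 20) if len(password) >= threshold)
    if length_points < 2:
        reasons.append("shorter than 12 characters")
    classes = character_classes(password)
    # Few classes only matter for short passwords; a long passphrase of letters is fine.
    if len(classes) < 3 and len(password) < 16:
        reasons.append("uses only " + ", ".join(sorted(classes)) + " characters")
    score = length_points + max(0, len(classes) - 1)
    if problem or score < 3:
        verdict = "weak"
    elif score < 5:
        verdict = "fair"
    else:
        verdict = "strong"
    return verdict, reasons


if __name__ == "__main__":
    for candidate in ("Password1", "Tarry1", "ThisIsGoingToBeAGreatRide"):
        print(candidate, assess_password(candidate))
```

The meter deliberately treats predictability as overriding: a password that sits in the common list is weak however many character classes it mixes, which is the article's point about “Password1”.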
- Strong password policy: be it changing the default password, forcing regular password changes, password length, complexity, not repeating previous passwords or password aging, a strong password policy provides the first line of defense against password attacks. Never use the “password does not expire” option. Account lockouts should be enforced after a specified number of attempts. This is also referred to as password hardening.
- Applying patches of the software used in a timely manner: any detected backdoor, defect or bug in the application should be patched promptly to ensure protection of passwords.
- Using SSL while the password is in transit and never transmitting passwords in clear text: passwords are important, be it for the network of an organisation that processes sensitive data or for the email id of a student. Passwords are passwords and need to be protected. Hence transmission of passwords in clear text must never be practised.
- Storage of passwords: passwords should be stored in hashed form, using a strong hashing algorithm. Also, the keys should be stored on different logical/physical assets. Plain hashes are vulnerable to rainbow table attacks, hence it is useful to salt hashes with random values before storing them. Passwords for sensitive user ids like admin/root should also be encrypted and stored.
- Not using common user ids: another vulnerability exposed to attackers is having common user ids like admin/administrator for an admin role. This leaves the attacker with only the password to guess or attack.
- Split passwords for sensitive roles: for sensitive roles, passwords should be split between two or three people. This makes compromising passwords through social engineering or phishing more difficult.
- Proper logs for detecting failed attempts: failed logon attempts and password resets should always be logged, whatever the type of application. This allows the forensics team to see the rate of attacks and which user ids are under attack.
- Multifactor authentication: another control that can be used to strengthen password policies. Multi-factor authentication combines what the user knows (a password) with what the user has (a PIN generated randomly on a token device), where the user is (location) or what the user is (biometrics).
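Three of the items above, salted hashing for storage, account lockout after a number of failed attempts, and logging of failed attempts so the user ids under attack can be seen, are put into working code in this added Python example. It is not code from the original article: it uses PBKDF2-HMAC-SHA256 from the standard library as the strong hashing algorithm, and the iteration count, lockout threshold and lockout window are assumed policy values, not figures the article gives.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values, not figures from the article.
PBKDF2_ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5       # lock the account after this many failures ...
LOCKOUT_SECONDS = 15 * 60     # ... within this window
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, digest) for a password.

    A fresh random salt per user means two users with the same password get
    different digests, so a precomputed (rainbow) table is useless: the
    attacker would need a separate table for every salt value."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class PasswordStore:
    """Minimal authenticating agent: keeps only salt + hash, never the password."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self.iterations = iterations
        self._records = {}    # user_id -> (salt, digest)
        self._failures = {}   # user_id -> timestamps of recent failed attempts
        self.audit_log = []   # (timestamp, event, user_id); passwords are never logged

    def register(self, user_id, password):
        self._records[user_id] = hash_password(password, iterations=self.iterations)

    def is_locked(self, user_id, now):
        """Locked when MAX_FAILED_ATTEMPTS failures fall inside the lockout window."""
        recent = [t for t in self._failures.get(user_id, []) if now - t < LOCKOUT_SECONDS]
        self._failures[user_id] = recent
        return len(recent) >= MAX_FAILED_ATTEMPTS

    def authenticate(self, user_id, password, now=None):
        now = time.time() if now is None else now
        if self.is_locked(user_id, now):
            self.audit_log.append((now, "LOCKED_OUT", user_id))
            return False
        record = self._records.get(user_id)
        if record is None:
            # Unknown user: run the hash anyway so timing does not reveal which ids exist.
            hash_password(password, salt=bytes(SALT_BYTES), iterations=self.iterations)
            ok = False
        else:
            salt, digest = record
            _, candidate = hash_password(password, salt, self.iterations)
            ok = hmac.compare_digest(candidate, digest)   # constant-time comparison
        if ok:
            self._failures.pop(user_id, None)
            self.audit_log.append((now, "LOGIN_OK", user_id))
        else:
            self._failures.setdefault(user_id, []).append(now)
            self.audit_log.append((now, "LOGIN_FAILED", user_id))
        return ok

    def users_under_attack(self, threshold=3):
        """User ids with at least `threshold` logged failures: the view the
        forensics team wants from the log."""
        counts = {}
        for _, event, user_id in self.audit_log:
            if event == "LOGIN_FAILED":
                counts[user_id] = counts.get(user_id, 0) + 1
        return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "ThisIsGoingToBeAGreatRide")
    print("correct:", store.authenticate("alice", "ThisIsGoingToBeAGreatRide"))
    print("wrong:  ", store.authenticate("alice", "Tarry1"))
    print("log:    ", store.audit_log)
```

The `audit_log` entries record only the event, the user id and the time; the submitted password is never written out, since a log of failed attempts that contains the attempted passwords is itself a password leak.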
There has been a variety of research on this topic, reflecting different criteria and angles on the way we look at it.
According to “Trustwave’s 2012 Global Security Report”, the most used password was “Password1”!
Our favourite, the end user, regarded as the easiest link in the security chain to hack, is not very creative when it comes to choosing a password. Users sometimes create a password in a hurry or just to meet the minimum requirements asked for by the system.
There was also a study which showed that successive changes of the password for one particular account decrease its security.
Research on a large number of passwords found that the most commonly chosen passwords relate to a person’s favourites, likes, dislikes, pets, teams, dates, etc.
Here we have to understand one thing: we are not just trying to create a strong password (alphanumeric, or a blend of some special characters, etc.) but a password which is difficult to guess.
For example, a password made of a pet’s name with a special character and a number may seem strong, but for an evil mind out there it will take only some social engineering and some guessing to break it.
If we look at the math, increasing the number of characters in a password makes it more robust against brute-force attacks; studies have shown that adding a single character increases the search space exponentially.
A lot of research has also been done on how to make users remember passwords and how to help them choose one. Passphrases are, to an extent, a very good solution, though not so well known yet.
For example, a password like “ThisIsGoingToBeAGreatRide” will take much longer to guess than “Tarry1”.
For more research and data related to passwords, visit [2] in the references section.
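To put numbers on the claim that each added character grows the search space exponentially, and on the “ThisIsGoingToBeAGreatRide” versus “Tarry1” comparison above, here is an added Python example that is not from the original article. It models a brute-force attacker as exhausting charset_size ** length candidates, where the charset is the smallest union of standard alphabets covering the password's characters; the guess rate of 10^10 per second is an assumed, illustrative figure for an offline attack on a fast unsalted hash, not a number the article states.

```python
import string

# Assumed illustrative guess rate for an offline attack against a fast hash.
GUESSES_PER_SECOND = 10**10

ALPHABETS = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def charset_size(password):
    """Size of the smallest union of standard alphabets that covers the password."""
    return sum(len(a) for a in ALPHABETS if any(c in a for c in password))


def keyspace(password):
    """Candidates an exhaustive search of this length and alphabet must cover."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(password) / rate


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def growth_per_character(password, extra=1):
    """Factor by which the keyspace grows when `extra` more characters from the
    same alphabet are appended: charset_size ** extra, i.e. exponential in length."""
    longer = password + password[-1] * extra
    return keyspace(longer) // keyspace(password)


def compare(short, long):
    """How many times more brute-force effort the longer password costs."""
    return keyspace(long) / keyspace(short)


if __name__ == "__main__":
    for pw in ("Tarry1", "ThisIsGoingToBeAGreatRide"):
        print(f"{pw!r}: charset {charset_size(pw)}, {len(pw)} chars, "
              f"keyspace {keyspace(pw):.3e}, worst case {humanize(brute_force_seconds(pw))}")
    print("one more character on 'Tarry1' multiplies the keyspace by",
          growth_per_character("Tarry1"))
```

This is only the brute-force view. The pet's-name example in the text is the other half of the story: a long password drawn from the user's likes and dates is guessed by a dictionary of those facts, not by exhausting the keyspace, so a large number here is necessary but not sufficient.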
How to Minimize the Risk?
In summary, risk can be minimized by keeping the following points in mind:
- Educating the user on choosing a password and the impact of not choosing a good password.
- Enforcing password hardening guidelines in the organization.
- Having security controls on the application that will not compromise passwords.
References:
- http://en.wikipedia.org/wiki/Global_Internet_usage
- http://passwordresearch.com/
- http://www.google.com