hopr develops stronger and simpler login solutions

The Problem With Passwords - 2020 Update

Passwords are the bedrock of security for many things we want to keep safe; they are as fundamental to computers as water is to human bodies. Without passwords there would be no online accounts, and maybe even no personal computers at all.

That’s why it’s so surprising that passwords haven’t really changed in sixty years. In 1960, the first computer passwords were used at MIT in order to facilitate personal accounts on a shared computer system. Decades before the Internet was even invented, students were creating passwords much the same as we do today.

Is it possible that the system has become outmoded? Passwords are meant to keep us safe in cyberspace, but there are reasons to think that our login systems themselves, and not only our passwords when they are weak, might be putting us at risk.

Problem #1: Passwords Are Hard to Remember

For most of us--especially those without good memory or computer skills--coming up with a complicated password for each individual website we visit, and then remembering all of those complicated passwords, is prohibitively difficult. As a result, we use and then reuse easy-to-guess passwords, placing ourselves directly in harm’s way even when our most sensitive information is on the line.

Let’s consider an example. Think about your accounts on all the websites you interact with on a weekly basis. Which is the most sensitive--the one for which you simply cannot afford a breach? The answer is easy: it’s your bank account (perhaps your credit card account, too). But other accounts can be sensitive for other reasons.

In 2015, the 36 million customers of Ashley Madison--a website designed to help people cheat on their spouses--thought their passwords protected them. The consequences of a spouse discovering an Ashley Madison account would be life-altering, so we might assume that Ashley Madison accounts were among the most highly guarded on the entire internet, with very strong passwords chosen by the website’s users.

However, when one security expert cracked 4,000 Ashley Madison passwords in August 2015, he found that a full five percent of them were simply “123456.” Another five percent were either “password” or “12345.” Other popular choices included “baseball” (for 27 users), “111111” (for 21), “ashley” (for 28), and some choice words that aren’t appropriate for this publication.

This is how far humans are willing to go to avoid coming up with difficult, hard-to-remember passwords. A reasonable percentage of people would more readily risk their marriages than practice effective cybersecurity. And the result of the Ashley Madison study isn’t an isolated one; the same bad practices are found consistently, worldwide.

Problem #2: Even Strong Passwords Can Be Exposed in Breaches

There’s a reason why those 4,000 Ashley Madison passwords were publicly available in the first place. On July 15th, 2015, a group calling itself “The Impact Team” breached the website’s internal computer systems. Six days later, all of the company’s user data--names, addresses, email addresses, phone numbers, and more--was leaked onto the dark web in plain text.

This was a nightmare scenario. Like lone gazelles in an open field, 36 million people were now utterly defenseless against any cyberpredator who wanted to scrape their most sensitive information from the open dataset.

There was just one silver lining. Often, when hackers get hold of your login information for one website, they’ll attempt to use the same information to log into other websites you might have accounts with. Ashley Madison email addresses were included in the leak, but passwords appeared only in their hashed form. In fact, they were strongly protected, hashed with an algorithm called “bcrypt.” But even then, when a password research collective called CynoSure Prime reviewed thousands of lines of leaked Ashley Madison code, the researchers came across something strange. Of all 36 million bcrypt-protected passwords, just over 15 million were also stored in a variable called “$loginkey,” which hashed those same passwords using the MD5 algorithm. MD5 is a fast, outdated hash that is unsuitable for protecting passwords and easy to beat even with standard-quality cracking software. With simple tools, CynoSure managed to reveal 11 million passwords within just ten days. In this case, then, it took only about two months from the initial leak to exploit the MD5 vulnerability and uncover nearly one out of every two Ashley Madison account passwords.
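To make concrete why the MD5 “$loginkey” undid bcrypt’s protection, here is an added illustration; it is not code from this article or from Ashley Madison’s systems. It uses PBKDF2 from Python’s standard library as a stand-in for bcrypt (both are salted and deliberately slow), and a constructed six-word list standing in for a real cracking wordlist.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist (the six passwords the article lists), standing in
# for the large wordlists used in real password audits.
COMMON_PASSWORDS = ["123456", "password", "12345", "baseball", "111111", "ashley"]

# Work factor for the slow hash. PBKDF2-HMAC-SHA256 is a standard-library
# stand-in for bcrypt: both are salted and deliberately expensive per guess.
ITERATIONS = 600_000

def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def legacy_loginkey(password: str) -> str:
    # The weak link described in the text: an unsalted, fast MD5 of the same password.
    return hashlib.md5(password.encode()).hexdigest()

def make_record(password: str) -> dict:
    """Store both hashes side by side, as the leaked code did for ~15M accounts."""
    salt = os.urandom(16)
    return {"salt": salt, "slow": slow_hash(password, salt),
            "loginkey": legacy_loginkey(password)}

def verify_slow(record: dict, candidate: str) -> bool:
    """The intended login check: one expensive, per-user computation per guess."""
    return hmac.compare_digest(slow_hash(candidate, record["salt"]), record["slow"])

def recover_via_loginkey(record: dict, wordlist) -> Optional[str]:
    """Why the $loginkey field mattered: with no salt, one MD5 table built once
    answers for every user, so the bcrypt work factor is never paid at all."""
    table = {legacy_loginkey(word): word for word in wordlist}
    return table.get(record["loginkey"])

def find_md5_shaped_fields(record: dict) -> list:
    """Defender's audit: flag fields holding a 32-hex-character value, the shape
    of an unsalted MD5, so a legacy hash stored beside the real one is noticed."""
    hexdigits = set("0123456789abcdef")
    return [name for name, value in record.items()
            if isinstance(value, str) and len(value) == 32 and set(value) <= hexdigits]
```

The audit helper is the practical takeaway: the strong hash is only as strong as the weakest derivative of the same password stored anywhere in the record.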

The security team behind Ashley Madison failed not only to secure the website’s systems from hackers, but also to secure users’ passwords once those systems were breached. This failure is a lesson to the rest of us: that our passwords are not ours alone. Every website for which you create an account holds a record of your password, which means that criminals don’t actually have to hack you to get it.

Problem #3: Static Passwords Are Vulnerable

The importance of TIME - Hackers have all the time in the world to break a static system

In the movies, we see hackers typing away at keyboards as zeros and ones scroll down their screens with astonishing speed. It all seems very exciting, but in reality, hacking is a slow, gradual process. News of the Ashley Madison hack broke on June 19th, 2015, but The Impact Team would have had to spend months mapping out the company’s systems, and moving through them piece by piece, before all that user data could be fully siphoned out.

Hackers have the advantage of time when static credentials are used. Their victims, on the other hand, do not have this luxury.

As a further example, take the CynoSure Prime study of Ashley Madison users’ passwords. I’ve told you how the group was able to crack nearly half of the passwords used on the site. That version of the story, however, leaves out one important factor: how the CynoSure Prime researchers used time to their advantage. One full month after the leak, leading experts in password cracking were estimating that it would take years to uncover any meaningful amount of data from those exposed, hashed passwords.

CynoSure Prime found the $loginkey vulnerability two months after the leak. They could’ve taken all the time in the world, though, because the passwords were static. In fact, any static credential jeopardizes your security and privacy because these credentials remain useful long after they are obtained by hackers.

Possible Solutions

The customer-side and client-side issues with weak, reused, exposed, and static passwords have inspired cybersecurity experts to rethink this login paradigm that we’ve gotten so used to.

Hardware tokens are one possible means of accessing private accounts. Rather than a string of text that is remembered and typed into a field on a login page, hardware tokens are physical tools that you hold on to, such as USB sticks. However, there’s an obvious problem with hardware tokens: it’s just as easy to lose a USB stick as it is to forget an online password.

In airports, theme parks, and a growing number of other areas, biometric data are being adopted as a substitute for ordinary authentication measures. Since your fingerprint, your iris, and your voice are yours alone, they are as effective at identifying you as any other conceivable form of credentials. However, anybody who’s read science fiction knows of the dangers involved in giving up your biological data--authentication information you can never change--to Big Brother. There’s also no guarantee that biometric information can’t be replicated in other forms with the help of emerging high-tech software.

Whether you’re using software-based, hardware-based, or biology-based data, all of these authentication mechanisms (especially biometric data) are static. Therefore, even your fingerprint is vulnerable to theft and misuse in the same way that a static password is. That’s one reason why two-factor authentication (2FA) has become so popular with security managers. In 2FA, a one-time passcode, generated each and every time you log into an account, fixes the vulnerability of a static password. In order to beat 2FA, hackers must have control over both your computer and a second device you have.

2FA is widely recommended by computer security experts because it makes the job of hacking your accounts so much more difficult. However, it isn’t completely unbreakable, as evidenced by the June 2018 Reddit hack. A hacker used an SMS intercept to breach the two-factor authentication that Reddit employees used to log into their privileged accounts.

Conclusion: Passwords Are Still Useful, But There’s Room to Improve

Experts are constantly improving on existing best practices in cybersecurity. And yet, because static passwords are so ubiquitous, so fundamental to how we engage with cyberspace, they’ve remained largely unexamined; instead, the trend is moving toward replacing them with something else. Even when troves of passwords become exposed in corporate data breaches, we simply blame the human operator and the passwords, and in doing so, we fail to question whether a more fundamental problem exists with the authentication systems that use these passwords.

Since today’s login systems rely on static password inputs, they are exploitable. We cannot merely blame weak passwords for our cybersecurity issues; we must take a hard look at the system itself. 

hopr, the company sponsoring this article, has its own solution to these three problems: dynamic passwords. For more information on Hopr’s Password Hopping® technology, visit gethopr.com.
