Password Security 101

By Noa Bar-Yosef, Senior Security Strategist at Imperva

A Quick Introduction to Passwords

When you enter a gym’s locker room, there are hundreds of lockers. Each locker has its own combination lock. Without giving it too much thought, you open your particular locker using the combination that only you know, which is the same combination you provided when registering to the gym.

Similarly, a password is a shared secret between a user and a service. When the user wants to connect to the service, she identifies herself with her username or some other form of account identifier. She then proves her identity by providing the service with the password. The service compares the provided password against what the user supplied during registration. If there is a match, the service grants the user access to the service. We can consider the service as the locker, the username as the locker’s number and the password as the lock’s combination.

Problems arise of course if someone else has your combination. It could be that you use a very popular combination, or you use that same combination on your tote, and someone was able to find the combination to that lock. Alternatively, it could be that someone broke into the gym’s system and saw the list of locks with their respective combinations. Let’s take a look at these aspects when it comes to the virtual world. 

How Hackers Crack Passwords

Lists of most common passwords are very useful for hackers since they can use these to increase their probability of guessing a user’s password in a quicker and more efficient manner. The hacker tools used to guess these passwords are called “crackers.” Two types of crackers exist: online and offline.

Online crackers repeatedly attempt to access a service under some chosen user identity with different passwords until the right password is found. These crackers are limited by the speed at which the service accepts and handles requests, as well as by the network capabilities of the "cracking" machine. In most practical cases online crackers are limited to a low number of attempts per account due to the account lockout policies of many services. However, by trying the most common passwords first, online crackers remain effective even against services that have strict lockout policies.

Offline crackers are used when passwords are recovered from a service but appear in a “digested” format. A password digest is a safeguard used by services in which they store a mathematical transformation of the password instead of the password itself. The digest allows comparison with the original password, but does not easily disclose the password itself. An offline cracker repeatedly chooses different passwords, transforms them to their digested format and compares the result to the exposed password digests. Offline crackers can reach incredible speed, depending on the CPU power of the cracking machine. Some very powerful offline crackers have been built using gaming platforms (Sony PS) or cloud based services (Amazon EC2). To further expedite their operations, offline crackers sometimes use a technique called “Rainbow Tables,” in which the digests of a large number of candidate passwords are computed once in advance and kept in the computer’s memory, so that each leaked digest can be looked up rather than recomputed.

To reduce the effectiveness of offline crackers, services usually add a special step to the process called "salting." Using a salt, a different digest is crafted even if the password is the same. So although “salted” passwords are not completely hack-proof, this makes it much more difficult for crackers to guess numerous passwords within a reasonable amount of time.
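The following is an added example (not code from the original article or from Imperva) showing the difference described above: with a plain digest, two users who chose the same password get the same stored value, whereas a per-user random salt combined with a deliberately slow digest (PBKDF2 here, an assumed choice) makes every stored value unique and forces a cracker to redo the work for each account. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration; note both chose the same password.
USERS = {"alice": "Winter2011!", "bob": "Winter2011!"}
ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords give identical digests,
    so one precomputed table serves every account in a leaked database."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_digest(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the per-user salt makes each digest unique, and the
    iteration count makes every guess cost the cracker the same work it costs us."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str) -> dict:
    """What the service keeps for one account: random salt, work factor and digest."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "digest": salted_digest(password, salt, ITERATIONS)}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = salted_digest(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    """Contrast the two storage schemes on the sample accounts."""
    unsalted = {u: unsalted_digest(p) for u, p in USERS.items()}
    salted = {u: store_password(p) for u, p in USERS.items()}
    return {
        "unsalted_equal": unsalted["alice"] == unsalted["bob"],   # True: same digest leaks the reuse
        "salted_equal": salted["alice"]["digest"] == salted["bob"]["digest"],  # False
        "alice_ok": verify_password(salted["alice"], "Winter2011!"),
        "alice_wrong": verify_password(salted["alice"], "winter2011!"),
    }


if __name__ == "__main__":
    print(demo())
```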

Securing Your Passwords

On a personal level, you should use strong passwords and not repeat them across different sites. Obviously, the choice of passwords is all in context. You want a strong one for your online banking application, PayPal, your health benefits and all other types of applications you consider sensitive. On the other hand, using a strong password to reserve a car tune-up at your local dealership just becomes too much of a hassle.

On the business level, services should realize that they simply cannot trust users to choose strong passwords. If you give users the choice, they’ll simply choose weak passwords. In fact, two years ago a RockYou database containing 32 million passwords was leaked to the Web. Analysis of the passwords showed that 20 percent of the users chose the same passwords from a pool of 5,000 words. It’s up to your IT administrator to keep the passwords secure. How?

  • Enforce strong password policies. This includes forcing a minimum length of characters, banning common passwords and requiring a mix of characters (digits, letters, upper-case, lower-case, etc.).
  • Make sure passwords are not transmitted in the clear. Using network transport encryption (e.g. SSL) is strongly encouraged. Some authentication protocols (e.g. NTLM) are even designed in a way that the password itself never travels through the network.
  • Make sure passwords are not kept in clear-text. Salt a password and then digest it before storing to the database.
  • Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. By doing this, attacks are made too slow for practical purposes, even when it comes to shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.
  • Employ a password change policy. Trigger the policy either by time or when the suspicion of a compromise arises.
  • Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.
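An added example (not from the original article) of a server-side policy check implementing the first and last points above: a minimum length, a ban on common passwords, a required character mix, and a relaxed mix rule for passphrases whose length carries the strength. The thresholds and the short banned list are assumptions for the demonstration; a real service would load a full list of leaked common passwords.

```python
import re

# Constructed sample of a "most common passwords" list; a real deployment would
# load a much larger list from a file (hypothetical name: banned_passwords.txt).
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "princess",
                    "rockyou", "abc123", "qwerty"}

MIN_PASSWORD_LEN = 12       # assumed policy values for this example
MIN_PASSPHRASE_LEN = 20
MIN_PASSPHRASE_WORDS = 4
MIN_CLASSES = 3


def character_classes(pw: str) -> set:
    """Which of the four classes (upper, lower, digit, other) the password uses."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    # Ban common passwords regardless of case or a trivial digit/symbol suffix ("Password1!").
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", candidate).lower()
    if candidate.lower() in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("common password")
    words = candidate.split()
    if len(words) >= MIN_PASSPHRASE_WORDS:
        # Passphrase: length carries the strength, so the character-mix rule is relaxed.
        if len(candidate) < MIN_PASSPHRASE_LEN:
            problems.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN}")
    else:
        if len(candidate) < MIN_PASSWORD_LEN:
            problems.append(f"shorter than {MIN_PASSWORD_LEN}")
        if len(character_classes(candidate)) < MIN_CLASSES:
            problems.append(f"needs at least {MIN_CLASSES} character classes")
    return problems


if __name__ == "__main__":
    for pw in ["password", "Password1!", "Tr0ub4dor&3xample!", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```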