Password security practices have failed to keep pace
Whether an environment is solely dependent on passwords or includes them as part of a multi-factor model, passwords remain a critical layer of authentication security.
The continued barrage of reports about data breaches and account hijacking, however, make it painfully clear that organizations struggle with password-based security.
The number of U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, according to the Identity Theft Resource Center. For every breach that is reported, there are many that go unreported because the target never discovered that they were compromised.
When we look at how cybercriminal tactics have evolved, and how compromised credentials have impacted these methods, one answer to the problem of the password becomes clear:
No site should be allowing the use of known, compromised credentials
This policy of restricting of compromised credentials refers to both the authentication of previously exposed username and password combinations and the screening of new user-selected passwords against all previously exposed passwords.
There are two benefits of this simple policy. First, it closes a glaring gap which otherwise leaves the password layer completely open to credentials exposed in third-party breaches. Second, it ensures passwords are unique enough to not be reversible using cybercriminal cracking dictionaries, protecting both the account and the entire database if it were to be breached.
To better understand the problem and the benefits of this policy recommendation, it helps to look at how attackers are working around the security practices that are currently in use.
Assumptions about password strength
Many organizations rely on outdated assumptions that don’t account for modern cybercriminal tactics.
The first assumption is that password complexity policies make brute-force guessing more difficult.
These sometimes comically frustrating password complexity rules were originally introduced to encourage users to select better passwords with greater entropy. In this context, entropy is a measure of unpredictability or the amount of uncertainty that an attacker has to overcome to figure out a password.
Password complexity rules typically require minimum length and combinations of letters, numbers and symbols to increase the total universe of possible password choices.
Passwords that satisfy complexity rules are often described as strong, difficult to guess passwords. However in reality, a strong password may not be a safe password.
Even with a massive universe of possible passwords, people are predictable when their choices are unrestricted. Users munge familiar words with common substitutions and patterns. Based on this, Cybercriminals can be reasonably confident that the password they are targeting will be among those they’ve seen in previous data breaches and common password lists.
NIST acknowledged the limitations of password complexity rules in their most recent guidelines by actively recommending against their use. The research shows that complexity rules make life difficult for users and do little to make passwords harder to guess.
Assumptions about one-way encryption
The second assumption is that when organizations store users’ passwords with a one-way encryption, they’ve created a substantial protection against their misuse.
Organizations will always need to store users’ passwords for comparison with those entered at login. And when the user creates a new password, most systems today will apply a one-way encryption algorithm to convert the password into an irreversible string of characters called a hash.
Most modern authentication systems take this a further step by adding a “salt” to the hash. This salt is a string of characters, unique to each user, added to each password to increase complexity and uniqueness before it is then hashed.
Apart from employing salts, the current best practices approach to storing passwords securely involves using an adaptive work hashing algorithm, such as bcrypt, which can be scaled in complexity over time as computing hardware performance continues to advance. To combat the rise of massively parallel cracking systems which employ large numbers of commercial GPUs, password hashing algorithms have been further enhanced to also be “memory hard” and arbitrarily require larger blocks of memory for computation. Newer algorithms in this category include scrypt and Argon2.
The rationale for these types of hash-based encryptions is that it makes it impossible to unencrypt and computationally infeasible for cybercriminals to generate all the hashes needed for comparison with the universe of possible hashed passwords that they may encounter. The provider thus assumes that user’s passwords would not be discoverable in the event the provider’s database was breached.
The problem again is the presumption of an extremely large universe of possible passwords. The reality is that the population of user-generated passwords is startlingly small. Each time the passwords from a data breach can be studied, we see practically the same list.
As a result, the cybercriminal requires only limited effort to reverse the irreversible one-way encryption.
How cybercriminals make use of strong, encrypted passwords
Even with password rules applied, the relatively small and predictable universe of user-selected passwords allows cybercriminals to generate reliable cracking dictionaries that comprise almost all of the passwords they will encounter.
Cracking dictionaries are typically made up of passwords exposed in previous data breaches. The cybercriminals know that if a password was ever used before, it’s likely to be found again.
With a solid cracking dictionary, the cybercriminal never needs to resort to brute force guessing, and hashed passwords become only an inconvenience.
To reverse hashed passwords, cybercriminals simply run the same hashing algorithm against a cracking dictionary. The output is called a rainbow table, a precomputed table of the clear text value and the associated hash. Cracking dictionaries and rainbow tables are commonly shared among cybercriminals.
Cybercriminals can then look up the clear text password for any hash they encounter. This approach often works as much as 90% of the time or more because that’s how often people’s passwords are typically found in the cracking dictionaries.
Even when there is a salt used, the clear text password can still be reversed by recalculating all the possible hashes with the salt. While more time consuming, the end result is still the same.
To reverse engineer a salted hash, the cybercriminal needs only to know the algorithm by which salt was applied. Often the format of the hashes or knowledge about what off the shelf software gives this answer immediately.
When the hashing algorithm is not known, the cybercriminal can try various hashing algorithm possibilities on a common password. They can then test their output against the hashes in the breach. If they don’t find a match for the common password it means they haven’t figured out the hashing algorithm yet. Even in this case, reverse-engineering hashes is facilitated by the cybercriminal’s confidence that a common password will always be there.
Once the hashing algorithm is known, the cybercriminal re-runs the hashes for each entry in their cracking dictionary. The hardware typically used includes specialized processors that can generate 13K hashes per second for an OpenBSD bcrypt hash per GPU. An average cybercriminal rig might have 8 GPUs, allowing over 100,000 hashes every second. Speeds to generate less hardened hashes are in the billions per second.
Given the power of typical hardware used by cybercriminals, even with memory hard hashing or adaptive work hashing algorithms, calculating hashes is not a roadblock. It simply encourages the cybercriminal to limit the size of the cracking dictionary they will use. They do this of course by prioritizing the most commonly used passwords.
Many organizations don’t store passwords with salt and use a less rigorous hashing algorithm, and therefore can be reversed even faster.
The consistent theme to these problems is users picking passwords from among the common and compromised passwords found in cracking dictionaries. This gives cybercriminals an easy way to sidestep security hurdles.
While commonly used and compromised passwords represent a significant threat to database security, they are at the foundation of another and larger threat to individual account security due to password reuse.
Password reuse means the key that cybercriminals can use to access a user’s account may be readily available without any security incident at your organization.
The big problem of password reuse
It’s an unfortunate fact that most people reuse passwords across sites.
The fact that users don’t select a unique password for each site means that if a cybercriminal can obtain a user’s password from one site, there is a high likelihood they can easily login to other sites. They have the full, valid credentials and can simply login as the user.
Based on a password reuse study of several hundred thousand leaked passwords from eleven web sites and user surveys; the findings showed: 43- 51% of users reuse the same password across multiple sites.
Facebook CSO, Alex Stamos, has described password reuse as one of the biggest online dangers. In 2016, in a talk at TechCity, Stamos said, “The biggest security risk to individuals is the reuse of passwords, if we look at the statistics of the people who have actually been harmed online. Even when you look at the advanced attacks that get a lot of thought in the security industry, these usually start with phishing or reused passwords.”
Password reuse has led to a rapid rise in attackers where compromised credentials are used in bulk. This type of attack is called credential stuffing.
OWASP describes credential stuffing as follows: “Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.”
For the downstream sites that are the target of credential stuffing, it becomes extremely difficult to defend against this type of attack because the credentials being used are valid.
The threat of credential stuffing is made worse by the relative ease and lack of sophistication required to execute an attack.
Compromised credentials can often be obtained for free or cheaply from publicly available Internet sites and the Dark Web. Automated tools are also readily available to assist unsophisticated attackers.
New password security methods
Securing against username and password combinations
There are several methods that organizations can adopt in light of current cybercriminal tactics to better secure the password layer.
The first approach, already in use by large companies like Twitter and Facebook, involves detecting username and password combinations that have been compromised and blocking them.
Facebook has been public about their use of this approach. On the Facebook blog, “Protecting the Graph,” Facebook explained:
“We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook.”
For this approach to be effective, a database of known compromised credentials must be collected from the same sources where they would be obtained by cybercriminals. This includes the various marketplaces and hacker sites on the Internet and Dark Web.
While some automation can be applied to collect compromised credentials from a few sources, many sites have restrictions that prevent scraping and require different levels of group participation to gain access. Therefore, the vast majority of credential collection can only reasonable be done using manual research.
Only a limited number of credentials are found in clear text. In most cases, the credentials found are hashed or in salted hash formats. While cybercriminals would reverse these to clear text for a credential stuffing attacks, there is no need for organizations to crack passwords. Instead, they can take the clear text password (at the point it is given by the user) and hash it to the formats in which the exposed credentials were found.
The ideal implementation of this use case occurs at the login event, since the password should be encrypted at all other times.
This offers the following advantages:
- Comparisons can be made against credentials found in different hash algorithms or salted hashes as described above.
- Assuming the compromised credential database is kept up to date, checking at login provides the most real-time method of protection, reducing the attack window as much as possible.
When compromised credentials are detected, users can be prompted to change their password. However to really harden password-based security, all new passwords should be screened against common and compromised password lists.
Securing against common and compromised passwords
To address the password weakness issues outlined above, newly created passwords can be screened against lists of common and compromised passwords.
This is the exact approach outlined by NIST in their most recent authentication guidelines.
NIST special publication 800-63B section 5.1 recommends checking new passwords against those used in cybercriminal dictionary attacks:
“When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.”
This approach uses cybercriminal’s cracking dictionary against them.
Passwords not found in cracking dictionaries are substantially harder for cybercriminals because it forces them to revert to brute-force guessing tactics.
Besides inherently stronger passwords, when the database uses a blacklist to exclude all passwords found in cracking dictionaries, it can be a form of insurance in case the database is breached.
A database that contains no passwords from cracking dictionaries is substantially less useful to the cybercriminal. This is because:
- The database of passwords cannot be rapidly reversed in bulk using pre-calculated lookups. Cybercriminals would need to revert to brute-force methods for each password.
- The exact format of salted hash is substantially more difficult to identify. When common passwords aren’t available, it becomes much harder for cybercriminals to discern the exact algorithm for salting the hash.
To achieve these benefits, all new passwords would need to be compared against a comprehensive blacklist that includes: multiple cracking dictionaries, all words (such as from a scrape of all Wikipedia articles in all languages along with Guttenberg project books) combined with dates, characters sequences, numbers, common substitution characters, and all compromised passwords from data breaches.
Based on PasswordPing efforts to maintain such a blacklist, the list size would be approximately 1.75B entries to be comprehensive. To continue to be effective over time, such a list would need to be maintained as additional passwords were exposed.
How compromised credentials fit in a MFA environment
Multi-factor authentication (MFA) provides better security by making sure there isn’t a single point of failure.
The three authentication factors recognized for MFA are: something you know (e.g. password), something you have (e.g. physical device), and something you are (e.g. biometrics like fingerprints). There are multiple methods of accomplishing each layer.
Each layer has it’s own balance of convenience and risk for compromise. In practice, no authentication layer is invulnerable.
Not long ago, the use of SMS messages to a registered phone number was considered a reliable layer of security, but there have been frequent enough evidence of vulnerability when using public telephone networks that NIST is now actively discouraging the use of voice or SMS based authentication as a “something you have” layer.
Another common authentication approach involves one-time passwords (OTP) sent to a registered email address, however this is only viable if the email account has not been compromised.
The bottom line is that improved security results from more than one layer and yet when the password (something you know) layer is compromised, security is again dependent on just a single-factor.
What’s more, a system that imposes the burden of multiple layers but fails to adequately secure each creates a false sense of security.
Adapting password-based security to current threat practices
Passwords continue to be able to provide an important authentication layer alone or in combination with other factors. However, password based security like all security measures, needs to regularly evolve as threat methods change.
By continually checking user accounts against compromised credentials and screening new passwords to ensure they are not exposed, organizations dramatically improve efficacy of password-based security.
PasswordPing’s innovative compromised credential and breach notification services were created to protect corporate networks and consumer websites from unauthorized access and fraud. PasswordPing helps organizations screen user accounts for known, compromised credentials and block unauthorized authentication. PasswordPing Ltd. Is a privately held company based out of Boulder, Colorado. For more information, visit: www.passwordping.com.