Monday, June 27, 2011

Hackers want your passwords

Password exploitation is the hacker’s most common objective when it comes to compromising a system or stealing information. Why then don’t we pay more attention to securing this critical piece of information?

We are forever being told that we should use complex and difficult (to remember) passwords. This is not the best advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.

How to hack a password

The work involved in hacking passwords is very simple. There are five proven ways to do so:

  1. Asking: Amazingly, the most common way to gain access to someone's password is simply to ask for it. As social engineering becomes more pervasive, users are often tricked into providing their passwords by various means, but at the end of the day, the hacker’s modus operandi is simply to ask for it. My experience from social engineering engagements says that as many as 50% of users in a business will willingly give up their password if the request is made in an innocent context. Not only that, but people often tell their passwords to colleagues, friends and family. Having a complex password policy isn't going to change this.
  2. Guessing: This is the second most common method to access a person's account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like: your last name, your wife's name, the name of your cat, the date of birth, your favorite flower etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.
  3. Brute force attack: Very simple to do. A hacker simply attempts to sign in using different passwords one at a time. The plethora of free automated brute force attack tools makes this method as easy for the hacker as sitting back and letting his computer do the work. The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT people want you to use them).
  4. Common word attacks: A simple form of brute-force attack is where the hacker attempts to sign in using a list of common words. Instead of trying a different combination of letters, the hacker tries different words. Numerous lists of these “common” passwords exist on the Internet for easy download.
  5. Dictionary attacks: Same concept as common word attacks - the only difference is that the hacker now uses the full dictionary of words. Again, there are hundreds of dictionaries available for free download from the Internet. Many of these dictionaries have been specifically constructed for the sole purpose of hacking passwords.

When is a password secure?

The single most important thing you can do when creating a password, aside from not telling it to someone, is to do so knowing how passwords are hacked and to create one that makes the hacking process longer; i.e. days, months or years. Knowing that a hacker will most likely be using an automated tool or script, you want to make the script take longer to run in the hope that the hacker will give up and move on to a more attractive target.

The measure of a secure password is how many guesses or sign-in requests an attacker can make each second. The number varies, but most web applications cannot handle more than 100 sign-in requests per second. In other situations, especially if the hacker has gained access to a local network, literally thousands of requests can be generated each second.

There are 94 printable ASCII characters on the keyboard (printable characters represent upper and lower case letters, digits, punctuation marks, and miscellaneous symbols). That means each character in a password can have one of 94 possible values.

So, in an 8-character password, there are 94^8 = 6.09568939 × 10^15 possible combinations.

Regardless of the number and power of the computers used, a password with that many possible combinations will be hard to break.
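The arithmetic above can be carried through for any character set, length and guess rate. The following is an added example (not part of the original post) that computes the keyspace and the worst-case and average time an attacker needs to exhaust it; the 94-character set and the 100 and "thousands" requests per second figures are the post's, the other rates and lengths are assumptions chosen to show the comparison.

```python
# Keyspace and time-to-exhaust estimates for password guessing (added example).
# Assumes an attacker who can make a fixed number of guesses per second, as in the post.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes: 94 printable ASCII characters (the post's figure),
# 26 lowercase letters and 62 alphanumerics are added for comparison.
PRINTABLE_ASCII = 94
LOWERCASE = 26
ALNUM = 62


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every password in the keyspace is tried before the attacker finds the right one."""
    return keyspace(charset_size, length) / guesses_per_second


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time expressed in years."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def expected_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Average case: a uniformly random password is found after half the keyspace, on average."""
    return years_to_exhaust(charset_size, length, guesses_per_second) / 2


def comparison_table(rates=(100, 10_000), lengths=(6, 8, 12)) -> list:
    """Rows of (charset, length, guesses/s, worst-case years) for the rates and lengths given.

    The default rates correspond to the post's "100 per second" for a web login and an
    assumed "thousands per second" for an attacker on the local network.
    """
    rows = []
    for name, size in (("lowercase", LOWERCASE), ("alnum", ALNUM), ("printable", PRINTABLE_ASCII)):
        for length in lengths:
            for rate in rates:
                rows.append((name, length, rate, years_to_exhaust(size, length, rate)))
    return rows


if __name__ == "__main__":
    print(f"94^8 = {keyspace(PRINTABLE_ASCII, 8):,}")
    for name, length, rate, years in comparison_table():
        print(f"{name:>9} len={length:<2} {rate:>6}/s  worst case {years:,.2f} years")
```

Two things the table makes visible that the prose only implies: at 100 guesses per second an 8-character password over 94 symbols takes on the order of a couple of million years to exhaust, while the same length drawn only from lowercase letters falls to well under a year at 10,000 guesses per second. The estimate assumes the password is uniformly random; a guessable password (name, date, dictionary word) is found long before the keyspace is exhausted, which is the post's point about guessing and dictionary attacks.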

Making usable and secure passwords

Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:

  • Password length should be around 12 to 14 characters if permitted, but in no case less than 8 characters.
  • Avoid any password based on repetition, dictionary words, names of any sort, letter or number sequences, usernames, or dates.
  • Include numbers and symbols in passwords.
  • Use capital and lower-case letters.
  • Avoid using the same password for multiple sites or purposes. For example:

Construct a base password from some random pattern known only to you, then prepend the second letter of the website or application and append its first letter. This way all you have to remember is the 6-character base password, but it becomes unique for each website or application because it incorporates a characteristic of that website or application.
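The guidelines in the list above and the per-site scheme just described can both be checked mechanically. The following is an added example, not code from the original post: a checker that flags violations of each listed guideline (length, numbers, symbols, mixed case, repetition, sequences, common words, dates) and a function that derives the per-site password exactly as described. The tiny common-word set and the sample base password are constructed for the example; a real check would use a full wordlist, and the date and sequence tests are simple heuristics rather than exhaustive detection.

```python
# Password-guideline checker and per-site derivation (added example).
import re

# Constructed stand-in for a real common-password list; a deployed check would load a full wordlist.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (e.g. 'abcd', '4321')."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def guideline_violations(pw: str, min_len: int = 8) -> list:
    """Return the list of guideline violations for `pw`; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    # Repetition: one character three or more times in a row, or a short pattern repeated to fill the password.
    if re.search(r"(.)\1\1", pw) or re.fullmatch(r"(.+?)\1+", pw):
        problems.append("repetition")
    if has_sequence(pw):
        problems.append("letter or number sequence")
    # Dictionary / common word: the whole password (ignoring case) is a known word.
    if pw.lower() in COMMON_WORDS:
        problems.append("common word")
    # Date heuristic: a run of six or more digits looks like ddmmyy or ddmmyyyy.
    if re.search(r"\d{6,}", pw):
        problems.append("looks like a date")
    return problems


def site_specific(base: str, site: str) -> str:
    """The post's scheme: second letter of the site name + base password + first letter of the site name."""
    letters = [c for c in site if c.isalpha()]
    if len(letters) < 2:
        raise ValueError("site name needs at least two letters")
    return letters[1] + base + letters[0]


if __name__ == "__main__":
    base = "Tr4!kq"  # constructed 6-character base; a real one is a random pattern known only to you
    for site in ("github", "amazon", "mail"):
        derived = site_specific(base, site)
        print(site, derived, guideline_violations(derived) or "ok")
    print("password", guideline_violations("password"))
```

Note that the 6-character base on its own fails the length guideline; it is only the two site-derived characters that bring it to the 8-character minimum, so a longer base is the easy way to reach the 12 to 14 characters the list recommends.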
