Sunday 27 April 2014

Lesson 7: The Password Problem

We humans have become pretty good at physical security. It’s not very easy to rob a money transfer vehicle or a bank and actually get away with it. It seems unlikely that even the boldest terrorist would attempt to physically break into high security locations like Pentagon or Fort Knox.

Digital security, however, is a whole different matter. During the last few years we have gotten used to news about many of the largest companies in the world, like Yahoo, Adobe, Twitter, Facebook, Nintendo and Apple, getting hacked [1]. A big part of the problem with digital security is that our systems still rely heavily on passwords for authentication. Passwords are challenging for several reasons.

The number of passwords
First of all, we need so many of them. According to TechRadar, 25- to 34-year-old web users actively use 40 different online accounts on average [2]. We are told that each one of our accounts should have a unique password, so that if and when one of them gets hacked, the hackers don’t get access to all of our accounts. Remembering 40 unique username-password combinations is not very easy for most of us.

The complexity of passwords
The passwords we choose should be long, random and complex. This is because in a typical hack the attacker gets access to the databases in which usernames and passwords are stored. Luckily most (but not all) system administrators are wise enough to store passwords in an encrypted or hashed form, so that the attacker has to crack them first in a process called brute-forcing. This is where the length and complexity of your passwords really come into play.

The very first thing the hacker will attempt is a so-called dictionary attack, in which a dictionary of common words and passphrases is tested against the password [3]. If your password is included in the dictionary, it will be cracked in less than a second. Howsecureismypassword.net estimates the time it would take for a desktop PC to brute-force different passwords [4]. I started the test with a very common word, “Michael”, which of course would be cracked instantly. Adding the number one after it (Michael1) still puts it in the top 1000 most common passwords, which means it’s probably found in every password dictionary. Interestingly, adding the number three (Michael3) makes brute-forcing it take 15 hours, which, while still quite weak, is already a significant improvement. Below is a chart of other variations and their brute-forcing times:

Image: Brute-force attack times for a desktop PC for different passwords based on Howsecureismypassword.net results.

The chart demonstrates how important password complexity and length are. By adding special characters like exclamation marks and asterisks to our password, we can improve its strength significantly. By simply adding the letter “d” a few times to the end of the word “password”, it changes from the worst password in the world to a password that takes days to crack.

What’s good enough?
What is a safe enough time estimate to aim for, then? We should remember two things: first, many hackers have access to botnets comprising thousands of computers, and second, computers are improving at an exponential rate according to Moore’s law [5]. Considering this, I wouldn’t recommend settling for anything less than hundreds of thousands of years, depending of course on the importance of the account you are protecting.
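To make the arithmetic behind the chart and the “hundreds of thousands of years” target concrete, here is an added example (my code, not the post’s and not how Howsecureismypassword.net computes its figures). The guess rate of a billion guesses per second per machine, the 10,000-machine botnet and the tiny constructed “dictionary” are assumptions, so the absolute times will not match the site’s chart; the relationships do: a dictionary hit is instant whatever its length, every extra character multiplies the search space by the alphabet size, and a botnet divides the time by its number of machines.

```python
import string

# Constructed stand-in for the multi-million-entry wordlists a cracker tries first;
# a real dictionary attack would also include common mutations such as "Michael1".
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "michael", "michael1"}

# Character classes and their sizes. The alphabet an attacker has to search grows
# with every class the password uses (the chart's "special characters" effect).
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),           # 10
    "symbols": set(string.punctuation),     # 32
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet built from the standard classes that covers
    every character in the password, i.e. the search space an attacker must assume."""
    unknown = [c for c in password
               if not any(c in chars for chars in CHARACTER_CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def guesses_to_exhaust(password: str) -> int:
    """Worst case for the attacker: every string up to this length over this alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_crack(password: str, guesses_per_second: float = 1e9, machines: int = 1) -> float:
    """Exhaustive-search time. A dictionary hit is cracked immediately regardless of
    length; otherwise the work is split across `machines` (this is what a botnet buys)."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return guesses_to_exhaust(password) / (guesses_per_second * machines)


def years_to_crack(password: str, guesses_per_second: float = 1e9, machines: int = 1) -> float:
    return seconds_to_crack(password, guesses_per_second, machines) / SECONDS_PER_YEAR


def strong_enough(password: str, min_years: float = 1e5,
                  guesses_per_second: float = 1e9, machines: int = 1) -> bool:
    """The post's rule of thumb: aim for at least hundreds of thousands of years."""
    return years_to_crack(password, guesses_per_second, machines) >= min_years


if __name__ == "__main__":
    for pw in ["password", "Michael", "Michael1", "Michael3", "passworddd", "XyZ##!:):PacC"]:
        solo = years_to_crack(pw)
        botnet = years_to_crack(pw, machines=10_000)
        print(f"{pw:14} alphabet={alphabet_size(pw):3}  one PC: {solo:10.3g} years"
              f"  10k-machine botnet: {botnet:10.3g} years  ok={strong_enough(pw, machines=10_000)}")
```

Run it and note the last line: the post’s example password “XyZ##!:):PacC” clears the threshold against a single PC but not against the assumed botnet, which is exactly why the post says the target depends on who you expect to be attacking and what the account is worth.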

Another challenge with passwords is that no matter how good your password is, it is still very vulnerable to two things: phishing and keylogging.

Phishing
Phishing is a process in which a malicious actor masquerades as a legitimate entity in order to have you send your private information to them [6]. To give you an example from my own experience, I once received a genuine-looking email from Paypal telling me that I needed to log in to my Paypal account in order to confirm my address. I was suspicious but decided to see what happens if I click on the link. It took me to a website that had the exact same design as Paypal, and it asked for my username and password. I entered a completely made-up username and a random password and clicked on the login button. The website pretended that it accepted my login information and took me to a page that looked like the usual Paypal interface! You can probably guess what would have happened if I had entered my real Paypal login: this phishing website would have gathered my login information and used it to enter my Paypal account in an attempt to steal my funds.

Keylogging
Keylogging is even worse than phishing: a hacker is able to install a small program on your computer without you noticing, which then captures every keystroke you type and sends the text to the hacker in a discreet manner. This way the attacker can learn all the usernames and passwords that you use while the keylogger is active. In a 2010 report, 48% of the 22 million computers inspected were found to have malware on them [7], and according to the Australian Computer Emergency Response Team (AusCERT) 80 percent of all keyloggers are not detectable by antivirus software. In other words, this threat is very real and makes relying on passwords for security quite scary.

What can we do?
What can be done to improve the situation? To fight phishing attempts, you should always double-check the URLs of the websites you visit. I also recommend using tools like Web of Trust (https://www.mywot.com/) that will show you community-based scores for the websites you visit. If you are about to enter a shady website, you will get a warning. You should never ever click on links you receive in email, unless you are absolutely sure about the sender. Remember that changing the sender address is quite a trivial thing to do. If a service that you are using asks you to visit their site, it’s better to manually type in the address or google it to make sure you are taken to the right website.
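“Double-check the URL” is easier said than done, because the tricks used in phishing links are designed to survive a quick glance. As an added example (my code, not the post’s, and not how Web of Trust works), here is the check a browser effectively performs: parse the link, take the host it would really connect to, and compare that host’s suffix with the domain you expect. The sample links are constructed; none of the look-alike hostnames is a real site.

```python
from urllib.parse import urlsplit

# The domain the user believes the link leads to (the post's Paypal example).
EXPECTED = "paypal.com"


def hostname_of(url: str):
    """The host the browser would actually connect to, as the URL parser sees it:
    lower-cased, with any 'user@' prefix and ':port' suffix stripped."""
    return urlsplit(url).hostname


def is_genuine_link(url: str, expected_domain: str = EXPECTED) -> bool:
    """True only if the link uses HTTPS and its host is the expected registered domain
    or a subdomain of it. The comparison is on the domain *suffix*, so hosts such as
    'paypal.com.example' or 'paypal.com-login.example' are rejected."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "https" or host is None:
        return False
    return host == expected_domain or host.endswith("." + expected_domain)


def explain(url: str, expected_domain: str = EXPECTED) -> str:
    """Human-readable reason, for teaching what to look at in a link."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return "no hostname in URL"
    if is_genuine_link(url, expected_domain):
        return f"host {host!r} is {expected_domain} or a subdomain of it"
    if parts.scheme != "https":
        return f"not HTTPS (scheme is {parts.scheme!r})"
    if "@" in parts.netloc:
        return f"user@ trick: the browser connects to {host!r}, not to the text before the '@'"
    if not host.isascii():
        return f"non-ASCII characters in {host!r}: possible look-alike letters"
    if expected_domain in host:
        return f"look-alike: {expected_domain!r} appears inside {host!r} but is not its registered domain"
    return f"host {host!r} is unrelated to {expected_domain!r}"


SAMPLE_LINKS = [  # constructed examples
    "https://www.paypal.com/myaccount/settings",
    "http://www.paypal.com/confirm",
    "https://www.paypal.com.account-verify.example/login",
    "https://www.paypal.com@account-verify.example/login",
    "https://paypal.com-security.example/",
    "https://www.pаypal.com/",  # Cyrillic 'а' in place of the Latin 'a'
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "OK " if is_genuine_link(link) else "BAD"
        print(f"{verdict} {link}\n    {explain(link)}")
```

The suffix comparison is the whole point: text that merely contains “paypal.com” somewhere in the address, or text placed before an “@”, says nothing about where the browser will go, which is why typing the address yourself is safer than trusting what a link looks like.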

Defending against keylogging is much more difficult, because these types of infection can be hard to detect. Naturally you should have an up-to-date virus scanner and you should be performing scans regularly, but that doesn’t really guarantee anything. One of the most efficient defenses against keylogging attacks is two-factor authentication. It means that you use not only your password to log in to a service but also a code sent to (or generated by) another device, typically your mobile phone. Many of the big web companies like Google and Yahoo offer two-factor authentication these days, and I really recommend it for greatly improved safety. To perform a successful attack, the hacker would need to have control of both your computer and your phone, which is quite unlikely.

Password managers
To help remember all your unique passwords you can use a password manager like Roboform or KeePass, but those are something of a double-edged sword. On the one hand they make life quite convenient by keeping track of all your passwords, but on the other hand they create a single point of failure: if the attacker learns the master password that protects your password manager, then suddenly they have access to all your online accounts at once. I personally have Roboform installed, but only on my workstation that I keep “sterile”, which means it never touches the internet. At the moment I have 980 different user accounts saved in those files and I would never be able to remember all those logins without Roboform.

Coming up with a system
If you do not have an offline computer to store your passwords safely, I recommend creating a system that allows your passwords to be unique, long and yet easy to remember. Let me give you an example. You could create a single random password to memorize, let’s say “XyZ##!:):P”, and make it unique by adding the second and third letters of the service’s name to the end of the password. So your Facebook password would be “XyZ##!:):Pac”. Even better, you could do something like adding the first letter of the top-level domain (like .com, .org or .fi) in capitals at the end to hide your pattern a bit more. So your Facebook password would become XyZ##!:):PacC, and that one would take 111 million years to crack. In my view this would provide good enough security for your non-critical online accounts. Your main email account and other highly important accounts should probably still have completely unique passwords (and thus not use a system like this).

Speculation about the future
What might the future of online security have in store for us? Many used to believe in biometric identification methods such as fingerprint and eye scanners. The problem with these solutions is that, just like with passwords, malicious actors can use clever ways to obtain copies of this information in order to falsely prove their identity. Fingerprints might in some cases be even easier to obtain than passwords, as we leave copies of them pretty much everywhere. Unlike your password, you can’t really change your fingerprints if you fear a hacker has managed to get a copy of them, which in my opinion makes them an awful basis for security. My prediction is that in the future we will authenticate with combinations of something we have (perhaps a smart watch or a ring) and something we know (a simple password), but hopefully the system will also analyze our typical behavior and adjust the requirements based on our behavioral patterns. For example, the login system should demand a higher degree of verification if the login attempt is made from an unknown computer at an unfamiliar location. Many two-factor authentication systems already allow you to mark commonly used computers as safe, removing the need to do a full two-factor sign-in on those. Of course I am hopeful that all the smart security engineers will come up with something even better than I’m able to predict.

Many companies are already working hard to solve this problem, and there are big incentives for a solution. According to popularmechanics.com, the National Institute of Standards and Technology is offering a 10 million dollar reward for coming up with an alternative to passwords. Even Ford is working on a system that would automatically log you in based on the proximity of your smartphone [8]. The ones who finally solve the password problem by coming up with more convenient and secure authentication methods will surely be applauded by internet users around the world.


Sources:

[1]
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ 

[2]
http://www.techradar.com/news/internet/online-fraud-too-many-accounts-too-few-passwords-1089283

[3]
http://searchsecurity.techtarget.com/definition/dictionary-attack

[4]
https://howsecureismypassword.net/

[5]
http://en.wikipedia.org/wiki/Moore's_law

[6]
http://en.wikipedia.org/wiki/Phishing

[7]
http://www.zdnet.com/blog/security/report-48-of-22-million-scanned-computers-infected-with-malware/5365 

[8]
http://www.popularmechanics.com/technology/how-to/computer-security/solving-the-password-problem-14993917-2

2 comments:

  1. I had no idea that adding the same letter after a password makes it so much harder to crack! :o Now I'm so ashamed of my passwords. I'm so lazy about trying to come up with complicated passwords; I'm so worried that I won't remember them. :D (usually I don't)

  2. Don't feel ashamed, this is very common! :) Passwords are a challenging concept for us humans. Coming up with different "systems" can help with making them a bit more complex while still keeping them somewhat memorable!
