X-Industry

Password Security

Prepared by:  Nicholas Dessanti, UNH Cyber Student Intern

Password security has been a major topic of discussion for all computer and web site users.  Today, hackers are exploiting vulnerabilities within user passwords in many ways.  Brute force attacks are the most common way hackers use to find passwords.  Another common method is called a dictionary attack.  Both brute force and dictionary attacks systematically check all possible passwords until the correct one is found.  Hashing algorithms are another essential process in password security, yet more relevant to companies instead of individuals. 

Details
Anyone who use the Internet should have learned the basics of password security.  Whether to use a strong password or to not use the same password twice; still many users often fail to take this sound advice.  This can be due to either negligence or laziness.  Not all computer users realize passwords are just as important to keep secure, as other cyber tools used to verify our identities.  Personal identifiers, such as social security numbers, passports, and driver’s license information are equally important to keep secure.  This report is an overview regarding password security and how different password policies can improve it, or at times, make it worse.

Something to keep in mind when creating passwords, is no matter how sophisticated and advanced an organization’s security system, it always remains vulnerable to hacking due to the human factor.  The key aspects of strong passwords include:

  1. The length of your password.
  2. Having a mix of upper and lower-case letters, numbers, and symbols.
  3. No ties to your personal information.
  4. No dictionary words.

Utilizing these aspects of a strong password will increase the resiliency of your password and decrease the likelihood of your password being compromised.

The majority of users’ passwords are exposed within hours or shorter.  Therefore, if you create a 12-15-character password, you will ensure more security than an 8-character password.  Currently, a 16-plus-character password would be even safer.  Multi-factor authentication is a further layer of security.  Two-step verification or two-step authentication is a method of confirming a user's claimed identity by utilizing a password and an application to prove user identity. 

There are two common attacks hackers use to get your password.  The first and most common way is called a brute force attack.  Brute force will go through every single combination until the password is discovered.  The trick is to ensure the password you chose is complex and long enough that they will not attempt to break the password.  For example, an 8-character password that is case-insensitive with numbers and symbols can be hacked by a brute force attack in about 2.5 hours.  For this reason, an 8-character password should no longer be used.  

A new record was set using eight Nvidia RTX 2080 Ti graphics cards, running the latest beta version of Hashcat, which is a password-cracking program.  This hacking setup cracked 102.8 billion hashes every second.  As password length increases, the number of combinations that need to be brute forced, will additionally increase exponentially.  Utilizing a mix of the 94 possible characters available on the keyboard increasing the complexity of your password will force a hacker to use a larger character set.[1]   Another way to hack passwords is with a dictionary attack.  With this type of attack, it will attempt different words from a predetermined dictionary of usually millions of words until the correct password is found.  The execution time of a dictionary attack is more efficient than a brute force attack because the number of combinations is restricted to just those in your dictionary.

Good password policies are continually evolving.  For example, some companies used to have a password expiration policy.  This forced users to change their password a predetermined time frame.  This researchers believed was more secure.  However, over time companies found that users, who were forced to change their passwords, often did so by altering the existing password using a systematic method, such as adding a digit at the end.  Unfortunately, this technique is unlikely to fool an intelligent hacker and is why it is no longer a commonly used password policy.  

A password policy that should be followed by everyone is not having a pattern to your password, you want to make it random because hackers are always learning new patterns and algorithms. Some more important policies for users to follow: share your passwords with no one, do not let browsers remember your passwords, and chose a security question that cannot be guessed.  In addition, you should never reuse passwords. Another common policy that is widely used today is a password audit policy.  This is where passwords are monitored, and notifications will be sent to you if modifications are made to your password.  If a security breach occurs, this practice will provide crucial evidence for the company and the authorities.

Companies with poor password policies should be identified and appropriate action should be taken immediately to secure their cyber vulnerabilities.  To begin, web services should never be saving your plain-text password into their database.  It should always be hashed; which is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed length.  Hashing is a one-way function, a function which is practically impossible to invert.  Companies using MD5 and SHA-1 algorithms for hashing should look to change them as soon as possible.  This because these two algorithms have been broken with regards to collisions.[2]  MD5 is known for being an insecure hashing algorithm because it is very fast.  The drawback of having a fast algorithm like MD5 is that a hacker can run billions of password combinations per second.[3]

In cybersecurity, a salt is random data that is used in addition to a hash to safeguard passwords in storage.  Even for the same two passwords, the hashed value will be different with an added salt.  This makes scanning a database for generic passwords next to impossible.  The hashing algorithms that are more secure as opposed to MD5 are called SHA-2 and SHA-3.  These combined with a cryptographic salt makes for a very secure hash.  An emerging hashing algorithm called Argon2, “provides security against brute force attacks using a predefined memory size, CPU time, and a degree of parallelism to prevent GPU attacks,” explains researcher Enrico Zimuel.[4]  This algorithm won the Password Hashing Competition (PHC) in July 2015, but is not widely used as of now.  Although, because of Argon2’s exposure and hashing power, it has the potential to become a popular algorithm.

Another important password policy companies should look into is to limit unsuccessful login attempts.  Throttling unsuccessful attempts will provide an extra layer of security from brute force attacks.  The idea behind throttling involves counting how many times a user fails a login attempt.[5]  Once a user reaches a pre-specified number of failed attempts, the server will block that user from executing another login attempt.  This will slow down brute forcing and hopefully alert responders before a successful attack occurs.

Conclusion
The choice of a password is not necessarily easy and it should be one that is carefully thought out.  Your password needs to be long enough so it cannot be brute forced and should not contain any common dictionary words.  Using numbers and uppercase letters are important, however, keep in mind that numbers are used most at the end of passwords and uppercase letters are used at the beginning.  The existence of such trends makes it easier for hackers to generate more effective dictionaries.  As long as your password cannot be attacked by the above-stated techniques and the server your passwords are stored uses an advanced hashing algorithm, you mitigate the risk your password will be stolen. 

However, just like we thought 8-character passwords were secure 5 years ago, the same thing will eventually happen with our 15-character passwords.  As GPU processing power becomes more powerful, our passwords will need to be longer and more complex.  Technology progresses faster and faster each year and because of that, the password credentialing system will gradually become obsolete.  For that reason, new technology such as biometrics will replace this system.
               

Serial: TR-19-190-001
Report Date: 07092019

Country: All
Industries: All

 

[1] https://www.tomsguide.com/us/8-character-password-dead,news-29429.html

[2] https://www.securityfocus.com/bid/11849/discuss

[3] https://crackstation.net/hashing-security.htm

[4] https://framework.zend.com/blog/2017-08-17-php72-argon2-hash-password.html

[5] http://miftyisbored.com/a-complete-tutorial-on-login-throttling-and-recaptha-with-laravel-5-3/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance