Password Security and The Road Ahead

The fact that websites continue to be hacked and passwords are frequently stolen (and that a computer recently set a record by guessing 100 billion passwords per second) calls in to question how passwords can still be used safely and what lies ahead for them. This article looks at password security now and the progress being made towards a ‘passwordless’ future.

Basic Challenges

Human limitations and the challenges of modern life mean that we can only successfully remember shorter, more uniform, or more memorable strings of characters, and consequently these often end up being partly words, names, dates, or a combination. Also, many people stick to the same password that is then shared between many sites and platforms. Add to this Moore’s law (the idea that computer-processing power available at a certain price doubles roughly every two years) and the fact that cybercriminals are becoming more sophisticated in their methods and can buy cyber-attack tools and lists relatively cheaply on the Dark Web, and the risks of weak passwords become clear. All these factors mean that:

Passwords will need to be changed regularly and made more secure as widely available computer power grows, and the speed at which even well-encrypted passwords can be cracked and brute-forcing tools can find passwords increases.

Using the same password for multiple accounts and platforms is a high-risk strategy because if one of those accounts is compromised, cyber-criminals can steal and sell the login details on and/or use ‘credential stuffing’ tools to try stolen passwords on multiple websites.

Having longer, randomly generated passwords with many different characters in them are likely to be more secure than personally chosen ones that are simply easy to remember.

100 Billion Passwords Per Second Guessed By A Computer

In February 2019, a hashcat Tweet appeared to announce that the NTLM cracking speed record had been broken as a single computer was able to generate every conceivable password at a rate of 100,000,000,000 guesses per second (100GH/s).  Bear in mind that was over a year and a half ago! Add to this the fact that cloud-based technology can enable an eight-character password to be guessed in only 12 minutes (costing only $25 to do so) and it is clear what a threat technology poses to passwords as a means of security.

Buy Computer Aided Brute Force Attack Tools

It is not surprising, therefore, that password brute-forcing tools are now widely available online, and although they are used by penetration testers, they can also be purchased and used by hackers (black hats). For example, these off-the-shelf tools include Cain and Abel, Hashcat, John the Ripper, and Ophcrack.

Too Easy

In many cases, users may still be making it too easy for attackers to guess passwords or to crack them very quickly with the aid of existing password dictionaries and credential stuffing.  For example, back in February 2019, a study by the UK's National Cyber Security Centre (NCSC) into breached passwords revealed that 123456 featured 23 million times, making it the most widely used password on breached accounts.  The study also showed that the second-most popular string was 123456789 and that the words "qwerty" and "password", and the string 1111111 all featured in the top five most popular breached passwords.  Christian names and the names of favourite football teams were found to be widely used as passwords.

Default Passwords

Default passwords being left and not changed to something less easily attainable or easy to crack can also make it easy for hackers. This is a particular problem with IoT devices where users are often unaware of the problem.

In California, however, a tech law was recently passed that not only bans easy to crack and popular default passwords e.g. ‘admin’, ‘123456’ in all new consumer electronics from this year but also requires each device to come with a pre-programmed password that is unique to that device.  The new law also mandates any new device to contain a security feature that asks the user to generate a new means of authentication before access is granted to the device for the first time.

Even Big Companies

Perhaps surprisingly, big companies also appear to rely all too often upon weak passwords. For example, last October, Swiss Web security company, ImmuniWeb, reported that there were over 21 million (21,040,296) stolen user credentials belonging to Fortune 500 companies available on the Dark Web and that more than 16 million (16,055,871) of then had been compromised during the previous 12 months.  The vast majority (95 per cent) of these contained unencrypted, or already brute-forced and cracked plaintext passwords.

Collection #1

In January 2019, the sharing of a massive leak of a staggering 87GB of 772.9 million emails, 21.2 million passwords and 1.1 billion email address and password combinations onto hacking forums brought the weaknesses of password authentication into much sharper focus.  Known as Collection #1, the data was made up of many different data breaches from thousands of different sources and it has been calculated that all the stolen data could be put into 1,160,253,228 unique combinations, thereby making it useful to cyber attackers trying to crack login details using credential stuffing attacks.

The data in Collection #1 has, however, also been incorporated into the ‘Have I Been Pwned' service where it is possible to check whether anyone’s login details have been stolen (see: https://haveibeenpwned.com/).

Making A Strong Password

Mathematically, predictability and the size of the ‘password space’ (the “space” of possibilities) figure indicates how good (strong) a password may be. The size of the ‘space’ number is a product of the possibilities.  For example, since a one-character password only contains one lowercase letter, there are only 26 possible passwords – from a to z.  Choosing a six lower case letter password means 26 possible choices for the first letter, 26 possible choices for the second and so on (308,915,776 possibilities). 

If, however, the size of the password is increased to 12 characters and includes lower and upper case and other symbols e.g. %, @, !, this increases the possible number of choices for each letter of the password to 72 and, therefore increases the possibility ‘space’ number to 19,408,409,961,765,342,806,016.  In short, the ‘space’ is 62 trillion times the size of the first space and should take a computer running through all the possibilities 62 trillion times longer to guess the password. This is why many websites and platforms now prompt, encourage and suggest passwords that are longer and contain a mix of characters.

Password Managers

Managing multiple passwords in a way that is secure, effective, and does not have to rely on memory is difficult, particularly for businesses where there are multiple sites to manage. One easy-to-use tool that can help is a password manager.  Typically, these are installed as browser plug-ins that are used to handle password capture and replay, and when logging into a secure site, they offer to save login credentials. On returning to that site, they can automatically fill in those credentials. Password managers can also generate new passwords when needed and automatically paste them into the right places, as well as being able to sync passwords across all devices. Examples of popular password managers include Dashline, LastPass, Sticky Password, and Password Boss, and those which are password vaults in other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.

Chrome’s latest browser also has an improved password manager, which can help to stop people from using weak passwords.  The Chrome 69 password manager suggests passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it can add these. Users can also manually edit the Chrome-generated password, and when Google is generating the password, every time users click away from its suggestion, a new one is created. Chrome 69 can store the password on a laptop or phone so that users do not have to write it down or try and remember it (if they are using the same device).

Looking Ahead - Biometrics

Two-factor verification, as well as long passwords incorporating different character and case options, are what many people rely upon at the moment, but a passwordless future and biometrics are likely to offer greater security going forward. 

For example, in May last year, Microsoft’s Corporate Vice President and Chief Information Officer Bret Arsenault signalled the corporation’s move away from passwords on their own as a means of authentication towards (biometrics) and a “passwordless future”.  Recognising the weaknesses of passwords and being one of the most-attacked companies in the world means that at least 90% of Microsoft’s 135,000 workforce now log into the company's corporate network without passwords using biometric technology such as facial recognition and fingerprint scanning via apps such as 'Windows Hello' and the 'Authenticator' app.

Also, in August last year, Google announced that users could verify their identity by using their fingerprint or screen lock instead of a password when visiting certain Google services e.g. Pixel devices and all Android 7+ devices.  This was because of Google’s collaboration with many other organisations in the FIDO Alliance and the W3C that led to the development of the FIDO2 standards, W3C WebAuthn and FIDO CTAP that allows fingerprint verification.

Unlike the native fingerprint APIs on Android, FIDO2 biometric capabilities are available on the Web which means that the same credentials be used by both native apps and web services. The result is that users only need to register their fingerprint with a service once and the fingerprint will then work for both the native application and the web service. Also, the FIDO2 design is extra-secure because it means that a user’s fingerprint is never sent to Google’s servers but is securely stored on the user’s device.  Only a cryptographic proof that a user’s finger was scanned is actually sent to Google’s servers.

Also, this month, NatWest announced that, in partnership with Visa, it had added an invisible layer of behavioural biometrics as part of an authentication process that enables compliance with the EU’s new Strong Customer Authentication (SCA) regulation.  In short, since biometrics can be accepted as one of the methods of authentication to comply with the new rules (alongside a password/PIN), NatWest (and Visa) have been working on how they can make things like keystroke dynamics, voice ID, mouse usage characteristics, signature analysis work as an extra means of identification and authentication.

It is clear, therefore, that although password authentication/verification systems can provide just about enough security, for now, biometrics appears to the way forward and the way to stay ahead of cybercriminals using ever-more sophisticated ways to crack or steal passwords.