A brief history of passwords from the P to the S: birth, death and the zombie apocalypse
The attack on the World Trade Center towers on 11 September 2001 claimed the lives of 658 employees of the financial company Cantor Fitzgerald. Its Director Howard Lutnick lost that day his brother, faced with an unprecedented problem. And it wasn’t even that the company’s servers, including backup, was also buried under the rubble. Information was partly available, but it was closed behind hundreds of accounts of perished colleagues. For assistance was attracted experts from the company Microsoft, they have used powerful servers for fast brute-force — from data access depended on the existence of the company, and it was necessary to time for the first opening of trading after the attacks. To accelerate the breaking could personal data of the victims. Lutnick had to call relatives, and, at the most inopportune moment, ask them a series of questions: the wedding day, the name of the college or university, the dog’s name.
This is a brief retelling of perhaps the saddest article about passwords in their history, published in 2014 in the New York Times. History provides two major features password protection: it creates a lot of problems, and, in many cases, still does not work. Passwords are so bad protection concept that they have repeatedly buried and the media, and security experts, and scientific researchers. But nothing change, the password still remains the main method of separating public from private, and such a situation, after the funeral, it can be officially considered the digital zombie apocalypse.
Today I will try to analyze what’s wrong with the password (the short answer — all), what you can do with it, and I will share a couple of interesting historical observations.
Everything was bad from the beginning
According to the magazine Wired, the need for passwords first appeared in the construction of computer systems with shared access on the basis of time-sharing. In the 60s, when computers were very expensive and takes a lot of space, it was the only adequate method to share processing power between everyone. From the Сompatible Time-Sharing System, developed in Massachusetts technology in 1961, originate with many modern technologies, including the concept of Unix-like systems. With high probability, the password authorization first appeared at the same place.
In the development of CTSS was a choice between password and what is now called tips, like the mother’s maiden name. The choice of passwords was obvious: it was required less memory for storage and processing. At the time there was no security system. In 1966, there was an error in the system code, which somehow reversed the welcome message for users and a password list. As a result, when each user logs on to the system it was possible to see the passwords of all users. But even earlier, in 1962, account passwords were stolen by one of the graduate students at MIT: he was to receive only 4 hours of machine time, and he thus was able to use other people’s quota. It was simply: each user can request printing of the file by specifying the name of the file and the user name of the owner. Knowing that the password database is stored in the file UACCNT.SECRET of user M1416, the graduate student was able to print the whole database (more memories about CTSS here).
But became even worse
And because of what actually the fuss? News background for many years does not involve any rehabilitation of password protection, but 2016 was special because of the huge number of leaks of passwords to various popular services. I will list only the main ones:
- ru Yahoo and Microsoft, only about 300 million passwords — the base was most likely built as a result of phishing.
- LinkedIn — surfaced leak of 2012, with the email addresses and hashed passwords without salt (experts say that 90% of passwords can be decrypted in three days).
- Tumblr — leaked hashed passwords with a salt, but just in case, the administration of the social network initiated a forced reset.
- Vkontakte – 100 million passwords in clear text, leaked old passwords 2012, the social network say that it was not hacking.
- Twitter — 32 million passwords allegedly stolen through phishing and malware.
- Forum Ubuntu — 2 million passwords were stolen via SQL-injection.
- Another 2 million passwords from the forum of Dota 2, as in the case of Ubuntu, was attacked unpatched system vBulletin. Passwords hashed and salted, but up to 80% decipherable.
- Dropbox — password reset after surfacing leak of 2012. Supposedly it was hacked the account of one of the employees of the company.
- Presumably compromised 1.7 million password of synchronization service Opera.
- Rambler — almost 100 million passwords, also dated 2012.
Passwords steal from users. From the owners of the services. On the way between the first and second. Sold on the black market, and publish in open access. Hack sites or use phishing. Service Have I Been Pwned? of well-known security expert Troy Hunt allows you to check whether the leakage of the password associated with your email address. At the moment there are databases from 136 resources, and the number of passwords exceeds 1.4 billion.
With high probability your passwords four years ago are available online almost in plain text. Leaks cost much for site owners, initially seems to be not affected: they begin to attack, assuming the use of the same password by user for different services. Here are examples of recent. Passwords had to reset the service GoToMyPC after the reports about the hacking of accounts for remote access to the desktop. A similar operation had to carry out the GitHub service. The same Mail.ru (and it not alone) has to monitor for leaks and to reset passwords to access their services on a regular basis. Have I already said that passwords are a problem?
It’s simple: we use too simple passwords. A selection of the most popular passwords do almost after every leak, here’s an illustrative example:
Here is the analysis of the company WPEngine gives information on the typical length of the password, most often from 6 to 9 characters. 11 or more characters use less than 5% of users. Simple passwords cost much for server owners. Almost nobody keeps database passwords in clear text, but to recognize hashing passwords like 111111 is simple enough (read more about hashing in simple language here). The above-mentioned leakage LinkedIn contain only hashed passwords, so it is assumed that most of the passwords there can be decrypted fairly quickly. Adding salt (random data) complicates the attack using the dictionary, but does not protect from brute-force — when you need to get the password of a specific user, and this password is simple, the attack remains real.
But that’s not all. According to the data from here, about two-thirds of users use the same password for different services, retain the passwords in clear text, including in electronic form, forget their password, which prompts the use of more simple combinations. According to our data (PDF) about half of users store passwords on their devices in one form or another. A typical password length is 8-12 characters, 20 characters use only 3 percent of users.
Add to this active attempt to steal user passwords as through malware or through phishing. According to the most recent data of the “Laboratory”, a phishing page was blocked 8.7% of users. Leaking passwords in clear text usually occurs as a result of phishing and malware attacks. Steal passwords from browsers, target individual services such as Steam. A typical tactic is to steal all that easy to steal — will understand it later.
On this background the problem on the side of the servers, especially the questions of interception of passwords on the way seem not so serious. On the server side adds chaos infrastructure complexity and nuances of work, you can recall at least (fix) the insecurity of one-time password for Google apps. The network interception directly affects passwords when they are transmitted in clear text over unsecured channels, but it is possible less and less. Deciphering cookies, as it was recently analyzed by the example of algorithms 3DES and Blowfish remains a purely theoretical exercise, and hijack the session is not directly related to the problems of passwords. Remain attacks man-in-the-middle: the conditions for them are created on the user side, and unsafe due to the security infrastructure. An example of the last – unsecured access point.
And what to do?
Immediately reject the attempts to force people to use more secure passwords. First, it does not turn to force. Second, it does not solve the problem of password reuse on different services. Third, the complex password can be a first approximation to compare with the secure key for the same connections over SSH: the keys are not generated by hand, and complex passwords also don’t have to. The last is possible by using password managers, it is quite reliable method in spite of the break-ins have these services (such as Lastpass in the past year). Unfortunately, it remains highly specialized and is unlikely to become a mass. There also is biometrics: it has long been clear that in the current implementation (fingerprint on phones, for example) only an additional method of protection along with a password (even shorter than on desktops!).
Unlike password managers, the only mass method of protecting user data remains multifactorial authorization. Implemented over the phone or through a special application, like Google Authenticator and Yandex.Key — this scheme or completely eliminates the use of reusable password, or complements it the random authorization code. This is very cool, but in this concept, a single password is replaced by another, and so is the possibility of interception. Examples of interception of bank authorization codes malware is already there. I assume it’s working, but a temporary solution, as, for example, attempts by Microsoft to limit the use of insecure passwords at work with “big data” about the leaks and cyber attacks.
But the real future will come when the password will replace the data about the user — in 1961 did not have enough resources and memory, and now of both in abundance. Google until the end of this year is going to finished project Abacus, identifying user by the behavior — essentially, about us will be to collect a large amount of information from the manners of walking to patterns while typing, and on the basis of a variety of signs enough reliably to distinguish an authorized user from God knows whom.
100% reliability will never be
Yes, to all the suggested methods – from password managers, two-factor authentication and to behavioral analysis and biometrics can make a complaint. Biometrics bypass silicone fingers, password managers crack or stealing a master password. Multi-factor auth bypass using malicious software on smartphones and fraud with SIM-cards (and in the future more and hacking cellular networks). None of the solutions do fully protect from phishing – with it any case will have to fight separately.
And this is, unfortunately, normal. The Golden age of the Internet, when viruses were white and fluffy, and mail almost no one broke, was caused by the fact that data stored behind a password was useless. It won’t happen again. You have to understand that any method of protection used by you, your bank or email service, does not give absolute guarantees against hacking. Problem of password protection is that in the case of default, it is in principle unsafe, like a fence without a gate. Even the widespread adoption of two-factor authentication (it is far, unfortunately) will greatly reduce the number of successful attacks. While the owners of sites, forums and other chats are worried that additional protection measures will lead to an outflow of users, plums passwords will continue. At the moment, the rescue of drowning in the hands of drowning, the user is by and large responsible for the security of its accounts. Change the situation can only effort one of the leaders of the market (like Apple with a headphone jack, only meaningful), followed by others. And then comes a bright future. And you know what. Despite the inferiority of the password protection today, it is not the fact that it’s a future we will like.
This text is a translation of the article “Краткая история паролей от П до Ь: рождение, смерть и зомби-апокалипсис” published by @f15 on habrahabr.ru.
About the CleanTalk service
CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).