Passwords Making You Pass Out?

In this age when most of our life is online, not a day passes when we do not have to enter a password somewhere on one of our many devices. Most of us have some form of lock on our mobile phones – whether it is password string or swipe pattern or fingerprint or other fancy biometric scans.

And then we bank on the net, shop on the net, live vicariously on social media on the net – each of these require passwords on websites, however, some of these are helpfully (or unhelpfully) stored on our browser cookies and we do not have to remember them every instant.

At our workplaces, it is possibly even more fun. We are at the mercy of our IT departments who prescribe the number of characters, types of characters, give dire warnings about reuse of old passwords and employ stringent password expiry rules. At one of my workplaces, we were forewarned for fourteen days about password expiry – apparently the optimistic IT department imagined that we would spend the fourteen days devising the most complex password known to mankind rather than doing our jobs that we were drawing our salaries for. Of course, it was always after expiry that most sane people would look around for inspiration when they see the on screen message:

Your password has expired. You must set a new password to proceed

I have read the charming internet tale of the chap who converted this password challenge into a positive experience by setting the password into actions that improved his life. The theme being that when you enter the same phrase every day, you are prompted to take the steps towards actually carrying out what you type.

To each his own ... I am possibly not yet at that plateau of maturity to use passwords as a tool to make life-changing improvements. It may have something to do with the fact that at one point in my life, I would get this message about password expiry from about five-six systems each of which was slyly created to have different password rules (the logic being that we do not reuse passwords). With a 30 day expiry time period, this means that I had to set at least one password every week. Not a day would pass when one of my team did not curse out long and loud after being locked out of some system – we had a subsequent phase where we were required to use a self-service tool to reset the password and if you were really having a run of bad luck, you had to get onto the phone with the help desk (there goes at least 30 minutes of your life) because the self-service tool decided that we were not worthy of “service”. But that is another story in itself.

This close relationship with passwords has encouraged me to delve a bit into the life and times of passwords and one of the questions that I had was about the history of passwords – is there someone the world has to thank for the phenomenon of passwords? There is of course, the history of encryption and usage of passwords in encryption which is very ancient, but I was looking for passwords as we see and use them on today's systems.

It is now over three decades since the time when I had my personal introduction to computers in the classroom. While I recalled bits and pieces about early Unix systems in the US educational networks, I had to dig about to see if there was an authentic owner to the first password. From internet lore, I see more than one pointer to the same owner – MIT. In the mid-sixties (1960s, that is) they had a massive shared computer system called Compatible Time Sharing System. MIT came up with the concept of passwords to segregate the work of different users on this system – the intent was more of a way to put a boundary around each users data on the system. In fact, the passwords were not hidden, there is also discussion of how the list of passwords were printed out and used by a small group of users who wanted additional time-slots on the system. The Wired magazine has published a perspective on this topic in 2012, and there are other discussions available that you can find using your favorite search engine.

Over time, this practice morphed into the popular user login and password onto systems and then with the advent of applications and their widespread usage in the nineties, it slowly became what it is today – the requirement to provide a suitably complex password to do anything useful on the internet.

The need for this complexity in passwords has emerged due to the proliferation of tools that have lead to non-stop attempts to learn passwords from unsuspecting users.

Obtaining passwords of users has almost always been one of the biggest objectives of hackers. Also, given the tendency of users to forget or lose passwords, every system and application has required a mechanism to reset or retrieve lost passwords. In the initial days these required intervention from the system administrator, but over time, due to the exponential growth in the number of password retrieval requests, these have been automated. Of course, authentication of the request and matching it up to the user are done in various forms – most of us are familiar with a set of security questions that we answer in advance, or with the concept of an OTP (One Time Password) sent to our linked mobile phones which we have to provide in order to complete the password change.

With the widespread usage of Microsoft Windows, there came into existence password cracking tools that would help retrieve lost passwords. These paved the way for malicious tools that just helped retrieve passwords, never mind if they were not lost.

There are four types of password attacks:

1. The non-electronic attack: This is the most effective and simplest way. The attacker uses social engineering techniques or eavesdropping techniques (famously called shoulder-surfing) to gain the password directly from a user.

2. The active-online attack: The attacker directly interacts with the system to gain entry with or without a password. This includes the different password cracking mechanisms like guessing, using word-lists or brute-forcing. It also includes usage of tools like key-loggers and other spyware to gain access to user passwords.

3. The passive-online attack: The attacker gains access to the password through “wire-sniffing”: by reviewing the traffic packets between the server and the user’s machine. The technique used could include “man-in-the-middle” attacks where the attacker succeeds in implanting himself in between the communications between the server and the user. It may not be necessary to gain access to the password – if there is a way to replay parts of the communications stream and maintain access to the user’s session, this could lead to compromise of user data.

4. The off-line attack: The attacker works with an off-line copy of the password database and uses tools to crack passwords. Most databases are protected against cracking through techniques of hashing – where a scrambled message digest is stored instead of the password. So the cracking tools include password lists with their appropriate scrambled messages which can be compared against the database. This technique is called a “rainbow table attack”

There are several tools available, both freeware and commercial, that could be used to support the latter three attack types – again, you can use your favorite internet search engine to bring up a listing.

There has been more than one instance of internet password databases getting compromised and published either on hacker mailing lists (like the Yahoo attack of 2013) or publicly on the internet (the most famous being the RockYou attack that published passwords of 32 million users in 2009).

In the aftermath of the RockYou attack, security researchers, both commercial and academic, did extensive research on the published passwords and compiled lists of the most commonly used passwords and figured out the recurring algorithms that people were using. Obviously, the sample size of 32 million was significant enough to make generalized statements about password defining strategies of all internet users. The top five passwords published on many sites at that time were:

1. 123456

2. 12345

3. 123456789

4. Password

5. iloveyou

This also led to the formalization of guidelines from system and application builders on the right complexity level of passwords – this has been in a continuous improvement phase over the last decade.

Despite the guidelines, the human tendency to retain much beloved weak passwords reigns supreme – a recent list for the 100 worst passwords for 2020 retains 3 of the 5 listed above in the top 6.

Most of our systems and applications impose password aging – we are forced to change our password at a set period, most often 30/60/90 days. There has been research into whether the imposed password change cycle is beneficial or harmful and there are conclusions suggesting that it is best not to have a cyclic change simply based on time. If the password is effective for years, why change it to something less effective?

This decade has also seen the rise of “dual factor authentication” - there is an acceptance that a password can be breached, hence the need for a second mechanism to authenticate the user to the system or application. Authentication factors are defined as:

1. Something you know – like a password

2. Something you have – like a hardware token or a one time password

3. Something you are – like your fingerprint, or other biometric based mechanism

Each of these in isolation can be compromised, but the theory of multi-factor authentication postulates that using one of each kind can lead to secure authentication. In most instances, using two out of three is adequately safe, however, that still means you have to commit a fairly complex password to memory and have one of the other factors in play.

The world of cryptocurrency uses blockchains as the basis of its data storage. The concept is one of decentralized storage with an inherent resistance to data modification. By definition, this seems an ideal solution to the centralized password database issue and some IOT (Internet of Things) implementations have already started using blockchains in their authentication mechanism. However, we have to wait and watch to see if this actually gives us the nirvana from passwords as is professed and whether it persists in its trend of being unhackable.

For the vast majority of our transactions where we continue to use passwords we have to strike a balance between the complexity of the password and our ability to remember it. Nowadays, even spaces are gaining acceptance as valid characters in a password, so it may even be possible to use a short phrase or sentence that is easy to remember. If you do not want to make the job of the cracker easy, use at least one character of each type – alphabets, numerals, special characters. Another way to add to the difficulty quotient is to have a longer password – 10 characters or more requires significantly more compute power to crack. And the third trick is to stay away from dictionary words – these are always top of the password cracking tool lists.

There is also the question of whether it is safe to use password manager tools or not – this would be a matter of individual choice. If it is a local tool, with the passwords stored directly on your hard disk, it may make sense if used responsibly; wheras a cloud based tool, where you store your passwords with a third party may have some additional risks. Also to be remembered is that you will most likely need a password to get into your password manager of choice.

There is also the mechanism of storing passwords in the browser cookies – again this has to be done by individual choice understanding the risks involved. If it is a shared computer, you may want to think twice about it, even if the cookies are stored only within your user configuration. Also, if you are using cookies, you may want to periodically check and delete the ones that are not in active use.

And coming up below is a perfect illustration of what not to do with your password..