How are passwords stolen? What are common password flaws? Which security techniques enhance the security of passwords and of login services? Which authentication methods provide long-term security? How often should a password be changed? Which methods achieve good security while remaining simple enough for end-users?
This blog post discusses several methods by which passwords are stolen and presents approaches for securing login services.
I first list the common methods by which an attacker might steal a password and the security flaws related to “bad” passwords, followed by the techniques for securing passwords and login services. In the third section I combine these two lists in one table that shows which countermeasures help against which password flaws.
How are Passwords Stolen?
Or: Who has direct access to my passwords? Who can brute-force my passwords? Who can guess them? Who can recover them? What are bad strategies for password security?
- Keylogger (Malware) installed on a Computer: This is the classical example when talking about stealing a password. If malware is installed on the computer on which the user types his password, the attacker can read it out directly and obtains it in plaintext.
- Malicious Service-Provider: The service provider has access to the passwords because at every login event the user sends his password to him. Even if he does not store them in plaintext but as hash values (with or without salt), he could still generate lists of the real passwords.
- Hack on the Service-Provider: History has shown that user and password lists of reputable service-providers will probably be stolen one day. Even if (only) hash values are stolen, the attacker community will try to recover the used passwords via brute-force, rainbow tables, or simply Google. However, it might take some time (or never succeed) for the attacker to recover them.
- Easy-to-Guess Password Recovery Functionality: Many service-providers use password recovery methods such as asking one or two simple questions about the legitimate user. If this information is publicly known (Facebook) or at least findable via Google, the user account can be stolen without hacking the real password.
- Trivial Passwords Used: If the user has really trivial passwords such as “password”, “12345”, the name of his wife, etc., an attacker can simply guess them. Dictionary attacks with the most commonly used passwords also work for the attacker. In this way the password-protected service is almost unprotected.
- Same Password on many Systems: If the user has the same password on many different systems, all services are broken once the attacker owns this single password.
- Social Engineering/Phishing: Social engineering is the process in which a user receives a serious-looking mail or telephone call in which he is asked to send or dictate his password. If the guy on the other side claims to be the new IT security person who wants to update certain password records, he might have success with this strategy.
- Session Hijacking: Session hijacking is not directly a password theft, but an attacker could change the user’s password for a particular service.
- Brute-Force against the Login-Service: The attacker probably knows the login name (e.g. the mail address) for the service the user uses and tries to brute-force this login password. Once an authentication attempt succeeds the attacker knows the password. However, since this attack runs over the Internet it is throttled by the network and is therefore slow compared to offline attacks.
- Passive Sniffing on the Network: If the attacker resides on the path from the user to the Internet destination, and if the user uses no secure connections such as TLS or SSH, the attacker can simply read out the transmitted password. E.g., this is true for unencrypted mail traffic (POP3, IMAP, SMTP), web traffic (HTTP) or file traffic (FTP). This attack can be executed with rogue hotspots, for instance.
- Man-in-the-Middle on the Network or at the Application: The attacker could also execute a MITM attack in which he can see the passwords in plaintext. For example, he might spoof certificates in order to look into a secured connection. Even though this will display a certificate warning on the user’s PC, the attack might be successful if the user continues the login session.
Techniques for Secure Passwords
Or: Which countermeasures exist against the theft of passwords and against the mentioned security flaws?
- Password Complexity: An increased password complexity (entropy) makes passwords more secure. This means that longer passwords must be used, chosen randomly from a large character set. (Blog post about password strength here.)
- Usage of Different Passwords for all Services: For every single login-service a new (unique) password must be used.
- Regular Change of the Passwords: After a certain amount of time a password must be changed to another one which is not related to the previous ones (no incremented counter, etc.).
- Two-Factor Authentication: Two-factor authentication (also called multi-factor authentication) is a method in which not only the username + password is needed to authenticate against a service, but a second factor is mandatory as well, e.g., a hardware token. Access is only granted if both factors are entered correctly by the user. Even if the password is stolen by a third party, access to that service is only granted if the token is present, too.
Combined: What helps against What?
The following table summarizes the usage of the mentioned countermeasures against the password flaws. Some techniques provide enhanced security for the actual login service during the attack, while others provide an enhanced security level for all login services after an attack (if the password is already stolen).
To order the attacks and their relevance I differentiate between a few login events:
All attacks/flaws mentioned in the first column are executed during the “Duration Attack” of the login event on service A. For example, if service provider A has an “easy password recovery function” and the user uses different passwords on all systems, his login on service provider B is still secure. However, a regular password change for provider A does not gain any security if the same password recovery questions are still in use. (However, not all cases in the following table can be explained directly. Some require an interpretation by the reader.)
Finally, I list a usability solution for the security techniques and if there are extra costs for that, and also give an analogy to the usage of normal door keys.
[Table not reproduced here: it matched each password flaw against the countermeasures, distinguishing protection “on OTHER sites” from protection “on SAME site”, and listed the usability solution, extra costs and door-key analogy for each technique. Its footnotes:]
* If the attacker has not changed the initial password already.
** If only the password is released and not the current token value.
*** E.g. key + chipcard or biometric authentication.
Concerning the change of a password on a regular basis: This technique does not help against the theft of a password but limits the misuse after a password is stolen. For example: If the attacker already owns a password and does not destroy any data but only collects information in a really silent way, he will keep collecting information forever if this password is never changed. This means that a regular change of passwords is a security enhancement, but one that cannot be measured directly.
How to Recognize a Theft?
This is a general problem: How is a theft recognized? If the attacker has stolen a password and waits a while before using it for the first time, the user has no chance to recognize this theft. Furthermore, if the attacker silently uses the password just for information gathering, the user will not recognize it either. That is: IT security (network, application) must watch for anomalies in its login services (keyword: SIEM). If the login credentials of user X are always used within the same time range and from the same Internet locations but are now used at several time ranges from various Internet locations, there might be something wrong.
(Of course: If the attacker directly uses the gathered password for harmful actions the user will know the theft.)
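The anomaly check described above, as an added example that is not part of the original post: a small detector that learns each user’s usual login hours and countries from past successful logins and then flags new logins from an unseen country, at an unusual hour, or from two countries closer in time than travel allows. The log format, the user names and the addresses are constructed for this example, not taken from any real product; a SIEM would feed it from real authentication logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed log format for this example (not a real product's format):
# <ISO-8601 UTC time> user=<name> src=<ip> geo=<ISO country> result=success|failure
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) result=(?P<result>success|failure)$"
)

# Constructed history: alice works office hours from Germany, bob from Germany and Austria.
HISTORY = """\
2024-02-26T08:02:11Z user=alice src=198.51.100.4 geo=DE result=success
2024-02-26T13:45:09Z user=alice src=198.51.100.4 geo=DE result=success
2024-02-27T09:10:33Z user=alice src=198.51.100.9 geo=DE result=success
2024-02-27T17:01:50Z user=alice src=198.51.100.9 geo=DE result=success
2024-02-26T10:20:00Z user=bob src=203.0.113.20 geo=DE result=success
2024-02-27T11:05:00Z user=bob src=203.0.113.77 geo=AT result=success
"""

# Constructed recent events: alice's credentials used at 03:17 from Brazil, then from
# Germany 23 minutes later, then her normal morning login; bob is unremarkable.
RECENT = """\
2024-03-04T03:15:48Z user=alice src=203.0.113.50 geo=BR result=failure
2024-03-04T03:17:02Z user=alice src=203.0.113.50 geo=BR result=success
2024-03-04T03:40:55Z user=alice src=198.51.100.4 geo=DE result=success
2024-03-04T09:05:12Z user=alice src=198.51.100.4 geo=DE result=success
2024-03-04T10:30:00Z user=bob src=203.0.113.77 geo=AT result=success
"""


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def parse_log(text: str) -> List[dict]:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per user: the hours of day and countries seen on successful logins."""
    baseline: Dict[str, dict] = defaultdict(lambda: {"hours": set(), "geos": set()})
    for ev in events:
        if ev["result"] == "success":
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
            baseline[ev["user"]]["geos"].add(ev["geo"])
    return dict(baseline)


def hour_is_usual(hour: int, usual_hours: set, slack: int = 1) -> bool:
    # Distance on the 24-hour circle, so 23:xx counts as near 00:xx.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in usual_hours)


def detect_anomalies(baseline: Dict[str, dict], events: List[dict],
                     travel_window: timedelta = timedelta(hours=1)) -> List[dict]:
    alerts = []
    last_success: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue  # failures belong to the brute-force detector; here only accepted logins matter
        profile = baseline.get(ev["user"])
        reasons = []
        if profile is None:
            reasons.append("no login history for user")
        else:
            if ev["geo"] not in profile["geos"]:
                reasons.append(f"new location {ev['geo']}")
            if not hour_is_usual(ev["ts"].hour, profile["hours"]):
                reasons.append(f"unusual hour {ev['ts'].hour:02d}")
        prev = last_success.get(ev["user"])
        if prev and prev["geo"] != ev["geo"] and ev["ts"] - prev["ts"] < travel_window:
            minutes = int((ev["ts"] - prev["ts"]).total_seconds() // 60)
            reasons.append(f"{prev['geo']} -> {ev['geo']} within {minutes} min")
        if reasons:
            alerts.append({"user": ev["user"], "time": ev["ts"].isoformat(),
                           "src": ev["src"], "reasons": reasons})
        last_success[ev["user"]] = ev
    return alerts


def analyze(history_text: str, recent_text: str) -> List[dict]:
    return detect_anomalies(build_baseline(parse_log(history_text)), parse_log(recent_text))


if __name__ == "__main__":
    for alert in analyze(HISTORY, RECENT):
        print(alert["time"], alert["user"], alert["src"], "; ".join(alert["reasons"]))
```

On the constructed data this raises two alerts for alice (an unseen country at an unusual hour, then a Brazil-to-Germany hop within 23 minutes) and none for her normal 09:05 login or for bob. In practice the baseline is learned over a longer period and the thresholds tuned to the organisation, but the structure is the same: profile what “normal” looks like for each account and alert on deviations, which is the only way the silent misuse described above becomes visible.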
In one sentence: Use all four techniques to gain the most secure password policy. ;)
In a few more sentences:
- The best practice for password security is to have complex passwords that are generated randomly. Furthermore, a unique password should be used for every single login service. Users should use a password generator for generating random passwords while using a password safe for the secure storage of the different passwords. For example, KeePass can handle both cases.
- The best security is achieved if two-factor authentication based on a hardware token is used. Independent of the attack against the password, the attacker will not be able to log in to any service unless he also owns the hardware token.
- A periodic change of passwords does not gain an enhanced security level for the actual passwords. It is only useful if a password is already stolen and used silently by an attacker. That is: In order to balance security and usability of passwords, it is adequate if end-users must change their passwords once a year (and not every three months, or the like).
- User Awareness: It is much more relevant to explain to users why they should use complex passwords and be careful with them. They should also report any strange behaviour within their systems which could indicate a stolen password or an intrusion in general.
- IT-Security: Administrators must protect their login-services against brute-force attacks, e.g. via “max attempts then disabled” policies, and must recognize anomalies in the login events.
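An added example of the “max attempts then disabled” policy from the last item (my own code, not from the post): a guard that sits in front of the real password check, counts recent failures per account, disables the account for a while once the threshold is reached, and records what happened for the SIEM. The thresholds and names are my choices; the clock is injectable so the behaviour can be shown without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5        # failures allowed inside the window before disabling
    window_seconds: int = 900    # only failures this recent count towards the limit
    lockout_seconds: int = 900   # how long the account stays disabled


class LoginGuard:
    """Enforces a 'max attempts then disabled' policy around the real password check."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}
        self.events: List[Tuple[float, str, str]] = []   # (time, user, event): audit trail for the SIEM

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        return until is not None and self.clock() < until

    def attempt(self, user: str, password_ok: bool) -> str:
        """Returns 'ok', 'denied' or 'locked'.  A correct password during a lockout is
        still refused; otherwise an attacker could keep guessing straight through it."""
        now = self.clock()
        if self.is_locked(user):
            self.events.append((now, user, "attempt while locked"))
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        recent = [t for t in self._failures.get(user, []) if now - t <= self.policy.window_seconds]
        recent.append(now)
        self._failures[user] = recent
        self.events.append((now, user, "failed login"))
        if len(recent) >= self.policy.max_attempts:
            self._locked_until[user] = now + self.policy.lockout_seconds
            self._failures.pop(user, None)
            self.events.append((now, user, f"locked for {self.policy.lockout_seconds}s"))
            return "locked"
        return "denied"


class FakeClock:
    """Test clock: advance() instead of sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> List[str]:
    """Walk one account through the policy; returns the outcome of each attempt."""
    clock = FakeClock()
    guard = LoginGuard(LockoutPolicy(max_attempts=3, window_seconds=900, lockout_seconds=60), clock)
    out = []
    out.append(guard.attempt("alice", False))   # denied
    out.append(guard.attempt("alice", False))   # denied
    out.append(guard.attempt("alice", False))   # locked: third failure hits the limit
    out.append(guard.attempt("alice", True))    # locked: correct password does not help
    clock.advance(61)
    out.append(guard.attempt("alice", True))    # ok: lockout expired, counters cleared
    out.append(guard.attempt("alice", False))   # denied: counting starts again
    clock.advance(1000)                          # that failure is now older than the window
    out.append(guard.attempt("alice", False))   # denied
    out.append(guard.attempt("alice", False))   # denied, not locked: only two recent failures
    out.append(guard.attempt("bob", True))      # ok: other accounts are unaffected
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two caveats a deployment has to address: a per-account lockout lets anyone who knows a user name lock that user out on purpose, so it is usually combined with a limit per source address and a growing delay instead of an outright block; and the lockout events in `guard.events` are precisely the signal the anomaly monitoring above should receive, because a burst of lockouts across many accounts is what an online brute-force attack looks like from the server side.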