Every day we read about an incredible number of successful attacks and data breaches that exploited weak authentication mechanisms, in practically every sector. Often even critical control systems are exposed online protected only by a weak password, in many cases the factory default; careless user behavior and the absence of input validation make many applications vulnerable to external attack.
Today we focus on a report published by the consulting firm Deloitte, titled “Technology, Media & Telecommunications Predictions 2013”, which offers a series of technology predictions, including the outlook for subscription TV services and enterprise social networks. The document rightly expresses great concern about the improper use of passwords, which will continue to cause many problems in 2013; it must be considered that the value of the information protected by passwords continues to grow, attracting ill-intentioned actors.
The report stresses the need to reconsider password management processes in light of the technological context we will face. Duncan Stewart, Director of TMT Research, declared: “Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust. But these can be easily cracked with the emergence of advanced hardware and software.”
“Moving to longer passwords or to truly random passwords is unlikely to work, since people just won't use them,” Stewart said.
“An eight character password chosen from all 94 characters available on a standard keyboard is one of 6.1 quadrillion (6,095,689,385,410,816) possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation. Even gaining access to a credit card would not be worth the computing time. However, a number of factors, related to human behavior and changes in technology, have combined to render the ‘strong’ password vulnerable.”
Using a brute-force attack, an 8-character password can be recovered in only 5.5 hours with a dedicated password-cracking machine built from readily available virtualization software and high-powered graphics processing units. Such a machine costs about $30,000 today, but as the report explains, hackers could obtain the same computational capability from a large botnet.
It is not only password length that concerns the researchers; the human factor also exposes the password management process to serious risks. People do not remember long and complex credentials, so they tend to adopt passwords that are easy to remember and tied to their life experience, and in many cases the same password is re-used over time and across different services, from online movie stores to bank accounts. The average user has 26 password-protected accounts but only five different passwords across them. According to a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have given access to 98.1 percent of all accounts, a figure that gives an idea of how vulnerable the password management process is.
“Once a hacker has a password, he or she can potentially have the keys to the cyber kingdom based on most consumers’ behavior.”
Deloitte predicts that in 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking, with serious consequences: the company in fact predicts billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of the companies that fall victim to attacks.
The report states:
“How do passwords get hacked? The problem is not that a hacker discovers a username, goes to a login page and attempts to guess the password. That wouldn’t work: most web sites freeze an account after a limited number of unsuccessful attempts, not nearly enough to guess even the weakest password. Most organizations keep usernames and passwords in a master file. That file is hashed: a piece of software encrypts both the username and password together. Nobody in the organization can see a password in its unencrypted form. When there is an attempt to log in, the web site hashes the login attempt in real time and determines if the hashed result matches the one stored in the database for that username. So far, so secure. However, master files are often stolen or leaked. A hashed file is not immediately useful to a hacker, but various kinds of software and hardware, discussed in this Prediction, can decrypt the master file and at least some of the usernames and passwords. Decrypted files are then sold, shared or exploited by hackers.”
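To make the arithmetic in the report's quotes and the "master file" attack it describes concrete, here is an added example in Python (not code from the article or from the Deloitte report). It computes the 94^8 keyspace and the time needed to exhaust it at a given guess rate, shows why a stolen file of unsalted fast hashes falls to a dictionary of the most common passwords (equal passwords give equal hashes, so one precomputed table covers every account at once), and contrasts that with per-user salted PBKDF2 storage verified with a constant-time comparison. The user names, the "leaked" hashes and the guess rate are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist: entries from the SplashData list quoted in the article.
COMMON_PASSWORDS = ["password", "123456", "12345678", "abc123", "qwerty",
                    "letmein", "dragon", "111111", "baseball", "welcome"]


def keyspace(length, alphabet_size=94):
    """Number of candidate passwords of `length` symbols over the alphabet
    (94 = every printable character on a standard keyboard)."""
    return alphabet_size ** length


def hours_to_exhaust(length, guesses_per_second, alphabet_size=94):
    """Worst-case hours to try every candidate at a fixed guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / 3600


# --- The weak storage the report describes: one fast, unsalted hash per record.
def weak_hash(password):
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak_file(leaked, wordlist):
    """Offline dictionary attack on a stolen file of unsalted hashes.

    Because equal passwords give equal hashes, the wordlist is hashed once and
    the resulting table is looked up for every account: the cost does not grow
    with the number of users, and users sharing a password are revealed together.
    """
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# --- Hardened storage: per-user random salt, slow KDF, constant-time compare.
ITERATIONS = 600_000  # work factor, in the range currently recommended for PBKDF2-HMAC-SHA256


def make_record(password, salt=None):
    """Store a password as (salt, iterations, PBKDF2 digest). The salt defeats
    precomputed tables; the iteration count makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iters": ITERATIONS, "hash": digest.hex()}


def verify(record, attempt):
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo():
    # Constructed "leaked master file": three users, two of them sharing a password.
    leaked = {"alice": weak_hash("dragon"),
              "bob": weak_hash("Tr0ub4dor&3"),
              "carol": weak_hash("dragon")}
    cracked = crack_weak_file(leaked, COMMON_PASSWORDS)

    # Assumed guess rate at which the 94^8 space takes the report's 5.5 hours.
    hours = hours_to_exhaust(8, 3.08e11)

    # Same password, two users: with salts the stored hashes no longer match.
    r1, r2 = make_record("dragon"), make_record("dragon")
    return {
        "keyspace_8": keyspace(8),
        "hours_at_308G_per_s": round(hours, 2),
        "cracked": cracked,
        "salted_hashes_differ": r1["hash"] != r2["hash"],
        "verify_ok": verify(r1, "dragon"),
        "verify_wrong": verify(r1, "Dragon"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the salted scheme does not make "dragon" a good password: the dictionary attack still works against a single record, it just costs one full PBKDF2 computation per guess per user instead of one table lookup for everyone, which is why the work factor and the rejection of common passwords at enrolment have to go together.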
As described, another problem is related to the use of passwords on various platforms: consider that the average user takes 4-5 seconds to type a strong ten-character password on a PC keyboard, a time that increases to 7-10 seconds on a mobile device with a keyboard and to 7-30 seconds on touchscreen devices. As a consequence, a quarter of the people surveyed admitted to using less secure passwords on mobile devices to save time.
SplashData, which develops password management applications, has published its annual “25 Worst Passwords of the Year” list, enumerating the most common passwords chosen by users.
The three worst passwords haven’t changed from the previous year: they are “password”, “123456” and “12345678”. New entries in the top list include “welcome”, “jesus” and “ninja”.
The top ten list continues with (change in rank from the previous year in parentheses):
abc123 (up 1)
qwerty (down 1)
letmein (up 1)
dragon (up 2)
111111 (up 3)
baseball (up 1)
Have you ever used one of the most popular passwords of 2012 for your own personal accounts? Change it!
What could improve password management? Single sign-on (SSO) systems are a good solution: they make it easy for users to adopt long or random passwords that respect the elementary best practices for password management, since only one credential has to be remembered. The SSO system itself, however, must also be protected from hacking attacks.
The implementation of token-based multifactor authentication (both software and hardware tokens) represents the best compromise between cost and security, and it is also the direction in which IT security is heading.
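As an added example of the token-based multifactor authentication recommended above (not code from the article or from Deloitte), here is the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) that software and hardware tokens commonly implement, together with a server-side verifier that tolerates one time step of clock skew, compares codes in constant time, and refuses to accept a code a second time even while it is still inside the skew window. The shared secret is the RFC 6238 test key, so the codes can be checked against the RFC's test vectors; the user names are constructed.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, reduced modulo 10^digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, algo)


def match_totp(secret, code, at=None, window=1, step=30, digits=6):
    """Return the time-step counter whose code matches, trying the current
    step and `window` steps either side for clock skew, or None. The
    comparison is constant-time so timing does not leak matching digits."""
    at = time.time() if at is None else at
    current = int(at // step)
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + k, digits), code):
            return current + k
    return None


class TotpVerifier:
    """Server side: per-user secrets plus the last accepted counter, so a code
    that was observed once cannot be accepted again within the skew window."""

    def __init__(self):
        self.secrets = {}
        self.last_counter = {}

    def enrol(self, user, secret):
        self.secrets[user] = secret
        self.last_counter[user] = -1

    def check(self, user, code, at=None):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        counter = match_totp(secret, code, at)
        if counter is None or counter <= self.last_counter[user]:
            return False  # wrong code, or replay of an already used step
        self.last_counter[user] = counter
        return True


if __name__ == "__main__":
    # RFC 6238 test key; the token and the server hold the same secret.
    key = b"12345678901234567890"
    server = TotpVerifier()
    server.enrol("alice", key)          # constructed user
    code = totp(key, at=59)
    print("code at t=59:", code)        # 287082 per the RFC 6238 test vectors
    print("first use accepted:", server.check("alice", code, at=59))
    print("replay rejected:", server.check("alice", code, at=75))
```

The second factor only helps if the server also keeps the usual controls on the first one: rate-limit code attempts (a six-digit code has only a million values), store the per-user secret with the same care as a password hash, and bind enrolment to an already authenticated session.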