People Are Still Using Crappy Passwords in 2018

SplashData looked at the passwords of 5 million accounts that were leaked by various breaches in 2018, and found that many users are still using very simple, easy-to-guess passwords.

The top 10 most common passwords, for example, were:

  1. 123456
  2. password 
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567 
  8. sunshine
  9. qwerty
  10. iloveyou

According to SplashData, 2018 is the fifth year in a row that “123456” and “password” were #1 and #2 respectively on their list of common passwords based on analysis of breaches in that year. SplashData offers sensible steps to better create and manage passwords,

1. Use passphrases of twelve characters or more with mixed types of characters.

2. Use a different password for each of your logins. That way, if a hacker gets access to one of your passwords, they will not be able to use it to access other sites. 

3. Protect your assets and personal identity by using a password manager to organize passwords, generate secure random passwords, and automatically log into websites.

But, fundamentally, the systems that are in widespread use these days are far too difficult for end users to easily secure.

Accepting Variations of a User’s Password on Login Attempts

I ran across this Hacker News thread recently about Facebook’s practice of accepting four different versions of a user’s password. According to an email from Facebook, their system will accept:

  1. The original password – password
  2. The original password typed as if caps lock was enabled – PASSWORD
  3. The original password with the first character automatically capitalized, which is still a “feature” on some mobile phones – Password
  4. The original password with an extra character added at the end – Password2

Researchers at Cornell, MIT and Dropbox published a paper in 2016 about this practice, cleverly titled pASSWORD tYPOS and How to Correct Them Securely. According to the abstract,

We provide the first treatment of typo-tolerant password authentication for arbitrary user-selected passwords. Such a system, rather than simply rejecting a login attempt with an incorrect password, tries to correct common typographical errors on behalf of the user. Limited forms of typo-tolerance have been used in some industry settings, but to date there has been no analysis of the utility and security of such schemes.

We quantify the kinds and rates of typos made by users via studies conducted on Amazon Mechanical Turk and via instrumentation of the production login infrastructure at Dropbox. The instrumentation at Dropbox did not record user passwords or otherwise change authentication policy, but recorded only the frequency of observed typos. Our experiments reveal that almost 10% of failed login attempts fail due to a handful of simple, easily correctable typos, such as capitalization errors. We show that correcting just a few of these typos would reduce login delays for a significant fraction of users as well as enable an additional 3% of users to achieve successful login.

We introduce a framework for reasoning about typo-tolerance, and investigate the seemingly inherent tension here between
security and usability of passwords. We use our framework to show that there exist typo-tolerant authentication schemes that can get corrections for “free”: we prove they are as secure as schemes that always reject mistyped passwords. Building off this theory, we detail a variety of practical strategies for securely implementing typo-tolerance.

LostPass Phishing Attack Against LastPass

Every few months, someone comes out with a clever attack on LastPass. In January, for example, Sean Cassidy released his LostPass phishing attack that “allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.”

LostPass is a clever phishing attack. Essentially an attacker creates a fake notice that a user’s LastPass session has expired and asks them to log in. The fake version is visually identical to the actual notice LastPass uses, and even technical users would be unable to distinguish between the real notice and a phishing attempt.

LastPass responded by removing the button in its session expiration notices (so users will, presumably, be able to better distinguish fake versions which would need to have some sort of “login” button). LastPass also now requires users to go through an email-based process to approve logins from any previously unknown device or IP address.

LastPass also points the finger at Google, saying it identified these sorts of problems with the way Chrome displays notifications, but that its complaints fell on deaf ears,

A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.

It is good that people like Cassidy are out there looking for ways to get around LastPass’ security, and also good that LastPass generally responds to these sort of attacks much more quickly and effectively than a lot of companies. Every time a vulnerability in LastPass is found, people I know ask me whether they should still use LastPass, and my answer so far has always been “yes.”

So far the vulnerabilities that have been found in LastPass are of the sort that I still feel far more secure using it to manage my passwords than using some other password manager or (even worse) some other method for creating and managing the passwords to the dozens of services I have credentials for.

Are Lame Password Limits A Problem?

ArsTechnical looked at why there are all of those stupid limits on password length and, sometimes, what characters cannot be used. There is some good information there, but both the author of the piece and some of the folks interviewed seem to misunderstand one of the bigger problems with these artificial limits.

For example, here’s Microsoft’s Eric Doerr on Microsoft’s 16 character limit,

Microsoft imposes a length limit on the passwords its customers create: passwords can include a mix of upper and lower case letters, numbers, and symbols, but they can be no longer than 16 and no shorter than eight characters. Microsoft says that most attacks on accounts cannot be defended by password length, and the company adds that password cracking is hardly its biggest problem.

“Criminals attempt to victimize our customers in various ways and we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords,” a Microsoft spokesperson told Ars.

Toward the end, ArsTechnica writer Casey Johnson adds, perhaps a bit whimsically,

If nothing else, the varying password restrictions keep us from being lazy and using the same password for everything, which is itself good practice.

I suspect it’s the opposite–to the extent these arbitrary limits have any effect on overall security, it is to drive people toward reusing the same short passwords on multiple sites.

If the lowest common denominator is 8 characters with no percentage sign allowed, then many people will just make a single password that most of the services they use daily will accept and reuse that.

I prefer to use 20+ character passphrases. For the sites I use on a daily basis, its fairly easy to remember the passphrase outright. For sites I don’t use regularly, I let LastPass keep track of them and then at least when I have to manually type them in they are things that human beings can easily type rather than 7a6waz(4.

But so many sites won’t allow me to use long passphrases and it is tempting to just recycle a number of 8 character passwords I’ve used over the years.

So Doerr is right that securing passwords is hardly on the top rung of security threats, but not allowing longer passwords encourages habits that make the other attacks he’s more worried about even more likely.

The Problems with Biometrics for Authentication

The other day I came across a blog post by someone lamenting a common problem we all have these days–password management. The blog linked to an article extolling the virtues of using biometrics either as a complete substitute for passwords altogether, or as part of a two-factor authentication system.

It sounds like an awesome, appropriately futuristic idea–instead of having to remember some long password, I’ll just look into my webcam and use a retinal scan instead of a password to prove I am really who I say I am. In fact, this would be a disaster.

Consider how passwords work today. A system asks you to create a password and you dutifully tell it to use “password”. The system on the other end then creates a hash of that password. A cryptographic hash is a one-way function that transforms “password” into “7!aceldfg”. Because it is a one-way function even if I have the hash, I cannot easily determine that “7!aceldfg” is the has for “password.”

In reality, hashing is vulnerable to some attacks and so a smart website will salt the password hash. All this means is that when you type in “password” when creating an account, the website adds additional pseudo-random data to your password. So a website might convert “password” to “password12345” and then hash that. The website then stores both the hash and the salt value.

The benefit of doing this is that it increases the amount of work that an attacker is going to need to do if they compromise the website and gain access to the password file.

So imagine you create a username and password for your bank account, and the attackers gain access to the files containing the usernames and passwords of all the bank’s customers. Maybe the bank had very good security and they encrypted the password files in addition to hashing and salting the passwords.

You know what, though…just to be on the safe side the bank is going to ask you to change your password anyway. And you are once again reminded why you should never use the same password on multiple sites. Maybe you were reusing the same passwords and now you go and finally fix that so you’ve got different, secure passwords on all your accounts.

Great.

Now imagine the bank instead uses a retina or fingerprint scan. You swipe your finger or stare into a webcam, and data gets sent back to the bank which compares it to the hashed, salted version of the data it has on file for your eye or finger and then you get access to your account.

Until today when hackers managed to penetrate the bank’s security and access the user and authentication data. Now, your fingerprint or retinal scan data has been compromised. How do you propose to alter those?

As one biometrics news site sums it up,

Paradoxically, the greatest strength of biometrics is at the same time its greatest liability. It is the fact that an individual’s biometric data does not change over time: the pattern in your iris, retina or palm vein remain the same throughout your life. Unfortunately, this means that should a set of biometric data be compromised, it is compromised forever. The user only has a limited number of biometric features (one face, two hands, ten fingers, two eyes). For authentication systems based on physical tokens such as keys and badges, a compromised token can be easily canceled and the user can be assigned a new token. Similarly, user IDs and passwords can be changed as often as required. But if the biometric data are compromised, the user may quickly run out of biometric features to be used for authentication.