
Password Security: Efficient Protection of Digital Identities

Daniel Dimov
October 30, 2015

Section 1. Introduction

Almost all devices we own and online accounts we create rely on an authentication system, a crucial element of personal data security. Bank accounts, social networks, music playlists, emails, work and study material, chat history: these and much more data stored online are protected by passwords.

However, although every new account created online requires submitting a strong and unique password, many users still use simplistic password combinations and easily identifiable credentials, thus endangering the protection of their sensitive information.

This article will contribute to the fields of personal data protection and information security awareness by exploring generation of secure passwords (Section 2), studying the five most common methods for password cracking (Section 3), discussing personal data breaches related to vulnerable passwords (Section 4), and providing suggestions for efficient protection of personal data (Section 5). In Section 6, a conclusion is drawn.

Section 2. Generating Secure Passwords

Technological innovation today offers an increasing number of new access control systems. For example, fingerprint scanners are installed not only in government and corporate security gadgets, but also in consumer goods, including iPhones and Android smartphones. Other authentication systems are based on voice identification, retina scanners, and USB tokens. However, passwords and PIN codes still remain ubiquitous tools for protection of applications and online accounts, even though the weaknesses of password-based security are widely discussed.

Addressing the issue of data security, governmental agencies and companies managing data protection frequently issue material about the dangers of insecure password use and recommendations for improving personal data security. Every year, Internet users are shown the most popular and least secure passwords. For 2014, the worst passwords, according to the annual list issued by the password management company SplashData, were the simplistic "123456," "password," "qwerty," and "baseball." These and similar lists are created by analyzing millions of passwords leaked during the year. Although the importance of security awareness is increasingly being highlighted, the list of the most insecure passwords hardly changes over the years.

Another report about online credentials, "Mobile Identity – The Fusion of Financial Services, Mobile and Identity," highlights the growing skepticism about password use in financially sensitive applications, such as online banking. According to the study, customers would rather protect their banking operations with biometrics, such as a fingerprint or voiceprint, than with passwords. The study also highlights patterns of password use. It reports that a large share (44%) of people use several identical passwords to protect their digital identities, and that one in five persons uses the same password across numerous online accounts. Moreover, when creating and managing passwords, only 5% of users trust a random password generator, and a mere 12% employ password management utilities.

Observing the challenges posed by vulnerable passwords and data breaches makes it possible to identify the most common mistakes made when choosing, saving, and managing passwords for digital identities. The publication "Password Security, Protection, and Management," issued by the U.S. Computer Emergency Readiness Team, describes three types of mistakes commonly made while creating online credentials.

  1. Using a weak password. The use of passwords that reflect the user's name, birthday, or common phrases found in a dictionary increases the chance for password cracking. The examples of weak passwords include "p@ssw0rd," "John1983," "monkey," "abc123," "master," "superman," etc.
  2. Using the same password for all accounts. Using one password that gives access to multiple accounts significantly increases the chance of personal data breaches. For example, a cyber-attacker who cracks the password of a user's Facebook account can also easily access billing, banking, healthcare, or other types of private information stored under the same password.
  3. Exposing passwords to others. Passwords that are saved on public computers, written on a note, or discussed with other people lose their protective power. Physically accessible passwords can become an object of theft. Similarly, online credentials saved in a web browser, as well as passwords stored in public recovery tools, can be easily decoded by skilled hackers.

In order to address the challenges of password weaknesses, web developers offer a variety of tools to assess the strength and safety of passwords. For example, the app "Password Strength" designed for iPhone and iPad is available on iTunes for less than $5. The app not only rates a password by running strength-estimation algorithms on the device's processor, but also offers additional functionality: it attempts to crack the chosen password and reports how long the iOS device would need to guess it. Another feature of the app generates secure random passwords for the user's accounts. Similarly, a number of websites, including the Microsoft Safety and Security Center (https://www.microsoft.com/es-xl/security/pc-security/password-checker.aspx), How Secure is My Password (https://howsecureismypassword.net), and Rumkin (http://rumkin.com/tools/password/passchk.php), offer password strength estimation services.
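The checkers named above do not publish their scoring rules, so the following is an added example, not code from the article or from any of those services, of what a strength estimator typically computes: a lookup against a list of known-weak passwords (the constructed list below reuses the examples from the mistakes list above), the character classes used, the resulting keyspace and entropy in bits, and a brute-force time estimate at an assumed guess rate. The guess rate, the verdict thresholds, and the function names are assumptions for illustration.

```python
import math
import string

# Constructed sample of weak passwords, taken from the examples quoted in the
# article's list of common mistakes (not a real leaked-password corpus).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "baseball", "p@ssw0rd",
    "john1983", "monkey", "abc123", "master", "superman",
}

# Assumed guess rate for the time estimate: 10^10 guesses per second, a rough
# figure for offline guessing against a fast unsalted hash (assumption).
GUESSES_PER_SECOND = 10 ** 10

CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),
    "upper": len(string.ascii_uppercase),
    "digit": len(string.digits),
    "symbol": len(string.punctuation),
}

CLASS_MEMBERS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(pw: str) -> dict:
    """Which of the four character classes the password actually uses."""
    return {name: any(c in members for c in pw) for name, members in CLASS_MEMBERS.items()}


def keyspace(pw: str) -> int:
    """Number of strings of the same length drawn from the same character classes."""
    alphabet = sum(CLASS_SIZES[name] for name, used in character_classes(pw).items() if used)
    return alphabet ** len(pw) if alphabet else 0


def entropy_bits(pw: str) -> float:
    """log2 of the keyspace: how many bits a brute-force search must cover."""
    ks = keyspace(pw)
    return math.log2(ks) if ks else 0.0


def brute_force_seconds(pw: str) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(pw) / GUESSES_PER_SECOND


def assess(pw: str) -> dict:
    """Rate a password as weak / moderate / strong (thresholds are assumptions)."""
    if pw.lower() in COMMON_PASSWORDS:
        # A dictionary hit makes the keyspace figure irrelevant: it is found
        # after a handful of guesses regardless of length or symbols.
        return {"verdict": "weak", "reason": "in common-password list", "bits": 0.0}
    bits = entropy_bits(pw)
    if bits < 40:
        verdict = "weak"
    elif bits < 60:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {
        "verdict": verdict,
        "reason": f"{len(pw)} chars, {bits:.1f} bits, ~{brute_force_seconds(pw):.3g} s to exhaust",
        "bits": round(bits, 1),
    }


if __name__ == "__main__":
    for candidate in ["password", "John1983", "abcdefgh", "Ia2012ImfDtB"]:
        print(candidate, assess(candidate))
```

Note that "John1983" is rejected by the list lookup even though its mix of upper, lower and digits would otherwise score around 47 bits, which is the point of checking against known passwords before computing keyspace.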

Section 3. The Five Most Common Password Cracking Methods

Hackers aiming to acquire the personal information of online users usually employ one of the popular password cracking techniques concisely discussed below.

  1. Dictionary attacks. Using this method, hackers defeat password-protected authentication systems, or recover passwords from stolen hashes, by repeatedly trying candidate passwords. The candidates are words, phrases, and other likely choices drawn from a dictionary or word list.
  2. Brute force attacks. Similarly to dictionary attacks, this method recovers a password (or the key protecting hashed or encrypted data) by systematically trying every possible combination of characters until the correct one is found.
  3. Rainbow table attacks. For this type of password cracking attack, hackers use rainbow tables, large pre-computed sets of hash values matched to potential plaintext passwords. Instead of hashing each guess, the attacker looks up a stolen hash in the table to find a plaintext that produces it. In comparison with dictionary or brute force attacks, a rainbow table attack can be completed in a much shorter period of time.
  4. Phishing. Phishing, an especially popular type of social engineering attack, aims at obtaining the user's login details and password by using a fake webpage that is strikingly similar to the legitimate website. As soon as the victim clicks on the link in an email and enters the requested online credentials, the hacker acquires the user's protected data.
  5. Malware. By installing malware (e.g., a "Password Stealer" Trojan) on the user's computer, a hacker becomes able to record keystrokes or take screenshots of the targeted user's activities. Thus, any online credentials entered on an infected computer can be stolen by the attacker.

Section 4. Password-Related Security Breaches

Not only individuals, but also big corporations are vulnerable to privacy breaches and password cracking. A number of companies, including Apple, Sony Pictures, Twitch, and Ashley Madison, have recently faced data security issues.

To begin with, a recent large-scale iCloud hack caused a leak of nude photos and other private images of Hollywood celebrities, including Kirsten Dunst and Avril Lavigne, among others. Although Apple's investigation concluded that individual celebrity accounts, and not the iCloud system itself, were targeted, the hackers managed to publish the celebrities' intimate photos after cracking their usernames, passwords, and security questions.

Further, Twitch, a video platform that allows Xbox and PlayStation gamers to stream their game videos live online, was hit by a data breach. Hackers accessed the online accounts of the users by intercepting account passwords. The information obtained by the hackers included gamers' IPs, emails, credit card types, phone numbers, addresses, etc.

In addition, in summer 2015, a hacker group that aimed to shut down the controversial dating website Ashley Madison carried out an attack involving the cracking of website users' passwords. A total of 15 million passwords were affected by the attack, which has significantly impacted the website's operations. The data obtained by the hackers included not only users' online credentials, but also their names, addresses, and phone numbers. Although the stored passwords were encrypted, some shortcuts and a programming error made them vulnerable to cracking. While a single properly protected password takes years to crack, the group managed to break millions of Ashley Madison passwords in only 10 days.

The Hollywood giant Sony Pictures Entertainment was also shaken by a data breach at the end of 2014. A team of hackers exposed the company's confidential data (e.g., information about employees' families, emails, and salaries) online and disrupted the releases of a number of films, such as Still Alice, Mr. Turner, and To Write Love on Her Arms. The investigation revealed that employees of Sony Pictures did not properly protect the company's confidential information. For example, Sony saved thousands of important passwords on the company's internal computers in a separate folder called "Password." Moreover, the exposed passwords used by the company's employees were weak, including "password" and "s0ny123", among others.

Section 5. Recommendations for Efficient Passwords

Although the panacea against hacks has not been yet invented and all online accounts are vulnerable to cyber-attacks, the tips discussed below will help to create a secure password that will be a powerful protector of confidential information stored online. In order to create secure online credentials:

  1. Generate incomprehensible but still memorable passwords. A password that does not make sense is far harder to guess and is less likely to fall to a dictionary or brute force attack.
  2. Use long passwords. A strong password should consist of at least 8-9 characters and should be completely different from the username.
  3. Combine different characters. The use of different character types in a password, such as uppercase and lowercase letters, numbers, and symbols, makes the password more complicated to guess.
  4. Create passphrases instead of passwords. Passphrases are safer than regular passwords and can be created by taking the first letter of each word in a sentence in order to produce an illogical code. For example, the sentence "In autumn 2012, I moved from Dallas to Boston" would become the passphrase "Ia2012ImfDtB."
  5. Use different credentials for different websites. Using separate passwords for emails, social network websites, and banking systems makes the user more resistant to a chain of compromises. If one of the user's accounts is hacked, the hacker will not be able to access other important online records.
  6. Employ a password manager. Password generating software offers the possibility to create and manage strong passwords consisting of random characters. A number of websites (e.g., random.org, passwordsgenerator.net, strongpasswordgenerator.com, or lastpass.com) also offer similar services.
  7. Change passwords regularly. Changing passwords frequently limits the time during which a password can be used after it is cracked or stolen. Thus, if the password is updated regularly, the attacker cannot use it for a long period of time.
  8. Disable the "Remember password" feature in all systems. Letting a browser or other software remember passwords makes the account vulnerable. For example, if a computer, smartphone, or tablet is stolen or infected with malware, the attacker can use the saved password and recover the information it protects.
  9. Don't physically save or share passwords. Passwords, like other private identification data, should remain confidential. Thus, writing a password down on a piece of paper or discussing it with other people increases the chance of a security attack and personal data theft.
  10. Avoid public computers and public Internet. Public computers in libraries, Internet cafes, or universities often remember the credentials typed by users and record their activities. Thus, the data saved by a public computer can become a tool for a personal information breach. Similarly, the use of public Wi-Fi increases the potential threat of a cyber attack, because devices connected to the same network are significantly more exposed to attack and data theft.
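Recommendations 4 and 6 above each describe a generation rule, and the added example below (not code from the article or from any of the named websites) implements both: the sentence-to-passphrase rule, reproducing the article's own "Ia2012ImfDtB" result (first letter of each word, numbers kept whole, punctuation dropped), and a random password generator built on the operating system's CSPRNG via Python's `secrets` module, which resamples until all four character classes of recommendation 3 are present. Function names and the default length are assumptions.

```python
import secrets
import string


def passphrase_from_sentence(sentence: str) -> str:
    """Derive a passphrase the way the article describes: first letter of each
    word, with numeric tokens kept whole and surrounding punctuation removed."""
    parts = []
    for token in sentence.split():
        word = token.strip(string.punctuation)
        if not word:
            continue  # token was pure punctuation, e.g. a lone dash
        parts.append(word if word.isdigit() else word[0])
    return "".join(parts)


# Full printable ASCII alphabet minus whitespace: 94 symbols per position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(pw: str) -> bool:
    """True when lower, upper, digit and symbol are all present (recommendation 3)."""
    return (
        any(c in string.ascii_lowercase for c in pw)
        and any(c in string.ascii_uppercase for c in pw)
        and any(c in string.digits for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def random_password(length: int = 16) -> str:
    """Generate a random password with the OS CSPRNG (secrets, never random.random).

    Rejection sampling keeps every accepted password uniformly distributed
    over the set of passwords that satisfy the class rule; the loop almost
    never runs more than a couple of times at length 16."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    print(passphrase_from_sentence("In autumn 2012, I moved from Dallas to Boston"))
    print(random_password())
```

The passphrase rule is only as strong as the sentence behind it: a sentence the user has posted publicly, or a famous quotation, reduces the guessing problem back to a dictionary lookup, so the sentence itself should be private and not a line a cracking word list would contain.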

Section 6. Conclusion

With a growing amount of information stored online, the reliability of the security systems that protect personal information is receiving more attention from the private and public sectors worldwide. Although advancing technology offers a number of new authentication systems, such as voice recognition or retina and fingerprint scanners, passwords still remain the most popular form of data protection. The widely discussed cases of data breaches, which affect individual users and large corporations every year, highlight the need for users' and software developers' awareness regarding password security.

This article has discussed various aspects of online password management. It has shown that online accounts are endangered by hackers who employ dictionary, brute force, and malware attacks, among others, for password cracking. Moreover, the article has reviewed the recent major personal data breaches related to password vulnerabilities. Finally, the article has offered tips that can help to better protect users' credentials and data stored online. Although a number of software and online password generators can help to create, assess, and save passwords, the crucial part of data security is the user's awareness. The ten recommendations provided in the article can help to protect the growing number of our digital identities.

References

  1. https://www.us-cert.gov/sites/default/files/publications/PasswordMgmt2012.pdf
  2. https://atlas.qz.com/charts/NyL3uhCp
  3. http://www.telegraph.co.uk/technology/news/11864004/The-most-popular-passwords-for-Ashley-Madison-users-are-very-funny.html
  4. http://www.ggsit.com/risk-and-unsafe-password-and-how-to-choose-a-good-one/
  5. http://gadgets.ndtv.com/internet/features/hacking-the-real-world-how-your-keys-are-as-unsafe-as-your-password-650718
  6. http://www.eweek.com/small-business/consumers-keep-track-of-passwords-in-unsafe-ways.html
  7. http://www.techtimes.com/articles/27615/20150120/here-s-the-list-of-2014s-worst-passwords.htm
  8. http://blog.etelesolv.com/it_assets_16_tips_to_secure_passwords
  9. https://www.bigbrotherwatch.org.uk/wp-content/uploads/2015/09/Passwords.pdf
  10. http://www.speedypassword.com/articles/changing-your-password-on-a-regular-basis-pros-cons/
  11. http://www.computerweekly.com/news/4500253313/Ashley-Madison-data-breach-escalates-with-password-encryption-failure
  12. http://www.theregister.co.uk/2015/03/23/twitch_hacked/
  13. http://www.wsj.com/articles/apple-celebrity-accounts-compromised-by-very-targeted-attack-1409683803
  14. http://www.telegraph.co.uk/technology/sony/11274727/Sony-saved-thousands-of-passwords-in-a-folder-named-Password.html
  15. https://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack

Co-Author


Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master's degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.