The following blog post was created using an excerpt from the Stealthbits Technologies/emt Distribution presentation “Prioritizing Password Security with Troy Hunt: The Good, the Bad, and the Ineffective”. Please see here to view the complete presentation.
Let’s talk about passwords. In particular, let’s talk about where we’ve come from, where we are at the moment, and where things are going in the future.
The history lesson of passwords is enormously important because it helps us understand why we are in the situation we’re in today. Because let’s face it, we do have some problems… Let’s start here:
This is MIT in the 1960s and what’s pictured is the Compatible Time Sharing System. What’s the significance? This is believed to be the first-ever use of a password on a computer system. It’s fascinating to look at this now and think something designed in that era is fundamentally the same principle we use today, 60 years later.
The first thing you notice: it’s an entire room of computer. It’s a massive system you need physical access to in order to authenticate. So that’s important. In terms of the differences of authentication then and now, it’s this point of physical access. And then once you’re in there, you have to know what you’re doing!
And for the folks that were creating passwords back in the 60s, they could use their dog’s name because there was no Facebook. They weren’t putting their secrets out there all over the web. It was a very simple time compared to where we are now, but the same fundamental construct we have today was born back then: when you log on, you have two strings – a username and a password. If the two strings the user provides are the same as the two strings in the system, you’re good to go.
Now, if we go forward a couple of decades and get into the 1980s, we start to get computers in the home. It’s no longer just physical access; it’s computers in the home that can actually authenticate to centralized services. Here’s a clip of how someone at that time uses their Prestel terminal and how they would authenticate to the service. It’s important to note that Prestel was used by about 90,000 people around the world. And when you dial in, it asks you to authenticate. Take a look and watch closely:
[Complete video: https://www.youtube.com/watch?v=szdbKz5CyhA&feature=youtu.be]
As he types in 4 sequential numbers!
This is important because it shows we’ve been making bad password choices for at least 40 years. What’s really fascinating about this: the guy just wants to use his computer! The password is a barrier between him and doing the thing that he’s sitting there to do in the first place.
The lesson is: humans are very good at finding the path of least resistance around the security barriers that are put in front of them. Clearly, this is problematic.
If we have simple passwords that are easily guessed, people are going to figure them out. And in the current era, everyone’s got a computer! Not just in their home, but in their pocket, on their wrist. We’re all sophisticated users now in terms of our ability to understand how the systems work.
We also have lots of problems around the strength of our passwords, so we decided to create password complexity criteria. “1, 2, 3, 4” is not a good password – it’s too easy to guess. Instead, you must have at least 6 characters. It needs an uppercase, a lowercase, a number, and a non-alphanumeric character, ensuring you cannot have an easily guessed password like “1, 2, 3, 4”.
So instead, people create passwords like this: “MySafeP@ssw0rd!”
This solves the problem, right? Except, it clearly doesn’t solve the problem…
Although this meets all our complexity criteria – uppercase, lowercase, number, non-alphanumeric…also 15 characters long… it also demonstrates a clearly recognizable pattern.
Imagine you go to a website and you want to use that terrible 6 characters, all lowercase, password that you’ve been using everywhere else. But the website doesn’t allow it. You’re going to need at least one uppercase character. What do you do?
“Oh, I’ll just uppercase the first character!”
And then what if you need a number?
“Oh, I’ll just put a ‘1’ at the end!”
And what if you need a non-alphanumeric?
“Oh, I’ll just put a ‘!’ at the end!”
It’s fascinating because this user behavior spans cultures. I can go anywhere around the world, and ask the same questions, and get the same answers. This is what people do. So, does password complexity really help? Or does it lead to predictable patterns? And worse than that, if you use this kind of password – what happens in 90 days when you’re asked to update your password? Because a hacker could have gotten it? What do you do? You increment the number, the end!
So clearly, there are problems with this approach, and as an industry, we’re starting to recognize this and starting to change.
For a couple of examples of this, let’s start with guidance the National Cyber Security Centre (NCSC) in the UK put out a few years ago. The NCSC does some fantastic work on both consumer and business-facing cybersecurity advice, including “only ask users to change the password on an indication of suspicion of compromise”. Get rid of this 90-day rotation stuff! What it does is lead to very predictable behaviors. Ultimately, it leads people to choose weaker secrets than if they were to create a password and then stick with it for a longer duration. Another example is from NIST (National Institute of Standards and Technology). NIST came out with similar advice around the same time, saying “Verifiers [anyone creating a system that verifies a password] should not impose composition rules for memorized secrets.” What this means: don’t have composition rules for things like uppercase, lowercase, non-alphanumeric, or the rest of it, because (again) it leads to a predictable pattern.
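To make the contrast concrete, here is an added example (not code from the presentation or from any product it mentions) that puts the classic composition policy side by side with a check written in the spirit of the NCSC/NIST advice above: a length floor, no composition rules, and rejection of anything that collapses to a known-bad value once the predictable decorations (capitalised first letter, trailing digits and symbols, leetspeak) are stripped off. The tiny word list and the normalisation rules are my own assumptions standing in for a real breached-password corpus; `is_trivial_rotation` is the same idea applied to the 90-day “increment the number” habit.

```python
import re
from typing import Tuple

# Constructed stand-in for a breached/common-password corpus (assumption: a real
# verifier would check against a large list such as a Pwned Passwords download).
COMMON_BASE_WORDS = {"password", "qwerty", "letmein", "welcome", "monkey", "dragon"}

# Substitutions people make to satisfy "must contain a number or symbol".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s", "7": "t"})


def meets_composition_rules(password: str) -> bool:
    """The policy from the post: >= 6 chars with upper, lower, digit and symbol."""
    return (len(password) >= 6
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def normalize(password: str) -> str:
    """Undo the predictable transformations: trailing digits/symbols, leet, case."""
    stripped = re.sub(r"[\d\W_]+$", "", password)   # drop the '1!' style suffix
    return stripped.translate(LEET).lower()          # P@ssw0rd -> password


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with its suffix bumped."""
    base = normalize(new)
    return old != new and base != "" and normalize(old) == base


def check_password(password: str, min_length: int = 8) -> Tuple[bool, str]:
    """No composition rules; a length floor plus a known-bad check on the base."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    base = normalize(password)
    if base in COMMON_BASE_WORDS:
        return False, f"'{base}' is a common password once decorations are removed"
    # Heuristic (assumption): a long-enough common word buried in the base still
    # marks the "MySafeP@ssw0rd!" pattern; real deployments tune this.
    for word in COMMON_BASE_WORDS:
        if len(word) >= 6 and word in base:
            return False, f"contains the common word '{word}' after normalization"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["MySafeP@ssw0rd!", "Password1!", "correct horse battery staple"]:
        print(pw, meets_composition_rules(pw), check_password(pw))
    print(is_trivial_rotation("Password1!", "Password2!"))
```

The point the output makes is the one the text makes: “MySafeP@ssw0rd!” satisfies every composition rule yet fails the normalised check, while a long passphrase with no uppercase, digits or symbols passes.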
When we allow people to make those choices they end up making very bad decisions. This is a problem, so what are we going to do differently and why does it actually matter?
The industry itself has become a very, very different environment. We have a huge amount of Transport Layer Security for example – encryption by default on the network. And now, TLS on externally facing web applications is almost ubiquitous. It’s extremely rare that you go to a website, certainly one which takes a password or a credit card or anything like that, and doesn’t implement HTTPS by default.
Other differences, we’re getting things like User Behavioral Analytics (UBA). UBA works like this: Bob works for the Sales Department here in Australia, he logs on each morning, does a few spreadsheets. One day Bob logs on from Beijing and downloads 5 gigabytes worth of marketing data…
Maybe that’s not Bob?!?
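The Bob scenario as a small detection, added here as an illustration rather than code from the presentation or from any UBA product: build a per-user baseline (countries seen, mean download volume) from a training window, then flag a session that is both from an unseen country and far above the user’s usual volume. The events, the training window of four days and the 10× volume factor are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed session records (not real telemetry): user, day, source country,
# megabytes downloaded in that session.
EVENTS = [
    {"user": "bob",   "day": 1, "country": "AU", "download_mb": 12},
    {"user": "bob",   "day": 2, "country": "AU", "download_mb": 8},
    {"user": "bob",   "day": 3, "country": "AU", "download_mb": 15},
    {"user": "bob",   "day": 4, "country": "AU", "download_mb": 10},
    {"user": "alice", "day": 1, "country": "AU", "download_mb": 300},
    {"user": "alice", "day": 2, "country": "AU", "download_mb": 250},
    {"user": "alice", "day": 3, "country": "AU", "download_mb": 280},
    {"user": "alice", "day": 4, "country": "AU", "download_mb": 320},
    # Day 5: "Bob" appears from a new country and pulls 5 GB; Alice has a large
    # but ordinary day for her.
    {"user": "bob",   "day": 5, "country": "CN", "download_mb": 5000},
    {"user": "alice", "day": 5, "country": "AU", "download_mb": 400},
]


def build_baselines(events, training_days):
    """Per-user profile from the training window: countries seen and mean download."""
    seen = defaultdict(lambda: {"countries": set(), "downloads": []})
    for e in events:
        if e["day"] <= training_days:
            seen[e["user"]]["countries"].add(e["country"])
            seen[e["user"]]["downloads"].append(e["download_mb"])
    return {u: {"countries": p["countries"], "mean_mb": mean(p["downloads"])}
            for u, p in seen.items()}


def score_event(event, baseline, volume_factor=10):
    """Return the anomaly signals an event trips against its user's baseline."""
    signals = []
    if event["country"] not in baseline["countries"]:
        signals.append("new_country")
    if event["download_mb"] > volume_factor * baseline["mean_mb"]:
        signals.append("volume_spike")
    return signals


def detect(events, training_days=4):
    """Alert only when both signals fire: either alone is noisy (travel, a big
    report); together they are the "maybe that's not Bob" case."""
    baselines = build_baselines(events, training_days)
    alerts = []
    for e in events:
        if e["day"] <= training_days or e["user"] not in baselines:
            continue
        signals = score_event(e, baselines[e["user"]])
        if len(signals) == 2:
            alerts.append((e["user"], e["day"], e["country"], signals))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In practice the response to such an alert is a step-up (re-authentication, a second factor) or an analyst review rather than an outright block, because the baseline is built from whatever the user happened to do during training.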
So we’ve got more intelligence; then we’ve also got things like two-factor authentication. Everything from SMS, soft tokens, hard tokens, U2F keys… Much less usage of the password. So the industry is changing and we’re adapting to try and make security controls that actually work as opposed to just being a bit of Security Theater.
Now let’s explore why this is a problem. Why do we keep having problems with passwords, what are the big problems we have…
A really good example of this is credential stuffing. Take an industry example: Google Nest, the smart home automation technology provider, had a bit of an issue. The media reported the chilling moment when a hacker cranked up a family’s heat in their home and started talking to them through their Google Nest camera. Now that’s terrifying… to have a stranger in your house… watching you…
For more information on this attack, see here: https://www.businessinsider.com/hacker-breaks-into-smart-home-google-nest-devices-terrorizes-couple-2019-9
The headlines talked about ‘hackers’ being the culprit. The perception most people have when they see a reference to a ‘hacker’ is “Wow, this is someone sophisticated – maybe they found a vulnerability somewhere, maybe they bought a Zero-Day off the Dark Web or something like that”.
But then you read the story and Google’s response, you learn “these reports are based on customers using compromised passwords exposed through breaches on other websites.” So as traumatic as it was, the underlying problem was that they used the same password on their Google Nest camera as they did somewhere else. That password got breached from another system, spread around the web, someone picked it up and logged onto their Google Nest camera. And that’s credential stuffing: credentials exposed in one place and then tested against other places.
People then pose the question “Where do the usernames and passwords come from?”
If we’ve got this problem of credential stuffing with bad actors getting these username/password “combo lists” and testing them against accounts, where did they come from? Do they come from the Dark Web?
There are certainly Dark Web market places where you can buy stolen data. But the thing that’s even scarier than having this data on the Dark Web, is having it on the clear web.
As shown in the picture and link provided, this is where a lot of the credential stuffing lists exist. They sit out there, not on an anonymous hidden service, but literally tweeted out. All of the links listed in the image are now dead, but equally all of those collections are also very easily discoverable. As a point of reference, “Collection #1” released early last year, had over a billion combinations of email addresses and passwords in it!
I’m in there. My email address is in there. A very bad password I used many years ago is in there… But I’m in good company because there is a 10-figure number of other people that are on that same list. Bad actors take these lists and say “I wonder if these work?”
And they automate. They bounce it through proxies so the attempts come from different IP addresses. And then they randomize user-agent strings so as not to follow any pattern you can easily block. This is why credential stuffing becomes a very difficult problem.
The asymmetry here is that credential stuffing is very easy for attackers to mount but very hard for defenders to stop, at least without putting usability barriers in the way. We see things like captchas or forced 2FA, but these are things that people really don’t like. So this is a major problem, and we will also see data from credential stuffing lists start to appear in all sorts of other places as well…
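Why per-IP blocking misses this, and what does catch it, shown as an added example (not code from the presentation or from Have I Been Pwned) run over constructed log lines: when every attempt comes from a different proxy with a different user-agent, no single IP ever reaches a lock-out threshold, but looking at a time window as a whole still shows the signature of a combo list being replayed: many failures spread across almost as many distinct accounts and source addresses. The log format, the 5-minute window, the thresholds and the sample data are all my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) LOGIN_(?P<result>FAIL|OK) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed burst: ten failures in one minute, each for a different account,
# from a different address, with a rotating user-agent. No real users or hosts.
_NAMES = ["amy", "ben", "cal", "dee", "eve", "fay", "gus", "hal", "ivy", "jon"]
_UAS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (X11; Linux x86_64)",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X)", "Mozilla/5.0 (iPhone; CPU iPhone OS)",
        "Mozilla/5.0 (Android 10)"] * 2
STUFFING_BURST = [
    f'2020-06-10T10:00:{i:02d}Z LOGIN_FAIL user={u} ip=198.51.100.{10 + i} ua="{ua}"'
    for i, (u, ua) in enumerate(zip(_NAMES, _UAS))
]
# Constructed benign noise: one user mistyping twice, then succeeding, from one IP.
NORMAL_NOISE = [
    '2020-06-10T10:05:10Z LOGIN_FAIL user=carol ip=203.0.113.7 ua="Mozilla/5.0 (Macintosh)"',
    '2020-06-10T10:05:14Z LOGIN_FAIL user=carol ip=203.0.113.7 ua="Mozilla/5.0 (Macintosh)"',
    '2020-06-10T10:05:20Z LOGIN_OK user=carol ip=203.0.113.7 ua="Mozilla/5.0 (Macintosh)"',
]
LOG_LINES = STUFFING_BURST + NORMAL_NOISE


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def window_key(ts, minutes=5):
    """Bucket an ISO timestamp into a fixed-size window start."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(minute=t.minute - t.minute % minutes, second=0)


def detect_stuffing(lines, min_attempts=8, spread=0.8, per_ip_limit=5):
    """Return (ips a per-IP limiter would block, window-level stuffing alerts)."""
    per_ip = defaultdict(int)
    windows = defaultdict(lambda: {"attempts": 0, "users": set(), "ips": set(), "uas": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        per_ip[ev["ip"]] += 1
        w = windows[window_key(ev["ts"])]
        w["attempts"] += 1
        w["users"].add(ev["user"])
        w["ips"].add(ev["ip"])
        w["uas"].add(ev["ua"])
    per_ip_blocked = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    alerts = []
    for start, w in sorted(windows.items()):
        n = w["attempts"]
        # Signature of a replayed combo list: failures spread across almost as
        # many accounts and source addresses as there are attempts.
        if n >= min_attempts and len(w["users"]) / n >= spread and len(w["ips"]) / n >= spread:
            alerts.append({"window": start.isoformat(), "attempts": n,
                           "distinct_users": len(w["users"]),
                           "distinct_ips": len(w["ips"]),
                           "distinct_uas": len(w["uas"])})
    return per_ip_blocked, alerts


if __name__ == "__main__":
    blocked, alerts = detect_stuffing(LOG_LINES)
    print("per-IP limiter would block:", blocked)
    for a in alerts:
        print("stuffing window:", a)
```

The window-level signal is what lets a defender act on the attempt pattern (step-up authentication for the accounts touched, a breached-password check at login) without per-IP lock-outs that a proxy pool simply walks around.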
A few months ago, we saw Anonymous pop up and leak a whole bunch of Minneapolis Police Department email addresses and passwords. We know it was Anonymous because they said, “We’re Anonymous”, but in reality, we have no idea. It could be someone who wanted to attribute it to Anonymous because Anonymous represents the ideal they wanted to follow. It was a very tense time in Minneapolis and many people wanted to believe in this leak. So their message was “We’ve hacked the Minneapolis Police Department, here are hundreds of email addresses and passwords of police officers – go forth and spread this!” And Twitter accounts were actively encouraging people to spread this. “Twitter do your thing! Thank you Anonymous!” This is what it looks like. Most of these addresses were at “@ci.minneapolis.mn.us”, which was the Minneapolis Police Department domain. The domain was correct, and the email addresses were correct, and the passwords were correct.
But this seemed off to me… It didn’t look like a typical data breach. I wanted to figure out what had actually happened with this data so, because I run the data breach service “Have I Been Pwned” with nearly 10 billion accounts, I had a sizable corpus of information to compare it to.
My analysis eventually popped up in the news – there’s a blog post on my blog about it – as well as this article from ThreatPost with the headline “Minneapolis Police Department Hack Likely Fake, Says Researcher” (i.e. “me”).
One of the first things I found was there were 689 unique email addresses. That’s a very, very small data breach. The average-sized data breach on “Have I Been Pwned” would be many 100s of 1,000s of records. Not only that, but 654 of those addresses are already in “Have I Been Pwned”. Now that’s a really, really, high percentage (95%). Normally when I load a data breach into “Have I Been Pwned”, about 60 to 80% of the accounts are already in another data breach. But to be at 95% was really unusual. It didn’t smell right…
I also found 795 passwords in the system. The number of passwords was greater than the number of email addresses because sometimes it’s the same account with multiple passwords (more on this later). Now, of those passwords, 709 of them were already in “Have I Been Pwned”, and “Have I Been Pwned” has a feature that just lists passwords that have been previously seen. Again, a very, very high percentage. Regarding the same email address with multiple passwords – this doesn’t happen in a normal organic system. If you try and go and register a second time in a system you’re already registered in, it usually says “No – you are already here”. So what I concluded: this was just a collection of email addresses on that Minneapolis Police Department domain which had already been seen in a credential stuffing list. Someone bundled them up, put them out there at a highly emotional time, and encouraged other people to redistribute it. But it was disinformation.
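The three checks described in the analysis above (overlap of addresses with a reference corpus, overlap of passwords, and addresses carrying more than one password) as an added, runnable example that is not the author’s tooling and does not touch Have I Been Pwned: the reference sets and the claimed leak are constructed, and the 90% threshold is my own assumption chosen to reflect the “normally 60 to 80%” baseline the text gives.

```python
from collections import defaultdict

# Constructed reference corpus standing in for Have I Been Pwned's data
# (assumption: the real service holds billions of records, this holds a handful).
KNOWN_EMAILS = {f"user{i}@example.org" for i in range(1, 10)}   # user1..user9
KNOWN_PASSWORDS = {"password1", "qwerty", "letmein", "hunter2", "summer2019",
                   "iloveyou", "football", "welcome1", "monkey", "dragon"}

# Constructed "leak" in address:password form, presented as a fresh breach.
CLAIMED_LEAK = (
    [(f"user{i}@example.org", pw) for i, pw in enumerate(
        ["password1", "qwerty", "letmein", "hunter2", "summer2019",
         "iloveyou", "football", "welcome1", "monkey"], start=1)]
    + [("user1@example.org", "dragon"),            # same address, a second password
       ("user10@example.org", "Fresh-Secret-42")]  # the one pair not seen before
)


def triage(leak, known_emails, known_passwords):
    """Summarise how much of a claimed leak is already-known material."""
    emails = {e for e, _ in leak}
    passwords = [p for _, p in leak]
    per_email = defaultdict(set)
    for e, p in leak:
        per_email[e].add(p)
    multi = {e: sorted(ps) for e, ps in per_email.items() if len(ps) > 1}
    return {
        "unique_emails": len(emails),
        "emails_already_seen_pct": round(100 * len(emails & known_emails) / len(emails)),
        "password_records": len(passwords),
        "passwords_already_seen_pct": round(
            100 * sum(p in known_passwords for p in passwords) / len(passwords)),
        "emails_with_multiple_passwords": multi,
    }


def looks_like_combo_list(report, seen_threshold=90):
    """Heuristic from the analysis: near-total overlap on both addresses and
    passwords, plus addresses with several passwords each, points to a
    repackaged credential-stuffing list rather than an organic breach."""
    return (report["emails_already_seen_pct"] >= seen_threshold
            and report["passwords_already_seen_pct"] >= seen_threshold
            and bool(report["emails_with_multiple_passwords"]))


if __name__ == "__main__":
    report = triage(CLAIMED_LEAK, KNOWN_EMAILS, KNOWN_PASSWORDS)
    print(report)
    print("combo list?", looks_like_combo_list(report))
```

A genuinely new breach would typically show a lower overlap and one password per registered address, because a real registration system refuses a second sign-up for the same account.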
All this stuff makes you wonder – when are we going to get rid of passwords? Is biometrics the way that we’re going to do it? I remember a decade ago that people were saying “When are we going to get rid of passwords? 10 years from now they’ll be gone, right?”
Maybe not… a great example of this: I have an iPhone 11 Pro. When I picked up my phone last year, I unboxed it, (very excitedly) and I went to set it up. Now because it has FaceID, it has a biometric authentication scheme. But before I could do that, I needed to first put it on the Wi-Fi. So I’m one password in already. Then, I wanted to restore everything from my iCloud, so then I have my iCloud password – so there’s a second password. And then finally I get to set up the biometrics, and when you set up the biometrics you have to have a fallback position which is a pin… so I’m three passwords in before I can even start using a very modern device with biometrics. And you have to have a fallback position!
Recently, there’s been a great example of why a fallback position is needed – how many people have been using masks? Doesn’t work with many facial recognition tools, does it? I’ve got fingerprint sensors on my laptop… but I live in Australia by the beach. I’m in the pool a lot. My fingers often don’t work when I get out and I try to use them on my laptop. So biometrics are fantastic; I use them on all my things. There’s a fantastic usability experience and a fantastic privacy experience too, because I unlock my things in front of other people without disclosing a reusable secret. But they don’t replace passwords – not yet anyway.
I want to conclude with something which I think is reflective of many of the challenges we have in the industry around passwords and secrets and authentication. There’s an account on YouTube called “The Lock Picking Lawyer”. He does physical penetration tests on padlocks. It’s really fascinating to see just how easy it is to actually open a lot of things that most of us think are very secure. He was reviewing the Uervoton Fingerprint Padlock, a biometric padlock which you unlock with your finger instead of a pin or a key. When he looked at the padlock, he found a screw on the side. He takes out his screwdriver and what you think would happen, happens. Undoes the screw, padlock comes apart.
Now that’s just another day on the internet – these really, really easily exploitable flaws, whether they’re on padlocks or web applications – it’s the same thing that happens over and over again. But the bit that blew me away with this: he exercises responsible disclosure. He gets in touch with the company and says “I took out my screwdriver, undid the screw, padlock came apart, you should probably fix this”. And the company responded in the most epic way, which illustrates the attitude of many organizations to digital security these days. The company said “…the lock is invincible to people who do not have a screwdriver.”
And that is a great reflection of where we are in the industry at the moment. This attitude of just really fundamentally not understanding the practical impact of how easy it is to exploit security systems.
Troy Hunt is a Pluralsight Information Security Author & Instructor, Microsoft Regional Director, and Most Valued Professional (MVP) specializing in online security and cloud development. He speaks at conferences around the world and runs workshops on how to build more secure software within organizations. He is also the creator of the data breach aggregation service known as “Have I Been Pwned”.