One of the battles in the recent cyberwar between the group Anonymous and Aaron Barr, the now ex-CEO of HBGary Federal, was the hacking of rootkit.com.
While most of the media attention has been focused on the personalities, egos, and the questionable ethics involved, Joseph Bonneau, a PhD candidate in the Security Group of the University of Cambridge Computer Laboratory, gleaned some surprising information from the leaked rootkit.com user database.
In a blog post on Light Blue Touchpaper, the Security Group’s blog, he compares that data with the user database from the recent Gawker incident. He found a rate of password re-use much higher than most previous estimates.
“Of the 456 common users, 161 had their password cracked in both datasets, 46 only had their rootkit.com password cracked and 77 only had their Gawker password cracked, leaving 172 with neither password cracked. Of the accounts for which passwords were cracked at both sites, 76% used the exact same password. A further 6% used passwords differing by only capitalisation or a small suffix (e.g. ‘password’ and ‘password1’).”
He goes on to explain why the 76% figure is not a valid estimate for the population as a whole: it is measured only over the 161 accounts cracked at both sites, so it has to be corrected for the accounts where only one or neither password was cracked. Doing so puts the real rate of re-use somewhere between 31% and 43%. These numbers are a substantial increase over the 12% estimate of Florencio and Herley (Microsoft Research) and the 20% estimate from Gaw and Felten’s user survey at Princeton.
The full blog post is a worthwhile read.
This reinforces my belief that increased consumer education on the dangers of reusing passwords between sites, combined with banning any password that appears in the rootkit.com top-500 and Gawker top-250 lists, would do much more to improve security than setting arbitrary password content standards and forcing periodic password changes.
However, Matthew Slyman, another Cambridge University alumnus, makes an argument for an algorithm that uses variable password expiration periods to encourage stronger passwords.
You can follow the ongoing HBGary soap opera on Ars Technica.

Copyright © 2008-2013 Richard A. Milewski
What is a “strong” password anyway? The algorithm used at FOSDEM for account registry rejects qh7bu6kf75ldw4xb because it doesn’t include all four of uppercase letters, lowercase letters, digits and special characters, but it accepts You1Make2Me3Puke4!!! which looks much more “guessable” to me.
Both are actually fairly “strong” if you just measure entropy. The fact that various sites rigidly enforce arbitrary rules in the name of “password strength” actually does more damage than help. It encourages users to choose simpler passwords that work everywhere and actually causes more password reuse between sites because users fear not being able to remember what they used where. Most passwords are compromised through hacks that get the site’s entire user database, not because a single non-admin user chose a weak password. The big danger is password re-use. If you reuse a password on a site that gets compromised, you’re at risk everywhere you’ve used it.
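As an added illustration (this is not code from the post, from the comments, or from FOSDEM’s registration system), the following Python puts the two passwords from the comment above through the three checks this page discusses: the four-character-class composition rule, a naive charset-entropy count, and the kind of leaked-password blocklist the post itself advocates. The blocklist is a small constructed stand-in for the real rootkit.com/Gawker top-N lists, which are not reproduced here; `normalise` is an assumed helper of mine that strips capitalisation and a short digit/punctuation suffix so the near-duplicates the quoted statistics mention (‘password’ vs ‘password1’) are caught too.

```python
"""Added example: three ways to judge a candidate password.

Constructed for this page. Not FOSDEM's code and not the real leaked lists.
"""
import math
import string

# Constructed stand-in for a "top-N leaked passwords" list (assumption).
TOP_LEAKED = {"password", "123456", "12345678", "qwerty", "abc123", "letmein"}


def composition_rule(pw: str) -> bool:
    """The FOSDEM-style rule described in the comment: all four classes required."""
    return (
        any(c in string.ascii_uppercase for c in pw)
        and any(c in string.ascii_lowercase for c in pw)
        and any(c in string.digits for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def charset_entropy_bits(pw: str) -> float:
    """Naive entropy: assumes each character was drawn uniformly from the union
    of the character classes present. This overstates passwords built from
    dictionary words, so treat the result as an upper bound, not a strength."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return len(pw) * math.log2(size) if size else 0.0


def normalise(pw: str) -> str:
    """Assumed helper: lower-case and drop a trailing digit/punctuation suffix so
    'Password1!' matches a blocklist entry 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def blocklisted(pw: str, blocklist=TOP_LEAKED) -> bool:
    """Reject the password if it, or its normalised form, is on the leaked list."""
    return pw.lower() in blocklist or normalise(pw) in blocklist


def evaluate(pw: str) -> dict:
    return {
        "composition_ok": composition_rule(pw),
        "entropy_bits": round(charset_entropy_bits(pw), 1),
        "blocklisted": blocklisted(pw),
    }


if __name__ == "__main__":
    for candidate in ("qh7bu6kf75ldw4xb", "You1Make2Me3Puke4!!!", "Password1!"):
        print(candidate, evaluate(candidate))
```

Run as written, the rule rejects the 16-character random string (about 82.7 bits under the naive count) and accepts the passphrase, which the naive count rates even higher (about 131 bits) precisely because it treats “Make” as four independent random characters; the structure that makes it look guessable is invisible to character counting, which is why the blocklist check, not the composition rule, is the one that catches ‘Password1!’.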
Password rotation policies *suck*. I use a unique password on every site I visit, I let my browser remember those passwords, and I expect them to work forever. Similarly, I use a strong login password for systems I log into via username/password, and I expect that username/password to work forever.
Your security strategy is much better than average, and fine for 90% of systems, but your expectations of perpetual password validity would not be realistic for a high security system.
Firstly, targeted brute-force password cracking is much easier if passwords are valid forever. The bad guys can take their time, knowing that whenever they crack the hash on a single high-value account’s password, they can break into your system.
Secondly…
The U.S. Government forbids the export of any encryption software strong enough that the NSA cannot crack it at-will. In practice (for this reason and for reasons of processing-power economy and threat proportionality), most foreign companies wanting to do business in the USA will standardise on encryption methods that are strong enough to avoid having a system cracked by the average Joe, but not strong enough to avoid being cracked by the NSA.
Think Moore’s Law, think physics, and think semiconductor manufacturing economics. Even with novel bespoke silicon, the NSA can only muster finite multiples of the processing power available on the free market to the average Joe (especially when you consider the possibilities of distributed processing)… And Moore’s law means that the processing power available to all parties is increasing exponentially. In other words, the average Joe is only a certain number of years behind the NSA in terms of being able to crack into secret communications by brute-force alone.
The same principle applies to knowledge of encryption protocols. Half of the money in the world will only buy you a certain proportion of the best mathematicians (who get educated in the first instance, at schools and universities attended by everyone else where information is mostly in the public domain.) So knowledge of encryption/decryption and code-breaking in the public domain is only a certain number of years behind similar secret knowledge within the NSA.
For historical evidence, observe that:
* Public key cryptography was invented in secret (so it is alleged), and then later in public. (Similarly with many other innovations in cryptography. Once the mathematics has been out for a certain period of time, and has become sufficiently mature, the next step in its development becomes more obvious to the mathematical profession in general.)
* MD5 and SHA1 are no longer considered secure. Single DES? Pointless. Triple DES? Getting a little old.
So… You’ve developed a system that depends on MD5 for password security, and your salting technique is a bit weak—your security regime in general was developed in the late 1990s for a small website with 2000 users, and you’ve now grown to 2 million. What are you going to do? Carry on as normal and pretend you’re not more vulnerable than your competition? Bad idea. Crack all your users’ passwords by brute-force attack and re-encrypt them using a new hashing algorithm? Not feasible (and perhaps not even reliable, as a certain proportion of your users might be inadvertently locked out). So what are you going to do?
…
Periodically require all your users to change their passwords, and encrypt the new passwords using the new hashing technique. Don’t let any user reuse exactly the same password as before, because your system might have been compromised (a copy of your hashed password file might be in the possession of an attacker), and if your password file/table has been disclosed (which it probably has been, if it’s been long enough and you’ve turned over enough IT staff), the bad guys will have had plenty of time to crack a password by brute-force and then attack your system.
As for any high-value accounts that have not required you to change passwords or other login credentials for the last ten or twenty years, you should work on the assumption that those accounts have been compromised.
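As an added example of the migration step the comment above describes (not the commenter’s code and not any real site’s schema), the following Python models a user record that still carries a legacy salted-MD5 hash and moves it to PBKDF2-HMAC-SHA256 at the moment the user is forced to set a new password, which is the one moment the plaintext is available to the server. The record format, the 4-byte legacy salt, the `must_change` flag and the iteration count are all assumptions for the illustration. The new password is verified against the old record first so that exactly the same password cannot be kept, as the comment requires.

```python
"""Added example: migrating a legacy MD5 password hash on forced change.

Constructed for this page; record layout and parameters are assumptions.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption: tune for current guidance/hardware


def legacy_md5(salt: bytes, password: str) -> bytes:
    """The weak late-1990s scheme the comment describes: md5(salt || password)."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def modern_hash(salt: bytes, password: str) -> bytes:
    """Replacement scheme: PBKDF2-HMAC-SHA256 with a per-user 16-byte salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify(record: dict, password: str) -> bool:
    """Check a password against whichever scheme the record was stored under."""
    if record["scheme"] == "md5":
        candidate = legacy_md5(record["salt"], password)
    elif record["scheme"] == "pbkdf2":
        candidate = modern_hash(record["salt"], password)
    else:
        raise ValueError("unknown scheme: %r" % record["scheme"])
    # constant-time comparison so the verifier itself does not leak hash bytes
    return hmac.compare_digest(candidate, record["hash"])


def change_password(record: dict, old_password: str, new_password: str) -> dict:
    """Forced-rotation step: authenticate with the old password, refuse to keep
    it, and store the new one under the modern scheme with a fresh salt."""
    if not verify(record, old_password):
        raise PermissionError("old password incorrect")
    if verify(record, new_password):
        # the old hash may already be in an attacker's hands, so the same
        # password must not survive the migration
        raise ValueError("new password must differ from the old one")
    salt = os.urandom(16)
    return {
        "scheme": "pbkdf2",
        "salt": salt,
        "hash": modern_hash(salt, new_password),
        "must_change": False,
    }


def make_legacy_record(password: str) -> dict:
    """Constructed legacy row: 4-byte salt, flagged for mandatory rotation."""
    salt = os.urandom(4)
    return {"scheme": "md5", "salt": salt, "hash": legacy_md5(salt, password), "must_change": True}


def demo() -> dict:
    record = make_legacy_record("hunter2")
    return change_password(record, "hunter2", "correct horse battery staple")


if __name__ == "__main__":
    migrated = demo()
    print(migrated["scheme"], migrated["must_change"],
          verify(migrated, "correct horse battery staple"))
```

Until every `must_change` flag is cleared, the table still holds MD5 rows that an attacker with an old copy can crack at leisure, which is the commenter’s point about long-unrotated high-value accounts: those rows should be treated as already compromised rather than waited on.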
As already pointed out in the comments on that blog post, you might expect that passwords used for posting comments on news/forum sites would be lower quality and more reused.
Most people aren’t going to be too bothered if a handle they used to post a comment once on Gawker gets stolen…
Michael,
True. But it takes a fairly sophisticated user to be able to gauge the risk level associated with using a “throwaway” password on any given site. As the entire HBGary saga illustrates, even very sophisticated experts who know better can fall into bad password-reuse habits. We need to figure out how to move in the direction of simpler, more secure systems that are usable by everyone, not just the technically savvy. How would you explain when it’s safe to reuse a password and when it’s not to your grandmother?
I agree with your conclusions, and suggest that my method will only be worthwhile for protecting high-security systems whose administrators have already taken the measures you describe.