What will it take for more people to finally take passwords seriously?
See Also: Secure Access in a Hybrid IT World
For years, information security experts have been warning users to create long, complex online passwords (see Why Are We So Stupid About Passwords?).
The latest evidence that too many users are continuing to fail to heed that advice comes via the breach of online dating website Ashley Madison. Given that the website is marketed to those who want to conduct discrete affairs, you might think that users would work overtime to keep their participation in the site a secret.
But according to an analysis of cracked Ashley Madison passwords, more than 100,000 users opted to make their site password the following six-digit string: "123456."
A group of password-cracking hobbyists who call themselves CynoSure Prime shared with me a review of about 12 million passwords that it cracked from leaked Ashley Madison password hashes. The group obtained those hashes - earlier this month - from data leaked by the Ashley Madison site's attackers, who called themselves "Impact Team." Inside that data dump, the password researchers say, they found evidence that the dating site had used an insecure implementation of the MD5 cryptographic hash function to generate password hashes for about half of its 36 million accounts. While such hashes are meant to be irreversible, the group nonetheless successfully cracked them (see Researchers Crack 11 Million Ashley Madison Passwords).
Based on CynoSure Prime's analysis of the 11.7 million passwords that it's now recovered - and the group warns that these results should only be used as a "rough estimate" because it is still attempting to crack 4 million more passwords - these were the top 10 passwords chosen by Ashley Madison's users:
- [slang for female genitalia]
Also included in the top 100 most-used passwords - of the ones fit for print, anyway - are such gems as:
CynoSure Prime also found some choice, one-off password selections, including:
The researchers also found that at least 630,000 users made their username double as their password, meaning all of those accounts could have been hacked without having to crack the password. In addition, 8 million of the cracked passwords used just six to eight characters, and the vast majority "appear to be quite simple, either being lowercase with numbers or just lowercase," CynoSure Prime says. "Passwords containing purely numbers also appear to be relatively popular."
CynoSure Prime's findings are interesting in part because, for years, information security experts have been advising users to employ a long, unique password - preferably mixing upper and lower-case letters, plus numbers and special characters - for every different site they frequent. That way, if the site suffers a data breach, then attackers can't use the stolen username and password combinations to log into other sites.
Using complex passwords also makes it difficult for attackers to employ brute-force dictionary attacks, in which they use tools that automatically attempt to plug in a vast number of well-known phrases to see if they will work with known usernames, or rainbow tables - pre-computed tables that can be used to reverse unsalted cryptographic hash functions and thus easily crack passwords.
To generate and keep track of all of those complex, unique passwords, security experts recommend using a password manager. Such software can run on PCs, mobile devices or via online portals.
Death to Passwords
What can be infuriating, however, is that even if users do pick long, complex and unique passwords, they won't be protected if the site they're using fails to properly secure those passwords. In June 2012, for example, a breach of LinkedIn came to light after a hacker uploaded 6.5 million LinkedIn users' password hashes and requested help in cracking them. Analyzing the leaked data, security researchers reported that LinkedIn had been using the SHA-1 algorithm, which has known flaws, and failing to salt passwords, meaning that they would be easy to crack.
That same month, according to leaked Ashley Madison source code repositories that were created using the Git revision-control system, the site's developers eliminated their insecure use of the MD5 hashing algorithm. But according to CynoSure Prime, the developers then failed to regenerate 11.7 million login tokens that had been generated using the insecure method, which ultimately allowed the group to crack those password hashes when they were leaked three years later.
As with so many past breaches - including the famous RockYou breach in 2009 that leaked more than 32 million passwords, many of which were laughably insecure - the Ashley Madison breach is a reminder that too many organizations, as well as end users, continue to fumble password security. Of course, alternatives exist, such as adding two-factor authentication via smartphone software - many sites now offer this - or tapping the FIDO Alliance - for "fast identity online" - specification to create a "bring what you've got" authentication approach that can mix mobile devices, USB security tokens, one-time passwords and more. Given our ongoing, collective inability to grasp proper password security, more than ever it's time to eliminate the need for passwords.