The Problem With Passwords

Passwords are both the most essential, and, arguably, one of the most vulnerable features of the modern internet. It’s easy to blame people for reusing bad passwords, for example -but since so many people do it, we have to look at the common factor. There are flaws inherent to the mechanism of authenticating users by static password strings.

Link to Cybereason's free Guide On Remote Work: maliciouslife.com/remoteworkforce.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Troy Hunt

Creator of haveibeenpwned.com

Microsoft Regional Director and MVP. Pluralsight author. Online security, technology and “The Cloud”. Australian.

The Problem With Passwords

What’s your password for Apple, Spotify or whatever service you’re using to listen to this podcast episode? Recall it in your head. Does it contain upper- and lowercase letters? A number? How about a symbol? Is it at least, I don’t know, 10 characters long? If you answered “yes” to all of those questions, well…get your own cybersecurity podcast, showoff!

If you answered “no” to any or, let’s be honest, most of those questions I just asked, then you’re not alone. According to SplashData, a security firm which releases a list of the most commonly used passwords every year, 10 percent of all accounts in the world use the same 25 passwords. Some of the favorites: “qwerty”, “7777777”, “football” and, of course, “password”. “password” held the number one slot for a while, until 2013, when it was eclipsed by “123456”. As of 2017, according to the dataset, “123456” is used for approximately 4% of all internet accounts.

Now, this is the point where you’d usually hear something like: “Hey, don’t do that! Use good passwords, don’t repeat them, yada yada….” But I’m not going to do that. You’ve heard it before. In today’s episode, I want to offer the exact opposite. I don’t blame anybody for using bad passwords–I understand why they do it.

Hi, I’m Ran Levi. Welcome to the Malicious Life podcast, in collaboration with Cybereason. Passwords are both the most essential, and, arguably, one of the most vulnerable features of the modern internet. The problem is that they give us, ordinary people, complete control over our own cybersecurity. If you’ve listened to this podcast at all before, you’ll know that most people tend not to be very good at cybersecurity. We forget passwords, create bad ones, and leave little post-it reminders on our desks that everyone in the office can see.

But not all the blame for password security has to fall on our shoulders. In fact, if the majority of people have bad passwords, can we even blame people? As an analogy, imagine you have a terrible roommate experience, so you move out of your apartment. It’s reasonable to deduce that that person simply was a bad roommate. But what if at the next apartment you move into you have another terrible experience, and another that’s even worse than the first two? If the majority of your roommate experiences are terrible…you’re the common factor there, and maybe the blame doesn’t fall on each individual roommate.

It’s easy to blame people for reusing bad passwords. But since so many people do it, we have to look at the common factor. There are flaws inherent to the mechanism of authenticating users by static password strings.

Maybe it has something to do with the fact that passwords, originally, weren’t designed for cybersecurity at all.

CTSS

Most historians credit the invention of the computer password to a man named Fernando Corbato.

Corbato–nicknamed “Corby” by friends and colleagues–was a tall, thin guy, with short black hair. In pictures he’s usually found in a suit and bow tie. Basically, picture Bill Nye with glasses and you’ve got the idea. Born in 1926, he transferred from Caltech to MIT in the ‘50s to pursue a PhD in physics, and stayed there to lead the development of CTSS–a computer system which would lay the groundwork not just for password authentication, but for everything from virtual machines to instant messaging.

CTSS was short for “Compatible Time-Sharing System.” It was a big, loud computer system, capable of distributing its computing between multiple terminals. It was expensive, too–using CTSS cost somewhere in the range of 300 to 600 dollars per hour. And this was the early 60s! Adjusting for inflation, that’s about 2.5 to 5 thousand dollars per hour, just to use a computer.

The problem was only compounded by the fact that everybody wanted to use the fancy, expensive machine–more than its capacity allowed. Students wanted it for their projects. Professors like Marvin Minsky–one of the pioneers of artificial intelligence–wanted an uninterrupted, low-latency system to help get their highly important work done faster.

In order to accommodate everybody, Corbato and his colleagues used a system of user accounts, each of which would correspond to a different member of the department. These accounts served a number of purposes. First, to facilitate fair sharing, each one had a built-in timer–four hours, for example, after which the user would be kicked off the system. Second, the accounts could be programmed according to the privileges of the user–a runtime process initiated by Marvin Minsky’s account, for example, might be given precedence over a grad student working at another terminal at the same time. Lastly, the accounts served as a neat way of virtually organizing files according to who owned them, meaning that individuals could maintain personal files while using shared terminals.

These CTSS accounts were differentiated using unique, user-generated passwords–the first recorded instances of the mechanism we still use to this day. But notice: the point of these password-protected accounts had little or nothing to do with security. Nobody at MIT was a danger to anyone else at MIT. In fact, Richard Stallman – the Free-Software pioneer who worked at MIT in the 1970’s – told me in a separate conversation that back then, everybody was reading everyone else’s emails! The passwords simply served organizational purposes–keeping people from hogging time, or allowing some personnel faster processing times than others.

THE FIRST PASSWORD HACK

So computer passwords weren’t invented with security in mind. What’s interesting is that, not one year after they were first implemented, a security incident did occur. In a way, it foreshadowed the mess that password security would become.

In the spring of 1962, Allan Scherr, a PhD student at MIT, had the problem everyone else did–he wanted more time than he was allotted on the CTSS system. In a fiftieth anniversary report, he described what happened.

“My PhD research involved measuring, modeling, and simulating the performance of the CTSS system. The performance simulations were very detailed and [...] I needed many hours of computer time to run my simulations. Unfortunately, I had only been allocated something like 4 hours of processing time on CTSS per semester. I exceeded this time well before I had completed the simulations.

Because I had embedded measurement code into the CTSS operating system, I had access to the listings of the system. I discovered that the cumulative time usage for each account was loaded into the operating system every time the associated user’s core image was swapped into memory. At the end of the time slice, the usage was updated and swapped out. I simply added an [...] indirect execution instruction to the performance measurement code I had in the operating system so that I could indirectly execute a [...] store zero instruction to zero out my usage any time I wanted to. So I would rack up usage time until I got close to 4 hours and then zero it out and start all over.

This worked well until the spring of 1962. What happened was that someone on the CTSS staff [...] came to me and said that the space my measurement programs used was needed and [...] my privileges to modify the operating system were revoked.

Being desperate, I had to find a way to regain access to the operating system. [...] I finally found a way to do it. All of the passwords for the system were stored in a file called UACCNT.SECRET under user M1416. There was a way to request files to be printed offline by submitting a punched card with the account number and file name. Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing out of the M1416 folder. I could then continue my larceny of machine time.”

Allan Scherr, PhD student at MIT, was the first person ever to commit a password data breach. He wouldn’t tell his professor about it until decades later.

“I ultimately had the opportunity to confess to Prof. Fano in person at a 25th anniversary get together. He assured me that my PhD would not be revoked.”

TROY HUNT

So password breaches are almost as old as passwords themselves. If there’s anything to be learned from Allan Scherr, it’s that wherever there are passwords, at some point, somewhere, there will be passwords leaked.

If you were to guess one person who’s seen more password breaches than anyone else on planet Earth, it might be the guest we have here on this episode of Malicious Life. His name is Troy Hunt, he’s the creator of the website Have I Been Pwned. Nate Nelson, our senior producer, talked to Troy.

“[Troy Hunt] Have I Been Pwned is a data breach aggregation service. When there’s a data breach and that data then gets leaked somewhere externally at varying degrees of public accessibility, I grab it, I put it in Have I Been Pwned and I make it searchable so people can figure out where they have been pwned. And I started it in December 2013 and somehow it became big and popular.”

Have I Been Pwned is one of the most popular cybersecurity websites in the world. If you’ve never tried it, I recommend pausing this podcast and going there now. It allows you to type your email address into a handy search bar, and it’ll tell you whether you were affected by a major data breach. You should also know about a companion service to Have I Been Pwned, called Pwned Passwords.

“[Troy Hunt] Pwned Passwords is a service within Have I Been Pwned where when there’s a data breach and there’s a sufficient number of passwords available in clear text, I drop them into a great big list and this list has got 555 million records at the moment. And then I make that list either available for download if people would like to be able to run this service offline or accessible via an API that implements an anonymity model.

[Nate] What is the process in collecting this massive amount of password data?

[Troy Hunt] The process pretty much boils down to do I have access to a bunch of passwords in clear text as part of a breach? So for example, there was a couple I’ve just been sent where there’s in one case one million passwords and another one about seven million passwords. And then I grabbed those, I dropped them into a database that I run locally here and I see how many of them are new and where there’s a sufficient corpus of new passwords. So let’s say 20% of them are new. So there’s a couple hundred thousand new passwords. I start to roll that into a local version of pwned passwords and once I get to a sufficiently large size of new ones that haven’t been seen before, then I push out another major release.”

Using his database of over 500 million passwords, you can visit Pwned Passwords right now to check if your own passwords have been included in a breach before. But Pwned Passwords comes with a disclaimer–that you shouldn’t get into the habit of entering your passwords into third-party sites like this.
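Here is what the “anonymity model” Troy mentioned looks like from the client’s side. This is an added example in Go written for this page, not code from Have I Been Pwned: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to the range endpoint (the real one is https://api.pwnedpasswords.com/range/{prefix}), gets back every suffix in that bucket with a count, and does the matching locally, so the service never sees the password or its full hash. The range response below is constructed for the example and stands in for the network call: the suffix for “password” is its real SHA-1 suffix, the count next to it and the other lines are made up.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// HashParts hashes the password with SHA-1 (the hash the Pwned Passwords
// range API is keyed on) and splits the uppercase hex digest into the
// 5-character prefix that is sent and the 35-character suffix that is not.
func HashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	digest := strings.ToUpper(hex.EncodeToString(sum[:]))
	return digest[:5], digest[5:]
}

// FakeRangeResponse stands in for GET /range/{prefix}. The body is
// constructed for this example: the suffix in the middle line is the real
// SHA-1 suffix of "password"; the counts and the other suffixes are made up.
func FakeRangeResponse(prefix string) string {
	if prefix != "5BAA6" {
		return "0018A45C4D1DEF81644B54AB7F969B88D65:1\n" // some unrelated bucket
	}
	return strings.Join([]string{
		"003D68EB55068C33ACE09247EE4C639306B:3",
		"1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
		"1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
	}, "\n") + "\n"
}

// CountInRange scans a "SUFFIX:COUNT" body for our suffix. Zero means the
// password was not in the corpus; an error means the body was malformed.
func CountInRange(suffix, body string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, fmt.Errorf("malformed range line %q", line)
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// CheckPassword is the whole client flow: hash locally, send only the
// prefix, match the suffix locally. lookup is the transport (here the fake).
func CheckPassword(password string, lookup func(prefix string) string) (int, error) {
	prefix, suffix := HashParts(password)
	return CountInRange(suffix, lookup(prefix))
}

func main() {
	for _, pw := range []string{"password", "correct horse battery staple"} {
		n, err := CheckPassword(pw, FakeRangeResponse)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-32q seen %d times\n", pw, n)
	}
}
```

The point of the five-character prefix is that it identifies a bucket of roughly a million possible hashes, and the server returns several hundred suffixes per bucket; it cannot tell which one, if any, the client was interested in. Note also that the client compares suffixes case-insensitively and treats a missing colon as an error rather than silently reporting “not found.”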

“[Nate] So in a blog post that I read where you were introducing Pwned Passwords you wrote, and I’m quoting here, “It goes without saying, but don’t enter a password you currently use into any third party service like this.” So let’s not assume for a moment that it goes without saying, why did you Troy build a service and then tell people not to use it or rather how it should be used or shouldn’t be used?

[Troy Hunt] I had the best of intentions. I was like, “I know this looks fishy, so don’t use it in a fishy way.” And I had at the top of the pwned passwords page. So if you go to have I been pwned today and click on passwords, you won’t see it there. But I had at the top, big bold text, “Don’t enter any password you actively use here.” If you had a password which you thought maybe wasn’t too good and you’ve now gone and changed it and you just want to establish the fact that it had been seen before, fantastic do that. And then the things on CNN or mainstream media and reporters are going, “Just go here and enter the password you use.” And I’m like, “Ah, come on. I tried.”

THE PROBLEM WITH PASSWORDS

What makes our passwords so weak isn’t just that we’re picking bad ones–it’s that what we think makes for a good password, usually, does not.

“[Troy Hunt] I think predictability not just in the passwords themselves but in the way that we create them and particularly the way we adhere to arbitrary composition rules is what I find really fascinating. So back in the day when I used to be able to fly places and go and do talks and things, I’d do this talk about the history of passwords and no matter where I was in the world and there’d be hundreds of people in audiences and I’d say, “Okay, imagine you go to a website and the website allows you to register and you’ve got that same terrible six character, lowercase password you use everywhere. And the website says you must have at least one uppercase character. What do you do?” And in unison, the audience across cultures says “I capitalize the first letter.” And everyone laughs because there’s this nervous laughter. It’s like, “Oh no, the hackers have figured this out. We’re all doing the same thing.”

And then I say, “Okay well, now you’ve got to have a number, what do you do?” And they go, “I’ll put a one at the end.” And now you’ve got to have a non-alphanumeric character. What do you do? “I put an exclamation mark at the end.” And everyone’s laughing by the stage because the entire audience is just saying the same thing at the same time.

So I think the really fascinating insight here is that those arbitrary complexity rules were put there because they meet this mathematical definition that signifies greater entropy. And if everyone generated passwords in an entirely random fashion, that would be perfect. But of course they don’t. So I think it’s the human aspect of passwords, which is particularly fascinating. And this just goes to show how predictable we all are.”

It’s easy to tell that the word “podcast,” for example, is a bad password. But if you type capital ‘P’, zero, d, c, @, 5, t, underscore (that is, “P0dc@5t_”) into a website, you might think that’s pretty solid. In reality, it’s hardly better than doing nothing at all. Every one of those changes is a standard mangling rule: capitalize the first letter, swap o for 0, a for @, s for 5, tack a symbol on the end. A cracking tool applies exactly those rules to every word in its dictionary, so the underscore buys you a handful of extra guesses, not a handful of extra years. Hackers know all the tricks in the book. So maybe the problem with passwords isn’t that we’re all so helplessly incompetent.

“[Nate] after the first hundred thousand, the first million, what percentage of new passwords that you find are actually unique?

[Troy Hunt] Yeah, not many. So it’s become increasingly rare to actually go through and find passwords that haven’t already appeared in data breaches. And that’s a bit of an alarming, I guess trend in so far as what we see is the same things over and over again. Now passwords which have already appeared in previous data breaches can be there for one of two reasons. Either the same person has been in multiple breaches and they’re using the same password or there’s two people and they’ve got a dog with the same name or they went to the same university in the same year or whatever other natural keys for want of a better term, go into making up people’s passwords. And regardless of how you cut it, every single one of those is obviously a bad way of choosing a password.”

Listeners, I think there are two ways of interpreting what Troy just said there. One way to look at it is that people are simply lazy, or just generally unable to do passwords right.

But the other way to see it is that we’re all trying to use good passwords, we’re just not really able to. If someone’s password is their dog’s name plus the year they graduated college, there may only be a small number of other people in the world with the same pet name and the same graduating year. So that seems like the kind of information that would make for a unique password. It’s probably not unique, it’s crackable, and it’s easily socially reverse-engineered. But how is your grandma supposed to know all that? Or your brother, who has a computer but isn’t exactly a security expert?

“[Nate] As we do the research in this episode, we can generally assume that most people know what password best practices are. […] How much of the fault should be laid at our imperfect human feet or versus rather the system of static text passwords itself as an authentication mechanism?

[Troy Hunt] Well, I think part of the observation there is that people know that they’re adhering to weak practices and they feel a bit guilty about it. And look, I certainly know every time I drill someone on this, it’s like, “How are you actually creating passwords?” The answer is usually pretty sheepish. So I think there’s an interesting sociological observation there that people know that they’re doing air quotes the wrong thing.”

Easy-to-remember passwords are easy to guess. Hard-to-guess passwords are hard to remember. So pick your poison: do you want to constantly forget all your passwords, and have to reset them each time? Or do you want to run the risk that your accounts might be hacked? Most of us have opted for the latter option, whether we realize it or not. Should we feel bad about it?

I’m not sure. Think about all the accounts you have online. Actually, you probably can’t–it’s probably a lot more than you realize. Dozens, at least, probably over 100. I started using the internet in the late ‘90s, so I have over 190 different accounts. I’ll never be able to remember all their passwords.

CURRENT SOLUTIONS

That’s where layered security solutions come in. Password managers store all your passwords in an encrypted vault, protected by a single master password. Two-factor authentication, where available, asks for a second proof at login on top of the password: typically a one-time code sent to your phone or email, or generated by an app. There are also U2F devices–little USB-type sticks that you can leave at home or carry around on a keychain.

“[Troy Hunt] U2F is a beautiful mechanism. It can’t be phished like a soft token or even a hard token. We don’t have the problem of sending SMS, so we’ve got enough problems with SMS and SIM hijacking. It’s pretty elegant in terms of just having the key on your person and inserting it and pressing a button, job done. But the problem is that it is a very foreign concept to most air quotes again, normal people. My parents would have no idea what a U2F key is. They’re very unlikely to carry one around and also they would either have to purchase one or someone would have to purchase it for them. So here’s a case where we’ve got technology which is beautiful in its execution, but it just fails miserably in terms of affordability and usability.”

Password managers, multi-factor authentication and U2F keys are all effective tools for covering up the inherent weaknesses of passwords. But they each come with their own downsides, as well. Hardware devices are easily lost or stolen. Password managers collate all your risk into one place–if you lose the master password that gets you in in the first place, suddenly you’re locked out of not just one but all of your accounts.

It’s always a good idea to turn on two-factor authentication where possible, but it’s far from an unhackable solution. A number of individuals and companies have already been hacked, despite 2FA, by hackers who breached the email accounts where the one-time codes were delivered, or hijacked the phone number they were texted to.

The main problem with all of these solutions is, well, they’re not obvious to most people. Most people don’t think about cybersecurity much, or simply don’t have time to. I’m talking about your granddad, your kids, your brother or sister. Have you ever got a call from your mom, when she had a problem with her computer? It’s a nightmare! Half of you just got PTSD flashbacks just from me reminding you about it. You’ve got to explain the simplest concepts to her–type this, move your mouse there, no, not there, there, click that, no not that, that! Now imagine trying to explain to your mom how password managers work.

“[Troy Hunt] There’s the bigger macro question of, well, should we not be moving beyond passwords already? Because we know that this is a weak means of authentication compared to some of the other technical controls we have in place. And the simple answer to that is, as yet, we just haven’t found a better way of authenticating people that doesn’t pose barriers that are insurmountable in most cases, such as usability or cost. And for all their flaws, the one thing that passwords do exceptionally well is everyone knows how to use them and they’re simple and they’re free.”

FUTURE SOLUTIONS

We may be stuck with passwords for a while. But plenty of companies are working towards solutions that get rid of them entirely. Some of the ideas floating around are just odd, like dynamic passwords–codes generated based on riddles or formulas, which incorporate your personal information or what’s displayed on your screen.

“[Troy Hunt] The whole principle of riddles or creating passwords based on other website based data. Some people say I use part of the domain and then you do this and then you do that. That really feels like a bad middle ground so it’s a recognition that we need to do something better with passwords but then not using the one tool that we’ve got that well and truly solves the password weakness problem which is password managers. The riddle-based examples always fall down when you start to push people. So they fall down in areas such as, well what happens when there’s stupid arbitrary complexity rules that won’t let you use a number? Oh well, then you have to adapt your formula so now you’ve got different formulas for different sites.”

The most common, fastest-growing alternative to the text password is biometric authentication: fingerprints and face scans. Your iPhone is a pretty good example of where we’re headed: some years back, Apple changed the iPhone’s home button to accommodate fingerprints. Then, more recently, they got rid of the home button, steering users towards face scans (with the passcode still there underneath as the fallback). So, it may be the way of the future–the thing that kills off text passwords.

Are we better off now, with biometrically-secured iPhones, than we were before? Yes and no. It is, certainly, much more difficult for a hacker to fool a biometric sensor than it is for them to crack web passwords.

But, then again, cyber security isn’t only about stopping hackers. Are you confident where your biometric data is being held, and who’s doing what with it? Maybe today the answer is yes, but if fingerprints, facescans and vein readings become more common–less futuristic–it’ll be as tough to keep track of where your biological data is as it is keeping track of your text passwords today. And unlike a text password, you can’t change your biometrics.

You see, there are two sides to any password or other authenticator: there’s you, and the entity which stores your key. That entity can be your local machine, but in most cases, your information sits in a database halfway across the world, owned by the company you’re logging in with.

Companies and governments, of course, get hacked all the time. If they didn’t, Malicious Life wouldn’t exist. Oftentimes, they’re blatantly insecure–in such a way that puts all of us at risk, no matter what we do. We can look to Pwned Passwords, which only collects passwords from breaches where they ended up in plaintext: either stored that way, with no protection whatsoever, or hashed so weakly that they were cracked in bulk. Troy has over 500 million leaked passwords from organizations that didn’t manage to put even one effective layer of protection on their users’ stored data. And it’s not even an old site–the project’s been going on only a few years.

Malicious Life listeners will recall the episode we did on Ashley Madison, one of the most private sites in the world. When they got hacked, almost half of their 30-plus-million user passwords turned out to be recoverable from MD5 hashes–a fast, unsalted hash that was already unfit for password storage by 2015. It allowed researchers, and, probably, hackers, to crack most of them in a matter of days.
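Why a fast, unsalted hash like MD5 falls so quickly, and what a salted, stretched hash changes, as an added example in Go on constructed data (not the Ashley Madison leak or any real one): with unsalted MD5 the attacker hashes the dictionary once and looks every leaked user up in that table, so two users who chose the same password cost a single hash; with a per-user salt the dictionary has to be rehashed for every user, and with stretching every one of those guesses costs thousands of hash calls instead of one. The stretch function here is a toy standing in for bcrypt, scrypt or Argon2, and the users, passwords, salts and dictionary are all made up.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed data: four users, three of whom chose dictionary passwords.
var users = []string{"alice", "bob", "carol", "dave"}
var secrets = map[string]string{
	"alice": "123456", "bob": "password", "carol": "123456", "dave": "gxq7!Wn2zt",
}
var dictionary = []string{"123456", "password", "qwerty", "football"}

func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// stretch is a toy salted, iterated hash standing in for bcrypt/scrypt/Argon2:
// the salt makes each user's hash unique, the iterations make each guess slow.
func stretch(salt, password string, iterations int) string {
	h := sha256.Sum256([]byte(salt + ":" + password))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return hex.EncodeToString(h[:])
}

// UnsaltedLeak: user -> md5(password), the scheme the old forum software used.
func UnsaltedLeak() map[string]string {
	leak := map[string]string{}
	for _, u := range users {
		leak[u] = md5Hex(secrets[u])
	}
	return leak
}

type saltedRecord struct{ user, salt, hash string }

// SaltedLeak: the same passwords under stretch() with a per-user salt.
func SaltedLeak(iterations int) []saltedRecord {
	var leak []saltedRecord
	for i, u := range users {
		salt := fmt.Sprintf("salt-%02d", i) // constructed; real salts are random bytes
		leak = append(leak, saltedRecord{u, salt, stretch(salt, secrets[u], iterations)})
	}
	return leak
}

// CrackUnsalted hashes the dictionary once and looks every user up in it:
// the cost is |dictionary| hashes no matter how many users leaked.
func CrackUnsalted(leak map[string]string) (cracked map[string]string, hashOps int) {
	table := map[string]string{}
	for _, w := range dictionary {
		table[md5Hex(w)] = w
		hashOps++
	}
	cracked = map[string]string{}
	for _, u := range users {
		if pw, ok := table[leak[u]]; ok {
			cracked[u] = pw
		}
	}
	return cracked, hashOps
}

// CrackSalted must redo the dictionary per user (the salt defeats the shared
// table) and pays the full iteration count on every single guess.
func CrackSalted(leak []saltedRecord, iterations int) (cracked map[string]string, hashOps int) {
	cracked = map[string]string{}
	for _, rec := range leak {
		for _, w := range dictionary {
			hashOps++
			if stretch(rec.salt, w, iterations) == rec.hash {
				cracked[rec.user] = w
				break
			}
		}
	}
	return cracked, hashOps
}

func main() {
	const iterations = 10000
	c1, ops1 := CrackUnsalted(UnsaltedLeak())
	c2, ops2 := CrackSalted(SaltedLeak(iterations), iterations)
	fmt.Printf("unsalted MD5: cracked %d/%d users with %d hash computations\n",
		len(c1), len(users), ops1)
	fmt.Printf("salted+stretched: cracked %d/%d users with %d guesses x %d iterations = %d hash computations\n",
		len(c2), len(users), ops2, iterations, ops2*iterations)
}
```

Both attacks recover the same three weak passwords; the difference is the bill. At the rate Troy quotes, 20 billion MD5 hashes a second, a billion-word dictionary against an unsalted dump costs a few seconds once for everyone in the dump, whereas with salt and stretching that work multiplies by the number of users and again by the iteration count, which is what turns “a matter of days” into “not worth it” for all but the worst passwords.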

“[Nate] I mean I am amazed at how many instances of MD5 passwords we see even today.

[Troy Hunt] Just yesterday, I loaded a data breach from a vBulletin forum, which inevitably someone just hadn’t updated or patched for years and years and years, which is still MD5. So I have a sense that organizations don’t understand that… Let’s say in the case of vBulletin or any other software package that people get off the shelf and run, software is a living, breathing thing for all intents and purposes. So that needs watering and feeding and caring that needs to evolve.

I find even in cases where I speak to people in organizations, I had another one from a breach just last month where I was speaking to someone in the organization involved and I said, “Look, are you aware your passwords are MD5?” And in their mind they said, “Well, that’s only going to be a problem if someone’s using a password that’s in a dictionary.” I was like, “Well, first of all you can calculate something like 20 billion MD5 hashes a second. So no that’s not right and second of all, just about every password’s in a dictionary these days.” So I don’t think that there’s enough understanding within organizations about what the actual risks are.”

There’s no reason to believe that if the mechanism of authentication changes, the organizations which store them will become any more secure than they are today. So what would happen if in the future more companies held your biometric data, and just one of them got hacked? We already have some idea of how it might go down.

Last summer, the Guardian reported on two Israeli security researchers running port scans over the internet to find potential vulnerabilities in companies’ IT infrastructure. They eventually came across a database belonging to Suprema, a company whose software lets organizations control access to private facilities using biometric data. Suprema’s service is used by corporations and government entities, such as the UK Metropolitan Police.

When the Israeli researchers found the database, they were able to trick it into allowing them full access, where they found over 27 million records. Those records included not just usernames and plaintext passwords, but also fingerprints and images of people’s faces, largely unprotected and unencrypted. They were able to alter the data, and even view real-time information. And by real-time I mean real-time–like, watching specific people enter specific facilities around the world, as they did it.

The researchers reported their findings to Suprema. Suprema was largely unresponsive and uncooperative for a while, but eventually, the vulnerability was fixed. Still, can you believe how lucky they were? And how lucky all their clients, and those clients’ employees and users, were? Millions of fingerprints, facescans, real-time tracking of real-life people. By luck or by the grace of God, two researchers just happened to stumble upon it while doing routine searches. But what if a malicious actor beat them to it?

In the end, text passwords may be flawed. They’re tough to remember, easy to crack, complicated to improve upon. But if biometrics really are the future, we might come to a day when we’ll reminisce on how simple life used to be–when data breaches exposed your dumb, little password, like ‘123456’ or ‘bigfalafelballs420’, not your fingerprint, or your face.

PINs

I admit, this all sounds very gloomy: every alternative to passwords that we covered so far seems to come with its own set of drawbacks and shortcomings. Yet there’s one interesting development that’s worth mentioning, and which might point us – if not towards a brighter future, then at least to a less gloomy one.

A few years ago, Microsoft announced that they intend to replace the passwords users have been using to log into Windows machines with 4-digit PINs. When I first heard about it, I was perplexed: a 4-digit PIN is much easier to guess than, say, an 8-character password – so Microsoft’s move seemed, on the face of it, to be a step in the wrong direction. But it’s not, of course. As Microsoft explains it, several factors work together to make PINs, in certain situations, more secure than passwords.

The first is that the PIN used to log in to a Windows device is tied to that specific device: it can’t be used to log in to any other Windows machine owned by the same user. Also, the PIN never leaves the device. It unlocks a private key that is protected by a dedicated crypto-processor called a Trusted Platform Module chip, or TPM for short. This means that to break into a device, a hacker needs physical access to that device – and even then, a brute force attack won’t work, since the TPM’s anti-hammering protection locks out further attempts after too many incorrect guesses of the PIN.
Once a correct PIN has been entered, the device authenticates the user to Microsoft using public-key cryptography: Microsoft holds the user’s public key, the TPM holds the private key, and the device proves it has the private key by signing a fresh challenge from the server. A recorded login can’t be replayed against a new challenge, and since the server only ever stores public keys, the user’s credentials can’t be stolen even if Microsoft is breached.
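The exchange described above, as an added example in Go that is not Microsoft’s code: the device generates a key pair and keeps the private half, the server keeps only the public half, every login starts with a fresh random challenge, and the device signs it only after a local PIN check with a lockout counter. The ed25519 signatures, the software lockout, the PIN “2580” and the device name “laptop-1” are assumptions of the example; a real TPM keeps the key and the anti-hammering counter in hardware, which is what makes the lockout hard to reset.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrWrongPIN  = errors.New("wrong PIN")
	ErrLockedOut = errors.New("device locked: too many wrong PINs")
)

// Device models the client: the private key is generated on the device and
// never leaves it, and it can only be used after the local PIN check.
// A real TPM keeps the key in hardware and enforces the lockout itself.
type Device struct {
	pin      []byte
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	failures int
	maxTries int
}

func NewDevice(pin string, maxTries int) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pin: []byte(pin), priv: priv, Pub: pub, maxTries: maxTries}, nil
}

// Sign releases one signature over the server's challenge if the PIN is
// right; wrong PINs count towards the lockout, and a locked device stays locked.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if d.failures >= d.maxTries {
		return nil, ErrLockedOut
	}
	if subtle.ConstantTimeCompare([]byte(pin), d.pin) != 1 {
		d.failures++
		return nil, ErrWrongPIN
	}
	d.failures = 0
	return ed25519.Sign(d.priv, challenge), nil
}

// Server holds only public keys; a stolen copy of this map is useless.
type Server struct {
	keys map[string]ed25519.PublicKey
}

func NewServer() *Server { return &Server{keys: map[string]ed25519.PublicKey{}} }

func (s *Server) Register(deviceID string, pub ed25519.PublicKey) { s.keys[deviceID] = pub }

// Challenge is a fresh random nonce per login attempt, so a captured
// signature cannot be replayed later.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

func (s *Server) Verify(deviceID string, challenge, sig []byte) bool {
	pub, ok := s.keys[deviceID]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Login runs one full exchange: challenge -> PIN-gated signature -> verify.
func Login(s *Server, d *Device, deviceID, pin string) (bool, error) {
	challenge, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(pin, challenge)
	if err != nil {
		return false, err
	}
	return s.Verify(deviceID, challenge, sig), nil
}

func main() {
	dev, err := NewDevice("2580", 3)
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("laptop-1", dev.Pub)
	ok, err := Login(srv, dev, "laptop-1", "2580")
	fmt.Println("correct PIN:", ok, err)
	for i := 1; i <= 4; i++ {
		ok, err = Login(srv, dev, "laptop-1", "0000")
		fmt.Println("wrong PIN attempt", i, ":", ok, err)
	}
	// "Breach": someone holding the server's key table tries to log in with a key of their own.
	_, stolen, _ := ed25519.GenerateKey(rand.Reader)
	challenge, _ := srv.Challenge()
	fmt.Println("forged with attacker key:", srv.Verify("laptop-1", challenge, ed25519.Sign(stolen, challenge)))
}
```

Two things to notice when running it: the fourth wrong attempt is refused as locked out rather than merely wrong, and the right PIN is refused after that too, which is the property that makes a 4-digit PIN survivable; and nothing the server stores lets anyone produce a signature, so the server-side breach that leaks a password database leaks nothing usable here.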

This technique does have its weaknesses, of course. For example, PINs have the same problem passwords have when it comes to users’ creativity. In 2011 Daniel Amitay, a New York City-based software engineer, gathered anonymous passcode data – ‘passcode’ is Apple’s term for PINs – from over 200,000 iPhone owners. He found that approximately 15 percent of them used one of the 10 most popular passcodes–including ‘0000’, ‘1111’, and ‘5683’, the numbers whose corresponding letters spell out the word “love.” He found that over 4 percent of them were using the single most popular passcode. Can you guess it? ‘1234’, naturally.

Still, what I like about this idea is that it kinda turns our relationship with physical devices on its head. When we talk about smartphones and laptops in Malicious Life, we often talk about them in the context of security risks, like how your phone can give away your geolocation and such. But in this case, mobile devices act as an alternative to – or maybe an extension of – the U2F devices I mentioned earlier: those USB sticks that Troy Hunt described as ‘beautiful in its execution, but fails miserably in terms of affordability and usability.’ U2F keys fail because most users don’t have them, or have no idea that they even exist. A mobile phone, however, is something that most of us carry around 24/7 – to the point that if I step out of my house without my phone, I feel like I forgot to put on my pants or something. In that sense, mobile devices can finally enhance our security instead of only compromising it.

I have no idea if PINs and TPMs will be adopted in the future as an alternative to passwords – but it’s nice to know that as technology advances, it not only creates new security problems for us – but also provides the opportunity for novel solutions.
