December 13, 2012

Passwords: Trojan Zebras of a Different Color

Last month, I suggested that password technology, as we know it, is growing increasingly obsolete and dangerous. Its effectiveness is shredding against the Hackerverse's growing onslaught. Using longer, stronger passwords will continue to hold cyberthugs back for a little while longer, but even strings that should take millennia to guess are now falling instantly to phishing attempts and bulk theft. The biggest problem with passwords isn't that they are short and stupid (though many are). It's simply that they are alphanumeric strings, which are growing easier and easier to guess, steal and share.

This is also true of the usernames/IDs that accompany most passwords! Being alphanumeric, they too are very easy to guess, steal and share. And many IT departments aren't helping the problem. Often what should be a two-stage security barrier rests on passwords alone.

Dangers Not Discussed

Several dangerous password-related practices aren't often discussed, but should be. Fortunately, these practices can be addressed by IT systems, programmers and webmasters.

The first is the Web's own attempts to force users toward less secure passwords. Before I took my business elsewhere, one of my banks didn't let me use special characters in my password. Either their IT department or their webmaster was actually forcing me to compromise both my account's security and the bank's as well. If your organization slaps similar restrictions on its internal or external users, consider stopping now.

The second issue lies outside passwords themselves. In today's risk environment, usernames/IDs should be as strong and difficult to guess as the passwords that accompany them. Yes, it'd be impractical to expect people to remember codes like:

  • Username/ID: sxi87G_fhs-*b_5v
  • Password: 71_8+#hjI6Nb1_hj

There are password-management systems that could make it easier to implement and enforce high-strength usernames and passwords throughout the organization, without making users struggle to remember them. I will get into detail about those programs later in this TechNote.

And a third infrequently discussed issue is that corporate access-control systems actually may be endangering their own networks and intellectual assets because they make employees' usernames/IDs easy for hackers to guess. To illustrate, let's say I'm a hacker with your firm in my crosshairs. I want to steal your employees' access codes, your corporate data and perhaps even a few personal identities while I'm at it. And you just may have rolled out the carpet for me. Here's what I'd do:

  1. I'd first look up your firm's "About Us" and "Contact Us" Web pages.
  2. I'd note any employee names and email addresses that they show. (Some email addresses will appear in plain text, while others might open in an email system like Outlook when an individual's name is clicked.)
  3. If your firm is one of the many that automatically assigns employee email addresses (and even internal usernames/IDs) using consistent formats like dracey or dirk.racey, I can now guess the email addresses and usernames/IDs of any other employees and executives whose names I also happen to know. (And I can find many more names... plus perhaps more internal usernames/IDs... by trolling your corporate blogs.)
  4. With this data in hand, I can launch my brute-force hacking tools against your employees' login screens.
  5. And while my PCs are brute-forcing their way into your employees' accounts, the fragments of data I've already got can be leveraged into other sorts of identity theft.

This scenario shows that if you let users create their own insecure IDs/passwords, or your systems automatically generate internal usernames and email addresses with predictable formats like dracey or dirk.racey, you are giving hackers and identity thieves the keys to your servers and networks. For unlike passwords, usernames/IDs and email addresses often appear in plain text on the Web. And if your login formats are consistent, the Hackerverse can guess other employee IDs and email addresses from any single exemplar. In a world where even parts of names or email addresses can be leveraged to steal data and identities, such format consistency is naïve at best.
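From the defender's side, the scenario above leaves a recognizable footprint: one source failing logins against many different predictable-format accounts. The following is an added example (not code from the original TechNote) that runs a simple detector over constructed login records; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of authentication events (format assumed, not from the page).
SAMPLE_LOG = """\
2012-12-13T09:00:01 src=203.0.113.7 user=dracey result=FAIL
2012-12-13T09:00:02 src=203.0.113.7 user=jsmith result=FAIL
2012-12-13T09:00:03 src=203.0.113.7 user=pjones result=FAIL
2012-12-13T09:00:04 src=203.0.113.7 user=mlee result=FAIL
2012-12-13T09:00:05 src=203.0.113.7 user=kwong result=FAIL
2012-12-13T09:00:06 src=203.0.113.7 user=dracey result=FAIL
2012-12-13T09:01:00 src=198.51.100.2 user=dracey result=FAIL
2012-12-13T09:01:30 src=198.51.100.2 user=dracey result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

# Coarse check for the guessable formats the text describes (dracey, dirk.racey):
# lowercase letters only, optionally first.last. Randomized IDs with digits or
# symbols, like the sxi87G_fhs-*b_5v example above, do not match.
PREDICTABLE_RE = re.compile(r"^(?:[a-z]{2,}|[a-z]+\.[a-z]+)$")


def is_predictable_format(username):
    """True if the username looks like an auto-generated name-based ID."""
    return PREDICTABLE_RE.match(username) is not None


def find_enumeration_sources(log_text, min_distinct=4):
    """Return {src: sorted distinct usernames} for every source whose failed
    logins span at least min_distinct different accounts. One user mistyping a
    password hits one account; a guessed-username sweep hits many."""
    failed = defaultdict(set)
    for m in LINE_RE.finditer(log_text):
        if m["result"] == "FAIL":
            failed[m["src"]].add(m["user"])
    return {src: sorted(users) for src, users in failed.items()
            if len(users) >= min_distinct}


if __name__ == "__main__":
    for src, users in find_enumeration_sources(SAMPLE_LOG).items():
        guessable = sum(is_predictable_format(u) for u in users)
        print(f"{src}: {len(users)} distinct accounts, {guessable} in predictable format")
```

A lockout or rate limit keyed on the source rather than on the individual account is the matching mitigation, since each account here sees only one or two failures.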

Tech to the Rescue?

Password-management systems can help to some extent. They let users access multiple resources using very strong (and sometimes even encrypted) codes that need not be remembered. Such systems include:

They're a great idea, and I'd love to let one of them corral my own nightmarish cloud of uber-strong passwords. But I remain paranoid that some faceless cybernut might crack my access into this gateway system and torch my entire digital life. Yes, vendors assure us that their products are secure. But when hackers and identity thieves steal data (including passwords) even from tightly guarded systems in the CIA and from security organizations like RSA and the FBI-affiliated InfraGard (twice), one suspects that no system or product is ever completely safe.

Other broader systems can also help, by managing passwords and enforcing password policies and procedures. These include (among many others):

But I fear that our future security requires that we thank usernames and passwords for their decades of service, and move on to access controls that depend more on human actions than on alphanumeric strings.

Coming Alternatives

The world is already moving from alphanumeric strings toward "graphical logins," which are usually images that users must manipulate to gain access.

One of the first such tools--CAPTCHAs--displayed text blocks that users had to decipher. But while these were great in the '90s, they can be cracked today.

So Google (which acquired reCAPTCHA in 2009) has been testing an updated version, called rotCAPTCHAs, that displays randomly rotated photos of everyday objects. Users must turn each image to within 8 degrees of vertical... a visual process that (theoretically) is tough for hackers to code. But it's a work in progress, as the accompanying photo/caption indicates.

The latest Android and Windows 8 devices are also trying their own new alternatives, but McAfee recently demonstrated security issues with the Android approach. And Win-8's new "Picture Passwords" have also come under fire. These require users to perform predefined taps and finger swipes on an image to gain access. So before bringing Windows 8 devices into the enterprise, check out recent cautions in Computerworld and elsewhere.

Two additional things also bug me about Microsoft's Picture Passwords:

  • One must still enter a traditional password before creating a Picture Password, but only the Picture Password seems to be needed to unlock a device or account.
  • Picture Passwords may simply be too cool for their own good! I could see people showing off their Picture-Password cleverness to friends, relatives or even co-workers. And such sharing would be highly unwise.

The National Institute of Standards and Technology is also getting into the act. They are funding grants (from $1.25 million to $2 million per year for up to two years) to develop and market better controls that are stronger than IDs and passwords. It's part of their National Strategy for Trusted Identities in Cyberspace. This is, at least, encouraging. A promising alternative that's already being suggested is an app that turns mobile phones into physical authentication tokens. In its favor, this wouldn't force people to buy new hardware...which might overcome non-commercial users' resistance to physical tokens and biometric screens. But any such system must be able to shut itself down fast if a phone is lost or lifted.

These are just a few ideas for future access controls. But until any new approach is widely adopted, we can't entirely blame hackers and identity thieves for stealing our digital lives. We're still making it soooooo easy for them! Until we dramatically tighten (or change) the way we authenticate users, alphanumeric usernames and passwords will remain Trojan Zebras of a markedly different color... parked outside (or inside) our digital thresholds, hiding unpleasant surprises within, and of our own making.



What about Open Source password managers like Clipperz, KeePass, Password Gorilla, Universal Password Manager, and Yadabyte Passwords? Are they safe?

This is an area of hot debate, but I’m not a convert because all existing risks to passwords (including those from human error and stupidity) will still exist…along with any additional risks that may come from exposing the code behind their protection. The nature of the code’s visibility is only a small piece of its overall security. Also, other weaknesses have been reported for such systems, including storing or exporting passwords in plain text, not supporting the kind of group-based passwords that enterprises need, and inconsistent behavior when used on different websites and pages.

Are you suggesting people use cryptic User IDs? Personally, I think doing so moves one into the "security through obscurity" realm. Strong passwords, keeping passwords secure (on both ends), and putting measures in place to thwart brute-force attacks all make sense. In some cases, two-factor authentication makes sense too. But if knowing someone's User ID puts your system/network at a significantly greater risk, you're already doing things wrong to protect those resources.

And CAPTCHAs aren't really a security mechanism -- at least not in the same realm of authentication as User IDs. Their role, as you know, is to deal with robots. Perhaps you meant to say that login screens could include CAPTCHAs to help turn away automated cracking scripts?

I'm all for the research of improved authentication methods, but the funny thing is that sometimes the simple methods (IDs/passwords) are best precisely because they are simple. Their implementation is often the problem.

Hi Mitch,

I was actually saying that, in today's risk environment, if one doesn't pay as much attention to the strength and unguessability of User IDs as we've devoted to passwords, their combined two-factor authentication method is effectively reduced to one factor. I added that automated password-management systems like the ones listed would be an ideal way to implement such enhanced, randomized, authentication pairs while also removing the onus of having to remember them.

And when IT departments enforce consistent formats for User IDs and email addresses throughout their networks, they are indeed, as you observe, "doing things wrong to protect those resources!"

I was also saying that CAPTCHAs...a widely used early form of non-alphanumeric authentication...are now crackable, and should probably be phased out (not added to more login screens). So other tools are being developed as described.


Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2015, Distributed Networking Associates, Inc.