
Technical Advances Make Your Passwords Practically Worthless

Passwords are supposed to be kept secret, but due to continuing advances in technology, they are becoming weaker every day. The threat has grown to the point where using a password as the sole form of authentication provides you with almost no protection at all. Randy Nash outlines the dangers facing passwords and suggests some additional measures needed to protect even ordinary digital assets.
Your password is a form of authentication, or identification, used to control access to a given resource. Passwords are supposed to be kept secret, thereby controlling access to important information. But due to continuing advances in technology, passwords are becoming weaker every day. The threat has grown to the point where using a password as the sole form of authentication provides you with almost no protection at all. Cracking a password has become a task that can be accomplished in minutes instead of weeks or months. Additional measures need to become commonplace now to protect even ordinary digital assets.

Why Your Password is at Risk

Your username identifies you; your password authenticates that claim, proving to the system that you are who you say you are, and the rights you are then granted within the system depend on it. Digital authentication factors are generally broken down into three classes:

  • Something you know: your password, a pass phrase, or your PIN.
  • Something you have: a security token or a smart card.
  • Something you are: biometrics (such as a fingerprint or a retinal scan).

When used as the sole form of authentication, passwords are generally considered the weakest form of authentication. Why? Let's face it; most folks tend to get lazy with their passwords:

  • They devise simple passwords, such as the names of their pets or the names of their favorite sports teams.
  • They use the same password for multiple systems.
  • They write their passwords on sticky notes and stick them next to their computers.

Once your password is no longer secret, it no longer uniquely identifies you – which means it no longer protects access to your valuable information. Unfortunately, even if you do protect your password, there are other ways of obtaining it.

Sniffing Around in Your Data

Bad guys can sniff passwords as they are transmitted over the network by using specialized hardware or software that allows them to access network traffic as it's transmitted over the wire.

Sniffing can provide direct access to passwords if they are transmitted in the clear (without some form of encryption). Even today there are many technologies, applications, and protocols that transmit this sensitive information in clear text without any form of protection. Some examples are:

  • Websites (HTTP, including HTTP Basic authentication headers and login forms submitted without TLS)
  • Email (POP3, and likewise IMAP and SMTP when TLS is not used)
  • Telnet and FTP

Sending the credentials in clear text makes them immediately usable by anyone who captured them, with no further effort required.

Encryption: Speaking in Tongues

One method of protecting passwords is to apply cryptography so that the password itself is never stored or transmitted in a readable form. There are many different schemes, each with varying levels of protection and security. Some commonly used examples are:

  • Windows LAN Manager and NT LAN Manager (LM and NTLM): LM is the older scheme; its hash is case-insensitive and is computed over two independent seven-character halves, which makes it very weak. NTLM is a Microsoft challenge-response authentication protocol that exchanges three messages (negotiate, challenge, authenticate) between client and server; the client proves knowledge of the password hash by computing a response to the server's random challenge, so the hash itself is never sent.
  • NTLM v2: An updated version of NTLM that addresses weaknesses in the original response computation (it adds a client challenge and an HMAC-based response).
  • Kerberos: A network authentication protocol that allows parties communicating over an insecure network to prove their identity to one another securely, using a trusted third party (the Key Distribution Center) and encrypted tickets; the password is never transmitted but is used to derive the key that protects the initial exchange.

In each case the password is first run through a one-way cryptographic hash function. In simpler terms, the algorithm is a piece of complex math that produces a fixed-length encoded version of your password (a password hash). This is hashing, not encryption: there is no key, and the output is not meant to be decrypted. There is no known way to reverse the math and recover the password from the hash, which is why the process is called one-way. What can be sniffed from the network is not the hash but the challenge and the response derived from it. That is better than clear text, but it is not safe: an attacker who captures a challenge and its response can guess passwords offline, hashing each guess and computing the response it would have produced, until one matches. And for LM and NTLM the stored hash is itself enough to compute a valid response, so a stolen hash is as good as the password.

Passwords are usually stored in a local system database. This is necessary to allow the system to verify a password when a user is trying to gain access. They are stored as the one-way hashes discussed above rather than in clear text. Unfortunately, this database represents the proverbial pot of gold for anyone wishing to gain access to your information systems: every entry can be attacked offline, and (as noted above) some hashes can be used directly.

Various operating systems store their password hashes in well-known standard locations. Unix systems traditionally kept them in /etc/passwd, a world-readable file; modern systems move the hashes into /etc/shadow, which only root can read. Windows stores them in the local Security Accounts Manager (SAM) database. If attackers can read these files, they can launch offline attacks against this cache of information in their efforts to obtain (or crack) the passwords.

Attacking with Dictionaries and Brute-Force

Password attacks have taken many forms, the first of which was probably as simple as trying to guess passwords. The simplest form of guessing passwords was accomplished by manually attempting to log into a computer system and taking your best guesses at the password. Many people choose simple passwords that are easy for them to remember – but that makes them easy for others to figure out as well.

People may also forget or neglect to change default system or account passwords. A quick Google search for default passwords provides extensive listings for various systems. Manual password guessing is very slow and tedious, and is further complicated by the fact that many computer systems lock out an account after a number of failed login attempts. The bad guys have reacted to this challenge by automating their password-cracking attacks.

But how is guessing automated? There are two common methods of automated guessing:

  • Dictionary
  • Brute-force

A dictionary attack uses a list of common words and names as the source of guesses. Again, many people choose simple passwords that are easy to remember, which means common words, names, places, and so on. Ready-made dictionaries of these, including lists of passwords leaked from real systems, are available for download and immediate use, and cracking tools extend them with "mangling" rules (capitalising, appending digits or symbols, substituting characters) to cover the variations people actually type.
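The two points above (the challenge-response exchange described under "Encryption: Speaking in Tongues", and the dictionary attack) fit together in one added example; it is illustrative code written for this page, not the article's or Microsoft's. SHA-256 and HMAC-SHA256 stand in for NTLM's MD4-based NT hash and HMAC-MD5 so that it runs on any Python install, and the wordlist and mangling rules are a deliberately tiny, constructed sample. It shows three things: the server accepts a correct response, the sniffed challenge and response can be attacked offline with no lockout, and the stored hash alone lets an attacker answer any challenge.

```python
import hashlib
import hmac
import os

# Stand-in primitives (assumption for this example): SHA-256 of the UTF-16LE
# password as the stored hash, HMAC-SHA256 as the response function.


def stored_hash(password: str) -> bytes:
    """One-way, unsalted hash kept in the account database, as LM/NTLM hashes are."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def make_challenge() -> bytes:
    return os.urandom(8)


def response_from_hash(pw_hash: bytes, challenge: bytes) -> bytes:
    """Keyed on the hash, so anyone holding the hash can answer without the password."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    return response_from_hash(stored_hash(password), challenge)


def server_verify(db: dict, user: str, challenge: bytes, response: bytes) -> bool:
    expected = response_from_hash(db[user], challenge)
    return hmac.compare_digest(expected, response)


def mangle(word: str):
    """A few of the rules crackers apply to each dictionary word (constructed sample)."""
    bases = (word, word.capitalize(), word.upper())
    for base in bases:
        yield base
    for base in bases:
        for suffix in ("1", "123", "!"):
            yield base + suffix


def offline_dictionary_attack(challenge: bytes, response: bytes, wordlist):
    """Given a sniffed (challenge, response) pair, guess as fast as hardware allows."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if hmac.compare_digest(client_response(candidate, challenge), response):
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    db = {"alice": stored_hash("Tigers1")}
    challenge = make_challenge()
    response = client_response("Tigers1", challenge)
    print("server accepts:", server_verify(db, "alice", challenge, response))
    print("on the wire:", challenge.hex(), response.hex())  # neither password nor hash visible
    wordlist = ["password", "fluffy", "tigers", "letmein"]  # constructed sample dictionary
    print("offline attack recovers:", offline_dictionary_attack(challenge, response, wordlist))
    forged = response_from_hash(db["alice"], challenge)  # stolen hash, no password needed
    print("forged response with stolen hash accepted:", server_verify(db, "alice", challenge, forged))
```

Account lockout never fires during the offline phase, because no login attempts are made; the only limit is the attacker's hash rate. That is why the stored hashes deserve the same protection as the passwords themselves.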

A brute-force attack is a little more complex and can take much longer to execute. In simple terms, a brute-force attack tries every possible character combination until it finds a match. The total number of combinations is referred to as the keyspace. To know how many possibilities need to be tried, take the number of allowable characters (y) and raise it to the power of the password length (x): y^x. (On average the password turns up after half the keyspace has been tried; the figures below are the worst case.) As an example, consider an eight-character password made up of uppercase letters only, and then one drawn from all the characters on a standard keyboard, which the article counts as 96:

  Character set                      Size (y)   Length (x)   Keyspace (y^x)
  Uppercase letters only                   26            8   26^8 = 208,827,064,576
  All standard keyboard characters         96            8   96^8 = 7,213,895,789,838,336

Each additional character of length multiplies the keyspace by the size of the character set, so the number of combinations grows exponentially with length; widening the character set helps as well, but for a fixed length it grows as a power (here the eighth), not exponentially. Either way, the time for an exhaustive search grows in proportion to the keyspace. NIST Special Publication 800-63 provides excellent discussion on password strength and how it is affected by the password attributes (password length and possible character sets).

So, realistically, how long might it take to crack some of these passwords using a brute-force attack? Instead of recreating all the math and scenarios here, I'll refer you to an article (How Long Does It Take to Crack Passwords?) that provides a detailed breakdown. According to that article, it would take up to 2.1 centuries to evaluate the entire keyspace of an eight-character password drawn from the full keyboard character set. Note the assumption behind that figure: 96^8 guesses in 210 years is roughly one million guesses per second, and the time shrinks in proportion as the guess rate rises. Still, taking a couple of centuries to crack a password is of no value to anyone. This was an obvious weakness of the brute-force attack, so the bad guys developed new techniques, including distributed computing and the Cryptanalytic Time-Memory Trade-Off.

Using Distributed Computing to Become Faster

One of the first attempts at developing faster attack methods was to use the distributed computing model. There are many well-known examples of this technique, such as SETI@Home and Folding@Home, which run as a screen saver that uses idle computer cycles to perform complex calculations. The same concept was applied to password cracking in a distributed version of John the Ripper known as distributed john, or djohn. An excerpt from that project's site explains the process:

"With Distributed John (djohn) you can crack passwords using several machines to get passwords sooner than using a single machine. The cracking in itself is done by John the Ripper and djohn's server (djohnd) divides the work in work packets and coordinates the effort among the clients (djohn), which are the ones who do the work."

This approach gives attackers cracking power limited only by the number of computers they can put on the task: the keyspace is simply split into work packets, and each client exhausts its share.

Using Cryptanalytic Time-Memory Trade-off to Become More Efficient

Eventually the idea arose that these lengthy calculations need not be done repetitively. In other words, why do the same task over and over? Why not do it one time and save the results for re-use? This is the Cryptanalytic Time-Memory Trade-Off, first described by Martin Hellman in 1980. I don't have the space here to discuss it in depth, but it needs to be mentioned because it later led to Rainbow Tables for password cracking. A rainbow table does not store the hash of every password, which would take as much work as one full brute-force search and far more storage than is practical. Instead it precomputes long chains that alternate hashing with a "reduction" function mapping each hash back to another candidate password, and stores only the first and last password of each chain. Looking up a captured hash then means regenerating a small part of one chain rather than hashing the whole keyspace, so most of the work is done once and the table is reused against every hash captured afterwards. This only works because LM and NTLM hashes are unsalted: any scheme that mixes a random per-user salt into the hash forces the attacker to build a separate table for every salt value, which defeats precomputation. But again, there are difficulties with this approach:

  1. There is still a huge time requirement for creating the tables. This has again been addressed with the application of distributed processing for Rainbow Tables.
  2. The storage requirements for this sort of project are immense (on the order of hundreds of gigabytes). Until recently, this would have been very cost prohibitive. Now, however, it’s possible to buy half-terabyte drives for slightly over $100.
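To make the trade-off tangible, here is an added toy rainbow table in Python; it is illustration code written for this page, not the article's and not from any real cracking tool. Assumptions: a deliberately tiny keyspace (three lowercase letters, 17,576 passwords) so that it builds in a moment, SHA-256 standing in for the LM/NTLM hash, and arbitrary chain length and table size. The table keeps only the start and end of each chain; a lookup walks a chain tail to its endpoint, and if that endpoint is in the table, regenerates just that one chain's prefix. The final call shows a salted hash defeating the table.

```python
import hashlib
import random
import string

ALPHABET = string.ascii_lowercase
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH   # 17,576 candidate passwords (assumed toy keyspace)
CHAIN_LEN = 40                    # assumed chain length


def H(password: str) -> bytes:
    """Stand-in for the LM/NTLM hash function."""
    return hashlib.sha256(password.encode()).digest()


def index_to_password(n: int) -> str:
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_password(digest: bytes, column: int) -> str:
    """Map a hash back into the password space. A different reduction per column is
    what makes this a rainbow table rather than a plain Hellman table."""
    n = int.from_bytes(digest[:8], "big") + column * 0x9E3779B1
    return index_to_password(n % SPACE)


def chain_member(start: str, k: int) -> str:
    """The password at column k of the chain that begins at `start` (k == CHAIN_LEN gives the endpoint)."""
    p = start
    for col in range(k):
        p = reduce_to_password(H(p), col)
    return p


def build_table(num_chains: int) -> dict:
    """Precompute once; keep only endpoint -> start points and discard everything in between."""
    table = {}
    for i in range(num_chains):
        start = index_to_password((i * 7919) % SPACE)  # 7919 is coprime to SPACE: distinct starts
        table.setdefault(chain_member(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Recover the password behind `target` if any stored chain passed through it."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        # Suppose target = H(password at column k): walk the chain tail to its endpoint.
        p = reduce_to_password(target, k)
        for col in range(k + 1, CHAIN_LEN):
            p = reduce_to_password(H(p), col)
        for start in table.get(p, ()):
            candidate = chain_member(start, k)   # regenerate only this chain's prefix
            if H(candidate) == target:
                return candidate
    return None


def salted_hash(salt: bytes, password: str) -> bytes:
    """A per-user salt changes the function the table was built for, so lookups miss."""
    return hashlib.sha256(salt + password.encode()).digest()


if __name__ == "__main__":
    table = build_table(1500)
    stored = sum(len(v) for v in table.values())
    print(f"table holds {stored} start/end pairs for up to {stored * CHAIN_LEN} of {SPACE} passwords")
    rng = random.Random(1)  # seeded so the run is repeatable
    sample = [index_to_password(rng.randrange(SPACE)) for _ in range(200)]
    hits = sum(lookup(table, H(pw)) == pw for pw in sample)
    print(f"cracked {hits}/{len(sample)} random passwords from the table alone")
    print("salted lookup:", lookup(table, salted_hash(b"\x8f\x21", "cat")))
```

The storage for 1,500 pairs is a few kilobytes against 17,576 hashes, and the ratio scales the same way for real keyspaces; that is the "memory" side of the trade, paid for with the extra hashing done at lookup time and with imperfect coverage where chains merge. Note that a single salt byte already empties the table, which is why modern password stores salt every hash.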
