Many organizations have password creation standards that force you to create a ‘complex’ password when creating an account or profile, based on the assumption that a complex password will be much harder to hack than a simple one. Turns out that assumption may be faulty, according to the computer security company Hold Security and Wired magazine’s Robert McMillan, in the wake of the recent massive theft of 1.2 billion online credentials by Russian cyber-criminals.
Some of these may be incredibly complex passwords—with lots of jumbled numbers and symbols. And some may be incredibly simple—using just the simplest of English words, like, say, “password.” But after the hack, almost all of them have left their users vulnerable to attack. According to Alex Holden, Hold Security’s founder, the “vast majority” of the passwords he uncovered had been stored in plain text on company servers.
If hackers can simply steal passwords stored in plain text, that complex password you spent 10 minutes trying to set up through an organization’s strict password creation guidelines will be just as useless as ‘password’ or what Mel Brooks’ character ‘President Skroob’ in Spaceballs uses as the combination to his luggage.
Big, nasty, complex passwords have other drawbacks, too. As Wired points out, passwords force the user to do all the work, and the more work a user has to do, the more likely they are to circumvent the system with that famous yellow sticky note on the computer monitor with the password on it. This becomes even more likely if you have to replace that complicated, hard-to-remember password every 3 months. Additionally, sometimes “complex” passwords turn out not to be that complex after all, at least for some password cracking tools:
Here’s an example: some systems force you to choose an eight-character password, using capital letters, numbers and at least one number. That sounds pretty secure, but it’s not. The word P@ssw0rd fits these criteria and password cracking tools such as John the Ripper or hashcat will guess it in minutes. That’s because they use something called “mangling rules” which take dictionary words and substitute letters such as a for @ or s for $.
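The practical defense against the P@ssw0rd problem is to check new passwords the way a mangling rule would see them: undo the common symbol-for-letter substitutions and compare the result against a wordlist, rather than trusting the character-class rule alone. The following is an added example (not code from the article or from Wired); the mini dictionary and the substitution table are constructed for illustration, and a real deployment would load a large wordlist.

```python
"""Policy check that rejects 'complex' passwords which are really mangled dictionary words.

Added example, not from the article. DICTIONARY and LEET_TO_LETTER are constructed
here for illustration; a production check would load a large wordlist.
"""
import re

# Constructed mini dictionary: a few words that appear in every wordlist.
DICTIONARY = {"password", "welcome", "summer", "letmein", "admin", "monkey"}

# Common substitutions that mangling rules apply (a -> @, s -> $, o -> 0 ...),
# listed in reverse so a candidate can be mapped back to its base word.
# "1" is mapped to "i"; it is also used for "l", which this simple table ignores.
LEET_TO_LETTER = {
    "@": "a", "4": "a",
    "3": "e",
    "1": "i", "!": "i",
    "0": "o",
    "$": "s", "5": "s",
    "7": "t",
    "|": "l",
}


def meets_complexity_policy(pw: str) -> bool:
    """The rule the article describes: 8+ characters, an uppercase letter,
    a digit and a symbol. P@ssw0rd passes this with flying colours."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def base_words(pw: str) -> set:
    """Return the possible base words behind a password: lowercase it, optionally
    strip trailing digits/symbols ("Welcome1!"), then undo the substitutions."""
    lowered = pw.lower()
    candidates = {lowered, re.sub(r"[^a-z]+$", "", lowered)}
    return {"".join(LEET_TO_LETTER.get(ch, ch) for ch in c) for c in candidates}


def is_mangled_dictionary_word(pw: str) -> bool:
    """True when the password is a dictionary word plus mangling."""
    return bool(base_words(pw) & DICTIONARY)


def evaluate(pw: str) -> str:
    """Combine both checks; the character-class rule alone is not enough."""
    if not meets_complexity_policy(pw):
        return "reject: fails complexity rule"
    matches = base_words(pw) & DICTIONARY
    if matches:
        return "reject: mangled dictionary word (" + sorted(matches)[0] + ")"
    return "accept"


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "Welcome1!", "Xq7!vLp2"]:
        print("%-10s -> %s" % (candidate, evaluate(candidate)))
```

The point of the second check is that P@ssw0rd satisfies every character-class requirement yet collapses to "password" once the substitutions are reversed; a random eight-character string such as Xq7!vLp2 does not collapse to anything and is accepted.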
The only way to make a good, truly complicated password is for it to be randomly generated, according to Cormac Herley, a Microsoft researcher with expertise in passwords and security systems. However, we humans are really bad at being random, and even worse at remembering something that is randomly generated. And even if you do have a photographic memory, all will be for naught if that password is stored in an unencrypted plain text file on an insecure server.
McMillan believes that System Admins need to shoulder more of the identity and access management burden, specifically by finding “other ways” to secure their systems. A good place for Sys Admins to start, however, is by making sure those passwords stored in their servers aren’t so easily snatched.
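Two of the points above, random generation and not keeping passwords in plain text, are easy to show in code. The block below is an added example (not code from the article, Hold Security or Wired) using only the Python standard library: passwords are drawn from `secrets`, and what is written to the server is a salted, iterated PBKDF2-HMAC-SHA256 verifier rather than the password itself. PBKDF2 is the assumed choice here because it ships with Python; bcrypt, scrypt or Argon2 serve the same purpose.

```python
"""Added example, not from the article: store a password verifier, never the password.

A stolen table of these verifiers still has to be cracked one guess at a time per
user, whereas a stolen plain-text table is usable immediately.
"""
import hashlib
import hmac
import secrets
import string

# Cost parameter for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000

# Alphabet for randomly generated passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Randomly generated password (the only truly complicated kind per Herley),
    drawn from a CSPRNG rather than a human's idea of 'random'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$hash.
    A fresh 16-byte salt per user means identical passwords get different verifiers."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, verifier: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time. Malformed or foreign verifiers are simply rejected."""
    try:
        algo, iters, salt_hex, digest_hex = verifier.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    pw = generate_password()
    record = hash_password(pw)        # this, not pw, is what goes in the user table
    print("generated:", pw)
    print("stored   :", record)
    print("login ok :", verify_password(pw, record))
    print("wrong pw :", verify_password("P@ssw0rd", record))
```

Nothing here stops a user from still picking P@ssw0rd; it only ensures that a breach of the server exposes verifiers that must be cracked rather than passwords that can be replayed.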
Nevertheless, it may be time for you to think about moving beyond password-only systems of authentication, according to McMillan:
pinning your security on an insanely complex password is a fool’s wager. Just ask the people running the airline, travel and social networking sites that got hacked by… Russian hackers.
As good words as any to end on.
For the Wired article by McMillan, click here.