All your passwords are belong to us


The compromise and leak of people's passwords has become so prevalent and frequent that it is almost accepted as a normal fact of life. Recently, the disclosure of a Twitter password bug that exposed user passwords and the temporary closure of TaskRabbit were two more entries in an apparently never-ending stream of incidents demonstrating that, in companies of all sizes, user information is likely to be exposed or compromised, often going far beyond passwords alone.

Figure: a popular site for account/password compromise.

These incidents showcase how slow the entire industry has been to implement alternative mechanisms that can mitigate password attacks. Such mechanisms are necessary because users have proven that they will continually choose the simplest and shortest passwords they can think of, no matter how often they are warned not to. Since users also reuse these easy-to-remember passwords across multiple sites, a single attack can easily turn into multiple account compromises.

Figure: the top 10 passwords used in 2017 (source: Gizmodo).

The many password dumps and lists that can be found online confirm that password simplicity and reuse is a widespread problem. One significant example is the RockYou password list, which contains 32 million passwords. Attackers can leverage these readily available lists with easy-to-use password attack tools.

There are multiple techniques for performing password attacks. The most popular one against internet-facing services is "brute forcing": trial-and-error matching of a list of usernames against a list of passwords until a correct pair is found. These attacks depend on a target that allows a large enough number of attempts for the right match to be found. The simpler and shorter the passwords, the greater the likelihood that the attack will succeed.
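As an added illustration (not from the original post), the following Python detection logic runs over a few constructed login audit lines and flags the two shapes of this attack that a target allowing unlimited attempts invites: many failures against one account from a single source, and one source trying a few passwords against many different accounts. The log format, addresses, thresholds and window size are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-login audit lines; addresses are documentation ranges.
SAMPLE_LOG = """\
2018-05-03T12:00:01 src=203.0.113.7 user=alice result=FAIL
2018-05-03T12:00:02 src=203.0.113.7 user=alice result=FAIL
2018-05-03T12:00:03 src=203.0.113.7 user=alice result=FAIL
2018-05-03T12:00:04 src=203.0.113.7 user=alice result=FAIL
2018-05-03T12:00:05 src=203.0.113.7 user=alice result=FAIL
2018-05-03T12:00:06 src=203.0.113.7 user=alice result=OK
2018-05-03T12:10:00 src=198.51.100.9 user=bob result=FAIL
2018-05-03T12:10:01 src=198.51.100.9 user=carol result=FAIL
2018-05-03T12:10:02 src=198.51.100.9 user=dave result=FAIL
2018-05-03T12:10:03 src=198.51.100.9 user=erin result=FAIL
2018-05-03T12:30:00 src=192.0.2.5 user=frank result=FAIL
2018-05-03T12:31:00 src=192.0.2.5 user=frank result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse(log: str):
    """Turn log text into (timestamp, src, user, result) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return sorted(events)

def detect(log: str, window=timedelta(minutes=5), max_fail=5, max_users=3):
    """Return {src: set of alert names}.
    'bruteforce': >= max_fail failures against one account inside `window`
                  (classic guessing of a single user's password).
    'spray':      failures against more than max_users distinct accounts
                  inside `window` (one password tried across many users)."""
    alerts = defaultdict(set)
    fails = [(ts, src, user) for ts, src, user, r in parse(log) if r == "FAIL"]
    for i, (ts, src, user) in enumerate(fails):
        # Failures from the same source within the window ending at this event.
        recent = [(s, u) for t, s, u in fails[:i + 1]
                  if s == src and ts - t <= window]
        if sum(1 for _, u in recent if u == user) >= max_fail:
            alerts[src].add("bruteforce")
        if len({u for _, u in recent}) > max_users:
            alerts[src].add("spray")
    return dict(alerts)
```

In the sample, the first source trips the per-account threshold and the second trips the many-accounts threshold, while the single failure followed by success from the third source is left alone.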

Figure: the popular password attack tool THC Hydra.


Passwords as we know them are obsolete

We can no longer rely on passwords as the main method of authentication. Users are blamed for choosing simple passwords, while vendors, under pressure to make access easy, frequently hardcode simple and easy-to-guess passwords. An example of how this can affect the internet is the rise of the Mirai botnet, in which hundreds of thousands of IoT devices were compromised and the main attack vector was simply default vendor passwords.


How can we fix this?

There are a number of password alternatives or complements that improve security over using passwords as the only authentication/authorization method. These include:

  • Short Message Service (SMS) codes: These have vulnerabilities of their own, but are useful where users depend on low-tech devices. A user enters a password and then receives a code via SMS on their phone. This method does not require a smartphone, a special application, or a token.
  • Time-Based One-Time Password (TOTP): Wikipedia defines this as "an algorithm that computes a one-time password from a shared secret key and the current time." TOTP is usually implemented in a smartphone application or a token device. Google Authenticator, Microsoft Authenticator and Authy are examples.
  • Biometrics: The use of fingerprint or face recognition as a password replacement has been applied in specific environments and is becoming more widespread thanks to its incorporation into mobile devices.
  • Physical Tokens: The use of a physical token such as a USB key as part of the authentication process provides an additional layer of security on top of knowledge of a password.
  • Password Keepers/Managers: Password keepers and managers let users create complex or random passwords, associate them with a site or application, and store them in an application that detects where each password is used and provides access without revealing the password. Well-known password managers include LastPass and PasswordKeeper.
  • Credential Monitoring Services: These track your username, email address and passwords, and often your company's domain name. Services such as SpyCloud and AlertID alert you when credentials have been stolen and are possibly being bought, sold and traded on the dark web.

The above items are by no means a complete solution to account takeover or compromise; they can, however, provide additional protections that help prevent accounts from being compromised and stop password reuse attacks from succeeding.

There are many other attack vectors that can target each method listed above. An example of how two-factor authentication can be bypassed without much effort was recently shared with the author of this blog: a very large academic organization that had implemented two-factor authentication through a well-known vendor saw a number of accounts compromised when malicious actors targeted students at lunch time by sending them authentication requests through the vendor's phone application. This is a social engineering attack that required prior knowledge about the victims. Surprisingly, many of the students confirmed such requests, and their accounts were then accessed and ultimately compromised.

The above example demonstrates that although we can improve protections against password compromise, users still have the last word. We need to move on from passwords as the sole authentication method. The path forward requires investment and a push from vendors and service providers to implement such measures. Additionally, enterprises must shift their traditional stance on authentication away from the single-method model and demand that their vendors support multi-factor authentication.
