Wednesday, January 04, 2012

Passwords: uniqueness, not complexity

Hacktivists recently broke into the StratFor website and dumped details of 800,000 accounts, including e-mail addresses and password-hashes. Since the password-hashes were simple MD5, it meant that almost all the passwords were easily cracked. People have looked at the passwords, and found that most people chose simple ones, such as "password123". This has led to articles like this one (Breach shows that even experts chose bad passwords) that claims "Security experts recommend building long, complex, case-sensitive passwords with multiple characters".

Nope. That's wrong advice. Your password for a free or cheap StratFor account doesn't need to be complex, because there is little to lose if hackers guess it.

Instead, what's important is that the password be unique. Most sites are like StratFor and have poor cybersecurity. (StratFor wasn't even close to good cybersecurity, they were horrible on almost any measure). Any information you give them, such as your password, will eventually get stolen by hackers. If you use the same password for all websites, then eventually hackers will break into one of those sites, then gain access to all your other accounts.

There are essentially three tiers of websites. At the first tier is your e-mail account. Since a hack of your e-mail account means hackers can reset passwords on all your other accounts, it would be terrible if that password were lost. This should both be very complex, as well as wholly unrelated to any other accounts.

At the second tier are important e-commerce sites, like Amazon.com, NewEgg,com, Apple.com, and so on. The major sites are unlikely to be hacked. You could probably share the same password for all these accounts.

At the third tier are the unimportant accounts, like StratFor, where it wouldn't be catastrophic if your password were lost. Again, you could choose a third, simple password, like "passwd1234" for all these accounts. It'll probably get stolen within a year, but who really cares?

Thus, you really only need three passwords for each tier, so it's not too much trouble. However, even then, you might consider adding uniqueness. For example, on the last tier, you might use the domain name as your password, like "passwdStratfor1". When a hacker breaks in and runs an automated script to see if your password is unique, the script will fail to find a match on any other site. Sure, a hacker looking at the password individually will figure out your scheme, but in a huge hack like the 800,000 StratFor accounts, hackers are unlikely to manually check every password.

In conclusion, your first password policy shouldn't be complexity, but uniqueness. When hackers break into a site like StratFor and discover your password is "password1", you shouldn't be embarrassed. You should instead say you don't care about your free StratFor account, or that hackers break into it, and that knowing this password doesn't help break into any account you do care about.


Updates:

Somebody also suggested Stiennon's article on Forbes Fallout from the Christmas Hack of Stratfor. His analysis is wholly incorrect == unless Stiennon has also tested those passwords to see if they were reused.

Rob Lemos criticizes password reuse at InfoWorld New year, same old security passwords

XKCD has an evil plan at https://www.xkcd.com/792/.

Nick Selby writes about Blaming The Victim in the STRATFOR Hack, how we need to stop blaming the people whose passwords were revealed, and start blaming StratFor for it's incredibad cybersec.

7 comments:

Robert Graham said...

BTW, this is what frustrates me with full-disk encryption. I need one level of complexity to protect "sleep mode", and a much higher level of complexity to prevent offline brute-force cracking of the encrypted password on the disk.

Unfortunately, I can't choose two passwords, and have to choose the more complex one. Therefore, every time my notebook goes to sleep, I end up having to type a long password to bring it out of sleep. It usually takes me more than one try. This is very very annoying.

Unknown said...

I have been using a different password for every site that I have an account. I can recommend everyone keepass, runs on android/win/linux and supports storing of the password vault on an ftp.

Anonymous said...

Well said. The near hysteria over this leak is funny. Analysis of this leaked DB isn't going to help many people unless they are attacking throw-away accounts.

now if people are also using these passwords on their gmail/twitter/blah accounts or on their personal systems...

Reminds me of the genius of xkcd: https://www.xkcd.com/792/

securitynirvana said...

I've blogged a response for your blog post, available here: http://securitynirvana.blogspot.com/2012/01/errata-for-errata-security.html

While I do agree with your overall conclusion, I think you have parts of it wrong.

As for the hysteria over the #stratfor leak, the interesting question is more about whether the hackers got the passwords a long time ago, and whether the users at #stratfor used the same passwords at other and more important sites.

The blog post in 2011 from Troy Hunt on password reuse between Sony and Gawker showed a 67% reuse rate. If the stratfor leak is anywhere that, hackers may have gained access to much more valuable data than a few million USD in credit card data and the apparent "fun" of displaying bad security practices to the world.

securitynirvana said...

Oh, and somebody should buy Nick Selby a beer. He's got it right.

Robert Lemos wrote about the same things here: http://www.infoworld.com/t/password-security/dont-blame-users-dumb-passwords-970

(and the summary from Cormac Herley at Microsoft at the second page of that article is pure genius.)

Anonymous said...

Maybe just me, but better to create and manage complex passwords across the board (using the right tools). "Any" info obtained by subterfuge could be used to compromise those interests at any time.

Hackers tools like "Purpose-built password breaking machines" provide hackers with advanced algorithm calculation speed abilities.

If too much for the average user, moving away from "easy" to using unique passwords, combined with "complex" for the important ones - is fine, as long as one makes note of the info included in messages (sometimes read by hackers, spammers, malware makers...)

Jordan said...

I prefer a modified form of the unique password generated by keepass per site. I use super genpass, available as a bookmarklet that runs on every browser, from my iPhone, desktop, and even my old palm treo back in the day. I remember one password, each site gets A unique password. Best of both worlds. (it just hashes my "master password" with the domain name to generate a unique PW. Works great for things like Internet cafes since I can generate the PW on my phone and not care too much if it gets key logged.