Today is World Password Day, a day of awareness created by Intel. This year’s theme, #layerup, seeks to draw attention to the importance of strong password authentication. (No, your first name plus ‘12345’ does NOT constitute a strong password).
The tsunami of passwords everywhere in our digital life means that there’s a thriving underground industry trying to get at them. To borrow from Shakespeare’s Macbeth: “Each new morn, new widows howl, new orphans cry, new sorrows slap Internet giants on the face”.
The modern era of mass data breaches perhaps began with the 2009 hack of 32 million account credentials held by software developer RockYou. An SQL injection attack revealed that passwords were simply held in cleartext in a database table. 2010 brought a leak from Gawker Media’s servers, with another 1.5 million records exposed. This time passwords were lightly protected by the 1970s-era DES-based crypt(3) scheme, which considers only the first eight characters of a password and which modern hardware brute-forces with ease.
Then, like Premier League transfers, the numbers went up and household names began to appear. 2012: LinkedIn, 178 million records, unsalted SHA-1 hashes, so every user with the same password had the same hash and one dictionary pass cracked them all. 2013: Adobe, 153 million, passwords encrypted rather than hashed, with 3DES in ECB mode (identical passwords produced identical ciphertext) and unencrypted password hints stored alongside them. Yahoo!, Equifax - I won’t go on, you can play with this visualisation instead.
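To make the storage failures above concrete, here is an added example (not code from the original post or from any of the companies named) that builds a small constructed "dump" of three accounts, two of which share a password, and compares the LinkedIn-style unsalted SHA-1 scheme with salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library. The account names, passwords and wordlist are made up; the 600,000 iteration default is the figure in the OWASP Password Storage Cheat Sheet at the time of writing and should be tuned to your own hardware.

```python
"""Why unsalted fast hashes fall to a single dictionary pass, and what
salted, iterated hashing changes. Standard library only."""
import hashlib
import hmac
import os

# Constructed sample "dump": three accounts, two sharing a password.
USERS = {"alice": "password1", "bob": "letmein", "carol": "password1"}

# Constructed attacker wordlist (a real one has millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1"]


def unsalted_sha1(password):
    """LinkedIn-2012 style: one SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(dump, wordlist):
    """Crack an unsalted dump with ONE hash computation per wordlist entry.

    Without salts the attacker builds a hash->candidate table once and
    looks every user up in it; identical passwords fall together.
    Returns (cracked dict, number of hash computations).
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, len(wordlist)


def make_record(password, iterations=600_000):
    """Salted, iterated storage: a fresh 16-byte random salt per user and a
    deliberately slow KDF (PBKDF2-HMAC-SHA256). Default iteration count is
    the OWASP-recommended figure at time of writing; tune to your hardware."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many leading bytes matched."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def crack_salted(records, wordlist):
    """Same wordlist against salted records: every (user, candidate) pair
    needs its own KDF run, so the work multiplies by the number of users
    and no precomputed table helps. Returns (cracked dict, KDF runs)."""
    cracked, runs = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            runs += 1
            if verify(w, rec):
                cracked[user] = w
                break
    return cracked, runs


if __name__ == "__main__":
    dump = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("unsalted: alice and carol share a hash:", dump["alice"] == dump["carol"])
    print("unsalted cracked, work:", crack_unsalted(dump, WORDLIST))
    # Low iteration count here only to keep the demo quick.
    records = {u: make_record(p, iterations=1000) for u, p in USERS.items()}
    print("salted: alice and carol share a hash:",
          records["alice"]["hash"] == records["carol"]["hash"])
    print("salted cracked, work:", crack_salted(records, WORDLIST))
```

The weak passwords still fall in both cases: salting and stretching do not rescue "password1". What changes is the economics: the unsalted dump is cracked with five hash computations for any number of users, while the salted store costs the attacker a full KDF run per user per candidate, and the iteration count lets the defender set how expensive each of those runs is.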
Taking a password dump from a server isn’t, of course, the only route to compromise. Tricking a user into entering a password into some malicious program or other pre-dates the modern Web. The first mention of “phishing” dates back to the days of the AOL online service - a program called AOHell paved the way by automating the process of sending out fake security messages to users. The discovery that a weak and obvious fraud could still be effective when amplified through mechanisation, and hidden behind online anonymity, was groundbreaking.
If your target users are smart, of course, it may be necessary to steal passwords literally from under their fingers. Keyloggers - programs or hardware which record keystrokes to be retrieved by an attacker - are Cold War technology that is still with us. Back in the Brezhnev Era, US diplomats working in Moscow used electric typewriters to write up memos and reports, with not an Internet connection in sight. Following the discovery of a bugging device in the French embassy, NSA engineers examined some 44 IBM Selectric models in minute detail, dismantling and X-raying the parts. They were amazed to discover - revealed only by a tiny modification to the power switch - that hidden inside them was a sophisticated electronic eavesdropping device which detected the movement of the typewriter’s print head using magnets and relayed the information in short radio bursts. It’s estimated they had been in place, unnoticed, for up to 8 years. The investigation, referred to as Project GUNMAN, has now been published in documents available on the NSA website.
Despite our colorful history with passwords, they’re still what humans trust to give and get access - and for now, they're here to stay. Given the lengths to which people will go in order to get their hands on them, we really should be doing as much as possible to keep them safe and secure.
For organizations, this means having a centralized security policy and effective encryption key management to assure control of data across every physical and virtual server on and off your premises.
For consumers, this means using a password manager app and using a unique password for every site, so that one breached site cannot be used to log in to another. Avoid guessable passwords such as your birthday or common number sequences, which even the simplest cracking tools try first. For more tips, check out GCHQ’s very sensible password guidance.