Numeric passwords are ubiquitous. Most of you use one nearly every day, whether it be on your smartphone, your debit card, your voicemail system, or a secure token. But how secure are those passwords? How likely is an attacker to be able to misuse it?
Recently the press reported on a break-in at Lockheed Martin, an intrusion deemed serious enough to have made President Obama’s daily briefing. After much speculation, RSA soon revealed that this was related to an earlier break-in at RSA security, which may have resulted in leakage of sensitive data about their two-factor authentication tokens, SecurID. Although they issued a FAQ at the time of the break-in, and have a best practice guide, they issued a subsequent apology to their customers.
Two-factor authentication works as an additional level of authentication, following the principle of using “something you know and something you have” to strengthen login procedures. The idea is that instead of just a password, you also have to enter an ever-changing code, that is provided to you by something you have, usually either a key fob or a software program running on your computer. These codes typically change every 30 seconds or so, and cannot be re-used, thus preventing a password-sniffing or -guessing attack from easily succeeding. They can mitigate the tendency of humans to choose bad passwords (abc123, qwerty, etc.) or leave their passwords unchanged for years.
One interesting datapoint in that article is that Lockheed Martin is planning, as a result of the incident, to increase their two-factor authentication codes from 4 digits to 8 digits, among other security measures. This may imply that they feel that the SecurID tokens may have been a weak point in their security perimeter.
What was stolen in the RSA attack was not the codes themselves, but the keys (also called seeds) used to generate the codes. Knowledge of a seed combined with knowledge of the algorithm can allow you to predict all the outputs that a SecurID key will generate. So, in effect, it allowed attackers to predict the codes, and perform an end-run around them without having to guess them. If you can predict it, the length of the code becomes irrelevant, so it is still unclear what prompted Lockheed Martin’s desire to increase from 4 to 8 digits. Perhaps it was just a security best practice unrelated to the actual intrusion method.
Even when data isn’t disclosed, two-factor systems aren’t foolproof. If there are no mechanisms for detecting password guessing attempts, or for locking out accounts with many password failures, an attacker can still use automated programs to guess both the password and the code digits at the same time. With 4 digits, it just takes an attacker 10,000 times longer. 8 digits would take 100 million times longer. An attack like this is known as a brute force attack. We don’t know the details of the Lockheed Martin break-in, or why the attackers were successful, but password and code guessing is one possibility.
Smartphone passwords are another place we commonly see 4-digit passwords. These are usually designed to prevent casual users from picking up someone’s smartphone and finding personal information or sending embarrassing data with them. But if the smartphone is stolen, an attacker might have a lot more time to try to guess these passwords. It is unlikely that an attacker will manually try to type all 10,000 combinations, but as these are chosen by the user, they are much more likely to contain patterns. I have observed friends type “1234,” “2684”, “4565” or similar numberpad patterns as their smartphone “passwords.” These may give them a sense of security, but people have been guessing 4 digit passwords since the dawn of voicemail, and there are lists of commonly used passwords. One study indicated that the top 10 passwords could get you into 15% of lock screens. Apple does mitigate guessing by introducing increasing timeouts for incorrect password guesses on an iPhone. There is also a setting to delete all data after 10 incorrect password guesses, but users may disable this if they fear losing data in the event they forget their own password or their toddler finds the phone and taps passwords over and over again. You can also turn off “Simple Passcode” and then use numbers and letters to create a stronger password. Android and Blackberry phones also allow you to choose various password methods to secure your phone.
If you lose your device and it falls into the hands of professional adversaries (be they an unfriendly government or a criminal), they may be able to use software to guess your password. A Russian company, ElcomSoft has developed a forensic program that can copy the encrypted filesystem from an Apple iOS device and do brute force attacks on the password. If successful, it then enables the attacker to decrypt all the files. They claim that with the standard 4-digit password, this takes an average of 20 minutes, and a maximum of 40. An 8-digit password would lengthen this to an average of 4.5 months, and a maximum of 9 months, a significantly longer time. If you use letters, numbers, and special digits, this could lengthen the cracking time to many years, and make it an infeasible attack. Even just switching to 7 random lower case letters can lengthen the average to 32 years, probably long after the data becomes unusable. Of course, this has to be balanced with the usability of having to enter a longer password every time you use your device.
Credit and debit cards have three codes associated with them for security, all based on digits. These are a PIN, the CVV, and the CVV2. The first is a customer Personal Identification Number (PIN), used for withdrawing money or for using the debit function of the card. Some banks allow you to choose these, while others assign them automatically.
ATM cards commonly have 4-digit PINs, but as the lockout mechanism for these is to impound the card in an ATM after a small number of guessing attempts, the risk is generally deemed small. It is unclear what the policy is on unsuccessfully using a debit card at a cash register, but presumably a certain number of incorrect guesses will result in some type of fraud warning. Physical possession of a debit card, however, usually allows someone to use it as a credit card without knowledge of the PIN, so the PIN is generally only important if a thief attempts to withdraw cash.
The Card Verification Value (CVV) is an invisible 3 digit code stored on the magnetic stripe that the customer doesn’t know. Its purpose is to require the card to be present in an in-person transaction. The CVV2 is a printed 3- or 4-digit code that the customer can read, and is designed to prove ownership of the card in online or phone transactions. 3 digits doesn’t withstand guessing very long (1,000 guesses guarantees success), so attempting to guess these values in automated transactions ought to trigger a fraud alert. Attackers do attempt brute force guessing attacks. However, Visa indicates in a best practices guide for card issuers that a mismatch alone shouldn’t necessarily be a reason for declining a transaction:
Do not decline authorizations solely for CVV mismatch. Incorporate CVV mismatches as an additional risk indicator in fraud detection strategies…Limit declines of CVV2 mismatches to transactions with other characteristics that, combined, represent higher risk
Conversely, this best practices guide for Credit Unions that issue cards indicates that failed CVV matches should trigger blocking and reissuing of cards:
Verify card is blocked & re-issued when CVV/CVC/CVI fails – Helps prevent counterfeit caused by “brute force” attacks
In either case, the credit card companies apparently do not see the need for a longer code, for it would be very easy to implement one. Perhaps this indicates that even though an individual transaction shouldn’t be denied for CVV or CVV2 mismatch, excessive mismatches might trigger a card lock or fraud alert via the credit card company (Visa, Master Card, etc.).
Choosing a Code
So, if you have to use a system that has numeric codes, how do you protect yourself? Don’t use an easily guessable code, consisting of sequences, repetitions, or cute patterns across the number pad. If you have a choice, such as on a smartphone, use a code that includes numbers and letters. If you need to write down your PIN (perhaps because it is system-generated) keep it someplace separate from your phone or your card. Don’t choose the same PIN for everything, especially not for protecting financial accounts. If an attacker guesses your favorite PIN by automated guessing against your voicemail account, that may also let him into your bank account.
If you are a systems administrator, you can follow some of RSA’s recommendations:
- Require 8, not 4-digit PINs
- If you must use a short PIN, allow alphanumerics
- Use random PINs, not user-selected PINs
- Configure lockouts after 3 failures. Require manual intervention to unlock.
So, in conclusion, while 4-digit PINs are not very resistant to automated or concerted guessing, they can provide decent security in certain circumstances. Guessing attempts must be limited by lockouts. If they are a second factor combined with a password, they can add additional security. Finally, they are much more secure if used in an application in which they are random and not chosen by the user.