I have commented before on numeric passwords, and how they can and cannot be used securely. Apparently, not everyone has been reading my blog. Developer Kevin Burke has apparently discovered a phone company that limited customer passwords to a six-digit code, with only the numbers 0-9 as options. Combined with not having any failed password lockouts, nor requiring any other information besides username (your phone number) and the six-digit password, this is a recipe for disaster.
Either someone is doing some serious academic work in researching password strengths, or someone is building a really great hashed password dictionary. The Steam community forum compromise, in which attackers gained access to a database containing usernames, encrypted passwords, and e-mail addresses, is just the latest in a series of compromises targeting a subset of the online community: gamers.
It’s difficult to say whether these attacks are increasing in frequency or whether media reporting and voluntary disclosure has created the illusion of a growing trend. In either case, our activities are continually moving online, often protected only by a username and password, instead of staying safe and warm in hard disks on our home desktop computers. The attack surface is increasing as more web services require more usernames and passwords and the opportunity for password reuse increases.
Read More »
Passwords are the prevalent means of authentication. Even though there have been many complementary authentication mechanisms and schemes, passwords are used almost everywhere that a user wants to prove that he knows a secret that only he is supposed to know. On the other hand, if someone else can guess that password, along with the username (often easy to find), then he could pretend he is the user and do all sorts of things on his behalf. We have seen multiple examples of corporate executives having their personal email accounts hijacked. We have seen celebrities having their Twitter accounts stolen and posting things they would never do. We also have seen studies that show that a vast majority of users still use standard and pretty easy password to guess.
It is common knowledge that passwords need to be hard to guess; that is a requirement. Andy Balinsky’s post describes some guideliness about choosing numeric passwords (aka for handheld devices). In the same context, David McGrew’s post provides a script that can generate random keys that can be used for pre-shared key authentication. Electronic user passwords are a little different because they involve letters and completely depend on the user (system checks are usually also employed). Users need to be able to chose and remember them in order to use them when needed. But the “hard to guess” and the “easy to remember” requirements don’t go well together and that is the basic challenge.
The web, which for many people is more like the internet than a service that runs over the internet, has brought profound changes. While opening a great number of doors and creating opportunities that otherwise might not exist), the web also creates exposure and opportunities for those who would do bad things.
One of the challenges that IT and security professionals constantly face is finding the right balace between access and flexibility on one side and security on the other. The perfectly locked down, 100% airgapped network may be secure, but such an island would be less than useful for most organizations.