
Security by Incompetence: Why your password isn't the problem

User error may be the most common reason people get hacked, but there are many more factors at play.

Many security experts claim that user error is the most common way people get their accounts compromised. This has long been the standard stance on security, and it's entirely correct - a weak password will ruin your day as soon as someone decides they're interested in you, at least enough to let one of their computers sit for a few hours guessing the passwords you thought were secure.

For example, the rules of secure passwords are generally considered to be:
  1. A good password is 8 characters or longer
  2. A good password should use both uppercase and lowercase
  3. A good password should use letters, numbers, and symbols
  4. A good password should not contain an English word or phrase
  5. A good password should not be your username, or any public information about you

According to these rules, we can look at some of the common ways people write passwords and see how secure they are. Many "secure" passwords can be broken in a few minutes, while many "insecure" passwords are actually very hard to break. For example:

  • "P@55w0rd" might seem relatively secure, according to these rules, but any security expert will urge you to avoid this one - it's just a simple variant of the word "Password".

    Any malicious hacker will guess this shortly after they try "letmein1" and "stupidhacker", and although it technically follows the guidelines, passwords like this should be avoided at all costs.

  • "handwrite nature ramrod treading" breaks rules #2, #3 and #4, but an attacker would be left waiting a good hundred years to break it. It's just 4 English words, but someone trying to break it still has to try every combination of 4 English words until they hit the right one. There's no shortcut, since I had my computer generate them for me, and there are enough words to choose from that I don't have to worry about the fact that I chose words rather than characters.

  • "sU;m=p5/" is a truly random password (I had my computer use quantum mechanical magicalness). It's also 8 characters long and uses both uppercase and lowercase letters. It includes numbers and symbols, avoids English words and phrases, and doesn't use any public information about me. It's so secure that most people will never remember it anyway.

    It's also a crappy password. Don't get me wrong, it's better than "P@55w0rd", but the 8 character minimum hasn't been relevant for years - the revised rule is 10 characters, or for higher security, like banks, to use 12 to 15.

    To explain why, let's say someone wants to log into your Windows computer and tries to break your password. The ASCI White supercomputer was the most powerful in the world from 2000 to 2002. It's also less powerful than the $500 graphics card currently used by PC gamers. As of today, every 8 character password not only can be cracked, but has already been cracked and posted online.

    Even without access to the Kewl Sup3r Haxker P@ssw0rd Database (which can be obtained freely on Google), someone can crack your password from scratch within about an hour, on a device less powerful than your iPhone X!
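To make the comparison above concrete, here is an added example (my own code, not from the original post) that scores the three passwords with a simple strength model: a blind brute force over the character classes present, a rule-aware dictionary attack for leet-style variants, and uniform word selection for passphrases. The guess rate (10^10 per second), the 100,000-word dictionary, the four substitutable letters in "password", and the short word list are constructed assumptions, not measurements. The point it shows: the rules-based score cannot tell "P@55w0rd" from "sU;m=p5/", the dictionary score can, and the passphrase only wins clearly when the word list is large, which is why it matters that a computer drew the words from a big list.

```python
import math
import secrets
import string

# Printable ASCII split into the classes the password "rules" talk about.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation + " "            # 32 punctuation marks plus space
PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS    # 95 characters in total

# Constructed mini word list standing in for a real generator's dictionary.
SAMPLE_WORDS = ["handwrite", "nature", "ramrod", "treading",
                "lantern", "orbit", "velvet", "quarry"]


def charset_size(password):
    """Alphabet size a blind brute force must assume: the union of classes present."""
    return sum(len(alphabet) for alphabet in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(ch in alphabet for ch in password))


def brute_force_bits(password):
    """Entropy a character-by-character brute force has to cover (the 'rules' view)."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count, dictionary_size):
    """Entropy of word_count words drawn uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def mangled_word_bits(dictionary_size, substitutable_positions, case_variants=2):
    """Effective entropy of a leet-mangled dictionary word ("P@55w0rd") against a
    cracker that applies substitutions as rules instead of brute-forcing characters.
    Each substitutable position is swapped or not (factor 2); case adds a small factor.
    Assumption: 'password' has 4 such positions (a, s, s, o)."""
    candidates = dictionary_size * (2 ** substitutable_positions) * case_variants
    return math.log2(candidates)


def seconds_to_crack(bits, guesses_per_second):
    """Average time to find the password: half the keyspace at the given rate."""
    return (2 ** bits) / guesses_per_second / 2


def random_password(length):
    """Uniformly random printable-ASCII password, like the post's 'sU;m=p5/'.
    Uses secrets (CSPRNG), never the predictable random module."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_passphrase(word_count, wordlist):
    """Uniformly random words, space-separated, like the post's four-word example."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def compare(guesses_per_second=1e10):
    """Rows of (label, bits, years) for the passwords in the post.
    The guess rate is a constructed assumption (roughly one GPU against a fast hash)."""
    year = 365.25 * 24 * 3600
    rows = [
        # The rules score these two identically: same length, same classes...
        ("P@55w0rd (rules-based view)", brute_force_bits("P@55w0rd")),
        # ...but a rule-aware cracker only has to cover the mangled-dictionary space.
        ("P@55w0rd (dictionary + leet rules)", mangled_word_bits(100_000, 4)),
        ("sU;m=p5/ (random 8 chars)", brute_force_bits("sU;m=p5/")),
        ("4 words, 7,776-word list", passphrase_bits(4, 7776)),
        ("4 words, 100,000-word list", passphrase_bits(4, 100_000)),
    ]
    return [(label, bits, seconds_to_crack(bits, guesses_per_second) / year)
            for label, bits in rows]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:36s} {bits:6.1f} bits  ~{years:.2e} years")
    print("fresh random password  :", random_password(12))
    print("fresh random passphrase:", random_passphrase(4, SAMPLE_WORDS))
```

Running it prints the table; note that four words from a 7,776-word list land at roughly the same entropy as 8 random printable characters, so the passphrase's advantage comes from the dictionary size, not from the word count alone.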

But none of that matters.

From this point on, I'm not even going to mention the security of passwords. Here's why: let's say you have the most secure password ever. Let's also assume that you follow proper security practice, don't fall for scams, and remain vigilant online. There's a good chance that all your security is irrelevant. Not because it's futile - anyone who says you don't need all that should be sued for slander, or at the very least be banned from giving security advice. But even with all that, many services not only fail to properly secure their systems, they barely manage to include security at all.

Many services use vastly outdated security mechanisms and describe them as "cutting edge", or use the mechanisms in a way that leaves every reputable expert trying to decide whether laughing or crying would be the more appropriate response. In my personal experience, I was asked to test an app to see whether someone could break in. So I got to work, and less than 4 hours later I had a neatly packaged version of it that bypassed the password. After all, what if you forget it? You can't be expected to call the IT help desk when you could just not use a password, right?

My version of the app, which was basically the original minus the need for any kind of authentication at all, didn't use a clever exploit. All it did was pinky promise to the server that you really should be logged in, and because of that I was able to log in as every user with an account, including the admins. It might also be good to note: I never had any clue what their passwords were, and for all I care, the users were the foremost experts in cyber security (although the developers certainly weren't). They weren't, but that's irrelevant anyway when it comes to an app like that.
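The failure described above is the server believing whatever the client claims about its own login state. The added example below is mine, not the app the author tested (none of its code is on the page); it places that pattern beside a handler that honours only a session token the server itself issued and can verify. The user table, `Request` object, `login` function and `demo_verify` password check are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for a user store and an incoming HTTP request.
USERS = {"alice": {"role": "user"}, "admin": {"role": "admin"}}


class Request:
    """Minimal request: a header dict and a body dict (constructed for the example)."""
    def __init__(self, headers=None, body=None):
        self.headers = headers or {}
        self.body = body or {}


# --- the pattern the post describes: the server takes the client's word for it ---
def vulnerable_handler(request):
    """Trusts a client-supplied 'I am logged in' flag and username. Any client
    that sets these headers acts as any user; no credential is checked server-side."""
    if request.headers.get("X-Authenticated") == "true":
        user = request.headers.get("X-User")
        if user in USERS:
            return {"status": 200, "user": user, "role": USERS[user]["role"]}
    return {"status": 401}


# --- hardened: the server issues, records and verifies its own session tokens ---
SERVER_KEY = secrets.token_bytes(32)   # per-process key; a deployment would persist it
SESSIONS = {}                          # session_id -> username, kept only on the server


def _sign(session_id):
    """HMAC over the session id so a token is tamper-evident before any lookup."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def login(username, password, verify_password):
    """Runs the real credential check once and returns a token the client must
    present later. The client never gets to assert its own identity."""
    if username in USERS and verify_password(username, password):
        session_id = secrets.token_urlsafe(16)   # contains no '.' separator
        SESSIONS[session_id] = username
        return f"{session_id}.{_sign(session_id)}"
    return None


def hardened_handler(request):
    """Only a server-issued token with a valid MAC and a live session grants access;
    headers such as X-Authenticated or X-User are ignored entirely."""
    token = request.headers.get("Authorization", "")
    session_id, _, mac = token.partition(".")
    if not session_id or not hmac.compare_digest(mac.encode(), _sign(session_id).encode()):
        return {"status": 401}
    user = SESSIONS.get(session_id)
    if user is None:
        return {"status": 401}
    return {"status": 200, "user": user, "role": USERS[user]["role"]}


def demo_verify(username, password):
    """Constructed password check; a real system compares a salted password hash."""
    return password == {"alice": "correct horse", "admin": "ramrod treading"}.get(username)


if __name__ == "__main__":
    forged = Request(headers={"X-Authenticated": "true", "X-User": "admin"})
    print("vulnerable, forged headers:", vulnerable_handler(forged))   # 200 as admin
    print("hardened,   forged headers:", hardened_handler(forged))     # 401
    token = login("alice", "correct horse", demo_verify)
    print("hardened,   real token    :", hardened_handler(Request(headers={"Authorization": token})))
```

The MAC lets the server reject tampered tokens before touching session state, and the session table means a token can be revoked by deleting one entry; the essential change is that nothing the client says about itself is ever used as an authorization decision.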


But that's just one app, right?

In security, we like to use anecdotal one-off examples to communicate the nature of many things, or at least I do. This way, I can show a real-life case where it actually happened, but it leaves my point open to the argument of "well, that's just one case - the majority of the time the security's fine", after which I take 15 seconds to copy and paste a link from Google to a major incident that hit the news.

Iran Reportedly Hacked US Drones in Iraq, Syria, Got Intel From Them
How Iran hacked super-secret CIA stealth drone
Insurgents hack U.S. drones using $26 software

Yes, you read that correctly - $26 to hack a multi-million dollar top-secret drone, and I'm sure the CIA would rather we not have anything near remote access to them. Yes, I admit that's not exactly recent, but we can stop living with the false confidence encouraged when people claim it was the "exception" and not the norm. That's also just the first example that popped into my head. If you want a more comprehensive list, I could waste a couple of hours putting together a list of similar security incidents that really should never have happened.

I could also use the example that the website https://example.com/ (yes, that's a real website) has significantly better security than my bank at https://www.chase.com/. It's not that Chase has bad security, but should example.com really be one-upping a bank? I could also point out, for anyone in the United States, that the Defense Intelligence Agency (http://www.dia.mil/) gives an error when you try to visit it securely. Update: The DIA has fixed their website to allow secure connections, after this article was posted.


I'm not a developer, why should I care?

If you're just a user, consider this a cautionary tale explaining the dangers of the word "secure" in marketing campaigns. Many companies will use buzzwords like encrypted, decentralized, anonymous, secure, and more, all while their product or service offers precisely zero security. Is Windows secure? If you go by their rather impressive track record of nearly every released version of SMB allowing attackers remote access, I'd hesitate to use their system for anything more than playing the latest and greatest Solitaire. SMB also happens to be a remote administration protocol. It's enabled by default, and users generally don't know how to disable it.

As a developer, I'm offended. Real developers actually have real security!

I've heard this one before - someone saying if developers don't care about security, how did we get stuff like VPNs, firewalls, proxies, intrusion prevention systems, OpenPGP/GPG, and Tor?

Although that's a valid point, it's important to realize that everything on that list is specifically designed for security, and while you'd hope my bank used the same security-first philosophy, it just doesn't. I could debate this all day, but the fact is credit card numbers are little better than a weak password, and I can generate a valid social security number in 40% of my guesses just by picking them randomly. In a world like this, the impressive part isn't how much hackers can access - I'm impressed by how much they can't do.



Although the problem is usually the user, that doesn't mean there aren't equally impactful issues built into the service you're using. That statement only says there are more issues on the user side, not that there aren't problems behind the scenes too; there are.
