How passwords work, different types of attack
TL;DR: Most of the time when I write a blog post, I try to keep it pretty simple, geared toward the layman, and even include a super fast “Too Long; Didn’t Read” (TL;DR) summary. For this post, I’m going to do a slightly deeper dive in the hopes that a few of our readers will strap themselves in and learn a bit. So unfortunately the TL;DR of this post is “there is no TL;DR, keep reading.”
Pretty much everyone who uses a computer nowadays is familiar with the concept of usernames and passwords. The idea is a simple one: you’ve got two pieces of information, one of them semi-public (your username), and one of them secret (your password). Someone wanting to get into your account has to know both to prove that they’re you (or, rather, that they’re authorized to get into the account). A website will have a list that holds these pairs of information, and when you try to log in, it checks to see that they match. If they do, you’re in. If not, you’re not. Pretty simple, right?
There are two primary ways that a website’s user access system can be compromised: targeted attacks and compromised databases. A targeted attack is when an attacker goes after a single user and tries to get into their account. If a hacker doesn’t have a particular target, they may instead steal the site’s whole database of usernames and (hashed) passwords and crack it offline at their leisure, gaining access to many individuals’ data. This type of breach can affect hundreds, thousands, or even millions of people at once.
The general formula for a targeted attack is pretty straightforward: pick a target, guess the username, then guess the password, and you’re in. It’s fairly easy to get hold of someone’s email address, which is the most common username for most websites. Sometimes you pick a username separate from your email address, but most people use some variation on their real name: firstlast, first.last, firstlast77 (year of birth), etc. So really it’s not terribly complicated to get that part of the puzzle.
Passwords are meant to be much harder to come by – the idea is that they’re secret – something that another person couldn’t guess without a lot of effort. 20 years ago, at the dawn of the internet era, the idea of running a script that tried every word in the dictionary against an online login system was fairly daunting. The internet was slow, computers were slow, attackers were much less coordinated, and there wasn’t a whole lot of value that they could get hold of anyway. Today, many people have their entire identity residing online. Banking and other significant accounts have high value to a hacker. Computers and internet connections are much faster: a script can throw guesses at a login form as fast as the site will accept them, and if the attacker has stolen a copy of the site’s password hashes (more on that below), they can test every word in the dictionary, plus millions of variations and commonly used passwords, in a matter of seconds. So if you think you’re being clever by turning the “o” in “password” into a zero, I have bad news for you: that’s one of the most common tricks that people use to fool themselves into thinking their passwords don’t suck, and every cracking tool tries it automatically.
Within the targeted attack category are three common subcategories: brute force attacks, dictionary attacks and keylogging attacks.
Brute Force Attacks
Brute Force attacks are the simplest and, as the name implies, the most crude. An attacker tries every possible combination of characters, starting with single characters and working up through longer and longer strings until something matches. The number of combinations grows exponentially with each added character, which is why length does more for you than any single clever substitution.
Fortunately for us, this kind of attack is no longer realistic against most modern online systems. A website will recognize when an account has had multiple failed logins within a certain period of time and lock further attempts out for a certain (usually longer) period of time. For example, some sites have a policy where three failed login attempts will lock the account for an hour. While this doesn’t prevent someone from trying a brute force approach, it slows it down to the point where it would take hundreds of thousands of years to guess even a mildly sophisticated password. Attackers know this, which is why against online logins they tend to spray a handful of very common passwords across many accounts rather than hammer one account with many guesses – yet another reason not to be the person using one of those common passwords.
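To make the lockout arithmetic concrete, here is a small worked example added to this post (it is not code from the original post or from any real website). It enforces the “three failures, then an hour” policy described above over a sliding window, and then works out how many guesses per year that policy leaves an online attacker. The user record, the policy numbers and the password are all constructed for the example; the stored SHA-256 is unsalted only to keep the focus on the lockout (see the database section below for how a password should really be stored).

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

# Policy from the post: three failed attempts within the window locks the
# account for an hour.  Both numbers are policy choices, not fixed rules.
MAX_FAILURES = 3
WINDOW_SECONDS = 3600      # failures are counted over the last hour
LOCKOUT_SECONDS = 3600     # and a lockout lasts an hour


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    password_hash: str                              # hex SHA-256 (unsalted; demo only)
    failures: list = field(default_factory=list)    # timestamps of recent failed attempts
    locked_until: float = 0.0                       # epoch seconds; 0 means not locked


# Constructed sample "database": one hypothetical user with a hypothetical password.
ACCOUNTS = {"bob": Account(sha256_hex("correct horse battery staple"))}


def attempt_login(username: str, password: str, now: Optional[float] = None) -> str:
    """Returns 'ok', 'bad_password' or 'locked'.

    `now` is injectable so the lockout can be exercised without waiting an hour.
    """
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)
    if acct is None:
        # Same answer as a wrong password, so the attacker cannot use the
        # response to confirm which usernames exist.
        return "bad_password"
    if now < acct.locked_until:
        return "locked"           # even a correct password is refused while locked
    # Forget failures that have aged out of the counting window.
    acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
    if hmac.compare_digest(sha256_hex(password), acct.password_hash):
        acct.failures.clear()
        return "ok"
    acct.failures.append(now)
    if len(acct.failures) >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures.clear()
    return "bad_password"


def years_to_exhaust(keyspace: int) -> float:
    """Years to try every password in `keyspace` under this lockout policy.

    After MAX_FAILURES guesses the account is locked for LOCKOUT_SECONDS, so an
    online attacker gets roughly MAX_FAILURES guesses per lockout period.
    """
    guesses_per_hour = MAX_FAILURES * 3600 / LOCKOUT_SECONDS
    return keyspace / (guesses_per_hour * 24 * 365)


if __name__ == "__main__":
    t = 1000.0
    for guess in ("hunter2", "letmein", "qwerty"):
        print(guess, "->", attempt_login("bob", guess, now=t))
        t += 1
    print("correct password while locked ->", attempt_login("bob", "correct horse battery staple", now=t))
    # Eight lowercase letters: 26**8 possibilities, a "mildly sophisticated" password.
    print(f"years to exhaust 8 lowercase letters online: {years_to_exhaust(26 ** 8):,.0f}")
```

Even a modest policy like this pushes an exhaustive search of eight lowercase letters into the millions of years; the same keyspace falls in minutes once the attacker is guessing against a stolen hash with no lockout in the way.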
A Brute Force attack is more likely when your password-protected computer is stolen. A login screen can enforce a lockout, but someone holding the hardware can pull the disk, read the stored password hashes directly and attack them offline with no lockout at all; unless the disk is encrypted, it’s only a matter of time before they have the password and everything on the machine.
To protect yourself from Brute Force attacks against your online accounts, always use a unique, strong password. If you’re concerned that an attacker might be able to slowly peck away at your account, you can change your password periodically – every 6 months or so is probably plenty unless you’re expecting heavy targeting, and current guidance (NIST SP 800-63B) treats a suspected compromise, not the calendar, as the real trigger for a change. For your personal computer, turn on full-disk encryption (BitLocker on Windows, FileVault on macOS) so a stolen drive is useless without the password, and talk to an IT professional about setting your system up to automatically erase itself after a certain number of failed login attempts. Of course, you should have that conversation AFTER you’ve already set up automated backups!
Dictionary Attacks
A Dictionary attack doesn’t necessarily refer to the standard dictionary you may be thinking of. Rather, it refers to a limited set of likely values that could be your password. A standard password cracking dictionary will contain every word in the English language, plus the million or so most commonly used passwords (things like “123456,” “passw0rd” where the o is replaced by a zero, movie and song titles, and so on), and cracking tools apply “mangling rules” to every entry: capitalize it, swap letters for look-alike digits and symbols, tack a year or an exclamation mark on the end. That may seem like a lot of guesses, but compared with the time it takes to Brute Force a completely random password it’s tiny, and it’s far more likely to succeed because it’s playing the odds that you used one of a couple of million common passwords, lightly disguised. So… were they right?
Protecting yourself against a Dictionary attack is very similar to protecting yourself from a Brute Force attack – don’t use weak passwords. Use a unique, strong password.
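Here is what a dictionary attack with mangling rules actually looks like, as a worked example added to this post (not code from the original or from any real cracking tool, which would use far larger wordlists and many more rules). It runs a handful of dictionary words through case, look-alike and suffix variations, hashes each candidate with plain SHA-256 and looks the result up in a constructed “stolen” table of users and unsalted hashes. The usernames, passwords and wordlist are all made up for the example.

```python
import hashlib
import itertools


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed stand-in for a cracking dictionary (a real one holds millions of
# entries: English words, leaked passwords, titles, names, ...).
WORDLIST = ["123456", "password", "letmein", "dragon", "sunshine", "football", "monkey"]

# Mangling rules: the "clever" tweaks people apply to a dictionary word.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "2024"]


def mangle(word: str):
    """Yield the word plus common variations: case, leet substitutions, suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    # Apply every non-empty subset of the leet substitutions to each case form.
    for base in list(bases):
        for n in range(1, len(LEET) + 1):
            for combo in itertools.combinations(LEET.items(), n):
                m = base
                for plain, leet in combo:
                    m = m.replace(plain, leet)      # lowercase letters only
                bases.add(m)
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


# Constructed "stolen" table: (username, unsalted SHA-256 of the password).
STOLEN_TABLE = [
    ("alice", sha256_hex("Passw0rd!")),
    ("bob",   sha256_hex("Passw0rd!")),           # same password as alice: identical hash
    ("carol", sha256_hex("Dragon123")),
    ("dave",  sha256_hex("xK9#vQ2m!pL7zR4w")),    # random: in no wordlist, no rule reaches it
]


def crack(table, wordlist=WORDLIST):
    """Return ({username: recovered_password}, number_of_guesses_tried).

    Each candidate is hashed once and compared against every stolen hash at the
    same time; with no salt, one hit recovers every user who chose that password.
    """
    by_hash = {}
    for user, h in table:
        by_hash.setdefault(h, []).append(user)
    cracked = {}
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            for user in by_hash.get(sha256_hex(candidate), []):
                cracked[user] = candidate
    return cracked, tried


if __name__ == "__main__":
    found, tried = crack(STOLEN_TABLE)
    print(f"{tried} guesses tried")
    for user, _ in STOLEN_TABLE:
        print(f"{user:6} -> {found.get(user, '(not cracked)')}")
```

A few thousand guesses recover three of the four accounts, including the “passw0rd with a twist” that its owner thought was clever; only the truly random password survives, and it would survive no matter how long the wordlist grew.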
Keylogging Attacks
Keylogging is an altogether different beast. Unlike the previous two attack types, a Keylogging attack relies on getting a piece of malware onto your computer that watches what you’re doing and keeps track of what you type, sending that information to a hacker. It records your passwords as you type them so the attacker doesn’t have to guess anything.
Protecting against keylogging is both simpler and more complex than the other forms of attack. If you copy and paste your passwords from a password manager, or use auto-fill, you’re never actually typing the password, so plain keystroke logging gets nothing. That only goes so far, though: malware that can log your keys can usually read the clipboard or the browser too. Keyloggers are malware, so good browsing behaviour is what really matters to avoid picking up something nasty (for example, don’t download and run files from an untrusted source, and keep your system and browser patched).
Compromised Databases
If a hacker doesn’t have a specific target in mind, they may try to gain access to the whole database that stores usernames and passwords. In the olden days, passwords were often stored in plain text. So if a hacker managed to get access to that database, they simply had all the passwords. Now, passwords should be stored as the output of a cryptographic one-way function called a “hash.” A hash is best described as a one-way scramble. It takes your password and messes it up, but in a predictable, repeatable way. If I hash “MyAwesomePassword” today, it’ll come out the same tomorrow, and there is no way to run it backwards to get the password out. When the website is checking your password, it’s actually not checking the password itself, it’s hashing the password you sent it and comparing the result with the stored hash.
For example, if I use the SHA-256 hashing algorithm on “MyAwesomePassword” I get the value: 7a972abda7f64701644c028c728524f54d6684d70827a2baf48661c12255b8ea. That’s what’s stored in the database. When I go to log into a website and enter “MyAwesomePassword” in the password field, the website hashes that value and then checks to see if the hashed value is the same as that really long random looking thing above. If it is, the system knows I supplied the correct password, without actually storing the password. It’s a bit more complicated than that, but for the purposes of this post it covers the basics.
However, if a hacker manages to get their hands on that data, it’s only a matter of time before a good chunk of it is cracked. Nothing gets “decrypted” – a hash can’t be reversed – but it doesn’t need to be. The attacker runs their own guesses through the same hash function and checks whether each result appears in the stolen table; a match means they’ve found that user’s password. With a fast hash like plain SHA-256, a single graphics card can test many millions of guesses per second, so every dictionary word and every common mangling of it gets tried in minutes. The weak link is bad passwords. In any system, there will be a certain percentage of users who insist on using “password” or something similar, and if the site didn’t mix a random per-user value (a “salt”) into each hash, every user who chose the same password has the identical hash, so cracking it once unlocks all of them at a glance. Human-chosen passwords also share patterns (dictionary words, a capital first letter, a year on the end), which is exactly what the mangling rules are built to exploit; it’s really hard to make something both random-looking to a computer and memorable to a human. Salting plus a deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2) is how a well-run site makes every one of the attacker’s guesses cost far more time.
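The following worked example is added to this post to show the two storage schemes side by side; it is not code from the original post or from any particular website. It hashes a constructed list of three users’ passwords both the way the post’s SHA-256 example does (fast, no salt) and with salted PBKDF2-HMAC-SHA256 from Python’s standard library, counts how many users end up sharing a hash under each scheme, and implements the verify step a login form performs. The passwords and the stored-string format are made up for the example; the 600,000 iteration count is the figure OWASP currently recommends for PBKDF2-HMAC-SHA256, and bcrypt, scrypt or Argon2 would serve the same purpose.

```python
import hashlib
import hmac
import os
from typing import Optional


def unsalted_sha256(password: str) -> str:
    """The scheme in the post's example: fast and deterministic, no salt.
    Identical passwords always produce identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash.

    A fresh 16-byte random salt is drawn per user, so two users with the same
    password get unrelated hashes and every guess must be re-hashed per user.
    The stored string carries algorithm, iteration count, salt and digest so
    the verifier can recompute it later (constructed format for this example).
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """What the login form does: hash the submitted password the same way and
    compare with the stored value. The password itself is never stored."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so response timing leaks nothing about the digest.
    return hmac.compare_digest(dk.hex(), digest_hex)


def shared_hash_count(passwords, hasher) -> int:
    """Number of users whose stored hash equals at least one other user's.
    This is what lets an attacker crack many accounts with one lucky guess."""
    hashes = [hasher(p) for p in passwords]
    return sum(1 for h in hashes if hashes.count(h) > 1)


# Constructed sample: three users, two of whom picked the same weak password.
SAMPLE = ["password", "password", "Tr0ub4dor&3"]


if __name__ == "__main__":
    print("users sharing a hash, unsalted SHA-256:", shared_hash_count(SAMPLE, unsalted_sha256))
    print("users sharing a hash, salted PBKDF2:   ", shared_hash_count(SAMPLE, pbkdf2_hash))
    stored = pbkdf2_hash("MyAwesomePassword")
    print("stored:", stored)
    print("login with right password:", verify(stored, "MyAwesomePassword"))
    print("login with wrong password:", verify(stored, "MyAwesomePassw0rd"))
```

Under the unsalted scheme the two “password” users are visibly identical in the stolen table and fall together; under the salted scheme they look unrelated, and the attacker has to pay 600,000 hash computations per guess per user instead of one.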
There have been many prominent cases in recent years of hackers gaining access to large amounts of personal information, including passwords, through major data breaches. What happens in that case is that the service provider notifies everyone whose data was breached, giving them time to reset passwords before the hackers have cracked the password database. This works fine for anyone who is maintaining good security hygiene by not re-using passwords across their online accounts. Where it becomes most problematic is for the large number of people who don’t follow good practices.
Let’s imagine Bob. Bob has thought up a really killer password that nobody can guess. He’s mashed up his high school football team name with his childhood address and his first girlfriend’s cat, and thrown in some numbers and symbols to boot. Looks like a pretty good password, right? He can remember it and it checks all the boxes for security. There are reasons that it’s still not ideal, but that’s an even deeper post that I’ll get into another time (I touched on pattern recognition above). So now Bob has his awesome* password and he’s going to put it to use everywhere!
…including the questionable file sharing site he signed up for so he could download movies. Or the developer he paid $10 for a fancy theme for his blog. Or any of the several dozen other services that people throw their personal data into on a weekly basis. And his Yahoo, Facebook and bank accounts.
One of those services is probably going to get hacked at some point (and it might not be the one you think!), and despite Bob’s best intentions to use an uncrackable password, that password is going to end up in a file that gets shared amongst the dirtiest, evilest hackers in the world. And those hackers are going to take his username and password and try them at every bank in the country (the industry calls this “credential stuffing,” and it’s fully automated) in an attempt to steal Bob’s identity, or just plain old steal his money.
There’s only so much you can do to protect yourself against someone else’s data breach. You’re already doing the first thing, which is to make yourself more aware of computer security generally. A few specifics though:
- Pay attention. Large companies will notify you of data breaches when they become aware of them, but they don’t always find out right away, or at all. Many small, older companies go on auto-pilot after they’re acquired, and unsafe data can be left out in the wild for many years. Even so, pay attention to the news (breach-notification services that tell you when your email address turns up in a dump help here) so you can take action when it happens.
- Use unique passwords. Using unique passwords is something of a defense against data breaches – if one service is breached, the password that leaks from it won’t open your accounts on other services.
- Use strong, random passwords. A long random password isn’t in any wordlist and doesn’t follow the patterns cracking rules are built around, so even if the stolen hashes are unsalted SHA-256, yours is the one that doesn’t get cracked.
- Change passwords periodically. In the event that a data breach occurs but is not discovered, if you change your password before your account is hacked, you’ve beaten the hackers to the punch. I recommend changing passwords every 3-6 months on critical accounts (banking, email, social media, anywhere you store backups) and yearly on non-critical accounts. Two caveats: change any password immediately when you hear the service was breached, whatever the schedule says, and don’t let rotation tempt you into “Password1,” “Password2,” and so on, since those are exactly the variations cracking rules generate. Uniqueness and length matter far more than the schedule.
- Use a password manager to make the three previous points easier.
At this point, knowing how to protect your passwords should be as natural as knowing to lock your car door. Kitestrings aims to make a problem that seems complex into a manageable process. Securing your digital world is challenging, so let us help you make it a little easier.