NEWS

Why (almost) everything we told you about passwords was wrong

Posted: October 2, 2022 by Malwarebytes Labs

I have an embarrassing confession to make: I reuse passwords.

I am not proud of it, but honestly it’s a relief to finally get it off my chest. I am not a heavy re-user, nothing crazy, I use a password manager to handle most of my credentials but I still reuse the odd password from time to time.

It’s embarrassing to admit because recommending that users use unique passwords for each of their accounts is part of my job, and with good reason: Password reuse leads to credential stuffing, a form of automated attack where cybercriminals use lists of passwords stolen from one website to break into other websites. Credential stuffing attacks are large, automated, and persistent, and they are so successful that they happen almost constantly.

It seems obvious and important therefore to tell users not to reuse passwords. But telling them to stop doesn’t work and it never has. It doesn’t even work on me.

Why not?

I believe the reason is that for years we’ve been misdiagnosing the problem we thought we were solving. Consequently, we treated password reuse as a form of misbehavior that could be corrected rather than seeing it for what it is—a rational response to an impossible situation.

As computer and internet use exploded over the past forty years, the number of passwords each of us must remember has climbed precipitously.

The companies that make password managers are in broad agreement that we’re currently averaging a little less than 100 passwords each. Dashlane said its users have about 90 passwords; NordPass puts the figure at 70-80; and LastPass says it’s 85 passwords for employees of SMBs, and 25 passwords for people working in enterprises.

Me? I’ve got 742, and I’ve used 200 in the past year.

It simply isn’t possible to remember that many passwords, and the number of passwords we need to know probably exceeded the number we can remember decades ago.

In 2012, a group of researchers gave us a big clue about how small our capacity for remembering passwords is by looking at how often users forgot theirs, or got them mixed up. 84 percent of users with 7-9 passwords reported problems, and there was a precipitous decline in recall between users remembering 1-3 passwords and those remembering 4-6.

The sense that we can, at best, remember just a handful of passwords is reinforced by more research from 2018. In this study the participants had just 13 accounts each. Despite this relatively modest number, 91 percent resorted to password reuse, choosing to service their accounts with an average of 5.8 passwords each.

It was a snapshot of what had happened everywhere.

In the face of an ever-growing gap between the number of accounts and the number of passwords they could remember, users did the only things that made sense: They made their passwords weaker, so they were easier to remember; they wrote them down; and they reused them.

The collective response of the security community was to tell them to STOP: Don’t write them down; stop making them simpler; stop reusing them; and by the way please make every password a mixture of no fewer then fourteen uppercase, lowercase and wacky characters; oh, and please change your impossibly complex password for a different impossibly complex password as often as you change your underwear.

We should not have been surprised when we were completely ignored.

Nevertheless, we persisted for years. Some of the advice got better, but the bits about making strong passwords and not reusing them didn’t change even though password reuse remained endemic, and every data breach brought further evidence that users remain firmly wedded to very bad password choices.

Several years ago, experts at Microsoft Research and Carleton University, Canada did the math that explains what’s going on.

According to their calculations, a conscientious user with 100 unique, random passwords would have to perform an impossible feat of memory—the equivalent of remembering 1,362 random digits, a task that “far exceeds what users can manage by memorization”. You don’t say.

Many users’ first instinct is make their passwords easier to remember, which makes them less secure. It helps, a bit, but it doesn’t come close to turning a 100-password portfolio into something a normal human can manage.

One of the “Eureka” moments in the research is that users don’t just have to remember their passwords, they have to remember which password goes with which account. Just that task alone is more difficult than remembering the order of a shuffled card deck.

No amount of weakening your passwords can overcome that. The only strategies that work are writing passwords down or reusing them.

One weird trick to improve your passwords

You may be reading this thinking that the answer to all of this is to use a password manager—a piece of software that can generate strong passwords and remember them for you.

Password managers are a potential answer to this problem, and advocating for them has been an important piece of security advice for several years now. However, despite all that advocacy only about 20% of us use one and almost half of us still don’t know what a password manager is. Teaching users to be better users is a long game.

More worryingly, buried deep within a 2016 password reuse study is the startling conclusion (with some caveats) that “third-party password managers do not significantly reduce password re-use across websites.” This probably requires more study, but from a personal perspective I can say that having a password manager has certainly helped my reuse problem, although it has not eliminated it.

But that isn’t password managers’ only trick: They can still generate strong passwords, and that’s good, right? Yes, it is, but we may have been seriously overestimating the importance of them.

In 2019, Microsoft’s Alex Weinert wrote that “When it comes to composition and length, your password (mostly) doesn’t matter.” And he’s not alone in believing that. Password strength just isn’t a factor that affects your security most of the time.

A strong password won’t protect you from a credential stuffing attack, phishing, or keylogging malware, for example.

Avoiding the most common form of attack—password spraying—where attackers use very short lists of very common passwords against lots of targets, requires only that you don’t use one of the 50 worst possible passwords (things like qwerty and 123456). You can have a very bad password indeed and still be safe from everything I’ve mentioned above. A modest password of just six characters or so will protect you from almost any kind of brute force attack conducted across the internet.

The only situation where password strength really matters is in an offline brute force attack where an attacker uses specialist hardware to crack the contents of a stolen password database. These attacks are very rare, but they are the reason you are asked to concoct 14-character masterpieces of uppercase, lowercase and wacky characters.

Solving the difficult edge case of offline password cracking by demanding all users create vastly more complex passwords than they otherwise need, either in their own head or with a password manager, seems like tilting at windmills. Defending against determined and well-resourced adversaries is a job for experts. We should be taking on the burden of defending against these attacks with better password management and storage rather than by demanding better users.

We need to stop and think about all the things we’re asking users to do. The more rules we offer, the less likely people are to follow any them. And the more rules we offer that subsequently turn out to be counterproductive, such as demanding regular password resets, or valuing special characters over adding more characters, the more credibility we burn.

If we’re going to spend time advocating for a change in behaviour, we should probably pick one thing. And there is something that can make an enormous difference to password security, without users needing to worry about what passwords they use, where they store them and how often they use them: Multi-factor authentication (MFA).

The simple act of having to type in a code from an app alongside your password is a game changer—it kills credential stuffing, password spraying and brute force attacks stone dead.

Weinert: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Even better, while we can advocate for users adopting MFA where it’s available, we aren’t reliant on them listening. The most important thing is to persuade organizations, or better yet groups of organizations or even legislators, that it’s important. When that happens, users are just along for the ride.

So, from now on, my password advice is this: If you have time and energy to spare, find somewhere you’re not using MFA and set it up. If you do I promise never to nag you about how weak your passwords are or how often you reuse them ever again.

One thing a little concerning is the statement…

If these password manager developers can sift through, hopefully encrypted code of someone’s dataset (yes, it may be anonymous sample from their users as indicated by Dashlane), then what other backdoor information are they gathering or can be extracted. A good encrypted dataset should be near impossible to analyse for statistics or other ‘leaky’ information.

If it is the password manager software catching the statistics, this is even more concerning as what other information could be also captured and vulnerable to exploitation.

Agree that MFA is critical and must be used where available. A secondary comment on MFA is never share any information associated with MFA with anyone. Doing so immediately compromises its potential benefit.

One aspect of password security that always puzzles me is the insistence on long passwords and giving the reason for it that it reduces the chance of success for a brute force (trying many guesses to find the right one) attack. Some articles present pretty tables of the number of combinations possible and how long it would take to run through them all for a given power of computer. I fail to see the relevance.

The point that seems to be missed is that the app the hacker is trying to access must permit hundreds or even millions of tries for a brute force search to work. How many that guard a bank account or something similarly important do? The usual rule is three strikes and you’re out, requiring a password reset with much more stringent identification.

I can see that longer passwords reduce the chance of guessing using personal data (dates of birth, pet names etc) that reduce the number of possibilities but that is not a brute force attack.

Usually the argument is based on the number of permutations. The more characters, the more combinations available.

If brute force is used, then longer passwords take exponentially longer to find the matching combination. It also assumes a brute force attack uses 1+ characters and increasing character number each try. It is possible this is the case and those using brute force give up once a certain number of characters is used. Using more takes more time or increases the likelihood for systems to identify an attack.

While many logins close access after 3 tries, there are many that don’t. The ones that don’t (generally email, hosting webs, some social media etc) are the ones that can be exploited for criminal purposes (scams, spams, phishing etc).

And having password lists linked to say email from hacks, increases the rate of success if these are used as the brute force attack. This is why it is critical to reset password immediately after advice indicating a login site you have used has been compromised in some way, even if data taken seems irrelevant.

The article while interesting doesn’t cover all the scenarios and gives an impression that password length or reuse doesn’t really matter, especially with MFA. There are however many websites without MFA.

Before we are lost to guessing can anybody supply any data from the industry about the proportion of logons that restrict the number of tries and what class of accounts (if any) they are?

Can’t guess, but many we use don’t. From experience, I would say out of the about 200 we have used in the past, a lot don’t - guess would be 25-50%. Those that do are generally key ones with important data.

We have found this out as some logins expire after time if password isn’t reset. Only after entering the password many times, we then use the forget password where available or contact the business to reactivate the login. It isn’t as common practice possibly as it should be.

Many business email passwords also don’t have limited try settings as one can easily be locked out - especially when email software are set to continually login to retrieve emails. I know of a business also where the forget password email is the same as the business email being logged into…not the brightest thing to do.

Banks are usually three log in tries as well as Telcos .

Except that LastPass appears to have been hacked through MFA brute forcing. That is, it presumably permitted a material proportion of 1 million guesses for the MFA.

It is also very easy for phishing sites to use man-in-the-middle attacks to capture not just your password but also your second factor of authentication. Even if they are not placed to do this, SIM-jacking will do just fine for a worryingly large proportion of online accounts.

This is an argument against using an online password manager.

The MalwareBytes author assumes that websites ‘do the right thing’ - and block you after a certain number of guesses, or at least slow the process down so even when automated it is not effective. If even a company like LastPass can mess these things up, what hope is there for the average medium-sized business whose entire business is not security?

The reason you want a long password is that if a company does not store its passwords properly then an attacker can brute-force individual passwords. Download the database, run it through any of half a dozen tools that are designed for just this purpose, and in a couple of hours you will probably have all of the passwords that have fewer than ten characters. Adding an eleventh character makes the cracking twice as difficult as for a ten character password. Using a range of different characters similarly makes the cracking exponentially more difficult. If you have a standard password length of fifteen to thirty characters, then you can safely assume that your passwords are as safe as the cryptography that stores them i.e. unless/until quantum computing actually delivers.

No, passwords are not a perfect solution. Yes, multi-factor authentication is better than just a password. No, MFA is not the solution - in many cases it makes accounts easier to hack.

The simple act of having to type in a code from an app alongside your password is a game changer—it kills credential stuffing, password spraying and brute force attacks stone dead.

One needs to be careful with that statement. Even with 2FA, it may be possible for an attacker to see the difference between a correct password and an incorrect password. Sure, they may not get logged in even with a correct password (because they will be defeated by the 2FA) but that then allows the attacker to focus the attack for a second pass - assuming that the target is worthwhile.

Any company’s app is both a likely privacy risk and a potential security risk, so 2FA via an app is not a panacea.

Better than an app, in those respects, is an RSA token or similar. If you must use an app then an open source, non-proprietary authenticator app is better than some company’s app i.e. you should prefer a company that allows you to use a non-proprietary app for 2FA rather than forcing you to run their app on your phone.

Don’t get me wrong. 2FA is good. But I would use it sparingly i.e. where it is justified based on the consequences of your login being compromised.

This isn’t very clear to me. You say a hacker could get the database of users and passwords if it was not protected well and then extract individual passwords using software. So you are saying the owner has encrypted the database but not secured access to it, is that correct?

Encryption (or more properly in this case one hopes hashing) and access are two different things.

1. If an attacker gets into an entity’s network, they may or may not be able to access ‘everything’. This depends to some extent on the network design (don’t do it the Sony way), and to some extent on the vulnerability/ies used to gain access.
2. If an attacker does have ‘everything’ access, that is likely to include any password database/s, that the attacker can download and seek to ‘break’ in their own time.

A properly managed password database will contain entries that are effectively salted and then hashed. Of course, a lot of entities do not manage their customers’ passwords properly, including according to the last link Instagram and Google!

If a password database is hashed but not salted, then there are certain assumptions that can be made about it. Every occurrence of the password “123456” will result in the same hashed output - that is, if you use an encryption algorithm it will produce the same output every time given the same input.

So someone who has downloaded a password database will be able to use password cracking tools to automate the task of trying to figure out exactly what the passwords are. The attacker will generally look for low-hanging fruit first - with a dictionary attack and ‘most common passwords’. As passwords get longer and are not simple dictionary entries it gets exponentially harder for the software to attempt all possible permutations. For instance there are one hundred different possibilities for a password that consists of two numeric characters, but a thousand when you add a third character. (The guesser would on average have to try half of all possible combinations in order to crack a particular password.)

This means that the longer the password, the more guesses required all else being equal. At some point the number of guesses that can be automatically processed in a lifetime is less than the number of guesses required for a particular password length and complexity. The hacker gives up, having accessed all the ‘easy’ passwords.

Hence why you still want to keep a long, complex password. If it is stored as plain text then you’re in trouble regardless, but if it is at least hashed then your account is less likely to be compromised than the accounts of the poor schmucks who used “password”.

It looks to me that what you are describing is deducing the hashing or encryption method from many examples. Is that right? Software to do this would probably not use a brute force (generating all possibilities and testing one by one) would it, although it may be easier for shorter rather than longer passwords. I am just trying to work out if we are using the same meaning of ‘brute force’.

My understanding (not having used the tools or done any of this naughty stuff) is that your hacking tool automates trying to guess the password that generates the hash, and so the bad person would need to have some idea of the hashing methodology would be a start.

This is a hobby area of mine, and so I cannot describe the entire process by which someone accesses an encrypted or hashed database and then gets some sense of it. All I can report is my obviously limited understanding of tools and techniques.

The use of a dictionary tool to identify a password requires one to know the hashing algorithm used. Hence does some idea become one of knowing the algorithm or several alternatives that are likely to have been used?

A brief overview from the auth0 project.

As the article states, a rainbow table can be used if passwords are not salted before being hashed. The rainbow table would identify ‘most commonly used used passwords’.

I am not an expert on cryptography, but suspect that with sufficient known inputs and outputs the hash methodology is knowable. Hence said rainbow table, or alternatively creating half a dozen accounts with different passwords before you even steal the password database.

Final statement of the bleeding obvious: the hash (and hopefully salt) methodologies need to be inaccessible to said hacker… unless you are Cloudflare (or Silicon Graphics), and even then you only know the source of randomness but not when/how it is turned into a binary seed and used to create a hash.

image1920×1080 165 KB

Part of the problem is that the reason people have so many passwords and resort to reusing some is that many companies require you to set up an account and password that is totally unnecessary for you, the consumer.

For example to watch catch up TV, even the ABC is now doing this. Also for all those loyalty cards on offer which you may have taken up in the first place because it gave you an immediate discount on what you were buying. I really don’t care if someone hacks into my Spotlight or Rockmans card and uses the few points I have accumulated. Or for those places you buy something from once and are highly unlikely to buy from ever again.

For many of these things like catchup TV or companies wanting to send me info or wanting to have a login so they can ‘customize my user experience’ I just choose the option to use Google as my login credentials.

No password involved.

On the odd occasion when bored I go into Google mail and see what has been sent and usually clear it out with a bulk delete.

Google also monitors and alerts me to my normal email address of any attempt to login to my account from a device not registered, or if even one incorrect password is attempted.

Thus the possibly hundreds of logins and passwords that would need to be managed and remembered is reduced to just the dozen or so that matter.

Not everybody will accept that this is a net benefit in exchange for Google knowing so much about what web sites you go to.

Resistance is futile. You have been assimilated.