63% of the data breaches in Verizon’s 2016 Data Breach Investigations Report[1] involved weak, default or stolen passwords. The report analysed a dataset covering more than 100,000 incidents across 82 countries, in industries ranging from finance to mining. The frustrating thing about this statistic is that, even in a world of rapidly expanding technological progress, the methods employed by most attackers remain rather primitive and unsophisticated. A breach caused by a poor password, or by a good password shared across many accounts, should be inexcusably preventable. And yet, year on year, the trend of password-related breaches continues. Why? The reason is usually not ignorance. People know that “123456” and “password1” are bad passwords, and yet those two continue to top the lists of the most common ones. The real problem is apathy, and it is often not until someone has suffered the violation of having personal information stolen that their habits change. How do you change that behaviour before the violation occurs?

The real problem is apathy.

Companies must do all they can to stop this apathy affecting their business. Though the statistics suggest that tackling it should be the priority, companies tend to focus on what they can do from a management point of view rather than on building a culture of information security at the level of the individual employee. Yet a single employee’s fondness for guessable passwords can easily become a problem for the entire company: after all, 60% of people use the same username/password combination for all of their accounts and 83% use the same one for several accounts. So when someone’s Facebook password is stolen and it also happens to be their single sign-on login for the company network, the result can be unpleasant.

There is an arsenal of tools available to anyone who wants to exploit password negligence. Stolen credentials can be fed automatically into countless websites in search of a matching login (credential stuffing), insecure public WiFi networks can be used to monitor individuals accessing company networks remotely, and these are only a few of the attackers’ capabilities. Not to mention the time-tested phishing scams, which remain a scourge of our security and our spam folders. The more sites a password is used on, the more opportunities there are to steal it, and this applies even to relatively complicated passwords. Infamously, in 2012 Dropbox had more than 60 million users’ credentials stolen shortly after the LinkedIn breach that same year. It turned out that the root of the problem was a Dropbox employee who had reused his company password for his LinkedIn account.

60% of people use the same username/password combination for all of their accounts and 83% use the same one for several accounts.

Let’s take a quick look at the real facts behind securing a password. A site where users would be expected to create strong passwords, such as PayPal, typically requires passwords to be at least 8 characters long. Assuming you mix lowercase and uppercase letters with numbers and symbols (the 95 printable ASCII characters), an 8 character password has about 6.6 quadrillion (95^8) possible combinations. A single powerful computer burning through 2 billion guesses per second would take about 38 days to go through them all. This might sound sufficient, but an 8 character password of purely random characters is going to be difficult to remember and is far more likely to end up as “Carrot!16” than as the more obscure “?7gH9£jq”. Hackers know this and use hybrid attacks: dictionary words combined with symbols and digits arranged in the predictable formats people actually use. Against that kind of search “Carrot!16” can be found in minutes rather than days, which makes it far less secure than the raw count of combinations suggests.

Passwords are just a matter of entropy.

It is a common misconception that good passwords are hard to remember. This is not the case. Since having more characters matters more than substituting letters for symbols, the emphasis does not need to be on obscure permutations that are impossible to remember; a password can be as simple to remember as four common words, back-to-back. The web comic XKCD brilliantly explains that the password “correct horse battery staple” (about 44 bits of entropy) is far more secure than “Tr0ub4dor&3” (about 28 bits). This is because password security is based on entropy, a measure of randomness, and every extra character multiplies the number of combinations by the size of the alphabet, so the count grows exponentially with length. A 15 character password consisting only of ordinary lowercase letters has 26^15, roughly 1.7 sextillion, possible permutations; far more than an 8 character password filled with exclamation marks and numbers. Around the 20 character mark you would theoretically leave your hacker waiting billions of years before getting anywhere near your data. The one caveat is that the entropy of a passphrase comes from how the words were chosen, not from its character count: four words picked at random from a list are strong, while four words that form a famous quotation are not.
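To put numbers on the two passages above (the 8 character brute force and the hybrid attack on “Carrot!16”, and the entropy argument for passphrases), here is an added worked example; it is not code from the original post or from Hut Six. The guess rate is the article’s 2 billion per second. The 100,000-word dictionary, the 33 symbols, the 1 to 4 digit suffixes, the tiny embedded word list standing in for that dictionary, and the 2048-word passphrase list are assumptions for illustration.

```python
import math
import re
from typing import Optional

# All figures below are assumptions for illustration, not measurements:
GUESSES_PER_SECOND = 2_000_000_000   # the article's "2 billion keys per second"
DICTIONARY_SIZE = 100_000            # assumed size of an attacker's wordlist
SYMBOLS = 33                         # printable ASCII punctuation and space
LOWER, UPPER, DIGITS = 26, 26, 10
# Attackers append digit suffixes of 1 to 4 digits: 10 + 100 + 1000 + 10000 guesses
DIGIT_SUFFIXES = sum(10 ** k for k in range(1, 5))

# Constructed stand-in for a cracking dictionary; a real one holds DICTIONARY_SIZE words.
SAMPLE_WORDS = {"carrot", "correct", "horse", "battery", "staple", "password"}

# "Word" + one symbol + digits, e.g. Carrot!16: the hybrid pattern people actually use
HYBRID_PATTERN = re.compile(r"^([A-Za-z]+)([^A-Za-z0-9])(\d{1,4})$")


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must assume from the character classes present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += LOWER
    if re.search(r"[A-Z]", password):
        size += UPPER
    if re.search(r"[0-9]", password):
        size += DIGITS
    if re.search(r"[^A-Za-z0-9]", password):
        size += SYMBOLS
    return size


def brute_force_keyspace(password: str) -> int:
    """Guesses needed to exhaust every string of this length over this alphabet."""
    return charset_size(password) ** len(password)


def hybrid_keyspace(password: str) -> Optional[int]:
    """Guesses needed if the attacker instead tries every dictionary word, in lowercase
    and Capitalised form, followed by one symbol and a short digit suffix.
    Returns None when the password does not fit that pattern."""
    m = HYBRID_PATTERN.match(password)
    if m is None or m.group(1).lower() not in SAMPLE_WORDS:
        return None
    return DICTIONARY_SIZE * 2 * SYMBOLS * DIGIT_SUFFIXES


def passphrase_keyspace(n_words: int, list_size: int = 2048) -> int:
    """Guesses needed against n_words chosen at random from a list of list_size words,
    when the attacker knows the list and the word count (XKCD's 2048-word assumption)."""
    return list_size ** n_words


def bits(keyspace: int) -> float:
    """Entropy in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / rate


def compare(password: str) -> dict:
    """Naive brute-force figures next to the hybrid-attack figures for the same password."""
    naive = brute_force_keyspace(password)
    hybrid = hybrid_keyspace(password)
    return {
        "naive_bits": round(bits(naive), 1),
        "naive_days": round(seconds_to_exhaust(naive) / 86400, 1),
        "hybrid_bits": None if hybrid is None else round(bits(hybrid), 1),
        "hybrid_seconds": None if hybrid is None else round(seconds_to_exhaust(hybrid), 1),
    }


if __name__ == "__main__":
    for pw in ("Carrot!16", "?7gH9jq", "correcthorsebatterystaple"):
        print(f"{pw:28s} {compare(pw)}")
    for n in (4, 6):
        ks = passphrase_keyspace(n)
        print(f"{n} random words from 2048: {bits(ks):.0f} bits, "
              f"{seconds_to_exhaust(ks) / 86400:,.1f} days at {GUESSES_PER_SECOND:,}/s")
```

Run it and “Carrot!16” shows the gap the article describes: about 59 bits and roughly ten years if the attacker brute-forces 95^9 strings, but about 36 bits and well under a minute once the attacker assumes the word-symbol-digits pattern. The passphrase lines show the caveat that matters in practice: four random words from a 2048-word list are 44 bits, which an online attacker limited to a few guesses a second will never exhaust, but an offline attacker who has stolen a poorly hashed password database and knows the word list clears it in hours at 2 billion guesses per second; six random words (66 bits) pushes that past a thousand years. The 20 character figure quoted above assumes the attacker works character by character, so pick the words at random and use more of them when the password protects something the attacker can crack offline.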

Changing employees’ understanding of password security and persuading them not to reuse passwords across accounts is a much cheaper way to improve password security than installing a customised application to send single-use codes for a multi-factor system, and the two are not exclusive: awareness costs little, and multi-factor authentication remains the stronger control where it is available. For a small business or an educational institution, simply being aware can get the job done. Secure passwords need not be difficult to remember, just hard to break and never shared between accounts. This is an easy opportunity to plug a massive hole in our information security; whatever industry we are in, our password policies need to reflect these facts.

[1] Verizon, 2016 Data Breach Investigations Report. Retrieved September 15, 2016.

If this is an area you are interested in come talk to us at – hutsix.io

Ray Williams – Hut Six