
RCL 138

Password Weaknesses: Holes In Our Security
Gopal Jayakar
4/3/2017
Abstract
Internet security, especially in the modern era when so much of our information is online,
is increasingly relevant in everyday life. Often, one or two passwords are responsible for
safeguarding all of our information, including bank credentials, credit card numbers, social
security numbers, and more. It is easy to be lured into a false sense of security and believe that
nobody would care about one individual's identity and possessions, but this idea is
fundamentally wrong. The biggest security risks of today come from large data breaches in which
attackers gain access to swaths of information from many users at once. Measures such as
password managers and two-factor authentication can be taken to protect students. To
understand how these measures protect students, one must first learn the history of password
protection.

Background
The first use of passwords was in the 1960s [1], when a time-sharing computing system at
an MIT lab (CTSS, which predates UNIX) [2] needed to be outfitted with a security procedure. Its
designers implemented a password-based system that would allow a variety of users to log into
the computer and see only their own files. At this point in time, each user's password was kept
in plaintext in a file on the computer. Plaintext, in the context of passwords, refers to the
actual text of the password without any transformation applied. This, of course, is very
insecure: anyone who gained access to the file could immediately read the passwords of
everybody in the system and then use them to access all of that information.
To address this, the Multics project developed a basic scrambling algorithm that
performed a few simple transformations on the text and stored the result in the file instead [1].
This made the file extremely hard for a human to read directly, but because the algorithm was
so basic, involving only a square root and the AND operator, it could easily be reverse
engineered. Working backwards from the transformed text in the file, analysts were able to find
the password used to generate it. The scheme was broken quickly, and researchers began
searching for a better way of scrambling information: an irreversible mathematical process, so
that even someone holding the scrambled text would not be able to find out what the original
passwords were.
Thus, password hashing was born. A hash function is a one-way mathematical process that
converts a password into a password hash, a fixed-size digest from which the original password
cannot be decoded. (This is different from encryption, which is designed to be reversed with the
right key.) One main method of password cracking remains, however: the brute force approach [3].
Because the hash cannot be reversed, the attacker instead guesses candidate passwords, hashes
each one, and compares the result to the stolen hash. The brute force approach is lengthy, but
given enough computing power and time, it will always find a password that produces the target
hash.
The brute force method essentially guesses every password until it finds one whose hash
matches one of the hashes provided to it. Computer experts have worked hard at optimizing this
process, including guessing first the passwords that people use most frequently [4], gathered by
examining past data breaches. Even without this optimization, many of the most frequently used
passwords take less than a second [5] to crack. After optimization, attackers can recover even
very long passwords quickly by having the computer observe patterns in the passwords it has
already cracked and use those patterns to create better guesses [6] for the remaining ones.
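The attack described above, as an added example that is not part of the original paper: a small dictionary-plus-rules cracker in Python. The wordlist and the "leaked" passwords are constructed for the example (they stand in for the top-N lists real tools such as hashcat and John the Ripper build from breach data), and the hash function is plain SHA-256 so the code runs with only the standard library. The second cracker shows what a per-user salt does to the attacker's work: every guess has to be recomputed for every account instead of being checked against all stolen hashes at once.

```python
import hashlib
import os

# Constructed wordlist standing in for the "most frequently used passwords"
# lists that crackers build from past breaches (not real breach data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "football"]

# Each rule turns one dictionary word into a candidate guess; real crackers
# ship thousands of such rules learned from previously cracked passwords.
RULES = [
    lambda w: w,
    lambda w: w + "1",
    lambda w: w + "123",
    lambda w: w + "!",
    lambda w: w + "1!",
    lambda w: w + "2017",
]


def candidates(word):
    """Yield guesses derived from one word: case variants x suffix rules,
    in a fixed order and without duplicates."""
    variants = list(dict.fromkeys([word, word.capitalize(), word.upper()]))
    for v in variants:
        for rule in RULES:
            yield rule(v)


def all_guesses(wordlist):
    """The full guess stream: every rule applied to every word, in order."""
    for word in wordlist:
        yield from candidates(word)


def hash_password(password, salt=b""):
    """Single SHA-256: fast to compute, which is exactly the property a
    cracker wants. Prepending a per-user salt makes each user's hash unique
    even when two users chose the same password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_unsalted(target_hashes, wordlist=WORDLIST):
    """Dictionary + rules attack on a leaked set of unsalted hashes. One hash
    computation tests a guess against *every* stolen hash at once.
    Returns (recovered {hash: password}, number of hashes computed)."""
    remaining = set(target_hashes)
    recovered = {}
    work = 0
    for guess in all_guesses(wordlist):
        work += 1
        h = hash_password(guess)
        if h in remaining:
            recovered[h] = guess
            remaining.discard(h)
            if not remaining:
                break
    return recovered, work


def crack_salted(targets, wordlist=WORDLIST):
    """Same attack against per-user salted hashes: the salt forces the cracker
    to redo every guess for every user, so the work grows with the number of
    accounts. `targets` is a list of (salt, hash) pairs."""
    recovered = {}
    work = 0
    for salt, h in targets:
        for guess in all_guesses(wordlist):
            work += 1
            if hash_password(guess, salt) == h:
                recovered[h] = guess
                break
    return recovered, work


def make_salted_record(password):
    """How a service should store a hash: with a random per-user salt. A slow,
    memory-hard function (bcrypt, scrypt, Argon2) would multiply the attacker's
    cost further; plain SHA-256 is used here only to keep the example
    dependency-free."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


if __name__ == "__main__":
    # Constructed "breach": three human-style passwords and one random one.
    leaked = ["Password1!", "qwerty123", "letmein2017", "Xq7$vL9!bT2mW"]
    found, work = crack_unsalted([hash_password(p) for p in leaked])
    print(f"unsalted: recovered {len(found)} of {len(leaked)} with {work} hashes")
    found, work = crack_salted([make_salted_record(p) for p in leaked])
    print(f"salted:   recovered {len(found)} of {len(leaked)} with {work} hashes")
```

Run stand-alone it recovers the three human-chosen passwords in well under a hundred hashes and never finds the random one; with salts, the same result costs more than twice as many hash computations, and that multiplier keeps growing with every additional account in the leak.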
Figure 1 (Image A):
This graphic shows the time it takes to crack a variety of passwords released in an actual hack.
Most of the passwords did not last longer than two hours.

Impacts
The loss of any password is likely to expose large amounts of data, and when password
hashes are stolen, they are usually stolen in large quantities. As technology has advanced,
individual companies have come to hold information about greater numbers of people, and in
doing so have made themselves increasingly lucrative targets for hackers. Yahoo had a data
breach in 2013 in which sensitive information, including password hashes, was stolen from the
Yahoo servers [7]. By cracking the hashes taken from databases like Yahoo's and pairing the
recovered passwords with their usernames, hackers can gain access to users' accounts. This in
turn can give them access to bank accounts and credit card information, because email accounts
are so often used as the backup method for resetting passwords on other services.
Hacks of non-email services can also be extremely dangerous. Students often fall victim
to the illusion that one password is enough, and use the same username and password
combination across many websites. As a result, finding a student's login information for a blog
or social media site can often give internet thieves access to other, more sensitive accounts. This
extremely prevalent problem is termed "password redundancy" or "password reuse" [8]. As a
result, any kind of data breach involving hashed passwords, even well hashed ones, can pose a
great risk to a student, since a weak password will be cracked and then tried everywhere.
Phishing attacks also create a risk to students on the internet. The term "phishing" refers
to a practice whereby an attacker baits the victim into handing over their login credentials, often
by masquerading as a trusted site. These attacks can often be avoided by taking care to avoid
untrusted links and checking a site's identity before logging in, but not all students take these
precautions. Phishing has an advantage over conventional hacking because it does not involve
the computationally intensive process of a brute force attack, and it immediately returns the user's
actual password. The drawback for attackers is that the quantities of information obtained are
significantly smaller.
There are many ways that a student's login information can be compromised, and it is
more important now than ever to protect online identities. Even though these attacks can come
from a variety of sources, there are also common sense measures that any Penn Stater can take to
protect themselves, and these should be implemented on a wider level.

Solutions:
Although the risks to students are various and daunting, there are easy ways for
individuals to combat the many risks they face when creating accounts online, and many, like the
two below, are relatively cheap to implement and scale. From the descriptions above, a few
common sense measures suggest themselves: use unique passwords for different websites, and
ensure that they are long and contain a variety of different characters. For many students, this can
be a lot of information to keep track of. Although unique, long passwords greatly enhance
security, forgetting them is often a large hassle and involves several steps, including logging into
an email address and setting a new password.

Figure 2 (Image B):
Longer passwords are shown to take much longer to crack, so creating longer passwords is
very good for security.

-Password Manager
One interesting solution is the password manager. Password managers are applications
that integrate themselves into phones and web browsers, and automatically fill username and
password fields on pages they have been configured to interact with. They typically use
extremely long passwords composed of randomly generated characters of several different types,
which are extremely secure and too complex for users to remember. Because they are randomly
generated, they do not follow the patterns found in human-generated passwords, which eliminates
another vulnerability. Though some of these applications cost money to purchase, password
managers like LastPass and Dashlane [9] are free to use.
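To put numbers on Figure 2 and on the "extremely long, randomly generated" passwords a manager produces, here is an added example (not code from the paper or from any password manager product) that generates a password from the operating system's cryptographic random source and reports its entropy and expected brute-force time. The entropy formula applies only to uniformly random passwords; a human-chosen password of the same length is far weaker because, as the cracking section showed, it is guessed from patterns rather than searched exhaustively. The attacker rate of 1e10 guesses per second is an assumed illustrative figure for a GPU against a fast unsalted hash, not a measurement.

```python
import math
import secrets
import string

# Character classes a generator can draw from (sizes: 10, 26, 62, 94).
ALPHABETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "alphanumeric": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,
}


def generate_password(length=20, alphabet=ALPHABETS["printable"]):
    """Uniformly random password from the OS CSPRNG (secrets, never random).
    secrets.choice avoids the modulo bias a naive rand() % n would add."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols drawn from
    `alphabet_size` choices: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """A brute-force attacker expects to search half the keyspace before
    hitting the right password."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_time(seconds):
    """Rough human-readable duration for a strength report."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def strength_report(length, alphabet_size, guesses_per_second=1e10):
    """Assumed attacker rate: 1e10 guesses/s (illustrative, see lead-in)."""
    bits = entropy_bits(length, alphabet_size)
    secs = expected_crack_seconds(bits, guesses_per_second)
    return {"length": length, "alphabet": alphabet_size,
            "bits": round(bits, 1), "expected_crack": human_time(secs)}


if __name__ == "__main__":
    # From a 6-digit PIN up to a manager-style 20-character password.
    for length, size in [(6, 10), (8, 26), (8, 94), (12, 62), (20, 94)]:
        print(strength_report(length, size))
    print("manager-style password:", generate_password())
```

The jump from 8 lowercase letters (about 38 bits, cracked in seconds at the assumed rate) to 20 printable characters (about 131 bits, far beyond the lifetime of the universe) is the whole argument for letting a manager choose the password.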
These managers work by identifying username and password fields on different
websites and automatically filling in those fields. Students need to log into the password
manager itself, which is potentially a very large security risk: an attacker with just that one
master password would suddenly have access to all of that student's information. However, the
companies that create these password management systems are highly security conscious and
extremely careful about managing their own systems to ensure a breach does not occur. For
example, LastPass, one of the free to use password managers, was hacked in 2015, but moved
quickly to limit the damage [10]. Because the stored data is protected by each user's master
password, a strong master password, ideally combined with two-factor authentication on the
manager itself, is what keeps such an incident from becoming a full compromise. Another
potential difficulty when using a password manager is giving another person temporary access to
one of your accounts. Because all your passwords are held by the manager, you would have to
share the long, computer-generated password. This, however, is a mild inconvenience.
Despite this potential downside, password managers remain the best way to generate
highly secure passwords that are essentially impossible to crack using a brute force attack.
Breaches of these companies are rare and, as the LastPass incident showed, are handled
quickly, so students can approach them with a high level of trust. Interestingly, they tend to
make browsing experiences more convenient for users than normal, because users will only need
to log in once, to the password manager. Subsequent login attempts are all handled by the
password manager. Overall, password managers increase usability and security for students and
should be more widely implemented and promoted.

-Two Factor Authentication

In order to add a second layer of security, some organizations and individuals choose to
use two factor (or two step) authentication. This process requires two methods to verify the
identity of the student attempting to log in to the service. The first method is typically the
password, as on a normal account, and the other might be a phone call, an in-app confirmation, or
a one-time code generated by another device or app. By requiring a second method to verify the
identity of the student, the difficulty for a hacker to access that student's account rises
dramatically. Even if that hacker went through the process of stealing the student's hash and
finding their password through a brute force attack, they still would not be able to access the
contents of the account without also having the second factor.
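The "code generated by another device" flavour of two-factor authentication is usually TOTP (RFC 6238, built on HOTP from RFC 4226), and the exchange is small enough to show end to end. The following is an added example, not code from the paper or from any vendor's authenticator: the phone and the server share a secret at enrollment, each derives the same six-digit code from that secret and the current 30-second time step, and the server accepts one step of clock drift either side. The login function at the bottom, with a constructed user record, makes the paper's point concrete: a correct password with a wrong code fails, so a cracked hash alone is not enough. The PBKDF2 round count and the hypothetical user record are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time.
    The phone and the server both compute this from the shared secret."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server-side check. Accept the current step plus `window` steps either
    side to tolerate clock drift, comparing in constant time so the check
    leaks nothing about how many digits matched."""
    now = time.time() if at is None else at
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


def enroll():
    """Fresh 160-bit secret plus the base32 form that goes into the
    otpauth:// URI / QR code the authenticator app scans."""
    secret = secrets.token_bytes(20)
    return secret, base64.b32encode(secret).decode()


# --- a minimal two-factor login over a constructed user record ----------

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def make_user(password):
    """Store a salted PBKDF2 hash of the password plus the TOTP secret."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    secret, _ = enroll()
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": secret}


def login(user, password, code, at=None):
    """Both factors must pass. An attacker who cracked the password hash but
    has no access to the phone cannot produce a valid code."""
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(attempt, user["pw_hash"])
    # Always evaluate the second factor, even after a failed password, so the
    # response time does not reveal which factor was wrong.
    code_ok = verify_totp(user["totp_secret"], code, at=at)
    return password_ok and code_ok


if __name__ == "__main__":
    user = make_user("correct horse battery staple")
    now = time.time()
    phone_code = totp(user["totp_secret"], at=now)  # what the app displays
    print("password + phone code:", login(user, "correct horse battery staple", phone_code, at=now))
    print("password + guessed code:", login(user, "correct horse battery staple", "123456", at=now))
```

The shared secret never leaves the phone or the server after enrollment, and each code is valid for only about a minute and a half, which is why a phished or cracked password on its own gets the attacker nowhere; the flip side is that anyone who loses the phone also loses the ability to generate codes, which is the recovery problem the next paragraph discusses.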
Even though two factor authentication dramatically increases security, it does have some
pitfalls. If the student loses access to their second factor, whether through theft, loss, or a dead
battery, they will not be able to get into their own account, which is now almost inaccessible to
them. This can be mitigated by registering multiple devices as the second factor, such as a home
or work phone, and by keeping any backup codes the service provides. The second factor also
does not address the issue of password redundancy. If a student has two factor authentication on
some of their accounts and not others, and uses the same password across accounts, the other
accounts remain unprotected. In addition, not all online services support two-factor
authentication, and the ones that do may use a myriad of methods to do so and will not
necessarily be consistent among themselves.
Two factor authentication may have a few pitfalls, but it is still a very robust way of
protecting your account. It prevents hackers who have your password from accessing your
account, and when used in tandem with a password manager, the password redundancy problem is
eliminated. Even if a weak password is cracked or stolen, two-factor authentication will still
protect the account, although it cannot help once a session is already open, for example on a
laptop left unlocked.
Action Items:
Actions are frequently taken to protect students physically and emotionally, but online
security is often overlooked. Students use the internet frequently, and more measures
need to be implemented to ensure students' online security. By running ads to increase awareness
of the dangers and risks of password redundancy and weak passwords, the university will greatly
increase the online security of the entire student body. Because of the university's uniquely
powerful electronic infrastructure, this message can easily be disseminated to students through
an email from the university leadership. Short messages can also easily be worked into the
existing New Student Orientation process, which already advises students on many best practices
to follow at the university and in life.
Penn State already has a two factor authentication system, but many students are not
aware of its existence, and of those who are, many still choose not to use it for the sake of
convenience. Ideally, the university would have three-quarters of the student body on one or both
of these programs at all times. It is unrealistic to expect every student to use all of these measures,
especially two factor authentication, but it is critical that the university move now to secure the
safety of its students and encourage them to apply best practices moving forward in their lives.
Endnotes:
1. Patrick Mylund, "The History of Password Security," June 7, 2012, available at https://patrickmn.com/security/the-history-of-password-security/ (last accessed April 2017)
2. Robert McMillan, "The World's First Computer Password? It Was Useless Too," Wired, January 27, 2012, available at https://www.wired.com/2012/01/computer-password/ (last accessed April 2017)
3. "Blocking Brute Force Attacks," OWASP, March 4, 2016, available at https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks (last accessed April 2017)
4. Paul Szoldra, "These Are The Worst Passwords You Can Use," Business Insider, January 19, 2015, available at http://www.businessinsider.com/worst-passwords-2016-1 (last accessed April 2017)
5. "Estimating Password Cracking Times," Better Buys, available at https://www.betterbuys.com/estimating-password-cracking-times/ (last accessed April 2017)
6. Victoria Woollaston, "Think You Have A Strong Password?," Daily Mail, May 28, 2013, available at http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html (last accessed April 2017)
7. Tom Evans, "World's Biggest Data Breaches," Information Is Beautiful, January 5, 2017, available at http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ (last accessed April 2017)
8. Keir Thomas, "Password Reuse Is All Too Common, Research Shows," PCWorld, February 10, 2011, available at http://www.pcworld.com/article/219303/password_use_very_common_research_shows.html (last accessed April 2017)
9. April Glaser, "You Need A Password Manager. Here Are Some Good Ones," Wired, January 24, 2016, available at https://www.wired.com/2016/01/you-need-a-password-manager/ (last accessed April 2017)
10. Kate Vinton, "Password Manager LastPass Hacked, Exposing Encrypted Master Passwords," Forbes, June 15, 2015, available at https://www.forbes.com/sites/katevinton/2015/06/15/password-manager-lastpass-hacked-exposing-encrypted-master-passwords/#416a72ba728f (last accessed April 2017)
A. Paul Ducklin, "Anatomy of a brute force attack: how important is password complexity?," Naked Security, August 16, 2013, available at https://nakedsecurity.sophos.com/2013/08/16/anatomy-of-a-brute-force-attack-how-important-is-password-complexity/ (last accessed April 2017)
B. Pierluigi Paganini, "Two-factor Authentication for SMBs," Security Affairs, July 1, 2013, available at http://securityaffairs.co/wordpress/15786/security/two-factor-authentication-for-smbs.html (last accessed April 2017)
