The Birth of the Password
The birth of the password, as with many revolutionary technological innovations, took place within the walls of MIT. In the 1960s Fernando J. Corbató (1926–2019) was one of the computer scientists working on the Compatible Time-Sharing System (CTSS) at MIT. CTSS permitted multiple users to access the resources of a single computer at the same time. Before CTSS, users took turns using a computer, so there was little concern that one user could peruse another user's data. Because CTSS allowed multiple users to share one computer, there had to be some mechanism that prevented users from viewing each other's private files. This is when Corbató came up with the concept of the password. At the time, Corbató thought, “Putting a password on for each individual user as a lock seemed like a very straightforward solution,” and indeed it was. Users now had to provide a password before being allowed to view their files on the computer; only users who knew the password could view the contents of those files. The adoption of the password marked the onset of the authentication system, a mechanism used to verify the identity of a returning user on a system, application, or network.
Bad Password Habits
It has been 60 years since Corbató pondered the concept of a password, and today it is still the most widely relied-upon authentication mechanism. Since the 1960s, much research has been conducted on the secure construction of passwords in order to prevent adversaries from compromising accounts. Because passwords are so commonly used to authenticate users and can be highly lucrative for an adversary, black hat hackers have put much effort into finding ways to obtain them. The effort a black hat hacker has to spend depends heavily on the characteristics of the user's password: the more complex and uncommon the password, the more guesses an adversary needs to recover it, which often thwarts the attack entirely. Unfortunately, even after six decades of password usage, many individuals either do not understand the risks of weak passwords or deliberately choose weak ones to address the biggest issue with password creation, which is memorability. An ideal password has two properties: (1) it is easy to remember, and (2) it is hard for someone (or a computer!) to guess. Because users today can easily have more than 25 accounts, almost all of which require a password, managing so many passwords leads to bad habits such as password reuse, the use of dictionary words within passwords, and the predictable choices people make when complying with mandatory password requirements.
According to research conducted by the password manager Nordpass, the average person has 70–80 passwords. Remembering 70–80 unique passwords is unrealistic unless you use a password manager or adopt a truly insecure technique for managing them: reusing the same password across multiple accounts. According to a study by Digital Guardian that surveyed 1,000 Google users, 43.3% said they reuse passwords for non-critical accounts, 39.9% said they never reuse passwords, and 10.8% of the participants said they have one password they use across most or all of their accounts (horrible!).
The issue of memorability also leads people to create passwords from words that are memorable, i.e. words found in a dictionary; it is much easier to remember P@ssword123 than it is to remember %342GdaXcER. But building a password from dictionary words leaves it vulnerable to an attack appropriately named a “dictionary attack”. A dictionary attack attempts to recover a user's password by trying every entry in a wordlist (a file containing candidate passwords) that is built from dictionary words and common variations of them, either against a login form or, far faster, against a stolen password hash. For example, a wordlist generated for a dictionary attack may contain the words sunshine and gamer.
Because many applications enforce password policies that require a password to have certain characteristics before it is accepted, adversaries who want to improve their odds of guessing a user's password must be aware of the common password requirements and of the predictable ways users simplify the creation process to satisfy them. Password policies normally require a password to have an uppercase letter, a digit or a special character, and this often leads an individual to create passwords with predictable properties. For example, if an application only accepts passwords that contain an uppercase letter, most people will simply capitalize the first letter of their chosen word, which matches the everyday habit of capitalizing words; likewise a required digit or symbol usually ends up appended to the end (password1, Password!). These predictable patterns let an adversary build far more effective wordlists by taking dictionary words and generating only the variations that meet the requirements of common password policies, rather than enumerating every possible string.
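The following is an added example, not code from the original post, of how a policy-aware wordlist is generated from a handful of base words. The base words, the leet substitution table and the suffix list are assumptions constructed for illustration (a real wordlist would be built from a dictionary file or a list of leaked passwords); the `meets_policy` filter models the common “8+ characters, one uppercase, one digit, one symbol” rule so that only candidates a policy would actually accept are kept.

```python
import itertools

# Constructed sample of base dictionary words; a real attack would load a large
# wordlist such as a dictionary file or a list of previously leaked passwords.
BASE_WORDS = ["sunshine", "gamer", "password"]

# Substitutions users commonly make to satisfy "must contain a symbol/digit" rules.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffixes that typically get bolted on to satisfy digit/symbol requirements
# (short digit runs, years and an exclamation mark are the most frequent).
SUFFIXES = ["", "1", "123", "!", "1!", "2019", "2020", "2020!"]


def case_variants(word):
    """Yield the case forms people actually use: as typed, Capitalized, UPPER."""
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_variants(word, max_subs=2):
    """Yield `word` with up to `max_subs` leet substitutions applied at any positions."""
    yield word
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for n in range(1, min(max_subs, len(positions)) + 1):
        for combo in itertools.combinations(positions, n):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[word[i].lower()]
            yield "".join(chars)


def meets_policy(candidate, min_len=8):
    """A typical composition policy: 8+ chars, one uppercase, one digit, one symbol."""
    return (
        len(candidate) >= min_len
        and any(c.isupper() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(not c.isalnum() for c in candidate)
    )


def generate_wordlist(base_words, policy=meets_policy):
    """Return deduplicated candidates built from `base_words`, keeping only those
    that satisfy `policy` (pass policy=None to keep every variation)."""
    seen = set()
    out = []
    for word in base_words:
        for cased in case_variants(word):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    cand = leeted + suffix
                    if cand in seen:
                        continue
                    seen.add(cand)
                    if policy is None or policy(cand):
                        out.append(cand)
    return out


if __name__ == "__main__":
    unfiltered = generate_wordlist(BASE_WORDS, policy=None)
    filtered = generate_wordlist(BASE_WORDS)
    print(f"{len(unfiltered)} raw candidates, {len(filtered)} meet the policy")
    for cand in filtered[:10]:
        print(cand)
```

Running it shows the point of the paragraph above: the policy that was meant to make passwords stronger also discards most of the attacker's candidates for free, leaving a short list in which entries like P@ssword123 and Sunshine2020! sit near the top.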
Another concern when dealing with so many passwords is the issue of storing them. According to the same Digital Guardian study mentioned above, when participants were asked how they store their passwords, 38.6% said they write them down, 27.7% said they use password managers, 9.5% keep all of their passwords in a file on their computer, and 6.6% use a storage hosting platform like Dropbox or a similar service. A written-down password is an easy win for an adversary trying to get access to your organization, and breaches have occurred simply because employees left their passwords on a piece of paper on their desks. For this reason, many organizations enforce a clean desk policy (CDP), a directive that requires employees to clear their workspaces of papers and other sensitive material before leaving, to prevent the leakage of confidential data such as passwords or proprietary information.
Data Breaches and the Dark Web
The number of data breaches reported so far this year compared to last year suggests that companies may be getting better at preventing data breaches, although the two figures cover different time spans and so are not directly comparable. According to the article cited here, the first half of 2020 witnessed 540 data breaches, compared to last year's 1,473 data breaches with over 164 million records exposed. Regarding data breaches that resulted in the theft of credentials, one might want to know just how many credentials can be found on the dark web today. To answer that question, a dark web audit performed by Digital Shadows' Photon Research Team disclosed that there are more than 15 billion stolen credentials on the dark web as a result of over 100,000 data breaches. Yikes! Below are examples of the most popular passwords that were used in 2019 and 2020.
Top 25 Most Popular Passwords Found in Data Breaches in 2019
Top 25 Most Popular Passwords Found in Data Breaches in 2020
Wherever possible, multi-factor authentication (MFA) should be implemented, because it contributes to a defense-in-depth security strategy, which provides layered security by deploying multiple defensive controls throughout an information system. With MFA, an authenticating user must prove their identity by providing two or more pieces of evidence (factors) from different categories before being granted access to resources; two passwords are not two factors. Generally, there are three categories of factors used to provide MFA:
Something you know
- Passwords
- PINs
Something you have
- Security tokens
- Key fobs
- Mobile devices
Something you are
- Retinal recognition
- Face recognition
- Voice recognition
Other contextual signals, such as the time of day or the geolocation of the login, can also be used to strengthen an authentication decision.
Recommended Password Policies
Password policies are crucial for guiding a secure password creation process. Being able to ban certain insecure elements that a password can have helps ensure that passwords are not chosen lazily. The following password guidelines are recommended by Microsoft to help keep your organization safe:
- Require passwords to be a minimum of 8 characters in length
- Do not impose character-composition rules (e.g. mandatory symbols such as “*&(^%$ ”), since they push users toward the predictable patterns described above
- Do not require mandatory periodic password resets for users (reset on evidence of compromise instead)
- Ban the usage of common passwords
- Educate users not to reuse their organization passwords for non-work related services
- Enforce MFA whenever possible
- Bonus: Do not include your username in your password, and even worse, do not make your username your password!
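As an added example (not code from the original post or from Microsoft), the check below enforces the guidelines above at password-creation time: a minimum length, a banned-password list, and the bonus rule about usernames, while deliberately imposing no composition or expiry rule. The banned list and the leet-reversal table are constructed for illustration; a production list would hold thousands of entries taken from breach data. The normalization step is what makes the banned list useful in practice: it catches trivial dress-ups such as P@ssword123 or Sunsh1ne! rather than only exact matches.

```python
import re

# Constructed sample of a banned-password list; a real deployment would load a
# large list built from breach data (such as the annual "top passwords" lists).
BANNED = {"password", "qwerty", "letmein", "welcome", "iloveyou", "123456", "sunshine"}

# Reverse the substitutions users make to dress up a banned word (P@ssw0rd -> password).
UNLEET = {"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"}


def normalize(password):
    """Reduce a password to the base word the user most likely started from:
    lowercase it, strip leading/trailing digits and symbols, then undo leet substitutions."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return "".join(UNLEET.get(c, c) for c in core)


def check_password(password, username, banned=BANNED, min_len=8):
    """Return a list of policy violations; an empty list means the password is acceptable.

    Deliberately absent: character-composition rules and any expiry check, in line
    with the guidance above. Length, banned words and username overlap are what matter."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lower = password.lower()
    if username:
        if lower == username.lower():
            problems.append("is identical to the username")
        elif username.lower() in lower:
            problems.append("contains the username")
    # Check both the raw (lowercased) value and its normalized base word, so that
    # pure-digit entries like 123456 and dressed-up words like P@ssword123 are both caught.
    if lower in banned or normalize(password) in banned:
        problems.append("is a common password or a trivial variant of one")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs (username, password) for the demonstration.
    samples = [
        ("alice", "P@ssword123"),
        ("alice", "alice"),
        ("alice", "Alice2020!"),
        ("bob", "Sunsh1ne!"),
        ("bob", "123456"),
        ("alice", "correct horse battery staple"),
    ]
    for user, pw in samples:
        verdict = check_password(pw, user) or ["OK"]
        print(f"{user:6} {pw!r:34} -> {'; '.join(verdict)}")
```

Note that the long passphrase passes even though it contains no uppercase letter, digit or symbol, exactly as the guidelines intend, while the eleven-character P@ssword123 is rejected because it normalizes to a banned word.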
Please choose strong passwords, stop writing your passwords down, and start using a password manager like LastPass. Thank you for your time!