Predictable password is Achilles' heel of the internet

Passwords don't just keep your secrets safe, they also provide an insight into the human soul – and that's what worries computer security professionals, John Henzell reports.

Once a mere amusement on game shows, passwords are now the only thing standing between major corporations and hackers.

A popular factoid used to illustrate the leaps forward taken by computers is that the processor used by Nasa for the moon landing was several orders of magnitude less powerful than the one in the cheapest mobile phone you can now buy in the UAE.

It's a throwaway quote designed to provoke a wry smile, but what was taxing a group of IT insiders who met in Abu Dhabi last month was that for all the advances in hardware, networks remain vulnerable because they all rely on a piece of software that missed out on that stratospheric pace of development: Human Nature version 1.0.

Nowhere is this better illustrated than in password selection. If the moon landing phone comparison illustrates hardware's evolution, passwords provide cogent proof that people have, in computing terms, barely gained opposable thumbs.

When the professional networking site LinkedIn was hacked a few months ago, it revealed a statistically robust sample of the passwords users chose for a serious website.

And the top three? Link, 1234 and work.

This is a generation after the use of passwords became routine and more than a decade after anyone with a pulse learnt that cybernasties troll the internet looking for any weaknesses they can exploit.

Defending networks - be they government or corporate - was the purpose of the seminar in Abu Dhabi, where the speakers included John Nolan, a vice president of Mi-Token, a tech company that claims to obviate the vulnerability caused by Human Nature version 1.0.

"The issue is we're dealing with humans," he said.

"They haven't changed in the last 25 years and they're not going to change in the next 25 years.

"You all invest heavily in infrastructure to protect your organisation … but the weakest link is people. Their weakest link is the likelihood to use small, weak passwords.

"It doesn't matter what the policy is - they will take the line of least resistance."

Passwords weren't really needed 25 years ago because few people encountered computers in daily life.

This was 1987, the year Microsoft released Windows 2.0 and Apple unveiled the Macintosh SE, with the breakthrough ability to take two 3.5-inch floppy disks. (For the benefit of anyone under 35, this was when floppy disks had stopped being floppy. For the benefit of those under 25, floppy disks are like the unholy union of a flash drive and a drinks coaster.)

It wasn't just the computers and their ubiquity in modern life that changed. So too did the profile of hackers, which went from individuals who were after the thrill of bringing down a site to organised groups seeking either political or financial gain.

One of the organisers of the seminar, HelpAG's Nicolai Solling, said one corporate reaction was to mandate less hackable passwords by making them longer, including non-alphanumeric characters, and avoiding real words.

But Human Nature version 1.0 was not up to that challenge.

"The problem with [longer] passwords is either we record it in our brain - that's good - or we write it on a piece of paper, which makes it vulnerable," he explained.

And it's fair to say most of the sysadmins - systems administrators, or network overlords to you and me - listening to Solling nodded their heads at that.

Among them was Nolan. The higher up the management structure, he said, the more likely there will be a password-recovery request.

Even worse was using the same password across multiple sites. If you hack into Sony's website, there's an excellent chance that the password John Doe used there is the same one he used for his banking.

Beyond just the network vulnerabilities exposed by human nature, password selection is like the cyber equivalent of the Rorschach ink blot test, providing a glimpse into the human soul.

That goes well beyond the sysadmin-tormenting tendency towards laziness.

Passwords commonly reflect what each person deems important, and hackers have learnt to rank highly in their list of attempted passwords - the "password dictionary" - examples like "god", "angel" or any word associated with the focus of the website, which is why "link" and "work" were such poor choices for LinkedIn members' passwords.

Troy Hunt, a software engineer specialising in security at Microsoft, penned a treatise on what he dubbed "the science of password selection" after millions of passwords were hacked from the Sony PlayStation network last year.

He compared the passwords against three databases: 26,000 commonly used first and last names; 26,000 names of places, cities and countries; and 190,000 words found in the average dictionary.

"The results were alarming; passwords were relatively short (usually six to 10 characters), simple (less than one per cent had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary)," he stated.

"We now know that, structurally, passwords almost always adhere to what we would consider 'bad practices', but how are these passwords derived in the first place? What's the personal significance that causes someone to choose a particular password?

"It turns out there are some very recognisable patterns in the data. In fact the vast majority of passwords adhere to just a small handful of common selection practices. This is interesting research in that it begins to give a bit of insight into the thought process of the individuals who create passwords which conform to weak structural guidelines."

About 14 per cent of passwords involved commonly used names, usually not the user's own but that of a spouse or pet. The more common the name, the more likely it was used, with the top three being Maggie, Michael and Jennifer.

More than half were just the name. Include the addition of numbers - "very, very frequently just a 1" - and you have an immediate shortlist for the passwords of about one in eight users.

Add in place names and you have another eight per cent of passwords, two-thirds of which are unbolstered by numbers or other symbols. As with people's names, overwhelmingly the only number used was "1" as a suffix.

Another quarter of all passwords used a word found in the dictionary. "Top among the dictionary favourites are: password (oh dear), monkey and dragon," Hunt noted.

"The first one probably shouldn't be such a surprise but still, wow! My password source of several hundred thousand accounts had nearly 2,500 'password' passwords, which is not only a pretty poor choice, given it's clearly available in a dictionary, it's also an insanely obvious one."

Another 14 per cent of passwords are strings of numbers, with the top three being 123456, 12345678 and 123456789. For four-digit passwords made up only of numerals, 1234 was used 10 times as frequently as any other combination. In The X Files, Fox Mulder's password was "trustno1". And when Hunt looked at the list of short phrases used as passwords, the most popular one was … yep.

Hunt's point is that with just a dictionary, an atlas and a phone book, hackers have the basis for 60 per cent of all passwords.

Of the relatively common passwords that were among the 31 per cent that did not fit into a pattern Hunt could identify, many came from popular culture and - more tellingly - were in hackers' password dictionaries.

"Typical examples include 'thx1138' (turns out this is a movie from 40 years back), 'gundam' (actually an anime series), and 'ncc1701' (the code name for the USS Enterprise in Star Trek)," he added.

"So there's a whole range of passwords out there which while they won't be picked up by any of the patterns discussed above, do in fact relate to popular culture. This is a fairly obvious source of inspiration, although one that's difficult to define in a set word list.

"Then of course, there are simply passwords which don't adhere to any discoverable pattern, for example 'mw818283' (although interestingly, a Google search does show this up in an online password dictionary). The thing is, though, these fall into the minority, and even if they are 'strong' (long, random, unique), they're now commonly available in password dictionaries to be used in future brute force attacks.

"Because my entire password database has come from compromised sites which are now readily available online, the reality is that none of these passwords should be used again. Ever."
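Hunt's three-list comparison, the "1" suffix he singles out, and his closing point that leaked passwords should never be reused can be turned into a simple audit and policy check. The code below is an added example written for this article, not Hunt's own tooling; the word lists, the breached set and the sample passwords are constructed stand-ins.

```python
import re
from collections import Counter

# Constructed stand-ins for the three reference lists Hunt used (first/last
# names, place names, dictionary words); a real audit loads full lists.
NAMES = {"maggie", "michael", "jennifer"}
PLACES = {"london", "paris", "dubai"}
DICTIONARY = {"password", "monkey", "dragon", "work", "link"}
# Strings the article says already sit in attackers' password dictionaries.
BREACHED = {"trustno1", "thx1138", "ncc1701", "mw818283"}

# A list-derived password is a base word plus an optional digit suffix.
_SPLIT = re.compile(r"^([a-z]+)(\d*)$")

def classify(password):
    """Return (category, base, digit_suffix) using the article's patterns."""
    pw = password.lower()
    if pw.isdigit():
        return ("numeric", pw, "")
    m = _SPLIT.match(pw)
    if m:
        base, suffix = m.groups()
        for category, words in (("name", NAMES), ("place", PLACES),
                                ("dictionary", DICTIONARY)):
            if base in words:
                return (category, base, suffix)
    return ("other", pw, "")

def audit(passwords):
    """Percentage per category, plus how many list-derived passwords carry
    the bare '1' suffix the article singles out."""
    counts = Counter()
    suffix_one = 0
    for pw in passwords:
        category, _, suffix = classify(pw)
        counts[category] += 1
        if category in ("name", "place", "dictionary") and suffix == "1":
            suffix_one += 1
    total = len(passwords) or 1  # avoid division by zero on an empty dump
    report = {c: round(100.0 * n / total, 1) for c, n in counts.items()}
    report["suffix_one"] = suffix_one
    return report

def is_allowed(password):
    """Policy check: reject list-derived, numeric-only or already-leaked values."""
    return classify(password)[0] == "other" and password.lower() not in BREACHED

# Constructed sample, not real leaked data.
SAMPLE = ["Maggie1", "michael", "dubai1", "Password", "monkey", "123456",
          "1234", "trustno1", "mw818283", "Jennifer22"]
```

On the constructed sample, `audit(SAMPLE)` files 30 per cent under names, 10 per cent under places, 20 per cent each under dictionary words, numerals and other, and counts two bare "1" suffixes.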

When sysadmins lie awake at night, it's examples like this of Human Nature version 1.0 at work that are to blame.

John Henzell is a senior features writer for The National.