Published May 30, 2013
With high-profile cyber attacks on the rise, a spotlight shining on passwords has revealed a faulty system rampant with potential loopholes and a traditional password-username mechanism that has fallen painfully behind the times.
As more and more of people’s lives move online, it has never been more imperative to adopt complex passwords and diversify them across all accounts. Yet, 74% of Internet users still use the same password across multiple websites, according to data from McAfee.
The misstep has been at the helm of a string of recent market-moving cyber attacks, including a takeover of the Associated Press’s Twitter account last month that sent the stock market spiraling 143 points on false reports of a bombing at the White House.
Last week, the Financial Times’ Twitter account was briefly in the hands of Syrian hackers, and the accounts of reporters at the New York Times and the social media accounts of Burger King (BKW) and Jeep have also fallen victim to varying degrees of cyber heists.
“There have been so many breaches of data over the past decade -- so many breaches of high profile accounts such as the AP -- that it has just become so painfully obvious that the password is just done,” said Robert Siciliano, an online security expert at Intel’s (INTC) McAfee.
Some of the most widely used passwords are as simple as “password” and “123456.” Others use common words and phrases, or publicly available personal dates such as their birthdays.
Compounding the issue is the fact that passwords are oftentimes reused across multiple platforms, making it easy for a hacker to gain access to multiple accounts, like Facebook (FB) and bank accounts, simultaneously.
“You have a skeleton key on your online life and it only takes one” malicious email or link, said Pat Peterson, CEO of Agari, a San Mateo, Calif.-based email security provider that acts as an overlay between email receivers and senders. “It’s not just the password for Facebook anymore. If the password is being reused, it’s basically the access to your bank account and everything else.”
Out of three million user passwords analyzed in a recent Trustwave report, 50% of business users were found to be using easily guessed passwords — the most common being “Password1” because it often meets the minimum standard for acceptable passwords.
“I think the issue is people don’t think their stuff is going to be accessed,” said Christopher Pogue, director of SpiderLabs at Trustwave, a cloud-based compliance and information security solutions company. “As we move into this more fluid cyber world, passwords are a big deal.”
The Golden Ticket: Longevity
Longer, more complex passwords make meaningful differences in thwarting cyber criminals.
To put this in perspective, an eight-character password that mixes upper- and lower-case letters, numbers and common symbols (for example, B33r&Muh) has roughly 7.2 quadrillion possible combinations, according to data estimated by Lockdown, a U.K.-based home computer security center. With a cluster of computers guessing at a rate of 1 billion per second (which is possible), it would take hackers 83.5 days to try them all and access the system.
If that same mixed password had only six characters, the number of combinations slumps to 782 billion, which would take that same cluster of computers just 13 minutes to guess correctly, according to Lockdown.
“By increasing the complexity and adding to the length, it increases complexity of a computer system being able to guess that password exponentially,” Pogue said.
One way to outsmart a so-called “dictionary attack,” an automated password-guessing technique that tries hundreds to millions of possibilities in an instant, is to use word permutation: a “3” instead of an “E,” a “$” instead of an “S.”
It goes without saying, but companies also shouldn’t use variants of their own corporate name as passwords, however convenient that may be.
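The arithmetic behind the Lockdown figures above, as an added example that is not part of the article: a small Python script that reproduces the 7.2 quadrillion / 83.5 days and 782 billion / 13 minutes data points and generalizes them to any alphabet size, password length and guessing rate, then answers the policy question a defender actually asks (how long must a password be to outlast a given guessing budget). It also counts how many spellings the “3 for E, $ for S” substitution trick produces for a single dictionary word. Assumptions not taken from the article: the mixed alphabet is 96 symbols (26 lower + 26 upper + 10 digits + 34 symbols, which is the split that yields the quoted numbers), and the substitution table beyond “3” and “$” is a constructed set of common replacements.

```python
"""Added example, not from the article: brute-force keyspace arithmetic.

Reproduces the Lockdown figures quoted in the article and generalizes them.
Assumptions (not from the article): a 96-symbol mixed alphabet, split as
26 lower + 26 upper + 10 digits + 34 symbols, which yields the quoted
7.2 quadrillion combinations for eight characters; the guessing rate is the
article's 1 billion guesses per second.
"""
import math

GUESSES_PER_SECOND = 1_000_000_000  # the article's "1 billion per second" cluster

# Character-class sizes; the symbol class is sized so the full alphabet is 96.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 34}

# "3" for "E" and "$" for "S" are the article's examples; the rest are an
# assumed set of common substitutions, used only to count variants.
SUBSTITUTIONS = {"e": "3", "s": "$", "a": "@", "o": "0", "i": "1"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def alphabet_for(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes)


def min_length_to_resist(alphabet_size: int, seconds: float,
                         rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace takes at least `seconds` to exhaust.

    Integer comparison, so there is no floating-point rounding at the boundary.
    """
    target = math.ceil(rate * seconds)
    length = 1
    while alphabet_size ** length < target:
        length += 1
    return length


def substitution_variants(word: str, rules=SUBSTITUTIONS) -> int:
    """How many spellings the substitution trick yields for one dictionary word.

    Each substitutable letter is either left alone or replaced, so the count is
    2**k for k substitutable letters: "beer" -> beer, b3er, be3r, b33r (4).
    """
    return 2 ** sum(1 for ch in word.lower() if ch in rules)


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(password: str, rate: int = GUESSES_PER_SECOND) -> str:
    """One-line summary of a password's keyspace and exhaustion time."""
    size = alphabet_for(password)
    secs = seconds_to_exhaust(size, len(password), rate)
    return (f"{password!r}: alphabet {size}, {len(password)} chars, "
            f"{keyspace(size, len(password)):.3g} combinations, "
            f"exhausted in {human_duration(secs)}")


if __name__ == "__main__":
    # The article's two data points: 8 and 6 mixed characters at 1e9 guesses/s.
    print(report("B33r&Muh"))   # ~7.21e+15 combinations, 83.5 days
    print(report("B33r&M"))     # ~7.83e+11 combinations, 13.0 minutes
    print(report("password"))   # lower-case only: 26**8, under four minutes
    # Policy question: how long must a mixed password be to outlast a year?
    print("min length for one year:", min_length_to_resist(96, 365 * 86400))
    print("variants of 'beer':", substitution_variants("beer"))
```

The script separates the two levers the article discusses: `alphabet_for` captures the character-class mix, and the exponent captures length. Running `min_length_to_resist` for a 96-symbol alphabet against one year of guessing at the article's rate returns 9, and for lower-case letters alone it returns 12, which is the length-versus-complexity trade-off Pogue describes expressed as a concrete policy number.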
Phishing for Access
Further helping cyber scammers gain access to sensitive data including usernames and passwords are spyware, malware and phishing schemes. More than 95% of all phishing attacks in 2012 were tied to state-affiliated espionage, according to Verizon’s 2013 data breach investigations report.
“Sending a convincingly crafted malware-laden e-mail to a few key employees could give an attacker the keys to a company’s intellectual property kingdom,” Verizon said in the report.
A phishing scam is often delivered to victims in the form of a link or attachment in an email or inbox message on a social media site like Facebook or LinkedIn. When opened, it will infect the computer with spyware that enables a criminal to swipe usernames and passwords.
Phishing schemes can be sent widely to multiple employees, and all the hacker has to do is hope one person clicks on the link and that the security firewalls fail to defend.
“In the form of a virus, spyware has been around for more than a decade, and in the wrong hands it can do a significant amount of damage,” Siciliano said.
The media has been targeted in a recent string of phishing schemes that have raised the profile of cyber attacks. The Financial Times, a Pearson (PSO) company, never responded to a request for comment on whether it was hit by a phishing scheme ahead of Friday’s Twitter attack, but the password-smuggling event carried the hallmarks of one, and the attacks that hit the AP and New York Times have also been said to have initially emerged from phishing.
“An amazing percentage [of cyber attacks] have started with a malicious email,” Peterson said.
The Syrian Electronic Army, which claimed responsibility for the FT attack, bragged about the infiltration and posted FT usernames and passwords on Twitter in the aftermath, one as simple as Gar1eth – a play on the staffer’s first name, Gareth.
“Whether due to lack of education or policy enforcement, employees pick weak passwords, click on phishing links and share company information on social and public platforms,” Pogue said.
Is the Password Dead?
As the online attacks continue to escalate, it's clear the traditional username and password system is failing.
“The password model for the 21st century is completely broken,” Peterson said. “Aren’t there better ways to prove you are who you say you are?”
His question was rhetorical, of course. There are emerging technologies in the pipeline that are already shaping the way people log on to their cyber interfaces, such as retina, voice and fingerprint recognition.
Many startups are writing applications that can identify a person based on the contours of their face and other physical features. Peterson said it is a hot field that will likely be deployed in the government first before becoming highly functional and widely used among consumers.
Multi-factor verification systems, which layer protections such as facial recognition, codes and personal questions on top of usernames and passwords, go several layers deeper, making it more difficult for hackers to gain access.
They have yet to be fully adopted, however, partly because they require money, more training and additional customer service if provided by a brand.
“Many people don’t have the capacity for multi-factor authentication and what that boils down to is additional customer support [for businesses] – which results in more expenses,” Siciliano said.
Until the generational gap in tech savvy narrows, or apps are written that make multi-layered protection as seamless as checking email, broad adoption may take some time.
In the meantime, get comfortable with lengthy passwords and using a different one for each login. If that’s too much to handle, buy a password manager that can do it all for you.