Last week’s Yahoo hack — the largest breach of user account data in history — has focussed attention once again on the password’s inherent vulnerabilities. And some cybersecurity experts say we might be nearing the point at which large numbers of consumers finally stop relying on them.
“I believe we are approaching a tipping point,” said Brett McDowell, executive director of the non-profit FIDO Alliance.
The FIDO Alliance promotes two open standards that use hardware devices to either replace or supplement passwords. The device can be a USB key stick or a smart card; a specially secured chip in a smartphone or tablet; or even a fingerprint reader or iris scanner attached to a laptop.
Boosters say that FIDO standards are finally overcoming the “chicken and egg” dilemma that has plagued so many security technologies.
Hashing, cracking and brute-forcing
The 500 million passwords stolen from Yahoo were hashed — put through a one-way mathematical transformation that turns the word into a string of meaningless data called a hash.
Security-conscious websites never store passwords themselves — only hashes. When the user logs on, the password is hashed the same way it was when the password was first entered, and the website compares the hash of the password entered with the hash it has stored. If they match, it means the correct password was entered.
In theory hashing should protect stolen passwords, since it’s all but impossible to mathematically derive a plaintext password from a hash. But special “cracker” software can be used on stolen data in what’s called a “brute force” attack.
Most websites limit the number of attempts to log on — making it impossible to simply guess the password. But once the hashes have been stolen, there’s no limit to the number of guesses that can be made and cracker programs just keep producing hashes of possible passwords — guessing as many as hundreds of times a second — until they guess correctly and the hashes match.
Cracker software is typically programmed to guess commonly used passwords first, then go through the dictionary and lists of proper names, then try combinations of words or words and numbers. It can even be programmed to try all those guesses with zeros in the place of O’s, ones in the place of L’s and so on.
Yahoo said in its statement that most of its hashes were “salted,” meaning they’d been hashed with the addition of a special term, known as a salt, making them harder to brute force. But even salted hashes can often be cracked given enough time and computing power — especially because users generally ignore advice not to use dictionary words or proper names in their passwords.
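The store-and-compare scheme and the effect of salting described above, as an added Python sketch that is not from the article or from Yahoo. It swaps in PBKDF2-HMAC-SHA256 as the slow hash; the account names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # assumed work factor for this sketch; tune for real hardware


def weak_record(password: str) -> str:
    """Unsalted fast hash: the weak scheme, shown only for comparison."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) using a fresh random salt and a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Re-hash the login attempt with the stored salt; compare in constant time."""
    salt, stored = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, stored)


def shared_hashes(hashes) -> int:
    """Count accounts whose stored hash also appears on another account."""
    counts = Counter(hashes)
    return sum(n for n in counts.values() if n > 1)


# Constructed sample accounts; two users chose the same password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#pq-vault-Lr"}

if __name__ == "__main__":
    weak = [weak_record(p) for p in USERS.values()]
    strong = [make_record(p)[1] for p in USERS.values()]
    # Unsalted: identical passwords give identical hashes, so one correct
    # guess exposes every account that reused it. Salted: no two match.
    print("accounts sharing a hash, unsalted:", shared_hashes(weak))
    print("accounts sharing a hash, salted:  ", shared_hashes(strong))
    rec = make_record(USERS["alice"])
    print("correct password accepted:", verify("sunshine1", rec))
    print("wrong password rejected:  ", not verify("sunshine2", rec))
```

The salt is stored beside the hash and is not secret. Its job is to force every stolen record to be guessed separately, while the iteration count makes each guess slower.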
“The bottom line is, passwords can’t be secure,” McDowell told FedScoop. “It’s long past time that we replaced them with something that’s not vulnerable to phishing, social engineering or replay attacks.”
Phishing or social engineering involves tricking a user into giving up their password, for example on a fake website carefully designed to look like their bank’s real login page. Replay attacks rely on the fact that most users also ignore advice not to use the same password for multiple sites or accounts. That means if a hacker has the password for a user’s email account, they can try it on social media or even financial accounts, too.
For several years, Gmail, Facebook and many other large online service providers, following the lead of banks and other financial institutions, have offered additional security in the form of what amounts to a second password — a code-number or PIN that’s sent via SMS to the user’s mobile phone.