In the wake of a breach, researchers typically focus on the poor password choices of users, but reuse is a much greater threat
Sony Pictures, news site Gawker, and social networking site RockYou — following each high-profile breach, hackers released the password file and lit off a round of analysis of users’ password choices. The most common conclusion from researchers: Users select poor passwords.
Yet, in the real world, choosing weak passwords is much less dangerous than reusing the same password at multiple sites. In a recent paper, researchers from Florida State University, Cisco, and security firm Redjack found that passwords not guessed by cracking dictionaries can survive brute-force attempts quite well.
“There are very few situations where password strength really makes a difference,” says Matt Weir, a co-author of the paper and security researcher, now with the MITRE Corporation.
Weir and other computer scientists researched whether entropy, a common cryptographic measurement, was a good metric of password strength. In reality, today’s password-breaking systems focus on guessing common passwords using techniques like rainbow tables, not on brute force methods of cracking. The researchers demonstrated that common estimates of strength overestimate the difficulty in cracking easily guessable passwords and underestimate the difficulty in cracking more complex codes.
The conclusion: Really weak passwords — those having less than eight characters and contained in a password dictionary — can be broken easily. However, add a little complexity, and the passwords become much harder to break.
“What immediately sticks out is that the password cracking sessions start out much like the other attacks, but quickly hit a plateau where they become significantly less effective,” the researchers state in the paper. “Unfortunately this means that there still are a sizable number of users who pick weak passwords and would be compromised in an online cracking attack.”
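The mismatch the researchers describe (an entropy-style estimate rating a mangled dictionary word as strong while a guess-based cracker finds it in a few dozen tries) can be shown directly. The following is an added example, not code from the paper or the article: it implements the NIST SP 800-63 (2006) Appendix A entropy heuristic alongside a toy guess-ordered cracker. The wordlist and mangling rules are constructed for illustration, and the dictionary-bonus taper in the original heuristic is simplified to a flat 6 bits.

```python
from typing import Optional

# Constructed toy wordlist; real cracking wordlists hold millions of entries.
WORDLIST = ["password", "123456", "letmein", "monkey",
            "sunshine", "qwerty", "dragon", "baseball"]

# Mangling rules in the order a guess-based cracker applies them to every word.
RULES = [
    lambda w: w,                       # the word as-is
    lambda w: w.capitalize(),          # Password
    lambda w: w + "1",                 # password1
    lambda w: w.capitalize() + "1",    # Password1
    lambda w: w + "123",               # password123
    lambda w: w.capitalize() + "!",    # Password!
    lambda w: w.capitalize() + "1!",   # Password1!
]


def nist_entropy_bits(pw: str) -> float:
    """Entropy estimate for user-chosen passwords from NIST SP 800-63 (2006),
    Appendix A: 4 bits for the first character, 2 bits each for characters
    2-8, 1.5 bits each for 9-20, 1 bit beyond that; +6 bits when both an
    uppercase and a non-alphabetic character appear; +6 bits when a
    dictionary check does not find the password (simplified: the original
    tapers this bonus to zero at 20 characters)."""
    bits = 0.0
    for position in range(1, len(pw) + 1):
        if position == 1:
            bits += 4
        elif position <= 8:
            bits += 2
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1
    if any(c.isupper() for c in pw) and any(not c.isalpha() for c in pw):
        bits += 6
    # Naive exact-match dictionary check: it misses every mangled variant,
    # which is exactly the gap the guess-ordered attack below walks through.
    if pw not in WORDLIST:
        bits += 6
    return bits


def guess_number(pw: str) -> Optional[int]:
    """1-based position of pw in the cracker's guess order, or None if the
    whole wordlist-times-rules space is exhausted without hitting it."""
    n = 0
    for rule in RULES:
        for word in WORDLIST:
            n += 1
            if rule(word) == pw:
                return n
    return None


def total_guesses() -> int:
    """Size of the guess space this toy cracker can cover."""
    return len(RULES) * len(WORDLIST)


def compare(pw: str) -> dict:
    """Side by side: what the entropy heuristic claims versus what the
    guess-based attack actually needs."""
    return {
        "password": pw,
        "nist_bits": nist_entropy_bits(pw),
        "guess_number": guess_number(pw),
        "survives_wordlist_attack": guess_number(pw) is None,
    }


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "t7kq!e"]:
        print(compare(candidate))
```

Running it, "Password1!" scores 33 bits under the heuristic yet falls on guess 49 of 56, while the shorter "t7kq!e" scores only 20 bits and is never reached: the estimate overrates the guessable password and underrates the odd one, which is the plateau effect the paper reports.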
The research undermines the focus on password strength, as do recent events. In particular, password strength matters little if providers don’t protect the sensitive files that store passwords. For example, Sony Pictures allegedly did not encrypt its password files, allowing anyone with access to the file, such as the hackers that broke into the site, to have full access to all the passwords.
In addition, the strength of the passwords has not mattered in many cases because the companies have failed to encrypt the password files, exposing weak and strong passwords alike. The RockYou breach exposed some 30 million passwords and Sony Pictures exposed a million, all allegedly without the protection of encryption.
In the face of such events, having unique passwords is significantly more important than strength. A unique password limits the impact of any breach to only the affected accounts — a much better situation than trying to quickly change passwords across all your accounts.
Yet, because of the difficulty in keeping track of passwords across the dozens of Web sites and online services to which a person typically belongs, most users reuse passwords. An analysis of the Gawker password set found 76 percent of people reused their passwords. Another analysis that compared Gawker and Sony found 67 percent of accounts using the same email address also had the same password.
While many security researchers like to belittle the user who reuses simple passwords across multiple sites, software architect Troy Hunt, who did the latter analysis, says the user’s dilemma is entirely understandable.
“Even if you go low and, say, use 10 characters, by the time you add a little complexity and by the time you accumulate a few accounts, you have to be a savant to remember them all,” Hunt says.
Unlike password strength, which a provider can enforce at sign-up, password reuse is something a provider cannot gauge. Such choices are entirely in the user’s hands, unless providers somehow find a way to force users to use a password manager.
Because of this tradeoff between security and usability, passwords will likely puzzle researchers for some time to come.
“We are going to be dealing with password problems for the foreseeable future,” MITRE’s Weir says.