Your P@55Word has expired
The most widespread and oldest form of digital security is fundamentally broken – we just haven’t accepted it yet. Alan Rutter asks how vulnerable we are, and what the alternatives might be
23rd April 2013 (Taken from: #11)
At 1.07pm on a Tuesday afternoon, the Associated Press sent a tweet to its 1,903,273 followers: “Breaking: Two explosions in the White House and Barack Obama injured”.
The ensuing stock market chaos was exactly what the pro-Assad Syrian Electronic Army (SEA) had intended to create when they gained illicit access to the Twitter account. This wasn’t a complex hacking exercise: the SEA got hold of the password by asking for it. AP reporter Mike Baker revealed that the organisation’s employees had “received an impressively disguised phishing email” an hour before the attack – a communication claiming to be from Twitter that tricked the users into fake password resets.
We have come to rely on passwords to protect all aspects of our lives, from vital business systems to our social media accounts. But among information security experts, there is a worrying consensus: passwords are broken. And they’re exposed on two fronts. On one hand, the number of phishing attacks is increasing rapidly – according to analysis by internet security company Kaspersky, 37.2 million people in the UK were targeted by such attacks in 2012, up 87 percent on the previous year. On the other, hackers are becoming more sophisticated in their methods of stealing passwords without going through us. Deloitte estimates that more than 90 percent of user-generated passwords currently in use (including those rated by the IT systems as “strong”) are vulnerable to hacking. UK fraud prevention service CIFAS reported 13,500 cases of identity theft through password hacks in the first five months of this year alone.
Hacking for dummies
Guessing a password should be difficult. If each character of your password can be a letter – upper or lower case – a number, or a non-standard character, then you get 72 possibilities per character. The number of variations is 72 to the power of the length of the password, and that number gets big very quickly. With that in mind, hackers don’t randomly attack a single user’s account and attempt to crack the password online. Most systems are alert to multiple login attempts in a short space of time and will lock out anyone who tries it. Instead, hackers get hold of a mass of usernames and hashed passwords that they can then try to decipher offline, where no lockout applies.
Dropbox and Twitter have both had password databases stolen, and in June last year 6.5 million LinkedIn passwords were taken and posted online. The passwords in these databases have been “hashed” – scrambled by a one-way algorithm into a longer, machine-generated string of characters that cannot simply be read back to reveal the original. Reversing them by guesswork alone would take a very long time, but as computer processing speed and hacker ingenuity have accelerated, there are other, smarter ways. “Hackers use standard tables – called ‘rainbow tables’ – of words and combinations of characters that help identify possible passwords,” explains Martin Deeley, a freelance IT and security consultant. These tables are huge sets of pre-computed hashes matched to their plaintext equivalents. The computer runs through the rainbow table until it finds a match among the stolen hashes: and then the hacker has your actual password.
But still the greatest vulnerability isn’t technical, it’s human. “People use the same passwords over and over again, and the list of most popular passwords doesn’t change from year to year,” says Deeley. Security expert Mark Burnett compiled a list of six million unique username and password combinations that had been circulated online. He found that 91 percent of them had a password from a list of the 1,000 most popular. That’s a very short list for a hacker to start with. A huge 8.5 percent of people use the two most popular passwords: “password” and “123456”.
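As an added illustration, not code from the article or from anyone quoted in it, the following Python sketches the attack described above and the defence that counters it: the 72-to-the-power-of-length keyspace, a precomputed lookup table that recovers unsalted hashes instantly, and per-user salting with a slow hash, which removes that shortcut but not the weakness of a popular password. The password list, the salt value and the choice of unsalted SHA-1 for the leaked database are constructed assumptions.

```python
import hashlib

# Constructed stand-in for the "1,000 most popular" list the article cites
# (a handful of entries; not the real list).
POPULAR = ["password", "123456", "qwerty", "letmein", "abc123"]

ALPHABET = 72  # the article's count: 26 + 26 letters, 10 digits, 10 symbols


def keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """Distinct passwords of a given length: alphabet ** length."""
    return alphabet ** length


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1, assumed here as the leaked site's hash (illustrative)."""
    return hashlib.sha1(text.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once. Because unsalted hashing is
    deterministic, one table serves every leak (the rainbow-table idea)."""
    return {sha1_hex(p): p for p in candidates}


def crack_unsalted(stolen_hashes, table):
    """Table lookup: every stolen hash that appears in the table is recovered
    instantly, with no hashing done at attack time."""
    return {h: table[h] for h in stolen_hashes if h in table}


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Defence: a random per-user salt plus a slow KDF (PBKDF2 here). The
    precomputed table no longer matches, and each guess costs real work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def crack_salted(stolen_hash: str, salt: bytes, candidates, rounds: int = 100_000):
    """With salting, the attacker must hash each guess for each user. A weak
    choice from the popular list still falls; only the shortcut is gone."""
    for p in candidates:
        if salted_hash(p, salt, rounds) == stolen_hash:
            return p
    return None
```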
“This is why most IT security professionals promote complex passwords: minimum length, upper and lower case, and a number or a non-standard character. Complex passwords are better, but they bring their own problems,” says Deeley. “Because they’re hard to guess, they’re hard to remember – so people end up writing them down.” Or just re-using the same password. A 2012 poll by Experian found that the average UK user maintains 26 online accounts, but uses just five passwords to keep them secure.
And you, the customer or employee, are not the only weak link – the big online businesses that can authorise your password resets are vulnerable too, particularly when it comes to phishing attacks. In August last year, Mat Honan – a tech expert and journalist for Wired – had his entire digital life taken over in the space of an hour. His passwords were up to 19 characters long and alphanumeric. The hackers had managed to play two tech support desks off against each other by pretending to be Honan. Amazon provided them with a small, seemingly harmless piece of information – a partial credit card number – which Apple just happened to use to allow a reset of an iCloud password. Once there, the hackers jumped from account to account, resetting passwords and locking Honan out.
The death of ‘Open Sesame’
“I don’t think that there’s anybody defending passwords today – they’ve been broken for years,” says Brennen Byrne, CEO of alternative authentication startup Clef – one of a group of businesses that in July launched an online Petition Against Passwords. “We’re seeing passwords breaches every day. Giants like Twitter and Apple are losing this information. We’ve been using passwords since ‘Open Sesame’, but all of us in security and privacy agree that they are a problem.”
The companies behind the password petition offer a variety of alternative methods of authentication. PixelPin replaces passwords with pictures – users choose an image (like a holiday snap), and then pick a sequence of ‘PassPoints’ in the picture that they’ll have to click in sequence to authenticate. PinGrid asks users to remember a pattern on the screen, rather than a simple password, their logic being that humans are better at remembering patterns than strings of characters. Meanwhile, Yubico uses password devices that resemble a USB stick – you plug one of them into your computer, and when you want to log in, it sends a One Time Password (OTP) to the service you’re accessing.
Yubico’s system is an example of two-factor authentication – a combination of something you know and an object you possess. More and more businesses are moving down the two-factor route, but while this is becoming increasingly common where users can be forced to employ it – at work, or by using the plastic “add new payee” gadget sent to us by banks – it has picked up little traction with users on their personal digital accounts. Most cloud-based email services, including Gmail, have a two-factor option, and Twitter rolled out two-factor in August. It’s up to users whether these are turned on, and for most people convenience has trumped security.
Two-factor has shown more success when used on smartphones – the device that modern users are already attached to and are likely to have on their person. Clef uses public-key cryptography wrapped in a mobile app. When you want to log in to a website, your phone, which holds one half of a key pair, sends an encrypted digital signal to your computer; this is then verified by Clef’s online service, which effectively holds the other half of the key. As the process is machine-to-machine, the cryptography can be far more sophisticated than anything our puny human brains could generate or remember.
Biostamps and password pills
The really mind-bending solution to the security problem is “inherence factor authentication”, which replaces something the user has or something the user knows with something the user is. In June, Google filed a patent for a system that verifies users not just by scanning their face (this system has already been shown to be crackable by hackers using photographs), but also asking them to perform a specific action like frowning or sticking out their tongue. By asking for different actions each time, or a sequence, it makes it much harder to cheat.
Electronics company MC10 has a working implementation of a “biostamp tattoo” – a flexible, lightweight electronics circuit that can be worn on the skin and that machines can read when it is nearby. Motorola has a conceptual plan for a pill-sized device that when swallowed pulls power from stomach acid to produce an 18-bit authentication ECG-like signal from the embedded chip inside (you’d need to take a new pill every day). And then there are the less futuristic options, like fingerprint scans, a feature of the newly released iPhone, and retina recognition.
But while the technology may be there, biometric security has its own problems. “It scares me from a data privacy point of view,” says Deeley. “The idea of giving my biometric data – whether that’s fingerprints, retina information or other physical attributes – to a third party who will scan, digitise, transmit, and store it somewhere worries me more than the authentication benefits it offers. I wouldn’t trust a third party to handle my fingerprints securely, based on how badly they manage passwords.”
The storage of this data could be made more sophisticated, but there’s a fundamental problem with biometric authentication. If somebody steals your password, you can ultimately (if painfully) get your identity back. If somebody manages to fake your retina, you’ve got a problem. “That’s really the problem with biometrics today,” says Byrne. “In terms of being reliable they work really well. The problem is if you lose your identity it’s lost for good.”
The electronic army on the march
The attack on Associated Press (the fallout from which almost crashed the Dow Jones) was not a one-off, isolated incident. In the space of a few months, the Syrian Electronic Army hacked accounts belonging to Al Jazeera, the BBC, the New York Times, The Daily Telegraph, The Guardian, Human Rights Watch and National Public Radio.
And their sights were not just set on corporate accounts. In July they hacked Truecaller (the biggest online telephone directory, with more than a billion global phone numbers) and text messaging service Tango, from whom they stole 1.5 terabytes of user account data. The SEA boasted online that this data had already given them access to more than a million Facebook, Twitter, LinkedIn and Gmail accounts. And this is just one group of hackers, who have an inherent motivation to publicise their attacks – most data thieves stay silent.
Nobody knows how many passwords have been hacked, or accounts accessed. Your own identity could already be compromised. And you – like the Associated Press – will only find out when one day you get the message: “password failed”.
We hope you enjoyed this sample feature from issue #11 of Delayed Gratification