“Your password is too weak”
“Use a less commonly used password”
We’ve all been there. Have you ever wondered why almost every website refuses to let us create simple passwords?
If you have, you’re in the right place. Before we dive into the discussion, let me try to guess the pattern of your password. When people are faced with complex rules (at least one uppercase letter, a number, a symbol, and so on) they do the simplest thing that satisfies them:
- Capitalize the first letter of the password
- Add a “1” at the end. Sound familiar? And if a special character is required, what then? Xyz@1 or Xyz@1234?
GOT YA?
Let me introduce you to one of the most common vulnerabilities in web applications today: Broken Authentication. It is common enough to have earned a place on the
Open Web Application Security Project (OWASP) Top Ten list of web application security risks (in the 2021 edition it appears under the name Identification and Authentication Failures).
What is Broken Authentication?
It’s plain and simple: if the login functionality of your application can be subverted or bypassed in some way, that is broken authentication.
Types of Broken Authentication
There are many ways to exploit broken authentication; we will look at some of the most common ones.
Brute force attack – A brute force attack is a popular cracking method. It involves ‘guessing’ usernames and passwords to gain unauthorized access to a system, trying every possible combination until it hits yours. Brute force is a simple method and, against short passwords, a very effective one, because the number of possible passwords is small enough to exhaust. In 2012, a researcher unveiled a 25-GPU cluster that could make 350 billion guesses per second against NTLM (Windows) password hashes, enough to try every 8-character password made of uppercase and lowercase letters, numbers, and symbols in less than six hours. Note that speeds like this apply to offline cracking of a stolen hash database; a live login form that limits failed attempts is far slower to attack, which is why attackers go after the hashes.
As mentioned above, many users pick very common passwords. Attackers keep lists of the most common ones, as well as real user credentials obtained from earlier breaches or bought on the dark web. Bots work through these lists against website after website and notify the attacker whenever a login succeeds.
Well, now we know why websites keep pestering us with everyone’s favourite test.

Dictionary attack – A dictionary attack is an attacker trying your password against a dictionary: a prearranged list of words, such as you’d find in a real dictionary, plus lists of previously leaked passwords and the usual variations of them (first letter capitalized, digits appended, and so on). If your password is a single ordinary word, even a ‘super’ uncommon one, it is already in such a list. What defeats the dictionary attack is combining several unrelated words, like BananaChairSchoolPhone, so that the attacker has to guess the whole combination rather than one entry.
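To see why the Xyz@1 and Welcome1 habits from the introduction fall to a dictionary attack, here is a small offline cracker written for this article (it is an added example, not code from the original post). It takes a constructed six-word wordlist, applies a handful of mangling rules of the kind hashcat and John the Ripper ship by the thousand, hashes every candidate and looks it up in a constructed “breach dump” of four SHA-256 hashes. The wordlist, the suffix list and the leaked hashes are all hypothetical.

```python
import hashlib

# Constructed stand-in for a real wordlist such as rockyou.txt (hypothetical,
# six entries instead of millions).
WORDLIST = ["password", "welcome", "monkey", "sunshine", "xyz", "dragon"]

# Suffixes people bolt on to satisfy "must contain a number/symbol" rules.
SUFFIXES = ["", "1", "123", "1234", "!", "@1", "@1234", "!1"]


def mangle(word):
    """Yield the variants a cracking rule set would try for one base word.

    Mirrors the habits in the introduction: capitalize the first letter,
    append a digit, append a symbol plus digits. Real rule sets are far larger.
    """
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(text):
    # Unsalted SHA-256 stands in for a leaked hash database. A real site
    # should use a slow, salted hash (bcrypt, scrypt, Argon2), which makes
    # every guess below cost thousands of times more.
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hashes, wordlist):
    """Offline attack: hash every mangled candidate and look it up in the dump.

    Returns (recovered, guesses) where recovered maps hash -> plaintext.
    """
    recovered = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = sha256_hex(candidate)
            if digest in target_hashes and digest not in recovered:
                recovered[digest] = candidate
    return recovered, guesses


def leaked_hashes():
    """A constructed 'breach dump' of four password hashes (hypothetical)."""
    plaintexts = ["Xyz@1", "Welcome1", "Password!", "BananaChairSchoolPhone"]
    return {sha256_hex(p) for p in plaintexts}


if __name__ == "__main__":
    recovered, guesses = dictionary_attack(leaked_hashes(), WORDLIST)
    print(f"{len(recovered)} of 4 passwords recovered in {guesses} guesses:")
    for plaintext in recovered.values():
        print("  ", plaintext)
```

Three of the four hashes fall in 144 guesses; the multi-word passphrase survives because no single wordlist entry, however mangled, produces it. With a salted, slow hash in place of SHA-256 the same 144 guesses would still succeed, only more slowly, which is why the hash function protects long passwords, not weak ones.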
Credential Stuffing Attack – Now to another very common human trait: not following basic instructions (don’t worry, I used to do the same). No matter how many times people are told never to use the same password across many sites and services, most still do just that. It’s human nature to take the quickest and easiest option, the one that means we won’t forget our passwords and get locked out.
Credential stuffing is the use of automated tools to test a list of valid usernames and passwords, stolen from one company, against the website of another company. Since users frequently reuse passwords across accounts, attackers using this method inevitably achieve some degree of success, even though each account is tried only once or twice.
In 2017, researchers discovered a file on the dark web containing 1.4 billion compromised username and password combinations in plain text, compiled from numerous earlier breaches and made available for anyone to use.
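On the defender’s side, credential stuffing has a different shape in the login logs from brute force: a stolen list is replayed roughly once per account across many usernames, whereas a brute force attack hammers one account with many passwords. The following detector is an added example for this article (not code from the original post or from any product). It runs over a constructed log snippet (hypothetical IPs and usernames), labels each source address, and lists the accounts that should be force-reset because a stuffing source logged into them successfully. The thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample login log (hypothetical; not from any real system).
# 203.0.113.7 replays a stolen user:password list (one try per account),
# 198.51.100.9 hammers a single account, 192.0.2.5 is a user who typo'd once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=SUCCESS
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:05Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:06Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:07Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:08Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:10Z ip=192.0.2.5 user=grace result=FAIL
2024-05-01T10:00:20Z ip=192.0.2.5 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(\S+)")


def parse_events(log_text):
    """Yield (ip, user, result) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.group(1), match.group(2), match.group(3)


def source_stats(log_text):
    """Per source IP: attempt count, distinct users tried, users logged into."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": set()})
    for ip, user, result in parse_events(log_text):
        entry = stats[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        if result == "SUCCESS":
            entry["successes"].add(user)
    return stats


def classify_sources(log_text, min_attempts=5, stuffing_ratio=0.8):
    """Label each source IP.

    credential_stuffing: many attempts spread over many distinct usernames
        (a leaked list replayed once per account), so users/attempts is high.
    brute_force: many attempts concentrated on few usernames.
    normal: too few attempts to judge.
    Thresholds are illustrative; tune them to your own traffic.
    """
    verdicts = {}
    for ip, entry in source_stats(log_text).items():
        if entry["attempts"] < min_attempts:
            verdicts[ip] = "normal"
        elif len(entry["users"]) / entry["attempts"] >= stuffing_ratio:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "brute_force"
    return verdicts


def accounts_to_reset(log_text):
    """Users who logged in successfully from a stuffing source.

    Their password is in the attacker's list, so force a reset and notify them.
    """
    stats = source_stats(log_text)
    hit = set()
    for ip, verdict in classify_sources(log_text).items():
        if verdict == "credential_stuffing":
            hit |= stats[ip]["successes"]
    return hit


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15s} {verdict}")
    print("force reset:", sorted(accounts_to_reset(SAMPLE_LOG)))
```

The per-IP view is deliberately simple; real stuffing campaigns spread the list across thousands of proxy addresses to stay under any per-IP threshold, so production detection also looks at the global failure rate per minute and at the fraction of usernames that do not exist at all.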
WHAT CAN WE DO AS USERS?
A lot of companies are working on their technology to prevent this, but users can also follow the steps below to keep their passwords safe.
- Do not use personal information such as your name or birth year.
- Make your password long. Length matters more than clever symbol substitutions, and anything under 10 to 12 characters is within reach of the cracking speeds described above.
- Use passphrases. Long strings of random characters are very hard to remember; an alternative is a passphrase, a string of several meaningful words. The words must be chosen at random (by a generator, not by you), or the combination becomes guessable. Online passphrase generators inspired by the XKCD comic will make one for you.
- Avoid patterns, like keys next to each other on the keyboard, or the habits mentioned above.
- Update your logins with freshly generated passphrases whenever a service you use is breached, and never reuse a passphrase across sites.
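To put numbers on the “make it long” and “use a passphrase” advice, here is a small passphrase generator with an entropy calculator, written as an added example for this article (not the XKCD generator or any tool the post links to). It draws words with Python’s CSPRNG from a constructed sixteen-word list, and compares the search space of passphrases and character passwords against the 350 billion guesses per second quoted earlier. The wordlist is hypothetical; the 7776-word figure assumed for the entropy estimates is the size of the EFF long wordlist that real generators use.

```python
import math
import secrets

# Constructed mini wordlist (hypothetical). A real generator uses a list such
# as the EFF long list, whose 7776 entries are assumed for the entropy figures.
WORDS = ["banana", "chair", "school", "phone", "river", "cactus", "window",
         "planet", "copper", "maple", "tiger", "velvet", "anchor", "basket",
         "candle", "dolphin"]
EFF_LIST_SIZE = 7776
GPU_CLUSTER_RATE = 350e9  # guesses per second, the 2012 figure quoted above


def generate_passphrase(words=WORDS, n_words=4, separator="-"):
    """Pick n_words uniformly at random (with replacement) using the CSPRNG.

    secrets.choice, never random.choice: the words must be unpredictable,
    which is the whole point of a passphrase.
    """
    return separator.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(pool_size, picks):
    """Bits of entropy for `picks` independent uniform choices from a pool."""
    return picks * math.log2(pool_size)


def hours_to_exhaust(bits, guesses_per_second=GPU_CLUSTER_RATE):
    """Worst case for the attacker: try the whole keyspace at the given rate."""
    return 2 ** bits / guesses_per_second / 3600


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase())
    for label, bits in [
        ("8 lowercase letters", entropy_bits(26, 8)),
        ("8 chars, full 95-symbol keyboard", entropy_bits(95, 8)),
        ("4 random words, 7776-word list", entropy_bits(EFF_LIST_SIZE, 4)),
        ("6 random words, 7776-word list", entropy_bits(EFF_LIST_SIZE, 6)),
    ]:
        print(f"{label:34s} {bits:5.1f} bits  {hours_to_exhaust(bits):16,.2f} hours")
```

The 8-character, all-symbols password comes out at about 52.6 bits, and at the 2012 cluster’s rate that is about 5.3 hours, which is the “less than six hours” figure above. Four random words from a 7776-word list give almost exactly the same strength (about 51.7 bits) while being far easier to remember, and six words (about 77.5 bits) would take that cluster on the order of twenty thousand years. An 8-character lowercase password, by contrast, falls in under a second.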
Clearly humans are not the best with passwords, so perhaps the long-term solution is to get rid of passwords altogether. A PASSWORD-LESS FUTURE sounds crazy but may well be the way out. One-time passwords (OTP), QR codes, password-less ‘magic’ links and biometrics may well become the norm in the near future.
Yash Kumar Gupta, 3rd year Btech Information Technology