According to a new survey, it really doesn’t matter how strong you make your passwords or where you store them: Hackers are going to figure them out.
Thycotic surveyed attendees at this year’s Black Hat conference and found that 75 percent of those responding (the vast majority were white hat hackers but there was a percentage of black hat hackers answering the survey, as well) said that no password is safe from hackers. Or the government, for that matter, they added. And half would be more than willing to step in and crack a password if paid for their services, but it wouldn’t be cheap, as eSecurity Planet pointed out:
Eighteen percent of respondents would do so for less than $1 million, 10 percent would do it for $1 million to $50 million, and another 23 percent would be willing to hack the iPhone for $50 million to $100 million or more.
So, the hackers may force the government or a company to sell its soul to crack a password – and I have no doubt they’d be able to do it – but they also provided tips that would make their job more difficult, such as limiting administrative access to accounts and better privileged access account management. But here’s the one that jumped out at me: Protect user passwords with security best practices. In a CIO article, Joseph Carson, a Certified Information Systems Security Professional (CISSP) and head of Global Alliances at Thycotic, said that changing behavior regarding passwords is difficult, adding:
[W]hen you are ready to secure end-user passwords, look for solutions that enforce your security policy for password strength and the frequency of password changes, and also provide easy and secure password resets — regularly requiring employees to change their workstation passwords will undoubtedly mean calls to the help desk when new passwords are forgotten.
However, not everyone is sold on the idea of changing passwords frequently. In fact, the chief technologist at the Federal Trade Commission said doing so could be problematic for security efforts overall. The reason? Forced password changes can lead users to fall back on easier passwords that they can remember, and easier passwords are easier to crack. Research on the topic, Ars Technica reported, found that users who are required to change their passwords regularly make very small changes to the initial password, such as switching which letters are capitalized or adding a number. This small switch is called a transformation, and, the article continued:
The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.
So what are we to do? Adding authentication levels would help, since that would require hackers to crack more than just a password. Avoiding transformations in password changes would also help, but best security practices need to include some way to securely manage passwords (online password managers aren't an option for everyone). I don't think there is an easy answer, but it does hit home that the password has long passed its usefulness as a security tool.
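One concrete way to act on "avoiding transformations" is to have the password-change path itself reject a new password that is only a predictable edit of the old one. The script below is an added example written for this article, not code from Thycotic, the FTC or the researchers Ars Technica covered. It checks for the two edits the article names (changing capitalization, adding a number) and also, as my own assumption about what a sensible policy should cover, leet-style symbol substitutions and any change within a small edit distance. The password pairs at the bottom are constructed samples.

```python
import re
from typing import Optional

# Common symbol-for-letter substitutions (assumed list, not from the article).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to its 'core' by undoing the cheap edits users make:
    lowercase it, strip leading/trailing digits or symbols (e.g. '2016!'),
    then map leet characters back to letters."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)  # drop affix digits/symbols
    return s.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def trivial_change(old: str, new: str, max_edit: int = 2) -> Optional[str]:
    """Return a reason string if `new` is a predictable transformation of
    `old`, or None if the change looks genuine. Checks run from the most
    specific to the most general; the edit-distance test is the backstop
    for anything the normalization step does not catch."""
    if new == old:
        return "identical"
    if new.lower() == old.lower():
        return "case change only"
    core_old, core_new = normalize(old), normalize(new)
    if core_new and core_new == core_old:
        return "only affix or leet substitution changed"
    d = levenshtein(old.lower(), new.lower())
    if d <= max_edit:
        return f"edit distance {d} (max {max_edit})"
    return None


def check_password_change(old: str, new: str) -> bool:
    """Policy hook: True if the change is acceptable, False if it should be
    rejected because it is a trivial transformation of the old password."""
    return trivial_change(old, new) is None


if __name__ == "__main__":
    # Constructed sample pairs (old password, proposed new password).
    samples = [
        ("Tiger1", "tiger1"),
        ("P@ssw0rd", "Password"),
        ("Summer2016!", "Summer2017!"),
        ("Welcome1", "1Welcome"),
        ("Bluewhale", "Bluewhales"),
        ("Bluewhale7", "purple-cat#9"),
    ]
    for old, new in samples:
        verdict = trivial_change(old, new)
        status = "REJECT" if verdict else "accept"
        print(f"{status:6} {old!r} -> {new!r}: {verdict or 'not a trivial transformation'}")
```

The plain-text comparison only works at the moment the user submits both the old and the new password over the change form; a server that stores only hashes cannot run it retroactively, which is one reason this check belongs in the reset flow rather than in a later audit. The `max_edit` threshold is a tuning knob: raising it rejects more near-duplicates but also more legitimate changes to short passwords.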
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.