
The attack on the towers of the World Trade Center on September 11, 2001 claimed the lives of 658 employees of the financial company Cantor Fitzgerald. Its head, Howard Lutnick, who lost his sibling that day, faced an unprecedented problem. It was not even that the company's servers, backups included, lay buried under the rubble. The information was partially available, but it was locked behind the accounts of hundreds of dead colleagues. Specialists from Microsoft were called in to help; they used powerful servers for the fastest possible brute-force attack, because the survival of the company depended on access to the data and it had to be ready for the first market opening after the attacks. The cracking could be sped up with the victims' personal data, so Lutnick had to phone relatives and, at the worst possible moment, ask them a series of questions: the wedding date, the name of the college or university, the name of the dog.
This is a brief retelling of perhaps the saddest article about passwords in their entire history, published in the New York Times in 2014. The story shows the two main characteristics of password protection: it creates a pile of problems, and in many cases it still does not work. Passwords are such a bad security concept that the media, security experts and academic researchers have buried them more than once. And yet they are still with us: the password remains the main method of separating the public from the private, and a situation like this, after the funeral, can officially be considered a digital zombie apocalypse.
Today I will try to analyze what is wrong with passwords (the short answer is: everything), what can be done about it, and also share a couple of interesting historical observations.
Everything was bad from the start.
According to Wired magazine, the need for passwords first arose in the construction of shared computer systems based on time-sharing. In the 1960s, when computers were very expensive and took up a lot of space, this was the only sensible way to divide computing power among everyone. Many modern technologies, including the concept of Unix-like systems, trace their roots to the Compatible Time-Sharing System (CTSS), developed at MIT in 1961. In all likelihood, password authentication first appeared there.
When CTSS was being developed, there was a choice between passwords and what are now called security questions, such as the mother's maiden name. The choice in favor of passwords was obvious: they required less memory to store and process. Security mechanisms were absent. In 1966, a bug in the system code somehow swapped the text of the welcome message shown to users with the list of passwords, so every login displayed the passwords of all users. But even earlier, in 1962, one MIT graduate student stole user passwords: he had been allotted only 4 hours of machine time, and this let him use other people's quotas. It was easy to do: any user could request that a file be printed by specifying its name and the name of the user who owned it. Knowing that the password database was stored in the file UACCNT.SECRET belonging to user M1416, the graduate student was able to print the whole database (more recollections of CTSS here).
But it got worse
So what is all the fuss about? The news background over many years has given no hint of any rehabilitation of password protection, but 2016 still stands out for the huge number of password leaks from various popular services. I will list only the main ones:
- Mail.ru, Yahoo and Microsoft: about 300 million passwords in total; the database was most likely collected through phishing.
- LinkedIn: a leak from 2012 has surfaced, with email addresses and unsalted hashed passwords (experts say up to 90% of the passwords can be cracked in three days).
- Tumblr: salted hashed passwords leaked, but the administration of the social network initiated a forced reset just in case.
- Vkontakte: 100 million plaintext passwords, old passwords from 2012; the social network claims it was not a hack.
- Twitter: 32 million passwords, allegedly stolen using phishing and malware.
- Ubuntu Forum: 2 million passwords stolen through SQL injection.
- Dota 2 forum: another 2 million passwords; as with Ubuntu, an unpatched vBulletin installation was attacked. The passwords are hashed and salted, but up to 80% can be cracked.
- Dropbox: passwords reset after a 2012 leak resurfaced. Presumably the account of one of the company's employees was hacked.
- Opera sync: 1.7 million passwords allegedly compromised.
- Rambler: almost 100 million passwords, also dating from 2012.
Passwords are stolen from users, from service owners, and in transit between the two. They are sold on the black market and dumped into open access. Sites are hacked, or phishing is used.
The Have I Been Pwned service by Troy Hunt, a well-known security professional, lets you check whether passwords associated with your email address have appeared in a leak. At the moment it holds databases from 136 resources, and the number of passwords exceeds 1.4 billion.
With high probability, your four-year-old passwords are available on the web in almost clear text. Leaks also hit site owners who at first seemed unaffected: attackers start targeting them, counting on users reusing the same password across different services. Here are some recent examples. GoToMyPC had to reset passwords after reports of hacked accounts for remote desktop access. GitHub had to carry out a similar operation. Mail.ru (and not only it) has to monitor leaks and reset passwords for its services on a regular basis. Did I already mention that passwords are a bit of a problem?
But why?
It's simple: we use passwords that are too simple. A ranking of the most popular passwords is compiled after almost every leak; here is a good example:
123456
password
12345
12345678
qwerty
123456789
1234
baseball
dragon
football
This analysis by WPEngine gives information on typical password lengths: most often 6 to 9 characters, while 11 or more characters are used by less than 5% of users. Simple passwords also hurt server owners. Almost nobody stores the password database in plain text, but the hash of a password like 111111 is quite easy to recognize (more on hashing in plain language here). The LinkedIn leak mentioned above contained only hashed passwords, and it is assumed that most of them can be cracked fairly quickly. Adding a salt (random data) makes a dictionary attack harder, but it does not save you from brute force: when the goal is the password of one specific user, and that password is simple, the attack remains practical.
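To make the difference concrete, here is an added example in Python (mine, not code from the original post): an unsalted database in which common passwords are recognized for all users at once, then per-user salting, and then a deliberately slow KDF, which is what actually raises the cost of a targeted guess. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample of common passwords, the kind the top-10 list above shows.
COMMON = ["123456", "password", "12345", "12345678", "qwerty", "111111"]


def unsalted_md5(pw: str) -> str:
    """Legacy storage: one hash per password, identical for every user who chose it."""
    return hashlib.md5(pw.encode()).hexdigest()


def recognize_weak(stored: dict) -> dict:
    """Defender-side audit of an unsalted database: a table of common-password hashes,
    computed once, maps every matching stored hash straight back to its password."""
    table = {unsalted_md5(p): p for p in COMMON}
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_record(pw: str, salt: bytes = None) -> tuple:
    """Per-user random salt: the same password yields a different hash for every user,
    so one precomputed table no longer covers the whole database."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha256(salt + pw.encode()).hexdigest()


def slow_record(pw: str, salt: bytes = None, rounds: int = 200_000) -> tuple:
    """Salt plus a slow KDF (PBKDF2-HMAC-SHA256). Salting alone does not stop a targeted
    guess at one user's weak password; making each guess cost `rounds` hash
    computations is what raises the price."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


def verify_slow(pw: str, salt: bytes, digest: str, rounds: int = 200_000) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(slow_record(pw, salt, rounds)[1], digest)


if __name__ == "__main__":
    # Constructed user database in the unsalted style of the 2012 LinkedIn dump.
    db = {"alice": unsalted_md5("123456"), "bob": unsalted_md5("111111"),
          "carol": unsalted_md5("correct horse battery staple")}
    print("recognized at once:", recognize_weak(db))
    print("same password, two salts:", salted_record("123456")[1][:16],
          salted_record("123456")[1][:16])
    salt, digest = slow_record("123456")
    print("login ok:", verify_slow("123456", salt, digest),
          "wrong pw:", verify_slow("12345", salt, digest))
```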
But that's not all. According to data from here, about two thirds of users reuse the same passwords across different services, store passwords in clear text (including electronically), and forget passwords, which pushes them toward simpler combinations. According to our data (PDF), about half of users save passwords on their devices in one form or another. A typical password length is 8-12 characters; more than 20 characters are used by only 3 percent of users.
Add to this the active attempts to steal user passwords, both with malware and with phishing. According to the most recent data from the Lab, phishing pages were blocked for 8.7% of users. Clear-text password leaks usually occur as a result of phishing and malware attacks. Malware steals passwords from browsers and targets specific services such as Steam. The typical tactic is to grab everything that is not nailed down, as we will see later.
Against this background, server-side problems, and especially the interception of passwords in transit, do not look so serious. On the server side, the chaos is compounded by the complexity of the infrastructure and operational nuances; recall at least the (since fixed) insecurity of Google's one-time application passwords. Network interception directly affects passwords when they are transmitted in clear text over unsecured channels, but this is becoming rarer and rarer. Decrypting cookies, as in the recently analyzed attack on the 3DES and Blowfish algorithms, remains a purely theoretical exercise, and session hijacking does not directly concern password problems. Man-in-the-middle attacks remain: conditions for them are created both on the user's side and by insecure infrastructure. An example of the latter is unsafe access points.
And what to do?
Let me note right away the attempts to force people to use more secure passwords. First, it will not work. Second, it does not solve the problem of password reuse across different services. Third, a complex password can be compared, to a first approximation, with using a key for an SSH connection: keys are not generated by hand, and in general complex passwords should not be either. The latter is possible with password managers, a perfectly reliable method despite the fact that these services have already been hacked (for example LastPass last year). Alas, it remains a niche tool and is unlikely to become widespread. Biometrics falls into the same category: it has long been clear that in its current implementation (fingerprints on phones, for example) it is only an additional layer of protection alongside a password (an even shorter one than on desktops!).
Unlike password managers, multifactor authentication remains the only mass-market method of protecting user data. Implemented through the phone or through a dedicated app like Google Authenticator or Yandex.Key, this scheme either completely eliminates password reuse or complements the password with a random authorization code. This is very cool, but in this concept one password is replaced by another, which means the possibility of interception remains. Examples of banking malware intercepting authorization codes already exist. I would call this a working but temporary solution to the problem, as are, for example, Microsoft's attempts to limit the use of unsafe passwords at work by using "big data" about leaks and cyberattacks.
But the real future will come when passwords are replaced with data about the user: in 1961 there were not enough resources and memory for this, but now both are abundant. Before the end of this year, Google intends to complete the Abacus project, which identifies the user by behavior. In effect, a large amount of information will be collected about us, from the way we walk to our typing patterns, and on the basis of many such signals it is possible to distinguish an authorized user from the devil knows who.
100% reliability will never happen
Yes, objections can be raised against all the proposed methods, from password managers and two-factor authentication to behavioral analysis and biometrics. Biometrics is bypassed with silicone fingers; password managers get cracked, or the master password gets stolen. Multifactor authentication is bypassed with malware on smartphones and SIM-card fraud (and in the future also by hacking cellular networks). None of these solutions protects completely against phishing; in any case, it will have to be fought separately.
And this, unfortunately, is normal. The golden age of the Internet, when viruses were harmless and hardly anyone broke into email accounts, existed because nobody needed the data stored behind a password. This will not happen again. It should be understood that no method of protection applied by you personally, by your bank or by your email provider gives an absolute guarantee against hacking. The problem with password protection is that, by default, it is fundamentally unsafe, like a fence without a gate. Simply the widespread adoption of two-factor authentication (still a long way off, alas) would significantly reduce the number of successful attacks. As long as the owners of sites, forums and other chat services worry that additional security measures will drive users away, passwords will continue to leak. For now, the rescue of the drowning is the business of the drowning themselves: the user is largely responsible for the security of their own accounts. Only a determined push by one of the market leaders (like Apple with the headphone jack, only more meaningful), followed by the others, can change the situation. And then a bright future will come. And you know what? For all the flaws of today's password protection, it is not at all certain that we will like this future.