Dumps of millions of passwords have become distressingly commonplace. And while the services that hold these passwords are ultimately responsible for their security, these dumps also reveal something else. It turns out that humans are extremely bad at creating and remembering passwords. The same simple passwords have dominated these kinds of password dumps for years now, and it doesn’t look like our password etiquette is getting any better with time. So why are we still holding on to the password? In this episode of Checksum, we start digging into how to make the best out of this flawed system, and what a passwordless future might look like.
Transcript of Checksum Episode 10: How Can We Move Past Passwords?
Late last week, a Fortune 500 company announced that an unencrypted S3 bucket was breached, leaking over 4 million encrypted login credentials. It alerted the affected users a week after discovering the breach and urged them to change their passwords.
Ok, that didn’t actually happen, but I imagine you didn’t even bat an eye when I said it. Leaks of personal information, logins, and passwords haven’t just become commonplace. They’ve become expected at this point. While the example we started off the video with didn’t actually happen, there’s a decent chance that something like it will before this actually gets posted. And it’s not just the frequency that’s numbing, it’s the number of people affected.
These breaches have major security implications. So with leaked passwords seemingly a given eventuality, the question becomes, why are we still using them?
Looking at the breaches collected by Have I Been Pwned, the top 10 most recent data sets added range from 582,000 Foodora accounts all the way up to 68 million leaked from Lead Hunter. And that’s nothing compared to the largest breaches in its collection. The three largest all include over 700 million accounts… each. Overall, the breach notification service from Troy Hunt has seen over 9.7 billion accounts get leaked.
Now to be clear, leaks like these are squarely the fault of the company storing that information. Far too often, these come from shockingly bad IT practices, like leaving cloud storage online and unencrypted, or not patching systems in anywhere close to a timely manner. These kinds of things are just waiting to be noticed by people who will exploit them.
The one interesting part of these password dumps is that they do provide some visibility into what passwords people are using. A Turkish computer engineering student actually did an analysis of recent password dumps and dug into the numbers. Looking at over 168 million unique passwords, his analysis found that the most common password was not “abc123”… it was “123456”. One out of every 142 people used that for their password, and it was the most common password in the dataset for each of the past 5 years. Overall, the analysis found that the most common 1000 passwords covered 6.6% of all passwords. So clearly, coming up with passwords remains an issue for people. Overall the passwords were not overly complex either, averaging 9.48 characters per password, with only 12% using a special character.
Back in 2018, Troy Hunt had similarly exasperated findings. He was looking at a breach of 2.3 million plaintext passwords from CashCrate and found that 86% of those, almost 2 million, were using passwords already leaked in other data breaches. Some of these included things like “123456”, “password”, and the ever-creative “qwerty”. But perhaps more interesting, passwords that looked to be fairly unique, longer ones with lots of numbers and special characters, had also already been found in previous breaches.
Hunt’s two takeaways from this: one, it’s incredible that services that have been breached and revealed their terrible password policies still let users set up the same incredibly weak passwords. Two: that having a good password or passphrase doesn’t mean a whole lot if it’s not unique. Sharing that password between sites just increases your chances of having it leaked.
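The two findings above, the dump statistics and the "already leaked elsewhere" check, as an added example that is not part of the episode or of Have I Been Pwned's own code. The dump is a small constructed list; the breach index is built locally but laid out like a SHA-1 range lookup (5-character hash prefix, then suffix) so a signup page never has to send the whole password or hash to whoever holds the breach corpus.

```python
"""Constructed mini password dump plus a signup-time breach check."""
import hashlib
from collections import Counter
from string import punctuation

# Constructed sample dump (not real leaked data); repeats model reuse.
DUMP = (["123456"] * 6 + ["password"] * 4 + ["qwerty"] * 3
        + ["Summer2018!", "letmein", "Tr0ub4dor&3", "dragon",
           "correct horse battery", "iloveyou", "abc123"])

def dump_stats(passwords, top_n=3):
    """Frequency stats in the spirit of the dump analyses quoted above."""
    counts = Counter(passwords)
    total = len(passwords)
    most_common, most_count = counts.most_common(1)[0]
    top_cover = sum(c for _, c in counts.most_common(top_n)) / total
    avg_len = sum(len(p) for p in passwords) / total
    special = sum(any(ch in punctuation for ch in p) for p in passwords) / total
    return {"most_common": most_common, "one_in": round(total / most_count),
            "top_n_coverage": round(top_cover, 3), "avg_len": round(avg_len, 2),
            "special_frac": round(special, 3)}

def build_range_index(passwords):
    """Index SHA-1 hex digests by 5-char prefix -> {suffix: count}.
    Same shape as a k-anonymity range lookup, built here from the
    constructed dump rather than fetched from a breach service."""
    index = {}
    for pw, n in Counter(passwords).items():
        h = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(h[:5], {})[h[5:]] = n
    return index

def breach_count(index, candidate):
    """How often the candidate appears in the index (0 = never seen).
    In a real range query only h[:5] would leave the client."""
    h = hashlib.sha1(candidate.encode()).hexdigest().upper()
    return index.get(h[:5], {}).get(h[5:], 0)

def accept_password(index, candidate, min_len=12):
    """Signup policy: reject anything already seen in a breach, or too short."""
    if breach_count(index, candidate) > 0:
        return False, "appears in breach data"
    if len(candidate) < min_len:
        return False, "shorter than %d characters" % min_len
    return True, "ok"

if __name__ == "__main__":
    print(dump_stats(DUMP))
    print(accept_password(build_range_index(DUMP), "Tr0ub4dor&3"))
```

Note that a "strong-looking" entry such as the constructed "Tr0ub4dor&3" is rejected purely because it is already in the index, which is the point Hunt makes about unique-looking passwords.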
Most of the issues with passwords come down to the old tradeoff of security and convenience. I think most people can realize that using a completely random string of 40 characters for each different online service is the best way to stay secure, but it’s supremely inconvenient. So even relatively savvy users make little bargains with themselves, like reusing passwords they think are secure or coming up with little formulas to create memorable passwords. The problem is, this is still limited by human memory, which can be quite bad.
So the alternative is the password manager, right? You don’t know your passwords to any individual service, other than the one used for the password manager. Maybe it’s two-factor authentication, so that when your password is inevitably leaked, it’s not an immediate gateway to the rest of your identity. Maybe the answer is biometrics? Something you can’t forget or choose to be lazy about?
Password managers are a great way to make the best out of a flawed system. Ultimately, it still puts a single point of failure out there which grants far too much access for a single piece of information. Two-factor authentication is a good start but often sacrifices security for convenience as well, depending on the flawed security of SMS for that second factor in many instances.
Multi-factor authentication is really the only way to think about security going forward. Instead of relying on one or two different signals to authenticate a user, a passwordless system will probably work similarly to the way organizations look at behavioral analytics to detect insider threats. We’ve seen more advanced authentication from major tech companies for a while, taking cues from what financial institutions have looked at for some time. Make one random purchase out of state and you’ll hopefully get a call from your bank to confirm it was you. Similarly, log into a Google account from a different machine and IP address, and you’ll probably get an email asking if that was you.
These are all good steps but they still feel a little ad hoc. Just as micro-segmentation has changed how we think about network security, we need to apply that logic to our online presence. Most networks have given up on a perimeter-only defense of a network, and are now focused on limiting and monitoring east-west traffic, providing little vulnerability and many stages for detection. Zero trust is kind of the name of the game now. If we can extend that mindset to how we secure services to consumers using a variety of signals that are continually monitored and authenticated, we’ll be in a much better security state, without putting an undue burden on people’s memories. With that kind of system, having a single factor leaked won’t be nearly as harmful, and hopefully, the question really will be Have I Been Pwned, rather than When Have I Been Pwned.