Passwords & Human Psychology

The problem with humans is that we want to protect our data but are not willing to make any effort to protect it, a good example is the passwords we choose to protect our data and computers.

A while ago, one of my friends brought me a laptop to get fixed. It was a standard HP laptop running Windows 7, the laptop belonged to his friend’s girlfriend. I turned the laptop on to understand the issue and found the login screen. Since I didn’t know the password, I asked my friend for it. He said even he didn’t know. He made a call to his friend so he could ask his girlfriend for the password.

While he was dialing I asked my friend for the name of his friend whose girlfriend’s laptop it was. He told me a name, which I entered as the password, to my surprise I logged in! Initially, I thought I might need to add some characters like @123, @password, @*, etc. to might get it to work; but it worked just with the name.

The girl used her boyfriend’s name as the password for her laptop. Soon I told my friend to cut the call as I have figured out the password. After that, I started fixing the issues which I think might be the reason for the unexpected behavior of the laptop. While I was in the middle, my friend received a call from the girl who said, “Please don’t open the Pictures folder as it contains her personal images”. Hearing this made me laugh so hard that I was on the floor.

The incident made me realize, even though humans want to protect their data, they are not willing to make any effort to protect it and this is obvious from the passwords we chose. Even after implementing effective and standard encryption techniques, it is common to hear how hackers were able to crack user passwords from the data breach files, all thanks to common passwords! You can find something useful related to password dictionaries and common passwords here and here. Read them, passwords are a very important part of our digital life.

The problem with passwords

Fernando Corbato, the person who invented passwords, in an interview to The Wall Street Journal said that they have become a "kind of nightmare".

Unfortunately it's become kind of a nightmare with the World Wide Web. I don't think anybody can possibly remember all the passwords that are issued or set up. That leaves people with two choices. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager. Either one is a nuisance.

He rightly believes that passwords aren't really high-level security, it is not hard to understand why passwords are vulnerable by nature.

Approximately 90% of the websites use passwords as a mechanism for authentication in one way or another. One of the worst mistakes that users make is using the same passwords for all the sites. Well established multi-billionaire websites companies have sufficient to protect the data in their servers but some small-scale startups might not. Compromise of passwords in the form of data breach put your other accounts to risks. It is good that we have 2 step verification method deployed but, we still need to make sure that the passwords are strong enough. We all are well familiar with the requirements of a strong password. What makes it difficult is to create a strong password for every website and remember them which tempts people to use one password everywhere. LastPass is a great application to be used for password management.

How to Websites store the passwords?

A good website never stores the passwords in an encrypted format, never in plain text. Way back in time, admins used to store encrypted passwords along with their corresponding usernames. So, whenever a user requested access, his provided password was encrypted and matched with the stored entry. But this mechanism had a downside. In the case of a data breach, an attacker just needs to cross-check all the entries with the common passwords. This reveals many usernames along with their passwords. Apart from this, an attacker can use rainbow tables to get the hold of the passwords. In short, a rainbow table is a highly-optimized pre-computed table that maps passwords to hashes. To make things worse for an attacker, admins started to use a new method called salt to store the passwords. What happens here is to create a secure non-secret unique pattern of string. Compare this to the password before storing, a password without using salt will be stored like this:

$ echo -n password@123 | sha1sum8e7152d0eb52c340579f2d70a28eaf1a2c5ba1c5 -

Without salt, this is what would have been stored in the servers. Any user with password “password@123” would have the above entry of hash stored. I hope you don’t have the above example string as a password. If yes, now will be the test time to change it to something better. Now, it is easy to see why having a common password is such a big mistake. With salt, a random string is generated for each user. Assume the string is “random” in this case, then we will get:

$ echo -n randompassword@123 | sha1sum77a610bccfdb1626dc98290366b9f834b03c1225 -

Since the salt is random and unique users with the same password have different entries stored. The purpose of the salt is to make parallel attacks against all hashed passwords useless. This technique also helps protect against the use of rainbow tables. Now we know that salts are important and helpful but what are the characteristics of a good salt. Should prevent the attacker from running a hash against multiple users in the database making parallel attacks and rainbow tables useless. One important part is about storing these salts. You can go over this nice thread of answers in Information Security Stack Exchange for this.

Too much of anything is not good

There are some practices employed by admins that are counterproductive, these include forcing users to change their passwords too frequently which results in users using a set of passwords in cycle making passwords predictable and easy to guess. It is important that users are changing passwords with time, but too frequent is only going to hurt. Another thing is creating a difficult policy and rules for passwords. This includes asking users to have lengthy complicated passwords with a combination of upper and lower case strings, use of symbols, numbers, etc. This forces users to write down their passwords which is another nasty thing to worry about. Making sure that the users are well informed and are aware of good password practices is the best way to keep their data, computers and applications secure. The users themselves are the best defense against any kind of attack and it starts with a strong password.