The Truth About Passwords

Anyone who hasn’t been living off the grid for the last 30 years will know the pain of having to manage numerous complex passwords every day in order to work, shop and socialise in our online world. Most of us take it for granted that this is part of the price we pay – along with our privacy – in order to be a member of modern society. But have you ever stopped to think why it has come to this? The truth is, we are paying the price for failures of IT operations teams in securing this information in the first place.

First, let’s examine the different techniques that an attacker can use in an attempt to obtain your password.

One technique is to try to brute force your credentials online. This entails knowing only the format of your login username, and trying a number of potential passwords one by one until they hit paydirt. With current computing power that can try up to 100 billion passwords per second, this seems like an unstoppable attack. However, this technique is easy to thwart simply by restricting the number of attempts that a user has to get their password right, and locking the account once this is exceeded. So even a relatively simple password (say 6 characters) is safe from this attack, as the time to try every possible combination is blown out by this account lockout feature.

Another technique is social engineering – for example phishing attacks – where a user is tricked into revealing their password. This technique’s effectiveness is completely unrelated to the length or complexity of a password. In other words, having 12-character passwords with symbols and numbers won’t offer any protection.

Apart from these, there are about a dozen other ways to steal passwords, but here’s the thing: they all exploit weaknesses in the way your IT operations teams manage their systems. As an example, let’s look at a technique called credential dumping. This involves a hacker getting their hands on the password database at the heart of your network. This may be on a domain controller, an SQL database, or some other platform.

Once a hacker has an offline copy of this password database (which shouldn’t be storing the actual passwords in cleartext, but hashing them instead), they can attempt brute force attacks like the one described earlier. The difference is that there is no rate-limiting mechanism to lock them out after a few unsuccessful attempts. And because the database contains the credentials of all users on the system, this is like shooting fish in a barrel.
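As an added illustration (not part of the original post), the following Python puts numbers on the online-versus-offline argument above: a salted, deliberately slow hash for the stored credential, a lockout guard in front of it, and the time needed to exhaust a 6-character keyspace with and without that guard. The 100 billion guesses per second figure is the post's; the 5-attempts / 15-minute lockout policy, the 62-character alphabet and the scrypt parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed example: a minimal hashed credential store, an account-lockout
# guard, and the arithmetic behind "online is throttled, offline is not".

def hash_password(password, salt=None):
    """Return (salt, digest) using scrypt, a slow memory-hard KDF (assumed parameters)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def verify_password(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

class LoginGuard:
    """After MAX_ATTEMPTS failures, refuse all logins for LOCKOUT_SECONDS (assumed policy)."""
    MAX_ATTEMPTS = 5
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, salt, digest, clock=time.monotonic):
        self.salt, self.digest, self.clock = salt, digest, clock
        self.failures, self.locked_until = 0, 0.0

    def attempt(self, password):
        now = self.clock()
        if now < self.locked_until:
            return "locked"          # refused without even checking the password
        if verify_password(password, self.salt, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self.failures, self.locked_until = 0, now + self.LOCKOUT_SECONDS
        return "denied"

def seconds_to_exhaust_offline(charset, length, guesses_per_second):
    """Time to try every password of this length when nothing throttles the attacker."""
    return charset ** length / guesses_per_second

def seconds_to_exhaust_online(charset, length, max_attempts, lockout_seconds):
    """Same keyspace when every max_attempts guesses cost one lockout window."""
    return charset ** length * lockout_seconds / max_attempts

if __name__ == "__main__":
    year = 365.25 * 24 * 3600
    print("offline, 100 G/s:", seconds_to_exhaust_offline(62, 6, 1e11), "seconds")
    print("online, lockout :", seconds_to_exhaust_online(62, 6, 5, 900) / year, "years")
```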

So, it comes down to this: system administrators force us to use ever longer and more complex passwords only because they aren’t confident that they can adequately protect their crown jewels – the password database. You could charitably view this as an example of defence in depth. Or you could view it as IT teams mitigating their risks by transferring some of the responsibility to end users, and making their life harder in the process.

What’s your view?