Despite the world’s best efforts to get everyone off passwords and onto something else (e.g., MFA, passwordless authentication, biometrics, zero trust, etc.) for decades, passwords have pervasively persisted. Today, nearly everyone has multiple forms of MFA for different applications and websites AND many, many passwords.
The average person has somewhere between three to seven unique passwords that they share among over 170 websites and services. Here are some related links to similar statistics:
- The average person has 19 passwords – but 1 in 3 don’t make them strong enough - Naked Security
- The average employee manages nearly 200 passwords - Dark Reading
- Password security habits survey results - Digital Guardian
- Average number of passwords per person - Answers.com
- The average business user has 191 passwords - Security Magazine
And, unfortunately, those passwords often get stolen or guessed. This is why I recommend the following password policy guide:
Most computer security experts agree with these policy recommendations, but more than a few readers might be shaking their heads, especially at the recommendations to use 20+ character passwords/passphrases. Why in the world would anyone need a 20+ character password to protect against password hacking attacks?
Major Categories of Password Attacks
In general, password attacks fall into four different major categories:
- Password theft
- Password guessing
- Password hash theft and cracking
- Unauthorized password resetting or bypass
Each will be expanded on below.
Theft of passwords is by far the most prolific type of password attack, usually by social engineering of some type, but it can also be due to malware and hacking tools. The most common theft method is a traditional phishing email where the sender is pretending to be some organization that the potential victim has a relationship with, which contains a message and link prompting the user to type in their real login name and password. Here is a common example pretending to be from Zoom telling me my Zoom service (which I use frequently) has been suspended:
The sender’s email address and the URL link I would have to click are clearly not from Zoom.com, as it would be if the email was legit.
Today, most malware looks for and attempts to steal as many passwords as it can. If the victim gets tricked into running malicious content, the malware will look in many areas to find and steal the user’s passwords, including:
- Device memory
- Browser password caches and storage areas
- On storage disks
- As typed in by the user
- Extracting them from running programs and processes
If hackers can get access to the victim’s device or network, they will often run password-stealing utilities to extract or eavesdrop on passwords. Here is an example of a hacker tool known as Responder being used to capture a password hash transmitted by a victim viewing or clicking a malicious phishing email with an embedded secret link, which unbeknownst to the user, starts a behind-the-scenes login session.
The hacker gets the password hash from the surreptitious login session, which he then converts to a plaintext password (covered more below). If you are interested in learning more and seeing a demo of this sort of attack, see my article on the subject on CSO Online.
Another way hackers get user passwords is by compromising websites and services that a user authenticates to. The average user logs into over 170 different websites and services in a given year, and each of those websites and services is a potential take-over target for hackers. Oftentimes, no one knows the website/service has been compromised and the passwords stolen until many months to years later. Because most users share the same passwords among multiple unrelated websites and services, it allows one compromised password to more easily lead to further compromises of other websites and services that the user belongs to.
And sadly, sometimes all you have to do is ask for someone’s password. Although not nearly as common as other techniques, hackers can also call or ask a victim in person what their password is. If you think that no one would reveal their password to a complete stranger, you would be incorrect. Watch this clip from Jimmy Kimmel Live of complete strangers asking other complete strangers for their passwords on a public street in Hollywood. It would be only funny if it wasn’t so tragically true.
In general, many tens of millions of passwords are stolen, one way or another, from end users each year. Stolen passwords often end up in public or private file or database repositories, where they can be offered for sale or even queried for free by anyone.
Passwords can also be guessed. All the attacker needs is an accessible login portal the victim can log into with a login name and password, and the ability to guess multiple times over a long period of time. Then, the attacker manually guesses or uses an automated password guessing tool. The shorter and simpler the password, the easier it is to guess. If the involved login portal does not have “rate throttling” or “account lockout”, an attacker can guess a dozen to thousands of times a minute.
Since most user’s passwords are less than 12 characters long and not perfectly random, most of those types of passwords can be broken days to a few months. The average home user rarely changes their password, and most business passwords are only changed once every 90 to 365 days. If an attacker can be given unfettered and unmonitored access to a login portal, they can often keep guessing until they are successful.
One Internet-based company, Akamai, said they saw 61 billion password guessing (e.g., password stuffing) attacks in just 18 months.
Password Hash Theft and Cracking
Another popular password attack is password hash cracking. In most modern-day operating systems, any typed in password is transformed by a cryptographic hash algorithm into a representative hash of the password (i.e., password hash). Here are some example password hashes of the word ‘frog’ using a handful of hash algorithms supported by popular operating systems:
A user’s password hash is stored in password authentication databases that the operating system uses to authenticate the user. If an attacker can retrieve a user’s password hash, however they do this, they can guess at (i.e., crack) the password hash by comparing it to a bunch of possible passwords that have already been pre-computed to their hash. This is known as password hash cracking.
Password hash cracking is done externally to the user’s login system. The hacker does not need to be on the victim’s network, and rate throttling and account lockout cannot be implemented to slow down the guessing. Attackers with the appropriate password hash cracking hardware (called password hash cracking rigs), can guess up to many tens of trillions of passwords per second. With that sort of speed, very few passwords below 20 characters will be able to withstand the attack.
It is well-known that within the password hacking community, that “normal” human created passwords up to 18 characters are routinely broken in real-world attack scenarios in days to weeks. However, if the password is truly random, something like what a password manager program could create, then the perfectly random password needs to only be 11-12 characters long to withstand all known password guessing and cracking attacks.
Unauthorized Password Resetting or Bypass
Another common password attack is for a hacker to utilize a method which resets the user’s password or simply bypasses it altogether. Most popular large authentication systems allow users to self-reset their own passwords. These are needed because one of the most popular support calls is a user forgetting or needing to reset their password. Password calls to tech support are so common that if they were all handled by a human, it would require significantly more resources and money than the involved organization has to spend. So, many/most organizations create or enable a self-help portal that the user can use to reset their password. Unfortunately, hackers know about these two and will use various tricks to reset the user’s password without the user’s permission.
How the hacker is able to do this varies by authentication system and self-help reset portal, but just know that millions of passwords are reset each year by attackers. The hacker then takes over the account (known as account takeover), changes the user’s password again, and begins using the account in an unauthorized way. Many times, the user is unable to recover the account and it is lost to the hacker forever.
In summary, passwords are compromised by the many tens of millions each year, using password theft, guessing, hash cracking and unauthorized password resetting.
Password Attack Defenses
The password attack defenses can be summarized by the following, in order of importance:
- Use phishing-resistant MFA whenever possible
- Mitigate social engineering to prevent password theft
- Use a different, non-guessible password for each site and service
- Use a password manager wherever you are able to allow perfectly random passwords to be created and used, without the user having to create or re-type them
- Where a password manager cannot be allowed, users should create long and/or complex passwords or passphrases, different for each site and service
- All passwords should be changed, at least annually
There are dozens of other good password attack mitigations which should be implemented by users and administrators.
If you can use phishing-resistant multifactor authentication (MFA) instead of a password, try to do that. A hacker cannot steal, guess or bypass your password if you do not have one. It is key to use phishing-resistant MFA whenever possible. Most MFA is easily bypassed by simple phishing attacks, which negates most of the reason for moving from passwords to MFA. For more information, read the following articles:
- Don’t Use Easily Phishable MFA and That’s Most MFA!
- My List of Good, Strong MFA
- Why Is the Majority of Our MFA So Phishable?
Unfortunately, most sites and services do not yet support MFA and users will continue to have to use login names and passwords across more sites and services than MFA can help with. The single best tactic a user can do to prevent password hacking (after using MFA) is to prevent being socially engineered, however that is accomplished. It takes a good, defense-in-depth combination of policies, technical defenses and end-user education to best prevent social engineering. This webinar, Stay Out of the Net: Your Ultimate Guide to Phishing Mitigation lists an inclusive list of anti-phishing defenses. If you prefer reading the same information, it can be found in this Comprehensive Anti-Phishing Guide e-book.
There is no other single defense that does more to prevent password theft than to mitigate social engineering and phishing.
The second-best thing a user can do is to make sure they use different passwords for every site and service. This prevents one compromised password from more easily allowing additional compromises to other sites and services used by the user.
A perfectly random 11-12-character password, like those created and used by password manager programs, is considered unguessable and uncrackable by any known password guessing attack (i.e., strong passwords can still be stolen). Humans have a hard time creating and using perfectly random passwords, especially when a different one is needed for every site and service. For that reason, every user should use a password manager program when possible. In a perfect scenario, the only password the user would have to create, remember and use, would be the passwords/passphrases needed to log into their device(s) and their password manager program. The password manager program would handle all password logins after that.
If you are not familiar with password manager programs or are unsure of which password manager program to use, Wired Magazine has a great article on password managers.
In closing, password attacks are very common and one of the highest cybersecurity risks to any user and organization. Most password attacks happen because a user’s password (or password hash) is stolen or guessed. Users can follow a handful of defenses to significantly reduce the risk of being the victim to a successful password attack. Users who follow the password defense recommendations above are far less likely to be hacked because of their password; and vice-versa.