The whole user authentication and passwords experience is really a big problem, and access is not as secure as we would like, particularly to public and consumer services.
The LinkedIn hack back in 2012 resulted in 117 million passwords and email names stolen. Kore Logic (https://blog.korelogic.com/blog/2016/05/19/linkedin_passwords_2016) have recently obtained the list and started to analyse it. As of May 2016 they’ve cracked 65% of the list, and they’ve confirmed that the top six passwords are:
Password    Frequency used
123456      1135936 times
The password 123456 was 5 times more common than the second place one, representing approximately 1 in 50 of the sample! Not good odds.
This illustrates that users of public services (social media) are highly complacent and not in ‘security mode’. It also indicates that LinkedIn (and they’re not alone) don’t really take password security seriously enough, or they would block obvious passwords.
Secondly, consider that there are now compute clusters that can break any 8 character NTLM encoded Windows password in less than 6 hours, by crunching up to 350 billion combinations a second.
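The two points above (providers should block obvious passwords, and an 8-character keyspace falls to a 350-billion-guesses-per-second cluster in under 6 hours) can both be checked with a few lines of code. The following is an added illustration written for this page, not code from LinkedIn, Kore Logic or the magazine. The blocklist contains only the one password the article confirms (123456) plus constructed placeholders, the 12-character minimum is an assumed policy value, and the keyspace estimate uses the 95 printable ASCII characters and the guess rate quoted above.

```python
# Added example: a minimal password policy check of the kind the article
# says providers should apply, plus the brute-force arithmetic behind the
# "8 characters in under 6 hours" claim.

# Constructed blocklist. Only "123456" comes from the article; the others
# are placeholders standing in for a real breached-password feed.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "linkedin"}

MIN_LENGTH = 12  # assumed policy minimum, not a value from the article


def check_password(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed password.

    Rejects anything on the common/breached list (case-insensitive),
    anything shorter than the policy minimum, and digit-only strings,
    which are the first thing a cracking rig tries.
    """
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "on common/breached password list"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if candidate.isdigit():
        return False, "digits only"
    return True, "ok"


def brute_force_hours(length: int,
                      alphabet_size: int = 95,
                      guesses_per_second: float = 350e9) -> float:
    """Hours to exhaust every password of `length` drawn from `alphabet_size`
    symbols at `guesses_per_second`. Defaults: printable ASCII and the
    350 billion/s rate quoted in the article."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / 3600


if __name__ == "__main__":
    for pw in ["123456", "Tr0ub4dor", "correct horse battery staple"]:
        print(f"{pw!r:32} -> {check_password(pw)}")
    for n in (8, 10, 12):
        print(f"{n} chars: {brute_force_hours(n):,.1f} hours to exhaust")
```

Running it shows an 8-character keyspace exhausted in roughly 5.3 hours at the quoted rate, while 12 characters from the same alphabet takes hundreds of millions of hours; length, combined with a blocklist, does far more than forcing a symbol into a short password.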
Ally this with the fact that most people re-use the same password for the multiple services that they subscribe to, and that email addresses (highly publicised strings) are now commonly used for usernames. Unique usernames are not enough. However, using different userids and passwords for different accounts soon becomes unmanageable, and storing all your passwords in online vaults/wallets etc. just seems like ‘putting all your eggs in one basket’.
Some service providers even send customers new passwords in plain text emails. Fortunately, this is a practice that is on a downward trend.
What alternatives do we have? Complex phrase-based passwords are good in theory but susceptible to mis-spelling and too slow to enter. Biometrics have long been touted as the solution but are still not mainstream, because they aren’t as unique as you may think. At a recent panel debate on Cyber Security that I attended the point was made that there were methods of falsifying fingerprint scans, and the removal of a thumb from a victim by attackers is not unknown in serious criminal cases.
There are other two-factor authentication methods – something you have and something you know. Often the ‘something you have’ is a card-based device that generates a code changing by the minute. As long as you steer clear of some RSA algorithms this has always appeared a good solution – until you lose the card. Some solutions send one-time passcodes in SMS messages – great if you’re in an area of good mobile reception, otherwise useless.
Many companies are now taking out cyber insurance to cover the costs of data loss. Loss of reputation, however, is something else again, and it doesn’t really help the consumer/user. In the corporate environment Single Sign-On is a big step forward (speak to NetIQ and TDP if you want to learn more), but what are the solutions for the outside wild world?
What do you think? What are the solutions?
Send your comments to email@example.com or better still add your comments to this short article in the digital edition of the magazine at www.ohmag.net. (To do that you need to register with a username and password of your choice ... just don’t use 123456).
Publish your own opinion?
Is there a subject you feel strongly about (preferably IT related) or some cause or project that you wish to publicise? Then please get in touch. We look forward to hearing from you.
This article was first published in OHM, Issue 33, 2016/2, p31