The Usual Way to Manage Passwords and How Attackers Exploit it

According to various studies, most people use the same few passwords for all of their accounts, most of these passwords are weak, and many people don’t realize how weak their passwords are. Using the same 2 or 3 passwords for many accounts is analogous to storing all of your keys under the outside doormat of your locked front door – it doesn’t take much effort for a thief to have access to everything.

In this post, I describe the typical home user system for managing passwords and how attackers exploit this system.

The Usual Way to Manage Passwords

Many home users manage their passwords something like this:

  • For accounts that are unimportant (forums, news sites, etc.), the same password is used for all of them. This password is likely to be a short, easily remembered word or name, perhaps followed by a single digit.
  • For accounts that are somewhat important (Gmail, Facebook, etc.), this same weak password may be used, or perhaps a moderately stronger password that is a little longer and has one or two digits or symbols thrown in. But again, the same password is used for a number of different sites.
  • For accounts that involve finance or commerce (banks, brokerage, e-commerce, etc.), most people are more cautious. Some people use (what they believe to be) a stronger password for all of their finance sites, while others may have a separate strong password for each financial site, keeping track of the passwords with a password protected spreadsheet or on a piece of paper.

It is possible my description is too optimistic: 33% of participants in a Sophos study indicated that they use the same password for every site, and only 19% indicated using a different password for every site. Two-thirds of respondents to a 2010 Consumer Reports survey used some variation of the same password or personal identification number for all or most accounts. Bruce Schneier's analysis of actual passwords indicates that many are weak.

What’s Wrong with the Usual Way to Manage Passwords

The key weakness is the use of the same password for many accounts. There are many ways to capture a password, and once an attacker has the password to one account, it unlocks every other account that uses the same password. Even worse, an attacker who gets into your e-mail account can harvest additional passwords from old messages and can request password resets for your other accounts, since the reset links are delivered to that mailbox. In my opinion, e-mail accounts should be protected with even greater diligence than financial accounts, because they have fewer layers of safeguards and an attacker can use information in old e-mails to gain access to other accounts.

How Attackers Exploit a Weak Password System

Here is an example to illustrate how typical password management fails:

Your name is John Doe. You use the strong password Fm18bIgaP911.$bIli! for all e-commerce, bank, finance and paid-subscription accounts, including your accounts at chase.com and burghound.com (user name JohnDoe at both). You use the weaker password John123 for everything else, including your Gmail account JohnDoe@gmail.com.

One day, the user list for superduperfastcars.com gets stolen. You posted 3 messages to superduperfastcars.com 2 years ago, then lost interest and forgot all about it. The site stored its passwords as unsalted hashes, so the attacker uses a rainbow table (a precomputed table mapping hashes back to the passwords that produced them) to recover over 70% of them, including your easily guessed John123. Nothing is "decrypted" here: a lookup like this works because every user who chose John123 has exactly the same hash, so the attacker hashes the common passwords once and then simply looks the dump up.
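To make the difference concrete, here is an added example (not code from the original post) that simulates the breach above. It uses a plain precomputed lookup table, which is the simplified form of a rainbow table (a real rainbow table compresses the same precomputation into hash chains, trading storage for recomputation). The site name, user names and passwords are constructed, and the tiny wordlist stands in for the multi-gigabyte lists attackers actually use. The second half hashes the same passwords with a per-user salt and PBKDF2, the scheme the forum should have used, and counts how much more work the attacker has to do.

```python
"""Precomputed-lookup cracking of an unsalted hash dump, contrasted with a
salted, iterated hash. Added example; the leaked site and its users are
constructed, not real data."""
import hashlib
import os

# A tiny wordlist standing in for the multi-gigabyte lists attackers use.
WORDLIST = ["john", "password", "letmein", "summer", "dragon", "mustang", "qwerty", "monkey"]


def candidates(wordlist):
    """Yield the guesses a precomputed table would hold: each word as typed,
    capitalised or upper-cased, with the suffixes the post describes (a
    single digit) plus a few other popular ones."""
    suffixes = [""] + [str(d) for d in range(10)] + ["123", "!", "1!"]
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield base + suffix


def build_lookup_table(wordlist):
    """Hash every candidate once: hex digest -> plaintext. This is the
    simplified form of a rainbow table (a real one stores hash chains
    instead of every digest, trading storage for recomputation)."""
    return {hashlib.md5(c.encode()).hexdigest(): c for c in candidates(wordlist)}


def crack_unsalted(dump, table):
    """dump: {username: md5 hex}. Cracking is one dictionary lookup per user;
    no hashing happens at attack time, so a dump of millions cracks in seconds."""
    return {user: table[h] for user, h in dump.items() if h in table}


def slow_hash(password, salt, iterations):
    """PBKDF2-HMAC-SHA256: the per-user salt defeats precomputation and the
    iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_salted(dump, wordlist, iterations):
    """dump: {username: (salt, pbkdf2 hex)}. The same weak passwords still
    fall, but every guess must be recomputed for every user. Returns the
    cracked passwords and the number of PBKDF2 evaluations spent."""
    cracked, work = {}, 0
    for user, (salt, digest) in dump.items():
        for guess in candidates(wordlist):
            work += 1
            if slow_hash(guess, salt, iterations) == digest:
                cracked[user] = guess
                break
    return cracked, work


# Constructed "breached" user table. The plaintexts exist only to manufacture
# the dumps; the cracking functions above see nothing but hashes.
_SITE_USERS = {"JohnDoe": "John123", "carfan88": "Mustang1", "admin": "Tr0ub4dor&3"}
ITERATIONS = 5_000  # kept low so the example runs quickly; real deployments use far more


def make_unsalted_dump():
    """What superduperfastcars.com leaked: user -> unsalted MD5."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in _SITE_USERS.items()}


def make_salted_dump():
    """What a better-run site would have leaked: user -> (random salt, PBKDF2)."""
    dump = {}
    for user, password in _SITE_USERS.items():
        salt = os.urandom(16)
        dump[user] = (salt, slow_hash(password, salt, ITERATIONS))
    return dump


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(f"unsalted MD5: {len(table)} precomputed hashes ->", crack_unsalted(make_unsalted_dump(), table))
    found, work = crack_salted(make_salted_dump(), WORDLIST, ITERATIONS)
    print(f"salted PBKDF2: {work} evaluations x {ITERATIONS} rounds ->", found)
```

Both runs crack John123 and Mustang1 and fail on the password that is not in the wordlist; the point is the cost column. Against the unsalted dump the table is built once and reused for every user on every site that uses unsalted MD5. Against the salted dump the attacker pays the full guess count per user, and each guess costs thousands of hash rounds, so the same 70% success rate stops being an afternoon's work.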

The attacker then uses software to automatically try the recovered user names and passwords against Gmail, Yahoo mail and Hotmail (this is known as credential stuffing). One combination that is tried uses the first and last name of the user and the password obtained: JohnDoe@gmail.com with password John123. This one actually logs in.
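From the mail provider's side, the attack above has a recognisable shape: one source address trying many different user names in a short time and almost always failing. The following added example (not code from the original post) runs that check over a constructed authentication log; the log format, addresses, user names and timestamps are all invented for the example.

```python
"""Flag credential-stuffing sources in an authentication log. Added example;
the log format and every address, user name and timestamp below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log. 198.51.100.7 replays a leaked password against several
# user-name guesses built from one person's name; one of them works.
SAMPLE_LOG = """\
2011-06-25T03:14:01Z auth src=198.51.100.7 user=John.Doe result=FAIL
2011-06-25T03:14:01Z auth src=198.51.100.7 user=JDoe result=FAIL
2011-06-25T03:14:02Z auth src=198.51.100.7 user=DoeJohn result=FAIL
2011-06-25T03:14:02Z auth src=198.51.100.7 user=JohnDoe1 result=FAIL
2011-06-25T03:14:03Z auth src=198.51.100.7 user=carfan88 result=FAIL
2011-06-25T03:14:03Z auth src=198.51.100.7 user=mustangman result=FAIL
2011-06-25T03:14:04Z auth src=198.51.100.7 user=JohnDoe result=OK
2011-06-25T03:20:11Z auth src=203.0.113.5 user=carfan88 result=FAIL
2011-06-25T03:20:19Z auth src=203.0.113.5 user=carfan88 result=OK
2011-06-25T03:22:00Z auth src=203.0.113.5 user=carfan88 result=
2011-06-25T03:41:00Z auth src=192.0.2.10 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return one dict per well-formed line. Malformed lines (such as the
    truncated one in the sample) are skipped rather than crashing the job."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def find_stuffing_sources(events, min_users=5, max_success_rate=0.5, window=timedelta(minutes=10)):
    """A single source that tries many *different* user names inside a short
    window and mostly fails is stuffing, not a user who mistyped a password.
    For each flagged source, list the accounts it did get into so they can
    be locked and reset. The window check spans each source's whole history;
    a production detector would slide it."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        users = {e["user"] for e in evs}
        span = evs[-1]["ts"] - evs[0]["ts"]
        successes = [e["user"] for e in evs if e["result"] == "OK"]
        if len(users) >= min_users and span <= window and len(successes) / len(evs) <= max_success_rate:
            flagged[ip] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                "compromised": sorted(set(successes)),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} attempts on {info['distinct_users']} accounts; "
              f"force a reset on {info['compromised']}")
```

The legitimate user at 203.0.113.5 who fails once and then succeeds is not flagged, because the rule keys on the number of distinct accounts attempted, not on failures alone. The thresholds are illustrative; the important output is the "compromised" list, which is the set of accounts that need an immediate password reset and a look at recent activity.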

Next, the attacker searches Gmail for “password.” Many online services automatically e-mail you a user name and password upon sign up. Sure enough, two passwords are found among a number of such e-mails: John123 and Fm18bIgaP911.$bIli!. The stronger password was in a confirmation e-mail you received from burghound.com upon registering for this paid service several years ago.
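You can run the same search on your own archive before an attacker does. The added example below (not code from the original post) builds a small mbox file from constructed messages, pulls out anything that looks like a credential echoed back in a sign-up mail, and reports which of the passwords you still use are sitting in the archive. The senders, subjects and passwords are invented; a real run would point `scan_mbox` at an exported mailbox instead of the temporary file.

```python
"""Audit a mail archive for the plaintext credentials the post describes
(sign-up mails that echo the password back). Added example; the messages and
passwords are constructed, and the mbox is built in a temporary file."""
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage

# Matches "password: X", "Password is X", "passwd=X". A phrase like
# "password on the router" has no separator and is deliberately not matched.
CRED_RE = re.compile(r"\bpass(?:word|wd)\b\s*(?:is|:|=)\s*[\"']?([^\s\"'<>]+)", re.I)

# Constructed messages: (from, subject, text body, optional html body)
SAMPLE_MESSAGES = [
    ("support@burghound.com", "Welcome to Burghound",
     "Thanks for subscribing.\nUsername: JohnDoe\nPassword: Fm18bIgaP911.$bIli!\n", None),
    ("noreply@superduperfastcars.com", "Your forum account",
     "Login: JohnDoe\nYour password is John123\n",
     "<p>Login: JohnDoe<br>Your password is John123</p>"),
    ("mike@example.net", "router", "Did you ever change the password on the router?\n", None),
]


def build_sample_mbox(messages=SAMPLE_MESSAGES):
    """Write the constructed messages into a fresh mbox file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    os.close(fd)
    box = mailbox.mbox(path)
    for sender, subject, text, html in messages:
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = sender, "JohnDoe@gmail.com", subject
        msg.set_content(text)
        if html:
            msg.add_alternative(html, subtype="html")  # multipart, like real sign-up mail
        box.add(msg)
    box.flush()
    box.close()
    return path


def scan_mbox(path):
    """Walk every message (multipart included) and pull credential-looking
    strings out of the text/plain parts. Returns one finding per match."""
    findings = []
    for msg in mailbox.mbox(path):
        for part in msg.walk():
            if part.get_content_type() != "text/plain":
                continue
            charset = part.get_content_charset() or "utf-8"
            text = part.get_payload(decode=True).decode(charset, "replace")
            for m in CRED_RE.finditer(text):
                findings.append({"from": msg["From"], "subject": msg["Subject"], "password": m.group(1)})
    return findings


def exposed_accounts(current_passwords, findings):
    """Which accounts still use a password that is sitting in the archive?
    current_passwords: {account: password}. Change those first."""
    leaked = {f["password"] for f in findings}
    return sorted(acct for acct, pw in current_passwords.items() if pw in leaked)


if __name__ == "__main__":
    path = build_sample_mbox()
    found = scan_mbox(path)
    for f in found:
        print(f"{f['from']!s:35} {f['subject']!s:22} -> {f['password']}")
    print("rotate:", exposed_accounts({"gmail": "John123", "chase.com": "Fm18bIgaP911.$bIli!",
                                       "work": "x7!Qm2#vLp9"}, found))
    os.remove(path)
```

Two things the scan makes visible that the search box does not: the strong password is just as exposed as the weak one once it has been mailed in the clear, and any account still using either of them is already compromised the moment the mailbox is. Deleting the old messages afterwards helps only a little; the password itself has to change.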

Now the attacker has your two passwords and can log in to all of your accounts that were discovered in your Gmail archive. Here are some examples of what the attacker can do with this information:

  • Transfer funds out of some of your financial accounts
  • Copy your contacts’ e-mail addresses into a spam mailing list.
  • Send a message to all of your contacts to ask for emergency money to be wired
  • Send a message to all of your contacts discussing a really cool site – just click on this link (and if they do, malware is installed)
  • Use the information obtained to try to break into a corporate network, by testing your password on your work account.

The famous Twitter hack of 2009 had many elements in common with this example. An even simpler attack is to capture e-mail login information as someone logs in over an open WiFi hotspot, which works whenever the login page or mail session is not protected by TLS encryption.

All it takes to limit the damage from these kinds of attacks is to have a different password for each account. If the Sophos survey is accurate, only 1 in 5 people do this. Most people cannot remember more than a few passwords, so any approach to password management must take this into account.

Note that attackers are well aware of common password practices (a name or dictionary word followed by a digit or two, the same password on every site) and tune their tools to them, whether the attack is automated or manual. So if the approach you take to password security is unusual, that in and of itself is a good defense. Effective use of a password manager, which gives every account a long random password you never have to remember, is currently one such approach.

Filed in category: Password management.

3 Comments

  1. June 27, 2011 at 9:04 AM

    “Many online services automatically e-mail you a user name and password upon sign up…”

    Once upon a time I tried to encourage people to complain to services that use this technique for communicating passwords that this wasn’t very considerate of their users’ privacy.

    I now think that’s a waste of time and effort, since (1) there are too many clueless service providers involved and (2) the responses I get to the complaints I send read ‘thank you ever so very very much for your concern blah blah bland reassurance’ but look to me like boilerplate that suggests that what they’re really saying is ‘oh, look, another paranoid nutter, la, la, la, not listening!’ with their fingers in their ears.

    You can lead a fool to water, but you can’t make him drink.

  2. June 27, 2011 at 9:45 AM

    Interesting to hear of your experience, Colin. It’s almost understandable that a forum site would do this. What I find especially disappointing is e-commerce: I’ve had more than one paid service site send a confirmation e-mail with my user name and password in the clear. I guess most sites act like most consumers: don’t worry about security until the first time you get hacked.

  3. Stuart
    August 11, 2011 at 12:45 PM

    In line with Colin's experience, I've had a similar experience of a corporation's indifference to a legitimate security concern; particularly from a very large credit card and bank system. It concerned their "limit" of password length and characters. I contacted several different contact points throughout the organization to express my concern in lack of security and was given the runaround throughout the entire ordeal. I ultimately was dismissed as overly concerned, though their limitation only allowed up to 8 characters and only one or two "approved" special characters. It's been a few years so they probably have changed on the advice of "professional recommendation", but I am reluctant to trust that group any longer due to their inattention.