According to various studies, most people use the same few passwords for all of their accounts, most of those passwords are weak, and many people do not realize how weak they are. Reusing the same two or three passwords across many accounts is like having one key that opens your house, your car and your office, and leaving it under the front doormat: once a thief finds it, little further effort is needed to get into everything.
In this post, I describe the typical home user system for managing passwords and how attackers exploit this system.
The Usual Way to Manage Passwords
Many home users manage their passwords something like this:
- For accounts that are unimportant (forums, news sites, etc.), the same password is used for all of them. This password is likely to be a short, easily remembered word or name, perhaps followed by a single digit.
- For accounts that are somewhat important (Gmail, Facebook, etc.), this same weak password may be used, or perhaps a moderately stronger password that is a little longer and has one or two digits or symbols thrown in. But again, the same password is used for a number of different sites.
- For accounts that involve finance or commerce (banks, brokerage, e-commerce, etc.), most people are more cautious. Some people use (what they believe to be) a stronger password for all of their finance sites, while others may have a separate strong password for each financial site, keeping track of the passwords with a password protected spreadsheet or on a piece of paper.
It is possible my description is too optimistic: 33% of participants in a Sophos study indicated that they use the same password for every site, and only 19% indicated using a different password for every site. Two-thirds of respondents to a 2010 Consumer Reports survey used some variation of the same password or personal identification number for all or most of their accounts. Bruce Schneier's analysis of actual leaked passwords indicates that many are weak.
What’s Wrong with the Usual Way to Manage Passwords
The key weakness is the use of the same password for many accounts. There are many ways to capture a password, and once an attacker has the password to one account, it can be tried on every other account that uses the same password. Worse, an attacker who gets into your e-mail account can usually harvest additional passwords from it. In my opinion, e-mail accounts should be protected with even greater diligence than your financial accounts, because they have fewer layers of safeguards and because an attacker can use information in old e-mails, and the password-reset links that other services send to that address, to gain access to other accounts.
How Attackers Exploit a Weak Password System
Here is an example to illustrate how typical password management fails:
Your name is John Doe. You use the strong password Fm18bIgaP911.$bIli! for all of your e-commerce, banking and finance accounts and paid subscriptions, including JohnDoe@chase.com and JohnDoe@burghound.com. You use the weaker password John123 for everything else, including your Gmail account JohnDoe@gmail.com.
One day, the user list for superduperfastcars.com is stolen. You posted three messages there two years ago, then lost interest and forgot all about it. The site stored its passwords as plain, unsalted hashes (a rainbow table is useless otherwise), so the attacker runs the whole dump against a precomputed rainbow table and recovers over 70% of the passwords, including your easily guessed John123. Note that hashes are not decrypted: they are matched against hashes of candidate passwords computed in advance, which is exactly what a random per-user salt and a slow, iterated hash would have prevented.
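The cracking step above, as an added example that is not part of the original post. It builds a precomputed hash-to-password table from the predictable mangling rules the post describes (a name or word, capitalised, followed by a few digits), runs it against a constructed user list that stores unsalted MD5 digests (the storage scheme is an assumption standing in for superduperfastcars.com), and then shows that the same table is worthless against a salted, iterated hash, where the attacker must redo the slow work per candidate and per user. All usernames, hashes and wordlist entries are constructed for this example.

```python
"""Cracking a leaked table of unsalted hashes with a precomputed table, and why
per-user salts plus a slow hash defeat that table. All data is constructed."""
import hashlib
import os


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed stand-in for the stolen superduperfastcars.com user list. The
# digests are unsalted MD5 (an assumption about how the site stored them),
# computed here from chosen plaintexts so the example runs offline.
LEAKED_UNSALTED = {
    "jdoe":     md5_hex("John123"),
    "carguy99": md5_hex("Mustang1"),
    "speedy":   md5_hex("corvette"),
    "admin":    md5_hex("Fm18bIgaP911.$bIli!"),  # the strong one: should survive
}

# A real rainbow table compresses this lookup into hash chains; a plain
# hash -> plaintext dictionary makes the same point: the work is done once
# and reused against every unsalted dump the attacker ever obtains.
BASE_WORDS = ["john", "mustang", "corvette", "password", "ferrari"]


def candidates(words):
    """The predictable mangling the post describes: a word or name, as typed,
    Capitalised or UPPERCASED, optionally followed by one to three digits."""
    for word in words:
        for form in (word, word.capitalize(), word.upper()):
            yield form
            for digits in range(1000):
                yield f"{form}{digits}"


def build_table(words):
    return {md5_hex(pw): pw for pw in candidates(words)}


def crack_unsalted(leak, table):
    """One dictionary lookup per user; the cost does not grow with the user count."""
    return {user: table[digest] for user, digest in leak.items() if digest in table}


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_record(password: str, iterations: int = 100_000):
    """How the site should have stored the password: random per-user salt and
    an iterated hash. Returns (salt, digest) as it would sit in the database."""
    salt = os.urandom(16)
    return salt, pbkdf2(password, salt, iterations)


def crack_salted(salt: bytes, digest: bytes, words, iterations: int):
    """No precomputed table applies: the attacker must redo the slow hash for
    every candidate, and redo all of it for every user because salts differ.
    Returns (recovered password or None, number of PBKDF2 evaluations spent)."""
    attempts = 0
    for attempts, pw in enumerate(candidates(words), start=1):
        if pbkdf2(pw, salt, iterations) == digest:
            return pw, attempts
    return None, attempts


if __name__ == "__main__":
    table = build_table(BASE_WORDS)
    hits = crack_unsalted(LEAKED_UNSALTED, table)
    print(f"unsalted: {len(hits)}/{len(LEAKED_UNSALTED)} cracked -> {hits}")
    # Low iteration count only so the demo finishes quickly; use far more in practice.
    salt, digest = make_salted_record("John123", iterations=1000)
    print("salted digest found in table:", digest.hex() in table)
    print("salted brute force (password, work):", crack_salted(salt, digest, ["john"], 1000))
```

Three of the four constructed accounts fall to the table, the strong password does not, and the salted record is never in the table at all; the weak John123 is still recoverable from the salted record, but only by paying more than a thousand iterated hash computations for that one user, a cost that repeats for every other user in the dump.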
The attacker then feeds the stolen user information and cracked passwords into a credential-stuffing tool that automatically tries to log in to Gmail, Yahoo Mail and Hotmail. One of the combinations it tries is the user's first and last name with the recovered password: JohnDoe@gmail.com with password John123. This one logs in.
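The same step seen from the webmail provider's side, as an added example that is not part of the original post and goes a little beyond it: a stuffing tool walking a leaked list leaves a distinctive trace in authentication logs, many distinct usernames from one source in a short window with very few successes, and that is what the check below looks for. The log format (timestamp, source IP, username, OK/FAIL) and the sample lines are constructed for this example; the thresholds are starting points, not tuned values.

```python
"""Spotting a credential-stuffing run in webmail authentication logs.
The log format (timestamp, source IP, username, OK/FAIL) and the sample
lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 walks handles built from leaked forum names
# (johndoe, john.doe, jdoe, ...) with the cracked passwords; the other
# addresses are ordinary users retrying their own accounts.
AUTH_LOG = """\
2010-05-03T08:00:01Z 203.0.113.7 johndoe@example.com FAIL
2010-05-03T08:00:02Z 203.0.113.7 john.doe@example.com FAIL
2010-05-03T08:00:02Z 203.0.113.7 jdoe@example.com FAIL
2010-05-03T08:00:03Z 203.0.113.7 carguy99@example.com FAIL
2010-05-03T08:00:03Z 203.0.113.7 speedy@example.com FAIL
2010-05-03T08:00:04Z 203.0.113.7 johndoe@example.com OK
2010-05-03T08:00:05Z 203.0.113.7 mustangfan@example.com FAIL
2010-05-03T08:01:10Z 198.51.100.20 alice@example.com FAIL
2010-05-03T08:01:15Z 198.51.100.20 alice@example.com OK
2010-05-03T09:30:00Z 192.0.2.9 bob@example.com OK
"""


def parse_line(line: str):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def find_stuffing(log_text: str, window=timedelta(minutes=5),
                  min_users: int = 5, max_success_rate: float = 0.5):
    """Flag a source IP if, inside any `window`, it tries at least `min_users`
    distinct usernames and few of them succeed. A legitimate user retries one
    account; a stuffing tool walks many. Returns per-IP details including the
    accounts that did log in, which are the ones to lock and reset."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, hit = 0, None
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            ok_users = sorted({u for _, u, ok in span if ok})
            if len(users) >= min_users and len(ok_users) / len(users) <= max_success_rate:
                hit = {"distinct_users": len(users), "attempts": len(span),
                       "compromised": ok_users}
        if hit:
            flagged[ip] = hit
    return flagged


if __name__ == "__main__":
    for ip, details in find_stuffing(AUTH_LOG).items():
        print(ip, details)
```

On the sample, only 203.0.113.7 is flagged: six distinct usernames in seven attempts within a few seconds, one of which (johndoe@example.com) succeeded and needs a forced reset. Alice's failed-then-successful retry of her own account never crosses the distinct-user threshold, which is the property that keeps this check from paging on ordinary typos.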
Next, the attacker searches Gmail for “password.” Many online services automatically e-mail you a user name and password upon sign up. Sure enough, two passwords are found among a number of such e-mails: John123 and Fm18bIgaP911.$bIli!. The stronger password was in a confirmation e-mail you received from burghound.com upon registering for this paid service several years ago.
Now the attacker has your two passwords and can log in to all of your accounts that were discovered in your Gmail archive. Here are some examples of what the attacker can do with this information:
- Transfer funds out of some of your financial accounts
- Copy your contacts’ e-mail addresses into a spam mailing list.
- Send a message to all of your contacts to ask for emergency money to be wired
- Send a message to all of your contacts discussing a really cool site – just click on this link (and if they do, malware is installed)
- Use the information obtained to try to break into your employer's network by testing your password against your work account.
The well-known Twitter hack of 2009 had many elements in common with this example. An even simpler attack is to capture e-mail login credentials when someone logs in over an open WiFi hotspot without TLS (HTTPS) protecting the session.
All it takes to limit the damage from these kinds of attacks is a different password for each account: a breach at one site then compromises only that site. If the Sophos survey is accurate, only one in five people do this. Most people cannot remember more than a few passwords, so any workable approach to password management must take this into account.
Note that attackers know the common password practices well and build their tools around them, both the mangling rules used when cracking hashes and the username-and-password combinations tried during automated logins. So an approach that does not follow those predictable patterns is, in and of itself, a good defense. Using a password manager to generate and store a long, random, unique password for each site is currently one such approach.