I recently read a fascinating article by Thomas Baekdal about why the password “this is fun” is 10x more secure than “JS4!2” – I highly recommend taking a look at it. His point is essentially that passwords need not trade readability and memorability for secureness. But, although the issue of password complexity vs security is interesting, it seems to me almost pointless to address it until we find solutions to larger problems with password use.
Of course, not that I’m the first (or thousandth) to realise this. As is often the case: the relevant XKCD strip.
The fact is that as long as people continue to a) reuse passwords across different services, b) write them down on paper or c) store them in plain-text files on their computers (a lecturer at uni did this), we should worry less about the inherent security of a password and more about how likely it is that someone will get their hands on it without even having to run any brute force attacks.
To Baekdal’s credit his whole point seems to be that a memorable pass-phrase should negate points b) and c) – but it does nothing to prevent people reusing passwords for different websites, meaning that an XKCD-style plan of acquiring one password and signing in to other websites with the same email/password combination could still succeed.
So what if we lived in a world where noone ever reused passwords? What could an evil genius do to acquire login details for a person’s entire online presence? I had a vision of an evil plan to do just that.
Step 1: Create a website and attract people
Preferably, create something you’re not going to have to spend a long amount of time maintaining. That could mean outsourcing your content. I leave that step up to you – how about scraping the link to the top video on YouTube every day and embedding in on www.BestTube.com? Bam, instant 10,000 hits a day. Then spam the appropriate sources – Digg, YouTube comments, whatever.
Step 2: Force users to sign up and log in
Take a business tip from the drug dealers: make the first link free and all subsequent hits require an account. Make signing up as easy as possible! This is valid advice in any walk of web development, but doubly so for our nefarious purposes: we want as many people to sign up as possible. Store the date they joined – that’s important. Also important: do not allow the user’s browser to store their password for them. You’ll notice that online banking already does this – just set AutoComplete to false on your form.
Step 3: Force login failure
Maybe 2 weeks after the user’s signup, start failing their login attempts.
Now if I know people (and I’ve met a few) this will result in Bob retyping the same password once, maybe twice, then switching strategy and trying every other password he knows. Because “Hey, I must have used a different password”. So he types “bob1”, but that results in a login failure too. Huh, maybe “hello1bob”? Failed again. And here comes the crux of the evil plan:
Step 4: Store every password attempt
We now store every password variation which Bob attempts to sign in with.
A certain amount of subtlety comes into play here depending on how quickly you want your results, if you actually care on retaining your users, and whether you care about being found out. Assuming you’re in it for the long haul and you’re clever enough to realise you don’t want to spook your users, you might want to limit the amount of users who you do this to – maybe only target 1 in 5 of your users for this treatment. And maybe only fail the first 4 login attempts, and let the 5th password work (no matter what it is).
By the 5th attempt Bob will very likely click the “Forgot your password?” link (if there is one) anyway. Again, depending on your goals you may want to completely avoid implementing “Forgotten Password” functionality, thereby forcing the user to just keep trying passwords until they give up. You’ll maximise the number of passwords in the short term, but you’ve lost any chance of keeping the user on a long-term basis.
Step 5: Do evil things with those passwords!
Assuming a website attempted this approach, they would then have a nice list of email addresses, each of which had an associated list of passwords which the user regularly used. The evil individual behind this could now run a smarter brute force attack on common websites with a much smaller list of potential passwords – leading, I bet, to a much higher hack success rate.
This whole technique is known as phishing, though typically this sort of approach is done through website forgery and not forcing login failures. Unfortunately I have a feeling this could be a very successful method of hoarding someone’s passwords. In all likelihood, this is already happening, so it’s worth discussing out in the open.
There are a few things we can do to prevent this:
- Only sign up for trustworthy websites.
If a website smells fishy, Google it! You’re very likely to get a good indication of whether this site is all it seems to be within the first 10 hits. If you really have to log in, use a temporary email address and a password you’ve never used before or will ever use again.
- Don’t try all your passwords
If your password has failed and you’re sure it’s not a typo, just click the “Forgot my password” link and wait for the email. At worst you’re losing an hour.
- Use a password manager
KeePass is an example of a great way of storing all your login information in a single file using NFA-approved encryption. All you have to remember is one secure pass phrase (and that’s where Thomas Baekdal’s advice comes in handy) to encrypt and unencrypt the file. So if a website’s login fails even though you’re sure the password was correct, you can always double check with the entry in your password manager. KeePass also has the ability to automatically populate login forms for you if you really don’t fancy remembering anything anymore :p
Throughout the history of the internet, there always have been, and there always will be, clever people trying to get your information on the internet. The only protection is a healthy dose of paranoia, and maybe some high-tech encryption to boot.
The steps listed in this post are not provided as a tutorial but as an illustration of the power that any website can have over you. My intention is to inform about the hazards of password misuse, not help others capitalise on it. If I’ve managed to think about it already, so have much smarter people than me.