According to the common wisdom on passwords, you should pick different passwords for different accounts. But
if your way of remembering your passwords is to make them slight variations of one another, you could be making hackers' lives easier than you might think.
Most people know it's bad practice to re-use passwords across multiple accounts since hackers that steal a password database from one service can use it to compromise the victim's other accounts. That's why Facebook scoured Adobe's leaked customer credentials following a recent hack of its user database and forced those who had employed the same email and password combination on Facebook to change their passwords.
Those who were in Adobe's database of users whose credentials had been, but who were wise enough not to re-use their passwords for Facebook, are thought not to have got the same treatment.
However, new research shows there's a high chance non-identical passwords only deviate slightly from one account to another — and they were probably created using one of seven transformation rules that can be modelled to aid an online password attack.
In a new research paper The Tangled Web of Password Reuse (PDF), Anupam Das, a computer science PhD student at the University of Illinois, and his fellow researchers compared password pairs linked to just over 6,000 email addresses that appeared more than once in 10 major password leaks at Gawker, Facebook, Hotmail, Yahoo, CSDN.net, militarysingles.com, myspace, youporn.com, and porn.com.
The researchers found that for those addresses that appeared at least once, 43 percent of passwords were identical — they're the easiest pickings for the hacker with a leaked password database.
But it turns out that around a third of the 57 percent that had non-identical passwords are also vulnerable to having their account hijacked. The researchers found that 19 percent of password pairs in the dataset were based on a 'substring' of another: these include insertion or deletion operations at the beginning or end of another password, so that "password" at one account becomes "password1234" at another. Meanwhile, 38 percent of pairs were completely different.
"We weren't sure going in if most passwords would be identically re-used, completely different, or slightly modified, and it turns out slight modifications are an important category — about 20 percent of all passwords are formed by adding or deleting characters from a password the user used at another site," Joseph Bonneau, a Googler and security researcher who co-authored the paper, told ZDNet.
"This is a significant fraction of all passwords, and for these most follow one of a small number of predictable modification patterns. Most users said this was simply to satisfying different websites' policies, but nearly as often they said this was to increase security. So, users are trying to add characters to a basic password for security. Unfortunately, our work suggests this may not be working as well as users intend."
To demonstrate that slightly varied passwords could be guessed, the researchers used common password transformation rules to create what they claim is the world's first 'cross-site password-guessing algorithm'. The top rules included insertions, deletions, capitalisations, leet speak (writing 'password' as 'pa$$w0rd', for example) and sub-word modifications, where 'darkknight' on one account might become 'DarkKnight' on another.
They also wanted to show it could be designed for an online guessing attack, which could but often don't face obstacles such as rate-limiting login attempts. (The researchers note that most sites don't effectively rate-limit incorrect guesses while Facebook and Google allow more than 10 guesses in some circumstances.)
According to the researchers, their prototype guessing algorithm was able to crack approximately 10 percent of the nonidentical password pairs in less than 10 attempts, which rose to 30 percent with fewer than 100 attempts.
"This makes a real security impact as an attacker with a leaked, non-identical password can mount an online guessing attack with orders of magnitude higher success than an attacker without a leaked password," Das and company note.
The researchers will present their paper at the NDSS conference in San Diego in February 2014.