If you think just because you use different passwords for different services you're safe, think again

Summary: Adding numbers, reversing or using 'l33t speak' to differentiate passwords on different accounts does avoid password re-use, but it's an ineffective way of adding security to online accounts.

According to the common wisdom on passwords, you should pick different passwords for different accounts. But if your way of remembering your passwords is to make them slight variations of one another, you could be making hackers' lives easier than you might think.

Most people know it's bad practice to re-use passwords across multiple accounts since hackers that steal a password database from one service can use it to compromise the victim's other accounts. That's why Facebook scoured Adobe's leaked customer credentials following a recent hack of its user database and forced those who had employed the same email and password combination on Facebook to change their passwords.

Those who were in Adobe's database of users whose credentials had been leaked, but who were wise enough not to re-use their passwords for Facebook, are thought not to have got the same treatment.

However, new research shows there's a high chance non-identical passwords only deviate slightly from one account to another — and they were probably created using one of seven transformation rules that can be modelled to aid an online password attack.

In a new research paper The Tangled Web of Password Reuse (PDF), Anupam Das, a computer science PhD student at the University of Illinois, and his fellow researchers compared password pairs linked to just over 6,000 email addresses that appeared more than once in 10 major password leaks at Gawker, Facebook, Hotmail, Yahoo, CSDN.net, militarysingles.com, myspace, youporn.com, and porn.com. 

The researchers found that for those addresses that appeared at least once, 43 percent of passwords were identical — they're the easiest pickings for the hacker with a leaked password database.

But it turns out that around a third of the 57 percent that had non-identical passwords are also vulnerable to having their account hijacked. The researchers found that 19 percent of password pairs in the dataset were based on a 'substring' of another: these include insertion or deletion operations at the beginning or end of another password, so that "password" at one account becomes "password1234" at another. Meanwhile, 38 percent of pairs were completely different.

"We weren't sure going in if most passwords would be identically re-used, completely different, or slightly modified, and it turns out slight modifications are an important category — about 20 percent of all passwords are formed by adding or deleting characters from a password the user used at another site," Joseph Bonneau, a Googler and security researcher who co-authored the paper, told ZDNet.

"This is a significant fraction of all passwords, and for these most follow one of a small number of predictable modification patterns. Most users said this was simply to satisfy different websites' policies, but nearly as often they said this was to increase security. So, users are trying to add characters to a basic password for security. Unfortunately, our work suggests this may not be working as well as users intend."

To demonstrate that slightly varied passwords could be guessed, the researchers used common password transformation rules to create what they claim is the world's first 'cross-site password-guessing algorithm'. The top rules included insertions, deletions, capitalisations, leet speak (writing 'password' as 'pa$$w0rd', for example) and sub-word modifications, where 'darkknight' on one account might become 'DarkKnight' on another.

They also wanted to show that the algorithm could be designed for an online guessing attack, which in principle faces obstacles such as rate-limiting of login attempts but in practice often does not. (The researchers note that most sites don't effectively rate-limit incorrect guesses, and that Facebook and Google allow more than 10 guesses in some circumstances.)

According to the researchers, their prototype guessing algorithm was able to crack approximately 10 percent of the non-identical password pairs in less than 10 attempts, which rose to 30 percent with fewer than 100 attempts.
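The same transformation categories work in the other direction: a site can check, at password-change time, whether a candidate is merely a variant of the previous password. The following is an added example and not the paper's algorithm; the leet table, the minimum core length and the extra "edge-change" rule (which goes slightly beyond the article's substring rule) are my assumptions.

```python
# Added example (not the paper's algorithm): a defender-side check that names
# the transformation relating an old password to a new one, using the
# categories the article describes, or None if they look unrelated.

LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})   # assumed leet table
EDGE_CHARS = "0123456789!@#$%^&*.-_"
MIN_CORE = 4   # assumed: a shared core shorter than this is treated as coincidence


def deleet(pw: str) -> str:
    """Undo common leet substitutions: 'pa$$w0rd' -> 'password'."""
    return pw.translate(LEET)


def variant_rule(old: str, new: str):
    """Name the rule relating old -> new, or return None if unrelated."""
    if old == new:
        return "identical"
    lo, ln = old.lower(), new.lower()
    if lo == ln:
        return "capitalisation"          # 'darkknight' -> 'DarkKnight'
    co, cn = deleet(lo), deleet(ln)
    if co == cn:
        return "leet"                    # 'password' -> 'pa$$w0rd'
    # insertion or deletion at the beginning or end: one password is a
    # prefix or suffix of the other, compared literally and after de-leeting
    for a, b in ((lo, ln), (co, cn)):
        short, long_ = sorted((a, b), key=len)
        if len(short) >= MIN_CORE and (long_.startswith(short) or long_.endswith(short)):
            return "substring"           # 'password' -> 'password1234'
    # stricter than the article's substring rule: same core once the digit and
    # symbol runs at both ends are removed, e.g. 'Summer2013' -> 'Summer2014'
    core_o, core_n = lo.strip(EDGE_CHARS), ln.strip(EDGE_CHARS)
    if len(core_o) >= MIN_CORE and core_o == core_n:
        return "edge-change"
    return None


def accept_new_password(old: str, new: str) -> bool:
    """Password-change policy: reject any candidate related to the old one by a known rule."""
    return variant_rule(old, new) is None
```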

"This makes a real security impact as an attacker with a leaked, non-identical password can mount an online guessing attack with orders of magnitude higher success than an attacker without a leaked password," Das and company note.

The researchers will present their paper at the NDSS conference in San Diego in February 2014.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • So basically, no matter what our password is, we're screwed.

    Is that the general idea, Mr. Tung?
    • Why shoot the messenger?

      1) I believe you might want to direct your frustration with the truth at the authors of the paper that Mr. Tung is reporting on.

      2) If you reach the logical conclusion here, then you're only screwed if you try to use the same base for all your passwords. If you truly create unique passwords, you've compartmentalized any damage done by a breach of a website you use.

      Which all leads to the need for LastPass and other SSO services which allow you to have very unique passwords on different websites while avoiding the headaches of trying to remember all your passwords yourself.
      • Oh please..!

        It's one piece of bad news after another after another from these guys. How about breaking it down on what to do to protect yourself instead of having to wade through a river of horror to get armed? He should have a little frustration thrown his way. He and the rest of them.
        • Moving targets

          Hi :)
          There is plenty of advice on how to get it right. As with most advice it is generally and widely ignored and the people giving the advice are often undermined.

          See in the comments in this thread various people suggest various password-management programs that encrypt all the passwords they contain. Such password managers generally take care of specific advice which you can also follow yourself without the use of password managers. Such things as

          1. Use very very long strings of at least 16 characters. This number keeps rising. It's probably more like 18 or 24 or higher now.
          2. Avoid dictionary words, dates, and obvious patterns. Until a couple weeks ago stringing a few words together was adequate but that no longer works apparently.
          3. Use a wide variety of types of characters; e.g. upper & lower-case, special symbols, numbers etc.
          4. Don't write your own passwords on a post-it note stuck to the edge of the screen in a multi-user or public environment (other favs being under the keyboard or in the top-drawer)

          So, there is plenty of guidance out there but it all gets ignored by almost everyone. It's only horror-stories like this that get the attention and that is the way we reach for sensational gossip but not for calm advice, ie it's readers fault, not the authors!
          Regards from
          Tom :)
      • I have LastPass and I love it, mostly,

        but it has a few weaknesses. Sometimes it seems that after changing the password on a site, LastPass insists on filling in the old one, prompting enough errors before that fact is established to trigger ANOTHER password reset. Also, the URL used by many sites to do the password reset is DIFFERENT from the one used for the normal login, and LastPass searches the vault by URL. Sometimes password-managed random passwords cannot be used because they may have to be entered by hand on devices not supported by the password manager (and often when the device on which the vault could be displayed as a reminder is not available), so they must be memorizable by the human user.

        LastPass for applications has a flaw with respect to Quicken, for one: the password is associated with the individual Quicken database FILE, not the application, and different files should, ideally, have different passwords, but LastPass (and possibly other such programs) associates ONE password with the application PROGRAM, and has no way to organize a sub-level of the vault by filename within program.

        The same is true of applications used by more than one family member who trust one another enough to use the same password manager account and vault, or a user with multiple accounts on the same site (multiple gmail or yahoo accounts, for example).

        So there are limitations to the password manager, and they do misinterpret the web sites they are asked to handle occasionally (some sites do not label their password fields as passwords so that they COULD be recognized by a P.M. and others have one time code fields mislabeled as passwords, causing the P.M. to prompt the user to save them). It's enough to make me wish that all passwords could be replaced by fingerprints, until I remember how the Mythbusters used rubber cement, enlarging, manual filling in, and reducing to spoof a fingerprint.
    • Yes

      No security system is foolproof. When I was fresh out of school, I was told that public key was impossible to crack. Turned out not to be true. I've been told all sorts of encryption/security techniques that are in use are impossible to crack, until they get cracked.

      The key to making a viable security system is to make it so the effort in breaking it outweighs the reward. The problem with this is Moore's Law and human ingenuity. Humans come up with solutions to problems that are "outside the box" and therefore not foreseen by the creators of the security system. And Moore's law lowers the cost of the effort needed to break the security.
  • So it does not matter if I use KeePass2, right?

    As long as I use a 25-character strong password and keep my key file safe?

    What a sensationalist headline I've read.
    Grayson Peddie
    • I disagree

      People need to know these things, even if they choose not to change their behaviors. If you use KeePass or any good storage/generator program, this article isn't really aimed at you. But I know lots of people who use a single password with a few permutations for EVERY site. This definitely applies to them!
  • How would Facebook know a user's password was the same?

    Facebook shouldn't be able to see users' Facebook password. Good password management dictates that the account provider can't access the user's password. Ever. If Facebook can see a user's password then they're doing it wrong. Thank jeebus I don't have a Facebook account. Not with that glaring security hole in place.
    • ^ Yes

      I think the real headline here is 'Facebook administrators have full plain text access to your passwords'. Shocking!
      • The secret is called "hashing"

        From the article Mr. Tung did on this Facebook proactive security process, quoting the FB Security guy:

        "We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time. Like Brian’s (Krebs) story indicates, we're proactive about finding sources of compromised passwords on the internet. Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts."
    • Facebook uses the same Identity Management System as HealthCare.gov...

      ... and that Identity Management System uses a two-way encryption method (encrypt/decrypt), so it is possible to retrieve the clear text password when needed (such as when it must be determined if a user's existing password still meets the minimum requirements of a newly updated password policy).
    • FB doesn't see passwords

      They see password hashes, like every other entity that maintains user ID/password authentication. You enter your password when you log into the service, the hash is created and it's then compared against the hash value FB has on file for your user ID. If it matches, you're in; if not, then you get a 'try again' message.
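The check described in the two comments above (hash the candidate, compare against the stored hash, and run recovered leak plaintexts through that same code path) as an added example; this is illustration code, not Facebook's implementation, and the PBKDF2 work factor and the sample accounts are constructed for the example.

```python
# Added example: a site keeps only salted PBKDF2 hashes, verifies logins by
# re-hashing the candidate, and reuses that exact check to screen plaintexts
# recovered from a third-party leak. Not Facebook's code; parameters assumed.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the illustration


def make_record(password: str, salt=None) -> dict:
    """Store only a salt and a PBKDF2-HMAC-SHA256 digest; the plaintext is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """The login-time check: hash the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def screen_leaked(records: dict, leaked: dict) -> list:
    """Run recovered leak plaintexts through the login check and return the
    account ids whose stored hash matches, i.e. the accounts to force-reset."""
    return [uid for uid, pw in leaked.items()
            if uid in records and verify(records[uid], pw)]


# Constructed sample data: alice reused her leaked password, bob did not,
# and carol has no account on this site at all.
USERS = {
    "alice@example.com": make_record("hunter2"),
    "bob@example.com": make_record("correcthorse"),
}
LEAKED = {
    "alice@example.com": "hunter2",
    "bob@example.com": "hunter2",
    "carol@example.com": "letmein",
}
```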
  • The real lesson ...

    is that the current "password system" is "broken" and all the password advice provided by "experts" is less than useful. All the mnemonics and tricks to creating "strong yet memorable" passwords work great *in isolation*, but fail when applied to a common situation of a given user having multiple (and possibly many) different passwords.

    I can devise a sufficiently strong and memorable password for any given site. But when I need to do that for 5, 10, 20 or more different sites / applications, now I not only have to remember my sufficiently strong password, I need to remember which one applies to which site. Most people can't do that, so they write them down or use the same password or use variations of the same password or use a variation of the site / application as part of the password. That's just a reality.

    I don't have a solution to that problem, and I'd be a rich man if I did, but that's why passwords are still a weak link in overall security.
    • Use a password management/generator application

      That's the solution. You can create sufficiently complex passwords and store them. There are enough options out there that are multi-platform that you should be able to find one to suit your needs.
    • LastPass, KeePass...

      there you go.
      • Password Keeper apps

        ... are also a weak link (IMO).

        First, I need to create a memorable and extra-robust password for the tool, because it is now the "master key".

        Then I need to ensure I have access to the Password Keeper when I need to access the respective site / application, which may not always be the case.

        And then I have to trust that my "Password Keeper" isn't compromised or vulnerable in some way and is "always available" when I need to access a site / application.

        Certainly better than writing down a password or using the same password across sites / apps, but not a panacea by any means.

        Personally, I try to avoid those types of tools because it builds complete reliance upon them - without the tool you now cannot access the site / app (you can of course reset passwords etc., but that may or may not be convenient at the time).
        • Password Generating Apps

          Depending on the app you only need to remember one password and do not need to set up a seed of your own. Every site I visit gets its own password of whatever length is allowed or I am currently using. I keep the password file encrypted, which is the default, and protected; it is kept on very few devices and places that are under my direct control.
  • It's Time Consuming - but worth it

    I would not use a password service. Take the time to make up a different password completely different for every single account you have so that you sometimes don't remember your own password and have to reset the password. Time consuming? Yes, but worth it. Make the memory system so complex that you fool yourself.

    If we always want an easy solution - well then we will become an easy target.
  • Security at work

    Most people in a social website know very little, if anything, about computer security. A password should be unique 100% and not a deviation of another password. Also, passwords should be changed every 30 days, or 90 days at the most, and must be as complex as possible and keep it in a safe place (not the computer). However, most people in social networks never do that.