2017-03-14 20:04:31, In: Security, Other
In the last few years, questions about password complexity have come up from time to time. There are lists of the most common passwords, counted from leaked databases in both hashed and plaintext form, and blog entries usually sound the alarm about the poor complexity and length of passwords. Recently, the Password rules are bullshit post on the Coding Horror blog showed why password rules are a bad idea. However, weak passwords seem to be insecure through a totally ignored mechanism that has nothing to do with their length.
To illustrate the problem, let me tell a story about graphics card drivers. In 1997, to download a new driver for my video card, I could do the following:
1. Go to my card manufacturer's website.
2. Click Support, then Downloads.
3. Connect to the FTP server's "pub/drivers" directory, or select the board from a list.
4. Download the driver for my OS. Mission accomplished, driver on my disk.
20 years later:
1. Go to my card manufacturer's website.
2. Register for support...
3. ...only to learn that the manufacturer has no idea about a card it manufactured, although older ones are on the list.
4. Look for unofficial drivers on user forums.
5. Avoid the programs that offer to download the drivers for you (plus ransomware!).
6. After countless forum registrations, find the right user forum and register there.
7. Register on the Mega-Rapid-Diarrhea file sharing site where the archived driver files are hosted.
8. Wait, watch some ads, maybe register to skip some of them.
9. If you are lucky, get the file without an adware downloader bundled in.
So, do you expect that I will ever use ANY of these accounts again? No! They are disposable, so I will use simple passwords. Because the businessmen running such services are quite cut off from the real world (they look at it through statistics, without thinking much about where the numbers come from), they only see a growing number of registered users and conclude that their site is popular. While... nope.
Warning: this is intentionally outdated. Today there are limits on the number of registrations, logins and downloads which quite effectively stop anyone without a nice proxy setup from performing such an "attack". Let me introduce a portal I will call C. C. is a popular file hosting site where every user can register and store files for public sharing. Every week, users get a renewed transfer quota for downloading larger files, and they can purchase additional transfer via an SMS service. Unregistered users can download files no larger than 1 MB; registered ones, a few tens of MB.
A very popular "disposable e-mail" service has a quite strict address generation rule: a letter, changed every few months, followed by 7 digits. There are probably 6-digit combinations too, but let's stick with 7-digit numbers. In C., during registration, the user name is by default generated from the e-mail address (everything before the @); the user may change it, but the field is simply autofilled when the user enters the e-mail address. So let's check the C. portal for users whose name is the login part of a "disposable" e-mail address. Because every user has a shared directory with their nickname in the URL, I can simply spider through random values, looking for either an existing directory or a "no such user" response. The result was that after about 10,000 tries I had 70 verified accounts, of course without any shared files at all and with quite antique last-login dates. A few days of harvesting (changing the letter, and using a proxy) let me discover about 500 logins: users who logged in once a few years ago and then left the account, because they had registered to download one file. Then I stopped; 500 would be a nice sample.
So imagine you are such a user. A lazy one. What password would you choose? The registration form says:
"Password must be at least 8 characters long".
OK, so 12345678. I tried it in the registration dialog. But then the dialog displayed a message that the password must contain a letter. So my "dictionary" for the attack was the following:
Quite a large one, huh? :). So: proxy, Tor, and let's try account by account. With proper timing, so as not to completely "woodpecker" the servers, after 4 days I had 87 working login-password pairs! Almost one fifth!
However, there is nothing big I could do with these passwords. None of the accounts has any files on it, most of them were last used more than 2 years ago, and they were created to download some file and then abandoned. I can... well, I can download a larger file. Resources "secured" by weak passwords are not worth much.
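The rule quoted above defines the cheapest password the site will accept, and a lazy user supplies exactly that. The Python below is an added example (my code, not the site's registration check and not the author's dictionary) that puts the quoted rule beside a check which keeps the same minimum length but rejects the lowest-effort constructions the rule invites: a digit run or a common password with one character bolted on to satisfy "must contain a letter". The common-password set and the one-character padding heuristic are assumptions standing in for a real breached-password corpus.

```python
import itertools

# Assumption: a tiny stand-in for a breached / most-common password corpus.
# A real deployment would check against a full list (e.g. a HIBP-style dump).
COMMON_PASSWORDS = {"12345678", "password", "qwertyuiop", "11111111", "iloveyou", "letmein1"}


def site_policy(pw: str) -> bool:
    """The rule the post quotes: at least 8 characters, and at least one letter."""
    return len(pw) >= 8 and any(c.isalpha() for c in pw)


def _sequential(s: str) -> bool:
    """'1234567', 'abcdefg': every code point is the previous one plus one."""
    return len(s) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def _repeated(s: str) -> bool:
    """'11111111', 'aaaaaaaa': one character repeated."""
    return len(s) >= 4 and len(set(s)) == 1


def _cores(pw: str):
    """The password itself plus the variants left after peeling off up to one
    leading and one trailing character, which is how a lazy user satisfies a
    'must contain X' rule: 12345678 -> 1234567a."""
    for lead, trail in itertools.product((0, 1), (0, 1)):
        core = pw[lead:len(pw) - trail]
        if core:
            yield core


def better_policy(pw: str):
    """Same minimum length, but rejects the cheapest compliant constructions.
    Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "too short"
    for core in _cores(pw):
        lowered = core.lower()
        if lowered in COMMON_PASSWORDS:
            return False, "common password (%r)" % core
        if _sequential(lowered):
            return False, "sequential run (%r)" % core
        if _repeated(lowered):
            return False, "repeated character (%r)" % core
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("12345678", "1234567a", "Password1", "aaaaaaaa", "correct horse battery staple"):
        print("%-30s site rule: %-5s better rule: %s"
              % (candidate, site_policy(candidate), better_policy(candidate)))
```

The point of `_cores` is that the weak rule does not change what the user remembers, only what they type: the memorable part is still "12345678", and a checker that never looks past the appended letter accepts it. A passphrase of ordinary words passes both checks, so the stricter rule costs a careful user nothing.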
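Seen from the defender's side, the run described above is a low-and-slow password spray: one guess per account, spread over days and across many exit addresses, so per-IP and per-account failure counters never trip. The Python below is an added example, not code from C. or from the author, showing a detector that keys on the guess instead of the source: the login handler fingerprints each attempted password with a keyed hash (so the guess itself is never stored) and counts how many distinct accounts one fingerprint touches inside a sliding window. Successful attempts are counted too, because an account that accepted a sprayed guess is exactly the one that needs a forced reset. The login events, the fingerprint key and the thresholds are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption: a server-side secret used only to fingerprint attempted passwords,
# so the detector keeps a keyed hash of each guess, never the guess itself.
FINGERPRINT_KEY = b"rotate-me-regularly"


def fingerprint(attempt: str) -> str:
    return hmac.new(FINGERPRINT_KEY, attempt.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed login events, in the shape the authentication handler sees them
# before the password is hashed: (timestamp, account, source ip, attempt, success).
BASE = datetime(2017, 3, 1, 2, 0)
EVENTS = [
    # one active user: her own password, one typo the next day, then the right one again
    (BASE + timedelta(hours=9), "alice", "203.0.113.5", "correct horse battery", True),
    (BASE + timedelta(days=1, hours=9), "alice", "203.0.113.5", "correct horse batery", False),
    (BASE + timedelta(days=1, hours=9, minutes=1), "alice", "203.0.113.5", "correct horse battery", True),
]
# a spray in the style of the post: one guess per dormant account, spread over
# four days and six exit addresses; two of the accounts really use that password
WEAK_ACCOUNTS = {"a1234503", "a1234509"}
for i in range(12):
    account = "a12345%02d" % i
    EVENTS.append((BASE + timedelta(hours=8 * i), account,
                   "198.51.100.%d" % (i % 6 + 1), "1234567a", account in WEAK_ACCOUNTS))


def max_failures_per_ip(events) -> int:
    """The classic per-source counter: the most failed logins any single IP produced."""
    failures = Counter(ip for _, _, ip, _, ok in events if not ok)
    return max(failures.values(), default=0)


def detect_spray(events, window=timedelta(days=7), min_accounts=5):
    """Flag every attempted-password fingerprint that was tried against at least
    min_accounts distinct accounts inside a sliding window, whatever the source.
    Returns {fingerprint: {"accounts": [...], "sources": [...], "compromised": [...]}}."""
    by_fp = defaultdict(list)
    for ts, account, ip, attempt, ok in events:
        by_fp[fingerprint(attempt)].append((ts, account, ip, ok))
    flagged = {}
    for fp, tries in by_fp.items():
        tries.sort(key=lambda t: t[0])
        for i, (start, _, _, _) in enumerate(tries):
            in_window = [t for t in tries[i:] if t[0] - start <= window]
            accounts = {t[1] for t in in_window}
            if len(accounts) >= min_accounts:
                flagged[fp] = {
                    "accounts": sorted(accounts),
                    "sources": sorted({t[2] for t in in_window}),
                    "compromised": sorted({t[1] for t in in_window if t[3]}),
                }
                break
    return flagged


if __name__ == "__main__":
    # per-IP limits never fire: no address produced more than two failures
    print("max failures from one IP:", max_failures_per_ip(EVENTS))
    for fp, hit in detect_spray(EVENTS).items():
        print("spray %s hit %d accounts from %d sources; accepted on %s"
              % (fp, len(hit["accounts"]), len(hit["sources"]), hit["compromised"]))
```

Alice's typo produces a second fingerprint, but it only ever touches her own account, so it never reaches the threshold; the sprayed guess touches twelve accounts from six addresses with at most two failures per address, which is why the per-IP counter reports nothing while the fingerprint counter reports the whole campaign and the two accounts it opened. The fingerprint key should be rotated with the window, since an attacker who learns it can precompute fingerprints; it protects against the detector's own logs becoming a password list, not against the attacker.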
0. We are terribly predictable. To maintain anonymity online, random generators should do this work for us, even in our free time.
1. Simple passwords are a problem, but not as big a problem as it is usually made out to be, since most of them guard useless, disposable accounts used once.
2. However, there is a risk that users will carry the habit they picked up on junk sites over to other, more important accounts, or will start using e.g. a forum with such a password and never change it when their activity there increases.
3. A relatively nice mechanism for eliminating such behaviour would be a prompt to change the password, in the account and in the password manager, once the password starts being used too heavily. If the password is complex, a security-aware user will click "do not remind me"; if not, they will change it.