Many of the most notable data breaches have involved the compromise of user passwords
on various web services. The severity of the breach really depends upon the state of the passwords at the time of the breach and/or the method by which they are stored.
Methods of Password Storage
Ideally, passwords should be stored in an encrypted form, called “hashes” and additionally salted. Salting adds a random element to the password hashes that make it very difficult for an attacker to brute force hashes he may have obtained during the breach. This is not to say that it is impossible for an attacker to crack the password hash, only much more difficult.
Unsalted password hashes, while encrypted, are vulnerable to simple brute force attacks. Many tools exist that can make this process very simple for an attacker. If the password is a simple dictionary word, or less than ten or so characters and having low complexity, the hash can be cracked in seconds. Thanks to newer processing techniques that can utilize GPU (graphical processing unit) power, even 12 character passwords can be brute-forced in a reasonable amount of time.
Some on line services and companies have even been found to use techniques which they call “encryption” but are more “obfuscation.” If a service claims to use something like BASE64 to encode passwords, this is not encryption at all, and an attacker need only to convert the text back to normal text to read the password.
In past breaches, some companies and services have been found to store passwords in clear text. In December 2009, Rockyou.com was breached, exposing the customer data of some 30 million customers. All of the data, including passwords, was found to be stored in clear text. Password complexity and length were of no benefit to the security of rockyou.com users. To this day, the Rockyou.com password list (which was widely circulated after the breach) is a standard file used when attacking anything utilizing passwords due to its size. It is representative of popular passwords still used by many people today.
If the company or service you use stores its passwords in clear text, there is little to protect you. Depending on the type of service being provided, such as with an on-line bank, it would be worth your while to read about their security practices and even contact them before signing up.
Company employees should never be able to access the clear text of your password. If they can retrieve it for you, this points to a glaring hole within their security. The most they should be able to do is provide a link by which you can reset the password. If you forget your password and request a new one, and you are sent an email with your old password it clear text, this typically means that they either do not encrypt their data or they are using an easily reversible process. If they can reverse it, an attacker may be able to do so as well. Also, think about the fact that your password was just emailed to you in clear text. Can you be certain that your emails cannot be intercepted and read by others? If you are in a coffee shop or airport terminal using a public wireless network, the answer to this question is a clearly “no.”
While you cannot create a password long enough protect you against companies storing it or being able to retrieve it in clear text, you can create one that makes it extremely difficult for an attacker to brute force if encrypted. We assume that most on-line services are providing some basic level of encryption, but are they salting the hashes? It is best to not leave our security in their hands.
When creating a password, think pass “phrase” rather than pass “word.” Choose a phrase that you can remember but has complexity. Phrases like “AllMyShoesAreBlue” are decent. Even better adding numbers or characters such as “AllMySh03sAr3Blu3″. This increases the size of the character set and makes brute forcing take much longer. Avoid common phrases such as cliche`s, movie titles, or famous quotes.
The reason I stress “phrase” rather than “word” is because you need good password length. Given the methods and computing power attackers have at their disposal today, I personally would never choose a passphrase with less than a minimum of 15-20 characters if allowed by the application.
Suppose you are using an on line service and you choose a really good pass phrase such as IH@ve@nt$1nMyP@nt$ (I have ants in my pants). Unknown to you, this service stores its passwords in clear text and eventually, this company is the victim of a data breach. The length and complexity of the password does not help you. It is out there for all to see. Many of the passwords in the rockyou.com password list are very long and complex, but they were stored in clear text.
This situation may not be so bad. It is only one company that was compromised. However, if you use the same password for everything, the attacker may be able to use other exposed data, such as your email address, to compromise other services and companies that you use. In other words, an attack on your World of Warcraft account could lead to an attack on your online bank account.
Because of this risk, it is highly advisable to practice password diversity. Different passwords should be used, especially for services involving finances or personal information. One breach should not provide attackers the proverbial “keys to your kingdom.”
The complaint oft expressed by people when discouraged from password reuse is “how in the world do I remember all these different passwords? And now you want them to be more complex phrases?” It is an understandable gripe. Fortunately tools exist to help keep you passwords organized, protected, and readily available, such as Password Safe and KeePass.
With KeePass, you can organize passwords into different groups and categories, and will also generate passwords for you. The database file is, itself, encrypted and protected with a password. Whatever you do, don’t forget your KeePass password.
Other tools and methods exist for the purpose of storing, organizing and securing passwords. Whatever you use, make certain it is from a reputable source. You do not want to hand your entire password collection over to an attacker.
We can seldom be completely certain what on-line companies and services do to protect our passwords if they do not explicitly provide the information on their website. In all honesty, that representative you speak with on the phone may have no idea either. Play it safe and take control of your own security. Use long pass phrases, try to make your passwords diverse, and store them in a reputable tool like KeePass if needed.