Barbarians At The Password Gate

Editor’s note: Igor Sill is managing director of Geneva Venture Management.

We’re now using the Internet for a wide range of everyday activities, including online banking, stock trading, online shopping, bill paying, socializing, gaming, entertainment and online research. In the last few years there’s been massive growth in the number of social networking sites such as Facebook, LinkedIn, Twitter, Craigslist, Instagram and Tumblr. We share all kinds of personal details on these sites, as well as music, pictures and videos, most of which we would certainly prefer to protect, safeguard and keep private. Unfortunately, all of these sites have been “cracked” by hackers who exposed the passwords and other personal information of thousands of users. If you haven’t had your password hijacked yet, it’s really just a matter of time.

Today you need to remember or store passwords for all your online accounts, and the list is endless. If you’re like most people, you use the same or a very similar password for each account, so your password is only as secure as the weakest site you access with it. When a hacker cracks that site, you become a victim of identity theft. The criminal who has stolen your personal data can use it to fraudulently obtain goods and services in your name.

A hacker armed with the right password can get at almost anything of yours: hijacking cloud-storage accounts, accessing your bank account, obtaining credit cards in your name, applying for a new driver’s license or passport in your name, and then simply stealing money directly from your bank account. Identity theft is occurring more and more frequently; it happens to thousands of people every day.

In addition to the threats we face from website cracking, most of us have at some point had a smartphone or tablet misplaced, lost or stolen, making it easier for these thieves to exploit our misfortune. According to the KPMG Data Loss Barometer, 1 billion people have been affected by lost and stolen information in the last five years.

Exposing ourselves

Unfortunately, the more personal details we make available, the more exposed we become to online identity theft. Hackers can access your personal life’s assets from anywhere on the globe with an internet connection, and from a virtually untraceable location. Hackers generally buy your password from data breaches. As you have probably already heard, a gang of Russian hackers, codenamed CyberVor, accomplished one of the biggest data breaches in history. CyberVor cracked 1.2 billion usernames and passwords, along with 540 million email addresses, from 420,000 sites, according to Hold Security.

More than likely, you’re already using more than a few of those compromised sites. CyberVor will most likely sell that information on a per-name, per-account basis to individual hackers with criminal intent. These hacks are personally devastating and cost businesses billions of dollars every year. So, you probably need to start thinking about protecting yourself.

The Hacker’s Method

One way that CyberVor may have stolen that much information is through SQL, the structured query language used by the popular databases in which most sites store user information. This was the method used by hackers to breach the retailer Target. The number of data breaches so far this year represents a 20.5% increase over the same period last year and continues to grow at an increasing rate, says the Identity Theft Resource Center in a report issued last week.

Large-scale password cracking like CyberVor’s is simply a process of exploiting system security flaws to recover passwords from data stored on your computer or other devices, or of running brute-force attacks. However, the real trouble begins when groups like CyberVor sell the data they’ve stolen to individual hackers.

Let’s say an individual hacker purchases your email password or one of your social network passwords. That hacker can use that particular account as a tool to exploit the account recovery methods of your other accounts. They’ll initiate a password reset and wait for the email to arrive, or use popular features like “Log in with ‘your favorite social network’” to access your other accounts. Once the hacker has reset your password, they’re in charge and have full unauthorized access to your accounts, internet websites and sometimes your computer.

With so many company websites being hacked this year, news of yet another major data breach seems routine.  JPMorgan Chase’s announcement this week that it may have been the target of a major cyber attack is a sign that hackers have found a way to breach one of the most protected computer systems in our economy.

Successful breaches against financial institutions are unusual because banks have the strongest cyber security of any industry. JPMorgan Chase said it plans to spend $250 million on cyber security protection this year. Chase may have been breached through the negligence of one of its own employees, whose personal computer was hacked in order to enter Chase’s network, according to the Wall Street Journal.

So, how secure are you with that secret password of yours, that singular protective word that’s supposed to be a string of upper-case and lower-case letters and numerals that you can barely remember? It’s purposely so super secret because it’s used to authenticate your identity, so that only you can gain access to your most treasured assets. It’s so difficult to remember that most people store their passwords in their browser for convenience. The obvious problem with saving your hard-to-remember passwords in your browser is that anyone who gains access to your computer can instantly access all of your passwords.

What happens when you do forget your password? Well, there are ample, readily available solutions for retrieving forgotten passwords. Password cracking is generally a process of recovering or resetting passwords from data stored on your computer or other devices so as to recover the forgotten passwords, but of course, in the wrong hands it is conveniently used for gaining unauthorized access to your computer, accounts and internet websites.

How easy is it to “crack” your password? In the “old days” thieves used software tools such as Cain & Abel to crack the stored password sequence (the hash). This sort of tool used CPU core power to crack the hash and convert the password back into plaintext. So, assuming your password was complex and sufficiently strong (one that includes upper and lower case letters, numerals and special characters), it would take many weeks and possibly years to recover the plaintext from the hash.

Besides this method, a thief has other ways to crack a password: simply guessing it (using your pet’s name is a common mistake), using tools such as keyloggers, phishing attacks, social engineering, dumpster diving, peeking over your shoulder or, of course, buying it directly from cyber thieves like CyberVor. But the easiest and most efficient is easily downloadable freeware designed specifically to locate your password.

There are many available online: Hashcat, Rainbow Crack, PWAudit, Accent RAR and a new super-fast password cracker developed by Ivan Golubev, IGHashGPU, to name a few. Ivan’s cracker tool can test approximately 790 million hashes per second, finding that hidden password in seconds. Amazing.

Defensive Measures

So, it’s important to create strong passwords that are different for each of your accounts and it’s strongly recommended that you update those passwords regularly.

Truth be told, password security depends heavily on the attack method. People often think that a short password of random characters such as “+*4F#0$” is super secure, but a long string of combined random words such as “ferrarimonkeydatemonger” is actually far stronger. The added length adds uncertainty and is computationally more difficult to crack. Essentially, avoid real words that a hacker or cyber thief will find in a dictionary. And certainly avoid the simple-to-remember, simple-to-crack choices: 123456, Iloveyou, 0000, Fido, etc.
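To put numbers on the comparison above, here is a small added example (not code from the article) that estimates the entropy of the two password styles and how long an exhaustive search would take at the 790 million hashes per second quoted for IGHashGPU. The alphabet size (95 printable ASCII characters) and the 7776-word list size are constructed assumptions; the estimate only holds if the words are picked at random rather than by the user.

```python
import math

# Cracking rate the article quotes for Ivan Golubev's IGHashGPU: ~790 million hashes/second.
HASH_RATE_PER_SEC = 790_000_000

# Constructed assumptions (not from the article): the short password draws from the
# 95 printable ASCII characters; the passphrase draws each word uniformly at random
# from a 7776-word list (the size of a standard diceware list).
PRINTABLE_ASCII = 95
WORDLIST_SIZE = 7776


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Entropy in bits of `symbols` independent, uniformly random picks from an alphabet."""
    return symbols * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float = HASH_RATE_PER_SEC) -> float:
    """Average time to brute-force a secret of the given entropy: half the keyspace at `rate` guesses/s."""
    return (2.0 ** bits) / 2.0 / rate


def strength_report(short_random: str, word_count: int) -> dict:
    """Compare a short random-character password with a random multi-word passphrase."""
    pw_bits = entropy_bits(PRINTABLE_ASCII, len(short_random))
    pp_bits = entropy_bits(WORDLIST_SIZE, word_count)
    return {
        "password_bits": round(pw_bits, 1),
        "password_seconds": expected_crack_seconds(pw_bits),
        "passphrase_bits": round(pp_bits, 1),
        "passphrase_seconds": expected_crack_seconds(pp_bits),
    }


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # The two examples the article compares: 7 random printable characters vs. 4 random words.
    report = strength_report("+*4F#0$", word_count=4)
    print(f"'+*4F#0$': {report['password_bits']} bits, ~{humanize(report['password_seconds'])}")
    print(f"4-word passphrase: {report['passphrase_bits']} bits, ~{humanize(report['passphrase_seconds'])}")
```

Because the keyspace doubles with every added bit, a larger word list or a fifth word stretches the search far more than a symbol or two added to the short password. A site that stores passwords with a deliberately slow hash instead of a fast one shrinks the attacker's rate by the same reasoning.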

Stronger password security can be had via two-factor authentication (2FA), which splits the password between two different systems and devices, making it very effective, but not perfect. It means that hackers need to crack two codes instead of one.

A higher level, and, dare I say, far more secure, is the multi-factor authentication (MFA) being implemented by major software vendors, telecommunications companies, governments and financial institutions. Newer MFA solutions provide tokenless security and give formally verified proof by constantly shifting the user password. The MFA market is understandably growing at a feverish rate and is expected to reach $5.5 billion by 2017, according to the latest Markets and Markets research report. Microsoft’s newly released Office 365 products offer an advanced multi-factor authentication, Swivel Secure, as their safeguard to ensure password security in the federated cloud.

Of course, Microsoft and other vendors are even more concerned about enterprise-wide security for large-scale organizations, and are thus evolving towards the data federation model, which gives an organization the ability to aggregate data from divergent sources so it can be used for all aspects of corporate business. This federated model is especially useful for organizations moving to the “cloud”.

The next level of advanced password security is biometric authentication, essentially the process of determining whether someone is actually who they say they are via a fingerprint or facial features. Of the many varieties of strong authentication options, fingerprint biometrics provide strong security, simplicity and user convenience. Fingerprint biometrics are indeed stronger because they cannot be easily faked, altered or stolen.

If you’re seriously concerned about your password, and you should be, strengthen it using the suggestions above or start using biometrics and/or multi-factor authentication as a company or as a user. You really need to be protected.