Background
The first use of passwords was in the 1960s[1], when a UNIX based computing system at
an MIT lab[2] needed to be outfitted with a security procedure. They implemented a password-
based system that would allow a variety of users to log into the computers and only see their own
files. At this point in time, each user's password was kept in plaintext in a file on the computer.
Plaintext in the context of passwords refers to the actual text of the password without any
encryption applied. This, of course, is very insecure. Anyone who gains access to the file would
be able to immediately see the passwords of everybody in the database, and then be able to
access all of their information.
To address this weakness, the Multics project developed a basic encryption algorithm that
performed some basic transformations on the text and stored the product in a file instead[1]. This
made the file extremely hard for a human to read without manipulation, but because this
algorithm was so basic, involving only a square root and the AND operator, it could easily be
reverse engineered by intelligent mathematicians. Using the transformed text in the file,
mathematicians were able to work backwards and find the password used to generate it. Because
of this, the scheme was cracked quickly, and researchers began searching for a better system of
scrambling information that used an irreversible mathematical process, so that even someone
with the scrambled text would not be able to find out what the original passwords were.
Thus, encryption was born. This complex mathematical process converts a password into
a password hash, which is an encrypted form of the password that cannot be decoded to find
the original password. However, one main method of password cracking remains: the brute
force approach[3], which is one of the last remaining ways hackers can find your password. The brute
force approach is lengthy, but given enough computing power and time, it will always return the
correct password.
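To make the idea of a one-way password hash concrete, here is an added example (not code from the original paper or from any system it describes) of how a server can store and later verify a password without ever keeping the plaintext. It uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt; the iteration count and the sample password are constructed for illustration, and a production system would use a dedicated password hash such as bcrypt, scrypt or Argon2 with tuned parameters.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this example: a deliberately high iteration count
# slows each guess, and a 16-byte random salt makes identical passwords hash
# to different records so precomputed tables cannot be reused across users.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'iterations$salt_hex$hash_hex'.

    The record is one-way: it lets the server check a candidate password but
    offers no way to recover the original other than guessing and re-hashing,
    which is exactly what the brute force approach in the text has to do.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time so timing differences do not leak how close a guess was."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample password; nothing here is taken from a real account.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:  ", verify_password("password123", record))
```

Because the salt is random, hashing the same password twice yields two different records, and the only thing an attacker who steals the file can do is guess candidates and run the same slow computation for each one.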
The brute force method essentially guesses every password until it finds one that matches
the hashes provided to it. Computer experts have worked hard at optimizing this process,
including guessing passwords that people use frequently[4], gathered by examining past data
breaches. Even without this optimization, many of the most frequently used passwords take less
than a second[5] to crack. After optimization, hackers can crack even very long passwords very
quickly by having the computer observe patterns in the passwords it has already cracked, and
using those patterns to create better guesses[6] for the remaining passwords.
Figure 1: This graphic shows the time it takes to crack a variety of passwords released in an actual hack. Most of the passwords did not last longer than two hours. [image not reproduced]
Impacts
The loss of any password is likely to expose large amounts of data, and when password
hashes are stolen, they are usually stolen in large quantities. As technology has advanced,
individual companies have started to command information about greater numbers of people and
have concurrently made themselves increasingly lucrative targets for hackers. Yahoo had a data
breach in 2013 where sensitive information including password hashes was stolen from the
Yahoo servers[7]. By scraping the usernames and passwords from databases like Yahoo's, hackers
can gain access to users' accounts. This in turn can give them access to bank accounts and credit
card information because email accounts are so often used as the backup security method to reset
passwords.
Hacks to non-email services can also be extremely dangerous. Students often fall victim
to the illusion that one password is enough, and use the same username and password
combination across many websites. As a result, finding a student's login information for a blog
or social media site can often give internet thieves access to other, more sensitive accounts. This
extremely prevalent problem is termed password redundancy or password reuse[8]. As a
result, any kind of data breach involving hashed passwords, even well hashed ones, can pose a
great risk to a student.
Phishing attacks also create a risk to students on the internet. The term phishing refers
to a practice whereby an attacker baits their victim into giving them their login credentials, often
by masquerading as a trusted site. These attacks can be avoided easily by taking care to avoid
untrusted links and checking site identities before logging in, but not all students take these
precautions. Phishing has an advantage over conventional hacking because it does not involve
the computationally intensive process of a brute force attack and it immediately returns the user's
password. The drawback for hackers is that the quantities of information obtained are significantly
smaller.
There are many ways that a student's login information can be compromised, and it is
more important now than ever to protect online identities. Even though these attacks can come
from a variety of sources, there are also common sense measures that any Penn Stater can take to
protect themselves, and these should be implemented on a wider level.
Solutions
Although the risks to students are various and daunting, there are easy ways for
individuals to combat the many risks they face when creating accounts online, and many, like the
two below, are relatively cheap to implement and scale. From the descriptions above, a few
common sense measures suggest themselves. Use unique passwords for different websites and
ensure that they are long and have a variety of different characters. For many students, this can
be a lot of information to keep track of. Although this greatly enhances security, forgetting
passwords is often a large hassle and involves several steps, including logging into an email
address and setting a new password.
Figure 2: Longer passwords are shown to have much longer times to hack, so creating longer passwords is very good for security. [image not reproduced]
-Password Manager
One interesting solution is the password manager. Password managers are applications
that integrate themselves into phones and web browsers, and automatically fill username and
password fields on pages they have been configured to interact with. They typically use
extremely long passwords composed of randomly generated sets of a variety of different types of
characters, which are extremely secure and too complex for users to remember. Because they are
so unique, they avoid following patterns found in human-generated passwords, which eliminates
another vulnerability. Though these applications frequently cost money to purchase, password
managers like LastPass and Dashlane[9] are free to use.
These managers work by identifying username and password fields from different
websites and automatically filling in those fields. Students need to log into the password
manager itself, which is itself potentially a very large security risk, as a hacker with just one
password will suddenly have access to all of that student's information. However, the companies
that create these password management systems are highly security conscious and extremely
sensitive about managing their own systems to ensure a breach does not occur. For example,
LastPass, one of the free to use password managers, was hacked in 2015, but moved quickly to
stop any damage from occurring[10]. Another potential difficulty when using a password manager
is giving another person temporary access to your account. Because all your passwords are held
by the manager, a user would have to share the highly complex computer-generated password.
This, however, is a mild inconvenience.
Despite this potential downside, password managers remain the best way to generate
highly secure passwords that are essentially impossible to crack using a brute force attack. These
companies rarely, if ever, get hacked, so students can approach them with a high level of trust.
Interestingly, they tend to make browsing experiences more convenient for users than normal
because users will only need to log in once, to the password manager. Subsequent login
attempts are all handled by the password manager. Overall, password managers increase usability
and security for students and should be more widely implemented and promoted.