Poor Password Choices

As we stated previously, users are notorious for choosing highly unsecure passwords for their accounts. To expand on that proof point, let’s look at the top passwords of 2015 (listed in Table 1-1), compiled by SplashData from files containing millions of stolen passwords that have been posted online during the previous year.²

Before we get too far up in arms about people choosing these passwords, we need to be aware of some possible issues with the data used to compile this list:

• Because most of this data comes from information leaks, it could be that these passwords are just easier to crack through dictionary or brute-force attacks.

• We don’t know the source of much of this data, so we can’t validate the security measures in place on the sites or services.

• The data may contain anomalies or simply bad data. If a default password is being set by a service with a lot of leaked data (and never changed), it will push it higher on the list. If we are analyzing data from multiple sources using information that was poorly parsed, or has those anomalies, the list will be skewed.

With that said, even though those passwords may constitute a smaller number than the lists purport them to be, and the data may be highly skewed, they still exist. When building a data and identity security system, you have to provide an adequate level of protection for these people. Typically, you want to build for the weakest possible authentication system, which, depending on your security requirements, might comprise this list.

In many ways this is because of what we expect of people when they are creating a password: provide a password with mixed case, at least one symbol and number, and nothing recognizable in a dictionary or guessable from those who know you. These types of expectations create poor usability for users, in that they won’t be able to remember the password, and also ensures that they either pick the easiest way they can to enter the site, or write down that complex password on a Post-it note on their display. Usability needs to be a part of identity security for it to be effective.

Security over Usability

Favor security too much over the experience and you’ll make the website a pain to use.

Anthony T, founder of UX Movement

Your main objective when handling the data and identity of your users is to ensure their security, but at the same time you don’t want to alienate your entire user base by making your sign-in forms complex, or by forcing a multiscreen, manual checkout process for purchasing goods, or by continually challenging users for identification details as they are trying to use your service. Those are surefire ways of ensuring that your users never return.

The concept of usability versus security is always a balancing act. You need to ensure that you have a high-enough confidence in the security of your users, and at the same time do as much behind the scenes as you can so that they aren’t forced to break out of the experience of your site to continually verify themselves.

Here are some of the questions that we can ask ourselves, when thinking this through, are:

• Can I obtain identity information to increase my confidence that the user is who she says she is, without imposing additional security checks?

• If I have a high confidence that the user is who she says she is, can I build a more usable experience for that user versus one that I have no confidence in?

• What content requires user identification, and when should I impose additional levels of security to verify that?

We’ll explore these concepts further in Chapter 3, as you learn about trust zones and establishing identity information on a user.

Improper Data Encryption

Data security and identification isn’t about planning for the best, it’s about planning for the worst. If there is the possibility of something happening, you should assume that it will happen and have a plan in place to decrease or mitigate the damage that is done.

On March 27, 2015, Slack announced that its systems had been breached, and user information was stolen. The damage of the security incident was lessened because of its strong data encryption methods. From the company’s blog on the incident, “Slack maintains a central user database that includes usernames, email addresses, and one-way encrypted (hashed) passwords. Slack’s hashing function is bcrypt with a randomly generated salt per password, which makes it computationally infeasible that your password could be re-created from the hashed form.” In addition, following this incident, Slack introduced two-factor authentication for users, as well as a password kill switch for team owners that automatically logged out all users, on all devices, and forced them to create a new password.

In this case, data encryption and quick action prevented a massive theft of user accounts, and lessened the damage to Slack’s credibility and the confidence its users had in the company. Data encryption isn’t always about trying to prevent data from being stolen; it’s meant to slow down hackers long enough to make it infeasible for them to decrypt massive amounts of data, or to delay them until you can take appropriate action.

Single Sign-on

Single sign-on, also known as SSO, is a technology that leverages existing user accounts in order to authenticate against various services. The idea behind this concept is prefilling and securing a central user account instead of forcing the user to register at a variety of services over and over again.

Common choices that try to accommodate the wish to reuse user profiles to either provide profile information or to simply authenticate against other services include OpenID, OAuth 1.0, OAuth 2.0, and various hybrid models like OpenID Connect. In Chapter 4 we will focus on a selection of authentication techniques and will discuss the technical implementation details as well as the security implications.

Entropy in Randomly Selected Passwords

When we look at randomly selected passwords (computer generated), the process for determining the overall entropy of the passwords is fairly straightforward because there is no human, random element involved. Depending on the symbol set that we use, we can build a series of passwords with a desired level of entropy fairly easily.

First, the generally accepted formula that we use to calculate entropy is

where

• H = The password entropy, measured in bits

• b = The number of possible symbols in the symbol set

• l = The number of symbols in the password (or length)

To come up with the value of b, we can simply choose the symbol set that we are using from Table 1-2.

Using the formula, length of the password, and numbers of symbols in a given symbol set, you can estimate the bits of entropy from a randomly generated password.

Entropy in Human-Selected Passwords

Before we get into measuring entropy levels within a password that was created by a human being, rather than being randomly generated based on security standards, we need to understand that these numbers are nontrivial. Many methods have been proposed for doing so (NIST, Shannon Entropy, Guessing Entropy, etc.), but most of these fall short in one way or another.

Shannon Entropy is seen to give an overly optimistic view of password security (while providing no real actionable improvement hints), and NIST a nonaccurate (yet conservative) one. Because we always want to err on the side of caution with password security, let’s quickly look at the NIST study on how to measure human-selected passwords, as that will give us a good starting point.

According to NIST special publication 800-63-2, if we take a human-selected password, we can measure the assumed entropy with the following guidelines:⁶

• The entropy of the first character is 4 bits.

• The entropy of the next 7 characters is 2 bits per character (they state that this is “roughly consistent with Shannon’s estimate that when statistical effects extending over not more than 8 letters are considered, the entropy is roughly 2.3 bits per character“).

• Characters 9 through 20 have an entropy of 1.5 bits per character.

• Characters 21 and above have an entropy of 1 bit per character.

• A 6-bit bonus is given to password rules that require both uppercase and nonalphabetic characters. (This is also a conservative bit estimate, as the NIST publication notes that these special characters will most likely come at the beginning or end of the password, reducing the total search space.)

• An additional 6-bit bonus is given to passwords with a length of 1 to 19 characters that follow an extensive dictionary check to ensure the password is not contained within a large dictionary. Passwords that are longer than 20 characters do not receive this bonus because they are assumed to consist of multiple dictionary words placed together into passphrases.

Let’s take that idea and see what the entropy of a few examples would be:

monkey (6 characters) = 14 bits of entropy

4 bits for the first character, 10 bits for the following 5 characters

Monkey1 (7 characters) = 22 bits of entropy

4 bits for the first character, 12 bits for the following 6 characters, 6-bit bonus for uppercase and nonalphabetic characters being used

tvMD128!Rrsa (12 characters) = 36 bits of entropy

4 bits for the first character, 14 bits for the following 7 characters, 6 bits for the following 4 characters, 6-bit bonus for uppercase and nonalphabetic characters being used, 6-bit bonus for a nondictionary string within 1–19 characters

tvMD128!aihdfo#Jh43 (19 characters) = 46.5 bits of entropy

4 bits for the first character, 14 bits for the following 7 characters, 16.5 bits for the following 11 characters, 6-bit bonus for uppercase and nonalphabetic characters being used, 6-bit bonus for a nondictionary string within 1–19 characters

tvMD128!aihdfo#Jh432 (20 characters) = 42 bits of entropy

4 bits for the first character, 14 bits for the following 7 characters, 18 bits for the following 12 characters, 6-bit bonus for uppercase and nonalphabetic characters being used

You can start to see some holes in the assumptions that the NIST study makes with the last two password examples. First, one additional character causes the loss of 6 bonus bits of entropy because of the assumption that the password is of significant length that a user would not have chosen a complex string. Second, that if a string of that length was used for a password, it is most likely several dictionary words put together, such as “treemanicuredonkeytornado,” which, based on the NIST study, would actually give us 41 bits of entropy.

As we go further, you can see why determining the security of a human-created password can be tricky, and that’s because humans are unpredictable. If we plug a system of security requirements into a computer-generated password system, and store that in a password vault application like 1Password, KeePass, or LastPass, then we can have a very predictable environment. That’s why, for the most part, we usually take one of two steps (sometimes both) in securing identity in web development:

1. You require users, when they create their password, to strengthen their login. This can be requirements for length, nonalphabetic characters, uppercase and lowercase characters, nondictionary words, etc. For obvious reasons, the usability of this solution is quite bad, and it may alienate many users, but the security increases. The problem here is that when we make it harder to create a password, the user will more likely forget that password, and then require the use of the “forgot your password” reset flow.

2. You attempt to harden the data, as best you can, behind the scenes. This usually involves encryption, salting, and key stretching (all concepts we will dive into in Chapter 2), to try to help prevent weak passwords that are stolen from being compromised. When you have a solution like this, you may also see a mechanism that allows only a certain number of login attempts before temporarily locking the account, to prevent potential brute-force attacks against weak passwords. This solution is higher on the usability side, because users can pick practically any password they want, but lowers the overall security of their account.

In the end, we’re back to questions of usability versus security, and the truth of the matter is that our ideal scenario, for all parties, is somewhere in between. Remember, the two aren’t mutually exclusive.

Good and Bad Security Algorithms

Not all encryption algorithms are created equal when it comes to the security of our data and privileged user information. Some are built for speed, for quickly and accurately encrypting and decrypting large amounts of data. Others are designed to be slow. Let’s say your database of a million encrypted user records has been stolen, and the attacker is attempting to crack the encryption, such as by trying every word in the dictionary, to reveal the data underneath. Would you prefer to make this as fast as possible or as slow as possible? The correct answer is that you want this process to be as slow as possible for the attacker.

With regular cryptographic hash functions, an attacker can guess billions of passwords per second. With password security hashing algorithms, depending on the configuration, the attacker may be able to guess only a few thousand passwords per second, which is a massive difference.

Account Recovery Mechanisms and Social Engineering

After we’ve reviewed the details worth protecting, we should take this knowledge into account when looking at recovery mechanisms. Often social engineering or weak recovery mechanisms lead to exposure of information—even though protection mechanisms were implemented in order to prevent exactly this. If you are familiar with these matters, feel free to skip to this chapter’s wrap-up.

Popular examples include customer support providing account details they’re not supposed to share, and badly planned password-reset flows. A compromised email account can lead to easy access to a user’s account—securing our users by offering sensible security questions and allowing them to provide specific responses can help lower the risk of information leaks.

Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.⁠⁷

TechTarget SearchSecurity

The Problem with Security Questions

While the overall knowledge and consciousness about secure passwords is steadily growing, another volatile area—security questions—is often ignored. Instead of offering users an array of personal questions or even allowing for the definition of their own security questions, many generic phrases are offered that are often as easy to find out as searching for a person’s social media profile.

Security questions often appear as repetitive and sometimes even inadvertently comedic collections that can be cumbersome to answer and hard to remember (“What was my favorite dish as a child?” “What’s your favorite book?”). Soheil Rezayazdi published a list of Nihilistic Security Questions on McSweeney’s Internet Tendency that should at least cause a slight smile on your face—here are our personal top five:⁸

1. When did you stop trying?

2. In what year did you abandon your dreams?

3. At what age did your childhood pet run away?

4. What was the name of your favorite unpaid internship?

5. What is the name of your least favorite child?

In all seriousness, the impact of social engineering is often completely underestimated or even ignored. It is often easier to pass barriers instead of circumventing and breaking them down. The scope of social engineering can be anything between looking up some facts about a person online and sneaking into office buildings; while this might sound like an exaggeration (and often does not have to happen), it makes sense to prepare and train staff accordingly.

If you are looking for more information on this topic, great resources on social engineering are Kevin Mitnick’s books Ghost in the Wires (Back Bay Books), The Art of Intrusion (Wiley), and The Art of Deception (Wiley).⁹