Earlier this year, we looked at a cybercriminal attack method known in the jargon as credential stuffing, which was was showing up again and again in cybersecurity news stories.
Here, we’re visiting this simple but effective attack once more, this time in a bit more detail, with some additional tips in the What to do? section at the end.
Banks with safe deposit vaults don’t set them up so that every box gets the same key, for obvious reasons.
Likewise, if you had safe deposit boxes at two completely different banks, you’d be surprised if their keys turned out to be identical.
But when it comes to online accounts, some of which we use for storing secrets as important as the documents we keep in deposit boxes, we’re not always so careful.
Ironically, this happens even though we almost always get to choose our own access codes for online accounts.
In contrast, safe deposit keys are chosen and issued by the bank that’s providing you the service, and you can’t easily judge the reliability of the process they follow when issuing new keys.
As it happens, even though it’s unlikely, two safe deposit keys of yours could match, at least in theory.
There are only so many manufacturers of safe deposit boxes, only so many different sorts of lock, and only so many different physical key configurations for each lock.
For example, a lock with six levers, each of which can be set to open at five different positions (these correspond to the depth of the cut into the key at that point) has just 56 = 15625 different keys.
Even a seven-lever, seven-depth lock has a maximum of 77 = 823,543 different possible key shapes.
Don’t let your safe deposit keys get into photographs. The profile of the key determines the setting, or depth, of each lever inside the lock, which can easily be worked out by superimposing a grid over a picture of the key, as depicted above, allowing a duplicate to be made.
In contrast, even an eight-character password consisting of upper-case letters only (A-Z
) has 268 = 208,827,064,576 different possibilities, which is more than 200 billion, assuming you choose randomly instead of picking PASSWORD
because it’s easy to remember.
With that many combinations, it feels as though you should be safe against any attacker guessing the password to any account, even though many websites will refuse to accept basic eight-letter passwords these days on the grounds that they aren’t complicated enough.
If you try a bit harder by choosing from upper-case letters, lower-case letters and digits (A-Za-z0-9
), and using 14-character passwords, you ramp up to a whopping 6214 combinations, which is 1.25 septillion, or about 284, which is an 84-bit binary number.
Even if you take into account the fascinating Birthday Paradox that we studied recently, you have only a minuscule risk of ending up with two accounts having the same password.
The Birthday Paradox shows that picking randomly from a set of N choices results in a so-called collision – an unexpected duplicate choice – very much more readily than most people first think.
In the case of matched birthdays, where there are 365 different choices (for computational convenience, we ignored those rare folks born on 29 February), we found that a shared birthday was more than 50% likely in room of just 23 people, and 99% certain in a meeting with 57 people present.
That 50-50 cutover point doesn’t arrive when you pass half the number of choices (N/2), which would be 183 in the case of the set of possible birthdays or 283 in the case of our 14-character passwords, but at just over the square root of N (very close to 1.177√N, in fact), which feels worryingly counterintuitive at first.
Nevertheless, with 284 different possible passwords to choose from, you’d need to create more than 5 trillion accounts of your own before there was a better-than-50% chance of two accounts sharing a password, because 1.177√284 = 1.177 × 242, which is just over 5 trillion.
And even if some random pairs of your accounts had the same password, that wouldn’t be any real use to an attacker, because they wouldn’t know which two of the 5 trillion accounts they were, or the actual password they shared.
(If the crooks had a list of all your accounts and all your passwords, they could pinpoint the collisions, but those matches would then be of academic interest only, given that they’d know every password already.)
Surely, then, a randomly-chosen 14-character password should be more than safe enough against most, if not all, types of cyberattack?
In theory, yes.
But as the old saying goes (variously attributed to Yogi Berra, Richard Feynman and Albert Einstein, but probably coined by early American industrialist Benjamin Brewster), “In theory, theory and practice are the same. But in practice, they aren’t.”
Password size, it turns out, isn’t everything.
Judging a password just by its length isn’t sufficient, because length alone doesn’t make a password unpredictable.
By some accounts, for example, when Apple increased the shortest legal iPhone lock code length from four digits to six digits, the most common lock codes shifted from 1234
to 123456
, and from 0000
to 000000
.
The new codes were 50% longer, but just as obvious and easy to guess.
(Modern phone lock codes, like bank chip PINs, can safely be much shorter than regular passwords because they are handled in a tamperproof chip that will unavoidably wipe itself after a small, fixed number of failed attempts. But online passwords can’t provide this sort of certainty, and therefore need to be complex enough to survive an essentially unlimited sequence of guesses.)
Quite how passcode surveys know what millions of people actually used as their phone lock codes is rarely explained, given that those codes are never transmitted over the internet and can’t easily be extracted from the phone, if at all. So these ‘studies’ may simply reflect the fake answers that people came up with when asked a question that didn’t deserve a valid answer. But the examples nevertheless reflect the problem of relying on what humans think of as ‘extra complexity’.
Passwords don’t become significantly more difficult to guess as they get longer if they follow some sort of algorithm or pattern, or if they are selected from a predictable set of known choices.
Attackers are unlikely to try the password ENTOMOLOGICAL
before they try PASSWORD
, or even before they try obvious variants such as PA55WORD
or Pas55word!
, but both words appear in even the most basic online dictionaries.
As a result, ENTOMOLOGICAL
is almost certain to be tried out by an automated password cracker long before the shorter but less likely JHDPO6VZ
.
Fortunately, most online services these days impose what’s known as rate limiting to stop attackers from guessing at a single user’s password over and over again rapidly, which limits the reach of so-called dictionary or guessing attacks.
Unfortunately, rate limiting only works if there is no way to test a password other than by interacting with a website’s official login page, where such limiting can be enforced.
If a website maintains a database of passwords, even if they’re cryptographically scrambled to prevent the original password data from simply being read out in plaintext form, and that database gets stolen in a breach…
…then attackers can test their password guesses against the stolen database directly, using program code of their own choice, without any limit on the speed or quantity of their tries.
They can also harness any number of processors or computers at the same time, to try out thousands or millions of different passwords in parallel.
Fortunately, well-managed password databases take precautions that increase the time needed to test each password, which slows down regular online logins slightly but not enough to be inconvenient (an extra second to verify your password every time you login makes little difference to usability), while at the same time making automated password guessing programs too slow to be useful.
In short, if you will pardon the play on words, online passwords should not only be as long as you can conveniently tolerate, but also be as unpredictable as you can make them.
This helps to ensure that they can’t easily be figured out from personal information on your social media pages, guessed from your favourite songs, or found even in the most extensive word lists.
Ideally, you’ll use some sort of random password generator, such as a password manager application, that can come up with long, pseudorandom concoctions such as DgCQCt5W6nx+RWXn
as easily as you can think of BESTNOTTOUSETHIS
, and can remember a different password for every service you use.
Password managers, however, come with challenges of their own.
Firstly, you need to find one you trust, given that it may end up holding all the keys to all your online castles.
Secondly, you need to learn how to install and use it on all the devices from which you might access your accounts, and how to keep your own password database safely and securely consistent across those devices.
Thirdly, you need to come up with a master password of your own that you can remember, so you can unlock the password manager itself to give it access to the rest of your passwords.
But if you’re going to the trouble of inventing a memorable but hard-to-guess password or passphrase of your own anyway, which could be a random choice of four different words, such as backstoryoctopusairplaneBaltimore
, or a coded phrase such as I simply wasn't yet ready to commit to a password manager for everything
that you translate mentally into ISw'tyR2c2aPM4e
…
…well, why not simply commit that password to memory and then use it for everything?
The problem, of course, is a cyberattack known by the vaguely confusing name of credential stuffing, where ‘credential’ is really just a fancy way of saying ‘password’.
At first reading, credential stuffing sounds very much like a guessing attack, or even what’s known as a brute force attack, where cybercriminals aim to try every possible password if the range is known in advance.
(A brute force attack is rather like trying to open a bicycle combination lock by spinning the dials through every combination from 0-0-0
to 9-9-9
in sequence until it pops open at the right number.)
But the jargon term credential stuffing refers to an attack based on breadth, not on depth.
If the crooks find out any one of your passwords, they will typically try that same password on every online account that they think belongs to you, just as soon as they can.
That way, if you have re-used that password on a second site or service, the attackers immediately compromise two accounts for the price of one, without running up against any rate limits.
In practice, the crooks may try multiple similar or related passwords on each account, thus mounting a mini-dictionary attack of sorts, such as adding sequence numbers or account abbreviations if they suspect you might have varied the master password slightly for each account.
For example, if they get hold of your Facebook password and notice that it is rAnDomT3xt-fb
, then rAnDomT3xt-gm
would be a good guess for your Google password.
After all, if the text -fb
is a mnemonic that you added for Facebook, then -gm
makes a likely choice for Gmail.
Simply put, in a password stuffing attack, the criminals don’t stuff lots of different passwords into a single login form in the hope that they can figure out your password for that account.
They stuff a single password from one account into as many other login forms as they can think of, in the hope that they can quickly find a way into other accounts at the same time.
In an attack like this, size definitely isn’t everything.
In fact, size isn’t anything, given that the crooks probably didn’t acquire your password by cracking it, or by trying billions of choices over many months of determined attacking.
They could have got hold of that known-good password in its full and final form, regardless of its length and complexity, in many different ways, including:
Here are some practical, human-centric tips:
5
key, which helps you find the right digits even if you can’t see them.)A small but reasonable amount of password caution goes a long way!
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of safe deposit boxes by Tim Evans via Unsplash.