{"id":927,"date":"2008-11-14T17:52:19","date_gmt":"2008-11-14T16:52:19","guid":{"rendered":"http:\/\/www.craigmurphy.com\/blog\/?p=927"},"modified":"2009-01-25T18:05:27","modified_gmt":"2009-01-25T17:05:27","slug":"passwords-alone-are-not-enough-even-if-they-were-are-they-hard-to-break","status":"publish","type":"post","link":"https:\/\/www.craigmurphy.com\/blog\/?p=927","title":{"rendered":"Passwords alone, are not enough. Even if they were, are they hard to break?"},"content":{"rendered":"

[As quoted in the Guardian: http:\/\/www.guardian.co.uk\/technology\/blog\/2008\/nov\/23\/technology-letters-blogs<\/a>]<\/p>\n

\n

Relying on a single password for more than one purpose, e.g. logging on to your web-mail, instant messaging service, Facebook, Bebo, etc. is probably very commonplace.  Indeed, expos\u00e9s such as Twitterank, and even it\u2019s parody site TwitterAwesomeness<\/a>, highlight the ease at which folks will essentially surrender their username and passwords.  Twitterank didn\u2019t just catch the unsuspecting Internet user, they also caught a number of people who really should have known better.  <\/p>\n

Sites that do need your Twitter username and password, such as BrightKite<\/a>, use it in order to post tweets on your behalf.  In BrightKite\u2019s case, it tweets each time you \u201ccheck in\u201d to their \u201cwhere am I\u201d service.  The check-in process involves you telling BrightKite<\/a> where you are, it then sends out a Tweet telling the world.  Such sites make their intentions very clear in the Terms Of Use<\/a>, Code of Conduct and Privacy<\/a> pages.  <\/p>\n

However, so did Twitterank. The site made it clear what it wanted you to believe it was doing with your username and password.  Even if you didn\u2019t read the Twitterank terms of service or FAQ<\/a>, it was embedded within the source code, as Barry Dorrans<\/a> carefully points out.  The speed at which the Twitter population flocked to Twitterank suggests that were there any ulterior motives, the site would be well placed to exploit a significant portion of the Twitter accounts that it had opportunity to harvest.<\/p>\n

Twitterank was different.  It relied on our instinctual want to graded or rank ourselves amongst our peers.  No matter how hard we try, we\u2019re all competitive by nature.  We want to know where we stand\/sit in relation to our peers.  Some services, such as Twitter Grader have managed to achieve this without the need for a Twitter password.  Granted there\u2019s only so much Twitter Grader<\/a> can do, however it\u2019s a polite service that has introduced me to a number of Twitter users in Scotland<\/a> \u2013 users that I may not have discovered.<\/p>\n

There was little indication whether a Twitterank of 100 was good or bad.  Some users reported ranks of over 200, others, as we\u2019ve seen already, received a rank of zero.  The mathematics behind the site were reported via a comment in this blog as being \u201cReal Math(tm)<\/a>\u201d and were comparable in accuracy to Google\u2019s PageRank<\/a> mechanism.  I\u2019m not a mathematician so I won\u2019t be debunking any formula, algorithm or approaches.  Well, not just yet at least.  For Twitterank to have been useful, it would need to allow us to determine whether our rank was better or worse than other Twitterankers (there it is again, I do apologise). <\/p>\n

Twitterank didn\u2019t really try to hide its intentions, however because of the the site\u2019s ease of use, instant gratification and rapid publicity, its uptake was huge (it trended TweetStats<\/a> and Twitter Search<\/a>, and at the time of writing, continues to do so \u2013 outdoing \u201cObama\u201d and \u201cJames Bond\u201d).  The publicity was part of what made it so popular – it sent out a Tweet announcing your Twitterank, including a link back to the site thus encouraging users to discover their own ranking.  In most cases, this would probably be fine, however spare a thought for the Twitter folks who received a ranking of zero<\/a> \u2013 and there where many of them!  Indeed, many Twitterankers (can I really get away with saying that?  Too late now!) tweeted their dissatisfaction at their ranking.  <\/p>\n

Amusingly, Twitterank\u2019s creator (@ryochiji<\/a>) reported on his Twitter feed that low rankers should try again tomorrow.  Oh, so that\u2019s how it works \u2013 everybody\u2019s Twitterank will improve over time, that\u2019ll work, great system, yes?  Further information may be found on the Twitterank blog<\/a>, assuming WordPress haven\u2019t deemed it necessary to close it down.<\/p>\n

It\u2019s not all about gullible users though
<\/strong>This morning, at the time of writing, a few hours after Twitterank was exposed for the social experiment that it probably is (or was), saw me reading Bruce Schneier<\/a>\u2018s Read me first<\/a> column in the Technology section of The Guardian.  Bruce writes a great piece explaining how passwords don\u2019t need to be broken per say, but that they are inherently easy to guess. <\/p>\n

Without spoiling the article too much, assuming that you are going to read it<\/a>, Bruce highlights our password selection techniques.  One such method, and one that is certainly very familiar to this writer in his corporate environment, is the keyword+appendage<\/strong> approach.  Users often take their child\u2019s name, their dog\u2019s name, etc. and add a numeric digit or two after the name, e.g. frank01 or rover12.  <\/p>\n

Today\u2019s processing power means that software can intelligently guess huge combinations of keyword+appendage passwords in a relative short and acceptable period of time.  Gone are the days when passwords would take days or weeks to crack.  If you need more convincing, think about how long it takes the average WiFi hacker to crack your wireless router\/modem WEP encryption<\/a> keys.  Or even your WPA encryption<\/a>?<\/p>\n

Bruce makes the suggestion of using a personal sentence as your password.  Not the sentence itself, but an obfuscated version of the sentence.  His example (yes I\u2019m spoiling the original article, sorry) uses \u201cThis little piggy went to market\u201d \u2013 it creates an obfuscated password of tlpWENT2m.  Such as password would take a significant amount of time to be guessed using processing power alone.  Just in case you were tempted, Bruce rightfully advises that we don\u2019t use tlpWENT2m ourselves\u2026oddly enough.<\/p>\n

Increasing security, some options
<\/strong>With the ease at which Twitterank coaxed visitors into typing in their username and password, it seems the days of the password as a single source of authentication are numbered.  We need to be considering more secure alternatives that involve \u201clevels of authentication\u201d.  Usablity is the key to widespread acceptance, any product in this space must be easy to use; its interface must be fundamental such that selection of a secure-level authentication token requires little more effort than offering a basic-level token.  <\/p>\n

With Twitterank-like incidents becoming more common, I predict that during 2009 we will see the general acceptance and widespread uptake of such authentication mechanisms such as OpenID<\/a>, and CardSpace<\/a> (further reading here<\/a> and here<\/a>).  You should familiarise yourself with these mechanisms because major web-sites such as Yahoo are gradually introducing them as part of their login process.  Indeed, even the likes of Facebook<\/a>, where you can be whoever you want to be<\/a>, may<\/strong> have to succumb and implement a more secure user registration and identity verification process.<\/p>\n

Beyond authentication into verification<\/strong>
Going beyond authentication, we need to consider verification, particularly of identity.  The internet has little in the way of process that can help us confirm an individual\u2019s authenticity and identity \u2013 how do you know that the person your are tweeting with or Facebooking is the person they say they are?  Twitter had the great fake Sarah Silverman<\/a> incident of October 2008.  Facebook has many impersonation cases, a few of which I discuss in elsewhere on this blog<\/a>.  <\/p>\n

Firms, such as NetIDme<\/a> are well placed to take advantage of the needs of the authentication and identity verification marketplace.  Identity verification through NetIDme processes involves a combination of stages, if you’re in the UK or US they boast a 95% “automatic verification” rate. The remaining 5%, or if you are a child, requires some form of personal contact with the NetIDme team \u2013 whether it is a fax or a phone call.  However, prior to the personal contact, you are invited to provide such things as your Driving Licence Number, National Insurance number, Social Security Number or Passport number in order for third party checks to take place.  Obviously this is much more involved and potentially more invasive than a simple username\/password combination. The fact we are now able to authenticate and verify who we are, including how old we are, is a key step forward in the growth and maturity of the Internet.<\/p>\n

And finally\u2026
<\/strong>At the time of writing Twitterank is still up and running, whilst there appears to be no malicious intent on the creator\u2019s part, the whole debacle in the social engineering space has left a bitter taste in the mouths of many people.  I am sure that no ill intent was ever on the cards, however Twitterank has proven that everybody needs to think about their own on-line security and the implications of password surrender.  <\/p>\n

Just think what might have happened to your Twitter feed? \u201cAh,\u201d you say, \u201cbut it\u2019s just my Twitter feed, I don\u2019t really care if somebody hacks it and owns it.\u201d  That\u2019s fine, but a lot of users have a single password, and that is where the problem stems from.  Identity theft often starts from the smallest thing.  I have a colleague whose identity was stolen simply because she left her name on the door bell of her previous house. The house had been sold to a gentleman who then let \/ rented the house.  The new tenants used the knowledge of the previous owner\u2019s name to start off the identity theft process.  It is that simple.<\/p>\n

I\u2019ll leave you with advice that is mentioned elsewhere in this blog: <\/p>\n

    \n
  1. Don\u2019t use the same password for social networking sites and services that are more important to you such as your on-line bank or your web-mail.  If your password is harvested, as Twitterank could have done, you may find yourself compromised in more than one way. <\/li>\n
  2. Avoid simple passwords such as \u201cpassword\u201d, \u201citsasecret\u201d or \u201cletmein\u201d.  Amazingly, during my university days somebody actually told me their password was \u201citsasecret\u201d.  Indeed it was\u2026I logged in and was later accused of cracking the said password.  A little trouble ensued but it was soon dropped when I explained that i had actually been given<\/strong><\/em> the password in the first place!  <\/li>\n
  3. Consider \u201cupping\u201d your levels of security your OpenID \u2013 there are plenty of providers.  Yahoo<\/a>, MyOpenID<\/a> and NetIDme<\/a> to name just a few.  Any progress in this direction, is good progress. Of course, you could always demand OpenID<\/a>!<\/li>\n<\/ol>\n<\/blockquote>\n
    \n

    Safe and happy surfing!<\/p>\n

    Further reading:<\/strong><\/p>\n

    Password security \u2013 even big names fail<\/a>
    Twitterank – celeb or peon? @t_rank<\/a><\/p>\n<\/blockquote>\n

    Technorati Tags: Twitterank<\/a>,CardSpace<\/a>,OpenID<\/a>,password<\/a>,security<\/a>,authentication<\/a>,Twitterankers<\/a>,read me first<\/a>,The Guardian<\/a>,Bruce Schneier<\/a>,age verification<\/a>,tlpWENT2m<\/a>,social engineering<\/a>, identity theft<\/a>
    \n    BrightKite<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"

    [As quoted in the Guardian: http:\/\/www.guardian.co.uk\/technology\/blog\/2008\/nov\/23\/technology-letters-blogs] Relying on a single password for more than one purpose, e.g. logging on to your web-mail, instant messaging service, Facebook, Bebo, etc. is probably very commonplace.  Indeed, expos\u00e9s such as Twitterank, and even it\u2019s parody site TwitterAwesomeness, highlight the ease at which folks will essentially surrender their username and … Continue reading Passwords alone, are not enough. Even if they were, are they hard to break?<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,19,21],"tags":[202,199,205,197,204,198,710,203,201,196,200,206],"class_list":["post-927","post","type-post","status-publish","format-standard","hentry","category-on-blogging","category-opinion","category-security","tag-age-verification","tag-authentication","tag-brightkite","tag-cardspace","tag-identity-theft","tag-openid","tag-security","tag-social-engineering","tag-the-guardian","tag-twitterank","tag-twitterankers","tag-twitterawesomeness"],"_links":{"self":[{"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/927","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=927"}],"version-history":[{"count":15,"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/927\/revisions"}],"predecessor-version":[{"id":1366,"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/927\/revisions\/1366"}],"wp:attachment":[{"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=927"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=927"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=927"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}