Thales Blog

How To Lose Your Password

November 14, 2017

The tsunami of passwords that exist across every aspect of our digital life means that there’s a thriving underground industry of cyber-criminals trying to get at them. To borrow from Shakespeare’s Macbeth: “Each new morn, new widows howl, new orphans cry, new sorrows slap Internet giants on the face”.

The modern era of mass data breaches perhaps began in 2009, with the hack of 32 million account credentials held by software developer RockYou, in which a SQL injection attack revealed that passwords were simple held in cleartext in a database table. The following year saw a leak from Gawker Media’s servers, with another 1.5 million records exposed. This time passwords were lightly protected by the 1970s-era DES algorithm.

How to lose your password

Then, like Premier League transfers, the numbers went up and household names began to appear: 2012, LinkedIn, 178 million records, unsalted SHA-1 hashes. 2013, Adobe, 153 million, home-made obfuscation.

You may not remember your MySpace password from 2008, but the Internet does: 360 million email addresses and passwords were allegedly offered for sale last year.

Yahoo!, Equifax - I could go on, but you might want to play with this visualisation instead.

Taking a password dump from a server isn’t, of course, the only route to compromise. Tricking a user into entering a password into some malicious program or other pre-dates the modern web.

The first mention of ‘phishing’ dates back to the days of the AOL bulletin board service - a program called AOHell paved the way by automating the process of sending out fake security messages. The discovery that a weak and obvious fraud could still be effective when amplified through mechanisation, and hidden behind online anonymity, was ground-breaking.

If your target users are smart, of course, it may be necessary to steal passwords literally from under their fingers. Keyloggers - programs or hardware which record keystrokes to be retrieved by an attacker - are Cold War technology that is still with us.

Back in the Brezhnev Era, US diplomats working in Moscow used electric typewriters to write up memos and reports, with not an Internet connection in sight. Following the discovery of a bugging device in the French embassy, NSA engineers examined some 44 IBM Selectric models in minute detail, dismantling and X-raying the parts. They were amazed to discover - by making a tiny modification to the power switch - that hidden inside them was a sophisticated electronic eavesdropping device which detected the movement of the typewriter’s print head using magnets and relayed the information in short radio bursts. It’s estimated they had been in place, unnoticed, for up to eight years. The investigation, referred to as Project GUNMAN, has now been published in documents available on the NSA website.

As I mentioned in my first post, we’re all currently drowning in passwords. Given the lengths to which people will go in order to get their hands on them, we really should be doing as much as possible to keep them safe and secure.