Why It’s Time to Drop Passwords for Federal Networks

It will probably surprise no one that users continue to use weak passwords that are easily guessable. And if not guessable, they are at least quickly revealed by dictionary programs, rainbow tables and other cracking tools. I obtained a few of these attack kits to see how they fared against various password-generating schemes, and the results were not good. It may be time to eliminate passwords all together from federal government networks in favor of better forms of security.

What got me thinking about passwords is a recent report from NordPass that showed the most common passwords used in 2019. These were gathered from lists of compromised passwords obtained in data breaches throughout the year. Basically, hackers stole those lists of passwords and put them up for sale. They were obtained and analyzed for the report.

The same weak passwords topped the charts again, with 12345 being the most popular. That almost three million people still use the very first password that any script kiddie is going to guess is mind-blowing. But it also showed that some people were at least trying to use somewhat better passwords, though not by much. For example, 1q2w3e4r5t was number 62 on the list, so at least people were trying to be slick by using the popular keyboard run. But it’s not the secret they probably hoped it was, with 55,318 other users setting their password exactly the same.

There are some interesting password attempts on the list. The band One Direction must be doing pretty well because 30,388 people chose it—without a space or any capitalization—as their password. Jesus is still well-represented at number 151, protecting 34,220 accounts. But he’s not as popular as chocolate, at number 48 and assigned as 62,325 passwords.

John the Ripper

Seeing the list of compromised passwords is fun, but the fact is that any password tied to any form of popular culture or shared knowledge can be easily cracked, and this is true even if it’s used with substitutions like putting zero instead of the letter O or adding numbers and special characters to the front or back of words. To prove this, I obtained the John the Ripper brute force password cracker along with updated versions of other hacker tools I have previously used in the lab.

I set up some passwords that people might think are pretty good, modified them slightly with substitutions and additions, and then unleased the tools against them. These tests were performed in a closed network environment, so the tools were able to operate extremely quickly but shouldn’t fall too far outside of their real-world performance. None of the passwords did very well in stopping attacks.

For example, House Targaryen from Game of Thrones only held out as a password for 32 minutes. Unlike the show, they did ultimately beat House Stark, however, which fell in half the time. House Baratheon defended its account for the longest at an hour and 39 minutes on average against all cracker tools. And Game of Thrones itself was compromised almost instantly, with or without spaces and using all forms of capitalization, in under two minutes.

Staying on the fantasy theme, and really wanting to dive into this issue, I turned to someone who I consider a master storyteller who was ahead of his time, H.P. Lovecraft. I recently read the complete works of Lovecraft, so his strange alien hierarchy and creepy cults were at the front of my mind. At one point in his most well-known story, Call of Cthulhu, the Louisiana swamp-priests and wizards chant, “In his house at R'lyeh dead Cthulhu waits dreaming.” Only they say it in their otherworldly language, which is represented in the book as “ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!”

Now, one would think that “ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!” would be a pretty secure password. But it’s not. Because it’s tied to popular culture, the crackers found it on an average of less than 45 minutes.

Falling Under the Rainbow

And that was just using brute force tools. Advanced hackers these days use rainbow tables among other methods, which are enormous datasets made up of hash values matched to possible plaintext passwords. The hash value is what your password gets turned into when sent to an authentication server. Hashes are used because databases don’t store passwords in plain text, as that would be a security vulnerability. Instead, they store a cryptographic hash of a user's password. When you enter in your password, the server hashes it and compares the resulting value to the stored hash table looking for a match.

If the hash table gets stolen, it’s no good by itself because users can’t directly enter a hash as input for a password. If they did, it would simply get hashed itself and turn into something else that doesn’t match. So you need a rainbow table to convert it back to a matching word.

To use a rainbow table, you first have to steal the hash table from an authentication server or know the algorithm used. And while grabbing a hash table is sometimes difficult, they are often not robustly protected because administrators mistakenly think that because passwords are encrypted and hashed that they pose no real risk if stolen. 

The problem is that rainbow tables allow hackers to reverse the hashing process, which results in very quick password compromises. It's even possible to have different passwords share the same hash value, which means that hackers don’t even have to guess what the original passwords was, just a word or phrase that corresponds to the matching hash value. And the tables make that quick work.

The only other downside to using rainbow tables is the huge amount of storage required to maintain them. The fairly simple one that I maintain in my lab for security reviews and testing purposes is over 10 terabytes. That used to be a problem, but with storage being so cheap these days, and cloud solutions offering unlimited space, the rainbow tables can spread out for not much money.

So when you hear that passwords were compromised in a breach, but that they were encrypted and hashed, that’s not necessarily an ironclad guarantee that they won’t be reverse-engineered and used by hackers. 

Stealing the hash table for these tests wasn’t difficult since it was all inside my own lab. Once obtained, it took seconds on average to crack most passwords or to find passwords that shared the same hash value, and thus could be used to gain access. Compared to using the crackers, the rainbow tables worked in minutes or even seconds.

And here is the thing, if hackers are using rainbow tables and other similar attack methods, stronger passwords won’t really help, since that method preys on the weakness of the hashing process, not the strength of the password itself. Longer passwords would force the use of bigger rainbow tables, but that’s about the only real defense. In that case, the Cthulhu password was the best, since it was the longest.

The End of Passwords?

The fact is that passwords are probably always going to be fine as an authentication method for some things. Your personal desktop computer that sits alone in your home office is perfectly safe with just a password since someone would need to be standing there to try and crack it. But shared and networked systems, and those on federal networks, are a different story.

Sure, most federal networks use multifactor authentication, with at least two things required for access. But if one of those protection methods is a password, then it’s still extremely weak. If a password can be easily compromised, then suddenly that dual-factor authentication becomes, in reality, a single protection method. True multifactor authentication for highly protected systems these days requires multiple access control methods, and passwords probably shouldn’t be one of them anymore.   

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys