Why changing passwords isn’t the answer to a data breach

Another day, another retailer hacked, with user accounts (potentially) compromised. Cue blanket advice telling all users to change their passwords.

But is this an effective way to deal with cyber attacks? Should we be renewing passwords as a matter of course? Is this practice even necessary, and is it sustainable? What lessons in password management post-breach can we learn from the recent spate of attacks suffered by the retail sector?

Customers have repeatedly been issued with the same advice to change their passwords following a flurry of retail breaches (eBay, Office, Lakeland etc.). But the number of missives being issued is starting to create a sense of apathy.

Days after the eBay breach, a significant proportion of customers still hadn’t changed their passwords. Moreover, those that attempted to do so found it difficult to access the site.


As more breaches occur, and the same advice is repeated, users will become frustrated and may even become desensitised to what is a very real threat.

Such apathy may see the initiation of emergency response measures, such as a global password reset to force the user’s hand. Inevitably, this would result in yet more passwords that meet the minimum complexity requirements and are probably reused on several other sites, thereby prompting more compromises as those passwords are used to attack other sites.

Retailers need to stop this knee-jerk reaction of issuing dictums that merely see one weak password replaced by another, and begin offering concrete advice that improves password creation and management. It should then seldom be necessary to change passwords at all.

When you create a password on an ecommerce site, unless the web site developers were extremely cavalier, the password will have been one-way hashed and (hopefully) salted with extra random data. This means that it is not the password that is stolen – it’s the password hash.

To recover the password, the hash has to be cracked. That’s done by taking a dictionary or a wordlist from another breach and running the plain text through the one-way hashing algorithm to see if the hash matches. Once it matches, it’s possible to determine what the plain text password was.

Tools such as hashcat allow for incredibly fast processing of hashes – the entire Oxford English Dictionary would take a fraction of a second to process, depending on the hashing algorithm. It can even cope with ‘mangling’ of words, such as replacing the letter ‘o’ with a zero and the like.

Furthermore, passwords made by combining (‘concatenating’) words are also relatively easy to crack using similar tools. There’s a wonderful cartoon written by XKCD that suggests ‘correcthorsebatterystaple’ is a really good password. Sadly, it isn’t that great, owing to the power of cracking tools like hashcat.

Passwords that are cracked from breaches are almost invariably the weakest. Dictionary words and names succumb very quickly. Adding uppercase and numbers helps but still won’t protect the password hash from a determined cracker.

A password clearly needs to be complex and long. Non-alpha characters are a must (!$% etc.), ideally including characters that are unique to your language (e.g. £, ö, ¥ etc.). Break up words using special characters. An easy way to enter characters that aren’t on your keyboard under Windows is to type Alt then a number between 0104 and 0255, for example. This gives you access to the Windows Extended character set.

So, if you have a genuinely strong password, it is unlikely to be cracked, even if the hash is stolen in a breach. Strong means more than 12 characters, probably based on a phrase to make recall easier, but with the words broken up with non-alpha characters e.g. co%rre£ctho^rseba&tteryst(aple. Robust passwords do not need changing.

Perhaps the advice from breached retailers should actually be ‘change your password if it was weak’, although there are exceptions.

If the retailer has been negligent enough to store passwords in plain text, or the attacker has managed to gain sufficient access to the website to capture passwords before these are hashed, the password could still be compromised. Such incidents make a password change mandatory but also show a lack of data protection and poor web site security on the part of the retailer.

Users should demand more information from breached retailers. More transparency equals a more effective incident response. For example, what hashing algorithm did they use? Some are way, way stronger than others, making cracking the hash thousands of times harder. Were the hashes salted, that is, was some extra, random data added when computing the hash? That, again, makes the crack harder. Did the breach involve access to plain text passwords?
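The questions above about algorithm and salt, and the earlier description of wordlist cracking, can be made concrete with an added example that is not part of the original article. It stores the same constructed passwords as unsalted SHA-256 and as salted PBKDF2, then shows which accounts a mangled wordlist exposes and how much more each guess costs under the slow scheme; the wordlist, user names and iteration count are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

# Constructed sample data: a tiny wordlist and two accounts sharing one weak password.
WORDLIST = ["password", "sunshine", "dragon"]
USERS = {"alice": "passw0rd", "bob": "passw0rd",
         "carol": "co%rre£ctho^rseba&tteryst(aple"}

def variants(word):
    """The word plus simple 'mangled' forms such as o -> 0."""
    return {word, word.replace("o", "0"), word.capitalize(), word + "1"}

def sha256_hex(pw):
    """Fast, unsalted hash: the weak storage scheme."""
    return hashlib.sha256(pw.encode()).hexdigest()

def pbkdf2_record(pw, iterations=200_000):
    """Slow, salted record: (salt, iterations, derived key)."""
    salt = os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return salt, iterations, key

def verify(pw, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    test = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(test, key)

def weak_accounts_unsalted(db):
    """One precomputed table of wordlist hashes flags every matching account."""
    table = {sha256_hex(v): v for w in WORDLIST for v in variants(w)}
    return {user: table[h] for user, h in db.items() if h in table}

def cost_ratio(iterations=200_000, n=2000):
    """How many times more one PBKDF2 guess costs than one SHA-256 guess."""
    t0 = time.perf_counter()
    for i in range(n):
        sha256_hex("guess%d" % i)
    fast = (time.perf_counter() - t0) / n
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"\x00" * 16, iterations)
    return (time.perf_counter() - t0) / fast

if __name__ == "__main__":
    unsalted = {u: sha256_hex(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_record(p) for u, p in USERS.items()}
    print("exposed by wordlist:", weak_accounts_unsalted(unsalted))
    print("same hash, unsalted:", unsalted["alice"] == unsalted["bob"])
    print("same key, salted:", salted["alice"][2] == salted["bob"][2])
    print("cost per guess: %.0fx" % cost_ratio())
```

With per-account salts the single lookup table no longer works: every guess has to be recomputed for every account, at the higher per-guess cost.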


In the eBay incident, a number of angry users complained that they wanted to know more about how their password had been stored. If the answers to the above are quickly determined and communicated, it’s possible to safely decide whether passwords need to be reset or not. And, if adequate steps have been taken, the advice to change passwords is unnecessary.

Users do of course have the responsibility to protect themselves online. Swapping one weak password for another offers little protection. So set a strong password: use song lyrics, or phrases that mean something to you, then add some numbers and symbols. But if that sounds too onerous, use a password vault to create a barrier between you and the retailer.

Ultimately, if afforded sufficient protection, a robust password may not need changing if the hash is stolen in a breach.

Sourced from Ken Munro, partner at ethical hacking firm Pen Test Partners


Ben Rossi
