Password Security and
Password Hygiene
Somitra Sanadhya
IIT Jodhpur
This set of slides was used for an invited talk during
National Cyber Security Awareness Month, Oct 2022.
1st Nov 2022
This morning's email to me
CERT-In: VPN credentials of 4 users of IIT J are being
sold on the dark web
We have verified the advisory and found it to be true.
Example:
User1: email_id = xyz.1 password = xyz.1234
Credits
Bollywood, Serials, Web-series: for memes used in this
talk
Internet: For some pictures in the slides
News Articles: For security incidents referred
Aim of the talk
Intended for general audience
NOT intended to be technical … & mostly remains so
Emphasis is on “Cybersecurity Awareness”
Anonymity on the internet
Image source: The New Yorker
(c) Peter Steiner
July 5, 1993
Authentication
“The act of proving the
identity of a computer
system or a user”
- wikipedia
Authentication failures lead to
Cybercrime
Criminals use this lack of authentication to fool people into
believing fake identities
Emails, Facebook messages, Bank SMS, …
This talk focuses on some aspects of protecting you
How to prove who you are?
Method 1:
What do you have?
Method used by smugglers
in Hindi movies in the 80’s
and 90’s
How to prove who you are?
Method 2:
Who are you?
Shreedevi, Nagina, 1986
Handprint, Thumbprint, …
Tom Cruise, Minority
Report, 2002
How to prove who you are?
Method 3:
What do you know?
Security questions
Passwords
Combining these methods
Money withdrawal from ATM: Card + PIN
Travel: Ticket + document to prove identity
…
Passwords as authenticator
Easy to use
Most widely used method for online authentication
However, insecure when used poorly
We discuss what these poor usages are, and why they are insecure
Password based login
Short or “easy” passwords
Everyone tells users not to use short passwords
But users …
Too easy to guess
“Shoulder surfing” attacks
How does the password get stored at the server?
Suppose the password gets stored as it is.
Then a database leak leads to leakage of everyone’s
password
Source: ZDNet.com Sept 26, 2012
Storing passwords
Do not store passwords directly
Store a value derived from the passwords
Stolen database
If the database gets leaked, the passwords are still safe.
Because the server only had “hashed passwords”.
Source: IndianExpress.com
May 19. 2017
Preventing (server-side) brute-forcing of passwords
May lead to Denial of Service (DoS) attacks
Preventing (server-side) brute-forcing of passwords
Audio, Text, … Captcha.
Maybe difficult for people with disabilities or old-age
CAPTCHAs don’t even work
Youtube Course project report: Stanford, 2017
“Strong” passwords
At least 8, preferably 12 to 15, characters long
Do not use consecutive keyboard keys, or dictionary words
Use the entire keyboard
Do not use personally identifiable information in the
password (child’s name, DoB, car number, …)
Caveat: assumption that the attacker is using a standard computer
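The rules on this slide, turned into a checker (added example, not from the original talk). The word list and the keyboard runs are constructed stand-ins; a real deployment would use a full dictionary and the user's own profile data for the personal-information check.

```python
import string

# Constructed mini word list standing in for a real dictionary (assumption).
COMMON_WORDS = {"password", "welcome", "admin", "jigsaw", "quest", "trait", "fork"}

# Keyboard rows, the digit row and the alphabet: a slice of 4 or more characters
# from any of these, forwards or backwards, counts as "consecutive keys".
KEY_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
            string.ascii_lowercase]
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)

def has_key_run(pw: str, min_len: int = 4) -> bool:
    low = pw.lower()
    for run in KEY_RUNS:
        for seq in (run, run[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in low:
                    return True
    return False

def check_password(pw: str, personal_info=()) -> list:
    """Return the rules the password breaks (empty list means it passes)."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    elif len(pw) < 12:
        findings.append("only 8-11 characters; 12 to 15 is better")
    # "Use the entire keyboard": count how many of the four classes appear.
    classes = sum(any(c in cls for c in pw) for cls in CHAR_CLASSES)
    if classes < 3:
        findings.append(f"uses only {classes} of 4 character classes")
    if has_key_run(pw):
        findings.append("contains a run of consecutive keyboard keys")
    low = pw.lower()
    letters = "".join(c for c in low if c.isalpha())
    if letters in COMMON_WORDS:          # e.g. Password123 is just "password"
        findings.append("is a single dictionary word plus decoration")
    # Personally identifiable information supplied by the caller (name, DoB, ...).
    for item in personal_info:
        if item and item.lower() in low:
            findings.append(f"contains personal information ({item!r})")
    return findings
```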
“Strong” passwords
Generating strong passwords
(1) Generate using a passphrase
Example:
Phrase: I first went to Disneyland when I was 8 years
old and it made me happy
Password: I1st w2DLwIw8yrso&immH
Example taken from: https://cybernews.com/best-password-managers/how-to-create-a-strong-password/
Generating strong passwords …
(2) Generate using multiple dictionary words
Example:
Words: Jigsaw, quest, trait, fork
Password: Jigsaw%Quest7trait/fork48
Example taken from: https://cybernews.com/best-password-managers/how-to-create-a-strong-password/
Multiple websites and services
Same password everywhere?
If the information leaks from one place, it gets leaked
from everywhere
Imagine losing money from your bank, just because your
song streaming app leaked your data
Hence, different passwords are needed for different accounts
What if you forget passwords too frequently?
“Reset password” attacks
Solution
Use Multi-Factor Authentication (MFA) wherever
possible.
Use phone based app, or SMS, offline codes, or another
device to confirm login or password reset.
Generation Gap
Source: Google survey, December 2018
Post-it passwords
Luiz Dorea, Head, International cooperation, Brazil Federal Police
At an event promoting the security of Soccer world cup final,
Brazil 2014
Post-it passwords …
Hawaii emergency agency, 2018
Missile alert warning (possibly linked to the password leakage)
Periodic password change
Good hygiene
Eric Griffin (writer for PC Mag online)
“Passwords are like underwear. You should change them often
(okay, maybe not every day). Don’t share them. Don’t leave
them out for others to see (no sticky notes!). Oh, and they
should be sexy. Wait, sorry, I mean they should be mysterious.
In other words, make your password a total mystery to
others.”
So far …
Strong passwords
Different for each website/app/service
Do not post the passwords where they are visible
Multi Factor Authentication
Change passwords periodically
Usability?
Lock the account after 3 wrong tries?
How do you know if your
password was breached?
Security engineer Troy Hunt has created a website which
tracks and collects data from known security breaches
Gap between a breach and its exploitation
Password database breaches may go unnoticed for a long
time
Historically, the gap between a breach and its exploitation has
been a few months on average
How to realise that the DB has
been breached ?
Store fake account info in the database
If someone accesses those accounts, it is a good sign that
the database was breached
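Detection logic for the decoy-account idea above, as an added example (not from the original talk): a few constructed authentication log lines are scanned, and any login attempt, successful or not, against a username that exists only as a decoy raises an alert. The log format, the decoy names and the addresses are all assumptions made up for this example.

```python
import re
from collections import Counter

# Decoy accounts: they exist only in the user database, so nobody legitimate
# ever types these names at the login page (assumption for this example).
DECOY_USERS = {"m.fernandes", "dev-backup", "priya.k"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) result=(?P<result>ok|fail) src=(?P<src>\S+)$")

# Constructed sample authentication log, not real data.
SAMPLE_LOG = """\
2022-11-01T09:15:02Z LOGIN user=alice result=ok src=10.0.0.5
2022-11-01T09:15:40Z LOGIN user=bob result=fail src=10.0.0.7
2022-11-01T21:02:11Z LOGIN user=alice result=fail src=203.0.113.9
2022-11-01T21:02:12Z LOGIN user=m.fernandes result=fail src=203.0.113.9
2022-11-01T21:02:13Z LOGIN user=dev-backup result=ok src=203.0.113.9
2022-11-01T21:05:00Z LOGIN user=bob result=ok src=10.0.0.7
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def decoy_alerts(log_text, decoys=DECOY_USERS):
    """Every attempt against a decoy account, whether it succeeded or failed.
    One attempt is already significant: the only place those usernames can
    have been learned is a copy of the database."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in decoys:
            alerts.append(rec)
    return alerts

def suspect_sources(alerts):
    """Alerts per source address: repeated hits from one address point at
    whoever is working through the leaked database."""
    return Counter(a["src"] for a in alerts)
```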
How to realise that the DB has
been breached ?
ACM CCS 2013
Generating and memorising
multiple strong passwords
Humans are bad at generating “random” passwords
Analysis of password breaches shows that most common
passwords are:
Password, 12345, qwerty, asdfg, …
US Military passwords
In June 2011, an attack against Booz Allen
(boozallen.com) leaked 90,000 US military passwords
22 of them were “123456”!
Similar numbers for many other common and weak
passwords.
Password managers
Invest in a good password manager
They allow you to generate multiple strong
passwords,
Change them periodically, and
Keep you notified if any breach takes place on any
service used by you
Password managers
Source: Google survey, Dec. 2018
Public Wi-Fi
Public Wi-Fi may be unencrypted
Hackers may be listening to your communications
Including the passwords
Fun incidents in coffee shops are/were common
Public Wi-Fi …
NYTimes, 4 Aug 2021
Public Wi-Fi …
What if you think like this?
The reality …
Your data may be used for phishing attacks
And may be used against your friends and family
Your private information may get leaked
Single Sign On
Many sites allow you to login via your social media or
mail accounts
Very common these days.
Avoid Single Sign On
You are giving more information to these organisations
(they already know too much about you !)
If the main account gets compromised then all your
other accounts may also be under risk
Avoid saving password info in the
browser
Especially if your computer is also used by others
Makes it easy for others to gain access to your login
credentials
Sometimes, the browsers have not stored the passwords
securely
Don’t fall for Phishing
One of the most common methods to gain access to your
accounts
Relies on human nature - we trust easily
Hence a human problem, less technical, more social
However, technology may make falling for phishing
harder
Don’t fall for Phishing
If a deal is too good to be true, it is usually so
Do not give your information to random websites,
salespeople in the mall, …
Don’t click shortened URLs
Check links (and not the text of the link)
Essentially, develop a habit of distrust
Implementation issues
Passwords may be good, the algorithm may be good, but
the implementation may leak the password
Consider a timing leakage in an implementation of login
verification
Implementation issues …
if (password == saved_password) ... else ... ;
The way string comparison works in many programming
languages, it stops at the first mismatching character, so the
time taken reveals how far into the password the guess was correct
This allows a byte-by-byte brute force to recover the
password
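The leaky comparison beside its fix, as an added example (not code from the talk). The early-exit version returns how many bytes it looked at, which is exactly what its running time gives away; the hardened versions look at every byte regardless. The sample secrets are constructed.

```python
import hmac

def naive_equal(guess: bytes, secret: bytes):
    """Early-exit comparison, the pattern behind `password == saved_password`.
    Returns (equal, bytes_examined); the second value is what timing leaks."""
    if len(guess) != len(secret):
        return False, 0
    examined = 0
    for g, s in zip(guess, secret):
        examined += 1
        if g != s:
            return False, examined      # stops at the first mismatch
    return True, examined

def constant_time_equal(guess: bytes, secret: bytes):
    """Examines every byte and folds the differences together with XOR/OR,
    so the amount of work does not depend on where the mismatch is."""
    if len(guess) != len(secret):
        return False, 0
    diff = 0
    for g, s in zip(guess, secret):
        diff |= g ^ s
    return diff == 0, len(secret)

def check_login(supplied: str, stored: str) -> bool:
    """What a login check should actually call: the standard library's
    constant-time compare. In practice both sides would be fixed-length
    password hashes, which also removes the length check as a signal."""
    return hmac.compare_digest(supplied.encode(), stored.encode())
```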
Implementation issues …
byte-by-byte brute force to
recover the password
Image source: https://www.sjoerdlangkemper.nl/2016/11/01/tenex-password-bug/
Password leak in Tenex Operating System, 2016
Lessons learned
Use strong passwords
Use different passwords for different services and apps
Maybe use password managers
Lessons learned …
Use Multi-factor authentication whenever possible
Do not share your passwords with anyone
Lessons learned …
Change passwords periodically
Avoid entering passwords on public computers or (unencrypted)
public wifi hotspots
Do not write down your password and stick the paper on your
computer (or near it)
Lessons learned …
Avoid saving passwords in browsers
Be aware of security pitfalls in the algorithm or its
implementation at the server side
The “method” of transforming passwords at the server
The method is known as “password hashing algorithm”
Industry uses bcrypt or scrypt
But slowly switching to stronger methods like
Argon2
Refer to Password Hashing Competition 2014-17
Our work on password hashing
With Dr. Sweta Mishra, Dr. Donghoon Chang and Arpan Jati,
we designed a password hashing algorithm, RIG
Available at: https://eprint.iacr.org/2015/009
Implementation available at: https://github.com/arpanj/Rig
Your feelings right now …
More technical info …
Fun stuff
Standup comedy by Michael McIntyre:
https://www.youtube.com/watch?v=aHaBH4LqGsI
Standup comedy by Gaurav Gupta:
https://www.youtube.com/watch?v=8ZX86pVN-l4
(Caution: occasional use of inappropriate language)
somitra@iitj.ac.in
https://sites.google.com/view/somitra