A recent webinar by Lorrie Cranor, a professor of computer science and Engineering & public Policy at Carnegie Mellon University, on the topic of the ‘Human side of Cybersecurity’ went into depth on the human element in cybersecurity, specifically in reference to passwords and privacy. In this blog, I discuss the main observations.

The human threat?
When we talk about “human error” we are really talking about four types of humans. Firstly, and most commonly, malicious humans who are basically the attackers that want to cause harm to our secure systems. Secondly, humans who do not realize there are certain security critical tasks that they should carry out or do but do not know how to carry them out. Thirdly, unmotivated humans. They may know they might have to do something but have no motivation or incentive to do so. Lastly, there are humans that are constrained by human limitations. These are people who struggle to complete security tasks because they are difficult to do such as memorizing large passwords with a number of different characters.

Password Hygiene (and the lack thereof)
In a 1999 USENIX Study called “Why Johnny cannot encrypt”, the idea of why security encryption software is so hard was put forward with the intention of trying to make encryption easier to understand for users. 22 years later, Johnny still cannot encrypt, and encryption software is still in a state of limited usability. This is because we rely on users to do security tasks who are not good at things such as creating unique and strong passwords, and this leaves users in a position where they are practicing poor password hygiene. One of the causes of this relates to users’ misconceptions about passwords.

Examples of misconceptions about passwords

Misconception 1: Keyboard patterns are secure
An example of a keyboard pattern password is ‘1qazxsw2’. If you actually follow the keys on the keyboard, you will notice that this seemingly strong password is actually rather simplistic. The misconception here is that people believe passwords like this are strong because they seem random, but the truth is that there is an underlying pattern, which makes this an unsecure way of password creation.

Misconception 2: Adding ‘!’ to your password makes it more secure (e.g., ‘password!’, ‘iloveoyou1’)
Adding an ‘!’ to your password is a common strategy that users adopt to create strong passwords. The reason behind such attraction to this symbol has to do with website feedback, especially when websites tell users (during the creation of their password) to try and add a symbol. The same reasoning applies to numbers, where generally we will add the number ‘1’ at the end of our password.

The same could be said for common phrases. Imagine if one had to decide which of the passwords, either ‘iloveyou88’ or ‘ieatkale88’, are the most secure. Most people would say that both passwords are equally secure because they both contain the same number of letters and the exact same digits. This is a misconception. A 2016 study found that ‘ieatleak88’ is much stronger than ‘iloveyou88’. This is because when we make passwords, we tend to make them about things we like and have good memories of, thus making ‘iloveyou88’ a much weaker password. Simply said, everybody ‘loves someone’ while ‘eating kale’ is much more limited.

This raises the question of why websites include these password meters in the first place if the feedback they provide doesn’t actually result in a strong password.

Reuse of passwords
What has become practice in society today is the reuse of passwords on multiple websites. One study in 2017 found that on average, participants had 26 different accounts yet only 10 distinct passwords with 51% of them having partially and exactly reused their passwords. This is a massive problem as attackers can exploit password reuse. For example, an attacker could have a stolen list of passwords that they would crack and then use to find out where else they can use the same passwords (e.g., will try online stores, banks). If the password does not work, the attackers will try some variations (i.e., partial reuse) of that password, thereby increasing the chances that they gain access to the user’s other accounts.

One might propose the reasonable solution of encouraging or even mandating (in company structures) the consistent changing of passwords over a certain period of months. The whole rationale behind this is that if your account has been compromised and you’re not aware of it but change your password, you will lock out any attacker from accessing your account that you did not know was there. Research, however, shows that this theory is fundamentally flawed. A 2010 study showed that knowing old passwords is very useful in predicting newer passwords.  Although this still requires the attacker to make the effort to crack the old password, the study showed that in a simulated online attack 17% of accounts were cracked within five guesses while in an offline attack 41% of accounts were cracked within three seconds. To understand why this is so significant one needs to understand the difference between an online and offline attack. An online attack concerns the traditional type of attacks against a web server or logon interface where the attacker will try a number of username/password combinations to get access to a specific system or account. An offline attack is a bit more complex as it first requires the attacker to find the hashed form of the password which can be done in many different ways such as dumping your computer’s memory contents. The way this works is that once an attacker gains administration access to your computer he/she can dump the contents of its memory, thereby revealing the hashes of all local accounts on the system. After getting the hashed password, the attacker will take the hash offline, meaning the attacker will use a computer to try find the plaintext value that computes to that hash.

Although more complex than online attacks, the advantages of offline attacks are much more evident. Firstly, in online attacks most applications have an alerting mechanism to identify when someone is trying to brute-force their way into an account whereby if a password has been guessed to many times in a row, that user will be blocked from entering that account. In offline attacks, however, this problem doesn’t even come into play as the attacker is never attempting to login to the application server and therefore can’t be the subject of account lockouts. Secondly, offline attacks are not limited by the speed of the application server in sending requests back and forth. Rather, because it’s offline, a cracking machine can be used by the attacker which could, in principle, attempt 3 billion password guesses per second. It is because of the complex yet advantageous nature of offline attacks that has resulted in 41% of accounts being cracked within 3 seconds. This suggests that forcing people to change their passwords consistently does not substantially improve security.

What about two-factor authentication & password managers?
Two-factor authentication (2FA) is one mechanism that can enhance password security. However, the adoption rates of 2FA are generally quite low (unless mandated by certain organizations). A 2018 study on the implementation of 2FA at Carnegie Mellon University found that people who have never used 2FA need substantial convincing, either because they did not think it was needed, there was nothing important in their account or they just found it to be an inconvenience. However, after adopting 2FA, many users said it was not as bad as they thought it would be. It is clear that the difficult part of 2FA is in convincing people that they should adopt it, but this does not take away the necessity of still ensuring you have a strong password as 2FA alone does not protect against all threats.

Password managers are another way in which one can maintain a high-level of password security, but their adoption rates are just as low as 2FA. There are a number of reasons for this such as lack of awareness, underestimating the risk of password reuse and usability and reliability problems. The most common reason for people tending to stray away from password managers is because they overestimate the risk of password manager compromise. In practice, there are really only two ways a password manager can be hacked.

Firstly, at a more general level, a password manager company could have a software flaw in its systems which allows someone to hack all the password managers that the company makes. A reputable password manager will let you know ASAP if this happens so you can change your password quickly. In the past where such breaches have occurred, the prompt response of password manager companies have stopped the damage of such an attack extending to users. Secondly, the password manager of an individual can also be hacked. This is possible but unlikely if your password is really strong and you are vigilant of social engineering techniques like shoulder surfing where attackers can gain entry into your personal accounts just by looking over your shoulder while you type in your personal info.

The human side of cybersecurity is clearly evident and cannot be ignored. This blog has shown how misconceptions on password security has created a cybersecurity caveat where the technical aspects of systems are secure but are nonetheless exploitable due to the human beings that use them. In order to fill this caveat, we need to put policies in place to ensure that users know how to create strong passwords and maintain good password hygiene. Whether the implementation of such policies will be left to the law or mandate of companies themselves is to be seen.

Written by Ingmar Blok, a third-year European Law School student. With the Maastricht Law and Tech Lab, he conducted research on cybersecurity as part of a MARBLE project.