Weak vs Strong Passwords at Online Retailers

  • May 7, 2015

You may have heard of recent password breaches at well-known web sites and might be wondering whether the passwords your registered customers use to check out at your ecommerce site are too weak, and just how strong they need to be.

Unfortunately, much of the common practice regarding password security comes from the world of securing corporate computer systems that employees log in to, and it is often poorly applicable to shoppers logging in over the Internet.

First consider that you probably have hundreds of thousands or millions of user-created passwords. A hacker needs to guess only a tiny percentage of these passwords to place a good quantity of fraudulent orders, shipped to an address they provide or picked up in store by a person they designate.

Can your password policies protect you?

Length vs Complexity

Traditionally, password length was considered the main deterrent against cracking a password. An 8-character alphanumeric password, for example, can have 1 trillion possibilities. 10 years ago this would have been considered plenty secure: even if the hacker obtained the stored, encrypted password, it would have taken months and months to crack a single password, by which time it probably would have been changed. But today's GPU-accelerated computers can test billions of combinations a second on a single machine and can crack such a password in a day, so for securing your laptop, your password should be more like 15 characters long!

However, this doesn't apply to guessing online passwords. A hacker can't send a billion requests a second to your servers to brute-force a shopper's password. Or, more accurately, your servers can't respond to requests that quickly, so a brute-force attack on even a 6-character password (~200 billion possibilities) would take a year to guess a single password.

The problem, though, is that passwords created by human beings are not random at all (see this recent study). People often use dictionary words, which gives only about 50,000 possibilities. A recent study by Dashlane revealed that 55% of the top 100 online retailers allow users to create such extremely weak passwords as 'password', '123456' or 'abc123'.

Some retailers do try to combat this by introducing complexity requirements (mixed case, numbers, punctuation), but this doesn't really help. Many users make simple and predictable alterations to a dictionary word, e.g. 'password' simply becomes 'Password1!'. At best, the hacker might need 2-3 additional variations per dictionary word, so it becomes 150,000 possibilities.

Today's dictionary databases used by hackers even contain such common obfuscation techniques as number-or-symbol-for-letter substitutions (e.g. p@55word) and even patterns formed by 'drawing lines' on the keyboard. And remember, the hacker doesn't need to guess every password; they just need to guess a handful of the weakest ones.

Hacker vs Retailer

So, can you, the retailer, protect your ecommerce site against a hacker attack using such a 'complexity-aware' dictionary?

Could you lock out the user account after, say, 50 invalid login attempts? Unfortunately no, because you would then be hostage to the hacker, who could continually lock out all your customer accounts in what becomes a denial of service attack.

Could you instead block the IP address that had excessive login failures? First, you would have to set a very high limit; for a major retailer it could be in the thousands. Why? Because with billions of smartphones and computers accessing the internet, there are not enough IP addresses for each one. As a result, computers in large organizations, some whole countries and many smartphones appear to access your servers from just a handful of IP addresses.

With such a high limit, and given that hackers have access to botnets with tens or even hundreds of thousands of computers, each with a different IP address, hackers could easily run through 150,000 combinations. Even if you use throttling techniques, hackers can guess many, many passwords, especially over a longer period of time. Remember, unlike corporate computer systems, your shoppers don't regularly change their passwords on your site.
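To make the numbers above concrete, here is an added Python example (written for this page, not code from the original post or from any product) that builds a constructed login log, applies the per-IP and per-account counters the text discusses, and puts a site-wide view beside them. A distributed attack of three guesses per IP against a different account each never reaches the per-IP limit or the account lockout threshold, while the aggregate failure rate and the number of distinct failing sources stand out immediately. The log format, the thresholds of 1000 per IP and 50 per account, the 5% baseline failure rate and the 100-source cutoff are assumptions chosen for the demonstration; the IP addresses come from documentation ranges.

```python
from collections import Counter
from datetime import datetime, timedelta

IP_FAIL_LIMIT = 1000      # assumed per-IP failure limit a large retailer is forced to tolerate
ACCOUNT_LOCKOUT = 50      # per-account lockout threshold from the text
WINDOW = timedelta(hours=1)


def constructed_log():
    """Synthetic login log (constructed, not real traffic), one event per line:
    '<ISO timestamp> <source IP> <account> <FAIL|OK>'.
    300 bot IPs each try 3 guesses against a different account; one corporate
    NAT gateway (192.0.2.1) produces 40 genuine failures and 200 successful logins."""
    base = datetime(2015, 5, 7, 10, 0, 0)
    lines = []
    for i in range(300):
        ip = f"203.0.113.{i}" if i < 256 else f"198.51.100.{i - 256}"
        for j in range(3):
            ts = base + timedelta(seconds=10 * i + j)
            lines.append(f"{ts.isoformat()} {ip} user{i:04d} FAIL")
    for k in range(240):
        ts = base + timedelta(seconds=5 * k)
        lines.append(f"{ts.isoformat()} 192.0.2.1 emp{k:03d} {'FAIL' if k % 6 == 0 else 'OK'}")
    return lines


def parse(lines):
    """Turn log lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in lines:
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def in_window(events, start=None, window=WINDOW):
    """Events inside [start, start + window); start defaults to the earliest event."""
    start = start or min(e[0] for e in events)
    return [e for e in events if start <= e[0] < start + window]


def per_source_view(events, start=None, window=WINDOW):
    """What per-IP blocking and per-account lockout would see in one window."""
    fails = [e for e in in_window(events, start, window) if not e[3]]
    by_ip, by_account = Counter(e[1] for e in fails), Counter(e[2] for e in fails)
    return {
        "max_failures_from_one_ip": max(by_ip.values()),
        "max_failures_on_one_account": max(by_account.values()),
        "blocked_ips": [ip for ip, n in by_ip.items() if n >= IP_FAIL_LIMIT],
        "locked_accounts": [a for a, n in by_account.items() if n >= ACCOUNT_LOCKOUT],
    }


def fleet_wide_view(events, start=None, window=WINDOW, baseline_fail_rate=0.05, min_sources=100):
    """Aggregate signal: share of all logins that failed and how many distinct
    IPs those failures came from. Alerts when both are far above normal."""
    window_events = in_window(events, start, window)
    fails = [e for e in window_events if not e[3]]
    fail_rate = len(fails) / len(window_events)
    sources = len({e[1] for e in fails})
    return {
        "fail_rate": round(fail_rate, 3),
        "failing_sources": sources,
        "alert": fail_rate > 10 * baseline_fail_rate and sources >= min_sources,
    }


if __name__ == "__main__":
    events = parse(constructed_log())
    print(per_source_view(events))   # nothing blocked, nothing locked
    print(fleet_wide_view(events))   # alert: 82% failures from 301 sources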

The real threat

So, it appears you can't block the hacker. Security experts have always known that the most secure password that people can actually remember is a combination of words, or a passphrase. Could you get all your shoppers to use such a password when they register? Perhaps you could, if you require a minimum of 15 characters, disallow whole words and excessive same-character repetition, and check against commonly used keyboard patterns...
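The registration rules just listed can be turned into a concrete check. The Python below is an added example, not code from the original post or from CardPass; the tiny word list, the substitution table and the four-key keyboard-run length are assumed values for the demonstration, and a real deployment would load a large common-password list in place of the word list. Because it undoes the substitutions the text mentions before looking a word up, 'p@55word' and 'Password1!' are both judged as 'password'.

```python
import re

# Constructed stand-in for a real list of common passwords and dictionary words.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon",
                "qwerty", "abc", "123456"}

# Common number/symbol-for-letter substitutions, undone before the dictionary
# check so that 'p@55word' is judged as 'password'.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

# Keyboard rows used to detect 'drawing lines' patterns such as 'qwerty' or 'asdf'.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def normalize(password):
    """Reduce a password to the base word a cracking dictionary would map it to:
    lowercase, drop leading/trailing digits and punctuation, undo substitutions."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET_MAP)


def has_keyboard_run(password, run=4):
    """True if `run` adjacent keys from one keyboard row (either direction) appear."""
    s = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in s:
                    return True
    return False


def check_password(password, min_len=15):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    base = normalize(password)
    if (password.lower() in COMMON_WORDS or base in COMMON_WORDS
            or any(w in base for w in COMMON_WORDS if len(w) >= 5)):
        problems.append("dictionary word")
    if re.search(r"(.)\1{2,}", password):   # three or more of the same character in a row
        problems.append("repeated characters")
    if has_keyboard_run(password):
        problems.append("keyboard pattern")
    return problems


if __name__ == "__main__":
    for pw in ["Password1!", "p@55word", "qwerty123456789",
               "aaaaaaaaaaaaaaaa", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

The order inside `normalize` matters: trailing digits and punctuation are stripped before substitutions are undone, otherwise the '1!' in 'Password1!' would be turned into letters and the lookup would miss.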

Sadly, even all this won't stop cybercriminals. It turns out they actually have a much better attack vector than brute-force guessing. This attack vector relies on what has always been considered good security practice: passwords that people can actually remember, so they don't write them down on a post-it and stick it to their monitor.

This attack vector is phishing. If your customers can actually remember their passwords, then hackers can phish these passwords out of some of them. In the world of mobile devices with small screens, it is surprisingly easy to phish retailer logins even out of savvy users; see this blog post for more details.

In the end, the only guaranteed way to protect yourself against hackers stealing shopper passwords (and to stop torturing your customers with password hassles) is to completely get rid of user passwords with a password-less login solution like CardPass.
