Passwords are not a phenomenon of the computer age; in fact, they are probably as old as humanity itself. Even in ancient Rome or in the Middle Ages, anyone seeking to gain access to heavily guarded areas had to give the password at the gates. And even in those days, passwords were not secure. Unauthorised persons who somehow managed to glean the secret code, such as by eavesdropping on conversations, could access all areas...
A similar situation prevailed in the US during the prohibition era of the 1920s. To enter the illegal speakeasy bars that served liquor, imbibers first had to give the doorman the current password. This theme features not only in legendary Hollywood films such as the Marx Brothers’ ‘Animal Crackers’ (1932) but also in one of the first successful graphical computer games, ‘Leisure Suit Larry in the Land of Lounge Lizards’ (1987), in which the hero must give a password in order to enter a bar. The phrase in question, ‘Ken sent me’, has since achieved cult status. Players of ‘Leisure Suit Larry’ also felt a little like hackers for other reasons: for instance, the questionnaire that served as copy protection was very easy to crack. It was just as easy to outwit the one-armed bandit in the amusement arcade to earn large sums of money.
The first computer hacker
Passwords grew commonplace in the IT sector when it became possible for people to collaborate in a shared digital infrastructure. One of the first ‘real’ hackers in this context is probably Allan Scherr (*1940), an American who worked on a project at the Massachusetts Institute of Technology (MIT) during the early 1960s. In what was then called the Compatible Time-Sharing System (CTSS), one of the first digital work environments in which multiple users could use and edit data as well as exchange messages, users authenticated themselves with personal passwords that were stored in a master list. Without too much effort, Scherr managed to get his hands on this list and use other people’s passwords to access the system.
Surely we have all been hacked at some stage?
It’s actually astonishing: people have known for centuries how insecure passwords are, yet passwords remained the most important tool for securing personal user accounts in company networks, webshops, social-media channels and government agencies well into the 2000s. In fact, they are still the target of hackers seeking to gain unauthorised access to digital networks. The best example of this is ‘Collection #1’, which was discovered on a file server by the Australian IT security specialist Troy Hunt in 2019. This set of 87 GB of data included 772,904,991 unique e-mail addresses, 1,160,253,228 unique e-mail/password combinations and 21,222,975 individual passwords and bundled data from multiple sources. Shortly thereafter, Hunt unearthed ‘Collections’ #2 to #5, containing almost 700 GB of data from roughly 2.2 billion online accounts. Troy Hunt could be described as an ‘ethical’ hacker – someone who fights cyber criminals with their own weapons. Hunt set up the web service haveIBeenPwned.com so that internet users can quickly check whether their e-mail address or telephone number were also compromised in the data leak.
The ‘human factor’ makes life easy for password hackers
Relying on passwords as a ‘security system’ is problematic for several reasons. Anyone who uses many different online services should pick a different password for each of them – and each password must then meet various requirements in terms of complexity (password length, use of lower- and upper-case letters, special characters, numbers and so on) to satisfy minimum security standards. Few humans can commit large numbers of complex passwords to memory, which is why users either write them down or adopt one of the two least secure strategies: using one password for multiple services or using very simple passwords. A password manager app could solve this problem. Yet passwords still turn out to be tiresome and not particularly user-friendly in the long run. Even IT professionals happily resort to ‘easy solutions’ from time to time. This was highlighted when the hacker group OurMine targeted the Twitter and Pinterest accounts of Facebook founder Mark Zuckerberg. The password Zuckerberg had chosen turned out to be ‘dadada’. The OurMine team claimed to have found it thanks to a data leak at the business service LinkedIn that occurred in 2012.
Brute force and friends: password-hacker strategies
The methods that hackers employ to access people’s passwords are comparatively unsophisticated.
- Brute-force attacks
- Brute-force attacks simply involve trying out countless character combinations automatically. This method is particularly effective against users who pick short and easy-to-remember passwords. Despite this, the possible number of attempts is usually limited because access is often blocked after several incorrect password entries. Brute-force attacks are also unsuitable for long and complex passwords because of the high levels of computing power required.
- Dictionary attacks
Dictionary attacks use lists of user names and passwords to crack passwords. This method is especially effective for typical passwords that consist of easily crackable names or dates of birth. If the user relies on the same passwords for multiple online accounts, dictionary attacks can inflict significant damage. - Phishing attacks
At some point, you will have undoubtedly received an e-mail containing a deceptively realistic facsimile of your bank’s corporate design and an urgent request to enter your username and password on a website in order to unlock your account. Hopefully, you did not respond to this e-mail but simply consigned it to your digital recycle bin. That is because this is a classic example of a phishing attack used by fraudsters who are trying to access your account details. In many cases, details such as the e-mail header or spelling mistakes in the text indicate that scammers are at work.
- Social engineering attack
Just recently, it was revealed that a hacker group managed to steal roughly 780 GB of data from video game publisher Electronic Arts (EA) – including the source code for developing software and new computer games. The culprits used the chat tool Slack to contact the company’s IT support team. Pretending to be EA employees who had lost their mobile phone, they requested a new authentication token so they could regain access to the company network – a typical social engineering attack in which knowledge about the company and about the recipients of the Slack chat was fraudulently used to gain their trust.
Conclusion: passwords alone are still not enough
The hacking examples mentioned above show how, time and again, password fraudsters can still fool even the savviest IT experts! Human factors such as laziness and carelessness, but also the increasingly sophisticated technical tricks deployed by cybercriminals, play a role in these scenarios. That’s why it is so vital not to protect sensitive data with just user names, e-mail addresses and passwords alone. These days, we have many ways of putting a stop to hackers, such as two-factor authentication or multi-factor authentication. Querying the biometric features of users is considered exceptionally secure. After all, who has the ability to readily simulate the original fingerprints, the iris or all the facial features of the authorised user during a login procedure? Passwords will certainly also be used in the future, but ideally in combination with additional, highly secure authentication procedures. Keeping one giant step ahead of the hackers is the name of the game.