I recently set up a server, and predictably it started seeing brute-force password-guessing attempts on SSH. The host only permits public key authentication, and I also used fail2ban to temporarily block repeat offenders and so stop my logs from being filled up. However, I was curious what attackers were actually doing, so I patched OpenSSH to log the username and password for log-in attempts to invalid users (i.e. all except my user-account).

Some of the password attempts are predictable (e.g. username: “root”, password: “root”) but others are less easy to explain. For example, there was a log-in attempt for the usernames “root” and “dark” with the password “ManualulIngineruluiMecanic”, which I think is Romanian for Handbook of Mechanical Engineering. Why would someone use this password, especially for the uncommon username “dark”? Is this book common in Romania; is it likely to be by the desk of a sys-admin (or hacker) trying to choose a password? Has the hacker found the password in use on another compromised system; is it the default password for anything?

Over the next few weeks I’ll be posting other odd log-in attempts on my Twitter feed. Follow me if you would like to see what I find. Feel free to comment here if you have any theories on why these log-in attempts are being seen.

The usability community has long complained about the problems of passwords (remember the Adams and Sasse classic). These days, even our beloved XKCD has something to say about the difficulties of coming up with a password that is easy to memorize and hard to brute-force. The sensible strategy suggested in the comic, of using a passphrase made of several common words, is also the main principle behind Jakobsson and Akavipat’s fastwords. It’s a great suggestion. However, in the long term, no solution that requires users to remember secrets is going to scale to hundreds of different accounts, if all those remembered secrets have to be different (and changed every couple of months).

This is why, as I previously blogged, I am exploring the space of solutions that do not require the memorization of any secrets—whether passwords, passphrases, PINs, faces, graphical squiggles or anything else. My SPW paper, Pico: No more passwords, was finalized in June (including improvements suggested in the comments to the previous blog post) and I am about to give an invited talk on Pico at Usenix Security 2011 in San Francisco.

Usenix talks are recorded and the video is posted next to the abstracts: if you are so inclined, you will be able to watch my presentation shortly after I give it.

To encourage adoption, I chose not to patent any aspect of Pico. If you wish to collaborate, or fund this effort, talk to me. If you wish to build or sell it on your own, be my guest. No royalties due—just cite the paper.

I’m liveblogging the Workshop on Security and Human Behaviour which is being held at CMU. For background, see the liveblogs for SHB 2010, SHB2009 and SHB2008. The papers are here and the session reports will appear as followups to this post.

In the aftermath of Anonymous’ revenge hacking of HBGary over the weekend, some enterprising hackers used one of the stolen credentials and some social engineering to gain root access at rootkit.com, which has been down for a few days since. There isn’t much novel about the hack but the dump of rootkit.com’s SQL databases provides another password dataset for research, though an order of magnitude smaller than the Gawker dataset with just 81,000 hashed passwords.

More interestingly, due to the close proximity of the hacks, we can compare the passwords associated with email addresses registered at both Gawker and rootkit.com. This gives an interesting data point on the widely known problem of password re-use. This new data seems to indicate a significantly higher re-use rate than the few previously published estimates.

A simple intersection yielded 522 email addresses registered at both sites. This is about a 1% overlap, small but reasonable given the very different niches of the two websites. Eliminating throwaway addresses from sites like Mailinator and dubious addresses like spam@spam.com (it’s not clear that either site properly checked the validity of enrolled emails) left 456 pairs.

Analysing password re-use requires inverting the hashed passwords since the sites used different hash algorithms (and Gawker minimally salted their hashes). Rootkit.com’s password implementation is worse than Gawker’s, with no salts at all and just a single iteration of MD5, meaning it’s quick to test a huge dictionary of known passwords. I cracked 44% of the accounts using a dictionary of about 10 M entries in less than 5 minutes. I previously used the same dictionary on the Gawker dataset and cracked 54% of the accounts (despite this, the passwords at rootkit.com were generally weaker, with many more being from a smaller list of common passwords).

Of the 456 common users, 161 had their password cracked in both datasets, 46 only had their rootkit.com password cracked and 77 only had their Gawker password cracked, leaving 172 with neither password cracked. Of the accounts for which passwords were cracked at both sites, 76% used the exact same password. A further 6% used passwords differing by only capitalisation or a small suffix (e.g. ‘password’ and ‘password1′). Some of these were due to the use of crypt() at Gawker, which truncated longer passwords to 8 characters. The remainder appeared to use unrelated passwords and I saw no site-specific password tailoring such as ‘gawker-password’ and ‘rootkit-password’.

This isn’t an accurate estimate, however, because none of the users whose password was cracked at only one site could have reused the same password (since the same dictionary was used). Including these numbers, the apparent re-use rate is only 43%. If we include the similar passwords, and assume that 6% of the passwords cracked at one site but not the other were also similar but one variation was not in our dictionary, we would estimate 49% of users employed very similar passwords between the two sites.

This still isn’t quite a complete comparison because we’ve ignore the 172 users with neither password cracked. We might assume that a roughly similar proportion of these users reused their passwords. It’s likely though that these more security-conscious users had a lower re-use rate, meaning 49% is an over-estimate. Still, we have to estimate at least a 31% re-use rate even if none of this last group of users reused the same password.

Either rate is much higher than what we would estimate based on the best published studies – Flôrencio and Herley’s empirical study (about 12%) or Gaw and Felten’s user survey (about 20%). Sampling error due to random chance shouldn’t be more than about ±5%, which can’t explain the difference. It could be that users are much more likely to reuse a password between Gawker and rootkit.com, since both protect access to forums and are of relatively low value. It could also indicate that password re-use has risen significantly in the past 5 years (which Gaw and Felten specifically predicted based on their survey).

More data is clearly needed because the difference between a 10% re-use rate and a 50% re-use rate would change the economics of large-scale attacks. It would also be very interesting to study the password overlap between higher-value accounts, such as those with a large email provider or an online bank, with low-security accounts like Gawker and rootkit.com which are more likely to be compromised.

I’m at SHB 2010, which brings security engineers together with psychologists, behavioral economists and others interested in deception, fraud, fear, risk perception and how we make security systems more usable.

Here is the agenda. I will be liveblogging the event in comments below this post. Here are the liveblogs for SHB 2009 and SHB 2008.

Paul Wilson, my esteemed coauthor on that paper on the psychology of scam victims that is currently attracting quite a bit of attention, has just started an entertaining and instructive new blog, The Real Hustler. If you liked our paper, you’ll probably enjoy Paul’s blog.

Well worth a bookmark and repeat visits for fans of the BBC TV series and for researchers who recognize the importance of the exciting new field of security psychology.

I have an op-ed in the Register on the history of the Regulation of Investigatory Powers Act following the unfortunate imprisonment of a mentally-ill man under the Act for refusing to hand over his PGP passphrase when the Met’s terror squad told him to.

This, which started as a contribution to Ross’s Security and Psychology initiative, is probably my most entertaining piece of research this year and it’s certainly getting its bit of attention.

I’ve been a great fan of The Real Hustle since 2006, which I recommend to anyone with an interest in security, and it has been good fun to work with the TV show’s coauthor Paul Wilson on this paper. We analyze the scams reproduced in the show, we extract general principles from them that describe typical behavioural patterns exploited by hustlers and then we show how an awareness of these principles can also strengthen systems security.

In a few months I have given versions of this talk around the world: Boston, London, Athens, London, Cambridge, Munich—to the security and psychology crowd, to computer researchers, to professional programmers—and it never failed to attract interest. This is what Yahoo’s Chris Heilmann wrote in his blog when I gave the talk at StackOverflow to an audience of 250 programmers:

The other talk I was able to attend was Frank Stajano, a resident lecturer and security expert (and mighty sword-bearer). His talk revolved around application security but instead of doing the classic “prevent yourself from XSS/SQL injection/CSRF” spiel, Frank took a different route. BBC TV in the UK has a program called The Real Hustle which shows how people are scammed by tricksters and gamblers and the psychology behind these successful scams. Despite the abysmal Guy Ritchie style presentation of the show, it is full of great information: Frank and a colleague conducted a detailed research and analysis of all the attacks and the reasons why they work. The paper on the research is available: Seven principles for systems security (PDF). A thoroughly entertaining and fascinating presentation and a great example of how security can be explained without sounding condescending or drowning the audience in jargon. I really hope that there is a recording of the talk.

I´m giving the talk again at the Computer Laboratory on Tuesday 17 November in the Security Seminars series. The full write-up is available for download as a tech report.