The Password Reset Conundrum (and supernormal stimuli)

Lots of systems require regular password resets. If you properly hash passwords, the only requirement you can make is “not the same as your previous N passwords.” Unfortunately, this leads people to e.g just increment the number on the end of their passwords by 1.

Now, what happens when an attacker grabs the password and password history databases? Chances are if you crack “sw0rdfish02” you can also crack “sw20rdfish01.”

Once the compromised firm or whomever tells all their users to reset their passwords due to the breach, that’s a pretty good place to start guessing about the new password.

Supernormal stimuli: I’m not sure exactly how, but this seems terribly relevant to social engineering. Also, porn.

“We all know that users have developed strategies for dealing with required password updates. Some are more obvious than others. The simplest example is with a simple increment / rotation of a given root: e.g. P@ssw0rd1, P@ssw0rd2, P@ssw0rd3… This works great, as it meets the complexity requirements at once, is easy to remember, and can be reset back to P@ssw0rd1 as soon as the history requirement is met, e.g. after P@ssw0rd9 for a history limit of 10. Some users even use the same root for multiple websites as we’ve seen with the analysis of the Linked In published passwords. Such behaviors are clearly disadvantageous for the individual users, since knowledge of the cleartext password on one site is, unfortunately, likely to allow an attacker to predict that user’s password on another site, either because the password was reused in whole or the derived root was reused in whole. Interestingly enough it is _also_ disadvantageous for the website owner as well. Here’s why.[…]

Once the attacker has this large store of current and historical password hashes, and after some quality time with hashcat (or the hash cracker of their choice), said hacker has little work before him before the pattern of a single user’s rotation can be discovered. Given the example above, how long will it take the attacker to decide that the next guess of P@ssw0rd11 might be the next logical choice for a given user? For any given user, there is clearly a non-zero likelihood that the search space can be reduced to find the user’s next password based on the history. This doesn’t even account for other patterns that can be learned, such as how the user prefers to create passwords (e.g. simple words with character substitutions, pairs of words, the first letters of common sentences, favorite topics, etc.) In other words, what does a password history say about how the given user chooses a password? What does your password history say about how you will pick your next password?”

%d bloggers like this: