Password security

Re-using complex passwords can give away identity


4 January 2018

The analysis of writing style, things such as word choice, punctuation and sentence structure, has long been a way to de-anonymise “hackers, trolls and malware writers,” as well as to unmask the people behind other anonymously posted online content. Even programmers can be de-anonymised from their coding style. But did you know people can be de-anonymised through their use of complex passwords?

Granted, we should not re-use passwords at all, but re-use is not confined to people with pathetically weak passwords. Password managers are the wise move, yet sometimes it is "fun" to come up with a password that would theoretically take decades or more to crack. Someone trying to stay anonymous might assume that re-using such a password could never unmask them. That is not true, according to an article posted on STS Cyber Research.

Rare and unique
In this case, the research showed, the rarer your password is, the more it "uniquely identifies the person who uses it. If a person uses the same unique password with multiple accounts, then that password can be used as a digital fingerprint to link those accounts." Although this is not a new observation, there seems to be a lack of awareness of it.

The researchers wrote:
“We demonstrate that a large number of anonymous account users who are savvy enough to have complex passwords but still use their regular password with an anonymous account are vulnerable to being de-anonymised by even the limited credential leaks available to the public.”

To prove this, they started with the now-defunct Tor Mail service and the 1.4 billion clear-text credentials that were found on the dark web. They then took the Tor Mail accounts with "sufficiently complex passwords" (at least 10 characters, or characters from at least three of the four classes lowercase, uppercase, digit and symbol) and linked them "to non-anonymous email accounts that used the same or similar passwords."

Lack of awareness
In total, the researchers were able to de-anonymise 157 of the 1,019 Tor Mail accounts using publicly available data sets. They believe this is due to a "general lack of awareness of the privacy implications to re-using an existing password when creating an anonymous account."
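The linking step described above, as an added example that is not code from the article or from STS Cyber Research: it applies the quoted complexity rule, normalises passwords to approximate the paper's "same or similar" matching, and treats a password shared by more than a few public accounts as common rather than identifying. The normalisation, the rarity threshold and all the credential data below are this example's own assumptions.

```python
# Added example (not from the article or the STS Cyber Research paper):
# links pseudonymous accounts to non-anonymous ones by password reuse.
# The complexity rule is the one quoted in the article; the "similar
# password" normalisation and the rarity threshold are assumptions of
# this example. All credential data below is constructed.
import re
from collections import defaultdict


def is_complex(pw: str) -> bool:
    """Article's criterion: at least 10 characters, or characters from at
    least three of the four classes lowercase / uppercase / digit / symbol."""
    if len(pw) >= 10:
        return True
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= 3


def canonical(pw: str) -> str:
    """Assumed notion of 'similar': case-fold and drop a trailing run of
    digits/symbols, so 'Tr0ub4dor&3' and 'tr0ub4dor&3!!' collide.
    Falls back to the lower-cased password if nothing is left."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped or pw.lower()


def link_accounts(anon, public, max_sharers=3):
    """Map each anonymous account whose password is complex AND rare to the
    public identities that use the same or a similar password.

    anon, public: iterables of (address, clear-text password).
    max_sharers: a password seen on more than this many public accounts is
    treated as common rather than as a fingerprint (assumed threshold).
    Returns {anon_address: sorted list of public addresses}.
    """
    by_pw = defaultdict(set)
    for addr, pw in public:
        by_pw[canonical(pw)].add(addr)

    links = {}
    for addr, pw in anon:
        if not is_complex(pw):
            continue  # weak passwords are shared by many users; not a fingerprint
        matches = by_pw.get(canonical(pw), set())
        if 0 < len(matches) <= max_sharers:
            links[addr] = sorted(matches)
    return links


# Constructed sample data standing in for the Tor Mail dump and the
# public clear-text credential collection used in the research.
ANON_ACCOUNTS = [
    ("ghost@tormail.example", "Tr0ub4dor&3"),          # complex, reused -> linked
    ("shadow@tormail.example", "password1"),           # too weak -> skipped
    ("raven@tormail.example", "correcthorsebattery"),  # complex but common -> skipped
    ("nobody@tormail.example", "Xk9#pq2!Lm"),          # complex, never reused
]

PUBLIC_ACCOUNTS = [
    ("john.doe@example.com", "tr0ub4dor&3!!"),
    ("jdoe@example.org", "Tr0ub4dor&3"),
    ("alice@example.com", "password1"),
    ("bob@example.com", "correcthorsebattery"),
    ("carol@example.com", "correcthorsebattery"),
    ("dave@example.com", "correcthorsebattery"),
    ("erin@example.com", "correcthorsebattery"),
]

if __name__ == "__main__":
    for anon_addr, identities in link_accounts(ANON_ACCOUNTS, PUBLIC_ACCOUNTS).items():
        print(f"{anon_addr} -> {', '.join(identities)}")
```

Run against the sample data, only the Tor Mail account using `Tr0ub4dor&3` is linked, to two public mailboxes: the weak password is ignored, the widely shared passphrase is discounted as common, and the never-reused password finds no match. Raising `max_sharers` shows why rarity matters: the common passphrase then "links" to four unrelated people at once.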

After the analysis, they wanted to point out a few examples of how a password “gives away details about the user without necessarily correlating them to another account.”

  • Using real initials and full year of birth as a password (e.g. jwd1974)
  • Using full date of birth in a password (e.g. YYYYMMDD or a similar ordering)
  • Using a real name or non-anonymous username with a number on the end (e.g. JohnDoe1)
  • Using an anonymous account name as password on a regular account
  • Copying and pasting a regular password twice as an anonymous password
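Heuristic checks for the five patterns above, as an added example rather than anything the researchers published. The regular expressions, the labels, the assumed plausible birth years (1900 to 2099) and the sample passwords are this example's own assumptions; the point is that each pattern can be flagged from the password alone, before any second account is found.

```python
# Added example (not from the article or the research paper): heuristic
# checks for the password patterns listed above, which leak personal
# details even when no second account is found. The regexes, labels and
# the 1900-2099 birth-year range are this example's own assumptions.
import re

_INITIALS_YEAR = re.compile(r"^[A-Za-z]{2,3}(?:19|20)\d{2}$")
_DOB_YMD = re.compile(r"(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])")
_DOB_DMY = re.compile(r"(?:0[1-9]|[12]\d|3[01])(?:0[1-9]|1[0-2])(?:19|20)\d{2}")
_NAME_NUMBER = re.compile(r"^[A-Z][a-z]+(?:[A-Z][a-z]+)?\d{1,3}$")


def leaky_patterns(pw: str, known_handles=()) -> list:
    """Return the labels of every listed pattern the password exhibits.

    known_handles: anonymous account names the user is known to use; if the
    password equals one of them (case-insensitively), using it on a regular
    account exposes that anonymous identity.
    """
    found = []
    if _INITIALS_YEAR.match(pw):
        found.append("initials+birth_year")   # e.g. jwd1974
    if _DOB_YMD.search(pw) or _DOB_DMY.search(pw):
        found.append("full_dob")              # e.g. 19740512 or 12051974
    if _NAME_NUMBER.match(pw):
        found.append("name+number")           # e.g. JohnDoe1
    if pw.lower() in {h.lower() for h in known_handles}:
        found.append("anon_handle")           # anonymous handle used as a password
    half, rem = divmod(len(pw), 2)
    if rem == 0 and half >= 4 and pw[:half] == pw[half:]:
        found.append("doubled_password")      # regular password pasted twice
    return found


if __name__ == "__main__":
    # Constructed sample passwords, one per pattern plus a clean control.
    samples = ["jwd1974", "19740512", "JohnDoe1", "darkraven",
               "Tr0ub4dor&3Tr0ub4dor&3", "Xk9#pq2!Lm"]
    for pw in samples:
        print(f"{pw:24} {leaky_patterns(pw, known_handles=('DarkRaven',))}")
```

The doubled-password check is the most useful of the five in practice: it needs no personal data at all, and the doubled string is both trivially reduced to the regular password and, through the linking approach above, a direct fingerprint of the user's other accounts.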


IDG News Service


TechCentral.ie