Oh my passwords ... how I loathe thee!Page address: http://www.mnsu.edu/its/security/ciso/ciso_passwords.html
Password has become a dirty word in today’s world. Everything is online and everything has a password. Banking, shopping, survey, and REFRIGERATORS! Yes, household appliances are now online. Everything has a password and every password is supposed to be unique and complex. What a pain in the arse! Why can’t we all get along and sing “Kumbayah?” I wish it were that easy. I wish we didn’t have to worry about these things. All of our lives would be easier. OK. Since we can’t live in fairy tale land, that means we have to live in the real word. The real world is that being online presents risks for us all. We need to take steps to reduce that risk and try not to be the next victim. Attackers are after anything that will make them money. Sometimes, they just like to wreak havoc with your system.
Passwords are our front line of defense. Think of them as keys to our house and our belongings. When we lock our doors at night, we do so confident that the only people that have a key are the ones that should. Cracking and breaking passwords are like picking locks. Sometimes, it is so easy to do and sometimes it is hard to do. How easy do you want to make it for attackers to get into your house and belongings? Do you want a simple skeleton key that can be broken in a matter of seconds or do you want the newest most sophisticated key that is much harder? The top 10 most used passwords of 2014 (and the ones that attackers try first were:
Just as we’ve “grown up,” our passwords need to “grow up” as well. Most passwords are stored in a scrambled format using a mathematical algorithm to scramble them. This scrambling is known as encryption. When a password is encrypted, the mathematical algorithm is kept extremely secret and is designed not to be known. When passwords are cracked, there are two ways of cracking them. Either by brute force “guessing” of passwords or by reverse engineering the mathematical algorithm that is used to secure them. Before we explore how passwords are cracked and why it matters, let’s explore how to handle passwords and how to secure them properly.
Passwords are everywhere. Everything has a password. I can’t go a single day without using at least 5 or 6 passwords. Most days are more than that. I’m not always typing them in, but my computer, tablet or phone is doing it for me in the background hundreds of times a day. While we can’t prevent every single hack from happening, we can limit the damage of any one hack so that the rest of our online lives aren’t compromised. Here are a few simple tips on how to protect yourself and how to prevent a hacker from completely owning your online life:
Use a password management application
First and foremost, if we are going to go down the muddy road of creating strong unique passwords for everywhere we go, some sort of password manager is essential. I use LastPass for my non-University passwords. In one week of using it, I had 20 passwords in LastPass. These were just the common passwords I used every week. This doesn’t include accounts I don’t look at very often such as online magazine sites that I don’t look at all the time. Over a year or so, I wouldn’t be surprised if I ended up with 50 or more passwords in LastPass. The number of sites requiring a password has grown immensely in the last few years. Passwords are everywhere! LastPass allows you to store these passwords in a secure online vault and have them available on any device I use. LastPass allows me to create random, complex and long passwords for every place I need one.
There is always the chance that LastPass will be breached. It has been breached in the past. Fortunately, the past breach did not disclose passwords. Let me re-phrase this a little bit. I fully expect that LastPass WILL BE BREACHED at some point in the future. I will have to cross this bridge when it happens. Until then, the best I can do is continue to use one really awesome password for LastPass. I see this as a risk/rewards trade-off. So many places have been breached in the last few years. LastPass allows me to avoid re-using my passwords.
I know that all of my online life is at risk with LastPass. Knowing this, I use two-factor authentication for LastPass. LastPass won’t allow me to simply enter my password and get in. LastPass has to verify that I am who I say I am every time I enter my password. It has to know that it is me. Multiple factor authentication is comprised of 2 or more things from these categories:
Something you have … some physical object. Often times, this is a key fob on someone’s key ring with a rotating code. Something you know. This is where your password comes in. You know your password. You know the answers to certain questions. Something you are. These are biometric factors. Things like fingerprints, palm prints and retina scans.
LastPass supports all three to some degree. The mutli-factor authentication is one more layer of security that makes it that much harder for attackers to get to my LastPass account.
Do not re-use passwords
As a security professional, I know what I’m supposed to do. As a human, it is so hard to do without assistance. We are all human. I have reused passwords. I have had variations on the same password. It is very difficult to come up with passwords that are unique, yet easy to remember. I often find myself wondering which variation did I use here? Which password was it? When did I create this password? My passwords have evolved over time and gotten better, but since I was reusing them for simplicity sake, it has left me vulnerable in places I probably don’t even realize. Having a password manager allows me to create unique passwords without having to remember what they are. I can create long and complex passwords and not have to rely on re-using them everywhere. It has now become an automatic habit for me to create new passwords for every site I visit. If I can’t remember the password, I reset it with a new unique and complex password.
Longer is better
Researchers have shown that 8 character passwords can be broken in a matter of hours now with commodity graphics card arrays. These are still expensive and not for the average user, but a group of attackers pooling their money together could do this. Nation state attackers certainly have the money to put together even bigger computers to do this with. The longer the password, the longer it takes to crack the password. A 12-character password is orders of magnitude harder to crack than 8-character passwords. The longer, the better!
Complexity of passwords
Password complexity is just as critical as length. The more complex the password, the harder they are to break. The best memorable passwords are called passphrases. Passphrases are either multiple words strung together to form a phrase or sentence. Including strange punctuation helps this even more. Spaces are considered characters as well and are often accepted as part of passwords. Each site will vary slightly on what the requirements and limitations are. With a password manager, I’ve taken to creating completely random passwords. They aren’t phrases at all. They are completely random characters and symbols. Whenever possible, I’ve taken to creating at least a 20-character completely random password. Using a password manager application allows me to do this and it’s a risk I’ve decided to accept for myself for my personal life.
Use a password manager other than your browser’s password manager feature
The password manager feature of your browser is simply a form filler. It isn’t a very good password manager. All it requires is that your computer is logged on and your browser will fill in the details of the password. Built-in browser passwords savers have typically been insecure and easily cracked. A full-fledged password manager such as LastPass require a separate authentication and have the ability to require a second factor of authentication. LastPass is in the business of securing passwords. It’s their job and they take it very seriously.
For more information on passwords, check out Brian Kreb’s blog on Password Do’s and Don’ts.