Step up you password game

 

 

The problem

A couple of weeks ago, 117 million compromised passwords from LinkedIn’s breach were released.  As expected, immediately following the release, the password attacks escalated throughout our customer base.  This is typical because unfortunately, users generally have poor password hygiene.  Users tend to re-use passwords which puts them at a greater risk of breach.

The issue is as follows; you have a username and password for you corporate Active Directory account.  You sign up for an Amazon.com account and use the same username and password as your corporate account because you have already memorized it for work, and it may meet complexity standards (P@$$w0rD-^12e).  Now you sign up at a website that has a knowledge base forum used to support some product or some weight loss tips, etc.  You again use the same credentials; why not, it is a strong password after all.  Unbeknownst to you, the forum website was hosted on WordPress and was vulnerable to an attack.  In this attack, the attacker was able to compromise the credentials of all the users.

The attacker now has a bunch of usernames and passwords and quite possibly some corresponding email address.  This attacker now tries to login into Amazon.com with the email address and the password compromised from the WordPress site and BINGO, they have access to your Amazon.com account.  Here they can have access to the last 4 digits of your credit card on file that in some instances can be used to reset password from yet another site.  Now, they look at the email address and the associated domain (e.g. udtonline.com) and attempt to log into the Outlook Web Access portal with the email address and the compromised password and voila.  Obviously in this fictitious scenario, there are a lot of assumptions that were made for the purpose of saving time.  However this is the framework that is followed when these breaches occur.

What to do

There are many different things that you can do to protect yourself. Some of them are just habit forming while some require technology assistance and a price associated with them.

First and foremost, NEVER REUSE PASSWORDS.  For obvious reasons (see above), this is not a good idea and it will just be a matter of time before you get popped.

Pass-phrases instead of passwords

This is a biggie.  Hackers use many techniques to crack passwords; one being brute force attack using dictionary lists.  You should never use any password that includes your name, birthday, dog’s name, dictionary words etc.

Example of bad password:  Password123

Example of better though not recommended password:  P@$$w0rd12e

Example of a passphrase instead of password: Mp@$sW!$e(uR3-^

I derived the passphrase using this phrase:

“My password is secure”

It contains caps, lower case, numbers, symbols, and contains 15 characters.

Password generators

In my life as a security practitioner, I am constantly using passwords for VPN (Virtual Private Networks), service accounts, login credentials etc.  There are many random password generators on the internet.  Here are a few:

https://passwordwolf.com

http://passwordsgenerator.net

https://identitysafe.norton.com/password-generator/#

These sites do produce randomly generated passwords and for the most part are a better option than your dog’s name followed by 123.  The downside to them is that they have no rhyme or reason to them and are almost impossible to remember.  Users tend to right them down or save them inside a file on their computer thus making them vulnerable.

Password Managers

I love my password manager and cannot live without it, literally I would not survive in the Internet world without it.  Here are some options

1Password is a multiplatform solution that runs on Mac OS X, IOS, Android and Windows.  If you purchase the additional modules, there are a lot of cool features.  One of which is called “WatchTower”.  This is a service that monitors compromised websites and checks to see if you have an account on them.  It will then warn you that you need to change the password.  With the rate of breached sites, this is worth the ~$60.00 for the product.   It synchronizes via Dropbox or ICloud and can sync with your Window, iPhone or Android.

LastPass is similar to 1Password but stores the password database in the “Cloud”.  You access it by using browser extensions and your mobile device.  It is a very viable solution and feature for feature is very close to 1Password even some additional features not available to 1Password.  The reason I do not use it is that the password vault is stored in the cloud and I do not feel like I can trust it 100%. (*This may have changed as I used it early on in the product’s life).

Keepass is a password manager that started its life, and continues as an open source application.  There are many ports for it and works on almost any platform.  Not as feature rich as the other two, but in the absence of a budget, recommended.

I have over 400 passwords in my password vault and not a single one uses the same credentials.  As a matter of fact, I would not be able to log into anywhere unless I had access to my 1Password vault.  My passwords (where allowed) are over 50 characters long and extremely complex (e.g. bdQ%oZXJYg+&=L7P6WNE[v7eGBzRU ^ddiypoeMxybfT.AGh73ey ).  The key to this is making sure you have a complex enough master password that you NEVER write down for the vault.

These password vaults are able to store attachments and notes.  One of the things I do for additional security is screenshot the “security questions” I answered since they are NEVER the same.  For instance, I may be asked what is my favorite book and on one site I may write Harry Potter while the next site would be Pride and Prejudice.  Favorite colors are never the same and I use non-standard colors each time (e.g. Periwinkle or Malachite).  I then attach a screenshot of the answers I gave to allow me to reset the password if future needs may require.

 Two-Factor Authentication

This is by far the newest technology and is slowly being adopted by many sites.  Some of the sites have their own 2FA solutions that will send you a one-time-password to a pre-registered and validated SMS account.  Some of these are  Facebook, GoDaddy, Microsoft etc.  Other solutions should be available as technology matures here are just a couple.

       

Additional recommendations

You should create a gmail, yahoo or Hotmail (something credible) account with random information (e.g. aeL7ais@gmail.com) Then enable two-factor authentication.  Use this email address as a recovery or authorization for domain-name accounts, other gmail, yahoo, Hotmail etc. accounts.  Using this method, you minimize the risk of someone social engineering their way into you DNS account where they can redirect mail and other malicious activity.  Do not use this account for any email at all.  This is simply a “air gap’ish” account.

There is a site you may want to look at https://haveibeenpwned.com In hacker speak, pwn means you have been owned.

“Pwn is a leetspeak slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet-based video game culture to taunt an opponent who has just been soundly defeated (e.g., “You just got pwned!”).” ~ Wikipedia