Tuesday, October 25, 2016

Why everything you know about passwords is wrong

Why is everything that you know about passwords wrong?

The short answer is because of articles like this: http://www.businessinsider.com/hacker-strong-password-2016-4

A better answer is that I don't know who you are: you may be an infosec professional, a password guru or someone else in the know, in which case the title of this post does not apply; but for the vast majority of people it certainly does.

The problem in the aforementioned article (and others like it) that this post will focus on is the concept of "It's something that's easy to remember. All you gotta do is remember that sentence." That notion, that type of thinking, qualifies as an epic failure. If you, as a user/consumer, are remembering passwords for websites (or apps, or accounts, or whatever) you are failing miserably.

Let's skip right to the solution, then delve into reality afterwards...

The right way to deal with passwords is to use a password vault/safe - a software solution to store all of your passwords in an encrypted file. Period.

But not quite... Because nothing in the world of information security is ever that simple. First you need education, which takes time, effort, and motivation. Without this crucial first step you will be doomed even/especially with an encrypted password vault at your disposal.

What a password vault does is provide a way to store DIFFERENT, COMPLEX, AUTOMATICALLY GENERATED passwords for you. You never have to remember another password for any account that you log in to*. This is the big secret: the capitalized words above are what make a password "strong". Your passwords have to be different for every account you use, they have to be crazy complex, they have to be generated for you, and you can't remember them.

That is the whole point. Never remember passwords!* 

Depending on the account in question, my password is 90+ characters and I have no idea what it is; I copy it from my password vault and paste it into the password field on a website to log in.

Here is the reality that most of us face:

How many different accounts do you login to? How many of those accounts do you use the same password for? Do you have accounts that you have not changed the password for in years? How did/do you come up with a "strong" password?

Many people have 1-3 dozen different accounts that they may log in to throughout the course of a year; think about it: Social networking (3-9 accounts), Mail#1, Mail#2, Banking, Retail, Credit card website, Hotel(s), Flight/Travel, Business (corporate not included), Phone, Computer, Entertainment apps, and many more.

Different people have different methods for how they handle passwords as well. Some people reuse the same password for all of these examples, others modify it slightly for each account, while other people try hard to create passwords they think will help protect them from compromise. If you fall into any of these categories you are fighting a losing battle. As humans we are not great at remembering complex, random strings of characters. Of course there are methods to help with this (Thanks Randall): https://xkcd.com/936/

Some more reality: Attackers aren't trying to crack your passwords in most cases. They are guessing your horribly weak password successfully or using a password reset feature to change it. In the case of the 500 million Yahoo! accounts being breached, attackers may actually be trying to crack your password as opposed to just guessing it. The website/account/application plays a huge role in this portion of your account security. Will Gmail lock out your account after x failed login attempts? How about Apple or Twitter or your online bank? What is stopping an attacker from trying to log in to your account using thousands of passwords until one eventually works? Does the application/website even support complex passwords? Too often I come across a website that only supports some special characters or only 12 characters maximum for passwords.
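As an added example that is not part of the original post, here is the "lock out after x failed login attempts" control the paragraph asks about, replayed over constructed log lines in Python; the threshold, the time window and the log format are assumptions made for this illustration.

```python
"""Added example (not from the original post): a failed-login lockout control
replayed over constructed log lines. An account locks once MAX_FAILURES failed
logins land within WINDOW_SECONDS; further attempts, even with the correct
password, are refused until the window has passed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5        # assumed policy values, not from the post
WINDOW_SECONDS = 300

# Constructed sample authentication events: "timestamp account outcome".
SAMPLE_LOG = """\
2016-10-25T09:00:01 alice FAIL
2016-10-25T09:00:03 alice FAIL
2016-10-25T09:00:04 alice FAIL
2016-10-25T09:00:06 alice FAIL
2016-10-25T09:00:08 alice FAIL
2016-10-25T09:00:09 alice OK
2016-10-25T09:00:10 bob FAIL
2016-10-25T09:20:00 bob FAIL
2016-10-25T09:30:00 bob OK
"""


def replay(log_text, max_failures=MAX_FAILURES, window_seconds=WINDOW_SECONDS):
    """Return (decisions, locked): 'allowed'/'failed'/'locked' per event in
    order, plus the set of accounts that were locked out at some point."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    decisions, locked = [], set()
    for line in log_text.strip().splitlines():
        ts_text, account, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)
        recent = failures[account]
        while recent and ts - recent[0] > window:   # forget stale failures
            recent.popleft()
        if len(recent) >= max_failures:             # lockout still in force
            decisions.append("locked")
            locked.add(account)
            continue
        if outcome == "FAIL":
            recent.append(ts)
            decisions.append("failed")
        else:
            recent.clear()                          # a real login resets count
            decisions.append("allowed")
    return decisions, locked

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

Note that alice's eventual correct password at 09:00:09 is still refused: without that rule, the lockout would only slow a guessing attack rather than stop it. Two of bob's failures spaced twenty minutes apart never trip the threshold, which is why the window length matters as much as the count.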

What you do to protect your account plays an incredibly important role as well. Using 2-factor authentication for sensitive accounts, if it's an option, is one such step.

I mentioned password vaults/safes and education at the beginning of this post and I would be remiss if I didn't clearly communicate the risk as well. Having all passwords in one file, no matter how well it's encrypted, is still a single point of failure... And there are several ways to fail with this method. If you choose to pursue a password vault/safe as an option for storing passwords, be advised that you have to know how to use it, what it will do, its limitations, and the downsides, of which there are several; this makes it not the ideal choice for a novice user. This type of solution is not for everyone and can increase risk in some scenarios. *And of course having a vault/safe usually still requires that you remember at least one password; ironic, isn't it?

You may hear that "Passwords are dead" or that passwords are antiquated, and while they are certainly not ideal, passwords are in fact here to stay for the foreseeable future. With this in mind it's important to come up with a better solution for dealing with passwords safely; the good news is that there are several good solutions currently available. Take your time, get educated and ask questions. Here are a few ideas to get your research started: