Back in the infancy of the Internet you could browse to a webpage and consume its contents without creating an account or worrying too much about your personal information telemetry. The current iteration of the Internet has made usernames and passwords ubiquitous among online service providers and with that comes a level of fatigue and frustration when creating accounts that are unique both usernames and passwords. The practice of account reuse is not smart for multiple reasons; below we will talk about just a few of these reasons in depth and what you can do to make your digital life not only easier but more secure.
Traditionally we have been conditioned to think of passwords as a random set of characters that are somehow meaningful and memorable to us as the user. An example of this would be something along the lines of “Spring2020!” Creating a password like this abides by a couple of rules, we can write those down as “Season” + “Year” + “Special Character”; this is called a Schema. More or less what that means is that you have a repeatable ruleset for creating an artifact, in this case, a password. Now for this kicker… This is a bad idea and you should not create passwords using this method.
When we create passwords this way, we are inadvertently giving attackers the blueprint to what our future passwords might be before we even create them. There are many lists of passwords schemas that have been made public; using a password like this not only immediately lowers the integrity of that password but opens you up to further attack by letting the attacker know that you craft passwords in this way; although there are ways to make phrased passwords both memorable and secure.
Here are two very good ways of creating passwords; you can either craft a good passphrase or utilize a password manager to generate long secure passwords for you (More on this in a bit). Crafting and using a passphrase may be a little daunting at first glance but once you get the hang of it not only will it be memorable for you and also secure but you can have fun creating them. One of my favorite ways to come up with a passphrase is by using the first sentence of a chapter of my choosing from a book on my shelves. (Ex: The first line of the third chapter of the fourth book on my shelf) Then you can iterate on this in whatever way makes sense to you when you need to change it. Could be skipping a chapter or two, grabbing the eighth book from the shelf, or moving to magazines or newspapers if you want.
The point about passphrases is two-fold; First, make sure that the creation process is interesting and fun as to be memorable if you ever needed to reference it, and second, to make it easy to create and remember a long password. The longer the password, the more secure the password!
Now that we discussed how to create strong passwords, it’s time to talk about how you will never need to create a password again! Confused? It’s ok, let me explain. Managing those super-secret artifacts and creating them over and over when necessary can be time-consuming and cognitively draining. Here is where a password manager comes into play. Tools like BitWarden, OnePass, KeyPass, etc. all offer ways to manage your ever-growing list of account credentials. Not only do they help manage, take stock, audit, and even sometimes help you change them but they can also create randomly generated super long passwords that you never have to know! Think about that for a second. It is a tool that not only manages and keeps track of your accounts but also creates and audits your passwords for you? Sounds like digital account heaven!
The best passwords are ones that are long, randomly created, and something that we don’t even know ourselves. This means you will never have to give up your passwords while being tortured at a black site, oh wait it’s enhanced interrogation… Let’s hope this isn’t a situation that you find yourself in on a regular basis but the principle is still the same. I would very much recommend that everyone research and use a password management tool that suits their needs and learn how to use it effectively. Utilizing the password generation features to ensure that you are not reusing passwords is a godsend in current times where password dumps are becoming more and more common.
Multi-factor Authentication (MFA):
Prefaced by 2FA (2-Factor Authentication), MFA is less of a feature and more of a security mindset when you think about it. The idea with 2-Factor was that you would have a second form of authentication that went along with a username and password in order to verify your identity when accessing whatever resource it was that you were trying to access. The concepts at work here can be traced back almost 40 years but not until the past 15 to 20 years have these concepts been required to protect our personal identities and data.
There are many kinds of MFA available and they all have their pros and cons and should be researched outside of this article to identify what is most of use to you. Personally, I recommend that you use MFA wherever available and enable it for all mobile banking applications and your primary email account (the one that is used to sign up for your online service accounts). Now more than ever we must be diligent about protecting your bank account because that is where your money, credit score, and financial wellbeing information is stored. Your email accounts need just as much security as your bank information because the chance is pretty high that you use it as your primary account for “Forgot Password” links. If you secure all your accounts but leave your email open and an attacker can read your email, well I have some news for you. If I were to click the forgot password button on your bank account and was able to get into your email due to the password being published on a breach report on the dark web I can now reset your password to your bank and possibly even remove your multifactor settings.
Another kind of Multi-Factor authentication is your security questions, these can be easily guessed if answered truthfully by spending some time looking into someone’s social media accounts so with that being said please do not answer these questions truthfully. You can come up with your own answers and store these as notes in most password managers so you can refer back to them when necessary.
I would advise that if your choices for MFA provide any other option than SMS to choose the other options due to SMS MFA being susceptible to multiple attacks that can capture your code on its way to you. My choice of MFA would be threefold, I personally use Google Authenticator that can be downloaded from the Google Playstore and the Apple Appstore, I have a physical MFA device that is on my keyring, Yubico is a good vendor for physical tokens, and last but not least I use the MFA capabilities built into the Android operating system. (Android MFA) Together all of these allow me for greater flexibility and ease of use while offering me peace of mind knowing my accounts are as secure as they can be.
Passwords are not like underwear:
There used to be this idea that passwords were like underwear and you should change them often as a good practice. This is actually only half true. Yes, we need to clean our passwords and make sure they are not reused or insecure but let’s not change our passwords more than necessary and I’ll explain why. Remember before when I was talking about the use of Schemas (“Season” + “Year” + “Special Character”) in creating passwords and why that may not be a great idea? Now pair that with current password rules like requiring complexity and only being between six and ten characters and other not-so-great rules out there. Picture this: you have an eight-character password and your service provider or company is requiring complexity. This means that you need to have a lower case, upper case, number, and special character in your password that totals four of the eight characters. So I as the attacker already know that in four of those eight characters there HAS to be one with a number, an upper case, a lower case, and a special character. That information alone lowers the overall entropy space of the password from the get-go.
Now let’s pile on a Schema such as the one from the beginning of this article and assume that users must change their passwords every 60 to 90 days. We end up having a password like “Spring2020!”, I can all but promise you that the next one will be “Summer2020!” or something very similar. This opens you up to be a victim of an attack called password spraying. That means that the attacker writes a script that just iterates through some easily guessable schemas with rules like complexity in place to very quickly guess users’ passwords.
Fortunately, we can avoid all of this by using password managers and having these purpose-built applications create long strong passwords and store them for us as well as only changing passwords when there is evidence of a compromise. A compromise can be anything from internal logs showing that a workstation has been hacked or checking websites like Have I Been Pwned regularly to make sure our accounts have not been affected by any recent data breaches.
No such thing as free WiFi:
When it comes to the internet, we all love to stay connected. We have grown accustomed to instant access to information and the ability to stay in touch with our loved ones and the rest of the world. We crave that connection so much that we routinely log into unsecured hotspots without really giving any thought to the risks that we may be opening ourselves up to.
When using free or public WiFi hotspots we do not know what security controls are in place, we don’t know what client segmentation is enacted and we don’t even know if the hotspot is a legit access point and not something that an attacker stood up just to harvest all our data. I won’t bore you with the details but the point here is don’t use them. Using the guest WiFi at a client's office is ok as that’s not public and usually needs a password, what I am talking about here is the internet at McDonald’s, Starbucks, Airports, etc. Those are the ones that we need to be more skeptical about and if you must use them do not do any sensitive tasks on your computers such as banking or healthcare-related items UNLESS you are using a VPN (Virtual Private Network).
A VPN is a way to make all your internet traffic travel in its own little bubble and it would protect you and all your information in a situation like the ones I just covered above by creating essentially an encrypted highway for you and your data only. This is like having the entire road to yourself from your house to your destination. There are many good consumer products out there that all offer little different services and I would suggest if this is something you are interested in doing your research and find the one that suits you best.
The other good option if you don’t want to purchase a VPN would be to use the hotspot feature on your cell phone but that could possibly be limited by your cell providers’ rules on how much data you can tether to connected devices.
That brings us to the end of our 5 Steps to Better Password Hygiene. I hope this has done a little to demystify passwords and how we can be doing just a little bit more to make our digital lives all that easier. Please feel free to connect with me here or on Twitter @npittak