Cybersecurity Basics

Password hell!

You know what it’s like: you have just hit the ‘Register’ button on a website and you’re being asked to provide a password to set up an account. So you try to come up with something that you can remember and that meets the website’s password policy, which dictates the characters to use and the minimum length. In previous LinkedIn updates I have posted a link to a video of British comedian Michael McIntyre giving a perfect example of the thought process you may go through to come up with a password. It’s worth watching because it is very funny, but also very near to the truth, so here’s the link again.

However, passwords are no laughing matter. It is not uncommon for people to use the same password (or a slight variation of it) for most, if not all, of their accounts so that they only have one to remember. Unfortunately, if you use the same password across multiple accounts, it only takes one organisation to leak that password and suddenly all your accounts are potentially at risk. Hackers take known username and password combinations stolen in previous breaches and use automated tools to try these credentials against thousands of login screens in an attempt to access systems. This process is known as credential stuffing. Alternatively, hackers try widely used passwords against known usernames, a brute-force technique. Either way, your username and password are not necessarily kept as secure as you’d expect by some companies. I wrote about this last week.

But don’t be fooled into thinking that your password is too clever to be exploited. I have seen instances of people using ‘*********’ as their password, thinking that a potential attacker will believe it is still obfuscated! Troy Hunt runs the Have I Been Pwned website, which allows users to check whether their email address has been involved in a breach. The site also contains a tool to see how common your actual or intended password is. If your email address and password are in the list, you’re already using credentials known to hackers. So, the advice that cybersecurity experts give is to use a strong, unique password for each account you have.

Unfortunately, users often have accounts across multiple websites, making it almost impossible to remember so many unique passwords, especially when they are a mix of alphanumeric characters and symbols. You may decide to use a clever algorithm to help you remember them, but that becomes a pain if one or more of your accounts requires regular password changes. To overcome this problem, there are tools called password managers, such as 1Password, Dashlane and LastPass, which allow you to store hundreds of unique and complex passwords in a secure vault. The passwords are never stored in the clear; they are encrypted using a key that you manage. You can access your passwords from all your devices that support these tools (smart phones, desktops, laptops and tablets) using just one strong password that is easy for you to remember (more on this in a moment). You don’t even need to know the passwords that are stored: when you log in to a website, you just copy the username and password into the relevant fields, and some password managers fill these fields in automatically when you visit the login page.

Of course, protecting this vault is important, and you want to use a password that you can remember but that is still strong enough to beat the most powerful computers tasked with cracking it. One very effective option is to use a passphrase made up of three or more random words that you can remember. The following image explains why this is an effective method.

[Image: password strength cartoon explaining why passphrases are easier for humans to remember but harder for computers to crack]
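The reason the cartoon’s argument holds is arithmetic: a passphrase of k words chosen at random from a list of N words has k × log2(N) bits of entropy, so four words from a 2048-word list give 44 bits, roughly the same as eight random printable characters, yet are far easier to remember. The Python below is an added example for this post, not from the original article; the tiny word list, the 2048- and 7776-word list sizes and the 1,000 guesses-per-second attack rate are assumptions chosen to make the comparison concrete.

```python
import math
import secrets

# Constructed mini word list for the demo. A real list (for example a
# 7776-entry diceware-style list) is much larger; the important property is
# that every word is picked uniformly at random, not chosen by a person.
WORDS = ["apple", "bridge", "candle", "dragon", "engine", "forest", "garden",
         "harbour", "island", "jacket", "kettle", "lantern", "marble", "needle",
         "orange", "pillow"]


def entropy_bits(choices, length):
    """Bits of entropy for `length` symbols each drawn uniformly at random
    from `choices` possibilities, i.e. log2(choices ** length)."""
    return length * math.log2(choices)


def generate_passphrase(words, count=4, rng=secrets):
    """Pick `count` words with a cryptographic RNG (secrets, not random)."""
    return " ".join(rng.choice(words) for _ in range(count))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possibility at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare():
    """Four random words from a 2048-word list versus eight random printable
    ASCII characters (94 symbols): similar strength, very different
    memorability. 1,000 guesses/second is an assumed online-attack rate."""
    words4 = entropy_bits(2048, 4)
    chars8 = entropy_bits(94, 8)
    return {
        "four_words_bits": round(words4, 1),
        "eight_chars_bits": round(chars8, 1),
        "four_words_years_at_1k_per_s": round(years_to_exhaust(words4, 1000)),
        "six_words_7776_bits": round(entropy_bits(7776, 6), 1),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(WORDS))
    print("demo list gives", entropy_bits(len(WORDS), 4), "bits per 4 words")
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Two points the numbers make: the strength comes from the random choice and the size of the list, not from the words themselves, so a favourite quotation does not count; and adding a word costs the attacker far more than adding a symbol to a short password.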

Another option to consider is multi-factor authentication (MFA) where websites support it (not all websites support MFA, but if they do, you should activate it). So what is MFA? Well, establishing that a person is who they say they are requires the person to offer up at least one of three pieces of evidence: something they know, such as a PIN or password; something they own, such as a bank card or smart card; and something they are, such as a fingerprint or their facial features. Combining two or more of these attributes (multiple factors) provides greater assurance of the person’s identity. There are several ways a website can use MFA. One option allows a user to register a mobile phone number with the site. When the user logs in with a username and password (something they know), a unique one-time passcode (OTP) is sent to the registered phone number (something they own), which the user must enter to complete the login process. An attack on mobile phone numbers called SIM-jacking has made this a less desirable option. Therefore, an alternative OTP generation process requires the user to install an OTP utility (an authenticator app) on their mobile device. During the login process, the user opens the utility and enters the code they see into the website they are trying to access.
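The app-based option works without any message being sent at all: at enrolment the site and the app share a secret, and afterwards both compute the same six-digit code from that secret and the current 30-second time slot (the TOTP scheme of RFC 6238, built on the HOTP counter scheme of RFC 4226). The Python below is an added example for this post, not code from the original article or from any authenticator product; it implements both the code generation the app performs and the verification the site performs, using only the standard library. The secret values in the test are the published RFC test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time slot.
    This is what the authenticator app displays."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, digits=6, window=1):
    """Server-side check. Accept the current slot plus `window` slots either
    side to absorb clock drift, and compare in constant time so the check
    itself leaks nothing about the expected code."""
    if at_time is None:
        at_time = time.time()
    slot = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, slot + d, digits), code)
        for d in range(-window, window + 1)
    )


def new_secret_base32(nbytes=20):
    """Generate a fresh shared secret at enrolment, encoded as base32,
    which is the form authenticator apps accept (usually via a QR code)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def secret_from_base32(text):
    """Decode a base32 secret (ignoring spaces and case) back to raw bytes."""
    clean = text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


if __name__ == "__main__":
    shared = secret_from_base32(new_secret_base32())
    now = time.time()
    code = totp(shared, now)            # what the app would show
    print("code:", code, "accepted:", verify_totp(shared, code, now))
```

Because nothing travels over the phone network, taking over the phone number gains an attacker nothing here; what must be protected instead is the shared secret, which is why a site stores it encrypted and only ever shows it once, at enrolment. A server should also record the last accepted slot per user so that a code cannot be replayed within its window.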

Managing passwords doesn’t need to be Hell on Earth. If you use a password manager, you can safely store all your passwords and access them across multiple devices; effectively, you only need to remember one password. However, rather than thinking of that password as a combination of lower case and upper case characters, numbers and special characters, consider using a passphrase. Finally, I strongly recommend you activate MFA (sometimes referred to as two-factor authentication or 2FA) on the sites that support it. Ultimately, we will welcome you to Password Paradise.