Passwords: Beware

I held out as long as I could; I have never used a password vault, thinking that I could remember all of my passwords for several dozen sites and applications without having to trust them to any third party.

Of course, many of the passwords I used were reused a few times, and oftentimes I would have to ask a site to remind me of what my password was.  I finally broke down and said okay, I was going to do it.

I signed up for the site that a trusted friend recommended; I even spent the $12 to get the premium service (mostly so that I could use multi-factor authentication with my Yubikey).  I then downloaded the app to my laptop.  I installed the app…

…and what happened next scared the wits out of me.

I should mention that I knew this was the case; I have in the past used tools to discover passwords on peoples’ computers (and on mine when I forgot them).  So why was I surprised when the password app showed me a list of every site I have ever visited from this computer, with a button that said ‘Click here to display passwords’??

Yes, it is true.  Unless you take special preventive measures, your computer saves every password you ever use; they are hardly even secured – this program did not take hours or even minutes to list them off, they were readily viewable in under ten seconds… including the passwords for my online banking.

How could this be?  It’s simple… passwords suck.  They are probably the best option that most of us have available, but they really do suck.  Multi-Factor Authentication (MFA) solutions like a Yubikey or a smartphone authenticator app are much better, but they have problems of their own – firstly they require you to have a device, and secondly they require the site (or application) that you are connecting to to support their tool.  So if you are connecting to YouTube (which is a Google site) you can use Google MFA; however if you are logging on to some random site where you participate in forums, there is a good chance that this will not be available to you, and you will have to use old fashioned passwords (see article).

The problem with passwords isn’t that they are hard to use, it is that most people do not use them correctly.  That is a pretty broad statement, but if you are honest with yourself, how many passwords do you use that are over 90 days old?  How many of your passwords are repeated across sites?  Some password vault tools will let you run a test across all of the sites in the vault, and it is a cold splash of water in the face to run one of these tests and get a 32% score (yes, I am as guilty of many of these behaviours as everyone else).

For years I said the worst enemy of IT security was yellow sticky notes, and they still are.  However it has gotten so much worse than ever, because every site wants complex passwords, and to get around the complexity rules people are using things like DogName1, then DogName2, and so on.  I see stickers like the one shown more often than I care to say.  The more often we have to change a password, the worse the situation will be.  The problem grows exponentially when we have more sites forcing us to do the same thing. So if we have to change a password on ten different sites every ninety days, we are exponentially more likely to pick the same passwords, or derivatives thereof.
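The vault-wide test described above (stale passwords, reuse across sites, and DogName1/DogName2-style derivatives) can be reproduced with a few lines of code. This is an added example, not code from the post or from any vault product; the vault export, the sites and the credentials in it are constructed, and the 90-day limit and "strip trailing digits" derivative rule are assumptions taken from the post's own description.

```python
from collections import defaultdict
from datetime import date
import re

# Constructed sample of a vault export (hypothetical sites and passwords, not real credentials).
VAULT = [
    {"site": "yourbank.example", "password": "DogName1", "last_changed": date(2015, 1, 10)},
    {"site": "forum.example", "password": "DogName1", "last_changed": date(2015, 6, 1)},
    {"site": "dating.example", "password": "DogName2", "last_changed": date(2015, 7, 20)},
    {"site": "trading.example", "password": "*880638Z7965", "last_changed": date(2015, 7, 30)},
]
TODAY = date(2015, 8, 1)      # fixed reference date so the audit is repeatable
MAX_AGE_DAYS = 90             # the ninety-day rotation rule the post talks about

def stem(password):
    """Reduce a password to its base so DogName1 and DogName2 compare equal (assumed rule)."""
    return re.sub(r"\d+$", "", password).lower()

def audit(entries, today):
    """Flag stale, reused and derivative passwords; return findings per site and a hygiene score."""
    by_password = defaultdict(list)
    by_stem = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])
        by_stem[stem(e["password"])].append(e["site"])
    findings = {}
    for e in entries:
        problems = []
        if (today - e["last_changed"]).days > MAX_AGE_DAYS:
            problems.append("stale")
        if len(by_password[e["password"]]) > 1:
            problems.append("reused")           # identical password on another site
        elif len(by_stem[stem(e["password"])]) > 1:
            problems.append("derivative")       # same base word, different trailing number
        findings[e["site"]] = problems
    clean = sum(1 for p in findings.values() if not p)
    score = round(100 * clean / len(entries)) if entries else 100
    return findings, score

if __name__ == "__main__":
    findings, score = audit(VAULT, TODAY)
    for site, problems in findings.items():
        print(f"{site:20} {', '.join(problems) or 'ok'}")
    print(f"score: {score}%")   # 25% for the sample above
```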

But is it reasonable to expect everyone to pick completely random, un-guessable passwords?  Is *880638Z7965 a good, completely secure password?  Probably not.  For one thing, it is going to be impossible for us mere mortals to remember, and so we are going to write it down; for another, if someone gets access to your computer (or smartphone, or any device that you use to log onto whatever site you are trying to keep secure).  Remember… if the Password Vault software can determine what your passwords are, so can the hackers.

I recently sent out an e-mail called The Ways of Small Business IT in which I highlighted some of the perils of a small business IT environment; one of the issues I highlighted was users leaving their unlocked workstations unattended.  There are much more dire (and scarier) consequences to this behaviour than having your local information stolen.  Simple programs installed from a USB key can reveal and steal every password you have ever used on the workstation – business, pleasure, banking, personal, dating sites… everything.  So the miscreant would not have to sit at your computer for very long to own you – all they have to do is sit down for a minute and then walk away with all of your sites, usernames, and passwords.  Then at their leisure they can access your life from wherever they want.

Scary?  Yes.  Preventable?  Of course.  A user who locks their computer when they walk away has taken great steps to prevent this attack.  But what happens if the miscreant did not target your computer?  What if they target a site where you use your catch-all password?  Well it shouldn’t be a problem because that site will shut itself down until it has fixed its own security holes, right?

WRONG.  The scary phrase in that last sentence is catch-all password.  Here’s what I mean, and for the moment we are going to use the example of a site that we know to have been recently hacked.

Yeah I know you didn’t have an account, and you are completely faithful to your partner, but for the sake of the example, the user list on AshleyMadison.com is compromised.  They have your credit card information, but that’s okay because your credit card is insured; they have your name and dating preferences, and that’s a damned shame… but there are fourteen million other men (and seventeen other women) who are in the same boat as you. It’s in the media and it’s ugly, and you are spending half of your time fighting with your partner that someone had used your credit card (and name, and picture, and your sexual preferences) to create their own profile on the site, and the other half of the time speculating about who else was on it, and… you know, doing whatever else you do during the day.

What you do not spend any time doing is changing the password on YourBank.com, YourTradingCompany.com, YourOtherServices.com, and so on.  It doesn’t matter that you had been using the same password on those sites as you did on AshleyMadison.com, because… well, in truth you just never gave it much thought, and isn’t it just so much easier to use the same password everywhere so you don’t forget?

Now the bad guys have your password… and believe me, it isn’t tough to guess your username for all of those sites… especially since you also used the same password for your e-mail account.  Whatever they can’t easily figure out, they can simply ask the other businesses to resend, and the businesses will do it because the request came from your e-mail account.

Is there a good solution?  For businesses there are several… multi-factor authentication, soft tokens, and so on.  For individuals?  Well, there’s vigilance… and listening to people like me when we tell you not to use the same passwords, and not to write them down, and to change them frequently.

In my next article I am going to use a lot of the tools I discussed in this piece to demonstrate why your work laptop should only be used for your work resources.


2 thoughts on “Passwords: Beware”

  1. Mitch, you are heading in the right direction. The movement towards U2F (Universal 2 Factor) authentication, and UAF (Universal Authentication Framework) are being spearheaded by a number of working groups within the FIDO Alliance, an org which our company Cicada Security Technology is a member of. There is no question that passwords suck, but the one thing worse than passwords is the fact that most forget more than a few, and typically recycle a small pool of rarely updated simple passwords.

    I suggest you take a look at fidoalliance.org to learn more about how U2F platforms such as Yubikey can eliminate this risk. UAF is another interesting beast, where the device is the authentication point, typically hosting a UAF stack to engage in a complex validation process often occurring in a chip based trusted execution environment or at the OS level.

    I live by LastPass and Yubikey NEO. The NEO has the U2F support in it, as well as NFC capabilities enabling ubiquitous support across all platforms.

  2. Pingback: Why You Need a Personal Computer If You Have A Corporate Computer « The World According to Mitch
