It’s Time to Get Rid of Passwords
Hello readers and welcome back. In this blog I will be covering the password problem; the dangers of weak passwords, and the problem with their reuse – using a password for more than one website. In future blogs, I’ll cover some of the new technology heading our way; however, for now, let’s change any bad password habits so we can improve the security of your accounts.
Passwords Are No Longer Sufficient to Protect Your Information From Theft
Have you ever thought that no attacker could guess your password? After all, what attacker is able to read my mind, right? Correct, they can’t; however, let’s dispel the myth that they need too in order to compromise your accounts.
There are some technical aspects how passwords should be handled by a website that we need to cover to help you understand the attackers process to get your password. A common security practice for web accounts is to covert the free-text form of the password into a hash using a cryptographic mathematical function. Assuming our not-so-creative password is ‘letmein’, then its MD5 hash is ‘0d107d09f5bbe40cade3de5c71e9e9b7’. This long string of numbers and letters is a unique representation of ‘letmein’; however, you cannot put this into the password entry box to log into a web site.
Hashes are a one-directional math calculation. You cannot reverse the math to calculate the free-text password from the hash. However, for each word, phrase or object, the hash is unique. What this means is that ‘letmein’ is always calculated to be ‘0d107d09f5bbe40cade3de5c71e9e9b7’ when using the MD5 algorithm. OK, that’s a lot to take in.
When an attacker compromises a business web site or computer systems, they will look to steal all user data, including username, email address, password hash, phone number, etc. Armed with this information they’re in a position to begin compromising customer accounts. Let’s see how they can do this.
[Tech demonstration] Copy the characters [5f4dcc3b5aa765d61d8327deb882cf99]
between the brackets (but not the brackets), open Google and paste into the search bar. You’ll discover this set of characters is the MD5 hash of the word ‘password’. When an attacker steals business customer information, which may include yours, they can simply paste the information into the Google search bar and recover many passwords, even when the passwords were protected using a hash.
Because we typically have many accounts, there is a chance we reuse the same password for multiple web sites. There is a limit to how many passwords we can remember and you probably don’t carry around your password list on a slip of paper in your wallet. Additionally, we may keep our passwords simple, so it’s easy to remember. If you do any of these, I recommend you change this practice as the risk for further compromises dramatically increase.
Armed with your email address and the password, an attacker may attempt to log into your email account. Do you have business or personal information saved in your email account? Is this email account used as the account name for other web sites? If so, could an attacker request a password change for another web site? They sure can, and having access to your email account, they would be able to make the password change with relative ease.
There is a great web resource you can use to determine which passwords and email addresses have been discovered in compromise postings. I recommend you visit https://haveibeenpwned.com and check to see if your email and passwords have been seen in past compromises. There isn’t much you can do about changing an email address, they are too integrated into our lives. However, if your password shows up, change it and don’t use it again.
To strengthen your security posture, there are a number of techniques and technologies you can utilize; however, you should only use one strong password per web site. Should a website be compromised and your password reversed to its free-text form, the attacker would not be able to utilize it to log into any of your other accounts.
This presents a problem though; how do we remember all these unique passwords for hundreds of web sites? This is where a password manager comes in handy. Not only will a password manager help securely store your passwords, you can use it to generate long complex passwords for which an attacker could not use a reverse-lookup to discover its free-text form. I use no less than a 16-character complex password generated by the password manager. Here’s an example of a strong password ‘02F_7|Awiq27VFp5’ generated by a password manager. Couple this technique with multi-factor authentication, the security protecting your accounts is dramatically improved.