Guidance on Effective Use of Passwords

Updated 4 February 2019 and 9 March 2019.

I want to talk to you about authentication in general, and how important it is to ensure your online identity is secure.

Passwords are going nowhere fast! Every time you log in to a new device, be it a smartphone, tablet or some form of PC, you nearly always start out these days by entering a user name and password. Once you are authenticated using this method, you can then set up different methods of authentication, namely:

  • 2-Factor methods, where you enter a 6-digit code from an authenticator app on your phone, or RSI dongle
  • Facial Recognition
  • Fingerprint ID
  • Pattern ID, where you tap out, or swipe, a pattern on the screen
  • In some cases voice identification, where you say a passphrase that gets you access (e.g. ‘My voice is my password, authenticate me’).

In all cases the vendor of the device is trying to make it harder for someone to get access to the device and your information contained within the device. They may even encrypt the device, and there is then a secure encryption key that you have to keep in case you need to re-authenticate.

OK, so why is this a big deal?

Our devices contain a lot of very personal information, and give you access to various services that make your life easier. For example, ToDo Lists (e.g. Google Keep, Microsoft ToDo), Notes (e.g. EverNote, OneNote), email, instant messaging, your music subscriptions, personal photographs. While a lot of people may not consider this as personal information, it does describe you as a person, what your likes/dislikes are and to some extent provides hackers with the ability to impersonate you and/or predict what your passwords might be.

For example, if I look at a random Facebook page, I am going to find out information about your life: where you went on holiday, what your birthday is, what your dog’s name is, where you live (country and town/city at least). This is all information I could use as a hacker to predict what your password might be, and at the other extreme acquire a loan in your name. As a hacker, I could hijack your identity in ways that would make it very hard for you to get that important loan you need, or get a credit card, or maybe even get that job you so desire. This is why you need to secure your accounts with strong authentication that is as unique to you as possible.

How can I make my password less vulnerable to hackers?

Passwords tend to be memorable, so that you can remember them easily. So, you might use a memorable word, e.g. your first born’s name (let’s say Francis). If you used this as your password, by looking you up on social media, I am sure I would come across that name and try it to break into your email account. You can obscure it by replacing letters with numbers and symbols, e.g. Fr@nc1s, which is secure, but as a hacker I know this pattern and I will try this first.

A better way is to use several words strung together, e.g. Francis London Unique, remove the spaces and then do character substitution, e.g. Fr@nc1sL0nd0nUniq9ue. That is more secure, and it is going to be harder to predict with a simple dictionary-type attack, especially if your words have nothing to do with you personally.

This pattern simply substitutes letters that look like numbers, and characters that look like symbols. For example:

  • a=@, I=1, e=3, o=0, q=9
  • S=$, B=8, f=£, g=9, l=1, v=u, u=v.

You get the idea? It is best to come up with your own substitutions, although just doing this makes the password more complex. You can also substitute lower case letters for capital letters.

Another pattern is to string three or more words together, remove the spaces and then remove vowels, e.g. FrncsLndnUnq. This makes the password shorter, but the hacker has to know firstly the words you have used and that you have removed vowels. You can then add numbers and symbols to the password, e.g. &*FrncsLndnUnq#!100. Now you are using more than one pattern – stringing words together, vowel removal and random symbols – and all of these make it harder for someone to crack the password.

What passwords should I not use?
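To see why the choice of words matters more than the disguise, here is a small acceptance check of the kind a sign-up form could run. It is an added example, not part of the original post: it undoes the substitutions listed above and the vowel-removal pattern, then reports any known word that is still recoverable. The function names and the word list are assumptions made up for the illustration.

```python
# Added illustration: word lists and function names are constructed for this example.

# The article's substitutions, mapped back to the letters they replace.
# '1' and '9' each stand for two letters, so both readings are tried.
UNLEET = {"@": "a", "3": "e", "0": "o", "$": "s", "8": "b", "£": "f",
          "1": "il", "9": "qg"}
MAX_VARIANTS = 4096  # bound the work for inputs full of '1' and '9'


def unleet_variants(password):
    """Return the lower-case strings a password decodes to once substitutions are undone."""
    variants = [""]
    for ch in password.lower():
        options = UNLEET.get(ch, ch)
        variants = [v + o for v in variants for o in options][:MAX_VARIANTS]
    return set(variants)


def strip_vowels(text):
    """Reduce text to its consonant skeleton (the vowel-removal pattern)."""
    return "".join(c for c in text if c not in "aeiou")


def guessable_words(password, known_words):
    """List the known words still recoverable from the password."""
    hits = set()
    for candidate in unleet_variants(password):
        skeleton = strip_vowels(candidate)
        for word in known_words:
            w = word.lower()
            w_skel = strip_vowels(w)
            # Skeletons shorter than 4 letters match too much to be meaningful.
            if w in candidate or (len(w_skel) >= 4 and w_skel in skeleton):
                hits.add(word)
    return sorted(hits)


# Constructed sample: words visible on a public profile, plus common
# passwords named in the article.
KNOWN = ["Francis", "London", "Password", "qwerty", "Donald"]

if __name__ == "__main__":
    for pw in ["Fr@nc1s", "Fr@nc1sL0nd0nUniq9ue", "&*FrncsLndnUnq#!100",
               "P@$$w0rd", "SL8NLG5dY7Frxtv{f98"]:
        print(pw, "->", guessable_words(pw, KNOWN))
```

Every example password built from Francis and London is flagged, however it is disguised; only the randomly generated one comes back clean.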

It is fortuitous that the most used password list has just been published for 2018 at https://www.welivesecurity.com/2018/12/17/most-popular-passwords-2018-revealed/.  These are simply passwords like 1234567, Donald, Password (yes people actually use that), qwerty. This site tells you the top 25 passwords in this list. Please, don’t use any of these as hackers will try these first. You should not use words that are directly attributable to you, e.g. your name, street address, make/model of your car, favourite rock band/composer, etc.

How do I manage all these passwords?

You should use a unique password for every service/website you access. Now, if you are like me, you will probably access hundreds of websites where you need to authenticate in some fashion to gain access to the website’s information or service. You should not write these passwords down in your diary, or on a Post-it note. But how do you manage all these passwords?

There are various solutions, and one that is becoming popular is password managers like LastPass. This is a premium service, available on all platforms as web browser plugins and largely supported across the industry. In this case you make an account at the password manager’s website, create a master password and then install the relevant plugins into your web browsers and authenticate using your master password. From then on you will have the option for the service to create a random/complex password for you. From this point on you don’t need to remember the password for Amazon, or Google, or eBay, you just let the password manager provide that password when you try to log in to the website. There are literally hundreds of password managers out there and you need to choose the service very carefully to ensure:

  • the security on the service is top notch
  • they keep things private and encrypted on their database
  • no-one employed at the service can decrypt your password/profile details
  • they have a longstanding track record and are not going to collapse as a business.

The problem I see with password managers is that they are a prime target for hackers, and the security of the service is paramount in keeping your information private. Also, if a hacker gains access to the service’s database of master passwords, all your logins are concentrated on one service and that makes you highly vulnerable. Your master password (for the password manager service) has to be a really good one to prevent someone predicting your password. Hence the service’s security is very important. A lot of people use password managers, and they rely totally on their ability to keep their passwords complex and secure. However, the risks remain.

What else can I do to make things more secure?

You can generate random passwords using apps you can download onto your smartphones. In this case you have to be sure that the app does not transmit anything out of the phone. You can also use password generators on websites, but ensure the same applies here too. What is entered into the app/website, stays there and is not transmitted to the owner of the website. These password generators tend to generate non-readable passwords like SL8NLG5dY7Frxtv{f98, and good luck remembering that and typing it into a website every time.

You should also use a different Id for each login. If you use an email address, then various email providers (e.g. Outlook.com) allow you to create up to 10 aliases that are valid email addresses. Email to these aliases will appear in your main account. The benefit here is that if your login is disclosed in a data breach, you just change it for another alias. However, you have to remember the alias you used, and the password for each website/service you use. All very complex if you don’t use a password manager.

What else can you do? Well, you can write them all down! What, I hear you say!! OK, here is a suggestion. Create a .txt file for each website you access with the name of the service (a .txt file is readable on any system you might use). Put the website URL into this file, together with the email address and a hint to the password (not the full password). You then secure it by compressing it using something like WinZip and applying a password to it. When you need this username/password, you open the zip, provide the password and then you can access the login info. You could secure several in the same ZIP file. You then have to make sure you store this on an encrypted disk on your laptop, an encrypted smartphone and in particular on an encrypted NAS drive/Cloud storage. This is all getting very complicated.

Password managers do seem to be the most frictionless way to secure your authentication details at the moment, until someone comes up with a better way.

What about 2-Factor Authentication?

This is where you provide a standard login username/email address and password, and then you provide a random one-time passcode that is generated separately. These can be provided by SMS to your phone (not the best way but is often used by services), an authenticator app (e.g. those provided by Microsoft and Google) or through some kind of RSID key fob device. When you log in, you provide your username and password and then you are requested to enter a 6-digit code either from your app, SMS or the key fob. These codes are one-time use, time limited (typically 30s for an authenticator app) and unless a hacker has direct access to that device they won’t get the second factor on login. All major services you use should have 2-factor authentication (e.g. your bank, Amazon, PayPal, Email Accounts).

2-Factor authentication is not perfect and can be cracked, especially if you have malware on your device that is monitoring your key strokes. SMS is not secure as it is transmitted in plain, unencrypted text and it has been shown to be very insecure. However, so many services still insist on using SMS.

There are other forms of authentication in development that will need to be adopted.
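How an authenticator app arrives at that 6-digit, 30-second code, and how a service can enforce "one-time use", is shown below as an added example that is not part of the original post. It follows the TOTP standard (RFC 6238) that the Google and Microsoft authenticator apps implement; the TotpVerifier class is a made-up name for this sketch, and the secret is the published RFC test key rather than a real one.

```python
# Added illustration, not from the original post. The secret is the published
# RFC 6238 test key; a real one is shared once at enrolment, usually via a QR code.
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the "time limited" part
DIGITS = 6          # the 6-digit code


def totp(secret, unix_time):
    """Derive the code for the 30-second step containing unix_time (HMAC-SHA1)."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server side: accept a code once, and only near the current time step."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window      # steps of clock drift tolerated either way
        self.last_step = -1       # highest step already accepted

    def verify(self, code, unix_time):
        current = int(unix_time) // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue          # "one-time use": never accept a step twice
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False


RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)
    # First use succeeds, the replay of the same code is refused.
    print(code, server.verify(code, 59), server.verify(code, 59))
```

The code depends only on the shared secret and the clock, which is why nothing needs to be sent to the phone, unlike SMS.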

What about Face Id and Finger Print Id?

When Microsoft released Windows 10 they included a service called ‘Windows Hello’ that used a specially configured webcam to take a photo of your face and use that to log you in on that device alone. Other implementations of facial recognition have been developed with varying degrees of success and security. With Windows Hello, you can’t just show the camera a photo, as it is also sensing depth and heat/infrared signatures. A lot of other implementations just rely on the image.

Fingerprint ID is largely implemented on smartphones these days, and all high-end devices will have this installed. Again, this should be processed locally and only the markers of your fingerprint should be stored.

This is all what is called ‘Biometric’ authentication since it needs something that is totally unique to you (e.g. your fingerprint, iris, face). Iris scanning is also another method.

These methods make your device more secure on the assumption you are not present when the device is accessed. If you are, you can be coerced into providing that authentication. The San Bernardino case involving a suspected terrorist’s iPhone, and Apple’s reluctance to provide a means to crack the PIN on the phone, is well documented. If the suspect had used a fingerprint ID, would the FBI have just been able to use his thumb to access the device? Good question, I hear you ask!

I personally am not a big fan of using biometrics as a security mechanism. I prefer to use a unique PIN which means anyone trying to get into my phone will have 3 attempts before the phone gets locked, and probably 6 before the phone is totally bricked and cannot be restored without wiping the device in a factory setting. However, fingerprint Id is very popular and I suspect isn’t going away any time soon.

Pasting Passwords (update)

In recent months, a number of articles have been published on the web around whether or not you should be allowed to copy/paste passwords. Now, this does assume that you have the full password written down somewhere electronic, which is not a good idea if you don’t use 2-factor authentication, or you are using a password manager. However, this also has an implication on scheduled retirement of passwords and the continuous regeneration of passwords.

It goes a bit like this.

If you are required to change your password every 3 months, you will fall into one of the many predictable patterns. For example, the first time you generate a password it will in all likelihood be a good one, and meet the complexity criteria. When the three months are up, you have to change it, and all you then do is add a number to it starting at 1, which is then incremented for every change.

If a hacker can get your root password, he can use what is called ‘Credential Stuffing’ to just add 1 to the end and eventually he will be in. This will in all likelihood be automated.

If you generate a truly complex password, and then keep it until it is critical to change it, for example due to a data breach, then you won’t be inclined to fall into this trap. If you also use 2-factor methods and possibly biometrics as well, this may well turn out to be more secure.

A bit more information can be found on this topic at the NCSC UK website.

Conclusion

So, what are you to do? You need to:

  • Maintain a degree of uniqueness and complexity around your passwords and logins
  • Try not to re-use passwords on multiple sites
  • Ideally you should not write down passwords anywhere
  • If you are OK with the risks, then a Password Manager might be a good idea
  • Use 2-factor authentication on all your sensitive accounts, particularly anything where there is a financial impact.

There is also a very good service at https://haveibeenpwned.com/ that records a large number of email addresses and passwords that have been subject to a data breach at some time. I suggest you put your email address/password into this site and see what comes back. I have two Hotmail accounts that have been breached, and came up in a search on this site. This is the reason I receive so much spam on these accounts. I have since removed these email addresses from any services I use and replaced them with alternate aliases. I suggest you do the same if they appear.
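For passwords, the same service offers a range lookup (Pwned Passwords) that lets you check without the password ever leaving your machine: only the first five characters of its SHA-1 hash are sent, and the comparison happens locally. The sketch below is an added example, not part of the original post; the network call is replaced by a constructed offline stand-in, and the function names and the breach count are made up for the illustration.

```python
# Added illustration, not from the original post. The response data is
# constructed so the example runs offline.
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called here


def split_hash(password):
    """SHA-1 the password; return (5-char prefix that is sent, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """Return how often the password appears in the range response (0 if absent)."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:      # comparison happens on your machine
            return int(count)
    return 0


def make_offline_fetch(breached, sent_log):
    """Constructed stand-in for the HTTP GET; records what would leave the machine."""
    def fetch(prefix):
        sent_log.append(prefix)
        rows = ["0" * 35 + ":1"]             # decoy row for another password
        for pw, count in breached.items():
            p, s = split_hash(pw)
            if p == prefix:
                rows.append(f"{s}:{count}")
        return "\r\n".join(rows)
    return fetch

# For a live check, pass a fetcher such as:
#   lambda p: urllib.request.urlopen(RANGE_URL + p).read().decode()

if __name__ == "__main__":
    sent = []
    fetch = make_offline_fetch({"Password": 12345}, sent)  # constructed count
    print(breach_count("Password", fetch), breach_count("Fr@nc1sL0nd0nUniq9ue", fetch))
    print("sent to the service:", sent)
```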

If you want to know how long it will take to crack your password, I suggest you visit this site https://www.grc.com/haystack.htm  and enter your password into this site to see how long it will take to do a brute force attack.

The example I gave above (Fr@nc1sL0nd0nUniq9ue) will take a maximum of approximately ‘11.52 thousand trillion centuries’ using the most powerful computers to crack by trying every combination of every letter, number and symbol. Now, the hacker may get lucky and get it within the first few million attempts, so this prediction isn’t all it’s cracked up to be, but you get the idea that making passwords highly complex gives you the best possible protection for your online identity.

Also take a look at my blog post on Credential Stuffing.

I hope you have found this blog posting interesting and will return to this site for more interesting topics as I finalise the research. Keep an eye on my Twitter account (@JMBusSec) for news on new blog posts as well as issues of the day.


Headline image provided by ShutterStock
