In the latest video of our Security Culture series we talk about passwords and password managers. You can also listen in on our podcast.

Password Problems

The first thing to know is that weak passwords are often the easiest way to get access to information.

People:

  • Choose really simple passwords, like “password” or “abcd1234”
  • When special characters are required, tend to use something like “P@ssword1”
  • Use surprisingly easy-to-guess formats like “CompanyYear!”
  • Reuse passwords across different websites

When we do pen testing, guessing passwords is a surprisingly effective way to get access to a system!

We’ve worked with clients where we’ve seen an adversary running a botnet of 100,000 computers slowly but consistently testing, one by one, passwords gleaned from, for example, the billion-user Yahoo! data breach. So this is very real.

What Matters About Passwords

The reason we need to choose complex passwords is that attackers typically guess large numbers of passwords to try to gain access. They may work through a long list of commonly used passwords or, in a more targeted attack, guess likely passwords for particular users. Either way, they need to make a lot of guesses, so we want to make it as time consuming and difficult as possible for them to guess our password correctly.

We also need to choose a unique password for each site we use, because attackers often take a dump of users and their passwords from one website (like Yahoo! or Adobe) and try those same credentials against another website.

Password Managers

A password manager is a tool that helps you manage your passwords. Common ones we see include Dashlane, 1Password, LastPass and BitWarden, and browsers (Safari, Chrome) now integrate password managers too. We’re not here to endorse a particular one.

Password managers do a couple of things to help safeguard passwords:

  1. They give users one password to unlock all of the others, so users need to remember only one secret instead of dozens, and that one secret can be more complicated.
  2. They choose passwords for you, which means that your passwords are more likely to be appropriately random and complex.
  3. They protect the passwords by encrypting them so that they are not easily accessible.
  4. They make it easier to have your passwords available across devices.

Another advantage to using a password manager is that it also makes it easier to avoid phishing. Here’s why: normally you visit a URL and the password manager completes the login form with your password. If a phishing email sends you to a lookalike URL, the password manager doesn’t know which credentials to apply, so it prompts you instead. As a user, you are being asked for credentials when you wouldn’t expect to be, which gives you an opportunity to second-guess the email’s origin.
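To put numbers on the two points above (attackers need many guesses; a manager picks properly random passwords), here is an added example that is not from the original post. It generates passwords and passphrases with the OS CSPRNG and computes how many bits of entropy each choice has and how long an attacker would need at a given guessing rate. The word list is a constructed 16-word stand-in for a real diceware list, and the guessing rates in the demo are assumptions, not measurements.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list. A real list (for example
# EFF's long list) has 7776 words; entropy per word is log2(len(word_list)), so
# the size of the list, not the length of the words, is what makes a passphrase strong.
SAMPLE_WORD_LIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchard", "pebble",
]

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=DEFAULT_ALPHABET):
    """Random password from `alphabet`, drawn with `secrets` (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=4, word_list=SAMPLE_WORD_LIST, separator="-"):
    """Random passphrase: each word is an independent uniform draw from the list."""
    return separator.join(secrets.choice(word_list) for _ in range(words))


def entropy_bits(choices_per_symbol, symbols):
    """Entropy of a uniformly random string: symbols * log2(choices per symbol)."""
    return symbols * math.log2(choices_per_symbol)


def expected_guess_time_seconds(bits, guesses_per_second):
    """Expected time until the attacker hits the right guess (half the key space)."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase())
    # Illustrative attacker rates (assumptions): a throttled online guessing
    # campaign at 1,000 guesses/s in total versus an offline crack of leaked
    # fast hashes at 10 billion guesses/s.
    for label, bits in [
        ("20 random chars from 94 symbols", entropy_bits(94, 20)),
        ("4 words from a 7776-word list", entropy_bits(7776, 4)),
        ("4 words from the 16-word sample list", entropy_bits(len(SAMPLE_WORD_LIST), 4)),
        ("8 lowercase letters", entropy_bits(26, 8)),
    ]:
        online_days = expected_guess_time_seconds(bits, 1_000) / 86400
        offline_days = expected_guess_time_seconds(bits, 10_000_000_000) / 86400
        print(f"{label}: {bits:.1f} bits, ~{online_days:.3g} days online, "
              f"~{offline_days:.3g} days offline")
```

The entropy figures assume the attacker knows the generation method and only has to enumerate the space; a dictionary word or a pattern like CompanyYear! has far fewer effective bits than its character count suggests, which is exactly why a manager-generated password beats a human-chosen one.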

Other Countermeasures

Having a complex password and not reusing passwords is a great start. There are a couple of other countermeasures that can really help with security and which may make a password manager less important. I want to mention them here because they are important:

  1. SSO - Single Sign On - For example, by using your Google Apps or O365 identity to log in to a website, you get the controls that Google and Microsoft have implemented. Use MFA (below) on that identity and, in effect, you have MFA on every account that logs in through it.
  2. MFA - Multi-factor Authentication - The idea here is that you use a password and a second factor like biometrics, a code sent via SMS, or an authentication app like Authy (which implements TOTP).
  3. Prevent reuse of compromised passwords - by using an API like haveibeenpwned, we can check that the password a user chooses has not already appeared in a breach of some other, previously compromised site.
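Item 2 mentions TOTP, the algorithm behind Authy and similar authenticator apps. The following is an added example, not code from the original post or from Authy, showing what the server side of TOTP has to do: derive the one-time code from a shared seed and the current 30-second time step (RFC 6238 on top of RFC 4226's HOTP), tolerate a little clock drift, compare in constant time, and refuse a code that has already been accepted so it cannot be replayed. The seed used in the demo is the one from the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1, last_used_counter=None):
    """
    Return the counter the code matched, or None.
    Accepts +/- `window` steps of clock drift, compares in constant time, and skips
    counters at or below `last_used_counter` so a captured code cannot be replayed.
    The caller persists the returned counter per user as the new last_used_counter.
    """
    if not (isinstance(code, str) and len(code) == digits and code.isdigit()):
        return None
    current = int(unix_time) // step
    for candidate in range(current - window, current + window + 1):
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps share seeds as base32 (RFC 4648); restore any stripped padding."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    import time
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC test seed
    now = int(time.time())
    code = totp(seed, now)
    print("current code:", code, "matched counter:", verify_totp(seed, code, now))
```

Of the second factors listed above, SMS codes are the weakest because they depend on the phone network (SIM swaps and interception), whereas the TOTP seed never leaves the two parties that hold it; the replay check matters because a code is only single-use if the server remembers that it was used.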
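For item 3, the haveibeenpwned Pwned Passwords API is designed so that you never send it the password, or even its full hash. This added example (not code from the original post or from haveibeenpwned) shows the k-anonymity check: hash the candidate password with SHA-1, send only the first five hex characters to the real range endpoint, and look for the remaining 35 characters in the list the server returns. The network call is included but the demo runs offline against a constructed sample response; its suffixes and counts are made up except for the suffix of SHA-1("password").

```python
import hashlib
import urllib.request

# Real service: the Pwned Passwords "range" endpoint. The client sends only the
# first five hex characters of the SHA-1 of the password; the server returns every
# known hash suffix with that prefix, one "SUFFIX:COUNT" per line.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest: str):
    """k-anonymity split: the 5-char prefix goes on the wire, the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank or malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, response_body: str) -> int:
    """Number of breach appearances for `password`, given the response for its prefix."""
    _, suffix = split_for_range_query(sha1_hex(password))
    return parse_range_response(response_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup over the network; not exercised by the offline demo below."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_compromised(password: str, fetch=fetch_range) -> bool:
    """Reject the password if it appears in any known breach. `fetch` is injectable for tests."""
    prefix, _ = split_for_range_query(sha1_hex(password))
    return breach_count(password, fetch(prefix)) > 0


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The first and third suffixes and all three counts are made up for this demo; only the
# middle suffix is the genuine remainder of SHA-1("password").
SAMPLE_RESPONSE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2BB4D1B8D1E9A8F0C0B0A1D2E3F4A5B6C7D:1
"""

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RESPONSE_5BAA6  # swap for fetch_range to go live
    for candidate in ("password", "correct-horse-battery-staple-2024"):
        print(candidate, "->", "compromised" if is_compromised(candidate, offline) else "not seen")
```

SHA-1 is fine here because it is only a lookup key, not a way of storing passwords; the privacy property comes from the server seeing one prefix shared by hundreds of hashes, so it cannot tell which one you were asking about.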

These other countermeasures are important enough that we will have separate security culture posts about each of them in the coming weeks.

The Tech Deep End

Behind the scenes, systems don’t (or at least shouldn’t) know your password either. They store the output of a one-way “hashing function” (for the tech folks: use a deliberately slow, tunable function like scrypt, bcrypt or PBKDF2). Additionally, these hashes should be salted. SSO is typically based on SAML or OAuth.
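As an added illustration of that paragraph (not code from the original post), here is a minimal salted PBKDF2-HMAC-SHA256 store using only the Python standard library. Each record carries its own random salt and its iteration count, verification recomputes the hash and compares in constant time, and needs_rehash() lets you raise the work factor later and upgrade records the next time a user logs in. The record format is this example's own; the 600,000 iteration count is the figure the OWASP Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import os

# Work factor: the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
# Raise it over time; needs_rehash() flags records made with a lower count.
PBKDF2_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' with a fresh 16-byte random salt."""
    salt = os.urandom(16)  # unique per password, so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored: str):
    """Split a stored record into (iterations, salt, digest); raises ValueError if malformed."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash format")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        iterations, salt, expected = _parse(stored)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the record predates the current work factor (or cannot be parsed)."""
    try:
        stored_iterations, _, _ = _parse(stored)
    except (ValueError, TypeError):
        return True
    return stored_iterations < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    # Login-time upgrade: once the user has proven the password, store a fresh hash.
    if verify_password("correct horse battery staple", record) and needs_rehash(record):
        record = hash_password("correct horse battery staple")
```

The salt is what defeats precomputed tables and lets two users with the same password have unrelated hashes; the iteration count is what makes each offline guess against a stolen database cost the attacker roughly as much as it costs your login page.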

Feel free to reach out to discuss further - details around doing all of this correctly are beyond the scope of this blog post.

Conclusion

Sign up for haveibeenpwned.

Use a password manager.

Use passphrases of 4 words (16 characters) where that is supported.

If you are a developer, support SSO and/or MFA, store passwords securely and give users feedback about the complexity of the password they are choosing. Check out the OWASP cheat sheet to help think through corner cases.

Matt Konda

Matt is a software engineer. He’s our CEO and a former OWASP Board Member and Chair.
