- YOU are at risk and have a responsibility to keep your online identities secure.
- Use a password manager like LastPass or 1Password.
- Use multi-factor authentication, ideally with a hardware key like a YubiKey or a Google Titan Key. Check twofactorauth.org for which services support it.
Passwords: we all use them, we all loathe them, and they often fail us when we trust them to keep us secure. Technology becomes a more integral part of our lives every day, but what largely hasn’t changed is the use of passwords as our primary method of securing access to it. A password is a secret piece of information shared between a user and a computer or service, used to decide whether a given interaction is authentic. Because a password is just a piece of information, anyone who obtains it can impersonate the user. This is the greatest downfall of systems that rely exclusively on passwords. In 2018 alone an estimated 446 million records were exposed in data breaches around the world (ITRC, 2018), and the data from these breaches often contains usernames and passwords.
Thankfully, over the last decade most organizations have moved to storing a cryptographic hash of each password rather than the password itself, so even when password data is exposed in a breach an attacker has to do more work to recover the actual passwords. A password hash is ‘one-way’: you cannot run it backwards to get the password. The only way to learn a password from its hash is to guess candidate inputs and run each one through the same hash function until the output matches the value in the breach. A well-built system also gives every password a random ‘salt’, so that identical passwords do not produce identical hashes and each user has to be attacked separately, and uses a deliberately slow function such as bcrypt, scrypt or Argon2 so that every guess costs the attacker real time.
With a fast general-purpose hash such as MD5, SHA-1 or NTLM, a well-equipped attacker with a GPU cracking rig can test on the order of 100 billion guesses per second; a purpose-built slow password hash cuts that by several orders of magnitude, but you rarely get to choose what a service uses. As threats to our online security grow, it is imperative that we all take measures to secure our online accounts and identities. What is a ‘great’ password, though?
Each site seems to have its own opinion, and it feels like every time we create a password we endure this process:
- Password: bohemian TOO WEAK: MUST CONTAIN MIXED CASE
- Password: Bohemian TOO WEAK: MUST CONTAIN TWO NUMBERS
- Password: Bohemian75 TOO WEAK: MUST BE GREATER THAN 10 CHARACTERS
- Password: BohemianRhapsody1975 ERROR: MUST BE LESS THAN 18 CHARACTERS
- Password: Boh3m1anRhapsody TOO WEAK: MUST CONTAIN A SYMBOL
- Password: Boh3m1@nRh@psody ERROR: WAIT! NOT THAT SYMBOL, TRY AGAIN
- Password: Boh3m1anRhap$ody ACCEPTED
At the end of this process, what are we left with? A password that is difficult to remember. So, what do we do? We write it on a sticky note, stuff it under the keyboard and hope the IT person doesn’t come and scold us. Or we commit the password to memory and end up reusing it everywhere, exposing ourselves to more risk.
The worst part is that this password isn’t even very secure.
Threats to your Online Security
There are many ways to strengthen a password. The key is to find a balance between something that is secure and something that is easy to remember. To identify which strengthening techniques work best, we need to look at the threats to your password’s security. Attackers are resourceful and range in capability from a lone individual to a nation state with literal armies and virtually unlimited resources. The best defense anyone can have is to avoid being targeted altogether.
Given how many potential victims there are relative to capable attackers, you are unlikely to be the target of a tailored attack unless you are a public figure, CEO, political activist, or enjoy Facebook flame wars. There is, however, a good chance that you will be swept up in an indiscriminate attack that compromises many accounts at once, such as the data breaches described above. These attacks can be largely mitigated by taking a few steps to better secure your online identities.
The first step in increasing the security of any online account is increasing the length of your passwords. A longer password makes it harder for an attacker to perform a ‘brute force attack’, in which the attacker hashes every possible combination of characters up to a certain length. The work grows exponentially with length: with N possible characters there are N^L passwords of length L. For example, at the 100 billion guesses per second quoted above, a lower-case-only password that is 8 characters long (26^8, about 209 billion combinations) falls in about 2 seconds; stretching it to 12 characters (26^12) takes about 11 days. Adding mixed case, numbers and symbols makes brute forcing harder in the same way: a lower-case-only password has a character set of 26, while one drawn from mixed case, digits and the standard keyboard symbols has a character set of 95. With that set, length 8 takes about 18 hours and length 12 about 170 thousand years. These are worst-case figures for a pure brute force, and, as the next section shows, attackers rarely need to search the whole space.
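The keyspace arithmetic behind those figures, as an added example that is not part of the original article: it reproduces the 26- and 95-character numbers at the 100 billion guesses per second rate the text quotes, and also reports the equivalent entropy in bits, which is how password tools usually present the same quantity. The rate and character-set sizes are the text’s own; the 62-character (letters and digits) row is an extra assumption added for comparison.

```python
"""Brute-force cost estimate for the figures in the text (added example)."""
import math

# Rate quoted in the text for a fast hash on a GPU cracking rig.
GUESSES_PER_SECOND = 100_000_000_000

# Character-set sizes: lower-case only and full printable ASCII are from the
# text; the 62-symbol letters+digits row is an added comparison.
CHARSETS = {"lower": 26, "alnum": 62, "printable": 95}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from `charset_size` choices."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace; the expected time is half of this."""
    return keyspace(charset_size, length) / rate


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: the figure password tools usually report."""
    return length * math.log2(charset_size)


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def cost_table(lengths=(8, 12, 16), rate=GUESSES_PER_SECOND):
    """(charset name, length, bits, human-readable worst-case time) per combination."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(size, n), 1),
                         humanize(worst_case_seconds(size, n, rate))))
    return rows


if __name__ == "__main__":
    for name, n, bits, eta in cost_table():
        print(f"{name:>9} x {n:2d}: {bits:6.1f} bits, worst case {eta}")
```

Pass a smaller `rate` to `cost_table` to see how a slow password hash changes the picture: at a few hundred thousand guesses per second instead of 100 billion, every row moves by a factor of several hundred thousand, which is exactly why the hash a service chooses matters as much as the password you choose.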
Rather than trying every combination of every letter, number and symbol, an attacker will generally perform a ‘dictionary attack’, running previously exposed passwords and common words against the stolen hashes. Just as increasing length and character set exponentially grows the search space, a dictionary shrinks it to the candidates people actually pick, and so shrinks the time it takes to crack a hash. Once the dictionary itself is exhausted, attackers start mutating it with rulesets. These rules range from simple substitutions like replacing ‘e’ with ‘3’ to appending important dates, sports terms and other regional vernacular, all aimed at reproducing the way real people build passwords. A resourceful attacker with a good dictionary and ruleset can crack around 70% of the passwords in a typical breach in a little under 15 seconds. The reason for this speed is that we all seem to use the same features in our passwords. Many seemingly secure passwords cracked this way look like ‘Yellowstone987!’: a pure brute force over 95^15 combinations would still be running long after the sun burns out, yet this is one dictionary word with a capital letter, three digits and a symbol appended, which is exactly what a ruleset tries first.
This follows from the way we make passwords. We start out intending to use ‘Yellowstone’, and when the site presents its rules we append some numbers and a symbol. Attackers succeed because they tune their dictionaries and rulesets to exactly this behaviour, so any new recipe for ‘great’ passwords has to be resistant to cracking by construction; otherwise attackers simply add the recipe to their rulesets. An even more successful strategy attackers use is phishing.
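The hashing described earlier and the dictionary-plus-rules attack described here, in one added example (not code from the original article): it builds a constructed breach dump of salted hashes for three made-up accounts, then generates candidates hashcat-style from a tiny wordlist with case rules, ‘leet’ substitutions and numeric/symbol suffixes. The two passwords from the text fall; the four-word passphrase with a digit inside a word does not, because no combination of these rules produces it. The wordlist, rules, account names and passwords are all constructed for the demo, and salted SHA-256 stands in for whatever a real site would use.

```python
"""Dictionary attack with mangling rules against a constructed dump of salted
password hashes (added example; the dump, wordlist and rules are made up here)."""
import hashlib
import itertools
import os
from typing import Iterator

# A tiny attacker wordlist; real ones hold millions of leaked passwords.
DICTIONARY = [["yellowstone"], ["bohemian", "rhapsody"], ["password"]]
# "Leet" substitutions, applied as hashcat-style rules.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SYMBOLS = ["", "!", "$"]

# Constructed accounts for the demo; the third uses the four-word strategy from the text.
ACCOUNTS = {
    "alice": "Yellowstone987!",
    "bob": "Boh3m1anRhap$ody",
    "carol": "glacier tortoise vio7lin pamphlet",
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 stands in for whatever the breached site used. A slow hash
    (bcrypt/scrypt/Argon2) makes each guess dearer but the rule logic is identical."""
    return hashlib.sha256(salt + password.encode()).digest()


def make_dump(accounts: dict) -> dict:
    """What a breach exposes: user -> (per-user random salt, hash)."""
    dump = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        dump[user] = (salt, hash_password(password, salt))
    return dump


def case_variants(words: list) -> list:
    return ["".join(words),                           # bohemianrhapsody
            "".join(w.capitalize() for w in words),   # BohemianRhapsody
            "".join(words).upper()]                   # BOHEMIANRHAPSODY


def leet_variants(word: str) -> Iterator[str]:
    """Every subset of the substitution *types*, each applied everywhere it fits."""
    for r in range(len(LEET) + 1):
        for subset in itertools.combinations(LEET, r):
            yield word.translate(str.maketrans({k: LEET[k] for k in subset}))


def suffixes() -> list:
    """Nothing or 0-999, each optionally followed by a symbol."""
    digits = [""] + [str(n) for n in range(1000)]
    return [d + s for d in digits for s in SYMBOLS]


def candidates(dictionary=DICTIONARY) -> Iterator[str]:
    """Mangle each dictionary entry (case x leet), then append every suffix."""
    sufs = suffixes()
    for words in dictionary:
        stems = set()
        for cased in case_variants(words):
            stems.update(leet_variants(cased))
        for stem in sorted(stems):
            for suf in sufs:
                yield stem + suf


def crack(dump: dict, dictionary=DICTIONARY):
    """Try every candidate against every still-uncracked account.
    Returns ({user: recovered password}, number of candidates generated)."""
    pending = dict(dump)
    found = {}
    tried = 0
    for cand in candidates(dictionary):
        tried += 1
        for user in list(pending):
            salt, digest = pending[user]
            if hash_password(cand, salt) == digest:
                found[user] = cand
                del pending[user]
        if not pending:
            break
    return found, tried


if __name__ == "__main__":
    found, tried = crack(make_dump(ACCOUNTS))
    print(f"{tried} candidates tried; cracked {found}")
```

Note that the salt forces a separate hash computation per user for every candidate; without it, one hash per candidate would test every account in the dump at once. Swapping `hash_password` for `hashlib.scrypt` or a bcrypt call turns the same few hundred thousand candidates from a fraction of a second into minutes, which is the whole point of a slow password hash.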
At one point or another we have all received an email of questionable intent coaxing us to open a file or click an embedded link. Attackers craft these messages to contain either a web form disguised as your email provider’s login page or a file with a hidden program that exploits an unpatched vulnerability on your computer. Sometimes attackers gather enough information about a single target to tailor the message, for example impersonating a superior in your organization with an urgent request or masquerading as a vendor demanding immediate payment for their latest delivery. Targeted attacks of this kind are known as spear phishing. If an attacker compromises your email account they gain a foothold in your network of correspondents and can immediately launch further spear phishing campaigns against your colleagues, customers and vendors, and they can reset the password of any other account that uses that mailbox for recovery.
The main takeaway is that no matter how ‘great’ your password is, you remain vulnerable to attacks like these unless you use other methods of authentication alongside it. Once an attacker obtains your password via brute force, dictionary attack or phishing, they will immediately begin a ‘credential stuffing’ attack. Most of us reuse the same password in many places. Attackers know this, and if they obtain, say, the login for your car insurance account they will try, or ‘stuff’, that same username and password everywhere they can think of: Facebook, email accounts, banking accounts. These attacks are another extremely successful way for attackers to compromise accounts, which is why it is so important to use a unique password for every account you have.
Now that we know what the threats are, how can we defend ourselves? To start, let’s review the guidelines that help defend against the attacks detailed above.
- Use a Long Password Long passwords exponentially increase the number of combinations an attacker must try, and so the time a brute force or dictionary attack takes.
- Use a Complex Password with Numbers and Special Characters A larger character set further increases the search space an attacker has to cover before hitting your password.
- Avoid Passwords with Predictable Patterns Appending numbers and symbols to the end of a word or replacing ‘i’ with ‘1’ adds very little, because rulesets mutate dictionary words with exactly these suffixes and substitutions.
With these rules in mind, a great memorable strategy is to string four common words together. XKCD, a STEM-oriented comic, explains it well:
To improve on this strategy, use uncommon words or words from other languages to increase the difficulty of a literal dictionary attack against your password, and keep in mind that four words drawn from a small list of common words is only about 50 bits of work, which an offline attacker at the rates discussed above can cover in hours, so five or six words are better than four. When adding numbers and symbols to a password like this, avoid the space between words and instead insert them in the middle of a word without substituting an existing character. This strategy is great, but it doesn’t help with the other guidelines that improve your security:
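An added example (not code from the original article) of the passphrase recipe above: it picks words with a cryptographic random source, inserts a digit and a symbol strictly inside words rather than on the boundaries, and works out the entropy of a four-word phrase against a manager-generated random password of the kind discussed later. The wordlist is a constructed stand-in; the 7,776 figure is the size of the EFF long wordlist, used here only for the arithmetic.

```python
"""Passphrase generation following the four-word strategy above, plus the
entropy arithmetic for comparing it with a manager-generated password
(added example; the wordlist is a constructed stand-in)."""
import math
import secrets
import string

# Constructed stand-in for a real list such as the EFF long wordlist (7,776 words).
# Every word has at least two letters so a character can be inserted inside it.
WORDLIST = [
    "glacier", "tortoise", "violin", "pamphlet", "saffron", "harbor", "lantern",
    "meadow", "quartz", "ember", "falcon", "orchid", "tundra", "velvet", "walnut",
    "zephyr", "anvil", "bramble", "cobalt", "dahlia", "echo", "fjord", "granite",
    "hollow", "ivory", "juniper", "kestrel", "lattice", "marble", "nectar",
    "oriole", "pewter", "quiver", "ripple", "sable", "thistle", "umber", "vortex",
]
DIGITS = string.digits
SYMBOLS = "!@#$%^&*"
EFF_LONG_LIST_SIZE = 7776


def passphrase(n_words: int = 4, wordlist=WORDLIST) -> str:
    """n words chosen uniformly with a CSPRNG (never random.choice for secrets)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def _insert_inside(word: str, ch: str) -> str:
    # Position strictly inside the word, so it never sits on a word boundary.
    pos = 1 + secrets.randbelow(len(word) - 1)
    return word[:pos] + ch + word[pos:]


def strengthen(phrase: str) -> str:
    """Add one digit and one symbol *inside* words, as the text recommends,
    without replacing any existing letter. Words must be at least two letters."""
    words = phrase.split(" ")
    for alphabet in (DIGITS, SYMBOLS):
        idx = secrets.randbelow(len(words))
        words[idx] = _insert_inside(words[idx], secrets.choice(alphabet))
    return " ".join(words)


def passphrase_bits(n_words: int, wordlist_size: int = EFF_LONG_LIST_SIZE) -> float:
    """Entropy if the attacker knows the wordlist and the word count."""
    return n_words * math.log2(wordlist_size)


def random_password(length: int = 20) -> str:
    """What a password manager generates: uniform over 94 printable characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password_bits(length: int, charset_size: int = 94) -> float:
    return length * math.log2(charset_size)


def exhaust_hours(bits: float, rate: float = 1e11) -> float:
    """Hours to try 2**bits guesses at `rate` guesses per second."""
    return 2 ** bits / rate / 3600


if __name__ == "__main__":
    print(strengthen(passphrase()), f"({passphrase_bits(4):.1f} bits from the list alone)")
    print(random_password(), f"({random_password_bits(20):.1f} bits)")
    print(f"4 words from the EFF list: {exhaust_hours(passphrase_bits(4)):.1f} h at 1e11/s")
```

The bit counts assume the attacker knows the recipe, which is the right assumption once a recipe becomes popular. Four words from the 7,776-word list give about 52 bits, roughly ten hours at the fast-hash rate from the text; the inserted digit and symbol, and every extra word, move that figure out of reach of word-combination rules.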
- Change Your Password Frequently (Every 12 Months) Because data breaches often go undetected, changing your password on a schedule limits how long a leaked password stays useful to an attacker. Current NIST guidance (SP 800-63B) prefers changing passwords when there is evidence of compromise rather than on a fixed calendar, so treat the yearly change as a backstop for breaches you never hear about, and change immediately whenever a service you use reports one.
- Use Multiple Factors of Authentication Adding a second or further factor significantly reduces the effectiveness of phishing campaigns and drastically improves your security overall.
- Use a Unique Password for Every Account By using a different password everywhere, you stop a compromise of one account from spreading to the rest of your online identities.
It is easy to know these guidelines; it is another challenge to implement them. They do not scale: as soon as you accumulate more than a few accounts, changing and remembering many long, complex, unique passwords exceeds the limits of human memory and discipline. Without help, even the most devoted individual will struggle with them.
Thankfully, many tools have been developed to help users manage their passwords. These password managers save all your usernames and passwords in a single encrypted vault that can be accessed on your computer or mobile device. Besides passwords, credit cards and other sensitive notes, a password manager can run as a browser extension that fills username and password fields automatically, either with your own passwords or with ones it generates as a long random series of letters, numbers and symbols that no dictionary or ruleset will ever produce.
Overall, password managers address every attack detailed above and drastically improve your online security. LastPass and 1Password are both full-featured managers that are well integrated with mobile and desktop operating systems. A manager also helps against phishing, because it only fills credentials on the site they were saved for: if the extension refuses to fill your bank password on a page that looks like your bank, treat that as a warning that the domain is not what it claims to be. It does not outright prevent phishing, though, because you can still paste the password in by hand. Multi-factor authentication largely solves this by requiring users to provide more than one piece of evidence of their identity.
Traditionally, services require only one factor of authentication, typically a password. A password falls into the category of ‘something you know’, which, as detailed above, is a flawed system when used on its own. Other categories include ‘something you are’, which covers biometrics like your fingerprint and iris; ‘somewhere you are’, observing where users log in from to spot abnormalities; ‘something you do’, comparing your behaviour and actions with previous interactions to detect impersonation; and ‘something you have’, which relies on your possession of a device or object that can vouch for you, such as an ID card, a phone with a rolling one-time code, or a physical hardware security key such as a YubiKey or a Google Titan Key. Not all sites support multiple factors of authentication. To check which services do, go to twofactorauth.org. Google has produced some research on how well different types of multi-factor authentication secure accounts.
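The ‘rolling code’ on a phone is almost always TOTP (RFC 6238), and the difference between it and a hardware key comes down to what the code is bound to. The following is an added example, not code from the original article: a minimal TOTP implementation checked against the RFC’s published test vectors, a server-side verifier that tolerates one window of clock drift and refuses replays, and a function showing that a code captured by a phishing page and forwarded a few seconds later still verifies, because nothing in a six-digit code names the site it was meant for. The secret and timestamps are the RFC test values, not real accounts.

```python
"""TOTP (RFC 6238), the 'rolling code' behind authenticator apps, with a
server-side verifier and a demonstration of why a relayed code still verifies
(added example; secret and timestamps are the RFC test values)."""
import base64
import hashlib
import hmac
import time

# The RFC 4226/6238 test secret. A real service generates a random secret and
# shows it to the app as a base32 string or QR code.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Decode the secret as shown at enrolment (padding is often omitted)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side: accepts the current window and one either side (clock drift)
    and refuses any window that has already been consumed (replay)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        centre = now // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used: a captured code must not work twice
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def relayed_code_is_accepted(secret: bytes, unix_time: int, delay: int = 5) -> bool:
    """A phishing page asks the victim for the current code and forwards it to
    the real service `delay` seconds later. Nothing in the code names the site,
    so the real verifier accepts it; this is the weakness the text describes."""
    victim_code = totp(secret, unix_time)
    return TotpVerifier(secret).verify(victim_code, unix_time + delay)


if __name__ == "__main__":
    print("code now:", totp(secret_from_base32(RFC_SECRET_B32), int(time.time())))
    print("relayed code accepted:", relayed_code_is_accepted(RFC_SECRET, 59))
```

The replay check stops the same code being used twice, but it cannot stop a code being used once by the wrong party within its window, which is the relay case above. A FIDO hardware key closes that gap by signing a challenge that includes the origin the browser is actually talking to, so a signature obtained on a look-alike domain is useless on the real one.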
As that research shows, hardware security keys and mobile push notifications are by far the most effective methods for preventing account takeovers. A hardware key signs a challenge bound to the website’s real domain, so a look-alike phishing page cannot obtain anything it can replay, which is why these methods are largely immune to a remote attacker; push prompts share much of that benefit but can still be approved by mistake, so never approve a prompt you did not trigger yourself. Push notifications and hardware keys are simple and effective, but they are absent from many services’ portfolios because they are complicated to implement correctly. Other solutions store a rolling one-time code in an app like Google Authenticator or Authy; this is clunkier and, because the six-digit code is simply typed into whatever page asks for it, a phishing page can relay it to the real service within its validity window. SMS codes are good enough for most people but are vulnerable to targeted attacks such as SIM swapping and SMS network compromise.
In summary, securing ourselves online is a responsibility that we all share. Making yourself more secure can be easy if you use a password manager and, when you can’t, use a more informed strategy for creating passwords like the one detailed above. For sensitive accounts like your email and financial services, enable some form of multi-factor authentication. If you feel that you may become the victim of a targeted attack, consider consulting a personal security professional.
Identity Theft Resource Center (ITRC). (2018). 2018 End of Year Data Breach Report. San Diego, CA: ITRC. Retrieved from https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_2018-End-of-Year-Aftermath_FINAL_V2_combinedWEB.pdf
Thomas, K., & Moscicki, A. (2019). New research: How effective is basic account hygiene at preventing hijacking. Mountain View, CA: Google Security Blog.
Munroe, R. (2011). Password Strength (xkcd 936). Retrieved 2019 from https://xkcd.com/936/