How to take the pain out of passwords

Editor at Sage
Sage Developer Blog
5 min read · Sep 21, 2020

Gavin Johnson-Lynn, Senior Offensive Security Specialist, Sage

Passwords are a painful part of security on the internet. How do we fix that?

Security on the internet is constantly being improved to try to keep up with hackers. Passwords, however, are lagging. They haven’t really changed much since the internet started. If anything, the situation has got worse, because we have to remember increasingly long and complex passwords. It feels like every site we go to has different rules about what our password should look like.

This complexity leads our human brains to simplify it, which often means we either use the same password for lots of websites, or we have slight variations on a single password for each website. That seems like a reasonable way to do it. After all, who is going to find out my password?

At the time of writing, HaveIBeenPwned.com, a service that aggregates breached passwords (and helps to highlight problems with passwords), showed 572,611,621 passwords had been breached from hundreds of services across the internet.

That’s over half a billion passwords that belong to everyday people like you and me.

How does this happen? If a hacker finds a vulnerability in a website or service, then they may be able to gain access to the database that it uses to store passwords. This is classed as a breach. If the service doesn’t pay enough attention to its security, then your password and email address are in there. This happens far too often… and to high-profile businesses.

What happens then? Armed with hundreds or even millions of email addresses and passwords, the hacker assumes a lot of them will be from people using the same password for lots of services. They then try to use them to log in to lots of services. They target the common ones like social media sites and email accounts, but maybe your Sage accounts too! This is known as credential stuffing. With automated tools, they can rapidly try all of their username and password list on those sites and see which of them work. If you used the same password on several websites, then the hacker now controls your accounts and can use them to do bad things: send spam to your contacts, or find other ways to make use of them.

Is there a universal solution to an issue that impacts us all?

Let’s understand passwords a little better…

Complexity is something we get drummed into us; the password must be complex to reduce the chance of it being figured out. This helps us most if someone is trying to brute-force our password, i.e. make lots of guesses, potentially using tools to do it rapidly.

That’s important, but it doesn’t help at all with credential stuffing. If we have an incredibly complex password and we use that same password on every website, then when a hacker gets a copy of it in a breach, they can still try it on your social media accounts.

What we really want is a password that’s complex and for our login details to be unique for every service that we use. Then if a hacker gets our login details from one website, that won’t allow them to log in to another website.

This gets us right back to having lots of incredibly complex passwords that are impossible to remember.

We need something to remember those passwords for us.

Password managers are a good solution, and if you’ve never tried one, then I recommend it.

There are a variety of password managers available. Some are part of browsers and they pop up asking if you want them to remember a password for you. They might even suggest a nice complex password for you to use. They’ll store that complex password so you never need to remember it.

Other password managers come as browser extensions (LastPass, 1Password, Keeper). You have a username and password that lets you log in to the extension and that’s the only password you need to remember. They generate and keep a record of all of the complex passwords you need. You can even log in to password managers on multiple devices, so you could access them on your laptop and your mobile phone too.

When you get to a login page that you’ve got a password for, the password manager can put the password into the field for you, so you never have to type anything.

An added benefit of password managers is that they only offer to fill in your password if you’re on the correct website. Phishing emails often pretend to be from a company so you’ll click on a link. The website they take you to looks just like the real company’s website, but when you enter your username and password you’re giving them to the hackers. The password manager knows you’re not on the correct website, so won’t put your password into the field.
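The reason the manager stays silent on a lookalike page is that it keys each saved login on the exact origin of the site (scheme, host and port), never on what the page looks like. The class below is an added illustration of that rule, not code from any password manager product or from the original post; the strict origin-matching policy is a simplified assumption (real products differ in details such as subdomain handling), and the URLs are constructed for the example.

```python
"""Minimal model of password-manager autofill matching.

Saved credentials are indexed by origin. A phishing page on a lookalike
host never produces the same origin, so autofill returns nothing for it.
Added example; the matching policy here is an assumption, not a product's algorithm.
"""
from urllib.parse import urlsplit


def normalise_origin(url):
    """Reduce a URL to scheme://host[:port] so paths and query strings don't matter.

    Default ports are dropped so 'https://www.example.com:443/' equals
    'https://www.example.com'; any other explicit port is kept.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or hostless URL: {url!r}")
    host = parts.hostname.rstrip(".")  # .hostname is already lower-cased
    port = parts.port
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


class Vault:
    """Toy vault: one credential per origin (constructed for the example)."""

    def __init__(self):
        self._entries = {}  # origin -> (username, password)

    def save(self, url, username, password):
        self._entries[normalise_origin(url)] = (username, password)

    def autofill(self, current_url):
        """Return the saved credential only on an exact origin match, else None.

        An http:// page never receives a credential saved for https://, so a
        downgraded or spoofed connection gets nothing either.
        """
        try:
            origin = normalise_origin(current_url)
        except ValueError:
            return None
        return self._entries.get(origin)


if __name__ == "__main__":
    vault = Vault()
    vault.save("https://www.example.com/login?next=/home", "me", "correct horse")
    for url in ("https://www.example.com/account",
                "https://www.examp1e.com/login",
                "https://www.example.com.evil-login.test/",
                "http://www.example.com/login"):
        print(url, "->", vault.autofill(url))
```

The two phishing-style URLs in the demo share the visible brand name but are different hosts, so `normalise_origin` produces a different key and `autofill` returns `None`. That is exactly the behaviour the paragraph describes: the manager is not fooled by how the page looks, only by where the browser actually is.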

On mine, I’ve currently got 192 passwords. That does mean that I’ve got all of my passwords in one place, but I’ve got a lot more trust in my password manager than in the 192 sites that I’ve given passwords to!

In security, we don’t like to have just one thing keeping us safe (like a password manager). It’s best to have layers of defense, and that’s where multi-factor authentication, or MFA, comes in. We’re not just relying on a password to keep us safe, we’re also using a second factor. Six-digit numbers sent via text message or from a mobile application are common second factors to use. This extra layer of defense makes breaking into your accounts much harder. That six-digit number might change every thirty seconds, meaning guessing it correctly is almost impossible to do. Credential stuffing attacks can be easy for hackers and we want to make that difficult.
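The six-digit code that changes every thirty seconds is a time-based one-time password (TOTP, RFC 6238): the authenticator app and the server share a secret, and both compute an HMAC over the current 30-second time step and truncate it to six digits. The code below is an added example using only the Python standard library, not code from the original post or from any authenticator product; the only secret in it is the published RFC 6238 test-vector secret, so the expected codes can be checked against the RFC.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.

Shows why a stolen password alone no longer logs an attacker in: the
second factor is derived from a secret the breached database never held,
and it changes every `step` seconds.
Added example; RFC6238_SECRET is the RFC's published test secret, not a real one.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, digestmod).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238: the counter is simply the number of `step`-second intervals elapsed."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time=None, step=30, digits=6, drift=1):
    """Server-side check.

    Accepts the current step plus `drift` steps either side to tolerate small
    clock skew, and compares in constant time so the comparison itself does not
    leak how many digits matched.
    """
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    for c in range(counter - drift, counter + drift + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


# RFC 6238 Appendix B test secret for SHA-1 (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    # RFC 6238 lists 94287082 for T=59 with 8 digits; the 6-digit form is 287082.
    print("T=59  ->", totp(RFC6238_SECRET, 59))
    print("now   ->", totp(RFC6238_SECRET))
    print("valid ->", verify_totp(RFC6238_SECRET, totp(RFC6238_SECRET)))
```

Two details worth noticing from a defender's point of view: the accepted window (`drift`) is a deliberate trade-off between tolerating phone clock skew and shrinking the number of codes that are valid at any instant, and the server must additionally rate-limit and never accept the same code twice within its window, otherwise the one-in-a-million guess the paragraph mentions becomes a numbers game.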

Use password managers and MFA where available and your accounts will be much safer!

Using a password manager or MFA isn’t perfect, but it negates the need to let our human brain figure out this complex problem — and means you aren’t one of the millions of people putting themselves at risk with easy-to-guess or duplicate passwords.
