How Secure Is Your Password? A Friendly Advice from a Company That Breaks Passwords

February 1st, 2015 by Vladimir Katalov
Category: «Did you know that...?», «Passwords & Human Factor», «Tips & Tricks»

A Practical Guide for the Rest of Us

How many passwords does an average Joe or Jane has to remember? Obviously, it’s not just one or two. Security requirements vary among online services, accounts and applications, allowing (or disallowing) certain passwords. Seven years ago, Microsoft determined in a study that an average user  had 6.5 Web passwords, each of which is shared across about four different websites. They’ve also determined that, back then, each user had about 25 accounts that required passwords, and typed an average of 8 passwords per day.

If i got a penny every time i forgot my pwd, I'd be a millionaire

It didn’t change much in 2012. Another study determined that an average person has 26 online accounts, but uses only five passwords to keep them secure, typing about 10 passwords per day. CSID has a decent report on password usage among American consumers, discovering that as many as 54% consumers have five or less passwords, while another 28% reported using 6 to 10 passwords. Only 18% had more than 10 passwords. 61% of all questioned happily reuse their passwords over and over.

This obviously indicates a huge risk, making all these people susceptible to attacks on their passwords. Why do we have this situation, and what should one do to keep one’s life secure against hacker attacks? Let’s try to find out.

Passwords: Plagued with Problems

Passwords are the most common way of securing the many aspects of our lives. However, password-based protection is plagued with problems. Let’s have a look at why passwords are less than perfect when it comes to security.

Too Many Passwords: Too Much for Our Brain

With an average user having about 26 different accounts, how many of us are likely to remember 26 unique, long and cryptographically strong passwords? According to multiple studies, an average Joe or Jane can reliably memorize 5 or 6 significantly different passwords. With an average of 26 different accounts to use them on, some passwords will inevitably end up getting reused in their original or very slightly modified form.

A typical solution? Most of us will reuse the same password over and over. This practice is well known and advised  against, although it’s too tempting and too convenient for many to be used again and again. Apparently, security advisors have failed miserably trying to talk people into using the 26 different strong passwords, so can we possibly improve this situation without placing much strain onto one’s memory?

The issue is well known and covered in hundreds of articles including ElcomSoft’s own publication. However, they rarely go far beyond recommending a strategy for hitting the balance of password strength and memorability, teaching users on how to choose their passwords, what bits of information to include and what bits of their personal data to never use.

Best Practice: It’s difficult to recommend how many passwords exactly one should maintain. However, it’s best to ensure that you have unique passwords at least for the following: your main email and/or mobile account (Google, Microsoft or Apple); system login (non-Windows) and/or Windows login password (if not authenticating via Microsoft Account); popular social networks (Facebook, Twitter). Realistically, memorizing more passwords than that would be difficult. To secure yourself, use a password manager and/or single sign-on where possible.

Stuck Passwords

Let’s face it: most of us are inherently lazy. Even facing a real risk of a cyber-attack, we won’t bother changing our old-and-proven password until it’s too late. In a study, ElcomSoft determined that while most of its customers want stricter security policies, they won’t bother changing their default passwords unless the change is enforced. Only about 25% of all respondents indicated they change their passwords regularly. The rest will either change their passwords infrequently (24%), sporadically or almost never.

What does this mean in reality? The chance that your password leaks is pretty small. However, even a pretty small chance of a leak multiplicities as the time passes. As a result, even the most secure password, if used for many years without a change, becomes inherently less secure. Why does that happen?

Pwds are my world

Let me ask you a question. Have you heard about hacks occurring to even the largest companies? The recent SONY hack, for example, or the many cases where user account credentials were stolen? AOL, Apple, Battle.NET, Dropbox, eBay, Microsoft, Yahoo, and many other companies were hacked in the past with hundreds of thousands accounts leaked. There is no guarantee whatsoever they won’t be hacked again in the future. While some hacks go public, most of them don’t get any public attention. Your password may have leaked months or years ago from a place you’d never think could be hacked.

So, your password could be phished from you, hacked or stolen from a third party without you even knowing. However, if such a thing happens, hackers most probably won’t make use of your password immediately. They have gigabytes of data to process, and they have hundreds of thousands accounts at their disposal. They may reach your account in a month, or in a year. In all such cases, simply changing your password helps a lot. If you were a victim of a mass phishing attack, or if your email provider was hacked, hackers generally take time to go through all the data they’ve stolen. If you have a habit of changing your regularly, you are greatly increasing the chance that the stolen password is no longer valid by the time the hackers get to your account information.

Of course, maintaining dozens unique passwords, changing them regularly and memorizing the changes is a hard job. Seriously. This is why most users won’t even bother changing their password, and this is why changing your password per se is not the best method of delivering security. Most online service providers know that. While they do recommend changing your password regularly, they’ll usually not enforce it, and will provide  alternative means of delivering security.

Best Practice: Regularly changing passwords is a good habit, but don’t lose your sleep over it. Organizations should enforce periodic password changes via security policies. For most personal users, a habit of regular password changes is wishful thinking. Other methods (such as two-factor authentication) exist, allowing to compensate for lack of regular password changes.

Use a Password Manager

In reality, the practical solution is fairly obvious: one can simply use a password manager. Just googling for “password manager” or firing up a search in any of the big three mobile stores will return hundreds of different password managers. Obviously, memorizing one long and complex password is easier than trying to memorize 26 of them. So the password manager will keep the many different passwords encrypted with a single master password.

Tp break pwds you must first master them

Can you smell a problem? It’s the very concept of a single master password. Lose your master password, and you’ll lose all of your other passwords immediately. Leaked master password will also instantly expose all of your other passwords. Finally, the password manager itself may be more or less secure, and one has no real way to verify the developers’ claims. By analyzing some 17 mobile password management apps, ElcomSoft concluded that most of them were inherently insecure. In fact, the majority of third-party password management apps could be hacked “just for fun” in a matter of hours, not days, exposing your highly sensitive data to the attacker. Of course, there are better solutions on the market, so one has to be careful while choosing a password management system.

Best Practice: On a balance, using a password manager adds more convenience than security. If you maintain unique passwords for all major services, choose a secure password manager (e.g. RoboForm, but many other options exist) and protect your stored credentials with a strong, secure and regularly changed master password, you may gain more convenience than you lose security. Generally, password managers are not allowed by most corporate security policies.

Make a Common System

In order to make your passwords unique yet easy to memorize, you can make a certain system when creating a new password. The use of a common system allows to easily re-create the password when you are asked for it. As an example, I can easily memorize passwords such as “WebEbayPq$557”, where “Web” would indicate it’s a password for a Web site, “Ebay” would note which Web site it is, and “Pq$557” would be common across resources. While extremely simplistic, this scheme still offers greater security compared to re-using a single password across all resources.

Can you spot a problem with my system? If someone steals not one but two passwords of mine, they’ll figure out my system easily. If you use a different (and more complex) system, they may need more passwords to figure out your system, too.

Wise men think alike and choose pwd1

There are other downsides to this approach. If you use a very complex system, you may get lost in it, forgetting not one but ALL of your passwords at once. This can easily happen, for example, after an extended vacation. These systems are easy to invent but can be difficult to memorize and to follow, and are too easy to forget.

Best Practice: Let’s be straightforward: using a common system weakens password security. However, a reasonably complex system may serve you better than reusing a single password. Make sure your system is complex enough so a 5-year-old can’t guess your other passwords by looking at one or two of your passwords. If you follow these simple rules, and if you are not using a password manager, a common system may serve you well (at least until three or more passwords have leaked).

Using Complex Passwords

Now, here, you’ve got it: I use a number of unique, long and complex passwords on all the different Web sites! Are you happy?

Well, not really. If you are using passwords that are too complex, they will be difficult to memorize but all too easy to forget (see Ch. 1 of this paper). The use of long and complex passwords creates a false sense of security. Granted, they can’t be broken easily with brute force or a dictionary attack. However, there are plenty of other risks you should never forget about.

Finally, if you are like most of us, sooner or later you’ll saturate your brain and will need an external aid to memorize your passwords. Be it a piece of paper, a sticky note or an encrypted file, message or document, you’ll be delegating all your secure passwords to a less secure medium. If this is the case, it’s better to use a password manager after all.

Best Practice: We won’t insist on using long, random-character passwords. You can make up a great password by following one of the many guides available on the Internet. Choose a password that you’ll have no problem memorizing while others will have a problem guessing (or breaking). Be aware of dictionary attacks, and don’t use things the attacker may know or may get to know about you (names of your family members or pets, dates of birth etc.)

Using Biometric Identification

There is an option to use biometric identification (such as a fingerprint reader) instead of a password. We won’t be covering the use of fingerprint readers on mobile devices; however, there are strong security implications if you use a fingerprint reader with your Windows PC to speed up Windows logins and/or to manage other passwords with your fingerprint.

The thing with Windows-based fingerprint readers is they have to store the original Windows or Web site password in order to log you in. If the fingerprint reader has a flaw in its security implementation (such as the vastly popular UPEK readers), the attacker will be able to retrieve all your passwords without a sweat.

Best Practice: Sometimes, biometric identification is just too convenient. Using a fingerprint scanner in correspondingly equipped Apple devices, for example, is both convenient and secure. However, some fingerprint scanners (e.g. UPEK, most USB scanners attached to personal computers etc.) are too much of a compromise, offering some convenience in exchange for a total lack of security. If the choice is up to you, do not accept this type of a compromise. Note that this advice only covers consumer fingerprint scanners. Security systems installed in commercial environments may differ significantly in costs, performance and the level of security they provide.

Why a Strong Password Is Not Enough

Imagine you have a very strong, unique and secure password protecting one of your accounts. Can you assume you’re secure? Unfortunately, the answer is a firm NO.

Strong pwds make the man angry

Starting The Chain Reaction: The Weakest Link Attacked First

When someone wants to break in, they’ll always identify and attack the weakest link. It is common to attack one’s principal email account, discover all accounts linked to that email address, reset passwords in those accounts, and use them to access other (linked) accounts. As an example, breaking into someone’s Hotmail account would enable the attacker to reset that person’s Facebook passwords. By logging in to their Facebook account, the attacker will gain access to all Web sites and resources authorized with a Facebook login. As a result, even if you have secure passwords all around, they won’t do much protecting you if there is a weak link in the chain.

This sequence of attacks is often referred as a chain reaction. You can read an example of how this worked in real life: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/

Best Practice: Preventing the chain reaction can be difficult. This attack works regardless of how long and secure your passwords are. However, if you enable a reasonably secure two-factor authentication scheme for all accounts supporting it, the hacker may be unable to reset your passwords or even log in with a known password. When configuring two-factor authentication, make sure you don’t assign your email account as a secondary authentication factor. If you do, the hacker may be able to receive the authentication email and use it to reset your password.

Can Your Trust The System?

Let’s say you’ve chosen a very strong, long and secure password. Are you sure that the system you’re securing with that password has comparable level of protection all around? Apparently, you can’t assume anything like that as you can see from this story: Schwab password policies and two factor authentication: a comedy of errors.

In this story, the customer describes his experience with security policies of one Schwab Corporation.  For a moment here, Schwab is an international investment and banking corporation serving more than 8 million customers with $1.65 trillion in assets (as of September 2011), and has over 300 offices in the U.S. alone.

According to the article, this company is still in 1980’s when it comes to security. First, they don’t hash your password; instead, they keep it in a database. But, for “legacy” reasons, the database limits the password to the first 8 symbols (no special characters allowed). Their implementation of two-factor authentication is a bad joke, and the company does not seem to be interested in stronger security.

All good things come to those who brute-force

Now, do you still trust ALL of the Web sites you deal with to maintain security across all levels? Even if the company you deal with does indeed hash your password instead of storing its plain-text version, it can still be tempted to “improve” the industry standard and use, for example, a homegrown hashing/encryption algorithm, or pick up a flawed implementation of a good one (e.g. using a weak generator of random numbers), or simply fail to implement the entire system correctly. With many US banks using your SSN as a login until very recently, I would not be surprised to see anything like that, or worse.

Best Practice: It is easy to advise for due diligence; however, knowing for sure that your service provider has a joke of security doesn’t help much if you must use it anyway. One thing you can do about it is assigning the “weak link” status to that particular provider and ensuring that even if it gets hacked none of your other accounts will be affected. If you are using a service provider with dubious security, make sure to have a unique password specific to that provider, and make sure that this password is in no way similar to your other passwords. If two-factor authentication is available, go ahead and activate it (and make sure it’s actually working).

Your Password May Not Be The Weakest Link

As you can see, your password may very well not be the weakest link after all. Sometimes, the attacker can simply reset the password without breaking one. This, for example, works with Windows account logins; ElcomSoft has a tool for doing just that: Elcomsoft System Recovery. Similarly, many passwords (e.g. those restricting Microsoft Word or Adobe PDF from being printed or saved, but allowing them to open without a password) can be simply removed or reset to lift the restriction. Finally, if you are under a “chain reaction” type of attack, security of every password after the first one has very little significance.

Attacking the Key

Do you remember the times where 40-bit, and then 56-bit encryption were de-facto standard? Well, 40-bit encryption can be brute forced in no time, while 56-bit encryption can be attacked via Rainbow Tables or Thunder Tables for near instant recovery. If this is the case, the attack will not be dealing with your password at all, but will be targeted at the underlying layer of security: the value of the hash file. In certain algorithms, or if the length of the password hash is too small, there could be other (different) passwords that would unlock access to your account without matching your original password. This is called “password collision”.

Best Practice: It’s fairly obvious: if given a choice, don’t use weak protection methods. Avoid 40-bit and 56-bit encryption options. If there are no other choices available, assign that service or document the “weak link” status and ensure that breaking in will not affect your other accounts. In other words, make sure to use a truly unique password which, if broken, will not fit to other documents or accounts of yours having a stronger level of protection. Needless to say, don’t keep anything you want to secure under weak protection, as it gives a false sense of security without delivering a reasonable level of protection.

False Assumptions

When choosing a long, cryptographically strong password it’s easy to get an assumption your password will be used to encrypt the actual data. It’s plain wrong. In most systems, the password is only used to protect against unauthorized logins. And even if (and that’s a big “if”) the system does encrypt data, there is no assurance that it encrypts everything.

My pwd is longer than yours

Just one example. Apple has a really great, tight and well thought of security system in iOS 8. If you set a passcode, pretty much everything on your phone will be securely encrypted. Apple goes as far as claiming even them cannot decrypt anything from the device if it’s protected with a passcode. In reality, some data is NOT encrypted with a passcode even in iOS 8. This is done on purpose in order to enable some applications work under lock screen. For example, this includes call history (but not the address book! The address book is encrypted), system logs, SMS/text message database, and a few bits and pieces throughout the system. Remember, we’re now talking about one of the best security systems around. Most other systems are less good or not good at all when it comes to encryption. As a result, how easy or how difficult it will be to recover some (or all) of your data may have nothing to do with the length of your password.

Best Practice: Don’t assume. Unless you have reasonable grounds to trust the system (and remember, most major companies had been hacked in the past), take measures to ensure that hacking a single account won’t affect your other accounts.

Lack of Physical Security

With so many different passwords, one can hardly memorize half of them. The infamous yellow stickers with passwords written on them were – and still are – popular across organizations. Needless to say, these yellow stickers are a clear invitation for anyone interested.

Even if you have a very secure password, typing it every time you’re about to use your computer, application, document or Web site can be tiresome. As a result, many resources (including Apple iCloud) will cache your authorized sessions by storing a token on your computer. If someone gains access to your computer, they could extract authorization tokens and gain access to all your information without having to know your password. This comes from a company who developed a tool (Elcomsoft Phone Breaker) doing exactly that to Apple iCloud.

This sticker hides my pwd

Finally, you may have a long password securing your computer, and store all your files on encrypted volumes. However, if you leave your PC unattended without locking it first, it’s very easy to bypass all security by simply dumping the content of your computer’s memory. After that, the attacker can gain access to all information stored in your encrypted containers without knowing the password. This again comes from a company who did it – this time with Elcomsoft Forensic Disk Decryptor.

Best Practice: Even if you are utilizing NTFS encryption or are using encrypted containers, the protection will ONLY activate once you lock your computer. If you care about security, or if you’re working at an office, make it a habit to lock your PC even if you leave your workplace unattended for just a minute. In Windows, locking the PC is as easy as using the Win+L combination. Make it a habit of logging out explicitly every time you’re done. If you write down your passwords or recovery keys, make sure to treat those pieces of paper as you treat cash or your travel documents.

It’s “Something you know”

Password-based security is based on something you know and the others don’t. Invent a password, choose a secret passphrase, create a passcode or set a PIN, and you’ll lock the others out of your account because they don’t know your secret word, number or phrase.

But what if they do know? Passwords are used for securing things for a long time, and a number of methods were invented to let others know your secret.

Passwords can be guessed. The guessing process can be automated with powerful software running on fast computers, allowing an attacker to try millions combinations per second. Passwords can be broken with brute force (by trying all possible combinations; for example, a 4-digit PIN has only 10,000 possible combinations) or recovered via a dictionary attack. There are so many different types of attacks we won’t even mention them here.

Passwords can be hijacked. A plethora of software and hardware keyloggers, countless Trojans, spyware and viruses are after your password.

You can be tricked to give your password away. Countless spam messages, fake Web sites or hacked login pages are out in the wild to make you believe you’re providing your password to a legitimate entity – while in fact you’re not.

There are countless other methods the others can get to know something they were never intended to. Is the whole password idea compromised, and are there alternatives? Let’s have a look.

Best Practice: Familiarize yourself with what phishing is and how it works. Phishing emails may appear indistinguishable of messages sent to you by your bank. If you are asked to log in to your account, don’t click a link from an email message; you may be taken to a phishing site. Instead, always visit the Web site in question directly by typing its address in the Web browser. When prompted for a password, ALWAYS check the URL in your Web browser. If it does not look genuine, just leave.

“Something you are” vs. “Something you know”

We already mentioned biometric identification as an alternative to passwords. Unfortunately, biometric identification technology is not ‘snake oil’, and it’s plagued by problems of its own.

Unlike passwords, biometric identification is never 100% definite. False positives and false negatives, however few there could be in recent implementations, are still there. With some readers, fingerprints can be faked with a print. Finally, many readers are simply not secure at all (see our article on UPEK readers), providing less security than even the simplest password. As a result, biometric identification is great as a secondary authentication factor, but maybe not-so-great if used as a replacement for a password.

“Something you know” vs. “Something you have”

As we figured, biometric authentication is always a guess, has a possibility of false positive and false negative detections, and can be easily faked with certain devices. How about replacing the human factor with something you have?

Your pwd is not long enough

Physical Authentication

In fact, physical authentication is nothing new. SIM cards are used for authentication in most network-connected mobile devices. Credit cards have chips and PIN’s, and many European banks used to provide their customers with physical dongles to facilitate logins.

While physical authentication can be more secure compared to a single password, these are not without their share of problems. Authentication dongles can be easily lost (and you’ll be locked out of all accounts depending on that dongle). Some physical authentication chips can be replicated or faked, meaning even less security compared to a long password.

Best Practice: The choice of using physical keys or fobs is rarely yours. If you are given a fob, a chip card or an electronic key, treat it like you treat keys from your home. If you are considering replacing password-based logins with a single physical key, think again.

Keys and Tokens

Some applications require the use of binary tokens or cryptographic keys instead of (or in addition to) passwords. These keys are usually long, cryptographically long chunks of data. Unlike physical tokens, cryptographic keys can be stored in binary files or as a string of text characters that can be copied and pasted into an authentication window. A key may be additionally protected with a password for even greater security. It’s usually impossible to brute-force, re-create or otherwise recover a key. As a result, compared to passwords, keys provide really secure authentication.

The risks of using the keys are similar to those of using physical authentication tokens. If stored on your computer, the keys can be stolen just like any other piece of information. If stored on an external media, the keys can be lost or stolen together with that media. And if you lose your keys, you may be locked out of your information (or account) forever.

One famous example of keys used for authentication purpose is Apple Recovery Key. This key serves as the ultimate unlock for your Apple account if you are locked out of your Apple ID. If you lose your Recovery Key, you will be unable to access your Apple account if something bad happens and you are locked out. “The dark side of Apple’s two-factor authentication” by Owen Williams describes what can happen if you lose your Recovery Key.

Best Practice: Those keys and tokens can deliver higher security than passwords. Your major challenges will include securing the actual key or token as well as ensuring you’ll have access to one when you need it. Be aware that keys/tokens are generally less portable compared to passwords. As a result, you may not have a key at your disposal precisely when you need it most. There is also another consideration. If a key/token is stolen or compromised, it may expose your data to the intruder while bypassing all additional layers of security (particularly, Apple’s two-factor authentication is bypassed if a Recovery Key is used as the Key itself is considered to be the second authentication factor). So once again: treat your keys securely; if they are stored on a physical media, make sure that media is both secure and accessible.

Improving Password-Based Security

As we could see, passwords alone may not provide an adequate level of protection, while other authentication methods have their own share of problems. Can we do something to make password-based authentication more secure? In fact, we can do a lot.

Two-Factor Authentication

Two-factor authentication is all over the place. It’s touted as a must-have by many popular online services, banks and financial organizations. While not being a panacea, two-factor authentication has potential to greatly improve security, especially resistance against brute-force attacks.

Two-factor authentication is a response to the increasingly strong pressure for extra security. If implemented correctly, two-factor authentication can effectively ban attackers who a) are trying to guess the password, and b) don’t have access to the second authentication factor.

Two-factor authentication was – and still is! – absolutely mandatory for securing transactions such as online payments and money transfers in many European banks. In the early days of two-factor authentication, banks used to issue their customers lists of single-use Transaction Authorization Numbers (TANs) printed on a sheet of paper. These numbers would have to be used in random order to authorize transactions. Today, most banks moved away from paper lists to sending text messages to an authorized mobile number or using dongles for interactive authorization. Finally, some banks provide downloadable software that can be installed on the customer’s mobile phone, authorized with the bank and then used to confirm transactions. (These can be de-authorized if the phone gets lost or stolen). The system seems to be working well so far, with no major flaws or break-ins.

The idea behind two-factor authentication is right, but implementations may vary. The article “Schwab password policies and two factor authentication: a comedy of errors”, for example, describes how two-factor authentication can be slapped on top of a poor security system to turn the whole thing a joke. Please note that some secondary authentication factors such as additional questions (“What’s your mother’s maiden name?” or “What city were you born?”) add very little security, while some other factors may actually add too mush security, often enough to lock you out completely should an unexpected event happen.

Yes, there is the dark side of two-factor authentication. As an example, see “The dark side of Apple’s two-factor authentication” by Owen Williams who nearly lost access to his Apple account after someone locking him out trying to guess his password. “What’s perplexing is it wasn’t even technically my fault. Someone tried to guess their way into my account and it was locked as a result; I didn’t do anything wrong, yet I was entirely locked out because I couldn’t find the key.”

All things considered, we strongly believe that carefully considered and properly implemented two-factor authentication can be the best approach to secure your accounts without adding too much inconvenience.

I like food spicy and hashes salty

Best Practice: Two-factor authentication is one of the best things that happened to security. However little control you may have over a particular implementation of two-factor authentication, you may still be given the choice of various authentication options. Generally, a trusted device (for online banking sessions, Apple account operations, new device activations) or a text message delivered to your mobile (online banking and credit card payment authorizations) offer the most convenience while effectively detracting hackers. However, even the simplest form of two-factor authentication (such as a paper-based list of codes) or an email sent to an alternative address can effectively prevent many hacking attempts.

Single Sign-On

Single sign-on was developed just a few years ago. This technology allows users authenticate themselves on a new resource via a third-party login service. For example, you can open a Feedley, Pocket, Instapaper or Disqus account by logging in with your Facebook, Google+ or Windows Live credentials without having to create (and memorize) a new password. When you change your Facebook (Google+, Windows Live etc.) password, you will automatically use your updated credentials to access all linked services.

While this idea is great, adding a lot of convenience and reducing the risk of being locked out after losing your password, single sign-on makes you even more susceptible to the “chain reaction” types of attacks. If someone breaks into your Google+, Facebook, Windows Live account, they will automatically gain access to all other accounts linked to your main account via single sign-on.

A possible – and recommended – solution is taking all possible steps to secure your main accounts. Create a really strong, secure and unique password for each of your major accounts. Enable two-factor authentication in each of those accounts, carefully considering your secondary authentication options. If you secure your main accounts, single sign-on links will remain just as secure as your main account is.

Best Practice: While single sign-on has its share of risks, in our opinion the added convenience as well as the ability to secure your login with one of the proven authentication providers may be worth the tradeoff. Keep in mind that, if using single sign-on, your other accounts become just as vulnerable as your main authentication provider. Take steps to seriously secure all the major accounts (Google, Facebook, Microsoft and Apple accounts at very least) with strong, unique passwords and two-factor authentication.

Securing Access to Online Services and Resources

While we covered password-based security in general, let’s talk a little about a specific aspect: access to online services and resources. While everything we said in previous chapters applies equally to online resources, there can be additional issues to consider when using a remote service.

Out Of Your Control

The main issue with online resources is that their security is completely beyond your control. There is no way you can audit their security; you just have to take their word on it. You don’t know if their servers are physically secure. You don’t know whether they hash or encrypt your passwords.

I know your pwd

Remote service providers are using software provided by dozens or hundreds third-party vendors. You don’t know which brands and versions of security software they are using (for example, you can’t control whether their SSL software is susceptible to the recently discovered SSL Heartbleed bug). Online service providers may or may not have protection against brute force, and may or may not be susceptible to simple social engineering (“Hey, I lost my password! Can you help me reset it over the phone?”).

Best Practice: It’s a scary world outside. Really, you cannot do much more to secure your online accounts other than following best practices we described earlier.

Inherent Issues

Regardless of how good your online service provider is, all of them are susceptible to certain types of attacks.

Reverse Brute Force Attack

A very common attack works around brute-force protection set by most service providers. Brute-force protection is typically configured to prevent multiple login attempts where the intruder tries different passwords for a certain account. After a certain number of unsuccessful login attempts, the account being attacked gets locked, or each subsequent login attempt is deliberately delayed for a certain number of seconds or minutes.

The workaround is simple. Instead of targeting a single account, the intruder uses the list of common passwords, trying to log in under different accounts while using the same password. As only a single login attempt is made for each account, brute-force protection is not triggered.

Best Practice: A reasonably complex, unique password greatly reduces the chance of success for this type of attacks. Using two-factor authentication reduces it to close to zero. You can view the list of 25 most commonly used passwords from here, or download the list of 10,000 common passwords from here. Make sure to avoid them because, according to the second source, about 30% of all respondents do indeed have a password from the top 10,000 list (which means that every third account out there can be eventually hacked).

Locking Your Account

If you followed the previous chapter, you may have spotted one thing. An online service provider may lock an account after a certain number of unsuccessful login attempts. This means that anyone knowing just your login name (account ID, username or email address) can lock your account by supplying random passwords several times. This is exactly what happened to Owen Williams when someone locked him out of his Apple account. You can access the full article here: “The dark side of Apple’s two-factor authentication”.

Best Practice: Be aware that you may get locked out of your account. Ensure you have everything needed to reinstate access. In the case of Apple, that would be your Recovery Key. Make sure you have it handy yet stored securely. For other accounts, make sure you know what to do if you cannot login. If your online service provider resets passwords via an email account, make sure your email address is up to date with all your accounts. When reinstating access, you may be asked for your personal information such as your date of birth. If you haven’t supplied that when opening the account, or simply used “1.1.1970”, you may get in trouble. While there should be a balance between how much information about yourself you are prepared to give up, consider whether you are comfortable with each service’s privacy policies. If it’s asking for too much information for no apparent reason and you do not feel comfortable about it, you may want to reconsider the use of such a service.

Resetting Your Password

This issue is linked closely to the previous chapter. Do you know the process of resetting lost passwords? Does your online service provider as personal questions (the answers to which can be guessed or obtained from other sources), or does it send a new password to your registered email account (which could be hacked)?

Best Practice: Familiarize yourself with the password recovery procedure of your main service providers. If they ask for security questions and you have the choice of which questions these are, use something less obvious than your mother’s maiden name. If they are using your email address to send a new password, take steps to secure your email account (e.g. with two-step authentication) and make sure your email address is up to date.

Your pwd was weak so I changed it

Backdoors

Most online service providers have backdoors available to their employees and/or government authorities. These can serve a good purpose when helping legitimate users access their data if, for example, they lost their password and were surprised to learn they no longer have the email address they’ve used to open an account. However, these backdoors are huge security compromises, and they can be exploited by intruders via e.g. social engineering. Read how ElcomSoft discovered a backdoor in Quicken and exploited it for instant password recovery.

Best Practice: Backdoors are a fact of life. There is nothing you can do about them. However, if the service allows setting one or more security verification questions, it’s advisable to do so.

A Word on Password Policies

There are several millions companies, many having their very own security policies. These security policies may have more or less adequate password requirements. Typically, these policies are out of your control; you can only familiarize yourself with any policies that apply to you, and understand their corresponding security implications.

Below we’ll list some of the most common mistakes made in security policies.

  • Too strict password requirements. The password must be no less than N characters long; must not contain your login name or any common words; must have at least X small characters, Y capitals, Z numbers and F special characters… and so on, and so forth. Such policies are in fact counter-productive, forcing employees to write down passwords on yellow stickers or other insecure or poorly secured physical media.
  • Same as p.1 combined with the requirement to change passwords regularly. This requirement is absurd in most organizations except for military, intelligence and a few other areas. If enforced in an ordinary office, such requirements usually ends up in one of the two scenarios. Most users will simply increment the last digit of their old password. The rest will use a new yellow sticker.
  • Same as p.2, but the new password is automatically assigned (generated) periodically. At this time it comes to the point where I would use a yellow sticker myself.
  • Same as p.2, but the new password must not match any passwords used in the past. This requirement in fact reduces security because old passwords (or their hash values) must be kept somewhere, and it is not a given they’re stored securely.

Regardless of how secure a password policy is, it won’t protect against social engineering (see Kevin Mitnick).

Conclusion

Passwords are still remaining the most common authentication method. Passwords hit the right balance between convenience and security, delivering reasonable security if the user follows certain rules.

As a rule, if you care about your security at all, you must at very least get accustomed to basic security rules, do’s and don’ts. Without understanding the basics, one can become an easy target and a victim of a hacker attack.

Hacker attacks aren’t myths. Break-ins and intrusions occur on daily basis. Only major hacks make their way to newspapers. Remember, many major companies had been hacked in the past, with SONY being the latest example..

Absolute security is not practically possible even if you become extremely paranoid and observe all the rules. This is especially so if you become a target of a dedicated attack. Don’t lose your sleep over it.

Oops, pacman ate your pwd

Addendum

We gave detailed practical advice on securing your information in “Best Practice” notes throughout the text. In conclusion, we’d like to re-iterate some of the basic principles of securing your digital identity.

  • Ensure physical security of your computer, smartphone, or yellow stickers. Lock your computer when you leave. Log out of online sessions after you’re done with them.
  • Classify information and online accounts. Apply strongest security to most important stuff. Secure your main accounts (Google, Apple, Microsoft, Facebook, major email address) with strong password and two-factor authentication.
  • Have a disaster recovery plan. Familiarize yourself with your actions in case you are hacked (your data leaks) or locked out of an important account (you can’t access what’s yours).
  • Maintain fresh backups to at least two different locations. Cloud backups such as Dropbox, iCloud, Google Drive or OneDrive count as one. If backing up to portable media, ensure its physical security (see p.1) and encrypt your data (set backup password or use a crypto container).
  • Do your due diligence. Don’t fall into common phishing or social engineering traps.
  • Don’t take vendors word for a given. Always assume everything can be hacked.
  • Be alert, but don’t lose your sleep over it.

KeepCalm