Worthless Security Practices

December 1st, 2021 by Oleg Afonin
Category: «General»

Many security practices still widely accepted today are things of the past. Many of them made sense at the time of short passwords and unrestricted access to workplaces, while some were learned from TV shows with “Russian hackers” breaking Pentagon. In this article we’ll sort it out.

Change your password. Do it on a monthly basis.

The necessity of changing one’s password to keep accounts secure is an ancient myth. The requirement to change passwords periodically is counterproductive. According to a recent study, Most People Have 70-80 Passwords. Changing this number of passwords monthly would quickly turn things into a mess, while changing only one or two passwords (and keeping the rest unchanged) would make zero sense. We can observe the practical result of such policies in sequential or very similar passwords that are humanly possible to remember. Password2019, Password2020, Password2021 are just examples, but they are close to what we’ve seen.

What if your system administrator sets a strong, random password instead of letting you pick your own one? Such passwords are the first candidates for the infamous yellow sticker, which brings us to the next myth.

Don’t write it down!

The “yellow sticker” has become a synonym for unsafe passwords that are insecurely stored alongside with protected device or media or are directly exposed to everyone.

Don’t keep your passwords in a place where they can be seen by someone who is not supposed to see them. Don’t store your passwords alongside with protected devices or media.

However, there’s nothing inherently wrong in writing your password down on a piece of paper provided that you store that piece of paper in a safe place. The definition of a ‘safe place’ varies. In your office, that might be the safe or even a locker. At home, it could be a simple drawer. The point is, a random passer by should not be able to see or easily access the password. In any case, do not attach that piece of paper to the device or media you are protecting.

Paper-based security might be fine for your purpose, but password managers could be a better solution.

Let’s use a password manager!

While there is nothing wrong in using a password manager per se, do your due diligence first. As an example, common Web browsers such as Google Chrome or Microsoft Edge have an option to store and synchronize your passwords through their respective cloud services. However, the passwords are not additionally encrypted, and anyone with access to your unlocked Windows PC can view your passwords in a few clicks with a simple app. In addition, anyone who knows your login and password (and can pass two-factor authentication if you’re using that) can retrieve your passwords from the cloud.

This is not exactly the case with other types of passwords. For example, the popular open-source password manager BitWarden has an option to automatically lock your password vault after a certain inactivity period, after which an attacker will need to enter your master password to decrypt the vault.

Password managers are a great option to store a number of strong, unique passwords no sane person would ever remember. Just do your due dilligense when choosing, and set a strong and unique master password if one is supported.

My data is secure because it’s encrypted with AES-256

Nope! AES-256 is a great encryption algorithm to protect data at rest. However, the cipher itself is only a part of the equation. Consider the cipher being the gate. As secure as the gate is, there are also the lock, and the key, and the fence. No one in their sane mind will ever attack the 256-bit encryption key. An attacker will try to pick the lock (by attempting to guess your password), or steal the key (by obtaining your password from wherever it’s stored), or jump over the fence (by extracting the key from your computer’s RAM), or… There are many effective attacks out there, but not a single one targeting the encryption algorithm itself.

A good example of strong encryption done wrong is covered in Synology NAS Encryption: Forensic Analysis of Synology NAS Devices. Should the user decide to automatically unlock encrypted volumes on boot, the system stores the encryption key alongside with the encrypted data, protecting the key with a fixed, known default passphrase “$1$5YN01o9y”. There are numerous other issues with this implementation such as the inability to change or passwords or revoke compromised keys, making this AES-256 based encryption significantly less secure than one might think.

Let’s not use AES-256 then! We need custom encryption

Not again… AES-256 is perfectly fine as an encryption algorithm. In Breaking VeraCrypt containers we tested the strength of the different encryption algorithms, and discovered that there is literally no difference in attacking AES-encrypted and Serpent-encrypted VeraCrypt containers. Granted, there are some 15 encryption options the user can choose from. The thing is, the choice of an encryption algorithm has almost no effect on the speed of the password recovery attack. The attack is affected by the choice of a hash function and the number of hash iterations, which most users have no idea about. The choice of any encryption option other than AES slows down the read/write speed of the encrypted container, but hardly affects its security.

There is no need to substitute AES with a different encryption algorithm to secure your data. You can read more about it in It’s Hashed, Not Encrypted.

Standard solutions are easy to break. Let’s make our own!

It’s a very sad situation for everyone involved when your IT security specialist wants to make everything from scratch. A recent example is covered in Tally ERP 9 Vault: How to Not Implement Password Protection. The developers decided that AES encryption and standard PBKDF were not secure enough to protect the data in their accounting product, and invented their own hash and encryption functions. The result was a total disaster. I invite you to read the article linked above to realize that “custom” solutions can become your worst enemy.

SMS is insecure, so I’ll skip two-factor authentication

Any two-factor authentication is better than no two-factor authentication. Granted, there are multiple ongoing issues with cellular networks such as described in Easy SMS Hijacking – Schneier on Security. The error here is in causation. The SMS is a poor choice of two-factor authentication. However, any 2FA is better and infinitely more secure than no 2FA. If you have an option to use a different 2FA method, by all means use it. If not, and the SMS is the only way of doing 2FA, then use SMS as a “much better than nothing” option.

All we need is a secure password

While your password should be reasonably complex and reasonably secure, there are much more important qualities of a good password than just its length and entropy (“randomness”). If you use the same strong and complex password to protect several different accounts, don’t be surprised if multiple accounts of yours are hacked in quick succession. Don’t be obvious either; in How to Break 30 Per Cent of Passwords in Seconds and How to Break 70% of Passwords in Minutes we listed the commonly used attacks that can be and will be performed on your passwords.

A single strong password is not enough. All of your passwords must be unique and not following an obvious pattern. They must be reasonably strong (with emphasis on “reasonably”), and they shouldn’t be found in the Top-10,000 Passwords list.