Simple Tools to Mitigate the Human Weaknesses in
Shawn Scott, CISSP
President, Badger Infosec, LLC
In my last article on “Effects-Based Cyber Security,” I discussed the need to seek value when implementing defensive measures. There are many valid use cases for high-end tech solutions such as next-gen firewalls, software-defined networking and rigorous network monitoring with SIEMs. But unfortunately, it is more often the failure to get the basics of “cyber hygiene” right that makes attackers’ jobs easy. This article is the first in a series called “DO THIS NOW!” in which I will discuss how relatively simple solutions can dramatically improve cyber hygiene, both for organizations and individuals. A tip of the cap to my inspiration for this series, Brian Johnson of 7 Minute Security, who is a true evangelist for “getting the basics right.”
YOU ARE NOT RAIN MAN.
For the foreseeable future, usernames and passwords will continue to be the most widespread method of identification and authentication. While there are certainly much more secure methods, the real weakness in the username/password paradigm is in how we humans use them. We all know that we should be using long complex passwords, and we know that we should be using unique passwords for every account. But let’s face it – most of us aren’t Rain Man, and thus we choose poor password complexity and tend to re-use those poor passwords for multiple accounts. Password vaults, such as LastPass, Dashlane and Keeper help mitigate the inherent weaknesses in the username/password paradigm by making it easy to use long complex passwords and take away the incentive to re-use them on multiple accounts.
LENGTH AND COMPLEXITY MATTER
It’s worth taking a moment to review why password length/complexity are so important, and why password re-use is so very, very bad. When you create a username and password combination, a properly built server does not store your password at all. It stores a “hash” of it: the output of a one-way function that cannot be run backwards to recover the password. (Hashing is not encryption; there is no key that turns the hash back into the password, and that is the point.) A well-designed server also mixes a random, per-user value called a “salt” into the hash so that two users with the same password get different hashes. When you authenticate, the server takes the password you submit, runs it through the same hashing function with the same salt, and compares the result with the stored hash. If the hashes match, you are granted access.
When attackers steal the credentials list from a server, they normally only obtain the hashes of passwords – not the passwords themselves. To “crack” a password, the attacker needs to determine what character string, when passed through the hashing algorithm, will produce the matching hash. The two primary methods to crack passwords are brute-force and dictionary attacks. In a brute-force attack, the cracking computer tries every combination of all letters, numbers and special characters. Each combination is put through the hashing algorithm and compared against the list of hashes. Even when using all character varieties, cracking a password of seven or fewer characters is trivial for modern desktop computers if the server used a fast hash such as MD5, SHA-1 or NTLM; deliberately slow functions such as bcrypt, scrypt or Argon2 make every guess cost orders of magnitude more, though they do not change the arithmetic of length. Each additional character multiplies the number of possible combinations by the size of the character set, so a password that uses the full set of 95 printable characters grows 95 times harder to exhaust with every character added.
Dictionary attacks play upon our tendency to pick passwords that are combinations of words or variations thereof. The cracking machine simply tries combinations of all the words in a dictionary file, often “mangling” them to overcome common practices like substituting “@” for “a” and “!” for “I.”
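The following is an added example, not code from the article, that puts the two preceding paragraphs into working form: a server storing and checking salted hashes, the brute-force keyspace arithmetic, and a small dictionary attack with “mangling” rules run against a constructed leak of three hashes. Salted SHA-256 stands in for the server’s hash function (it is a fast hash, which is exactly what makes the attack cheap; a real server should use bcrypt, scrypt or Argon2), the guess rate of 1e10 per second is an assumed figure for fast hashes on a GPU rig, and the usernames, passwords and wordlist are constructed for the example.

```python
from __future__ import annotations

import hashlib
import secrets
import string

# Added example, not from the article. Salted SHA-256 stands in for the
# server's hash; it is deliberately a *fast* hash to show why cracking is cheap.
CHARSET = string.ascii_letters + string.digits + string.punctuation + " "  # 95 printable characters


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Server side, at registration: store (salt, digest), never the password."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).digest()


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Server side, at login: re-hash the submitted password with the stored
    salt and compare in constant time. The plaintext is never kept."""
    return secrets.compare_digest(hash_password(candidate, salt)[1], digest)


def keyspace(length: int, charset_size: int = len(CHARSET)) -> int:
    """Number of candidates a brute-force attack must try to exhaust a length."""
    return charset_size ** length


def seconds_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case time at an assumed guess rate (GPU rigs reach roughly 1e10/s
    against fast hashes, and far fewer against bcrypt or Argon2)."""
    return keyspace(length) / guesses_per_second


LEET = str.maketrans({"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"})


def mangle(word: str):
    """Yield the variations a cracker's rule set tries for one dictionary word:
    case changes, leet substitutions, and common suffixes."""
    variants = {word, word.capitalize(), word.upper()}
    variants |= {v.translate(LEET) for v in variants}
    for v in sorted(variants):
        yield v
        for suffix in ("1", "!", "123", "2019"):
            yield v + suffix


def dictionary_attack(leaked: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Run the mangled wordlist against a stolen (salt, digest) list.
    Because every user has a different salt, each guess must be hashed once
    per user; hash_ops counts that work."""
    recovered: dict[str, str] = {}
    hash_ops = 0
    for word in wordlist:
        for guess in mangle(word):
            for user, (salt, digest) in leaked.items():
                if user in recovered:
                    continue
                hash_ops += 1
                if verify_password(guess, salt, digest):
                    recovered[user] = guess
    return recovered, hash_ops


# Constructed sample "leak": two human-chosen passwords and one long random one.
LEAKED = {
    "bubba": hash_password("worm123"),
    "alice": hash_password("R@d!$h!"),
    "carol": hash_password("d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2"),
}
WORDLIST = ["password", "worm", "radish", "badger"]

if __name__ == "__main__":
    for n in (7, 8, 12, 20):
        print(f"{n:2d} chars: {keyspace(n):.2e} candidates, "
              f"{seconds_to_exhaust(n, 1e10) / 31_557_600:.2e} years at 1e10 guesses/s")
    found, ops = dictionary_attack(LEAKED, WORDLIST)
    print(f"recovered {found} after {ops} hash operations; carol's random password survives")
```

Run as a script, it prints the keyspace and worst-case cracking time for several lengths (seven characters fall in about two hours at the assumed rate; twelve take millions of years), then recovers “worm123” and “R@d!$h!” from the wordlist while the 35-character random password is never reached. The per-user salt is why `hash_ops` counts one hash per guess per user: without salts, one hash per guess would test every user at once.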
So how much length and complexity is enough? Ideally, the answer is “as long and complex as the site will allow.” Advances in cloud computing have made it inexpensive for attackers to rent incredibly powerful hash-cracking beasts. A physical computer that would cost over $20,000 to purchase can be had for $7.20 an hour in Amazon’s EC2 cloud. So you create an incredible password for your bank account, something like “d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2.” You even manage to memorize this thing of beauty. But that was hard, and you are not Rain Man. So you re-use this password when you create your account at redneckbaitshop.com.
Bubba, the proprietor and chief worm farmer at redneckbaitshop.com, decided to build his own e-commerce site, and he stores every username and password in plain text. Not surprisingly, redneckbaitshop.com is hacked and attackers steal the credentials list. Within minutes, the attackers are replaying every username and password pair against all the major banking sites – including yours – an attack known as credential stuffing. That beautiful password you created is now used against you to drain your life savings.
PASSWORD VAULTS FTW!
So what is a password vault, and how does it help? These services act as a secure repository for all your credentials. Generally, they operate as a plug-in to your web browser or a separate application on your mobile device. You sign in to your vault using a single master password – and this is the only password you must remember. When you navigate to a site requiring a login, the password vault can usually auto-fill your credentials. Most will recognize when you enter credentials that are not already stored in the vault – then offer to add them for future use with a single click. When creating a new password, most will generate a very long random password for you and store it automatically. By making the generation and storage of strong passwords easy, these programs eliminate the human tendencies that incentivize weak passwords and password re-use.
As a general rule of thumb, sharing passwords is a bad idea because it makes attribution difficult. If more than one person is using the same credentials, how do we know who to blame if the account is used inappropriately? But in the real world, there are times when we need to share passwords both in our personal and professional lives. Family and Enterprise versions of password vaults enable you to easily share passwords. You can also designate an emergency contact, who can apply to receive access to all your credentials (shared and non-shared) in the event you are incapacitated. A few years ago, my father passed away and I was named the executor. I spent countless hours in that first hectic week simply gaining access to the accounts needed to make final arrangements. I sleep much more soundly at night knowing that when the inevitable happens, my loved ones will not have to endure the same experience.
Most of these applications can store much more than just usernames and passwords. Securely store family social security numbers, bank account numbers, home alarm safe words, or just about anything else. Some, such as LastPass, allow you to securely store documents such as birth and marriage certificates.
BUT ARE THEY SECURE?
Password vaults can make our lives convenient and give us comfort in our personal lives, but are they secure? Trusting a company with all your credentials can seem pretty scary - especially to those of us who understand that there is no such thing as a perfectly secure application. Yes, there is risk in using a password vault. Even some of the larger and better-regarded password vaults have had security incidents. For me, it is about managing risk. I believe that for the vast majority of people, the risks in using a password vault are much less dangerous than the alternative.
You can also increase the security of this solution by applying some of the same, common-sense principles that you should be using elsewhere in your life. First, make sure that you choose a very long master passphrase (20+ characters) that has some complexity. It doesn’t need to look like “d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2.” Something like “n3v3reatradishn@ch0s1nbed” (never eat radish nachos in bed) provides a reasonable balance of length and complexity with the human need to remember it. Second, only choose a vault that supports two-factor authentication. In the event your master passphrase is compromised, this will at least make it more difficult for an attacker to log in to your account. Be aware of what two-factor authentication does not do: it guards the login to the provider’s service, not an attacker who has stolen a copy of your encrypted vault and is guessing the master passphrase offline. Against that attacker, the strength of the passphrase is the only defence, which is why the first rule matters more than the second. Ensure that you have screen lock timers set for all your devices, and lock your devices manually when leaving them unattended. As you add passwords to your password manager, use the opportunity to change them. Storing your passwords securely doesn’t mitigate the dangers of password re-use!
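As an added example (not any vault vendor’s code), the following shows the two vault-side features described above: the generator that produces long random passwords, and the audit you should run as you migrate existing logins into the vault, flagging any password that is reused across sites or is short. The character classes, the 16-character threshold and the sample vault contents are constructed for the example.

```python
from __future__ import annotations

import math
import secrets
import string

# Added example, not any vault vendor's code.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 characters


def generate_password(length: int = 32, require_all_classes: bool = True) -> str:
    """Draw from the OS CSPRNG (`secrets`, never `random`). When a site insists
    on every character class, redraw until the policy is met: rejection
    sampling keeps the result uniform over all compliant strings, whereas
    forcing one character from each class into the string biases it."""
    if require_all_classes and length < len(CLASSES):
        raise ValueError("length too short to contain every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes or all(
            any(ch in cls for ch in candidate) for cls in CLASSES.values()
        ):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def audit_vault(entries: dict[str, str], min_length: int = 16) -> dict[str, list[str]]:
    """Flag sites whose password is reused elsewhere in the vault, or is short.
    This is the check to run as you move existing logins into a vault."""
    sites_by_password: dict[str, list[str]] = {}
    for site, pw in entries.items():
        sites_by_password.setdefault(pw, []).append(site)
    findings: dict[str, list[str]] = {"reused": [], "short": []}
    for site, pw in entries.items():
        if len(sites_by_password[pw]) > 1:
            findings["reused"].append(site)
        if len(pw) < min_length:
            findings["short"].append(site)
    return findings


# Constructed sample vault: the article's strong password reused on two sites,
# plus a weak one.
SAMPLE_VAULT = {
    "bank.example": "d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2",
    "redneckbaitshop.example": "d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2",
    "forum.example": "worm123",
}

if __name__ == "__main__":
    pw = generate_password(32)
    print(f"generated: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
    print("audit:", audit_vault(SAMPLE_VAULT))
```

A 32-character password from this alphabet carries about 210 bits of entropy, far beyond anything the cracking rigs described earlier can reach; the audit reports the two sites sharing the bank password and the short forum password, which are exactly the entries to rotate first.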
DO THIS NOW!
So which solution should you choose? I’m not going to endorse a single product, but you should choose an industry leader that has been strongly scrutinized by the security community. Your solution should perform all encryption and decryption on your device; unencrypted data should never be visible to the solution provider. The encryption algorithm should be strong, such as AES-256, and the master passphrase should be stretched through a deliberately slow key-derivation function (PBKDF2 with a high iteration count, or Argon2) before it is used as a key, so that every offline guess at your passphrase costs the attacker real computation. LastPass, Dashlane and Keeper are but a few of the good choices available.
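The following added example (not any vendor’s code) shows the design split just described: the master passphrase is stretched on the device into a vault key that never leaves it, the provider only ever receives a separately derived login token, and an attacker who steals the provider’s database must pay a full key-derivation run for every passphrase guess. The AES-256 encryption of the vault contents with the derived key is not shown, since the Python standard library has no AES (use the `cryptography` package’s AES-GCM in practice); the 600,000-iteration PBKDF2 work factor, the `b"login"` label and the assumption that the per-account salt is stolen along with the database are all choices made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Added example, not any vendor's code. Work factor is an assumption; tune it
# to the highest value the client device can afford on every unlock.
ITERATIONS = 600_000


def derive_keys(master_passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Client side. Returns (vault_key, login_token). vault_key encrypts the
    vault (AES-256 in practice, not shown) and never leaves the device."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt, iterations, dklen=32)
    # One more one-way step so that the token handed to the provider cannot be
    # turned back into the vault key.
    login_token = hmac.new(vault_key, b"login", "sha256").digest()
    return vault_key, login_token


def provider_enroll(login_token: bytes) -> bytes:
    """Provider side: keep only a hash of the token. The provider never sees
    the passphrase or the vault key."""
    return hashlib.sha256(login_token).digest()


def provider_verify(stored_token_hash: bytes, login_token: bytes) -> bool:
    return hmac.compare_digest(stored_token_hash, hashlib.sha256(login_token).digest())


def offline_guess(salt: bytes, stored_token_hash: bytes, guesses: list[str], iterations: int = ITERATIONS) -> tuple[str | None, int]:
    """Attacker holding a stolen copy of the provider's database (salt plus
    token hash). Two-factor authentication does not apply: nothing is being
    logged in to. Each guess costs a full PBKDF2 run, so the iteration count
    and the passphrase's strength are the only defences. Against a stolen
    encrypted vault the check would be a trial decryption instead."""
    kdf_runs = 0
    for guess in guesses:
        kdf_runs += 1
        _, token = derive_keys(guess, salt, iterations)
        if provider_verify(stored_token_hash, token):
            return guess, kdf_runs
    return None, kdf_runs


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # stored with the account; assumed stolen along with it
    vault_key, token = derive_keys("n3v3reatradishn@ch0s1nbed", salt)
    stored = provider_enroll(token)
    print("login ok:", provider_verify(stored, token))
    print("offline guessing:", offline_guess(salt, stored, ["password123", "n3v3reatradishn@ch0s1nbed"]))
```

The point to take from it is where the cost lands: a legitimate unlock pays one PBKDF2 run, while a thief pays one per guess, so doubling the iteration count doubles the attacker’s bill at the price of a fraction of a second on your device. Nothing in the provider’s database lets it, or whoever steals it, read your vault without first recovering the passphrase.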
There are free options available, but you should expect to pay a few bucks a month for some premium features such as password sharing. Securely storing your passwords is one of the most important things you can do in your digital life, so consider it money well spent, and DO THIS NOW!
Shawn Scott is a veteran of both cyber and combat military operations. He currently leads Badger Infosec, where he specializes in assisting organizations adopt strategic and sustainable approaches to cyber security.