The first thing to know is that weak passwords are often the easiest way to get access to information.
When we do pen testing, guessing passwords is a surprisingly effective way to get access to a system!
We’ve worked with clients where we’ve seen an adversary running a botnet of 100,000 computers slowly but consistently testing passwords one by one, gleaned from, for example, the billion-user Yahoo! data breach. So this is very real.
The reason we need to choose complex passwords is that attackers typically guess large numbers of passwords to try to gain access. They may use a long list of commonly used passwords or, in a more targeted attack, they may guess likely passwords for particular users. In general, though, they want to make a lot of guesses. We want to make it as time-consuming and difficult as possible for them to guess our password correctly.
We also need to choose a unique password for each site we use, because attackers often take a dump of users and their passwords from one website (like Yahoo! or Adobe) and use it to attack another website.
A password manager is a tool that helps you manage your passwords. Some common ones we see include Dashlane, 1Password, LastPass and BitWarden. We’re even seeing browsers (Safari, Chrome) integrate password managers. We’re not here to endorse a particular one.
Password managers do a couple of things to help safeguard passwords:
Another advantage to using a password manager is that it also makes it easier to avoid phishing. Here’s why: Normally you visit a URL and the password manager completes the login form with your password. If you are sent to a lookalike URL via a phishing email, the password manager doesn’t know which credentials to apply, and it will prompt you. So as a user, you will be prompted for credentials when you wouldn’t expect to be. This gives you an opportunity to second guess the phishing email’s origin.
Having a complex password and not reusing passwords is a great start. There are a couple of other countermeasures that can really help with security and which may make a password manager less important. I want to mention them here because they are important:
These other countermeasures are important enough that we will have separate security culture posts about each of them in the coming weeks.
The way systems work behind the scenes (or at least should work) is that they don’t know your password either. They store the output of a one-way function called a “hashing function” (for the tech folks: use an adaptively slow hashing function such as scrypt, bcrypt or PBKDF2). Additionally, these hashes should be salted. SSO is typically based on SAML or OAuth.
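As an added illustration of the salted, slow hashing described above (example code written for this post, not code from any of the products mentioned), here is a minimal store-and-verify pair using PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count, salt size and the `algorithm$iterations$salt$hash` record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this demonstration (not from the post).
# A high iteration count makes every guess cost the attacker as much
# work as it costs the server to check a legitimate login.
ITERATIONS = 600_000
SALT_BYTES = 16
ENCODING = "utf-8"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt and iteration count are stored alongside the hash so that
    verification can recompute it, and so the cost can be raised later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, unpredictable salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(ENCODING), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, stored_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False  # unknown or downgraded algorithm tag: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(ENCODING), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(stored_hex))


def salt_makes_hashes_differ(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password must not end up with the same stored hash."""
    return hash_password(password, iterations=iterations) != \
        hash_password(password, iterations=iterations)
```

The same shape works with bcrypt or scrypt (scrypt is also in `hashlib`); what matters is the per-password random salt, the deliberately slow function, and the constant-time comparison.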
Feel free to reach out to discuss further; the details of doing all of this correctly are beyond the scope of this blog post.
Sign up for haveibeenpwned.
Use a password manager.
Use passphrases of 4 words (16 chars) where that is supported.
If you are a developer, support SSO and/or MFA, store passwords securely and give users feedback about the complexity of the password they are choosing. Check out the OWASP cheat sheet to help you think through corner cases.