Impact Assessment no. 006
Watch the episode on YouTube
Passwords are the worst. Trying to pick a “secure” one makes the whole thing worse. Every site and service has its own variation on the “rules” for making a strong password, and it’s hard to remember what you’ve set your password to.
Are those rules really making our passwords stronger? Do we need so many different passwords? Is it even possible to keep track of all of these passwords?
How do cybercriminals attack your passwords? What do hackers do with the passwords they gain access to? What are cybersecurity defenders doing to help?
In this episode, we’ll try to tackle these questions and more. At the end, you’ll get some straightforward, actionable advice that can help you make handling passwords a little bit easier while actually increasing your security.
- Intro [00:00]
- Authentication & Authorization [00:21]
- NordPass report [00:59]
- Old school thinking [02:47]
- How cybercriminals attack [04:57]
- New password recommendations [07:46]
- Biometrics? [10:45]
- Password managers [11:25]
- One thing for 2021 [13:01]
- Standardized guidelines on passwords from NIST via Security Boulevard
- An example of rainbow tables
- A discussion of the "show password" UX by LukeW
- XKCD's famous passphrase comic
- Wired on the 5 best password managers
[00:00:00] Passwords suck. There's no way around it. We all hate them, and whether you're just sick and tired of entering your password, mistyping it, or trying to remember it, there is nothing positive about passwords, except for that keeping-you-safe-online bit. That one's handy. Passwords are horrible. They're also the best solution we have for a very tough problem: figuring out if you are who you say you are. In security, we use the term authentication to describe the process of figuring out who you are. Now, that's not to be confused with authorization, what you're allowed to do.
[00:00:43] Figuring out who you are, that authentication bit, is a critical part of any system. This is not an area where you wanna see any mistakes. But what if I told you that most of what you know about passwords actually leads to worse security and privacy? Recently, NordPass from the same people that bring you NordVPN, you know, that near ubiquitous YouTube sponsor, published a report about password usage that got some pickup with the media. Now, NordVPN regularly publishes their set of commonly used passwords, which is part of the reason that you see this type of story pop up time and time again.
[00:01:21] First things first, the general tone of the coverage was that people still choose bad passwords. Now, that's a very loaded term and it skews towards blaming the users. This isn't a healthy approach to security and the coverage fails to call out a critical missing data point, how important is that account for the user? If there's one thing the internet isn't short of, it's sites that require or push really, really hard for you to create an account. It's right behind cat memes as the most absolutely everywhere thing ever.
[00:01:57] But when I see a password like 123456, I immediately think, "This user's making a throwaway account," not, "This user's bad at picking passwords." That's why we continue to see a lot of patterns and easily guessable passwords at the top of these types of lists. Too many sites and services require users to create an account when the user actually views that interaction as a one-time transaction. That's one problem.
[00:02:28] The other, more critical problem is that everything we've ever taught you about passwords over the years is wrong. Yes, wrong. So let's take a few minutes to break through some password myths and help improve your cyber-security habits. It's a solid step to help ensure your digital privacy. So if I ask you what makes a good password, you're probably gonna tell me some variation of the following. A strong password is at least eight characters long and it contains at least one uppercase letter, one lowercase letter, a number and a symbol or a special character, and we should be rotating that password every 90 days. This has been the standard password advice for well over a decade now.
[00:03:12] It's also wrong. The security community has known for a long time that password schemes like this lead users to pick weaker passwords. Does a password like this, password1!, look familiar to you? Well, I'm willing to bet that you've used a similar pattern, and when forced to change your password in 90 days, password2! was the next one. Don't worry, this is not your fault. A long time ago, at least in computing years, in the Microsoft Windows NT days, a decision was made about passwords that was made for a multitude of technical reasons. The idea of a complex password was implemented in the service pack update to help protect important network accounts.
[00:03:56] And at first glance, these rules weren't bad. You see, a strong password is one that isn't predictable. Now, the ultimate expression of this lack of predictability, or entropy, is a completely random password. Something like this; I'm not even gonna try and pronounce it. That's not something that you're gonna be able to remember easily, and that's where passwords get tricky. Using passwords is a collection of trade-offs. The goal is for the user to use something that's as unpredictable as possible, while still being rememberable. The goal of these rules was to force users to choose passwords that appeared to be more random. But this led to a memorization problem. It was hard enough to pick an unpredictable password that you could remember, let alone one every 90 days for a number of different systems, which means people started to create predictable password patterns as much as possible in order to reduce the chance that they forgot their password, because resetting your password is and always has been a pain.
[00:04:57] But okay, why is all that bad? Well, pretending to be a valid user is one of the top techniques that cyber [inaudible 00:05:03] use to gain access to data and resources. In fact, usernames and passwords are regularly sold in the digital criminal underground. So when a cyber criminal attacks a system, they often try to guess your password and to gain access to stored passwords whenever possible. Now, this means users need to protect themselves, while people who create your favorite apps and websites need to protect the system as a whole. Making your passwords more difficult to predict is one part of that defense. Not reusing your password across different accounts is another.
[00:05:33] Now, you see, when cyber criminals get to know that a username and password combination is valid, they'll try it on other sites, trying to appear as a legitimate user. If you use the same username, which is often your email, and password on site A as well as on Facebook or Gmail, well, once the attacker compromises site A, they're gonna try that known good password on Facebook and Gmail, and now they have access to other very important accounts of yours, and that is bad. Of course, the teams that are building the technology that you use employ a number of different techniques to defend against these known attacks. The specifics of those techniques are not very important right now. It's just important to know that attackers generally want as many passwords as they can get their hands on.
[00:06:20] But if I pick a random password, I'm stopping cyber criminals, right? No. To truly understand how to protect your passwords, you have to understand how they're attacked. Now, long gone are the days where they would simply type in educated guesses, despite what you see in the movies. A lot happens after you type in your password, and the very short version of that is that all passwords are usually converted into a different value called a hash, and then they're stored that way. Now, a hash is a one-way mathematical function. Give it a value, your password, and it will always generate the same output. However, the way the function is designed, it's really, really hard to figure out the original input, your password, given the output, thus a one-way function.
[00:07:04] But these hash functions are standardized. They need to be in order to be vetted for their security and to validate the math. Now, cyber criminals know this, and they use a pre-calculated table of hash values called a rainbow table in order to crack your password. So instead of typing it in, they just look it up in the database. Now, there are simple ways for people making systems to protect against this attack. But the reason I bring it up here is to illustrate the constant back and forth between attackers and defenders. It's a constant war with either side only making progress for a short time.
[00:07:36] Now, the original password rules were a good idea at the time, but given how fast things change in the world of cybersecurity, they're actually causing more harm than good. Now, thankfully, the 25-year-old recommendations were updated three years ago in 2017. Now, NIST, the National Institute of Standards and Technology, provided new guidelines to developers around passwords. They were long overdue, but they're very, very welcome. That new guidance shone a light on what we in the security community already knew. The old rules weren't effective.
[00:08:08] Now, the new recommendations are very straightforward. Systems should allow users to enter longer passwords, and those passwords should be checked against a database of commonly used passwords and rejected if they're found there. This reduces the chances that a cyber criminal will use a pre-checked list of values to crack your password. The new recommendations also state that you should only change your password when you believe it's been compromised or once every year. The challenge is that authentication systems out in the wild are remarkably complex, and they're not easily changed. It's gonna take a few more years before this guidance is implemented across the board.
[00:08:47] Now, as a semi-side note, if you've ever wondered why most sites don't actually show you your password when you enter it, that's to prevent someone looking over your shoulder while you type. But that also results in a ton of typos and user frustration, which leads people to pick weaker passwords. It's not a good situation. Now, thankfully, more and more sites are offering a show password toggle so that you can see what you're typing. You should use this when you know there isn't anyone over your shoulder, or there's not a camera there looking at what you type.
[00:09:15] Now, related to this, all sites and apps should allow you to paste into the password field. Not copy, that's crazy, but paste. That's gonna be critical in our next topic. But all this history and info on how criminals attack passwords and how we implement them leads back to one key question. How do I manage my passwords? Well, it turns out, the best advice is pretty straightforward. Any password that you choose should be as long as possible. In order to get this length, you use a passphrase. There's a famous comic here from XKCD that provides a great example, correct horse battery staple. That's an easy-to-remember password that's actually the same strength as a 10-character random password like this one.
[00:09:59] Which one would you rather enter a few times a day? Well, my recommendation is to use a tool to randomly pick six to 10 words and use that as your passphrase. The math holds up. Those passwords are gonna take years and years and years to crack for anyone that's not a nation state. And as usual, if you're worried about nation states attacking you as an individual, you've got a completely different risk model than we're addressing here.
[00:10:24] Now, for the practical and somewhat sad part. A lot of systems won't let you use passwords like this yet. Ironically, the passwords are too long. Now, remember when I said that authentication systems are really complex? Sadly, that hasn't changed in the few minutes that you've been watching this video. So we're faced with this really messy transition. Now, you may be wondering how we've made it this far into a video about passwords and we haven't even talked about biometrics yet. Or you may be wondering, "What are biometrics?" Well, things like fingerprint scanners or facial recognition. They're now really common on smartphones, and they're really interesting authentication techniques. But right now, those methods are essentially used to enter your password in the background, and when they fail, they all fall back to that all-important, mighty password.
[00:11:12] So there's a lot of potential and interesting security, obviously, technology associated with biometrics. But that's a story for a different video. Hit that like button or comment below if you'd like to see that video, and I'll move it up in the queue and get it done faster. So we're stuck with the password. How do we make it a bit more manageable? Well, the answer is actually in that question. We use a password manager. A password manager is an app or a service that keeps track of all your passwords for you. You can get a paid version or open source password managers.
[00:11:44] Regardless of the choice, the concept remains the same, and that's what's important here. Using a long, strong passphrase, you access your password manager and only your password manager with that passphrase. You let it create and enter all the crazy random passwords for all the apps and websites that you use.
[00:12:00] It's a weird situation, but a really secure one. So off the top of my head, I can't tell you what my email, my YouTube, Twitter, or any of my other passwords are. I have to go out of my way to learn what they are because my password manager takes care of all that for me. I just remember that one password.
[00:12:20] Now, these tools often have browser plugins for Windows and Mac OS, and deep integration with Android and iOS. This means the worst-case scenario is that you may have to copy and paste your password from the manager. But more often than not, it'll be automatically entered for you by the password manager. This makes for a reasonably seamless experience. Now, on the rare occasion, you'll find a system that doesn't allow anything to be pasted into the password field. Again, that's driven from a place of poor security advice, and that's on us. But in these cases, you'll have to manually type out the complicated password. But again, that's a very, very rare case.
[00:12:55] Yes, this all could be better. But we can't control how all these websites and apps handle their passwords. The password manager approach lets us maximize the security of each of those sites by creating a truly random password at the maximum size that that site allows. Now, it can be truly random because we, the previous weak link in the entire system, no longer have to actually remember it or type it. Now, there's a lot more to discuss around the subject of authentication, from biometrics to passwordless logins to security keys. If you wanna see videos on those topics, let me know in the comments below. But for now, remember, if there's one thing that you're gonna do to increase your security online heading into 2021, get a password manager and use it.