davidnoren.com




Password Security

One of the most frequent questions I get from people who know about what I do for a living is, “Is it bad that I use the same password everywhere?” I always answer in the affirmative, but I know that is not the answer people want. Password security is a complex topic. With so many websites requiring usernames and passwords yet many websites and organizations not caring as much about password security, and security in general, what can you do? At a quick glance, I have approximately 250 websites that I have user accounts with. I may not need all of them, and my accounts on all might not be active, but that is an incredibly high number of sites to keep track of.

Note: This post was originally written on a WordPress-powered blog, and has been exported and imported to this blog platform. As a result, unfortunately, not all markdown, code, and output looks as pretty as it once did.

I will admit I tend to be a little paranoid when it comes to password security and online security in general, simply because it is my job to do so. If we want to play the statistics game, you are probably not likely to be targeted in some bank account theft ring where people are finding your password. They most likely will not log in to your online banking account and drain your life savings. With however many other millions of people out there using online banking, you probably won’t be affected. Just like you probably won’t be in a commercial plane crash, but keep in mind they still have evacuation slides and life jackets. So, maybe you should take what I write with a grain of salt. On the other hand, I would say that if you do what I suggest at the end of this post, you will find it easy to protect yourself once you are used to the new routine.


(NOTE: this is a long post. The major sections have headers. If you’re already worried about using the same passwords everywhere, scroll down to the end. If you think I’m crazy to say that you shouldn’t use the same passwords, then read all of this.)

January 2015 Update: These guys have an excellent book available on Amazon that goes into more detail on password security. Well worth the read if you have Kindle Unlimited on Amazon, and still worth the read for the few bucks they sell it for.


First off, enforcing good password security hygiene may require a behavior change on your part. I know, that is not what you wanted to hear – just like everybody who I have ever told it is bad to use the same password. There are tools to help you manage your passwords, but it will require a behavior change, and from time-to-time may be a pain.

Just like everything in life, you have to weigh the risk against the behavior change. Is the risk and impact, should something bad happen, more painful than the minor changes that you will eventually get used to? In the world of enterprise information risk management, there are a number of tools and frameworks we use to calculate that risk. One good example is ISO 27001. While that is overkill for personal use in deciding whether proper password management is worthwhile, it is beneficial to think along the principles outlined in these frameworks. The matrix below is an example of one of the many tools used in the enterprise world.

Is password security really a problem?

Maybe you understand that it is a bad idea to use the same password everywhere, but are asking if it really is a big deal? What if somebody finds my password? Can’t I just change my password and then it will not be a big deal? Besides, don’t websites do things to make it impossible for people to get my password anyway? All of these are valid questions; let’s take a look at a few of the common ones.

“Don’t websites do things that make it impossible for people to get my password?”

Many people assume that websites “encrypt” your password. Further, they assume that those passwords are hard for hackers to find on the website, and that even if they did find the passwords, they would be useless. Well, not quite. Not all websites enforce password security measures as proficiently as they should, as exemplified by many recent website breaches. Websites should take the user’s password, add something called a “salt” to the password, “hash” the password, and then store it in the database. For example, if your password is “password”, it would be stored in the database as something like: “ec1a43450b1c8b874c64cd5eb1f570b5485989b7”. The “salt” is just an additional string that the website adds to your password, and it is ideally unique for each person’s password. The “hash” is the result of a one-way mathematical function performed on the password. Some common examples are MD5 and SHA1, if you want to read up on them more. These mathematical functions are supposedly impossible to undo – but the details on that are another story entirely.

So, if the above steps are followed, maybe your password is reasonably safe. The first problem is, many sites simply don’t follow those best practices for password storage. A prime example is LinkedIn, who simply hashed the passwords without a salt. That means that the SHA1 hash of “password” would be “5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8” on LinkedIn and on every single other site that simply hashes passwords without salting them. Why is that a problem? Well, as an example, sitting three feet away from me are several two-terabyte hard drives that contain pre-computed SHA1 and MD5 hashes of practically any possible password from 1–12 characters in length. These are called rainbow tables, and they let me take a LinkedIn password hash (or any other hash, for that matter) from the disclosed password list, look it up in my rainbow tables, and then find the associated plaintext password that made that hash. For example, I know that the hash “82fa20eb148ff2a8fa25c3ee00bf366085c692f0” corresponds to “hellokitty18” and the hash “a761ce3a45d97e41840a788495e85a70d1bb3815” corresponds to “supersecret”.

Even when a password is properly salted and hashed, that does not mean people cannot find out what the password is. There are free tools that, when run on a standard computer with one or two high-end graphics processing units (a.k.a. video cards), can calculate the hashes at the rate of 500 million per second. If the plaintext salt was compromised along with the password hashes, it might be only a matter of minutes or hours to figure out your password.
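To make the unsalted-versus-salted point concrete, here is a small Python illustration. It is an example added to this post, not code from the original article or from any of the sites named above. The candidate word list and the resulting lookup table are constructed here as a toy stand-in for the multi-terabyte tables described, and the PBKDF2 iteration count is an assumption chosen to make each guess expensive.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this illustration: a tiny stand-in for the precomputed tables
# the post describes, mapping unsalted SHA-1 digests back to their plaintexts.
CANDIDATE_PASSWORDS = ["password", "letmein", "hellokitty18", "supersecret"]
PRECOMPUTED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest(): p for p in CANDIDATE_PASSWORDS
}

# Assumption for the example: a work factor high enough to slow offline guessing.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """What a site that 'just hashes' stores. The same password gives the same
    digest for every user on every such site, so one table reverses them all."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(digest: str) -> Optional[str]:
    """Reverse an unsalted digest by table lookup; None if it is not in the table."""
    return PRECOMPUTED_SHA1.get(digest)


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Salted, iterated storage: a fresh random salt per user plus PBKDF2-HMAC-SHA256.
    Returns (salt, digest); both are what the database would hold."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def same_password_two_users(password: str) -> bool:
    """True when two users who picked the same password end up with different
    stored values, which is exactly what defeats a shared precomputed table."""
    salt_a, digest_a = store_salted(password)
    salt_b, digest_b = store_salted(password)
    return salt_a != salt_b and digest_a != digest_b


if __name__ == "__main__":
    d = unsalted_sha1("password")
    print("unsalted SHA-1 of 'password':", d, "->", lookup_unsalted(d))
    print("two users, same password, different stored values:",
          same_password_two_users("password"))
```

The unsalted digest of “password” comes out as the same fixed value on every site, so a single lookup recovers it; with a per-user salt the table lookup has nothing to match, and the iteration count turns each remaining guess into real work.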

“Ok, but if a website knows my account has been hacked, don’t they force me to change my password? So, I’m ok then, right?”

Ironically enough, you might actually be ‘ok’ on that website – so long as they don’t just ask for your old password before they ask you to enter a new password (remember, the bad guys might already know your password if they have the hash). Keep in mind that if you use that same password on other sites as well, it is trivial to make the connection between your username on the hacked site and your username on other sites (let me guess – it is the same username, same email, or a minor variation, likely involving your name?) So the biggest problem is other websites where you use the same password – and no, you’re not “ok” on those sites.

“The only way somebody can find my password is if they hack a site or I tell them my password, right?”

Wrong. Do you use your computer or your smartphone on wifi at places other than your home? Do you always check to see if your browser says “https://” in the URL bar when you login to a website? Do you ever see a certificate error warning from your web browser, but don’t know what it is saying so you just ignore it? Are you sure you don’t have a virus on your computer capturing everything you type and sending it to me (err, I mean, bad criminals in Russia)?

If you use public wifi, don’t secure your home wifi properly, or could fall victim to the things I listed above, somebody could easily pull your password out of thin air, literally, when you login to a website. Chances are, they won’t be able to do that when you login to Bank of America to see where all your money disappeared to. What probably would happen is they capture your password when you log in to a blog site to post a comment. They then use that same password on Bank of America’s site to steal your money – which is why you’re now logging in to Bank of America, to see what happened to all of your money.

What could happen to me if I don’t care about password security?

Maybe I convinced you that we can’t trust websites out there to keep your password safe. Or, maybe I didn’t, or it went too deep over your head once I started talking about salting and hashing but wasn’t talking about cooking potatoes. What could somebody actually do to you?

Let’s say you’re browsing a site that you visit with some regularity. You’re on a Delta flight browsing on the in-flight wifi, or you’re at Starbucks, or you’re at my house (ok, I’m only mostly kidding with the last one). Since that site has no sensitive content like your credit card info or similar, the site owners didn’t bother using SSL which encrypts the connection. When you log in to make a comment on the site, you enter your username and password and click “login”. Your computer spits the request out to the website to log you in, sending everything over the wireless connection, which is un-encrypted if you’re in Starbucks, so anybody can grab it out of thin air with free software. Or, the wireless is encrypted if you’re at my house, but I’m saving all the traffic that passes through my network. Same with your office – your IT department has full visibility with what you’re doing. Well, I now have the password to that site.

Another method that works well is for the attacker to go to a website and say “I forgot my password”. They then enter your username or email address. The site asks for a few pieces of information to verify that the user asking for the password is actually you. On several sites I looked at in the last hour, all that is asked for is your ZIP code (approximately 45,000 possibilities; try 1,000 an hour for 45 hours from public wifi and the site owners might not even notice what is going on, but the attacker will guess right eventually) or your mother’s maiden name (simple to find out). Once you provide that information, the site will give you the user’s password right there on the screen.
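From the site owner’s side, the guessing run described above is noisy if anybody is counting. Here is an added Python example (not from the original post, and not any particular site’s code) that runs a sliding-window count of failed reset-verification answers per account over constructed log lines, with the format, field names, threshold and window all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log layout for the example: "<ISO timestamp>Z <source ip> <account> <event> <outcome>"
LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def format_line(ts, ip, account, event, outcome):
    return f"{ts.strftime(LOG_FORMAT)} {ip} {account} {event} {outcome}"


def parse_line(line):
    ts, ip, account, event, outcome = line.split()
    return (datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc),
            ip, account, event, outcome)


def find_reset_guessing(lines, max_failures=5, window=timedelta(hours=1)):
    """Return {account: peak_failures} for accounts whose failed reset-verification
    answers exceeded max_failures inside any sliding window of the given length.
    Keyed on the account rather than the source address, because the target stays
    constant even when the guesser moves between networks."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    flagged = {}
    for ts, ip, account, event, outcome in sorted(parse_line(l) for l in lines):
        if event != "reset_verify" or outcome != "fail":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures:
            flagged[account] = max(flagged.get(account, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed sample: one user who mistypes once, and one account receiving
    40 wrong answers in 20 minutes (1,000 an hour would be 50 times louder)."""
    base = datetime(2015, 1, 10, 14, 0, 0, tzinfo=timezone.utc)
    lines = [
        format_line(base, "198.51.100.5", "bob", "reset_verify", "fail"),
        format_line(base + timedelta(minutes=1), "198.51.100.5", "bob", "reset_verify", "ok"),
    ]
    lines += [
        format_line(base + timedelta(seconds=30 * i), "203.0.113.7", "alice", "reset_verify", "fail")
        for i in range(40)
    ]
    return lines


if __name__ == "__main__":
    print(find_reset_guessing(build_sample_log()))
```

The honest mistake never crosses the threshold, while the guessing run is flagged within its first few minutes; a site that counts like this can lock the reset flow or require a second channel long before a 45,000-value ZIP space is exhausted.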

Or, ignore all of that, because you had an account at one of the hundreds of previously hacked sites which have the user information published for all to see on the internet (Gawker, LinkedIn, Sony Pictures, Yahoo, and more). Seriously, there are a number of ways for an attacker to get a plaintext password or a password hash which they can turn into a plaintext password using the methods I mentioned above.

Alright, so now I have a password that you use on one site. Chances are pretty high that you use that same password for your email account (47%, to be exact, is the percentage of people who re-use usernames and passwords between financial and non-financial accounts; 33% of users admit to using the exact same password on every single website). As long as I know your email address (which you logged in with on the site above, was disclosed with the hacked site passwords, or I guessed properly when trying to reset your password on another site, or I found by looking you up on LinkedIn or Facebook, or… you get the point), I can now login to your email. I can probably login to a fair number of other sites as you as well.

If I come across sites that the password does not work on, but I know you have an account on the site, I can say I forgot my (your) password. What do most sites do? They will email you a password reset link. Well, since I have your email address password, I can click that link in your email and set a new password for the site.

What about online banking sites? They require a little more information to reset your password. For example, Wells Fargo requires you to enter your current username or your social security number, your ATM PIN, credit card info, or ZIP code to reset your password. Well, I can find your username a few different ways but I probably cannot find your social security number (unless we’re talking far-fetched here; in that case, it is possible to guess social security numbers with 8.5% accuracy after 1,000 guesses – but that isn’t practical and likely won’t happen to you). For the username, you probably re-used the username that you tend to use on other sites. Or I can find welcome emails from various websites where they welcome you by your chosen username and try those usernames. Or I could see if you have the original welcome email from Wells Fargo when you signed up for online banking, which may state your username. Or I could see if sites like Mint.com have your username stored (Mint doesn’t do that, fortunately). There are a number of ways to find your username once I have access to your email.

So, I have your username now, whether by guessing or finding it elsewhere – or just by you using the same username everywhere. All I need to enter now is one of your bank account numbers and your ZIP code.

Fortunately for you, bank account numbers, on most major sites, are not ever displayed back to you. For example, PayPal won’t show your bank info back to you if you have a checking account linked – if you need to change it, you have to re-enter it. Unfortunately for you, smaller sites, such as rent payment sites, utility payment sites, or similar, will often show your account back to you if they have one on file. I just checked two sites fitting that “smaller” category; both don’t show you the bank info on the main account details page, but if you click “edit” to change your bank account number, it will show you the current information. I could check more, but the first two I checked gave me what I wanted right off the bat. Remember, I can access these because yet again, you’re using the same password, or the site emailed you the password when you signed up and I found it in your email.

Ok, so now all I need is your ZIP code. That’s easy enough – your email account has that on file. So does the site I took the screen capture above from. So does Amazon. So does any shipping confirmation email sitting in your inbox.

Alright, so now I enter all that information on Wells Fargo, and I have full control over your account and changed your password. As you can see, you are still at risk even if you have different passwords for your banking accounts versus your email password. Once I have access to your email account, I can likely find a way to access other accounts as well.

Many sites protect information to make it hard to reset passwords if you only have access to the information from that site; but add in 250 websites giving out various pieces of information on you, and it becomes trivial for somebody to collect the information they need. Each site gives out something slightly different, adding in another piece to the large puzzle of all of your information spread across websites. Want proof? Read this: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Yes, there are a number of variables that are in play in these attack scenarios. This won’t be possible for every single person whose password on one site was released to the public – but studies have shown it is scarily effective.

Ok, I’m paranoid now. What should I NOT do?

I’m glad you asked, but I’m sorry you’re paranoid. Here’s a few things you should *not* do (don’t worry, I’ll tell you what to do):

Do not use the same password on ALL sites

Duh. I just told you why not – but I figured I better say it anyway. (See below where I suggest using the same password for “throw away” sites is probably ok.)

Do not write all of your passwords down

Don’t store all of your passwords in a Word document on your computer. If you do (I know some of you will), especially do not name it “passwords.docx” and leave it on your desktop. Why? Well, you’ll forget your laptop at Starbucks someday; or you will leave it in your car the day your car is broken into; or you will let somebody else use your computer who then sees the file; or you will print it out and leave the paper copy somewhere; or you will get rid of your computer someday, sell it on eBay, and assume deleting the file is enough; or you will sell your computer and reformat your hard drive thinking that is enough; or worse yet you will donate your computer without doing anything to it; or you will get infected with a virus that simply looks for “passwords.docx” or similar variations on your computer and sends them to the owner of the virus for them to sell to others; or, I could keep on going. If you ignore all of the above, do yourself a favor and find a way to encrypt the file (at which point you’re essentially making your own password manager, so scroll down and use the one below, where some really smart people have hundreds of thousands of dollars’ worth of equipment doing it far better than you could).

Don’t use the built-in password manager on your web browser

You know how every time you login to a website, Firefox or other browsers will prompt you to allow it to save your password? Don’t do it. With some exceptions, these password managers make it incredibly trivial for somebody (computer thief, somebody borrowing your computer, or a computer virus) to find all of your saved passwords. It is the same as writing your passwords down in a Word document.

Don’t solely blame the websites

Yes, many sites out there are terrible when it comes to security – some notable cases allowed people to download plaintext passwords directly from the site, no “hacking” involved. Others, such as the ones showing your checking account number, cause problems as well. That said, the root of the problem here is that we are relying on rudimentary security (username and password) to protect our lives. You are partly to blame by re-using the same username and password hundreds of times, but the world is to blame as well for assuming we can use such silly measures to protect so much. The industry needs to come up with better options.

So, what should I do?

Good question. You can ask three people and get at least five different ideas. Here are a few suggestions on what you can do that are most likely an improvement over what you’re doing now. These aren’t perfect (and nothing will be perfect so long as we’re using passwords as the primary authentication mechanism for websites), but hopefully manageable for you.

Use different passwords on each website

I hope you figured this out already, since this is the core message of this post.

It is probably ok to use the same password on sites you don’t care about

We all have some accounts at a few sites that, frankly, we couldn’t care less about. For example, I enjoy commenting on CNN.com or various tech blogs from time to time. Those accounts simply require a username and password and have no relation to any other accounts I have on the internet. For these types of accounts, it is probably safe to use the same password. Steer away from “password” as your password, but something reasonable is probably ok. If you don’t care that somebody else is posting under that account on the internet, then it is not a big deal.

Use a password manager

If you use a different password on each site, there is no way you will remember them all – so you need something to do that for you. No, don’t use the built-in password manager on Firefox – use a real one. Need a recommendation on a password manager? Here’s what I use:

LastPass

The password manager I use is LastPass – and it took me a while to decide to use LastPass versus other major password managers out there (see this LifeHacker post from 2010 to see what other ones exist). It has a few downsides, which I want to highlight first:

Downsides

  • LastPass stores all of your passwords in “the cloud”. Yes, that means that theoretically, they might know all of your passwords. There’s a certain amount of trust I’m willing to grant them after spending several hours looking at what they do to protect their customer data. They claim they cannot access your passwords, and any password decrypting (in this case it is true encryption/decryption, not hashing I mentioned above) is only done in your web browser – all LastPass ever sees is a bunch of gibberish. Further, to access your account, you have to have your password – there is no password reset function, which means they don’t seem to have a way to bypass the security they have built in.
  • If you forget your LastPass password, you’re toast. There are a few things you can do to help make sure that doesn’t happen (backup passwords locally, allow your browser to cache the password database, etc), but in general, you’re toast. On the bright side, you only have to remember one password now. If you have to write it down, put it somewhere where it is not identified as a password, split it between a few locations, stick it in a bank deposit box, or something of the sort. Better yet, make it memorable, don’t write it down, and assume if you wake up with amnesia you will have bigger problems to deal with than remembering your email password.
  • If LastPass goes down, you pretty much can’t use the internet until they’re back online. Unless you tell your email provider and other commonly used sites to “Remember Me” so you don’t login every time you visit, if you can’t get your passwords from LastPass, you’ll be stuck wandering aimlessly around.
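The first downside above rests on a design where the master password never leaves your browser, and the “no password reset” point follows directly from it. The Python sketch below is an added example of that general pattern; it is not LastPass’s code or a description of their exact parameters, and the iteration counts, the use of the e-mail address as the salt, and the function names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumed work factors for the example, not any vendor's actual settings.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def derive_vault_key(email: str, master_password: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Runs in the browser. This is the key that would encrypt the vault, and it is
    never transmitted; the (lower-cased) e-mail serves as the salt so two users with
    the same master password still get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Also in the browser: one further PBKDF2 round over the vault key. This value
    is what gets sent to log in, and it cannot be run backwards to the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_enroll(login_hash: bytes) -> tuple:
    """Server side at sign-up. The server never sees the master password or the vault
    key; it stores a salted, iterated hash of the login hash, so even a dump of its
    database only yields 'gibberish' that still has to be guessed against."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)


def server_check(login_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side at login: constant-time comparison against the enrolled value."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def login_succeeds(email: str, master_password: str, salt: bytes, stored: bytes) -> bool:
    """The whole client flow for one attempt: derive locally, send only the login hash."""
    key = derive_vault_key(email, master_password)
    return server_check(derive_login_hash(key, master_password), salt, stored)


if __name__ == "__main__":
    lh = derive_login_hash(derive_vault_key("alice@example.com", "correct horse"), "correct horse")
    salt, stored = server_enroll(lh)
    print("login with right password:", login_succeeds("alice@example.com", "correct horse", salt, stored))
    print("login with wrong password:", login_succeeds("alice@example.com", "wrong horse", salt, stored))
```

Because the server only ever holds the output of `server_enroll`, it has nothing it could use to rebuild `derive_vault_key` for you, which is why a forgotten master password in this kind of design really does mean “you’re toast”.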

Benefits

  • LastPass seems to have robust security. See this and this for examples. I would advise against taking vendors for their word on their security practices, so also look around on the internet if you need to.
  • LastPass is available from just about every device you need to enter a password in. Laptop, desktop, smartphone, etc.
  • LastPass will generate passwords for you automatically, and store them automatically.
  • LastPass will auto-fill password fields with your password. If it sees you’re on a phishing site (for example, the site is pretending to be Facebook but really isn’t), LastPass won’t auto-fill the field. It is smarter than you in this regard, because phishing attacks are surprisingly effective. From http://www.allspammedup.com/2012/09/phishing-a-look-inside-the-statistics/:

“As for the number of people who fall victim to a phishing scam; mass phishing generally produces about 8 victims for every 100,000 targeted users. Spearphishing attacks generally yield 2 victims for every 1,000 targeted users. Overall, the attacker can expect a 150,000 dollar profit from a spearphishing attack as opposed to netting 14,000 dollars for a mass phishing campaign.”

  • LastPass can give you helpful tips on whether the passwords you are storing are safe/secure or not.
  • If you’re away from your main computer, you can still access your password vault from their website.

Switching to LastPass

(Read this and this to get better instructions on specific tutorials – this is just a summary)

First, you need to decide how often you need to enter your password on certain devices. It goes without saying that you should install LastPass on your web browser on your computer(s). If you ever enter your passwords with regularity on your mobile device (iPhone, Android, iPad, tablet, etc) then you might think about signing up for LastPass Premium. It is $1/month, which is what you paid for the movie ticket to see Man of Steel, which was a letdown of a movie, so do yourself a favor and buy LastPass Premium as consolation.

To start, sign up for a LastPass account at LastPass.com (don’t ever, ever, ever use the same password for LastPass as any other password you use. Never. Just don’t. Period. Not for email, not for anything), then download the browser extensions here, which will add LastPass to your browsers. I only installed it on the main browser I use, which is Google Chrome. If you sign up for LastPass Premium, you can also download the app from the Apple App Store, Google Play, etc, on to your mobile device(s).

Once you have it all setup and ready to use, just let it collect your passwords for a while by using the internet as your normally do. As long as you’re logged in to LastPass (you’ll see a red icon with a white asterisk as opposed to a gray icon with white asterisk; the picture below shows that I am logged in to LastPass), it will see you entering passwords on sites and offer to save them. Tell it to save them. From then on, whenever you visit the site, LastPass can automatically fill in your username and password for you.

[Screenshot not preserved in the export: the LastPass toolbar icon in its logged-in state]

Every now and then, you might come across a site that doesn’t work with LastPass for whatever reason, and the username and password will not properly auto-fill. This is actually fairly simple to work around; when you’re on the site, click on the red LastPass icon in your browser’s toolbar, and the menu below will pop-up. Click on the entry at the bottom which shows the site name and your username:

[Screenshot not preserved in the export: the LastPass toolbar menu with the site entry at the bottom]

Then select “Copy Username”, paste it into the site’s username form, and then do the same thing to “Copy Password”, pasting it into the site’s password form:

[Screenshot not preserved in the export: the “Copy Username” and “Copy Password” menu entries]

Once you have been using LastPass for a while, and have a good number of sites stored in LastPass, start going to those sites and changing your password. When you get to the change password screen on each of those sites, ask LastPass to generate a new, secure password for you. Many people have opinions on password strength and what is proper versus improper (see this XKCD comic for an example), but something of the following is probably ok:

[Screenshot not preserved in the export: LastPass password generator settings]

Some sites are way behind the times and won’t accept special characters, won’t accept passwords over 8 characters long, or have other bizarre password requirements (American Express, I’m looking at you; although this may have been fixed since the article was written). If you run into sites like that, you may have to modify the password settings.
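If you would rather see what “generate a secure password” and “modify the password settings” amount to underneath, here is a small Python generator added as an example (it is not LastPass’s code, and the symbol set and defaults are assumptions). It draws from the operating system’s CSPRNG via `secrets`, guarantees at least one character from each enabled class, and reports how many bits of guessing space a given setting buys, so you can see what an 8-character, letters-and-digits-only site actually costs you.

```python
import math
import secrets
import string

# Assumed default symbol set for the example; sites that reject symbols can turn it off.
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{}"


def _classes(use_digits, use_symbols, symbols):
    """The character classes the password must draw from, given the site's rules."""
    classes = [string.ascii_lowercase, string.ascii_uppercase]
    if use_digits:
        classes.append(string.digits)
    if use_symbols:
        classes.append(symbols)
    return classes


def generate_password(length=20, *, use_digits=True, use_symbols=True,
                      symbols=DEFAULT_SYMBOLS):
    """Random password from the OS CSPRNG containing at least one character of every
    enabled class. Rejection sampling keeps the draw uniform over passwords that meet
    the rule, rather than forcing fixed positions that an attacker could predict."""
    classes = _classes(use_digits, use_symbols, symbols)
    if length < len(classes):
        raise ValueError("length too short to include every required character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length=20, *, use_digits=True, use_symbols=True,
                 symbols=DEFAULT_SYMBOLS):
    """Upper bound on the guessing space in bits: length * log2(alphabet size).
    The per-class requirement removes a tiny fraction of that space."""
    alphabet_size = sum(len(c) for c in _classes(use_digits, use_symbols, symbols))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("default setting:", generate_password(), f"~{entropy_bits():.0f} bits")
    print("8 chars, no symbols:", generate_password(8, use_symbols=False),
          f"~{entropy_bits(8, use_symbols=False):.0f} bits")
```

Against the 500-million-guesses-per-second rate quoted earlier, the difference between the two settings is the whole story: the legacy 8-character alphanumeric password lives in a space a single machine can exhaust offline, while the 20-character default does not.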

As you change passwords, you may need to re-enter the passwords on your mobile devices. For instance, if you have an Android phone tied to your Google Account, then your Android will ask you for the new password to your Google Account when you change it. Same with Facebook apps, etc. Keep this in mind before you use a 150 character password like I did on LinkedIn, and now simply don’t have the patience to enter that in on my phone on the LinkedIn app.

Don’t attempt to sit down and change all of your passwords in one hour. Take some time to do it – but make sure you get it done. Slower is better than never. I don’t think many of us would get excited at the prospect of spending several hours just changing passwords. Also, as you change passwords, make sure you tell LastPass to get rid of the old password so you don’t get confused later on as to which password is the correct one for Gmail, Facebook, etc.

While you’re at it, remember what I said about the same passwords for sites you don’t care about? Well, if it is this easy to use different passwords… why not take an extra second and use different passwords? It can only help in the long run.

LastPass also has a “Secure Note” tool which lets you input some important details in a note format for future reference. Say, for example, your social security number, checking account number, the name you used to answer “What is your mother’s maiden name?” question on websites (some other day I might write a post that explains this, but don’t use your mother’s real maiden name. Especially if she’s on Facebook, where chances are she put her maiden name in her Facebook account name to help old friends find her.)

Finally, there are a few LastPass password security settings you can enable as well, if you want to. For example, LastPass allows you to use two factor authentication via Google. Or, you can require that you enter your LastPass password every time you need to access a password stored in your vault. These are trade-offs in respect to time, hassle, and real or perceived security benefits. You will have to make a decision on whether you use those features or not. Make sure you understand them before you turn them on.

Done?

If so, congratulations. Stick with it, and it becomes second nature to not enter the same password. There are a few cases where it becomes a little annoying to deal with, but the small hassle is worth it in my opinion. Just be careful with your LastPass master password, as that holds the keys to everything else. If you let that be compromised, then you have a bigger password security issue on hand.

January 2015 update: LastPass also offers multi-factor authentication now. Great to use in conjunction with Authy on your smartphone.