Asia Pacific - Passwords: You Think You Know. But Do You?
Legal News & Analysis - Asia Pacific - Cybersecurity
13 October, 2016
It’s simple advice: have strong passwords. The fundamentals are baked in to most password-requiring websites, through the stipulation for upper- and lower-case characters, numbers, special characters and a minimum length. Most people think they know everything there is about it. But there’s actually a lot more to it.
Lesson 1: Longer passwords are harder to crack and can still be easy to memorize.
A common minimum character length is eight characters. But the time it takes to perform a brute force attack, meaning trying all possible keystroke combinations until landing on yours, is within easy reach of determined attackers and state agencies. A 10-character password, even one using only upper case and lower case characters, significantly raises the brute-force attack timeline. For every character you add, you’re exponentially increasing the difficulty.
These longer passwords can be easy to memorize, too. Although you should avoid choosing famous quotes or lyrics like “ican’tgetnosatisfaction,” you can use a string of words that have meaning to you, but little logical meaning to others. For example, chairpinkauthorocean or tomatojacketstarwindow.
Lesson 2: Length and complexity don’t matter, if you use the same passwords everywhere.
Most websites requiring a log-in appear secure. Their URLs often start with https or the browser shows a padlock in the address bar, meaning they encrypt the flow of information. But still, implementation flaws, lack of patching, improper configuration, and human error may compromise the security of your data, including your password. Every day, sites are breached and users’ credentials are exposed. So if your super secure password is revealed, all other
accounts that use the same credentials are also at risk.
While it’s not possible to fully assess the security of a website just by using it, there are some processes that may reveal poor security practices. For example, when you forget a password, and the website sends you your password in plain text, the site is not storing your password in the most secure way. A secure website should be scrambling your password on their servers so it’s unintelligible, both to themselves and to hackers.
Lesson 3: Not all security questions are created equal.
Some security questions are downright bad. A perfect example is: What was your first car? First, there’s a limited universe of answers. Second, most people didn’t have Porsches. They had a Ford Escort or a Ford Focus, or some other affordable car. In addition, many times the answers to these kinds of questions are public information or well-known in friend circles. Think critically about your security questions and answers before relying on them to keep your data secure.
Lesson 4: Don’t let password managers autofill your passwords.
Password managers store complex passwords and many autofill the user name and password fields for you. But if an attacker can spoof a website well enough, the password manager runs the risk of being fooled into auto-filling your credentials right into the hands of a criminal. To protect yourself, don’t sign on for auto-fill, or, even better, don’t store your full passwords with password managers. Add a few characters to your passwords that you’ll remember that you’ll actually type in. Then even if the password manager is breached or autofills your credentials, still no one will have access to your sensitive information.
Lesson 5: Consider using different email accounts for each site.
This requires you to have your own domain so you can make an unlimited number of email addresses. For example, you could have your Linkedin email be firstname.lastname@example.org. Therefore, if there is ever a breach, your compromised email isn’t used anywhere else and brute force attacks using that email will fail everywhere else.
Lesson 6: Choose your authentication factors wisely.
Multi-factor authentication specifically means you have a combination of something you know, something you have, or something you are. But many implementations of multi-factor only involve something you know. For example, you know your password. Often the second factor used is email. People believe they “have” their email, but the fact is email ownership is based on credentials, which is something you know. SMS messages as a second factor can also be something you know rather than something you have. For example, if your SMS messages are directed to a virtual phone, such as Google voice, the second authentication factor is again based on the credentials to the Google voice account.
The saying goes, “You don’t have to run faster than the bear. You just have to run faster than the slowest guy running from the bear.” The same advice can apply to credential management. You might not take all of my advice, but what you do take will lower your risk of being easy prey to a cyber attack.
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg