Print Issue: January 2017
Treat your passwords like your underwear: make them exotic, keep them to yourself, and change them from time to time. That’s the memorable approach that Cisco Chief Privacy Officer Michelle Dennedy takes to creating strong passwords.
But sadly, most people do not put that much effort into crafting passwords for their online accounts, and this can have dire consequences for corporations. In 2015, 63 percent of confirmed data breaches involved leveraging weak, default, or stolen passwords, according to the 2016 Verizon Data Breach Incident Report.
“The capture and/or reuse of credentials is used in numerous incident classification patterns,” the report explained. “It is used in highly targeted attacks, as well as in opportunistic malware infections. It is in the standard toolkit of organized criminal groups and state-affiliated attackers alike.”
The use of stolen, weak, or default credentials in breaches is not a new trend. In 2015, attackers who used stolen credentials in breaches predominantly used them to steal more credentials (1,095 instances), export data using malware (1,031 instances), and to conduct phishing (847 instances), among other threat actions, according to the Verizon report.
“We are realists here, we know that implementation of multi-factor authentication is not easy,” the report said. “We know that a standard username and password combo may very well be enough to protect your fantasy football league. We also know that implementation of stronger authentication mechanisms is a bar raise, not a panacea.”
But just what should those stronger authentication mechanisms be? What approach should you take to make your passwords stronger in 2017?
Make them exotic. Creating an exotic password can mean something different, depending on who you’re talking to. For Dennedy, having an exotic password means creating a password with different characters that’s not a dictionary word. For instance, pick a favorite book and use the first letters of the first paragraphs of various chapters in that book to create a password.
“And have some special characters thrown in there,” Dennedy explains. “That’s a great formula, and you don’t have to remember anything more than the book.”
Or, exotic passwords can be developed from a pattern that is specific to a particular website. “So having something that reminds you of your shopping list site and then adding on your special paragraph pattern,” Dennedy says. “These are tricks that can make your password exotic enough that it’s not guessable, and yet memorable enough that you actually get use out of it, rather than having to change your password every time because you’ve forgotten it.”
Another option is to go for length, says Lance Cottrell, chief scientist for Ntrepid’s Passages. “It used to be that if you had an eight-character password, that would be enough, they are not going to be able to guess your password,” he explains. “But realistically these days, that’s not true. They are able to get through much longer passwords, particularly if you’re not using the full breadth of characters available to you.”
Instead, users should aim for at least 20 characters and use upper case and lower case letters, numbers, and emojis—if that’s an option.
“You just can’t beat length; the longer your password is, the better off you are,” Cottrell says, adding that 20 characters is long enough because it’s well outside the realm of brute force attack ability, while remaining manageable to type when you need to type it.
However, Cottrell says he doesn’t type his passwords very often anymore, something he sees as key to creating strong passwords. “People are still in this mindset of ‘I’m going to make up this password and remember and then type them in from memory,’” he explains. “My general rule of thumb is a password that you can remember is probably too simple.”
That’s because “memory-based” solutions violate what Cottrell thinks of as the prime directive of password security: never reuse passwords.
“There should never be two websites with the same password from you,” he says. “Because it’s easy to guess your username; it’s probably your name or more often your email address. So if I steal your password on one website, I’m going to try that email address and password on every other website I know of. I’m going to hack it off of some website you don’t care about, and then try it on your bank and every bank out there just to see whether it will work.”
Instead of using a memory-based solution for his passwords, Cottrell uses a password management application to keep track of the passwords for his hundreds of online accounts created over the years. This application then syncs with his devices, such as his iPhone and iMac, so he doesn’t have to remember them.
“If there’s one practice that I could say, ‘Go do this thing and it will make your security better,’ it’s to start using a password manager application,” he says, adding that he uses the application 1Password to keep track of his.
Like most password management applications, 1Password allows you to create a login and then save all of your passwords for your online accounts to the site. It then encrypts your data, securing it from potential hackers who might try to gain access to the site to steal your credentials.
“I have one really good password for that vault,” Cottrell says. “I have one really big, long passphrase that I have memorized that unlocks that, and then that gives me access to everything else.”
While you can add passwords you’ve created to the password management application, you can also choose to have it automatically generate a password to your specifications—such as 20 characters in length—to give you completely random passwords for all of your online accounts.
One downside of password management applications, however, is that they can be inconvenient to use, which is one reason Dennedy adopted the practice and then gave it up. “I’ve tried them and I’ve made the super password easy enough that I’m not inconvenienced, and that makes me nervous,” she says, adding that she’s had trouble finding a solution that scales across all the places she needs to be, especially when traveling.
“My job is weird; no two days are the same and I’m doing planes, trains, and automobiles, so if my login fails, that’s a real pain,” Dennedy explains.
Keep them to yourself. Many users have been there before. They have access to a corporate account, such as a Twitter account, and another employee needs access to it. So, they email the other employee the credential. While that might be an efficient way to share access, it is not a secure one and should be avoided if at all possible, Cottrell says.
Instead, if you’re sharing an account, make sure the password is strong—exotic, long, and possibly generated by a password management application. Also, make sure that you’re not sharing it through email.
“Even sending it through a text message is better than sending an email,” Cottrell says. “Send it in a path that avoids email and using the computer…as that makes it much more difficult for an attacker to make use of it. An actual physical note with the password on it, that’s shredded later, is going to be even better.”
Also, when it comes to passwords, make sure you’re not giving information away on social media sites that could be used to compromise your password hint questions, which are often a fixed set of questions with information that’s easily discoverable.
“Don’t put as your security question the name of your real dog,” Dennedy says. “It’s okay to lie there.”
Instead, make up an answer, such as the name of a dog you don’t own, for your security question. To keep track of these answers, you can set up a list in most password management applications to store them. This way, you don’t have to remember what your lie on your security question was, Cottrell says.
“So if the security question says ‘Where did you go to high school?’ Put in something like Richard Nixon High School or a Lord of the Rings reference,” he adds. “Anything you want can go in those slots, and then just add them to the notes section of your password management app.”
Change them. When it comes to changing your password, how often is too often? And does changing your password regularly make it less secure?
The answer is complex. U.S. Federal Trade Commission (FTC) Chief Technologist Lorrie Cranor made headlines in 2016 when she suggested that companies rethink mandatory password changes for employees.
“There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily,” Cranor wrote in a blog post. “Unless there is a reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good.”
This is why all organizations should consider their risk profile and the security benefits and drawbacks of having employees frequently change their passwords, Cranor added in her post.
“Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely,” she explained. “Encouraging users to make the effort to create a strong password that they will be able to use for a long time may be a better approach for many organizations, especially combined with slow hash functions, well-chosen salt, limiting login attempts, and password length and complexity requirements.”
A cryptographic hash function takes a message (your password) and computes a fixed-length alphanumeric string from it, called the hash value. For password storage, the system keeps that hash value instead of the original password, so that an attacker who obtains the stored data still does not have the password itself.
Slow hashes are designed to be deliberately expensive to compute, making it harder to crack a password once its hash has been exposed, because every guess costs the attacker the same work. Organizations can also use a salt, a random value combined with each password before hashing, so that identical passwords produce different hash values and a precomputed dictionary of hashes cannot be reused across accounts.
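As an added example (not code from the article or from any product it mentions), the storage-side controls Cranor lists, written in Python with only the standard library: a slow hash (PBKDF2-HMAC-SHA256) over a random per-password salt, constant-time verification, and a per-account limit on failed login attempts. The iteration count, lockout threshold and the two demo users are assumed values chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor: tune so one hash costs roughly 100 ms on the login server.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5

def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    # Fresh random salt per password: identical passwords yield different records,
    # so a precomputed dictionary (rainbow table) cannot be reused across accounts.
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the slow hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

class LoginGuard:
    """Limit online guessing: lock an account after MAX_FAILED_ATTEMPTS failures."""

    def __init__(self, records):
        self.records = records      # username -> stored hash record
        self.failures = {}          # username -> consecutive failed attempts

    def login(self, username, password):
        if self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        stored = self.records.get(username)
        if stored is not None and verify_password(password, stored):
            self.failures[username] = 0   # success resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"

# Constructed demo data: two users who chose the same passphrase get different records.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
}
```

The lockout counter here lives in memory only; a real deployment persists it and also rate-limits by source address, since per-account locking alone lets an attacker lock users out deliberately.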
Cranor makes a valid argument, Dennedy says, but only if you don’t follow all of Dennedy’s prescriptions—exotic, secret, and changed often.
“So if you’re changing passwords often ... between ‘1234567’ and ‘ABCDEFG,’ you’re still going to have an incredibly weak system,” she explains. “People who change passwords frequently have trouble remembering them, so they do a lot of password recycling.”
And from a corporate security standpoint, having employees regularly change passwords is a good idea because it shrinks the window of opportunity for hackers to use stolen credentials to access corporate networks.
“It’s a real plus in reminding people what’s important [data] and it’s also helpful in that brute force attacks are quite brutal these days with computer power as strong as it is today, so even if you have a semi-exotic password and it’s static over a period of time, it’s that much easier to put the combination together,” Dennedy says. (The FTC did not return requests for comment on this article.)
But while developing good password habits can help increase security, it’s not a silver-bullet solution.
“If someone can hack the computer itself, they can probably get access to all of the passwords,” Cottrell says. “So no matter how good your password hygiene is, it’s no better than the security of the device you’re typing it into.”