Wednesday, December 7, 2016

Account Security Risks and Reasons to Use a Password Manager and 2FA

Scope Of This Post and Some Basic Recommendations

I consider switching to using a password manager to be one of my best life decisions in terms of costs and benefits.  The security and convenience benefits are immense, and the costs (setup effort) are small.  Yes, using a password manager made managing and logging in to my accounts much easier, faster, and less stressful, but this post will focus on security issues.  My thanks to Troy Hunt for influencing me to make the plunge.

Without a password manager, it borders on impossible for a human to do passwords correctly.  By "do passwords correctly", I mean having strong, unique passwords for all of your accounts.  To illustrate why it is good to have strong, unique passwords, I will go over several of the account security risks most humans face, with special emphasis on passwords.  Maybe this will directly persuade some people to start using a password manager, but also it will establish some background for another post that will discuss why password managers are big security improvement over the alternatives and are overall the best choice.

For generating strong passwords (with the goal of surviving offline attacks), I recommend:
  • For passwords you want to remember, such as your Google password and master password: choose 6 random words from the Diceware word list (pdf).
  • For passwords managed by your password manager (you don't have to remember them and it's very rare to actually type them): have your password manager randomly generate at least 16 random lower case letters, upper case letters, and digits.

Also, I highly recommend enabling 2FA on all of your accounts of even mild worth.  A very common form of 2FA is that when logging in from an unrecognized device, the login attempt will also require a verification code sent to the account's associated email or phone.  This additional layer of defense may protect you even when bad people know your password, and 2FA is only a minor and rare inconvenience.

Risks from Password Reuse

Imagine that you use the same password for your bank and LinkedIn account.  One day, LinkedIn gets hacked, and your LinkedIn password is now in the hands of bad people.  Perhaps you don't care very much about your LinkedIn account, but the bad people use your personal information and LinkedIn password to log into your bank account, which you probably do care a lot about.  Or maybe you're a Dropbox employee and bad people use your LinkedIn password on your Dropbox employee account to get onto the Dropbox corporate network and get their hands on more sensitive databases.

I consider this the biggest risk for most people because:
  • Humans reusing passwords is very common, and bad people rely on this.
  • The risk remains, perhaps unknown to you for a long time.  Once one account provider is hacked and one of your passwords is out there, it's out there forever.  Your hacked password will always be in password dictionaries that bad people will use when guessing passwords.
  • You have a weakest-link-in-the-chain effect.  It only takes one security vulnerability at any of your shared-password accounts to put all of those accounts in jeopardy.
  • Many security precautions are defeated by the bad people using your password on the very first try.  It doesn't matter if your bank is unhackable and they rate-limit login attempts if the bad people already know your bank password from LinkedIn.  If you're lucky, you have 2FA with your bank and the bad people can't log in from an unrecognized device.  Even 2FA can be defeated if your associated email account has been compromised (perhaps aided by password reuse?).
Many bad people are smart, or at least use smart tools.  A bad person knowing one of your passwords is now much closer to guessing similar passwords of yours.  I know friends who use a password scheme where the combine some word with the name of the service, like using "amazondaisy" for their Amazon account and "yahoodaisy" for their Yahoo account.  Even if a password scheme is more sophisticated than that, it still makes bad people's job much, much easier, and I still consider that as password reuse.

Note that a website getting hacked is just one of many ways that bad people can get one of your passwords.  Password reuse increases the probability and magnitude of damage from all the types of attacks by bad people.

So, this section is a bit different in that its focus is on the implications of something account users do, rather than describing particular attacks from bad people.  I give password reuse it's own specific section because it is so damaging to account security, and it leads to a very simple recommendation: use unique passwords for your accounts.

When reading sections below on risks, remember that password reuse magnifies the damage/likelihood and 2FA reduces the damage.

Phishing

Phishing is where someone tricks you in to providing sensitive information for them, like your Yahoo username and password.  Often, this is done by impersonating an acquaintance of yours or impersonating an account provider.  These attacks can also be part of an attempt to get you to do something (like visit a particular malicious website) that will infect your device with malware.

Malware and Exploits

If a device of yours gets infected with malware, that has many nasty consequences, including keylogging of account credentials, thus putting in jeopardy any accounts you log into using the infected device.  Malware may also extract stored credentials that are not protected by encryption.

I'm uncertain how sophisticated malware is these days with respect to extracting account credentials from things like remembered passwords in your web browser, or encrypted password database files used by password managers.

There are also vulnerabilities in software that can be exploited by bad people.  For instance, imagine a vulnerability in your web browser that a malicious website can exploit to do things to your browser/system or gain access to sensitive information.

So, malware is very scary/bad in that getting hit by malware can possibly do a lot of damage to you across many of your accounts.

Snooping/Interception

Imagine you are at a Starbucks or an airport and your device is using their wifi for internet connectivity.  If the wifi is unencrypted and bad people are listening (perhaps they left a small wifi snooping device there), they can see all of your traffic.  If you log in to a site over http, bad people will be able to see your password.  Even if the website remembers you and you don't have to log in, it is still possible for people to hijack your session (if it's using http) and communicate with that website as if they were you (one, two, three).

A lot more could be said about public wifi (or any potentially untrustworthy network), and I won't say more than try to use https (which provides encryption and authentication) as much as possible.

Like phishing and malware, snooping/interception is an attack where password strength does not help you because the bad people don't have to guess it.

Offline Guessing Attack (Account Provider Hacked, Bad People Get User Database)

This attack is where the bad people have somehow hacked your account provider and the bad people now have the provider's user database with password info.  It's possible for such a breach to remain unknown for a very long time.

If the user database has all the passwords in plaintext, then it doesn't matter how good your password was (but you still remember the consequences of password reuse and 2FA though, right?).

If the user database instead has hashed (and hopefully salted) passwords, then the strength of your password matters greatly.  You can read about hashed passwords here, but to put it very shortly:
  • Hashing a password transforms the password into a (big) number which we'll call a hash.
  • The reverse of this transformation is very hard to do.  The easiest way to figure out a password from the hash is to guess a password, then hash the guess and see if the two hashes match.
  • Good hashing algorithms will give very different numbers even for very similar passwords.  This property makes it so people do not get feedback on whether their guesses are close to the original password.
  • Salts make it so that the hashing process is unique to each user.  The bad person must customize his hashing for one user, and then start over from scratch when guessing passwords for another user.  Without salts, a bad person could pre-generate a bunch of guesses and hashes, and very efficiently look for matches with any user in the database.
With a database of hashed passwords in their possession, bad people are capable of a very high number of guesses per second, as in a single computer with a decent video card may be able to check tens of billions of password guesses a second.  A bad person with some affordable hardware can guess all 8 character passwords in ~5 hours (assuming each character has 95 possibilities).  It's possible that the guesses per second is slowed down by things like key stretching, but you might be horrified about how frequently account providers do not follow best security practices.  For perspective, 90% of the 6.5 million LinkedIn password hashes were cracked in 6 days.

Not only can bad people make password guesses very quickly, they can also make them very smartly (one, two, three, four, five).  I find that most people and even several security experts underestimate the sophistication of password cracking tools.  If you have a password generation trick, like changing a letter to a digit or rotating a word, that is entirely anticipated by password crackers.  If your trick is ten times smarter/better than that trick, it's still probably anticipated by password crackers.  Even a ridiculously long password that relies on some pattern or known phrase can be defeated by the sophistication of password cracking tools, such as the 42 character long "MrobidAngel_90MrobidAngel_90MrobidAngel_90" or "sonsofanarchymotorcycleclubredwoodoriginal".

Think very seriously for a moment: if someone had presented you those two passwords and asked whether you think their password tricks were good enough to stand up to a password cracker for a long enough time, what would you have said?  Perhaps it is hard to have an accurate gut feeling about the current state of the art of password crackers.

Things might seem hopeless with 42 character passwords being cracked, but the problem is they lacked entropy (randomness).  Humans are really bad at randomness; you need to rely on a computer to help generate sufficiently random passwords.  A future post will go into more detail, but I suggest the password generation methods at the post of this post.

Online Guessing Attack (Bad People Repeatedly Try Logging In As You)

This attack is where bad people don't know your password yet, and they try logging in as you with your account provider with different password guesses.  Since each attempt requires a response from the account provider over the internet, the password guessing process is orders of magnitude slower than an offline guessing attack.  The account provider can take security precautions like rate-limiting login attempts or even locking out accounts with suspiciously high amounts of recent failed logins, but these precautions are not always done.

Like the offline guessing attack, password strength matters, but the password does not have to be nearly as strong to withstand the same level of malicious effort due to reduced guessing speed.  Guesses will still be smartly chosen though.

Targeted Attack

This type of attack includes things where someone calls up the phone company pretending to be you so they can switch SIM cards and then they start receiving all your calls and texts, and then they use this ability to then further impersonate you and gain control over other things.  It might sound like something that only happens to celebrities or millionaires, but it will sound a lot more mundane and plausible once I call it "identity theft" which happens all the time to "nobodies" like Michelle Brown, where someone impersonated her to in order to spend tens of thousands of dollars and lots of other illegal things that has caused Michelle Brown a lot of suffering.


Your accounts are at risk from more than just the highly automated and mass operations of bot nets owned by the Russian mafia.  There are bad people willing to spend some effort on an opportunity to abuse your bank accounts, your credit, your identity, and so on, especially if they already have some toehold in your life like access to one of your accounts.  If you Google search for "amazon account hacked", you'll see plenty of stories of accounts being compromised because a bad person called up Amazon customer support and fooled the support people into giving the bad person access to the victim's account.

As far as passwords are concerned, you will benefit from strong passwords (that are unique! have I mentioned the perils of password reuse?) in that compromising one of your accounts is less likely, and that you are better guarded against their follow-up online guessing attacks that target you more specifically.

Also on the mundane side, this category includes your roommate or coworker finding your sticky note with a bunch of passwords on your desk, which brings up the issue of password storage.  Keep your passwords secure in an password manager, physical safe, or your wallet (yes, it's okay to have passwords in your wallet; you keep all sorts of valuable, sensitive stuff there).

Parting Thoughts

In basically all of the risks, password reuse makes things many, many times worse, and 2FA can limit damage when an attack succeeds.  Password strength only matters for some of the attacks (guessing and targeted attacks), but golly, those attacks do happen plenty.  Considering that password managers help you with both the uniqueness and the strength of your passwords, password managers can massively decrease your exposure to all of these risks.

For a vivid horror story to haunt you, let's talk about the Yahoo breach, where stuff like email addresses, hashed passwords, and security question answers for 500 million accounts were stolen in 2014...and it was two years before Yahoo found out about it (2016).  They suspect a government like Russia or China did it.

That's really serious.  What if you use your Yahoo email address when you sign up for all of your other accounts?  Many accounts give full control to reset passwords and change all sorts of security options to anyone with access to your email.  In that case, it's the ability of your hashed Yahoo password to endure 2+ years of offline guessing that is only thing standing between you and massive agony.

(Update: Yahoo has made another breach announcement that a different attack in 2013 compromised user information such as names, phone numbers, birth dates, security questions, and hashed passwords for ~1 billion accounts.  Wow, double the accounts and an additional year of going undetected.)

A future post will go more into comparing using a password manager versus alternatives, both from a security and convenience perspective.  Spoiler: using a password manager is the winner in both security and convenience for most people.

No comments:

Post a Comment