Passwords are a pain in the a$$. In fact, in an interview with The Wall Street Journal, Fernando Corbató, now 91 years old and the inventor of the password back in the 60s, said that passwords have become “kind of a nightmare”.
The Plague: Someone didn’t bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and…
Margo: [glares at The Plague]
The Plague: …god. So, would your holiness care to change her password?
From the film Hackers – 1995
I don’t know how true that list actually is for 1995. Seems rather simple now, doesn’t it? Love, sex, secret and god. Amazingly, the word “password” didn’t make the list. It must have been too long for the 1990s brain. Allow me to update you as of 2017 with the top 10 passwords. If your password is in this list, you know what to do. Here we go:
1. 123456 (Unchanged)
2. Password (Unchanged)
3. 12345678 (Up 1)
4. qwerty (Up 2)
5. 12345 (Down 2)
6. 123456789 (New)
7. letmein (New)
8. 1234567 (Unchanged)
9. football (Down 4)
10. iloveyou (New)
Some new and notable entries that didn’t make the top 10 but did make the top 25 were “starwars” at number 16 and “freedom” at 22. Even more fun is “passw0rd” at 19. A rather large number of people thought changing that letter o to the number 0 was a crackerjack defensive move.
SplashData, who creates this list every year, estimates almost 10% of all people have a password in the top 25. 3% have the password 123456 somewhere in their world. PIN numbers count.
What surprises me is that there are still accounts out there that allow such simple passwords to even exist, so we can only assume that many of these passwords are a part of legacy account creation, like really old Yahoo email accounts from a bygone era where you could use just about anything as a password.
We all know that isn’t the case now, to a fault. A typical account creation or password replacement process often requires you to include at least one uppercase, one lowercase, one number and one “special” character like %$*! or any of the traditional cartoon swear word characters, which seems quite fitting considering that’s the general reaction to having to concoct some sort of memorable pattern or word which complies with such a ridiculous requirement, like P@$$w0rd!. By the way, the exclamation point at the end of the word is the most common special character addition, so if you thought that was clever…
The current state of the internet wasn’t quite a consideration when passwords first started. Nowadays the average internet user can have upwards of 100-150 different accounts across multiple services. You might be thinking… not me! When was the last time you actually tallied up all your online identities? You might be surprised. Each service now puts password restrictions in place specifically to force you away from that top 10 list above, while ensuring that you’ll probably forget what your password is… unless… you have a system. A clever system!
Typically our clever system involves taking those exact words above and capitalising the first letter and then replacing some of the characters with either their number or special character equivalent like a = @ or 4, s = $, o = 0, e = 3, l = 1. The list isn’t that long and is extremely predictable. Another popular technique to make a password memorable but compliant with the minimum password requirement is to add the year. Password2017! Or perhaps P@ssword2017! Super cyber secure!
(By the way, I’m not getting into PIN numbers here, but it’s worth mentioning that if you have a PIN that starts with either 19 or 20 (modern birthdates) you’re probably in the top 25 PINs and it’s worth a rethink.)
The final straw in enforced “security” that frankly makes my blood steam a little is when your workplace forces you to change your password every 3 months or so. Like it wasn’t hard enough to remember that password, but now you need a new one 4 times a year. To make matters worse, it remembers your old passwords and prevents you from reusing any of them. It makes sense of course, but it’s infuriating. As a result we tend to come up with another ingenious system like… adding an incrementing number. So Passw0rd becomes Passw0rd01 and then 02, 03 etc.
So what’s the big deal with passwords anyway? Why isn’t P@ssword2017 perfectly fine? It’s not in the top 100 and it’s goofy enough that somebody isn’t going to just go to yahoo.com and guess it… right? Well, that is true. The problem with easy passwords is more to do with the way they are stored and the lengths to which the internet bad guys will go to brute force guess them.
How Passwords are Stored
When you create a password for a new account, the password typically isn’t stored as plain text (that would be really bad); instead it is hashed into a bunch of gobbledygook. A common hashing method is the highly secure SHA256.
Hash algorithms are one way functions. Essentially they turn your password into a huge fixed length code of alpha-numeric junk. The point being, that bunch of junk cannot be reversed back into your password. A good hashing algorithm will also never produce a duplicate code, known as a collision. Even a tiny change will result in a completely different looking bunch of junk, so even if you had the hashes for words that look like your password, you could still never work out your password’s code from them.
The SHA256 hash code for “codifyre rocks” = 16B8089DBAF59E291D15D204BFCDA557827DDD443D69F25611F83D2E1F20988D
The SHA256 hash code for “Codifyre rocks” = 76CD3057EB05B76AAE78F66D0A6115C6A34C17F74EE2CDEB62EAD15FB1B9FC6F
A one character change from c to C yields a very different result.
Here’s a mystery SHA256 hash code: 0FD205965CE169B5C023282BB5FA2E239B6716726DB5DEFAA8CEFF225BE805DC
When you log in to a website, the back-end verification service will take your password and perform the same hashing process it did when you created your account, and then it will compare the two hash codes to see if it’s correct.
This probably all sounds safe, but getting back to the problem of using common words or systems like the one I mentioned above: there are vast databases already in existence that the bad guys use to look up hash codes like the ones above. If you want an example of how that works, check out https://crackstation.net/. This is an online service you can use to reverse engineer a hash code into a password. Try the mystery one above for a bit of fun. If you’re curious whether your password is in the bad guys’ lookup tables, you can go here to turn your password into a hash code like the one above: http://passwordsgenerator.net/sha256-hash-generator/. In fact that’s where I got the codes above. Now go to Crackstation and if it succeeds in looking it up, I highly recommend changing your password.
Modern systems do now use something called a “salt” to prevent even common passwords from falling victim to these sorts of lookups. A salt is where the account will take your chosen password, “fluffy2017!”, and add a bit of random junk to it, making it “RanDomJunkfluffy2017!”. Then it will store the salt in plain text alongside the resulting hash. It might sound confusing, but even with the hash code AND the salt you cannot reverse engineer the password, nor does the hash code appear in common lists, AND you can still log in.
The point above is that bad guys out there aren’t guessing passwords. They are using the results of data breaches (see my previous podcast). Although those may contain passwords which are very rightly stored as hashes, many of the hashes were created without a “salt”, and those can be run against a lookup table of 1000s of hashed passwords through a program like the Crackstation example in a few seconds, and every one in the top 100 will be there. Not only will they have the top 100 passwords for the past 20 years in the list, but every systematic character substitution you can think of as well. A good lookup system will also try all of the typical things like adding a year or a number to the end.
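The hashing, lookup-table and salting steps described above, as an added Python example that is not from the post or from any of the services it names. The list of common passwords is constructed from the page’s own examples, and PBKDF2-HMAC-SHA256 (salted and iterated) stands in for the single SHA256 call the text mentions, since that is the shape a password store should take:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed mini lookup table: entries from the page's top-10 list plus the
# substitution variants it describes. Real tables hold billions of precomputed hashes.
COMMON_PASSWORDS = [
    "123456", "Password", "12345678", "qwerty", "letmein", "football",
    "iloveyou", "passw0rd", "P@ssword2017!", "Passw0rd01",
]

def sha256_hex(text: str) -> str:
    """Plain, unsalted SHA-256 of a string, upper-case hex like the codes on the page."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest().upper()

def build_lookup_table(passwords) -> Dict[str, str]:
    """Precompute hash -> password once; afterwards 'cracking' an unsalted hash is a dict lookup."""
    return {sha256_hex(p): p for p in passwords}

def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """What a Crackstation-style service does: return the password if its hash is known."""
    return table.get(stored_hash.upper())

def hash_with_salt(password: str, salt: Optional[bytes] = None,
                   iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. PBKDF2-HMAC-SHA256 from the standard library is used here
    in place of a single SHA-256 call (an assumption about the storage scheme, not the
    page's own). The random salt is stored in the clear next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify(password: str, salt: bytes, stored_digest: bytes,
           iterations: int = 100_000) -> bool:
    """Login check: re-run the identical hashing with the stored salt and compare
    in constant time, so timing does not leak how many bytes matched."""
    _, candidate = hash_with_salt(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)

def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    # One-character change ("c" -> "C") flips most of the digest, as on the page.
    a, b = sha256_hex("codifyre rocks"), sha256_hex("Codifyre rocks")
    differing = sum(1 for x, y in zip(a, b) if x != y)
    # Unsalted: the "clever" password is recovered instantly from the table.
    recovered = lookup(sha256_hex("P@ssword2017!"), table)
    # Salted: same password, two users, two different digests, neither in the table.
    salt1, d1 = hash_with_salt("P@ssword2017!")
    salt2, d2 = hash_with_salt("P@ssword2017!")
    return {
        "hex_chars_differing": differing,
        "unsalted_recovered": recovered,
        "salted_in_table": d1.hex().upper() in table,
        "salted_digests_equal": d1 == d2,
        "login_ok": verify("P@ssword2017!", salt1, d1),
        "login_wrong_case": verify("p@ssword2017!", salt1, d1),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```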
It’s a good idea to look at a password a bit like a key to your house. We don’t trust people so we lock the door. We don’t use the same key for every single door we own, and gone are the days of locks that can be picked or keys duplicated easily. Of course I say that and yet I live in the United Kingdom where it still seems like a large percentage of the keys here are still those skeleton key type things so… maybe we’re not as modern as we should be.
Typically though we provide good security for our most valued possessions. In many cases we provide a multi-factor defence. We might have an alarm system or perhaps some kind of camera system. That same thing should apply to our online presence.
Is there such a thing as a good password anymore? It’s hard to tell as time seems to render all good ideas inert. At the moment the consensus seems to be trending towards a passphrase. That’s a bit of a misnomer as it is specifically not intended to make any sense. It comes down to a series of about 4 to 6 words that don’t make any contextual sense. An example would be
chocolate paper wagon helicopter sword bacon
While some of these words might exist in the password lookup tables, hashes are created on the whole thing, making this, from the perspective of it just being a sequence of characters, quite unique. It is easily memorable to humans but difficult to guess for a machine. Some people even create acronyms to make it easier. For example, if I were to be a big fan of bacon (hypothetical of course) my passphrase might be
bear asks cattle over night
Bizarre enough to remember and should I stumble, the word bacon is a reminder. Easy.
There is a problem though. Many astute password checking systems still insist that you have a symbol, a number, a capital and so on and so on, turning your life back into a tiny bit of password hell. Some don’t allow spaces in the password! What can be useful in these circumstances is to try the same idea but add some stock junk at the end, and it’s still far more secure than what the world is currently doing.
bear asks cattle over night
Bear acquires C4 over night!
That might not be the best password in the USA unless you want Homeland knocking on your door asking who “the bear” is and what they’re planning with the C4. You get the idea though. It’s pretty easy to remember and that certainly won’t be guessable or present in any common password lookup.
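Why a few random words beat a “system” password like P@ssword2017!, worked through as an added Python example (not from the post). The size figures are assumptions: a 7776-word list as used by Diceware-style generators, 95 printable ASCII characters, and an estimated 100 words × 16 substitution patterns × 100 years × 10 trailing symbols for the substitution-plus-year habit the post describes:

```python
import math
import secrets

# Assumed sizes for the comparison; they are estimates, not measurements.
DICEWARE_LIST_SIZE = 7776      # words in a standard Diceware-style list
PRINTABLE_ASCII = 95           # alphabet of a random 8-character password
# A "system" password such as P@ssword2017!: a word from a top-100 list, one of
# ~16 letter-substitution patterns (a->@, s->$, o->0 ...), a year from a 100-year
# range and one of ~10 trailing symbols. A cracker enumerates the pattern, not the letters.
SYSTEM_PASSWORD_CHOICES = 100 * 16 * 100 * 10

def entropy_bits(choices: int) -> float:
    """Bits of entropy for a secret drawn uniformly from `choices` possibilities."""
    return math.log2(choices)

def passphrase_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Each word is an independent uniform pick, so entropy adds up per word."""
    return words * entropy_bits(list_size)

def random_string_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Same rule for a random character string: bits per character times length."""
    return length * entropy_bits(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every possibility at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def generate_passphrase(wordlist, words: int = 5) -> str:
    """Pick words with the `secrets` CSPRNG. Strength is log2(len(wordlist)) per word,
    so a hand-picked or short list gives far less than the figures above."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

def compare() -> dict:
    """Entropy, in bits, of the three styles discussed on the page."""
    return {
        "system password (P@ssword2017! style)": entropy_bits(SYSTEM_PASSWORD_CHOICES),
        "random 8 printable characters": random_string_bits(8),
        "5 random Diceware words": passphrase_bits(5),
    }

if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label}: {bits:.1f} bits, ~{years_to_exhaust(bits):.2e} years to exhaust")
    # Constructed six-word list from the page's example; real lists are far longer.
    print(generate_passphrase(["chocolate", "paper", "wagon", "helicopter", "sword", "bacon"]))
```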
Let Facebook Handle It?
Let’s assume you’ve changed your Facebook password to something smart now. There is another conundrum that services like Facebook, Twitter, and Google present to us fairly regularly and that is something called Single Sign On or SSO. Many services, Spotify is a good example, offer you the opportunity to use one of these services as a way to sign into and create an account for their service.
I asked myself whether this was a good idea or a terrible idea. For starters, if I didn’t have a sexy new password technique like we just discussed, and somebody could gain access to my Facebook and could change my password and lock me out, they would then also have access to everything I used Facebook to log into! What’s worse is that Facebook has a tendency on your mobile phone or your desktop computer, to stay logged in for long periods of time. I know so many people who have been fraped (a fairly vulgar term for when your “friends” find your phone unlocked and post embarrassing Facebook messages as you). All it would take is somebody who wasn’t so nice to actually use that opportunity to change your password. They could even leave your Facebook logged in on your device so that you’d still not realise it had happened until Facebook logged you out. That could be quite a long time while they used your account details to explore or exploit your life.
There’s another potential hazard to using a single sign on mechanism, and that is the implied connectivity between the new service and Facebook. Many services just throw up a list of permissions they “require” to operate, like your contacts list. Some go a bit over the top with what they ask for and we as users tend not to monitor what that is. In the last podcast about Data Breaches I revealed that the number one source of data leakage is actually us, and this is an example of how we just give away personal data thoughtlessly without consideration for where it’s going and what it’s used for.
Check out this path in your Facebook settings, https://www.facebook.com/settings?tab=applications, and you’ll find a list of applications using Facebook to log in. I was pretty surprised as some of the application permissions I had given were for applications that I don’t even remember ever using. It’s worth having a good clear out.
Playing devil’s advocate, it is worth mentioning that single sign on services like those Facebook and Google offer are pretty handy. It means only knowing one password instead of 100s, so if this is something you think might be a good idea, I would recommend using Twitter as a single sign on instead of Facebook or Google.
Even if you don’t have a Twitter account but you want a service that provides a single sign on, I’d recommend creating a Twitter account. Not only is Twitter kind of a fun personal news feed that isn’t as cluttered as Facebook, it’s simple. Twitter doesn’t require that much information, and if you are an active Twitter user, or Tweeter, all posts are already publicly viewable so you aren’t going to accidentally give another service access to personal information. It’s the safest option IF… you like going that route. But there is a better alternative.
You may have heard of something called Password Managers. There are many on the market. SplashData, who release the top 25 passwords each year, is an example of one. There is also Dashlane and LastPass among many other options. I haven’t tried them all but I have had personal experience with both Dashlane and LastPass and they are very similar. My preference is for LastPass for a very simple reason which I’ll expand on shortly.
I’ll first explain the point of all of these managers. What they do is store your passwords in a vault which is protected by a master password. It sounds sort of dangerous but actually it’s pretty handy. My master password for LastPass is one like I discussed previously. It’s a long series of easy to remember words that really make no sense. So much so that I find it very easy to remember because of their obscurity.
The reason I chose LastPass over Dashlane is because, at the time, Dashlane insisted on the old password system with symbols and capitals etc. Its restrictions for a master password prevented me from creating a properly secure password, which I thought was a bit backward for a tool or company which should be cutting edge when it comes to passwords.
After establishing the master password, the service provides a browser extension. Going forward, when you create a new account or change your account password it can auto-generate a ridiculously complex password and store it away in your vault for the next time you log in.
The advantage is, you retain control over your data and your login. You can access the vault using your master password to grab any password, and you can do that without ever displaying them on the screen, maintaining a level of intentional ignorance should you be in a public place.
Two questions might come to mind now.
The first being… but when I log into something my browser asks if it should save the password for me?
The second… what if LastPass gets hacked, doesn’t somebody then get all my passwords?
Browser Based Password Managers (also suck)
Letting a browser store your passwords is a bad idea. Browsers have been notoriously bad at storing passwords safely. Additionally, if you happen to be hit with some form of malware, it has a tendency to go straight for the browser passwords and send them off to malicious actors. Malware can arrive in the form of a browser extension itself which, a bit like when you allow 3rd party applications to see your Facebook data, can be quite dangerous. Finally, there are already adware scripts that appear in the sidebars of current websites that employ a crafty tactic of scraping your email address from login forms and sending it off to be included in marketing mailing lists. It’s already been proven that the same thing can be done for your passwords. They do this by embedding an invisible, hidden login form into a normal page. The browser based password managers just auto-fill the form even though it’s invisible and presto, the malicious script is sending your details away. A proper password manager is smart enough not to fill in the invisible forms.
I have a plan for a podcast in the near future focusing on just how powerful our internet browser is. That leads me to the next question.
If your password manager software company gets hacked… will all your passwords still be safe? Likely yes. Unlike your browser, or your own personal ability to remain safe from malware, a password manager company has a professional incentive (it’s their core competency to protect your passwords) to have the highest possible security. Even in the instance where some form of threat can access the data, the level of encryption and methods used to store that data means that 3rd parties cannot do anything useful with it.
LastPass (among others) has been hacked! The reality of the internet today is that it’s impossible, if you are a high value target, to be 100% unhackable. It’s how you prepare for such an attack which decides whether the attackers can do anything with the results. While LastPass did prompt users to change their master passwords, it was also largely considered that the data was very securely hashed and none of it could be used against us. That is why I felt more confident in a password manager and not less. Security researchers tend to agree that password managers are far more secure than your average human at maintaining our password inventory.
Let’s say you’ve taken all this advice and you’ve got a password manager for most situations, you’re using modern sexy passwords that are easy for humans and difficult for machines to guess and you don’t let your browser remember anything for you. How can you be better?
Let’s talk about authentication on the whole. Most mobiles use fingerprint recognition tech as well as facial recognition now. Some workplaces will give you a small device or sometimes a special application for your mobile which produces a unique code as part of a login process, some systems will send you a text message.
Each of these authentication methods comes down to one of three characteristics.
Something you know (eg. a password)
Something you have (eg. your phone)
Something you are (eg. your fingerprint)
For mission critical login situations (which some would argue is all situations) you should have enabled something called 2FA or MFA, which stands for 2-Factor Authentication or Multi-Factor Authentication respectively. What that means is that a password alone isn’t enough. Google often implements 2FA using a text message to your mobile phone after you log in. You enter a 5 or 6 digit code and you get access to Google. That’s a smart setup because Google, like Facebook, can be a bit too flexible on remembering you and allowing you to just log in.
There is a critical flaw to the text message, or any 2 factor authentication that uses your mobile phone. It does work if you’re accessing a service via a laptop, but if you are using your phone to access the particular service in the first place, sending a message to the same phone isn’t really 2 factor. The “Something you have” is already in the wrong hands so they are really just verifying the status quo.
I mentioned also a special application for your mobile which produces a unique code. Google Authenticator and LastPass Authenticator are two such applications. A security company called Okta also makes a similar application. While convenient, there is again a flaw in that if the service is being accessed via the mobile phone it seems redundant for a mobile phone application to act as the 2 Factor Authenticator, although it is useful for services which you access via a laptop browser only.
It’s probably worth mentioning that I’m assuming that everyone has a PIN activated on their mobile phone, or even better the fingerprint or facial recognition feature enabled, because that is essentially the 1st tier of security for accessing anything via your mobile.
Another major flaw in the text message 2FA method is the lack of security that mobile phone companies employ with regards to making contract changes. If I phone up a major mobile contract provider and I wanted to pretend to be you, I can often play dumb enough to get past the secret questions or get the answers to the secret questions from your social media. There is a documented 2FA attack where the attacker calls up the contract provider, let’s say Verizon or O2, and says they have a new phone and they’d like to migrate the number over to a new SIM. This will reroute the 2FA text message to their phone. You might think you’re still safe because although this will send them the 2FA text message, they don’t have your password. What if they use the lost or forgotten password route? The service will often use the same 2FA text message mechanism to allow them to reset the password and you are screwed. That’s a pretty far fetched example but possible in some cases. You’d have to be pretty high profile for somebody to try that as it’s quite risky and of limited value on the average person.
The lost or forgotten password route is a common mechanism for account hijacking and is commonly overlooked in terms of security. In addition to 2FA, Google makes us provide a backup email address for our Gmail account, which seems a bit ridiculous because it creates a Russian doll effect. What if they send recovery information to that backup email address and we don’t have that password anymore either? It’s fine because that account will also have a backup email address. If you’re lucky the two email accounts don’t point back at each other. You’re also lucky if that recovery email address isn’t a Yahoo email account that got hacked back in 2013 that you forgot you even had. The problem with a recovery email address is that it’s often an unused and neglected account with no 2 Factor Authentication. It could have been already automatically disabled or hacked because it’s from an era of stone-age internet security. The stone ages were only 5 years ago by the way.
There are modern tools which can represent the “Something you have” category rather well that aren’t your phone. A recent device called a YubiKey (https://www.yubico.com/start/) is a really tiny USB fob which acts as a 2FA device. In fact this is something that I use for my Password Manager as a second authentication to my master password. It keeps my vault independent from my mobile phone. This can also be used with Google and Facebook and is far better than the text message method. At about $50 it’s relatively cheap, but like all devices you can lose it, as it’s conveniently small and light, which does make it rather easy to suck into a vacuum or potentially even smash into a few pieces. There’s no perfect solution.
Finally, moving onto “Something you are”, the iPhone relies heavily on its fingerprint scanner and more recently its facial recognition software. The LastPass mobile application uses the fingerprint to access the vault even if you are already logged into the phone, which is quite good. It means somebody you loan your phone to cannot use the app without cutting off your finger, in which case you’ve got bigger problems, like your tennis game is going to be in the toilet.
The “something you are” category is one that is often grossly misrepresented in films, with any manner of hand, face or retinal scan preventing entry into impressively sexy vaults in brilliant white spacious laboratories, often containing a plinth carrying the super special laser, chemical poison megabomb.
The reality of course is that your iPhone is about as high tech as we’re going at the moment. Facial recognition is only just good enough to be commercially offered and, to be fair, I’m holding back on using it until it is a bit more mature. I’ve already heard stories of children opening up their Dad’s mobile phone because the family resemblance was accurate enough to fool the tech.
I’ll wrap it up there with a quick recap of how I handle my own password hell. I use a password manager. LastPass is good, but so are many others. It’s difficult to choose a bad one in fact. I have 2 Factor Authentication turned on for everything where I can figure it out. For my password manager I use a YubiKey USB key for this. I got my YubiKey for free at a security conference, which was awesome.
For accounts I use primarily through a web browser I have 2 Factor Authentication using a mobile application (as opposed to text message). I use LastPass Authenticator. Google Authenticator does the same thing. The point is, you should always try to figure out how to turn on your 2 Factor Authentication. There are very few online services out there these days which do not have such a security option, although I must admit that they don’t push it very hard. You often have to dig around in your settings to find it, which isn’t ideal.
Finally I did a brief review of my recovery email addresses to try and make sure my recovery mechanism wasn’t either going in circles or wasn’t connected to any accounts that were either legacy or non-existent. Apparently I used to have an email account with a company called “briefcase” in the 90s. Yikes.
For those who think this sounds like a lot of work: it kind of is in the short term. I love the password manager system and found it actually was a huge relief once it was all set up. It was also revealing how many accounts I actually had! I really didn’t know and it was a nice way of doing a bit of online life assessment. Did I really need them all? YES! I’m a geek! 🙂