Practive Security 101: Passwords
“Keep it secret, keep it safe” - Gandalf, Lord of the Rings by JRR Tolkien.
Password Mindset
It is important to understand that wherever you have created a digital or online account, including via Internet-powered apps on your mobile device, you are establishing a form of secure safe or vault in that provider’s digital ecosystem, that contains valuable information about you. Passwords and their related access control components are the keys that both lock and unlock those vaults.
It might help to think of this in the physical world. Imagine your city or town and all the physical stores you visit and shop at. Imagine if each time you made a purchase in one of those physical stores, the store created a small safe for you in which they kept all the information you provided them in the transaction. You get to create the key, but they maintain the safe.
When you swipe or tap a credit card or scan a QR code to make a purchase, you are digitally transferring your financial account data to the store at which you are making the purchase. By doing this, you are essentially leaving some of your most prized property in that store’s vault, property that thieves would absolutely love to have.
Now imagine that when you leave the store, you lock your vault using a unique code you created for that particular vault at that store. Your information is there, locked away, and available to reuse the next time you visit. But that also means it’s available to anyone else who might have a copy of your key or who can pick the lock.
Now translate this idea to the Internet. Every time you visit an online store, think of it as a property. Every time you create an account, think of it like setting up a safe in their back room. Every time you provide them personal information like your name, address, credit card number, or Venmo account number, you are depositing that information into that safe, and it needs to be locked. When you set up your account by providing a username and password, you are generating the key.
Just as in the physical world, digital locks and keys have varied levels of sophistication that make them more or less susceptible to being picked or broken open. In addition, the digital world offers further layers of security that can easily be added to increase the protection of your data, including encrypting it when it’s not being accessed or adding further authentication steps to the unlock mechanism itself.
But it all comes down to your initial key: the password.
Understand the Threat
Passwords, and their corresponding usernames, are among the most sought-after and prized commodities in the criminal world. This is true not only among common criminals and organized crime, but also for nation-state threat actors, militaries, and state-operated intelligence agencies. Everyone wants your password, because it is the key to your digital vault and everything it contains. It is still VERY common for Internet-based service providers to use simple authentication mechanisms like a username and password combination to “secure” customer accounts.
With a valid username and password, the adversary doesn’t need to hack or break in. They can simply log in and use whatever permissions and access are granted to the authorized owner of the account they are using. Additionally, they can avoid setting off alarms from monitoring tools that watch for signs of digital attack. After all, if someone logged into the account, how can the provider know whether it is the legitimate account owner or someone else?
In fact, most malware used by sophisticated adversaries in data breach, data theft, and espionage campaigns is designed to steal passwords from web browsers or computers, whether the password is sitting in active memory, being typed at the keyboard, being transmitted during login, or stored in a document or file on the hard drive.
Password theft and use is almost always present in the big data breaches we read about in the news. There is a strong misunderstanding of the so-called advanced persistent threat (APT) actor: many assume they have a never-ending set of sophisticated tools that can break into any system, anytime. In reality, their capabilities are limited (by people, process, technology, time, etc.) and they don’t want to use sophisticated means, and risk exposing some of the secret tools they do have, unless they absolutely have to. Once they use a secret tool, the defense community has an opportunity to observe it and build a countermeasure. Again, despite popular misunderstanding, there are only so many vulnerabilities and weaknesses that can be exploited.
When an adversary can use a valid username and password, they can effectively impersonate the account owner which also serves to bypass or evade monitoring or other controls designed to find indicators of attack.
And so passwords remain the most important and valuable tool for a criminal.
This is evidenced by the large lists of passwords that are always available for sale in the criminal underground marketplace. There are criminal operations that do nothing but steal and sell passwords.
Known Weaknesses
Simple passwords as a standalone key for access management have been rendered obsolete. When you use a simple combination of username and password, you should assume that account is not secure.
It is a trivial task for a modern computer to break into an account where a simple password is the only key. So-called brute force attacks can submit lists of stolen or generated passwords at a login prompt fast enough to achieve a high rate of success in a short period of time.
Password spraying is another common technique used by attackers when they have a large list of passwords and usernames and want to automatically try combinations of many of them against the same login service over some period of time. They try various combinations until one of them works. They can even automate spraying these combinations across different Internet properties, including ones with weaker levels of account security. If they can find a match at one Internet property, it’s likely they can use it elsewhere.
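The two patterns just described (brute force against one account, and spraying many accounts from one source) leave different fingerprints in a login service's logs, which is what a provider's monitoring looks for. As an added example that is not part of the original article, here is a small Python detector run over a constructed authentication log; the log format, the IP addresses and usernames, and the thresholds (5 failures per account, 5 distinct users within 10 minutes) are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample authentication log ("timestamp result username source-ip").
# Three stories: 203.0.113.7 tries six different users once each (spray shape),
# 198.51.100.9 hammers one user eight times (brute force shape), and
# 192.0.2.5 is a real user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z FAIL alice 203.0.113.7
2024-03-01T10:00:02Z FAIL bob 203.0.113.7
2024-03-01T10:00:03Z FAIL carol 203.0.113.7
2024-03-01T10:00:04Z FAIL dave 203.0.113.7
2024-03-01T10:00:05Z FAIL erin 203.0.113.7
2024-03-01T10:00:06Z FAIL frank 203.0.113.7
2024-03-01T10:05:00Z FAIL carol 198.51.100.9
2024-03-01T10:05:01Z FAIL carol 198.51.100.9
2024-03-01T10:05:02Z FAIL carol 198.51.100.9
2024-03-01T10:05:03Z FAIL carol 198.51.100.9
2024-03-01T10:05:04Z FAIL carol 198.51.100.9
2024-03-01T10:05:05Z FAIL carol 198.51.100.9
2024-03-01T10:05:06Z FAIL carol 198.51.100.9
2024-03-01T10:05:07Z FAIL carol 198.51.100.9
2024-03-01T11:00:00Z FAIL dave 192.0.2.5
2024-03-01T11:00:20Z FAIL dave 192.0.2.5
2024-03-01T11:00:40Z OK dave 192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")
Event = Tuple[datetime, str, str, str]  # (timestamp, result, username, source ip)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_brute_force(events: List[Event], threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """Brute force shape: one username hit repeatedly from one source.
    Returns {(ip, user): failure_count} for pairs at or above the threshold."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for _ts, result, user, ip in events:
        if result == "FAIL":
            counts[(ip, user)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def detect_spray(events: List[Event], window: timedelta = timedelta(minutes=10),
                 min_users: int = 5) -> Dict[str, int]:
    """Spray shape: many different usernames failing from one source inside a time window.
    Returns {ip: max_distinct_users_in_any_window} for sources at or above min_users."""
    fails: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    alerts: Dict[str, int] = {}
    for ip, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({u for _, u in items[start:end + 1]})
            if distinct >= min_users:
                alerts[ip] = max(distinct, alerts.get(ip, 0))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(evts))
    print("brute force pairs:", detect_brute_force(evts))
```

The per-account failure counter alone would never notice the spraying source, because each of its victims fails only once; that is exactly why spraying is popular against services whose only alarm is an account lockout, and why the detector has to group by source rather than by user.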
It is also an unfortunate fact that many people actually use a common password. This is true in multiple ways; they use a password that many other people also use, and/or they reuse a personal password for many different accounts. This gives adversaries an important advantage. If they have a large list of stolen passwords, the likelihood of finding one you use increases. Your password might be in a list of other people’s passwords, coincidentally creating a weakness for you.
Passwords are also easily forgotten, especially for those of us who have accounts at many different Internet properties which we have set up over extended periods of time. It’s easy to forget which password you used where, especially if you haven’t logged into a particular account for an extended period of time. Because of this, it can be very tempting to use a single password or a small number of them everywhere, and to write them down or store them in documents or places that criminals know to look.
Multi-factor or Second-factor Authentication (MFA / 2FA)
MFA and 2FA are your ace in the hole for securing your accounts. With multifactor authentication standards, in order to gain access to an account you must prove your identity with:
Something you know (like a password or PIN)
Something you have (like a one-time use token or access card)
Something you are (like a biometric scan or sample)
It is extremely difficult for even the most sophisticated adversary to break MFA, especially when all three factors are used properly. Unfortunately, many online providers have chosen to simplify this model down to two factors (2FA), and often their implementation of the second factor is itself insecure. 2FA is better than a password alone, but that is another article for another time. Suffice it to say, MFA is your ace in the hole to truly protect your online accounts.
Practical Steps
Create and use unique passwords
It is important to create passwords that are unique: unique to you and unique to the account the password protects. It’s like having a unique key for each lock, so that if any one is compromised (stolen or copied), only the contents of the one safe it unlocks are at risk.
There are many tools available that can help you generate unique passwords, including web browsers, password managers, and even your mobile device OS.
The risk of using random password generators is, of course, remembering the results. Practive Security recommends only using generated passwords if you also store them in a password vault or password management tool. More on that later.
Create complex passwords
If you do choose to manually create your own passwords, make sure they are complex. Best practice for a strong password with sufficient complexity is to make sure it meets the following criteria:
Is at least 12 characters in length (14 is better)
Contains at least one of each of the following
Letters - lower case and upper case
Numbers
Special characters
Does not contain a word in plain text (words with letters substituted by numbers or characters are OK)
Generate passwords from passphrases
To help keep passwords memorable and relevant and thus increasing your chance of using them, Practive Security recommends using phrases as the basis for each password.
For example, if I want to generate a new password for my account on an online sports shop, I might consider as a foundational passphrase something like: mysportinggear
From that I can create something complex by substituting letters with numbers or special characters.
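As an added example (not from the article), the following Python turns the passphrase above into a candidate password using one constructed substitution table, and then checks the result against the complexity criteria listed under "Create complex passwords". The substitution table, the capitalisation of the first letter of each word, and the tiny word list are assumptions for illustration; a real word check would load a full dictionary and a list of leaked passwords.

```python
import string
from typing import List

MIN_LENGTH = 12  # the article's minimum; 14 or more is better

# Constructed substitution table (an assumption for this example, not a scheme from the article).
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "g": "9"}

# Tiny constructed word list; a real check would use a full dictionary plus leaked passwords.
COMMON_WORDS = {"sport", "sporting", "gear", "password", "welcome"}


def from_passphrase(passphrase: str) -> str:
    """Derive a candidate password from a passphrase: capitalise the first letter of
    each word and swap the remaining letters according to SUBSTITUTIONS."""
    pieces = []
    for word in passphrase.split():
        pieces.append(word[:1].upper() + "".join(SUBSTITUTIONS.get(c, c) for c in word[1:]))
    return "".join(pieces)


def complexity_problems(password: str) -> List[str]:
    """Return the article's criteria that `password` fails; an empty list means it passes all."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Plain-text word check: substituted forms like "$p0rt" no longer match "sport".
    lowered = password.lower()
    words = sorted(w for w in COMMON_WORDS if w in lowered)
    if words:
        problems.append("contains plain-text word(s): " + ", ".join(words))
    return problems


if __name__ == "__main__":
    for candidate in ("mysportinggear", from_passphrase("mysportinggear")):
        print(repr(candidate), "->", complexity_problems(candidate) or "passes all criteria")
```

Run as a script it reports that the bare passphrase fails four criteria while the substituted form passes all of them. Keep in mind that the substitution table itself is the weak point of this approach: if everyone used the same handful of swaps, password-guessing tools would simply include them in their rules, so a memorable phrase that is long and personal matters more than clever substitutions.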
Store your passwords in a vault
Because it is simply impossible for most of us to remember all our passwords, it’s good practice to use a dedicated password vault or password storage application. With these applications, when you need to recall a password, you simply open your password manager, find the relevant entry, and can often copy/paste from the vault into the login screen.
Practive Security recommends 1Password, although there are many available from different security vendors. OS providers are also providing password managers by default.
It is very important to make your password vault password unique, complex, and memorable. If you can’t remember it, you lose access to all your passwords.
Periodically change your passwords
Even with all the security features in the world, passwords are stolen or new lists of seemingly random passwords are generated by the criminal underground. It’s best practice to periodically go through all your online accounts, and change the passwords.
Practive Security recommends doing this annually. Consider marking a day on your calendar, perhaps the day you change the batteries in your home smoke detectors, and step through the process for all the Internet properties you have accounts with. This is also a good opportunity to close accounts you no longer need.
Use secure logins
When logging into a website, before entering your password, check your browser to make sure the website is using SSL to encrypt the transmission. This will help keep your password secret as it passes from your computer to the website in question.
You can tell a website is using SSL if its web address starts with https. Some web browsers that don’t display the entire web address or URL will instead show a lock icon in the address bar.
If you are using an app, you can often read on the app provider’s website about their authentication architecture to make sure it also uses SSL or TLS for data transmission.
Use MFA / 2FA whenever possible
Enabling MFA or 2FA is an effective way to harden your accounts and significantly decrease the likelihood of unauthorized access. The most sophisticated adversaries can bypass some common MFA or 2FA implementations, but this requires a degree of effort that most criminals do not employ.
When you use MFA/2FA, the most secure option for satisfying the “something you have” factor is to use an authenticator app that generates random one-time use tokens. Some of these authenticator apps will also leverage your mobile device’s unlock feature, Face ID, or PIN as a form of pass-through authentication.
Aside from an authenticator app, a one-time code sent to your email address or to your phone via SMS is another viable option. However, remember that if a hacker has access to the phone or computer that receives the one-time token, they can bypass this security layer anyway.