“What harm can come?” Password Security in Focus Again

Brian Krebs, founder of Krebs on Security, has authored a new post this week disclosing the potential harm that can come from reusing weak passwords, and it’s worth some fresh attention here.

He focused on banking passwords, password reuse, the ease of swapping SIM information to gain access to a target’s mobile phone messaging, and the interplay between non-traditional financial entities (like PayPal and Zelle) and regular bank accounts to show how attackers can use a chain of attacks to make off with stolen currency.

Although it’s a post focused on the individual, the lessons for businesses are just as important.

In short, they are:

  1. You need a unique password for every property and tool you use online.  To re-use a password anywhere is to invite trouble down the track if a website or company database is successfully compromised. 
  2. Use multi-factor authentication wherever it’s possible so that you add an extra layer of protection against compromise.

How Unique is Unique?

We don’t have to spend to much time arguing the case that you shouldn’t reuse passwords.  There are numerous examples online of where this has led to individual and business compromise. 

In an effort to ensure a unique password for every service that is nonetheless easily memorable, many people have developed a personalised algorithm that combines a beginning or end and adds a variable based on the name of the company or domain for which the password is required.  In that way, each password is unique, but the individual doesn’t have to remember all the individual passwords, only the algorithm.

The issue with that approach is that it only takes data from two compromised websites to be compared to reveal the algorithm.  Then an attacker can try it at any website across the net.

But how common is it to find information from different breaches combined?  The answer is: “very common”.  In fact, the resulting product type even has its own name: “ComboList”.

Combolists are available from numerous dark marketplaces if you know where to look, and new lists crop up several times each year.  Australian InfoSec researcher Troy Hunt has added billions of records to his website haveibeenpwned.com from such lists.

The solution is to use a password manager to create a completely unique logon to every website and tool that you use.

But doesn’t a password manager represent a single point of failure? 

If all your passwords can be accessed just by entering one master password, isn’t there more danger in putting all your faith in a password manager service?  Doesn’t that just multiply the risk of a total compromise?

Hunt argues (and we agree) that a password manager only needs to be better than a simple, reused password to be valuable.  Humans can’t (typically) remember more than a handful of genuinely unique passwords, he argues in this article.  So we tend to reuse them again and again and deceive ourselves that we’re safe.

The risk of a single, complex password being compromised is small when compared against the alternative of (inevitable) password or simple algorithm reuse across hundreds of domains, all of which represent their own attack surface.  The better choice is the password manager.

Plus, password managers can be combined with Multi-factor Authentication, meaning that an attacker has to have your username and password AND your mobile phone number (or, even better, an authenticator app resident on the phone, meaning that an attacker would have to steal your physical phone rather than just transfer your phone number).

That makes for a much better security posture for your business and/or personal life.

We use and recommend a commercial-grade product from a company called Thycotic.  On the personal side, Troy Hunt recommends 1Password but worthy peers are LastPass, and Dashlane too.