NCSAM – Post 0010: Let’s Talk About Passwords

Yes, that password. You know, the one that you use on EVERY. SINGLE. LOGIN. But hey, it’s a really good password, you say. Psssst…it doesn’t matter. If you re-use even one password, you are twice as likely to have your account “hacked”, your identity stolen, or any number of bad things.

Don’t believe me? Read this post: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984

Take note of the large chart and the column that says “User assists attacker by…” Notice how many of those fields state being human? Most of them. Put simply, humans are not good at passwords. Still don’t believe me? See: Appendix A: Strength of Memorized Secrets in the NIST 800-63B (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf)

And if you haven’t already, please go take a look at the https://haveibeenpwned.com/ tool and check any emails or logins you may have that have been exposed. Chances are, you have at least a few exposed usernames and passwords – and if you (yes you) ever re-use a password, that number just goes up.

But the problem is that most (if not all) of the online services we use every day still rely on passwords for authentication. So let’s talk about some of the ways that we, as humans, can avoid assisting the attackers, and help improve our daily operational security.

STOP Re-using Passwords

Now. Just don’t do it. To be completely honest, you would be better off by writing down your passwords on a sheet of paper…but then you need to worry about physical security – do you keep it under your keyboard at your desk (no) or do you keep it in your wallet (no) or do you keep it locked up in a safe (maybe).

Or you could use different password phrases or sequences for each login. For example, my password for banking.com would be: bAL0g1n10& but my password for health.com would be hEL0g1n10& – the idea being I take the first 2 letters of the service I’m trying to login to and putting that into my favorite passphrase. This is just an example, make up your own that works for you.

Complexity Matters

Or does it? If you recall from the above Azure AD article, anything less than 9 characters can be cracked in under a day, regardless of the number of letters, numbers, case, or special characters. Want real-life proof of this? Give this a read: https://thehackernews.com/2019/10/unix-bsd-password-cracked.html

Password LengthPossible PermutationsTime in secondsTime in minutesTime in hoursTime in days
6782,757,789,69680.130.0020.00009
775,144,747,810,81675112.520.210.01
87,213,895,789,838,34072,1391,202.3220.040.83
9692,533,995,824,480,0006,925,340115,422.331,923.7180.15
1066,483,263,599,150,100,000664,832,63611,080,543.93184,675.737,694.82

But the problem is this: the longer a password is, the harder it is for humans to remember it and the harder it is to come up with different ones…so here we are back at the original problem of usability and re-use – and there is a very fine line between enforcing ‘complexity’ and risk.

Federation can Help

Federation is a fancy way to say “Login using XYZ” – you’ve likely seen this before and common federated partners are Google, Facebook, LinkedIn and others. One of the primary goals of single sign-on is to reduce the number of credential sets that are used, meaning fewer passwords to remember (and that’s a good thing).

But there are a few things that you need to remember with federation:

  1. This does NOT mean that the new login uses the existing (federated) account – a new user object IS created on the new service, but uses a common attribute, like email address, to link this account to the federated one.
  2. Federation does NOT improve the strength of your credentials – so if you are logging in to Ebay with your Google account, the strength of your Ebay credentials are now effectively the same as your Google credentials.
  3. If your federated account has weak credentials, you have effectively increased your risk of a security breach on any site that uses that federated login – Understand the risk!

The takeaway: make one of your accounts have very strong credentials (and MFA, and anything else to make it more secure) and federate as many logins to this single account as possible.

Stay safe out there!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.