Passwords
Summary
Objectives
By the end of this session you should be able to:
- Explain the value of digital data in today's marketplace
- Evaluate risk levels associated with passwords
- Identify ways to mitigate the major weaknesses of password security
Key Points
- Short, low-entropy passwords are easy to brute-force, and common passwords are easy to guess
- Passwords are sometimes leaked - sharing them between accounts increases your exposure
- Password lists are bought and sold for large sums of money by criminals who see them as an investment
- Using password managers to store unique, high-entropy passwords will safeguard against brute-force attacks as well as leaked passwords
- Multi-factor authentication is another easy way to secure accounts
Breakdown
The Black Market in stolen passwords
The web has a burgeoning black market for stolen account details - bank accounts, social media accounts, online shopping accounts, etc. - which all have one thing in common: the password. Passwords are an excellent thing to steal - people enter them anywhere, copy them into insecure documents, and type them whenever an email or a text message asks them to. People also use the same password everywhere - many of you will use the same password to share your Netflix account with friends or family as you do to secure your bank or email account. And once someone gets into your email account it's game over - password resets are sent there, so they can access everything. With this access they can spend your money. If you have anything valuable they can hold it to ransom; anything embarrassing is ripe for blackmail - or simply for selling on. The data will be collated and sold on the black market, where specialists purchase it and set about exploiting it.
Common passwords and brute-forcing
Complex passwords are hard to remember, so people tend to cheat. Unfortunately, people are very predictable - using passwords like "qwerty", "123456" or "password1". The top ten million most common passwords are well known, and with modern computing hardware it is trivial to try every one of them against an account - the same is true of short passwords, which only have so many possible combinations.
Info: Banks still use four-digit PINs despite them being pretty easy to guess - instead of insisting on more complex passwords (which might make you spend less money!) they have large anti-fraud teams that try to detect fraudulent transactions and block them. It's possible you've had to contact your bank before because of this!
Password leaking and sharing
Companies are under constant attack from criminals trying to steal user data, such as passwords. Sometimes they succeed, especially on low-value targets (such as small websites and forums) - which means those criminals will have your passwords to those low-value sites.
Unfortunately, most people use the same password for everything - meaning that once a criminal has your password to one website, they have it for all of them. This is a common way that otherwise secure websites are compromised: criminals try the usernames and passwords leaked from a weaker website until something works.
Worse, people share passwords - compounding this problem, because an innocent Netflix password may also be the password to your bank account. Sharing passwords means that if something goes wrong you have no choice but to suspect the people you've shared that password with.
Protecting yourself
There are three easy things you can do to protect yourself effectively from such threats:
- Use long passphrases made up of 3-5 random words (e.g. from flicking through a dictionary), adding numbers and special characters at random locations in the phrase. This will be very hard to guess but relatively easy to remember.
- Use multi-factor authentication (e.g. Google Authenticator). This means that even if a criminal has your password they wouldn't be able to get into your account without your second factor.
- Use a password manager to store complex, unique passwords for every account you have. Secure it with a strong passphrase and multi-factor authentication.
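To make the "low entropy is easy to brute-force" and "3-5 random words" points concrete, here is an added worked example (not part of the original session material). It estimates the guess-space of a password from its character classes, treats anything in a common-password list as having no entropy, and compares that with a random-word passphrase. The common-password set, the 7776-word dictionary size and the guess rate of ten billion guesses per second are assumptions for illustration.

```python
import math

# Constructed stand-in for the "top ten million" list the text mentions.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "password1", "letmein"}

# Assumed offline guess rate against a fast, unsalted hash (illustrative).
GUESSES_PER_SECOND = 10_000_000_000

# Assumed dictionary size for a word-based passphrase (6^5 words, as in diceware lists).
DEFAULT_DICTIONARY = 7776
# Assumed pool of digits plus printable punctuation for randomly inserted symbols.
SYMBOL_POOL = 43


def charset_size(password: str) -> int:
    """Size of the character pool the password appears to be drawn from."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33
    return size


def password_entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits; a password on the common list counts as zero."""
    if password in COMMON_PASSWORDS:
        return 0.0  # guessed from the list long before any brute force is needed
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(word_count: int, dictionary_size: int = DEFAULT_DICTIONARY,
                            extra_symbols: int = 0) -> float:
    """Entropy of word_count uniformly random words plus extra_symbols random symbols."""
    return word_count * math.log2(dictionary_size) + extra_symbols * math.log2(SYMBOL_POOL)


def years_to_exhaust(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every possibility at the assumed guess rate, in years."""
    return (2 ** bits) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for label, bits in [("PIN 1234", password_entropy_bits("1234")),
                        ("password1 (common)", password_entropy_bits("password1")),
                        ("Tr0ub4dor", password_entropy_bits("Tr0ub4dor")),
                        ("4 random words", passphrase_entropy_bits(4)),
                        ("5 words + 2 symbols", passphrase_entropy_bits(5, extra_symbols=2))]:
        print(f"{label:22s} {bits:6.1f} bits  {years_to_exhaust(bits):12.3g} years to exhaust")
```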