World Password Day, celebrated on the first Thursday of every May, is a timely reminder of the fact that our passwords are the key to a wealth of personal information about us. However, poor password practices, including the use of the same password to access multiple accounts, can create serious risks and undermine our privacy and cybersecurity.
It would be nice to imagine that if the various contenders for “inventor of the password” had known how much of a hassle its computer variety would end up posing centuries later, they would never have bothered. Or maybe that inventor – perhaps a Gileadite or Roman soldier – just didn't care about the tradeoff between security and convenience that would plague us in the internet era. Either way, the legacy of the military watchword is here to stay.
Quipping aside, the routine works like this: you sign up with a username and a password that only you know, and you’re golden. To log in again, you just need to recall and input your login credentials. Of course you knew this would happen, so you took some “precautions”: you set up the account with an easy-to-remember password.
And therein lies the problem.
“Easy-to-remember” most often equates to short and simple, as well as easy to guess. That’s especially true for password-cracking software doing the bidding of an operator intent on brute-forcing his way into your account. Such software can open the trove of treasures just as magically as the phrase “Open Sesame!” does with the mouth of a cave in a well-known folk story.
On the flip side, a password that is long, complex and random is harder to crack, but also harder to remember. And therein lies the problem (yes, again!). Recalling many impossible-to-guess passwords, and remembering which particular online service each one belongs to, is just too much of a tall order, unless you have the memory of an elephant.
Indeed, passphrases – say it with me, “I LOVE to Read WeLiveSecurity!” – may help both in terms of security and convenience (the latter being simply a proxy for memorability). However, is it reasonable to expect every user to remember a distinct passphrase or password for each and every online account?
Something’s got to give
What many people do – at least those who are not elephants – is skimp on their security, use an atrocious password (“123456”, anyone?) and go on their merry way. Until their accounts are hacked and their online personas are compromised or, worse, their identities and money are stolen. After all, it is human nature to disregard risk until disaster strikes.
Indeed, it feels like you can’t have it all; that is, many online accounts, each of which has a supremely strong, unique and memorable password or passphrase. It is little wonder that our patience wears thin and we take mental shortcuts. Enter another coping strategy that greases the wheels of hacking – password reuse.
Although it is antithetical to userland security, you can bet your last dollar that password recycling is invariably right up there with the other most frequent and ill-advised offenses committed by users in the realm of authentication. Passwords created with another oft-used strategy, which involves slightly modifying the password for each account (“partial reuse”), tend to be predictable and, thus, just as easy to crack.
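The point about exact and partial reuse is easy to check against your own accounts. The following is an added example, not code from the article or from ESET: a small audit that takes a vault of account/password pairs (the sample vault and its passwords are constructed for the example) and reports pairs that are identical or that differ only by the kind of small tweak the paragraph describes, such as a changed year or a case change. The normalization rules and the edit-distance threshold are assumptions chosen for illustration.

```python
import re
from itertools import combinations

# Constructed sample vault (account -> password); illustrative values only,
# not real credentials.
SAMPLE_VAULT = {
    "email": "Summer2019!",
    "bank": "Summer2019!",            # exact reuse of the email password
    "forum": "summer2020",            # "partial reuse": same base, new year
    "shop": "Tr0ub4dor&3",
    "work": "correct horse battery staple",
}


def normalize(password: str) -> str:
    """Collapse the edits people typically make when tweaking a password for
    another site (case changes, a trailing year or symbol, a leading symbol)
    so near-duplicates compare equal. Used only to audit your own vault."""
    p = password.lower()
    p = re.sub(r"[\d!@#$%^&*?._-]+$", "", p)   # drop trailing digits/symbols
    p = re.sub(r"^[!@#$%^&*?._-]+", "", p)     # drop leading symbols
    return p


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def audit_reuse(vault: dict, max_distance: int = 2) -> list:
    """Return (account_a, account_b, kind) triples: kind is 'exact' for
    identical passwords and 'partial' for passwords that are equal after
    normalization or within max_distance edits of each other."""
    findings = []
    for (acct_a, pw_a), (acct_b, pw_b) in combinations(sorted(vault.items()), 2):
        if pw_a == pw_b:
            findings.append((acct_a, acct_b, "exact"))
            continue
        norm_a, norm_b = normalize(pw_a), normalize(pw_b)
        # Require a non-empty normalized form so two all-digit passwords
        # are not reported as related just because both collapse to "".
        if (norm_a and norm_a == norm_b) or levenshtein(pw_a, pw_b) <= max_distance:
            findings.append((acct_a, acct_b, "partial"))
    return findings


if __name__ == "__main__":
    for a, b, kind in audit_reuse(SAMPLE_VAULT):
        print(f"{kind:8} {a} <-> {b}")
```

Running it on the sample vault flags the bank and email accounts as exact reuse and the forum password as a partial reuse of both. Any hit is a candidate for a fresh, generated password.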
Why is password reuse so risky?
The neighborhood that is the internet can be rather less than neighborly in many ways, doubly so when data breaches are a reality of our age. The breaches often expose login details that – if you use them to access multiple accounts – can be successfully exploited for attacks known as credential stuffing. This becomes particularly troubling when an attacker uses stolen or leaked access credentials that belong to one account in order to break into another – often higher-value – account. Thanks to frequent password dumps, user/password combinations are easy to come by, and often at little-to-no cost at that.
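From the defender's side, a credential-stuffing run has a recognizable shape: one source tries leaked username/password pairs against many different accounts in quick succession, with a handful of them succeeding. The following is an added example, not code from the article or from ESET, of that detection logic run over a constructed authentication log (the log format, the documentation-range IP addresses and the usernames are all made up for the example; the five-minute window and the five-account threshold are assumed tuning values).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per login attempt, in a constructed format for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 203.0.113.7 walks through many different accounts
# in a few seconds, which is what a stuffing run looks like; 198.51.100.9 is
# one user fumbling their own password, which should not be flagged.
SAMPLE_LOG = """\
2019-05-02T10:00:01Z ip=198.51.100.4 user=alice result=OK
2019-05-02T10:00:03Z ip=203.0.113.7 user=alice result=FAIL
2019-05-02T10:00:04Z ip=203.0.113.7 user=bob result=FAIL
2019-05-02T10:00:05Z ip=203.0.113.7 user=carol result=FAIL
2019-05-02T10:00:06Z ip=203.0.113.7 user=dave result=OK
2019-05-02T10:00:07Z ip=203.0.113.7 user=erin result=FAIL
2019-05-02T10:00:08Z ip=203.0.113.7 user=frank result=FAIL
2019-05-02T10:01:00Z ip=198.51.100.9 user=gina result=FAIL
2019-05-02T10:01:30Z ip=198.51.100.9 user=gina result=FAIL
2019-05-02T10:02:00Z ip=198.51.100.9 user=gina result=OK
"""


def parse_events(text: str) -> list:
    """Parse log text into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5) -> dict:
    """Flag any source IP that attempts logins for >= min_users distinct
    accounts within `window`. Successful attempts are counted as well: in a
    stuffing run they are the accounts whose reused password just got
    confirmed, so they are returned under 'succeeded' for forced password
    reset and session revocation."""
    recent = defaultdict(deque)  # ip -> attempts inside the sliding window
    alerts = {}
    for ts, ip, user, result in events:
        q = recent[ip]
        q.append((ts, user, result))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _t, u, _r in q}
        if len(users) >= min_users:
            alerts[ip] = {
                "distinct_users": len(users),
                "succeeded": sorted({u for _t, u, r in q if r == "OK"}),
                "first": q[0][0],
                "last": ts,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}; "
              f"successful logins: {info['succeeded']}")
```

The detector keys on the spread of usernames per source rather than on failure counts alone, because a stuffing run mixes successes in with the failures and a failure-only rule would overlook the accounts that actually got taken over. In practice the same logic is extended with per-ASN or per-user-agent grouping, since a campaign is often spread over many addresses.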
If a breach hits and the credentials aren’t stored with advanced salted-hash functions (think, for example, a hack against Adobe in 2013), a strong password, or even a passphrase, may not be enough to thwart an account-takeover attack if you use that password to access multiple online services.
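What “salted-hash functions” buy you is easiest to see side by side. The following is an added example, not code from the article or from ESET: a naive unsalted SHA-256 store next to a salted, deliberately slow PBKDF2-HMAC-SHA256 store, with a check of what happens when two unrelated services hold the same password (the password and the iteration count are constructed values for the example; bcrypt, scrypt and Argon2 are the other usual choices for the slow, salted step).

```python
import hashlib
import hmac
import os

# Constructed sample: the same password registered with two unrelated services.
PASSWORD = "correct horse battery staple"

# One illustrative work factor for PBKDF2-HMAC-SHA256; a real deployment
# tunes this to its own hardware (the slower it is, the slower every guess
# an attacker makes against a leaked dump is too).
ITERATIONS = 600_000


def store_unsalted(password: str) -> str:
    """What a careless service does: one fast, unsalted hash. The same
    password always yields the same digest, at every site that does this,
    so one leaked digest can be matched against precomputed tables and
    against any other dump without cracking anything."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = b"") -> str:
    """Salted, deliberately slow key derivation. The random per-user salt
    makes the stored record unique even when the password is not, and the
    iteration count makes each guess expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute the derivation from the parameters stored in the record and
    compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def records_match_across_services(store, password: str) -> bool:
    """Simulate two independent services storing the same password with the
    same scheme. True means a dump from one service exposes matching records
    at the other for free; False means each record has to be attacked on
    its own."""
    return store(password) == store(password)


if __name__ == "__main__":
    print("unsalted records identical:",
          records_match_across_services(store_unsalted, PASSWORD))
    print("salted records identical:  ",
          records_match_across_services(store_salted, PASSWORD))
    record = store_salted(PASSWORD)
    print("correct password verifies: ", verify_salted(PASSWORD, record))
    print("wrong password verifies:   ", verify_salted("hunter2", record))
```

The salted records differ for the same password, yet each service can still verify it, because the salt travels with the record. That is the property the Adobe-style breach lacked: nothing about one user’s record helps with another user’s, or with the same user’s record at another site.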
Factoring in another factor
Many account-takeover attempts can be foiled with two-factor authentication (2FA). An added authentication factor provides an extra layer of defense beyond the simple passcode/password/passphrase and, in a way, fixes some of the inherent human foibles that are routinely exposed by our poor password choices.
So far so good. However, many online service providers have yet to implement 2FA into their authentication schemes. (You can check the status of various websites vis-à-vis 2FA here: https://twofactorauth.org/.) Additionally, as shown by a recent report about the adoption rate of 2FA among active Google accounts (lower than 10 percent), even if such an option has been available for years, most users simply don’t take advantage of it, be it that they’re unaware of it or apparently have bigger fish to fry.
There are other forms of authentication, of course, that may take some of the weight off our shoulders (and brains), be it biometrics (e.g. fingerprint or iris recognition) or algorithms to measure behavioral characteristics (e.g. typing rhythm) or others. Their availability and, by extension, adoption are nowhere near widespread, however.
Is there another way, then?
Well, yes, although it actually flies in the face of much advice dispensed by security folks. In 2014, Microsoft Research released a paper that suggested a different tack. In thinking of various online accounts as somewhat of a continuum, the paper averred that some degree of password reuse is inevitable, but that it should be reserved for low-risk, low-value services. Put differently, the reasoning went that all accounts are not born equal and should, therefore, be divided into groups according to value. ESET Senior Research Fellow David Harley weighed in on this approach, while hinting at its potential pitfalls, in this insightful piece.
On a different note, chances are that you won’t cull your online accounts all the way down to whatever number you can manage easily with unique and strong passwords or passphrases. Nor will you probably be willing to engage in some serious mnemonics or aspire to eligibility for a memory competition.
With that in mind, the easiest thing to do is, arguably, to put all of your passwords (strong and unique, of course) into a kind of digital safe. That vault is dedicated password management software that, ideally, encrypts and stores all of your passwords locally and offline.
Indeed, password managers are all the rage in password security and, intuitively, it is hard to deny their merits. In addition, recent research found that password managers benefit both password strength and uniqueness, although apparently this strategy works only if the passwords are generated by the software.
Either way, assuming that you trust the implementation of your password manager – and you wouldn’t use it if you did not, right? – then its security is largely determined by the robustness of your master password. That’s doubly relevant if you consider that you’re effectively putting all your eggs, including some made of gold, into a single basket. That basket could, in fact, become a single point of failure.
They shall not pass
To be sure, passwords are flawed. Except that, in our internet era, there’s no other ubiquitous method of user authentication. Having had their impending demise predicted back in 2004, passwords may well have outstayed their welcome. However, it appears that it will still be some time before they go the way of the dinosaurs.
All told, some things in computer security are beyond the control of a regular user, but why not go and fix those that are? In a way, the persistently poor password practices of many other people give you a chance to be ahead of the pack. What’s not to like?