Passwords are an essential part of our digital lives. But despite their pervasiveness, there is much confusion around passwords and how they should be properly used. In this post, we will go back to basics and look at passwords generally along with some specific problems and solutions.
Many people use weak passwords, such as a pet’s name for a website or a birthday as a phone passcode (both easily discernible from social media). In fact, data breaches reveal that 123456 is consistently the most commonly-used password! While these may have the benefit of being easy to remember, they also make it easier for an adversary to brute force guess your password.
The easiest way to create and remember complex passwords is to use a password manager. For the few passwords that you cannot store in a manager (because you need them to unlock the manager itself or the device it runs on), you can use three random words to create a password that is sufficiently complex but still memorable. This will be covered in more detail in the next post in this series, but, for now, the passwords that you should manually create and remember are:
- Passwords for your devices.
- Master password for your password manager.
- Password to sync your passwords between devices (if different from the master password).
- Password for your email account.
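As an added illustration of the three-random-words approach (this is example code written for this page, not a tool from the original post), the script below picks words with a cryptographically secure random source and works out how much guessing a three-word passphrase forces on an adversary. The word list is a constructed 20-word sample; the 7776-word figure is the size of the real EFF long word list, and the guess rates (100 per second for rate-limited online guessing, 10^10 per second for offline cracking of a fast hash) are assumed values chosen to show how much the strength of the "lock" matters.

```python
import math
import secrets

# Constructed sample word list for the example. A real list such as the EFF
# long list has 7776 entries, and that size is what makes three words strong.
SAMPLE_WORDS = [
    "anchor", "basil", "candle", "dagger", "ember", "fossil", "garnet",
    "harbor", "ivory", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "tundra",
]
EFF_LONG_LIST_SIZE = 7776  # size of the real EFF long word list

# Assumed guess rates for the comparison below.
ONLINE_GUESSES_PER_SECOND = 100      # rate-limited login endpoint
OFFLINE_GUESSES_PER_SECOND = 1e10    # cracking a leaked fast hash on GPUs


def generate_passphrase(words, n_words=3, sep="-"):
    """Pick n_words uniformly at random with a CSPRNG (never random.choice)."""
    if len(set(words)) < 2:
        raise ValueError("word list too small to be useful")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of n_words chosen uniformly, with replacement, from list_size words."""
    return n_words * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every passphrase of the given entropy at the given rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    for size, label in ((len(SAMPLE_WORDS), "20-word sample list"),
                        (EFF_LONG_LIST_SIZE, "EFF long list")):
        bits = entropy_bits(size, 3)
        print(f"{label}: {bits:.1f} bits; "
              f"online {years_to_exhaust(bits, ONLINE_GUESSES_PER_SECOND):.1e} years, "
              f"offline {years_to_exhaust(bits, OFFLINE_GUESSES_PER_SECOND):.1e} years")
```

Three words from a 7776-word list give about 38.8 bits, which holds up for centuries against online guessing but falls in under a minute to an offline attack on a fast, unsalted hash. That is why the next section, on how services store your password, matters as much as the password itself.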
In addition to weak passwords, another common mistake is to re-use the same password for multiple services. The problem with this is that if compromised in one location, that password will then allow access to your data in all the other locations that you have used it.
But why should this matter if you never disclose your password to a third party? The problem is the services that store your data. A responsible service provider never stores the password itself: it stores the output of a slow, salted password-hashing function (such as bcrypt, scrypt or Argon2), where the salt is a random value unique to each account, so that identical passwords produce different stored values and an adversary cannot use precomputed tables or crack every account in one pass. If a provider stores passwords in plaintext, uses a fast unsalted hash, or makes a mistake in the implementation, an adversary who obtains the stored values may recover your password without you ever disclosing it. If you have reused the same password with other services, the adversary now has access to your sensitive information in multiple locations.
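The following added example (written for this page, not taken from any provider's code) contrasts careless storage, a fast unsalted hash, with responsible storage, a per-account random salt and the memory-hard scrypt function, and shows how to verify a login against the stored record. The scrypt work factors and the sample password are assumptions chosen for the demonstration; a real deployment would tune them to its hardware.

```python
import hashlib
import hmac
import os

# Constructed sample: the weakest common password, registered at two services.
PASSWORD = "123456"

# Assumed scrypt work factors for the example: n=2**14, r=8, p=1 uses 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAXMEM = 64 * 1024 * 1024
DKLEN = 32


def weak_store(password):
    """What a careless provider does: a fast, unsalted hash (or worse, plaintext).
    Equal passwords give equal digests, so one precomputed table or one cracked
    digest reveals the password at every service where it was reused."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password):
    """Responsible storage: a fresh random 16-byte salt per account and a slow,
    memory-hard hash. Returns the record the provider would keep; the salt is
    stored alongside the hash in the clear, which is expected and fine."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=MAXMEM, dklen=DKLEN)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_password(password, record):
    """Recompute the hash with the stored salt and parameters, then compare in
    constant time so timing does not leak how many bytes matched."""
    digest = hashlib.scrypt(password.encode(),
                            salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"],
                            maxmem=MAXMEM, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print("weak, service A:  ", weak_store(PASSWORD))
    print("weak, service B:  ", weak_store(PASSWORD))   # identical: reuse is visible
    a, b = store_password(PASSWORD), store_password(PASSWORD)
    print("salted, service A:", a["hash"])
    print("salted, service B:", b["hash"])              # differ despite the same password
    print("verify correct:", verify_password(PASSWORD, a))
    print("verify wrong:  ", verify_password("password", a))
```

Note what the salt does and does not buy you: it forces the adversary to attack each account separately and defeats precomputed tables, but a weak password such as 123456 is still guessed in moments, and once guessed at one service it works at every other service where it was reused. Salting is the provider's job; uniqueness and strength remain yours.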
So, in order to contain the damage caused by a compromised password, you should use a complex and unique password for each service.
A password is analogous to the combination used to open a safe. The combination is not the only thing protecting a safe’s contents from unauthorised access, the lock itself plays a crucial role.
In the physical world, adversaries can gain access to the safe without the combination: a weak lock can be picked (analogous to brute force guessing a password), destroyed or circumvented (analogous to hacking), or may not even limit access in the first place, if there are other ways to gain entry.
In the digital world, most cloud providers use what amounts to a weak lock: your data is stored in a form that the provider's own systems and staff can read. That weak ‘lock’ may be the vulnerability an adversary uses to gain access to your information, by coercing or impersonating staff, by compromising an internal account, or by compelling the company to hand over your data.
One advantage the digital world has over the physical world is encryption. In principle, encryption is the ultimate lock: if the key is derived from your password and held only by you, an adversary without the key has no option but to guess the password, which takes an impractically long time provided the password is sufficiently strong and the key derivation is deliberately slow.
In general, online platforms with strong locks will likely have encryption listed as one of their main selling points. You should therefore know which of your services use strong locks and which do not. Unfortunately, many services use language such as end-to-end encryption and at-rest encryption that suggests a strong lock but means something weaker: at-rest encryption, for example, usually means the provider encrypts its own disks with keys it holds, which protects against stolen hardware but not against the provider itself or anyone who compromises or compels it. So, you will need to examine services closely and look for terms such as “zero knowledge” or statements claiming that only you can access your data. Reading online reviews may help with this. Another good indication of the presence of a strong lock is a warning that a password reset will cause you to lose access to your data if you have not previously set up an account recovery method.
Similarly, a good indication that your device is using encryption is if you received a warning during setup about losing your data if you forget your password. You can also check the settings for BitLocker in Windows or FileVault in macOS, for example.
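To make the device check concrete, here is an added example (written for this page; it is not a script from the original post or from Apple or Microsoft) that interprets the output of the two built-in command-line tools, `fdesetup status` on macOS and `manage-bde -status` on Windows, and flags volumes that are not actually protected. The sample outputs are constructed excerpts in the format those tools print; the second Windows volume is deliberately shown as fully encrypted but with protection off, which is the suspended state in which BitLocker stores its key in the clear and the encryption gives you nothing.

```python
import platform
import re
import subprocess

# Constructed sample output of `fdesetup status` on macOS.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"

# Constructed excerpt of `manage-bde -status` output on Windows.
SAMPLE_MANAGE_BDE = """\
Volume C: [Windows]
[OS Volume]

    Size:                 237.31 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Lock Status:          Unlocked

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
"""


def filevault_enabled(fdesetup_output):
    """True only when fdesetup reports FileVault as on."""
    return re.search(r"^FileVault is On\.", fdesetup_output, re.M) is not None


def bitlocker_volumes(manage_bde_output):
    """Map each volume letter to its encryption and protection state."""
    result = {}
    current = None
    for line in manage_bde_output.splitlines():
        m = re.match(r"^Volume ([A-Z]):", line)
        if m:
            current = m.group(1) + ":"
            result[current] = {"encrypted": False, "protected": False}
            continue
        if current is None:
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Conversion Status":
            result[current]["encrypted"] = value == "Fully Encrypted"
        elif key == "Protection Status":
            result[current]["protected"] = value == "Protection On"
    return result


def unprotected_volumes(manage_bde_output):
    """Volumes an adversary holding the disk could read: not fully encrypted,
    or encrypted but with protection suspended (key stored in the clear)."""
    return sorted(v for v, s in bitlocker_volumes(manage_bde_output).items()
                  if not (s["encrypted"] and s["protected"]))


def check_this_machine():
    """Run the real tool for the current OS (manage-bde needs an admin shell)."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return {"filevault": filevault_enabled(out)}
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status"], capture_output=True, text=True).stdout
        return {"unprotected": unprotected_volumes(out)}
    return {}


if __name__ == "__main__":
    print("sample macOS, FileVault on:", filevault_enabled(SAMPLE_FDESETUP_ON))
    print("sample Windows, unprotected volumes:", unprotected_volumes(SAMPLE_MANAGE_BDE))
    print("this machine:", check_this_machine())
```

The caveat the parser encodes is the one worth remembering: "Fully Encrypted" on its own is not enough, because a suspended BitLocker volume reports exactly that while being readable by anyone who boots the disk.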
Unfortunately, checking all your metaphorical locks to ensure that they use encryption and ensuring that all your passwords are complex and unique is not enough, because passwords can be bypassed.
Many smartphones and other devices let you skip entering your password by supplying biometric data, such as your fingerprint or face. This does not weaken the lock, which is still based on encryption, but it adds a second way to open it, and on that path the strength of your password is irrelevant. Your face and fingerprint become another factor that you need to protect from an adversary, and unlike a password they can be captured or presented under duress. Most phones still demand the password after a restart or a long period without unlocking, so the bypass is bounded but present. The safest course of action is to sacrifice usability and disable this functionality.
This problem is not limited to biometrics. An adversary who compromises your email account can use the password reset functionality on another service they wish to access in order to bypass entering the correct password at all. Further, some platforms tie device access to an online account. For example, a Windows device signed in with a Microsoft account can be unlocked with that account's password, and a compromised Apple ID or Microsoft account can be used to remotely manage, lock or erase the devices attached to it. Setting up two-factor authentication (2FA) on your email account, and on any account linked to your devices, can mitigate these threats.
Finally, you may be the bypass. Phishing is commonly used to obtain login credentials for devices and accounts. Two-factor authentication can again mitigate this, with one caveat: one-time codes sent by SMS or generated by an app can themselves be phished and relayed to the real site in seconds, so only phishing-resistant methods such as hardware security keys or passkeys, which are bound to the genuine site, fully close this route. Given the importance, we will cover 2FA for devices and services in a future post in this series.
It is essential that you follow the usual advice to use complex and unique passwords to protect your information. However, this is not the only factor that you need to consider; you also need to examine the ‘locks’ and any bypasses. Doing this will ensure that the effort you put into passwords will have the security benefit that you expect. In the next post, we will look at password managers and how they can support you in this task.