Passwords. The first line of defense against online theft and loss, and a weak one at that. Recently, tech headlines mentioned a 1.4B indexed archive of passwords. The massive 41GB file contained aggregated passwords from 252 breaches and lists. Inspection shows about 16% of them were previously unknown. The question is: should you care?
Rings a bell
The researchers that found the file claim it’s the biggest one ever. It is impressive, but only by a narrow margin. Hold Security, in 2014, claimed to have found 1.2 billion of them. They messed up the disclosure effort, which coincided with RSA in San Francisco. They chose to offer a “breach check” for a fee (120 dollars). Having people pay to find out if they’re a victim sounds unreasonable at best. Also, there’s a good chance you get a message saying “you’re good!” for that money. Nowadays most such efforts are run free of charge, like “Have I been pwned?” by Troy Hunt. That one even sports an API.
So is 1.4 billion a lot? It is. None of us ever counted to that number out loud. However, big numbers are quite normal in this business. There’s no need to panic: 1.4 billion is a number that sounds rather impressive in a press release.
The bad thing about passwords
Passwords are the most widely used authentication factor today. In entry-level infosec courses, we learn there are multiple factors, the most common ones being:
- something you know (password, PIN),
- something you have (certificate, smart card, your OTP token generator),
- something you are (finger print, your retina, your face).
Here’s where things get complicated. Using only a super complex random password is considered “one factor” authentication (it’s just something you know), but using a chip-and-PIN credit card is two factor (you have the card, you know the 4-digit PIN).
As a rule of thumb, two factor is more secure than one factor. Many cloud systems like Google and Facebook are pushing towards 2 factor, usually in the form of knowing your password and having a SIM card with your phone number. 2 factor is being widely deployed, but adoption is slow: it’s often not mandatory, and many people (outside infosec) are not aware of the risks.
The caveat is there are ways around it, usually by manipulating some kind of “backup” process: “I lost my phone”, “I have a new SIM card”, “I forgot my password”, or something similar. In order to reconnect your account to your 2 factors, you obviously need to jump through some hoops. These hoops are a favorite playground for hackers: can they manipulate the process and find creative ways to get access to your account?
For all practical purposes, passwords, antiquated, inadequate and unergonomic as they may be, are still our first line of defense.
The good thing about passwords
You can make passwords as complex as you like. If you do, you either need to be a savant to store them all in your brain mass, or use a password manager, as an average human needs a lot of them. For example, I consider myself security aware and I use 153 passwords (I started the day at 151 though).
And complex passwords, for all practical purposes, are very, very difficult to crack. People tell me it would take the NSA 2 years of clustered breaking for a 256 bit password. I don’t know about that, but the math behind crypto dictates that your password is probably not going to be cracked. That is, if you don’t reuse it.
Most people can’t memorize complex passwords, so you store them in a password manager. There’s a slew of nice ones out there. I use KeePass, as it’s off-line and I’ve been using it for 10 years. There are others, like Password Safe. There are online ones too (good luck!). All of them have nice features, for example typing the passwords in for you automatically. These features sometimes add risk: there has been research into online password managers which found that pretty much all of them had vulnerabilities. It’s difficult to assess the risk of each and every one of them, but using one is probably more secure than not using one.
Reusing passwords is bad
If you reuse passwords you are at risk. For example, you might choose to use the same password for LinkedIn and Google. In 2012, LinkedIn was hacked and user / password pairs were stolen. If hackers get hold of the LinkedIn passwords, they’re going to try them out on Google. So LinkedIn is hacked, but the hackers now own your Gmail too. And if hackers own your Gmail account, they own your identity, because many authentication mails (such as “I forgot my password”) are sent to your e-mail address. Which is why Mikko Hyppönen calls Gmail the “single sign-on for the internet”.
Two of my passwords have been stolen this way, so I would be in a dire situation had I re-used them. Because I use unique passwords, I am not.
This is why we don’t re-use passwords.
What do we do then?
This is what you need to do if you have no idea where to begin with passwords. Bear in mind that because passwords are so ill fit for purpose, this process is not straightforward and requires diligence to manage.
- Start using a password manager today.
- Back up your password file. Please do. I have a backup on my home drive at work, for example.
- Create one master password, unique and “kind of” random, but not so random you can’t remember it, and remember that one. Write it down on paper and lock it in a vault, should you forget. Give your lawyer a copy of the vault key (or tell your spouse where the key is; the important thing is that you have a back-up process).
- Let the password manager create random passwords, which you use for all your accounts.
- Do not re-use passwords. I repeat, don’t do it.
- Using a password alone is not enough. 2 factor everything you can. Quoting from infosec 101, one should combine at least two of three factors: something you know (password, PIN), something you have (certificate, smart card), and something you are (finger print, retina, face).
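As an added example (not the author’s code, nor any password manager’s own tooling), the two checks the list above and the LinkedIn/Gmail story call for, run offline against a constructed password-manager export: flag passwords shared by more than one account, and look each one up the way the “Have I been pwned?” Pwned Passwords range API works, where only the first five hex characters of the SHA-1 would ever leave your machine. The CSV columns and the API response below are constructed stand-ins, not real data.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed password-manager export with KeePass-style CSV columns
# (column names and all entries are made up for this example).
SAMPLE_EXPORT = """\
"Account","Login Name","Password","Web Site"
"LinkedIn","alice","Summer2012!","https://www.linkedin.com"
"Gmail","alice@example.com","Summer2012!","https://mail.google.com"
"Bank","alice","wR7#pLq2vZ9mK4xN","https://bank.example"
"Forum","alice","password","https://forum.example"
"""

# Constructed stand-in for the Pwned Passwords range API
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>),
# which answers with "<remaining 35 hex chars>:<count>" lines. Only the
# prefix for "password" is populated here; other prefixes return nothing.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n",
}

def find_reused(entries):
    """Map each password used by more than one account to those accounts."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["Password"]].append(e["Account"])
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}

def sha1_prefix_suffix(password):
    """k-anonymity split: only the 5-char prefix would ever leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range=FAKE_RANGE_RESPONSES.get):
    """How often the password appears in the range data (0 if not at all)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in (fetch_range(prefix) or "").splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def audit(export_text):
    """Return (reused password -> accounts, account -> breach count > 0)."""
    entries = list(csv.DictReader(io.StringIO(export_text)))
    breached = {e["Account"]: breach_count(e["Password"]) for e in entries}
    return find_reused(entries), {a: c for a, c in breached.items() if c}
```

Swapping `fetch_range` for a function that performs the real HTTPS request to the range endpoint turns this into a live check; the reuse report needs no network at all.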
What happens if I don’t do this?
That depends. If you single-factor yourself through life with one simple password, I would say it’s a matter of time before something bites you in the behind. Difficult to say how long, though.
If you deploy the process but forget (or are too lazy) to do steps 2 and 3, then you will be fine until something happens to you or your passwords. There are many amazing stories of people forgetting their bitcoin wallet passwords (in other words, they had no backup and faced losses of hundreds of thousands of dollars). Here’s a link to a story of a Wired writer forgetting his Trezor PIN.
So yes. 1.4 billion. You should care, but not more than you did last week. Passwords are broken (just look at number 3 in my suggestion list) and you need to deal with that.
Have a great day.
- Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online
- Russia gang hacks 1.2 billion usernames and passwords – BBC News
- Troy Hunt’s “Have I been pwned?”
- Multi-factor authentication – Wikipedia
- KeePass Password Safe