PC Pro

“As a PC Pro reader, you can play your part in helping to spread the password manager message”

Davey dedicates his column to password security, starting with easy tips for you to share with friends before upping the ante with Authy

- DAVEY WINDER

As you might imagine, I get an awful lot of press releases, research papers and statistical surveys coming my way. I haven’t counted them as I’m not that sad, but the majority cover three topics: data breaches, vulnerabilities and passwords. I focused on password reuse in the final paragraph of my last column, and I’m going to fully focus on passwords in this, my last column of 2019. “What do you mean? It’s February 2020 you fool!” It’s actually a few days before Christmas in my office (and the rest of the country to be fair), courtesy of the peculiarities of preparing a print publication. Which means that the analysts have all been going mad analysing the worst passwords of the year, so I might as well start there.

What’s a bad password anyway?

What makes a bad password? Lots of things, like being a dictionary word (dictionary words strung together to make a passphrase are another thing altogether) or being too short, not random enough or simply one that’s used for more than one login. The last on that list, password reuse, is a real bugbear of mine as it causes no end of grief to those who fall victim to a breach at one site only to find other services compromised as a result.

Microsoft recently found more than 44 million such passwords (pcpro.link/306pass) for Microsoft accounts that also appeared in a database of some three billion credentials leaked onto the dark web. All of the users involved were forced to reset the passwords by Microsoft – and they were lucky in my never humble opinion.

Indeed, if I had to pick one thing that makes a really bad password, it would be if it appears in any of the “commonly used passwords” lists that surface from the dark web at this time of year. More than four billion records were exposed during data breaches in the first six months of 2019 alone, and at the beginning of December a researcher uncovered a billion plain text passwords in an unsecured internet-facing database. Seriously, it’s long past the point where you need to get serious about passwords.

Being a PC Pro reader, maybe you don’t have to worry too much yourself; I imagine you’re well aware of the dangers of reused passwords. Your users and your family may not be, however. I can’t stress enough that it’s not only the passwords that pop up on the dark web that you need to avoid; if you reuse any password at all, that’s already a candidate for compromise. You may scoff at the idea of someone using “12345”, “123456” or “123456789” as a password as we emerge into 2020. And I used those examples purposefully, as one analysis of 500 million breached passwords found that these three notched up 6,348,704 appearances between them. But “jKyStr7M*z&3QzBg80ER8bmz@” or “^ZCZ0DbGwdN0h#%s^80J6H&fe” are just as weak in my eyes if you use them in more than one place.

Use a password manager, dammit!

Password management is the key, if you’ll excuse the nerdy pun, to taking control of the situation, be that as a small business or an individual.

Here’s yet another recent survey, this time by a password-less security outfit (so obviously MRDA) called HYPR: pcpro.link/306pass2.

HYPR found that 35% of folk keep their passwords written down either in physical notebooks and sticky notes or Excel spreadsheets. The two-year study of human behaviour as it applies to password management was less of an eye-opener to me than a confirmation of what I already knew. Read the findings and weep. Some 72% of individuals reuse passwords at home, and 49% of employees only ever change or add a digit or character when updating work passwords. 42% relied upon their memory alone when it came to passwords at work, and 35% in their personal life. Hardly surprising, then, that the numbers who had forgotten a password, and so required a reset, within the previous 90-day period was high: 57% at work and 78% at home.

HYPR analysts concluded that people are, overall, not relying upon the technology that’s out there, created specifically to help manage passwords. It’s due to three factors: a lack of knowledge that such tools exist (so start spreading the word), uncertainty when it comes to usage (again, PC Pro readers are the ideal teachers) and a lack of trust in a seemingly random third party to secure this valuable property.

The irony isn’t lost on me that folk who distrust a password management service to properly secure their passwords will happily write them on a notebook or stick them in an unencrypted Excel file. Again, as a PC Pro reader you can play your part in helping to spread the password manager message when it comes to security. Just remember that I’m talking about the relevant risk to the average user of having a managed password database that’s properly encrypted and stored compared to the options of a notebook or list on a phone.

“Seriously, it’s long past the point where you need to get serious about passwords”

A portion of salted hashes please

Which brings me nicely on to my next rant, but I’ll be quick I promise. Even if you store truly unique and random, long and complex, passwords for every site and service in an encrypted password manager app, that doesn’t mean your credentials are safe from attackers. Sure, dictionary and brute force attacks, which are exactly what you would imagine them to be, are less likely to be bothersome if you stick to unique, random, complex and long passwords (mine all exceed 25 characters where allowed).

The use of rainbow tables, which are less easy to define if you’re just going by the name alone, ups the ante a tad. These are, in effect, lists of pre-computed password hashes. A hash is a one-way value: the password goes in, a fixed-length number comes out, and it’s very hard indeed to work back to the password when all you have is that number. Unless the password and its matching hash for that hashing algorithm are already in a rainbow table, which makes cracking it relatively quick and simple. Salted hashes, where random characters have been added to the password before it is hashed, would make any such table too huge and time-consuming to compute.
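To show why a salt defeats a precomputed table, here is an added Python example that is not from the column. It uses a plain digest-to-password dictionary as the precomputed table (a real rainbow table compresses this with hash chains, but the principle is the same) and a constructed list of common passwords standing in for a leaked one.

```python
import hashlib
import os

# Constructed stand-in for a "commonly used passwords" list from a breach dump.
COMMON_PASSWORDS = ["12345", "123456", "123456789", "password", "qwerty"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: the same password always produces the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(passwords):
    """Precompute digest -> password once; the attacker reuses it against every site."""
    return {hash_unsalted(p): p for p in passwords}


def lookup(table, digest):
    """Recover the password behind a stolen digest if it is in the table, else None."""
    return table.get(digest)


def new_salt() -> bytes:
    """Fresh random salt per user; stored in the clear next to the digest."""
    return os.urandom(16)


def hash_salted(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The salt makes each digest unique,
    so one precomputed table no longer covers everybody."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Server-side check: recompute with the stored salt and compare."""
    return hash_salted(password, salt) == stored


def demo():
    table = build_table(COMMON_PASSWORDS)
    # Unsalted: a stolen digest of "123456" is a single dictionary lookup away.
    cracked = lookup(table, hash_unsalted("123456"))
    # Salted: two users with the same password get different digests, and neither
    # appears in the table; the attacker would need a new table per salt value.
    salt_a, salt_b = new_salt(), new_salt()
    digest_a, digest_b = hash_salted("123456", salt_a), hash_salted("123456", salt_b)
    return cracked, digest_a != digest_b, lookup(table, digest_a) is None


if __name__ == "__main__":
    print(demo())
```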

And I’ve not even started on the real spanner in the secure password works: malware and social engineering. Malware that scrapes your credentials as you enter them, or a phishing attack that cons you into entering credentials on a cloned login page, will make your highly secure password as much use as a one-legged man at an arse-kicking party. Regular readers have probably guessed what’s coming next. Yep, that’s right, you need a second authentication factor. 2FA codes, especially those that are generated by an app or a hardware key, make it much, much harder for an attacker to access your accounts, even if they do have your password.

The new smartphone fly in your 2FA ointment

Installation and usage of authenticator apps is easy enough, but that doesn’t mean they are always hassle-free. I was recently contacted by a reader who had upgraded his smartphone to a new swankier model. Which was great, until he tried to set up his authenticator app and found that, while installing the app itself wasn’t problematical, accessing his accounts using it most certainly was.

His mistake was in executing the factory reset option on his old phone, an otherwise highly recommended move, before he’d got the Google Authenticator app up and running properly on his new one. As he found out the hard way, by doing this he couldn’t simply activate each of his protected accounts on the new device by disabling 2FA using the old one. Why? You need a valid authentication code to disable 2FA, and the secret key that’s used to generate the QR code that you scan to add a service to your 2FA app is stored locally on that one device. Once the app has been set up on a new device, a new secret key is required for each registered service. It’s easy to switch the app from one phone to another, but you can’t do the same with those keys. At least not if, like most people, you’re using the Google Authenticator app.
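To make the reader’s predicament concrete, here is an added Python example (not from the column, and not Google’s or Authy’s code) of the time-based one-time password scheme these apps use (RFC 6238 TOTP over HMAC-SHA1). It assumes the standard 30-second step and six digits, and uses the RFC 6238 test seed as a constructed secret: any device holding the same secret produces the same codes, and a device without it cannot, which is why a wiped phone means re-enrolling every service.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed example secret: the RFC 6238 SHA-1 test seed ("12345678901234567890")
# in base32, the form carried in the QR code an authenticator app scans. Not a real one.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP code for one time step, computed exactly as the app on the phone does it."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)       # time step as 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Service-side check, tolerating +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * 30), submitted)
        for d in range(-window, window + 1)
    )


def new_device_scenario(now: int = 59):
    """Old phone and a second device share the secret; a freshly installed app does not."""
    old_phone = totp(EXAMPLE_SECRET, now)
    synced_desktop = totp(EXAMPLE_SECRET, now)            # same secret, same code
    # A new phone with no backup only has whatever secret a fresh enrolment would give it.
    fresh_secret = base64.b32encode(os.urandom(20)).decode()
    new_phone = totp(fresh_secret, now)
    return {
        "old_phone_accepted": verify_code(EXAMPLE_SECRET, old_phone, now),
        "desktop_matches_old_phone": synced_desktop == old_phone,
        "new_phone_accepted": verify_code(EXAMPLE_SECRET, new_phone, now),
    }


if __name__ == "__main__":
    print(new_device_scenario())
```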

Our unfortunate friend was fortunate enough to have saved emergency one-time codes for some of his accounts to his password manager. This meant he could access those to quickly disable 2FA and make the change. The remainder, sans reset codes, required going through the account recovery process on a service by service basis. This, he says, and I believe him, took more than a week of form filling, ID document scanning and numerous phone calls before all his accounts were accessible again.

It doesn’t have to be this way, though, and while retaining your old device and doing the disable/enable 2FA dance works well enough it’s still time consuming and tedious in the extreme. Assuming you don’t want to go down the hardware key route to 2FA, which usually involves a cocktail of cost, complexity and service support, what other options do you have? I took the Authy way out.

Authy (authy.com) is another authenticator app and is compatible with any sites and services where Google Authenticator works. There are versions for Android and iOS, plus Chrome, macOS and Windows. You can back up, and restore, encrypted 2FA account tokens to another device, secure in the knowledge that decryption only takes place on the local device itself and passwords are not stored in the cloud. This alone offers some reassurance to those who worry they will be locked out of important accounts if they lose their smartphone and don’t have the requisite emergency reset codes stored on a different device.

Okay, I know what you’re thinking: having an authenticator app installed on more than one device weakens your security posture. Sure, there’s no doubting that it does. Two devices that could potentially be lost or compromised, giving access to your 2FA app, obviously presents a greater risk than just the one. But, and it’s a big but, good security must be about a balance between risk and usability. If usability isn’t factored into the equation then fewer people use the solution, and so end up being less secure.

“But good security must be about a balance between risk and usability”

The Authy backup is an optional feature, and if you want to tweak that balance more in the “ironclad security” direction, don’t enable it. Keep your Authy backup password long and complex (password managers again, remember) as it will be hashed (1,000 rounds) and salted so you can be sure it’s secure. The authenticator key that pops out is encrypted with AES-256 in cipher block chaining mode, along with a different initialisation vector for every account. It’s only the encrypted result, salt and initialisation vector that gets sent to Authy; the key itself is never transmitted. To breach the encrypted backup that’s sent into the cloud would require an attacker to know, or guess, your password (hence the keep it long, random and complex requirement) or be able to break both AES-256 encryption and SHA-256 hashing. The latter isn’t going to happen any time soon, and if an attacker has the former you’re dead in the water anyway.

So you’ve installed Authy on more than one device (the browser-agnostic desktop version is good for the second) and enabled the backup option, what next? Well, in the new phone scenario, something I’ve recently gone through as I upgraded to a Samsung Note 10+ 5G, this is where things get easy. Install a copy of Authy on the new device and it will ask for verification from one of your existing devices (the desktop, if you’ve got rid of the old phone). This is good and secure as you’re verifying from an existing device that’s already known to, and trusted by, Authy.

Authy will now sync your accounts and can be used as normal. Here’s the most important thing, though: once you’ve done this, you should disable the “Allow multi-device” setting so no new additional apps can be installed. Everything will continue to work on your existing two installati­ons, but an attacker with your username and password, or a SIM-swapped device, won’t be able to sync your 2FA data. If you need to do the phone change thing again, just remember to re-enable the option and Bob is your mum’s brother.

@happygeek Davey is an award-winning journalist and consultant specialising in privacy and security issues

BELOW Managing your passwords securely isn’t optional

ABOVE Authy allows you to back up, and restore, encrypted 2FA account tokens to a different device

BELOW Disable the multi-device option once you’re all set up or there’s a potential way in for hackers
