APC Australia

Super-secure passwords made easy

Human laziness, complacency, general failings and unending ingenuity to subvert systems have undermined passwords forever. It’s time to next-gen your security, and save all your passwords, says Neil Mohr.


In any system, humans will find a way to subvert the rules for their own gain. It’s a recurring theme: from skipping class, cheating in games, fixing the banking system, and exploiting welfare, down to stealing from work, and gambling in Vegas. So it shouldn’t be a surprise that most humans choose the lazy option when it comes to password security, as well.

It’s too easy just to say humans are lazy, and pin terrible password security on that. Humans will always attempt to game systems at both ends, which is why passwords are being hacked and people want to avoid memorising them in the first place. It’s not good enough to just use a strong password; we now live in a world where so much is tied up with our online lives that hackers are doing more and more to break into online accounts.

So we’re going to look at the whole subject of password security, and hence online account security, how we can choose better passwords, how we can make our lives easier but also safer, how we can increase protection beyond passwords, and how hackers attack and use your account details.

Some of this advice you’ll have probably heard before, some of it is hopefully new, but by the end, you’ll be suitably terrified that you’ll overcome your human propensity for laziness, and get up off your arse, and protect your passwords!

Let’s start by scaring the trousers off you. There has been a host of research on password security, made much easier by the huge number of database breaches in recent years. One of the widest-ranging research efforts was by Google, published mid-2017 in its ‘Data breaches, phishing, or malware? Understanding the risks of stolen credentials’ paper (research.google.com/pubs/pub46437.html).

Some sweet nuggets from that little cache include the fact that the researchers swept over 1.9 billion non-unique account usernames and password credentials. These were taken from a variety of leak sources, but mostly blackhat security forums. An insane 76% of these could be (or already were) easily converted to plain text (best practice is to hash and salt stored credentials). The researchers were able to reverse an impressive 36% of hashed passwords, using a suitable keyword attack.
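To show why “hash and salt” is the best practice the paragraph refers to, here is an added example (not from the article or from Google’s paper): the weak scheme, where identical passwords share one fast unsalted digest that a precomputed lookup table reverses, beside the hardened scheme, where a per-user random salt and a slow KDF make each stored record unique. The two usernames and the five-word “common passwords” list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data, not from the article: two users who chose the same
# weak password, plus a tiny "common passwords" list of the kind used to
# reverse unsalted hashes in bulk.
USERS = {"alice": "password1", "bob": "password1"}
COMMON_PASSWORDS = ["123456", "password", "qwerty", "password1", "letmein"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a fast hash with no salt. Every account sharing a
    password gets the identical digest, and that digest can be looked up in a
    table computed once and reused against every leak."""
    return hashlib.sha1(password.encode()).hexdigest()


def reverse_unsalted(digest: str, wordlist=COMMON_PASSWORDS):
    """Why 'hashed' is not 'safe': precompute digests for common passwords and
    look the leaked digest up. Returns the password, or None if not found."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return table.get(digest)


def store_password(password: str, iterations: int = 600_000) -> dict:
    """Best practice: a random per-user salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256 here). Only salt, cost and digest are stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def salting_separates_users() -> bool:
    """True when the two identical passwords produce different stored digests,
    so neither a shared-digest match nor a single lookup table applies."""
    a = store_password(USERS["alice"])
    b = store_password(USERS["bob"])
    return a["digest"] != b["digest"] and a["salt"] != b["salt"]
```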

Of those stolen via phishing attacks, 49% were from Americans (with only 1.8% being from Australia). When it came to pure security leaks, 39% of credentials were linked to Americans. As for credentials stolen via keyloggers, Americans were targets in 8% of incidents; Brazil accounted for the highest amount in this group at 18%.

Credential leaks appear to happen regularly these days. The largest ever remains the initially hushed-up Yahoo leak, back in 2013, in which pretty much every Yahoo account ever was leaked, totalling 3 billion. Adult Friend Finder topped 412 million, the 2017 Equifax breach hit 143 million Americans, while MySpace, Adobe, LinkedIn, Dropbox, LastFM, NexusMods and many more have all had their leaks, each individually releasing millions of users’ details.

These leaks show the basic issue with password reuse: if you are using the same password across all of your online accounts, it just takes a single leak to contain that password, and all your accounts are compromised.

SCIENCE, SAVE US!

So the logical next question is: What makes a secure password? Entropy. That means the level of randomness in a system. By randomness, we mean true randomness. It’s not enough to have a long password, it has to be long and truly random. We stumbled across a lovely analysis of poor passwords by WPEngine, at wpengine.com/unmasked.

Among many things, it shows that password creation is a truly gender neutral pursuit — men and women can live equally in a world with terrible passwords. It’s worth a read — as well as being funny and interesting, it highlights a lot of general failings of humans when it comes to creating passwords.

The obvious beginnings are the standard bad passwords: “123456” and any variation thereof, “password”, “qwerty” and again any variation of those. Obvious stuff. Another issue is that many password guidelines are bad — forcing upper-case letters, for instance, because people tend to just capitalise the first letter; forcing at least one number, because people just put “1” at the end; or demanding a password of at least a certain length, because people use a pattern on the keyboard. For example, the seemingly random “ADGJMPTW” is actually people typing 2–9 on a smartphone number pad. These habits don’t make for strong passwords: the results have far lower entropy than they appear to, so they are much easier to guess.

It’s that human nature thing. One group wants to protect a system; another wants an easy life, so it circumvents the rules; a third group is attempting to break in. So how do we make stronger passwords?

A few years ago, a Dropbox engineer, Dan Wheeler, wrote a blog post (tinyurl.com/apc457-wheeler) referencing Randall Munroe’s classic XKCD correcthorsebatterystaple cartoon (xkcd.com/936) on password entropy, alongside Mark Burnett’s earlier research (tinyurl.com/apc457-burnett). Dan’s post is long and complex, and focuses on what makes a strong (high entropy) password, alongside how that can be easily measured and communicated to the user. Conversely, Randall’s point was part password strength, but he was largely extolling the need to make password systems human-friendly.

We don’t want to get into the nitty-gritty too much, but effectively a good password is a long password. Simple. The XKCD approach is to use a memorable series of words or a phrase, usually painting an odd scene, such as the classic example of “correct horse battery staple”, but it could be a phrase such as “basketball on a unicycle flying high”. From a memorability point of view, this taps into techniques used by memory experts. Of course, throw in some numerals and symbols, and it’s even stronger.
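The entropy argument of the last few paragraphs, worked through as an added example (not from the article, XKCD or Dan Wheeler’s post): bits for a uniformly random character password, for an XKCD-style passphrase (four words from a 2,048-word list gives 44 bits), and for the “ADGJMPTW” keypad walk, which is nominally eight letters but really one of a handful of well-known patterns. The 95-character printable alphabet, the keypad letter mapping and the 1,000 guesses/second rate are the assumptions used.

```python
import math

# Character-class sizes for passwords generated uniformly at random
# (33 is the count of printable ASCII symbols; 95 is everything printable).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 95

# The letters on a phone keypad's 2-9 keys, as in the article's ADGJMPTW example.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}


def random_chars_bits(length: int, alphabet_size: int = PRINTABLE) -> float:
    """Entropy of `length` characters each drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a list of
    `dictionary_size` words (the XKCD 936 model: 4 words from 2048 = 44 bits)."""
    return word_count * math.log2(dictionary_size)


def keypad_first_letters(keys: str) -> str:
    """Turn a keypad walk such as '23456789' into the letters a user ends up with."""
    return "".join(KEYPAD[k][0] for k in keys)


def pattern_bits(number_of_known_patterns: int) -> float:
    """A password that is one of N well-known keyboard or keypad patterns has
    only log2(N) bits, however long or 'random-looking' it is."""
    return math.log2(number_of_known_patterns)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every possibility at a given guess rate (XKCD assumes an
    online, throttled 1,000 guesses per second)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)
```

At 1,000 guesses/second the 44-bit passphrase takes around 550 years to exhaust, while an eight-letter keypad walk that is one of, say, 1,024 known patterns has 10 bits and falls in about a second.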

None of this addresses the core issue, though, that we now have a seemingly endless number of online services to use and try, each with their own password and login. Even making passwords memorable wouldn’t solve the innate issue of having to remember them all. The solution to that is a password manager.

MICROSOFT, SAVE US!

The obvious place to start is to ask what tools Microsoft provides in Windows 10 or beyond. The blasé answer is ‘none’. Windows doesn’t come with any specific password management tool. What Microsoft has done is build a basic password manager into its Edge browser, which enables those saved passwords to be synchronised across your Windows accounts, and to any other instances of the Edge browser you might be running — Edge on Android, for example. But what if you’re not on your Windows account? What if you’re not on Windows at all? What if you’re using Chrome or Firefox? What if you want to create a strong password? What if a site is demanding non-standard credentials? The Edge password manager is basic at best, and fails to help in all but the most simple of scenarios.

BROWSERS, SAVE US!

How about a browser that you might actually want to use? The most widely used browser at the moment is Google Chrome, and it comes with a reasonable password manager built in. To kick off, if you’ve logged in with your Google account, it syncs passwords across all of your devices and operating systems (Windows, macOS, Linux, Chrome OS), and is, of course, available on Android and iOS devices, too. Google also offers an online service at passwords.google.com that enables you to log in and access passwords from within any browser on any device.

Beyond passwords, Chrome also supports intelligent form filling. You can enter a default address, phone number and email address, and if Chrome thinks you’re filling those details in, it offers to try to auto-fill entire forms or individual elements. Alongside this, it has a secure credit card storage option, if you find the idea of Google having your credit card details a good one... What could go wrong?

Chrome’s basic but smart enough password manager means that, as long as you’re logged in to your Google account, a right-click in a password field offers the option to generate a secure password. There are no options, it just provides a random password of suitable length. It then, of course, saves and manages that login and password for you. You can set exceptions and manage the saved passwords from within the Advanced Settings. Access to these is protected via a system prompt to enter your Windows password.

The other main browser worth a mention is Mozilla Firefox, although it doesn’t provide much more functionality than Microsoft Edge. It synchronises your passwords through its own Firefox account to any supported OS or device. It doesn’t fill forms and won’t generate passwords for you, but it does offer an independent master password to protect access.

LASTPASS, SAVE US!

So browsers generally leave us wanting more when it comes to real password management. You could get by with Google Chrome, but we can do better. Enter the world of dedicated password managers. We’re going to concentrate on LastPass in this main section — for alternatives, see the various boxes throughout the feature. It’s certainly one of the prime options to look at when it comes to picking a password manager; the free account provides the majority of the basic functions people require, while the paid-for premium edition is just US$2 per month.

LastPass is a multi-device, multi-OS, multi-browser tool. It largely works as a browser plugin for the big five: Chrome, Firefox, Safari, Edge/Internet Explorer and Opera. It runs on all the main desktop OSes: Windows, macOS, Linux and OpenBSD. And for mobile devices, there’s Android, iOS and Windows Phone support. Plus, you can log in to your LastPass password vault through any browser, too.

The name LastPass comes from the fact that your LastPass account password will be the last password you need to remember; it’ll take care of all the rest. So what does it do? The main use is via a browser plugin and apps on your mobile devices. As you create new accounts or log in to existing ones, LastPass stores your usernames and passwords, or offers to generate new passwords as accounts are created.

The LastPass password generator is pretty sweet. You can choose any length, up to 100 characters, select any mix of upper and lower-case, choose the quantity of numbers to use, and decide if it should use symbols. There are also advanced options for avoiding ambiguous symbols or attempting to make it pronounceable.

Accounts can be grouped into categories and searched. You can add notes and opt for automatic logins, to help speed you into accounts. LastPass also supports automatic filling of standard forms: names, addresses, emails, phone numbers, bank accounts, credit cards and custom fields. There’s a general encrypted notes tool, too. It also offers a warning for insecure forms, plus a security audit of existing accounts that you might import from your browser. Two-factor authentication is supported, too (we’ll cover this later). The paid-for service expands password filling to other applications, on both Android and Windows — LastPass can fill in a program’s password and fields; handy these days as more programs require some type of login for subscriptions.

Once installed, it’s worth looking at the Preferences. We like to add a log-out time, so if you leave your PC alone, it logs itself out after an hour, for example.

LastPass isn’t the only password manager to offer all these features, but it does provide an idea of the expanded capabilities, improved security, and genuine ease of use a dedicated service offers.

But with great power comes great responsibility. A service like LastPass requires you to use a strong master password; if that is hacked, someone will gain access to every service you use. And if you forget the password, LastPass can’t restore your master password, as it is never sent to LastPass in the first place, as a deliberate security measure. It might sound like we’re putting all our eggs in one basket, but what do you want — an individual basket for every egg, or just one awesomely secure basket?

Even security-conscious businesses can be hacked and run into issues (en.wikipedia.org/wiki/LastPass#Security_issues). LastPass has had a number of vulnerabilities exposed, and even had a successful hack attack on its own servers in 2016. But as a security-conscious company should, LastPass offers bug bounties — which it honours — and is open about breaches with its users, while using best practice on its secure storage. So even the server breach in 2016 meant users’ own passwords remained secure.

GABEN, SAVE US!

A question that security experts started to ask a while ago was: Is there anything better than passwords? You won’t like the answer, but it’s unlikely we’ll ever be completely free from passwords, though two-factor authentication offers a respite. Called TFA for short, the premise is that people require two forms of identification, aka authentication; typically, the first is a strong password (something you know), and the second can be your fingerprint, your delightful face or a generated one-time-use passcode (something you have).

As you might have spotted, many phones are now using fingerprints and face scans to authenticate access. Financial institutions are even happy enough that NFC-equipped phones can authenticate credit card transactions. Some systems (LastPass, VeraCrypt) accept USB thumb drives and specialist USB keys (YubiKey, www.yubico.com) as a second form of authentication. Steam is a good example of a service that was quick to provide two-factor authentication. You should be familiar with its email verification, which sends a code to your default email address, while more recently, Valve introduced the Steam Authenticator app, which is required if you’re messing around with its trades.

Image caption: Google Chrome can manage and synchronise passwords across your devices.
Image caption: A well-integrated mobile app handles online accounts and local app logins.
Image caption: Most password managers work through a browser plugin, as that’s where we all live now.
Image caption: One-time use access codes enable emergency access if you lose your TFA device.
Image caption: Steam has offered secondary authentication for many years.
