One Account to Ruin Them All!
Hackers know that if they can successfully swipe the login usernames and password hashes for one website, it’s likely that the same login combination will work on other sites too. This is known as credential stuffing: taking known username and password combinations and brute-forcing them against other websites. With most users and businesses not employing password management policies, this problem is commonplace.
Any website that allows people to create accounts is going to have some value for hackers because of these username and password combinations that are stored within them.
So even if it’s a forum, or if you think the site you are signing up to is a somewhat less commercially appealing target, the password you choose should always be unique and as strong as the use warrants.
Breached Websites: How many are there?
If you head over to this website you can swiftly check if you are likely to be the victim of any known website hacks.
Go ahead and try it; you might be surprised to find out that your username, password, address, workplace, credit card, postcode, religion and other data are publicly available.
LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.
Compromised data: Email addresses, Passwords
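Why unsalted SHA1 made the LinkedIn dump so quick to crack is easier to see in code. The following is an added example, not code from the original post: it stores a constructed three-user sample both the way LinkedIn did (one SHA1, no salt) and the way a site should (per-user random salt plus a deliberately slow PBKDF2-HMAC-SHA256). The user names, passwords and the tiny wordlist are all made up for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample store: three users, two of whom chose the same password.
USERS = {
    "alice": "Summer2016!",
    "bob": "Summer2016!",
    "carol": "correct horse battery staple",
}

# Constructed, deliberately tiny wordlist standing in for the huge ones
# that were run against the real dump.
WORDLIST = ["123456", "password", "Summer2016!", "linkedin"]

PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def unsalted_sha1(password: str) -> str:
    """The scheme the LinkedIn breach used: one SHA1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS):
    """Per-user random salt plus a slow KDF. Returns (salt, digest); store both."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def shared_hashes(users=USERS) -> bool:
    """True if two users end up with the same stored value.
    With no salt, password reuse is visible in the dump itself."""
    hashes = [unsalted_sha1(pw) for pw in users.values()]
    return len(set(hashes)) < len(hashes)


def shared_salted_hashes(users=USERS) -> bool:
    """Same check on salted PBKDF2 output: distinct salts give distinct digests."""
    digests = [salted_pbkdf2(pw)[1] for pw in users.values()]
    return len(set(digests)) < len(digests)


def precomputed_table_hits(users=USERS, wordlist=WORDLIST) -> list:
    """Audit helper: which accounts fall to a table built ONCE from the wordlist.
    One SHA1 per candidate covers every account because nothing is per-user;
    a salted store would need the whole wordlist re-hashed per account."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return sorted(u for u, pw in users.items() if unsalted_sha1(pw) in table)


if __name__ == "__main__":
    print("reuse visible in unsalted store:", shared_hashes())        # True
    print("reuse visible in salted store:  ", shared_salted_hashes())  # False
    print("accounts hit by a 4-word table: ", precomputed_table_hits())
```

The point for a site operator is the last two functions: a salted, slow KDF turns "hash the wordlist once" into "hash the wordlist once per account, slowly", which is what kept most well-stored breaches from being read off in days. The point for a user is the first one: in an unsalted dump, everyone who chose your password is exposed together.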
So let’s suggest that you had an account on LinkedIn between 2012 and 2016 and used the same password on other sites. You were likely a sitting duck waiting to be hacked.
Have you ever received an email threatening that if you don’t send bitcoin, photos will be sent to your contacts – worse still, quoting a password you recognise as evidence? This sort of breach, amongst many others, is likely where it came from!
Here I want to focus on the number one gripe that my clients’ users hate to deal with: password management.
Make a good password and never recycle it on another account.
Remembering passwords is difficult. As humans we are best placed to remember things by association, so coming up with a random word on the spot and building other things around it is complicated. Instead we tend to make one strong password and use it over and over, thinking we’re doing the right thing to adhere to the rules placed on us when setting up an account.
However, even writing down usernames and passwords in a book hidden away somewhere safe is a better strategy than recycling even the strongest password.
I am pretty good at making up passwords, although there are only so many I can commit to memory. So how do I overcome this issue, and what solutions do I recommend to my clients?
1) A Password Manager. For the single user.
For years I have recommended using an open source application called KeePass. There are many others that do the same job; just search the app store on your phone for “Password Manager”.
The principle is simple: you use the KeePass application to keep a ‘register’ of usernames and passwords.
This register is a database file that lives on your computer, in the cloud or on a USB stick. The only way to open it is through a compatible application such as KeePass, with a password and/or an additional accompanying file called a token.
Once you start using a tool for password management you will never go back: it becomes habitual within a short space of time, and you will sleep easier knowing your passwords are strong, complex and unique.
2) Secret Server. For many users; can be installed on your own server (free up to 25 users) or purchased in the cloud.
When I meet a client who needs to share passwords for different accounts among many users (e.g. developer, IT and finance teams) I steer them away from KeePass and towards a more team-oriented solution like Secret Server.
This is helpful as it centralises the password register and makes it easily available across the intranet/internet. Every user’s access is controllable and audited, so you can control who sees what. Single sign-on with Active Directory is a cinch and provides even more simplicity for end users. Wherever we have used this it’s been a real success.
3) Authenticator App AKA 2FA or MFA. Everybody should use this where offered.
Many online services now offer second-factor authentication, and some even force it on users (a bank or financial services provider might enforce this).
Typically it involves being sent an SMS, receiving a phone call or having a code sent over email. Nowadays it’s smarter: you can get an app on your smartphone (such as Azure Authenticator) that enables push-based notification authorisation (you get a prompt on your phone to confirm login activity) or offers a time-based token that you use as the code when prompted.
If you use Office365 there are ways to lose the password altogether and configure something called Windows Hello. This uses biometric technology, with either facial recognition or a thumbprint, or indeed a PIN. This is recommended as a stronger authentication mechanism than passwords and is already ubiquitous across higher-end mobile devices.
I’ve found this strategy to actually be EASIER in the long run. Once you have mastered it you don’t need to worry too much about forgetting a password, since lookup and recovery are easy and secure.
If you can make strong passwords and go the extra step of using a password manager, there is little need to reset passwords regularly. It just means you need to be more sure that a password has not been breached:
- Regularly check the https://haveibeenpwned.com/ website to cross reference your accounts to known breaches.
- If you have MFA switched on then it is more obvious if somebody is trying to access your account.
- In Office365 there are reports and security features wrapped into the Azure side of your portal. I recommend you read my other blog on Microsoft Secure Score HERE.
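The haveibeenpwned.com password check is worth understanding before you automate it, because it is designed so the password never leaves your machine: you hash it with SHA1, send only the first five hex characters, and the service returns every known suffix for that prefix with a breach count, which you match locally. The block below is an added example, not code from the post or from Have I Been Pwned: it implements that client logic against a constructed stand-in for the service's reply (the filler suffixes and the count are invented), and includes an un-exercised fetcher for the real `api.pwnedpasswords.com/range/` endpoint for anyone who wants to run it live.

```python
import hashlib
import urllib.request


def split_hash(password: str):
    """SHA1 the password; the first 5 hex chars go to the service, the rest stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def _build_sample_responses():
    # Constructed reply for one prefix, in the service's "SUFFIX:COUNT" line format.
    # The real reply carries hundreds of suffixes; these two fillers and the count are made up.
    prefix, suffix = split_hash("password")
    lines = [
        "0" * 34 + "A:2",        # fabricated filler suffix
        f"{suffix}:3861493",     # the suffix for "password" (count invented)
        "F" * 35 + ":17",        # fabricated filler suffix
    ]
    return {prefix: "\r\n".join(lines)}


SAMPLE_RESPONSES = _build_sample_responses()


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines and CRLF."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch_range(prefix: str) -> str:
    """Stand-in fetcher that answers from the constructed sample."""
    return SAMPLE_RESPONSES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real service (not exercised here). Only the 5-char prefix is transmitted.
    Add-Padding asks the service to pad the reply with count-0 entries so the
    response size does not hint at which prefix was queried."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "added-example-breach-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        n = breach_count(candidate, offline_fetch_range)
        print(f"{candidate!r}: seen {n} times in the sample data")
```

Swap `offline_fetch_range` for `live_fetch_range` to query the real service; a non-zero count for a password you are still using means it belongs on the "change now" list regardless of how strong it looks.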
Password and account management is at the heart of data access. You don’t give the keys to your company to just anybody – check with ACITConsultancy today to see if you know who has access to the digital keys of your business.