Passwords and Logins – Simplify Your Life (Without Compromising Your Security and Privacy)


Introduction

Imagine a system so secure that accessing it required possession of a physical key card, a 100-character password and a biometric face scan.

Now imagine a system so easy to access that it just required the ‘logon’ button to be clicked, without entering a password or username, followed by a glance at a smart phone.

Now imagine all the security of the first system, combined with all the ease of the second system. This is what modern tooling can achieve, with just a few minutes spent setting it up.

This paper looks at password techniques, password managers and multi-factor authentication and how modern versions of these tools can make everyone’s lives easier and much more secure.


Does Length Really Matter?

While there are many new safeguards designed to prevent password guessing, the length, complexity and uniqueness of a password are still important factors to make an account secure.

Computer programs designed to guess passwords work by harnessing new technologies to make millions of guesses per second. The longer and more complex a password is, the more guesses are required before the correct combination is found. Modern password guessing programs will also try dictionary words, common variations and commonly used passwords, which makes unique passwords important.

Many safeguards have been developed to protect against these guessing methods and are often extremely effective where they are implemented. In some cases, systems may only allow three incorrect login attempts, or there may be inherent limitations, such as bandwidth and processing power, that stop multiple login attempts. Additionally, new cryptographic storage techniques are making it harder for attackers to guess passwords, even in ‘offline’ attempts.

Unfortunately, though, these safeguards are not implemented universally, and are not completely foolproof. Individuals should never put all of their personal security in the hands of security features which may or may not be present.

It is for this reason that making passwords long (lots of characters), strong (using lower case, upper case, special characters, and numbers) and unique (only used for one system/login) is still an important baseline for personal security.
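The paragraphs above describe password guessing in terms of guesses per second, search space and common-password lists. The following script is an added illustration, not part of the original paper: it estimates the search space of a password from its length and the character classes it uses, and compares how long exhausting that space would take at an assumed offline rate against a fast hash versus an assumed rate against a deliberately slow password hash. The guess rates and the tiny common-password list are constructed assumptions for the example.

```python
import math

# Constructed stand-in for the wordlists of common passwords that guessing
# programs try first (the real lists run to hundreds of millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1!"}

# Alphabet size contributed by each class of printable ASCII characters
# (26 + 26 + 10 + 33 = 95 printable characters in total).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

SECONDS_PER_YEAR = 365 * 24 * 3600


def classes_used(password: str) -> set:
    """Return which of the four character classes a password actually uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def search_space_bits(password: str) -> float:
    """Bits an attacker must cover to try every string of this length drawn
    from the classes the password uses: log2(alphabet ** length)."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return len(password) * math.log2(alphabet)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole search space at a given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def assess(password: str, fast_rate: float = 1e10, slow_rate: float = 1e4) -> dict:
    """fast_rate: assumed guesses/s offline against an unsalted fast hash
    (GPU class). slow_rate: assumed guesses/s against a deliberately slow
    password hash such as scrypt or Argon2. Both rates are illustrative.
    A password on the common list is reported as effectively zero strength,
    because it is tried before any brute force begins."""
    if password.lower() in COMMON_PASSWORDS:
        return {"common": True, "bits": 0.0, "fast_years": 0.0, "slow_years": 0.0}
    bits = search_space_bits(password)
    return {
        "common": False,
        "bits": round(bits, 1),
        "fast_years": years_to_exhaust(bits, fast_rate),
        "slow_years": years_to_exhaust(bits, slow_rate),
    }


if __name__ == "__main__":
    for pw in ["Password1!", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(pw, assess(pw))
```

Running it shows the point the section makes: a 25-character all-lower-case passphrase has a far larger search space than an 11-character password that uses every class, and a slow storage hash multiplies the attacker's cost by the ratio of the two rates on top of that.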


Is Multi-Factor Authentication A Silver Bullet?

Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA or TFA) is when a secondary (or further) authentication method is used to verify the user's identity. This is normally carried out by validating that the user has something physical (such as a smart phone, token, smart card etc.) or that they are something (such as biometrics, including fingerprint and face scan technologies). Modern MFA techniques leverage smart phones and one-time codes via SMS or app-based login approval.

It's now commonly believed that modern MFA techniques nullify 99.9% of attempts to illegitimately gain access to accounts, but why is this?

In traditional investigations, investigators often look at three key elements: means, motive and opportunity. Unfortunately, with illegitimate account access, particularly when the system is internet based, all that is required to carry out an attack is an internet-connected device, anywhere in the world. This means that billions of people have both the means and the opportunity to commit the crime.

Multi Factor Authentication looks to combat this problem, as access now requires a secondary verification which is much harder to fake from different physical locations.

When a modern smart phone is used for MFA, a third verification is often added seamlessly for the user. Most modern phones will require either a PIN code or a face/fingerprint scan to unlock them, and in doing this the user has provided an additional verification method.

It may not seem like a lot, but by typing in a password online, then glancing at an iPhone and pressing the accept button within an authentication app, a user has not only verified they know the password, but also that they have physical possession of the only device in the world that will allow access, and that their face matches the face of the approved user.

Defeating MFA is not entirely impossible, but in most cases gaining access to an account protected by MFA becomes far too hard for an attacker, and they move on.

The usual process of a criminal breaking into an account would involve them using a list of a million or more email addresses, along with a database of billions of possible passwords, and using a high-powered computer to attempt combinations over and over again until one works.

When an account is protected by MFA, breaking into that one account would require targeted physical action, such as pickpocketing a device or SIM-swapping; then the attacker would have to overcome the device's biometric verification; then the criminal would have to guess the password in the short space of time before the user becomes aware their device is missing. It's for these reasons that MFA is said to nullify 99.9% of attempts to breach accounts and passwords.

Almost no criminals will have the means to overcome MFA, and even those that do know they will get much more lucrative results pursuing the other 999,999 accounts, which can be done in a matter of hours, rather than spending weeks trying to break into a single MFA-protected account.

MFA should be set up wherever it is available, but if that is not possible it should at the very least be enabled for a user's more important accounts, such as internet banking and email.


Why is Email so Important?

It's not something often considered, but most modern online systems rely on email accounts as a backup verification. If the password or other login method is forgotten, the 'I've forgotten my password' functionality will send a message with password reset instructions to the user's email address.

If a criminal were to gain access to an email account, they can use it to reset passwords and ultimately gain access to many other accounts. This is why it’s important to have a really strong password/passphrase, which is not used anywhere else, and to enable MFA for email accounts.


Enter Password Managers

Password managers are very good pieces of software and are highly recommended.

Password managers randomly generate very complex, very long and unique passwords. They then store them securely, along with other account details, so the user doesn’t need to remember them on each login. Password managers will also automatically prefill account and password information, greatly improving the experience of users who regularly log in to multiple different websites or systems.


Once set up, the user will only need to type one password and then enjoy a seamless, one click login experience while simultaneously getting the benefit of very secure passwords.


Key features of a good password manager are:


·         ‘No Trust’ architecture – this means all data is encrypted before leaving the device, so even if the password manager infrastructure suffers a breach, the criminals can’t read any passwords.

·         Generate passwords – In order to be effective a Password Manager must generate long, strong, unique and random passwords.

·         Multifactor Authentication – As a Password Manager will hold all passwords, it is critically important that it is highly secure. A good password manager will have the option for MFA to be used on every login.

·         Breach Monitoring – No matter how strong a password is, accounts can be compromised if passwords are given to the wrong person as a result of being tricked. Good Password Managers will monitor various dark web and underworld websites, and notify the user if their email addresses are included in the data criminals are exchanging.

Unfortunately, password managers don’t always work for every corporate and personal application. They also need an initial password or passphrase from the user, and so the ability to create and remember strong passwords is still extremely important for both users of password managers and non-users.
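The "Generate passwords" feature above is simple to get right and easy to get wrong. The following is an added example, not the paper's or any particular product's code, of how a generator should produce the long, strong, unique and random passwords the section calls for: it draws from the operating system's cryptographic random source (Python's secrets module, never the random module), guarantees every character class is present without biasing the result, and also produces word-based passphrases of the kind a user must still be able to remember for the manager's own master password. The word list is a constructed eight-word sample; a real passphrase generator would use a list of several thousand words.

```python
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?",  # 25 symbols most sites accept
}
ALPHABET = "".join(CLASSES.values())  # 87 characters in total

# Constructed tiny word list for the example; a real generator draws from a
# list of several thousand words (e.g. the 7,776-word Diceware list).
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor"]


def generate_password(length: int = 24) -> str:
    """Uniformly random password from ALPHABET containing at least one
    character from every class. Rejection sampling (redraw until the policy
    is met) keeps the distribution uniform over all qualifying strings;
    forcing one character of each class into fixed positions would not."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES.values()):
            return candidate


def generate_passphrase(words=WORDS, count: int = 5, separator: str = "-") -> str:
    """Random words joined by a separator: easier to type and remember, and
    with a large word list still far beyond any guessing program's reach."""
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of a uniformly random string: positions * log2(choices).
    Works for characters (choices = alphabet size) and words (choices =
    word-list size) alike."""
    return positions * math.log2(choices_per_position)


if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(len(ALPHABET), 24), 1), "bits")
    print(generate_passphrase(), round(entropy_bits(len(WORDS), 5), 1), "bits")
```

The entropy figures make the trade-off concrete: 24 random characters from an 87-character alphabet give about 154.6 bits, and five words from a 7,776-word list give about 64.6 bits, which is comfortably beyond the guessing rates discussed earlier while remaining something a person can type from memory.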


Why do I need different passwords/passphrases?

There are many ways that a criminal could come to learn a password through no fault of the user. Once a criminal has a password, its length and complexity no longer matter.

As soon as the criminal has a password, they will begin trying it on other systems to see if the user has used the same password on Facebook, Instagram, Hotmail, Gmail, and so on. Often this will be automated, with the email address and password combination tried on thousands of websites within seconds. Other times the process may be more targeted, with the criminal using the email address to locate the user on LinkedIn, finding out where they work, then attempting to use the username/password combination to access corporate data.

The uniqueness of the password prevents this, and ensures the criminal only has access to the single system where the password was first set up.
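The automated reuse described above is known as credential stuffing, and from the defender's side it has a recognisable shape: one source tries many different usernames in quick succession, whereas a legitimate user who has mistyped their password fails repeatedly on a single username. The detector below is an added example, not part of the paper, run over a constructed authentication log in a made-up line format; the IP addresses are documentation ranges and the accounts are invented. It flags any source that attempts logins for several distinct accounts within a short window and lists which of those attempts succeeded, since those are the accounts whose reused password must be reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (invented format, not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=frank@example.com result=FAIL
2024-05-01T10:00:10Z ip=198.51.100.7 user=bob@example.com result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.7 user=bob@example.com result=FAIL
2024-05-01T10:00:31Z ip=198.51.100.7 user=bob@example.com result=FAIL
2024-05-01T10:00:40Z ip=198.51.100.7 user=bob@example.com result=OK
2024-05-01T10:05:00Z ip=192.0.2.9 user=carol@example.com result=OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not
    match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def detect_credential_stuffing(lines, window_seconds: int = 60, min_distinct_users: int = 5) -> dict:
    """Flag each source IP that, within any sliding window of `window_seconds`,
    attempted logins for at least `min_distinct_users` different usernames.
    Successful and failed attempts both count: a stuffing run that finds a
    reused password produces an OK, and that account is the one to reset.
    Returns {ip: {"distinct_users": peak_count, "successes": [usernames]}}."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        peak, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, len({e["user"] for e in evs[start:end + 1]}))
        if peak >= min_distinct_users:
            flagged[ip] = {
                "distinct_users": peak,
                "successes": [e["user"] for e in evs if e["result"] == "OK"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the sample, only 203.0.113.5 is flagged (six accounts in five seconds, one of them successful), while 198.51.100.7, which is a single user failing on their own account before getting it right, is not, even with a much lower threshold. The distinct-username count is what separates the two; counting failures alone would flag both.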


How could criminals actually get my password/passphrase, and how likely is it?

There are several methods criminals could use to obtain a password/passphrase; they include:

  • Brute forcing - This is the term given to the method discussed earlier of using a computer program to make lots of random guesses very quickly. This is the primary reason we need long and complex passwords/passphrases, as it makes this process much harder and makes it take much longer.

  • Phishing - Pronounced ‘fishing’, this is a social engineering technique where criminals create emails and websites, often using well-known brands, such as Google, Amazon or financial institutions. They then trick users into entering a username and password, which is then sent to the criminals rather than the legitimate organisation.

  • Breaches - A breach is when a criminal gains access to a website's or system's list of usernames and passwords. When this happens the criminals usually gain access to every username and password registered with that website. This doesn't just happen to small websites that can’t afford good security; some recognisable names have suffered very large breaches of varying severity.

    • Facebook - 540,000,000 user records breached

    • eBay - 145,000,000 user records breached

    • Equifax - 147,900,000 user records breached

    • LinkedIn - 165,000,000 user records breached

    • Yahoo - 3,000,000,000 user records breached

  • Criminal Collaboration - After one of the above techniques has been used successfully, criminals will often sell and share the usernames and passwords they have gained access to. In some cases, these are then compiled into large databases that contain hundreds of historic breaches that criminals can buy access to. Sometimes, after successfully stealing usernames and passwords, criminals will post them publicly online, giving access to anyone and everyone.


Conclusion

By implementing MFA wherever available, using a modern Password Manager, and creating unique passphrases when needed, anyone can make all of their accounts virtually unbreachable, while also reducing the need to remember passwords and simultaneously improving their experience across multiple websites and systems.

Cybercriminals have modernised and progressed their capability and collaboration in recent years, and it is no longer acceptable to use the same or similar passwords between systems. Modern software and safeguards have also progressed, and it is no longer necessary to remember or write down large numbers of passwords.