My password has been "fido" for years
This is outside of my normal posts, but it's been jumping out at me for the past couple of months, so I thought I should post something about it. I can't say this any more clearly: if you are using your pet's name as a password, STOP! Also don't use your kids' names, your spouse's name or anything similar, unless you want to get pwned, because that will almost certainly happen at some point if you continue this really terrible practice. Also be sure not to use any of these passwords either, as they are the most common passwords in use. If you are currently doing any of these things, then read on!
Note that this is a huge subject and this post addresses only a very small fraction of the entire story. I'm purposely avoiding a lot of the more complex issues here to avoid clouding up the goal of having people realize that things have changed with regard to passwords and they need to change with them.
Current Situation
Sites don't (or shouldn't) store your password itself; they store a hash of it, and the hashing algorithms in general use are too strong to reverse directly. So the way most passwords are broken (outside of social engineering) is by guessing. An attacker who has obtained a copy of a site's password database runs through a list of common passwords, far larger than the one mentioned above, hashing each candidate and comparing it with the stored hashes, hoping to eventually hit the combination that lets them into your account. The same lists drive automated guessing against login pages. At the end of the day, if your password is in one of these lists you are certainly susceptible to exploitation, and you should take action to protect yourself from attack.
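To make the point concrete, here is an added example (not from the original post) of the attack described above, run against a constructed "leaked" table of salted SHA-256 password hashes and a constructed ten-entry list of common passwords. The users, passwords and salts are all made up here; a real attacker uses lists with hundreds of millions of entries.

```python
"""Dictionary attack against a constructed dump of password hashes.

Added example, not from the original post. The user table, the passwords
and the wordlist below are constructed for illustration.
"""
import hashlib
import secrets
from typing import Dict, List, Tuple


def make_record(password: str) -> Tuple[bytes, str]:
    """Store SHA-256(salt || password) with a random 16-byte per-user salt.

    Real sites should use a deliberately slow password hash (bcrypt, scrypt
    or Argon2); that slows the loop below but cannot rescue a password that
    is on the attacker's list.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


# Constructed stand-in for a site's credential table: user -> (salt, hash).
LEAKED_DB: Dict[str, Tuple[bytes, str]] = {
    "alice": make_record("password123"),
    "bob": make_record("fido"),   # the pet's name from the title
    "carol": make_record("crimson-tundra-velvet-antler-orbit-quartz"),
}

# Constructed miniature "most common passwords" list.
COMMON_PASSWORDS: List[str] = [
    "123456", "password", "password123", "qwerty", "fido", "letmein",
    "iloveyou", "admin", "welcome", "monkey",
]


def crack(db: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Dict[str, str]:
    """Try every candidate against every account; return what was recovered.

    The attacker never tries to reverse the hash, only to re-create it.
    The per-user salt means one hash computation per (user, candidate)
    pair instead of one per candidate, which is a cost, not a defence,
    against a list this short.
    """
    recovered: Dict[str, str] = {}
    for user, (salt, stored) in db.items():
        for candidate in wordlist:
            if hashlib.sha256(salt + candidate.encode()).hexdigest() == stored:
                recovered[user] = candidate
                break
    return recovered


if __name__ == "__main__":
    found = crack(LEAKED_DB, COMMON_PASSWORDS)
    for user in LEAKED_DB:
        print(f"{user:6s} -> {found.get(user, '(not in list)')}")
```

Alice and Bob fall instantly; Carol's passphrase is not on the list, so the only route left is exhaustive search, which is what the rest of this post is about making impractical.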
What is the Remediation?
There are multiple ways to better protect yourself that are currently in widespread use. What we are doing is making the guessing attack described above so expensive against your account that it's not practical to break in any useful amount of time. If we do that, you are reasonably safe from these types of attacks. Look at the ones outlined below and consider using at least one, if not more, of them to make your online presence a lot more secure. Here is a really good overview of them if you are interested in digging into them a bit further.
- Short Codes
- Password Databases
- Diceware
- Two Factor Authentication
Short Codes
This has been around for a long time and is something that I initially used back in the 90s. It's better than using a dictionary word because the result is not likely to be in any password dictionary. The weakness is that the length most users end up with is not sufficient. It's pretty simple to use though: just think of a long phrase and then take the first letter from each word in the phrase. A short example would be "My dog is blue and has fleas". In this case (don't actually use this) the password would be "mdibahf". You can then make this harder to guess by adding capitalization, numbers, and symbols, so something like "mD1b&Hf" could be your password. This way you just have to remember the phrase, and through repetition you will remember the actual password. Be aware that the substitutions are less random than they look: attackers' tools already try a capital at the start, a digit for "i" or "l" and "&" for "and", so the real strength comes from the length, not the decoration. As mentioned, the recommended length of passwords has increased as computing power has increased. Currently, you really should be looking at 16 or more characters, which means a phrase of 16 or more words, or padding the result with extra characters. If you want some examples of these types of passwords, you can look at this online generator, which is quite nice.
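The following added example (not from the original post) derives the "short code" the way the paragraph describes and then estimates how long exhausting every string of that length and character set would take. The figure of 10 billion guesses per second is an assumption standing in for a GPU rig attacking a fast, unsalted hash; adjust it for your own threat model.

```python
"""First-letter ("short code") passwords and how long brute force takes.

Added example, not from the original post. The guess rate is an assumed
figure for a GPU cracking rig against a fast hash.
"""
import string

GUESSES_PER_SECOND = 1e10   # assumption; tune for your threat model


def acronym(phrase: str) -> str:
    """First character of each word, lower-cased: the method in the post."""
    return "".join(word[0].lower() for word in phrase.split() if word[0].isalnum())


def alphabet_size(password: str) -> int:
    """Size of the union of the standard character classes the password uses."""
    size = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation):
        if any(c in charset for c in password):
            size += len(charset)
    return size


def worst_case_guesses(password: str) -> int:
    """Guesses needed to try every string of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def time_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the keyspace at the given guess rate."""
    return worst_case_guesses(password) / rate


def describe(seconds: float) -> str:
    """Human-readable duration for the table printed below."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    short = acronym("My dog is blue and has fleas")          # "mdibahf"
    decorated = "mD1b&Hf"                                    # the post's variant
    longer = acronym("My dog is blue and has fleas but my cat is red and "
                     "has none at all")                      # 16 letters
    for pw in (short, decorated, longer, longer + "!7"):
        print(f"{pw:20s} alphabet={alphabet_size(pw):3d} "
              f"len={len(pw):2d} exhaust in {describe(time_to_exhaust(pw))}")
```

The seven lower-case letters fall in under a second; adding the capital, digit and symbol buys about two hours at this rate, while sixteen letters of any case push the exhaustive search into geological time. Note that this is the worst case for the attacker; pattern-aware guessing gets to "mD1b&Hf" far sooner than the two-hour figure suggests.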
Password Databases
These are becoming more popular and are really nice to use, especially given the recommended length of passwords and the need to use a different password on every web site. I would recommend giving them a try if you have not already done so. Password databases allow you to use a single master password to access all of your other passwords, which are stored either locally or in the cloud so that they can be shared across multiple PCs. Browsers currently have their own versions of these as well if you happen to use Firefox or Chrome. I personally have grown fond of Bitwarden and have used it for some time. It's nice because it supports both web access and access via a smartphone. It is a cloud solution and therefore allows you to share your passwords across multiple systems easily. It is open source, and they have shared the security audit that was performed in 2020 so you can see how they fared. They do offer a free option, though it comes with fewer two factor authentication options (described a bit later). Since the master password now guards everything else, it is the one password that really needs to be long; the Diceware method below is a good way to build it. For anyone that spends significant time on the net, this would be a good option.
Diceware
I had not heard of this prior to reading the article, but it is a very secure method of creating a passphrase. It is a two step process, the first of which is to locate a diceware word list. The exact list you decide upon depends on the number of dice you plan to roll per word. Here is a five dice list; five dice (a list of 6^5 = 7776 words) is the standard recommendation. Secondly, you need a way to roll dice. Physical dice are the classic method and keep your rolls off the network; if you prefer software, the site random.org has a nice dice roller application as an example.
The sequence is to do the following:
- Roll five dice (or one die five times) and record the numbers in order, giving a five-digit number such as 31415
- Look up that five-digit number in the word list and write down the word next to it
- Repeat until you have a total of six words
- These six words strung together become your new passphrase
- To assist in memorizing the words, create a sentence that uses them in order
- Repeating the sentence in your mind will ingrain it, and thus your passphrase
What makes this passphrase very secure is that each word was chosen at random from 7776 possibilities: six words give about 77 bits of entropy, far more than any phrase you would make up yourself, and the sheer length follows from that. The length will make it awkward to type on a phone, but where a keyboard is used it isn't a difficult operation.
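The procedure above, as an added example that is not part of the original post. The word list fragment embedded here is constructed in the format of the EFF large word list (five dice digits, a tab, the word); a real run loads the full 7776-line file, for example https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt. Dice rolls come from the operating system's CSPRNG via Python's `secrets` module, which does locally what the random.org roller does remotely.

```python
"""Diceware passphrase generation with a five-dice (7776-word) list.

Added example, not from the original post. WORDLIST_TEXT is a constructed
fragment in the EFF list format; the EFF URL in the lead-in points at a
complete list.
"""
import math
import secrets
from typing import Callable, Dict, List

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD      # 7776 entries in a five-dice list

# Constructed fragment; a real list has one line per possible roll.
WORDLIST_TEXT = """11111\tabacus
11112\tabdomen
31415\tfoamy
66666\tzoom
"""


def parse_wordlist(text: str) -> Dict[str, str]:
    """Map each five-digit roll string to its word, validating the keys."""
    words: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        roll, word = line.split("\t")
        if len(roll) != DICE_PER_WORD or any(d not in "123456" for d in roll):
            raise ValueError(f"bad roll key: {roll!r}")
        words[roll] = word
    return words


def roll_dice(n: int = DICE_PER_WORD) -> str:
    """Roll n six-sided dice with a CSPRNG; returns e.g. '31415'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def passphrase(words: Dict[str, str], n_words: int = 6,
               roll: Callable[[], str] = roll_dice) -> List[str]:
    """Roll, look up, repeat; `roll` is injectable so the steps can be tested."""
    chosen: List[str] = []
    for _ in range(n_words):
        key = roll()
        if key not in words:
            raise ValueError(f"roll {key} missing from word list; "
                             f"a complete list has {LIST_SIZE} entries")
        chosen.append(words[key])
    return chosen


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Each word contributes log2(list_size) bits; six words give ~77.5."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = parse_wordlist(WORDLIST_TEXT)
    print(f"six words from a {LIST_SIZE}-word list: {entropy_bits(6):.1f} bits")
    # With the fragment we can only demonstrate fixed rolls; a full list
    # would use roll_dice directly.
    scripted = iter(["11111", "31415", "66666"])
    print(" ".join(passphrase(words, 3, roll=lambda: next(scripted))))
    print("a fresh five-dice roll:", roll_dice())
```

Loading the full EFF file instead of the fragment is a one-line change (`parse_wordlist(open(path).read())`); everything else stays the same, and the entropy figure is what justifies the recommendation of six words over, say, four (about 52 bits).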
Two Factor Authentication
Finally, two factor authentication. You may see this written as 2FA in a lot of places. It can also be called Multi Factor Authentication (MFA). This adds a second authentication step that you must pass after the first method, usually a username/password combination. It will normally be combined with one of the methods listed above, as it is an "add on" layer of security used in addition to another method rather than a replacement for it.
Just like password generation techniques, some 2FA methods are better than others. Currently the recommendation is to use an authenticator application on your device rather than the SMS messages that were pretty standard before, since text messages can be intercepted or redirected by taking over your phone number. An application like Authy will go a long way towards making your life more secure.
The way Authy and similar apps usually work is the following (assuming the site you are logging into supports authenticator apps):
- Launch Authy.
- Add an account, where "account" is the site or application that supports authenticator apps for 2FA.
- On the site's side, when you select that you want 2FA, a QR code will be presented.
- In the Authy app, use the camera to scan the QR code on your monitor.
- Authy will ask you to name the account so you can find it in the list later; most sites then ask you to enter the first code the app shows to confirm that the setup worked.
- You may receive some one time recovery codes that will act as a one time access in the event that you lose the device. Obviously don't store these on the device itself, and never give them to anyone, as they are keys to your account.
Once you have 2FA configured for a site, whenever you log in and provide your credentials another prompt will appear asking you to enter a code. It's normally a six digit number, which you find in the Authy application under the account you just configured. Each code is valid for a limited time, normally 30 seconds, before it changes. You enter the code from Authy at the prompt and the login completes. Since each site has its own 2FA secret, you set this up separately for every site you want protected.
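The six-digit, 30-second codes described above are TOTP (RFC 6238), and the QR code the site shows is just a URI carrying the shared secret. The following added example (not from the original post and not Authy's code) implements both ends: the code the app shows, the check the site performs, and the URI behind the QR code. The secret is the one from the RFC's own test vectors; the account and issuer names are constructed.

```python
"""TOTP (RFC 6238): the six-digit, 30-second codes behind Authy-style apps.

Added example, not from the original post or from Authy. SECRET is the
RFC 6238 SHA-1 test secret; account and issuer names are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

SECRET = b"12345678901234567890"   # RFC 6238 test vector secret (SHA-1)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
    then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what
    the app displays; the code changes every `step` seconds."""
    return hotp(secret, int(at // step), digits)


def verify(secret: bytes, code: str, at: float, step: int = 30, skew: int = 1) -> bool:
    """Site side: accept the current window plus `skew` windows either side
    to tolerate clock drift, comparing in constant time."""
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-skew, skew + 1))


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """What the QR code encodes (the otpauth Key URI format used by
    authenticator apps): the base32 secret plus the parameters above."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print(provisioning_uri(SECRET, "alice@example.com", "Example Site"))
    now = time.time()
    code = totp(SECRET, now)
    print(f"code now: {code}, {30 - int(now) % 30}s left, "
          f"server accepts: {verify(SECRET, code, now)}")
```

Both sides only ever need the shared secret and the time, which is why the app works offline and why the secret in the QR code must be treated like a password. Note that a code is only as good as where you type it: a phishing page that relays your code to the real site within the 30-second window still gets in, so 2FA is a second factor, not a substitute for checking the address bar.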
2FA is considered very secure because even if someone does somehow compromise your password, they would not get access to your account unless they could also pass the 2FA step (the main remaining risk is a phishing site that relays your code in real time, so still check where you are typing it). If you have the ability to use 2FA on any of your accounts, do so... it's one of the most secure simple ways to help ensure the bad guys aren't getting into your stuff.
Summary
Hopefully this quick overview was helpful. There is a lot involved in security, but you need to take it seriously and at some point you need to just jump into the water and start to swim. Maybe reading this can give you the courage to climb up onto the diving board.
Until the next blog, don't talk about it...