Saturday, June 11, 2016

This is Why We Can't Have Nice Things

There are any number of reasons why users will not conform to good password policy.  It's difficult to remember so many without writing them down somewhere, we're not supposed to write them down, and it's difficult to come up with a new one every 90 or 180 days that isn't one of the x number of previously used passwords, etc.  Honestly, I would rather see a user write them all down in a notebook kept in a safe location than use the same username/password combination for everything, but I'll get flamed for that view by some.

But the reason for bad password use that I'm going to discuss here today is the conflicting information that users get from different sources.  I came across this article on Reddit recently, and while I seriously hope the article is taken down, or at least fixed by the time that you read this, I have no hope that it will be.  Most of it is harmless, and I even agree with most of the author's suggestions.  We could all stand to take a little more time to clean out our inboxes and to make better sense of the file system structure in our Documents folder.  But there's one very dangerous suggestion.  Here's the gem from this article that I'm referring to:

8. Try to use one password for everything
It's pretty easy to devise a password eight figures long or more that includes one upper case letter, a number and a symbol. Dream one up and try to use it across every business account – maybe choose a different one for your internet banking and PayPal accounts, however. You don't want hackers guessing your password and using it to get to your hard-earned funds.

Let's just stop right there and reread that statement one more time.  Try to use one password for everything.  Yes, contrary to everything that I.T. and security professionals are constantly saying, just reuse your super password.  Simplicity is way more important than anything else.  It's not often that the comments on an article are all in lock step on an issue and saying the same thing, but as of the time I read the article, all 16 agree that Alexandra Cain is giving harmful advice.

That's right, Ms. Cain, author of the "The Big Idea" column for The Sydney Morning Herald, is suggesting that you "declutter your digital life" by using a single password for everything.  This column is targeted at small businesses, and she is honestly suggesting business owners use the same password for everything.  If you don't know anything about computers and the Internet, this may actually sound like a reasonable suggestion.  It shouldn't matter that I use the same password over and over again if it's complex enough that nobody is going to guess it, right?  Isn't that what password complexity rules are all about?

So for the reader who finds this to be reasonable, why am I saying that it isn't?  Let's start with how you log in to a website.  First, there's the username or login (same concept, and I'll use the term username throughout).  Many sites let you choose your own, which protects you if your password is discovered, right?  Not exactly.  Some sites do not use a username at all; your email address is your login credential.  Other sites will accept your email address in place of your username.  So if your email address is being used, the username is not unique from site to site.

In my early days in I.T., I took enough service tickets about a user not being able to send out 100 party invitations from their work email account to know that people prefer using one email account for everything.  So for most users, the username and password combination is not unique from site to site.

Why does this matter?  Again, we're using a complex password that can't be guessed, right?  It doesn't matter.  Do you use Hotmail, Gmail or Yahoo mail?  Millions of passwords were leaked last month in a breach of these three services.  Are you a Tumblr user?  65 million passwords were leaked recently.  Did you forget about your old MySpace account that you haven't touched in years?  The hackers didn't, and they've got 427 million passwords.  These are just the first few results that pop up when searching Google.  Of course I could keep going all day, but you get the idea.  You've certainly heard about hacks and password list compromises in the past.

Now let's talk about why these breaches matter to the average user.  Once I have your login credentials for one of these services, I no longer have to guess your super complex password.  It's on a list on the Internet, and I can download that list.  Do you think anybody is taking the username and password pairs from those leaks and trying them elsewhere?  Absolutely they are.  So everywhere you use that password, the hacker is likely to have access to your account.  It doesn't matter how complex your password is, or how good your bank is with online security.  MySpace wasn't, and because of that, you've given dozens of people with bad intentions access to your bank account.

Now let's talk about the aftermath of any of those hacks.  Does the average user change their password on the site that was compromised?  Possibly.  Does the average user change their password on every other site where they're using the same password?  I don't have any statistics on this, but we can assume that many don't, and the ones who try probably don't remember everywhere they've used it.  And I hope your email account was the first one you changed; otherwise I'll just click the "forgot password" link and have a password reset email sent to that email address that I still have access to.

So let's say that you heard about the breach in a reasonable amount of time, you actually do remember everywhere that you've used the compromised password, and you work all night to change it everywhere that it's been used.  You're safe, right?  Not exactly.  Most of these compromises take place months, or even years, prior to the word getting out.  Companies aren't exactly racing to the press with news that they've been hacked, especially if they don't know or aren't 100% sure yet.
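The defender-side counterpart to the replay described above is to refuse any new password that already appears in a known leak, since those exact strings are what get tried elsewhere.  The following is an added example, not code from this post: it simulates a breach-list lookup in the style of a range query, where the client reveals only the first five hex digits of the SHA-1 hash rather than the password or its full hash.  The leak contents and counts are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked credential dump: (plaintext, times seen).
# These values are made up for the example; a real dump is vastly larger.
CONSTRUCTED_LEAK = [
    ("Summer2016!", 412),
    ("P@ssw0rd1", 9731),
    ("Myspace123#", 58),
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form used for range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(leak):
    """Index leaked hashes by their first 5 hex digits (the 'range'),
    mapping each remaining 35-digit suffix to its occurrence count."""
    ranges = defaultdict(dict)
    for pw, count in leak:
        h = sha1_hex(pw)
        ranges[h[:5]][h[5:]] = count
    return ranges


RANGES = build_ranges(CONSTRUCTED_LEAK)


def query_range(prefix: str) -> dict:
    """Simulated range service: the caller sends only a 5-digit prefix
    and receives every suffix under it, so the full hash never leaves the client."""
    return RANGES.get(prefix.upper(), {})


def breach_count(password: str) -> int:
    """How many times the password was seen in the leak; 0 if absent."""
    h = sha1_hex(password)
    return query_range(h[:5]).get(h[5:], 0)


def acceptable_new_password(password: str) -> bool:
    """Policy check for a change-password form: reject anything found in a leak,
    because attackers replay those exact strings against other sites."""
    return breach_count(password) == 0
```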

A common excuse I hear from people, my wife included at one point in time, is "I'm nobody, I don't own anything.  Why would hackers come after me?"  The answer is: because it's easy.  As an average Joe, you don't have the knowledge, the skill set or the resources at your disposal to properly protect yourself and your assets.  The banks are where the money is, but they're also a lot more secure.  Draining a couple hundred bank accounts will still get me a sizable chunk of change with a lot less risk and effort.

I use the site Have I Been Pwned? to alert me when my email address and/or commonly used usernames appear in one of these password lists online.  I highly recommend you do the same.  It's a free service, and for perspective, they list the current top 10 breaches in terms of compromised passwords.  Stay safe friends.

1 comment:

  1. I didn't realize this article was already 4 months old when I talked about it. I didn't check the date, and the discussion I came across sounded like it was recent.
