This episode took me a while for some reason. I’m not sure why. It’s about passwords. The bane of everyone’s existence, so you would think that it would be simple, right? Apparently not. I mention password managers a lot in this episode. I also go over how the hackers take advantage of our laziness and what makes for a good password and much more. This is a good one and it’s only the tip of the iceberg when it comes to authentication. My name is John Virgolino and I’m your host; this is ConsulPod. Let’s get into it.
John 00:00:45
A while ago, I wrote a blog post about using password managers and how everyone needs to use them. I recall opening the post by saying that “passwords suck!” I’ve been thinking about it again, and they really do, and not much has changed since I wrote that post; if anything, it has gotten worse and more dangerous. You can’t use a simple and easy-to-remember password for anything anymore, and forget about reusing the same password for all your accounts.
John 00:01:28
That means the only way, the best way really, is to generate a completely random password for every service and let a password manager handle the “remembering part.” Because if you don’t have to remember the passwords, then you won’t have to come up with them, and we all know how that goes: our passwords are ridiculously easy to crack, and repeating their use over and over again makes our accounts vulnerable. Now, I am not naive enough to believe everyone will move to a password manager immediately, you really should, but I get it; things take time. I also don’t believe everyone will go out there and clean up their current passwords and eliminate all those duplicates they are using. I get it, it’s easier, but it’s just not something you can get away with anymore. I’m serious; if you think you can put this off, you can’t. It’s not about you being a nobody that some hacker wants to target. You are right; hackers don’t want to target you personally. They are looking for the gold prize, a database somewhere they can breach, and get everyone’s passwords and personal information in one big swoop. They probably already have your email and password as it is, at least some of them. How? I’ll get into that in a minute. But first, let’s talk about stuffing.
John 00:02:53
Not the delicious stuffing you put in turkey at Thanksgiving, but password stuffing. It’s a kind of attack where hackers take full advantage of our laziness to get the best of us and, more notably, our money and time.
John 00:03:11
What is password stuffing? Simple: hackers break into a database or buy one that’s already been breached. Sometimes, they are just given away and available for the taking. Let’s say, for the sake of an example, LinkedIn. Millions upon millions of logins. Let’s say they get into LinkedIn and steal this database as they did in 2012. Now, let’s say the passwords aren’t stored in a way that is exactly high tech, just like LinkedIn did; you get my drift here? The passwords are easily determined and now the hacker puts the list up for sale on the dark web, as they did with the hacked LinkedIn database in 2016. Other hackers buy that list and add it to their own growing list of emails and passwords. The hacker now goes to every bank website and tries the logins they stole or bought. Once they get a hit, they start using that same password on multiple sites until they get more hits. For instance, they start with Chase bank and then Facebook and maybe other social sites. They will try Amazon next. If they get a hit anywhere, they will start buying up products left and right on your stored credit cards or steal and transfer what they can. Then they move on to the next service. Stuffing your passwords in every login form that will take them, hoping to get a hit. Do you see what they are doing? They are assuming that someone is going to use the same password everywhere and try out the most popular services, and this technique works very well. Why? Because we are human beings. We don’t want all the complications of authentication. We don’t want to think about security when we are logging into Facebook and we don’t want to remember some complicated password.
John 00:05:21
So, if you aren’t going to use a password manager, again, you really should, and if your business is restricting you from doing so, talk to IT or management and push for it. It is your customers’ and your own internal data you are protecting, after all. Anyway, the question is, if you are going to have to create a password, what’s the best way to go about it? There are a ton of videos, blog posts, and articles that supposedly address how to make the best password ever. Which one do you listen to? There really is a lot, and it seems like so many people have so many opinions on this. Whose advice do you follow? NIST is a solid option.
John 00:06:08
Good ole NIST is back on the pod. We had discussed NIST, the National Institute for Standards and Technology, in episode 5 when we talked about compliance. NIST provides a whole host of goodies, and how to make a good password is one of those standards. Although they don’t dedicate a whole standard to it, it is a major part of NIST 800-63B, which covers Digital Identity Guidelines. Appendix A is where the good stuff lives. It’s titled “Strength of Memorized Secrets” and this is where they go into what makes a good password.
John 00:06:50
This revised standard came out in 2020 and was a big deal because NIST changed its recommendation after decades of advocating the same approach. In this revision, they abandoned the idea that you have to change your password every x number of days. They now claim this is ineffective because people don’t come up with nice unique passwords every time, they add a 1, 2, or 3 at the end of the existing password. Again, the hackers know this too.
John 00:07:24
NIST now says the main factor is length. The longer the password, the better. Why? Well, let’s say you have a password that is 8 characters long with letters and numbers; it will take a relatively decent computer about 30 seconds to figure it out using a brute force attack. That’s when the computer tries out every possible combination. If your password was 32 characters long, it would take the same computer centuries to break the password. This is a password without symbols or mixed case, by the way. Keep in mind, the bad guys generally steal the databases, and they try to crack the passwords on their own time on their souped-up equipment offline. They don’t have to worry about firewalls and all that; they just have to have the computing power to iterate through every possible combination. Once the hackers are done cracking all the passwords, they then put that list up for sale, like we said before. Again, it’s about the money.
John 00:08:26
This is why NIST recommends long passwords now. Really long ones. The problem with creating a really long password that is 32 characters long is that you will never remember it. If only there were a way to create such long passwords, store them, and not remember them and do that for every login you have. Oh wait, there is. It’s called a password manager, and you should use one right now.
John 00:08:55
So you still need convincing? Maybe if you knew how many breaches your email was a part of, that might help you get some perspective. Go to a site called haveibeenpwned.com. The well-respected Australian security guru Troy Hunt developed this site to track your participation in breaches, large and small. Go on over and type in your email address, and rather quickly, you will see all the breaches that his database has with you in it. I was in 15 different breaches, including the LinkedIn one I talked about before. Troy’s site has over 11 billion unique accounts logged. You can also put in your password on his site, and it will tell you how many breaches that password was found in. He also makes his entire password list available, not in plain text, but hashed, so that if you are a system administrator and want to check your users’ passwords against the breached database, you can help your users stop using the same, already cracked, passwords. This will help stop password stuffing attacks from working.
John 00:10:25
So, you’re finally ready to jump on board and get that password manager. Which one should you get? Well, you have a few decisions to make. First, are you going to use a cloud-based manager like 1Password and trust all your passwords to a 3rd party? That’s a risk assessment you need to make for yourself or your company. They all create long, impossible passwords automatically and will autofill login forms for you and do lots more, like alerting you when reusing passwords. They also have mobile versions so that you can log in from your phone or tablet. By being in the cloud, your passwords are centralized, and you can access them from anywhere. If you don’t want to trust a third party, there are solutions that run locally on your PC with all the same functionality, but the data isn’t in the cloud. Keep in mind though, that if you need to use it on a mobile device, you are going to have to store the passwords on a common device. There are a few ways to do this, so speak with your company geeks or drop me a line; I’ll try to help out.
John 00:11:40
There are a few very popular online password managers available and they are very affordable. They have family plans so you can share family passwords and get the whole clan together in the interest of security. They say it takes a village, so for a few dollars a month, it is well worth it. LastPass has had some credibility issues recently and in my opinion, you should look around at a few before making a decision. 1Password is another choice and the local, non-cloud popular choice is the free KeePass, spelled k-e-e.
John 00:12:26
For businesses, the major players all have business plans available, and there is nothing to stop a business from using KeePass as well, for free. For larger businesses, there are enterprise solutions out there that are much more expensive and have plenty of features, but usually you are going to have very specialized needs in those cases. Most small businesses will be perfectly fine with the titles I mentioned before. Just use something. You just have to remember one good long password and forget about the rest. Just make sure your one single password isn’t password123.
John 00:13:12
There are companies out there innovating with new approaches that are truly passwordless. They combine multi-factor authentication and generally make it easy to log in securely. It’s going to take time for these technologies to reach everyone, so in the meantime, we are stuck with sucky passwords.
John 00:13:34
Remembering them, creating them, storing them, resetting them, all of it is a hassle. But it is the world we live in, so make the best of it and get yourself a password manager today and clean up your duplicates, start using really long passwords and I promise you will actually feel some relief when you start seeing that you don’t have to remember a password for some random site. You won’t have to sit there trying to figure out what you can remember. Be kind to yourself and set yourself, your family, and your business up with a password manager and eliminate some of that suckiness from your life. That’s an official IT recommendation if there ever was one.
John 00:14:17
Alright, that’s it for this episode. At some time in the next episode or two I am going to announce some new features to ConsulPod, so come back to hear about those and let your colleagues and team know about us as well. Word of mouth can make a huge difference for us podcasters. Thank you for listening, I’m John Virgolino, stay safe out there.
Related Links:
My password manager blog post
NIST Standard
The Wages of Password Re-use: Your Money or Your Life, Krebs