The problem with passwords

Chris Sienko: Hello and welcome to InfoSec Institute's informational video series. Each week, we will cover a different aspect of the security industry including deep dives into the most popular tools of the trade, desirable career paths, and like this week, we'll be covering tough topics in security awareness.

There's been an increase in talk about security in the news, especially passwords and whether the escalating arms race of length and complexity of passwords is really deterring hackers. Might there be other methods?

Today on the show, we have Susan Morrow, a frequent contributor to our InfoSec resources website that you can check out at resources.infosecinstitute.com as well as several well attended webinars we've hosted in the past year. Susan has been working in the security sector for over 20 years. She is currently head of research and development at [Evoco 00:00:54] Secure and specializes in designing solutions for consumer and citizen identity systems.

She has a great deal of experience of the good, bad, and ugly of passwords and other types of login credentials. She says that she always tries to put the human being at the center of technology whilst balancing security which can sometimes be quite a challenge. To start things off, what are some of the biggest systemic mistakes that people and organizations are making with regards to their passwords these days?

Susan Morrow: Okay, well there's been a general air of misinformation about how to secure a password, what is a secure password and it's been along certain lines. We're going to talk about this in a little more detail later when we discuss [inaudible 00:01:35] and the [inaudible 00:01:37] regulations, but just to give you some examples.

Making passwords too complex. More complex a password is, more sort of combinations of characters and numbers and letters that you insist that a person has to use [inaudible 00:01:57] create a password, more likely it is that they're likely to a) forget about it and then have to use your recovery system or b) write it down on a piece of paper.

Chris: Right.

Susan: Those things are sort of the [inaudible 00:02:13] of making something secure. It's like creating a false sense of security and that false sense of security is something that is pervading not just passwords and login credentials by every other area of security. Also, one of the other... It's a particular [inaudible 00:02:32] of mine, this one, is forcing people to update their password.

Now, things are getting better in this area and you're seeing it less and less, but there was a few years ago it was a real sort of trend to make everybody update their password every 30 days. It came out of the enterprise world, that, but when you try and import enterprise thinking into the world of consumers, it invariably fails and that was one of the failing points and people were getting sick.

Actually what happens is that people update their password by sort of adding a couple characters to the and we'll discuss that later on as well because that is another failing of the system.

Another thing is making password policies obvious on your website. Sometimes you'll go to a website and it'll say, "Create your password" and then underneath it'll have something like, "It has to be a capital letter, it has to be at least eight letters long and it has to have an exclamation mark" or something like that. They'll spell it out. You may as well give a hacker the key to your house and say, "Come and burgle me."

There are my main sort of concerns about passwords. It's all around policy. There's also one other thing and again this isn't proven. It used to be worse, people were not [salting 00:03:50] and [hashing 00:03:52] passwords when they were storing them. A hash is you would take a password and you would jumble it up and create numbers and letters to represent it, in such a way that you can only do it one way, you can't unhash it.

But salting it adds an extra piece of protection to it. A salt is kind of like a little bit at the beginning and sometimes the end of a password or something similar and that then adds an extra piece of junk into it so it's just really, really incredibly difficult.

Chris: Now, what are your thoughts on the uptick of two factor authentication such as you enter your password and then they send a number to your cell phone and you type the number in? Is this an improvement? Do you think this helps at all?

Susan: Absolutely. Two factor authentication will improve security. However, at the minute, currently only 10% of Gmail users are actually using two factor even though they've got the option. Not everybody offers the option of two factor because the web developers have to add the capability in and it's an extra piece of functionality and it's an extra piece of cost to companies, so on and so forth.

But it's not just that. On the user end, people don't like two... They don't like two factor. It's taken me several years to actually add it into my Paypal account even though it's really, really important to do that. People get sick of it, but it is really important to do it if you can. Of course, it's not the perfect solution. There are, as a lot of people know, [inaudible 00:05:29] vulnerabilities that allow session cookies and things to be...

There's a new one for example in LinkedIn where you've got two factor authentication issues in LinkedIn. There are ways of phishing and you can actually hack someone's LinkedIn account. It has to be implemented correctly and securely. It's not 100% perfect.

Chris: So, some of the hurdles to acceptance have been basically that it adds a lot of extra functionality on the end user site and also that people are just... It's sort of a pain to do. But you think it's going to become more common over time?

Susan: I know that in Singapore [inaudible 00:06:12] it's a lot more than they are in countries like USA and the UK.

Chris: Oh, okay. Why is that?

Susan: I'm not entirely sure why. Maybe they're more open to technology than we are. I really don't know. I know that there are other problems with it as well. For example, to issue SMS codes, text codes, it costs the company hosting that service money every time it goes out. So, if you're hosting a service that's hit by millions of users, that's going to rack up, even if it's auto sent. That racks up, so you don't want to do that.

The alternatives are more techy, so you've got Google authenticator, that type of thing and Google authenticator, [inaudible 00:06:58] equipment. Sorry, an iOS equipment and so on. [inaudible 00:07:03], they generate one time codes that you enter and they're free. Obviously they're free and they're very secure actually, as well, but you have to download an app, you have to understand how the app works, you have to know to click on it.

There are other methods as well. Telegram is a great method and Telegram is a messaging app. You can send [inaudible 00:07:26] a link to the Telegram app when you're sending it in. You can click on it and you don't have to put in any code. It uses [inaudible 00:07:32] code. You just have to click that code and you're in.

It's improving two factor's improving but it has to improve to the point where you just have to go click and you're in.

Chris: This sort of goes out to folks who use the internet less common than us do but there's that belief that maybe all of your passwords don't really need to be secure. If you have a website where you haven't added any of your pay info or any of your personal information, it's like a newsletter or something like that to get tea cozies or something like that, doesn't really matter. You can just use a junk password for something like that.

Susan: Well, the problem is human behavior. For example, I might use a less secure version and then I'll go to a site that has potentially sensitive information on it and think I better make it a bit better. But to make it a bit better, they'll capitalize the first letter and then stick a one one at the end of it. Hackers know this.

In fact, the [inaudible 00:08:38] bot net attack that happened in 2016 where half the Indian internet went down, this was where hundreds of thousands of [inaudible 00:08:48] devices were hacked and they were turned into bots and the bots then controlled what certain web servers [inaudible 00:08:56] web servers and they took quite a lot of websites down.

The reason that they were able to hack those devices was because a lot of people were using lazy versions of passwords. We all do it. [inaudible 00:09:11] I do it as well.

Chris: Same here.

Susan: God almighty, diversion slightly but it's very important. There was a study done by Last Password that [inaudible 00:09:22] the average business user has 191 passwords.

Chris: At least after password 100, you're like, "Fine, I'll do blah blah blah blah blah blah again." Yeah.

Susan: And hackers know this, so they've got tables of passwords, common passwords and common variance of passwords. The struggle is if you start doing that, it carries on a behavior into your next password and so the problem is you can do it, [inaudible 00:09:50] do it but you might end up reaping consequences of it because you won't even realize that your [inaudible 00:09:58].

Chris: That's a really important thing to keep in mind is whether or not they actually get to you, whether they can get to your information, they can use you to sort of springboard into attacking the entire site or the entire-

Susan: Yeah, that's right. The problem is for the average consumer, it really has become a quagmire. People are really... They just don't know what to do and I don't blame them. It seems complicated but in the tend, try and think of it just as trying to think one step ahead if you can.

One of the good things about [inaudible 00:10:36] is that they've encouraged the use of longer passwords and the reason that they did that was because they recognized that things like pass phrases were... The way that we think, you don't remember complicated multi character, number passwords but we do remember my dog's name is something such or the name of my four children or something that is personal to you but is harder for someone to come across. Actually, I wouldn't recommend those two ones I just said there.

Chris: Yeah, those are off the table now. Also, it seems like that means that we're thinking in terms of global password safety almost the way we think of flu shots as a sort of herd immunity. Even if it doesn't affect us that season, it's still sort of like we're making the network of people that much safer. Is that reasonable to say?

Susan: I think it is. I think we're just starting to need to think like a community and [inaudible 00:11:39] an industry we're talking about culture of security. That culture of security needs to sort of filter down into the wider world as well and we need to build a community of security where we all look after each other.

Chris: Okay, well we've started talking about that a little bit here with regards to sentences or phrases or whatever, but let's sort of put it all on the table. What's the best way to create a secure password? Even if you're using a very complex password, should you still be using unique passwords for everything you log into?

I guess even more to that point, what's the best way, in your opinion, to safely store passwords? Because as you said, 190 passwords. You're not going to be able to conjure up 190 variants of my dog's name is Fido or something like that. Can we sort of come up with a network of ideas or hints that we can use to rebuild our entire password pile?

Susan: Apparently only about 12% of people use password managers and that is probably because it's yet another piece of technology that we have to use and have to think about. Password managers to my mind are a single point of failure, not just because they can be hacked. I know LastPass got hacked last year for example. LastPass is one of the more well known password managers.

Susan: But also because you might lose your credentials to access that and if you've lost your credentials to access your password manager, you've lost all your passwords. In other words, it's kind of storming up trouble. So, I personally don't use a password manager. I do have my own techniques for managing passwords which are very simple but they are protected.

But then that is me. It might not be as simple for your average consumer to do this. It is problem, having lots and lots of passwords. I think that it is important not to use the same password across all of your websites. One of the reasons for that is for example, it's worth the listeners having a look at have I been pwned and websites have I been pwned. I would Google it because the spelling is a bit weird.

Chris: Yeah. Have I been P-W-N-E-D?

Susan: Yeah. [inaudible 00:14:08] have I been pwned and put in any of your email addresses, you'll see if you're [inaudible 00:14:15] to be hacked. A lot of companies now [inaudible 00:14:17] username. Passwords are generally associated with a username and for convenience, companies have tended towards choosing an email address as the username. You might not have to use a different password every single website but try and use a number of them and have them [inaudible 00:14:41].

I mean, in the end, what a lot of people do and I've done this myself quite a lot is you end up going to the recovery system because you forget your password.

Chris: Yes.

Susan: A lot of people rely on that. You also at that point have to rely on the recovery system itself being a secure recovery system and that's not always possible and also there's all sorts of complications coming from using two factor because you might need to... If you've lost your phone and you're using an authentication app on the phone, then you've lost that. It all gets very complicated and I've designed these recovery systems and I know all of the possible glitches within it.

So, designing a recovery system is in itself as difficult and is in itself a challenge, so try and avoid them if you can but if you have no choice, you're going to have to use them.

Chris: Okay, so in creating new passwords, it sounds like you can sort of think of it in terms of themes and variations where you have three to five go-to password things that you can cycle and maybe do some internal variance on, things like that. Is that-

Susan: If you go off these guidelines... The problem is, Chris, that it's not up to the consumer often.

Chris: Yes.

Susan: The consumer has to follow the policies of the organization that they're creating a password with. It's very important that the organizations who are asking for these passwords are following these guidelines, the updated ones and the more recent ones, all of these guidelines to allow their users to be able to create more secure passwords and to have a better system for password recovery and to make sure that the passwords in the bank in, if push comes to shove, that they are protected, they're fully salted and [hashtag 00:16:38] protected.

There's also [inaudible 00:16:42] the new aspect to it is the more efficient aspect to it. It's not just about passwords, it's about security and understanding that. It doesn't matter how brilliant your password is. If you're phished and you enter that password into a site, it doesn't matter how great it is, it's gone. It's a combination. It's a combination of all of these things.

This is why it gets really messy and a quagmire for the average user and this is why I'm talking about building a community that is based on secure thinking and everybody helping everybody else out.

Chris: At this point, I imagine everyone who's watching is thinking about all of the Apple123 passwords that they've got over hundreds of websites and stuff. What are some best practices for updating bad passwords? If you're thinking immediately, "Oh my god, I got to change 100 passwords here", what would you say is your best practices to systemically go through everything you can think of and get your passwords in tip top shape? Is there any way... Because I know there's probably sites out there from 15 years ago that I haven't checked in years. Is there a system that will find all of the places that you have user passwords?

Susan: Yeah, there are. I've written a couple down. The problem is, like you say, it's discovery, isn't it?

Chris: Yes.

Susan: [inaudible 00:18:14]. Everybody and their dog asks for accounts to created these days. Even if you don't need an account. You don't need to create an account. I'm hoping that [JCPR 00:18:22] will rein some of this in and people think twice about forcing people to create a password. You just simply don't need one. But the cat's out of the bag now, let's face it, and if you've been around for more than a few years, you're going to have...

I don't think about how many accounts I have out there but there are some sites. I've written a couple down actually that I thought were reasonable ones. You have to be careful because of course there's been... Not these ones, but there have been a couple of [inaudible 00:18:56] where there's been some question of they actually collect your data [inaudible 00:18:59].

But there's a couple. There's one call Knowen, K-N-O-W-E-N.com. Https Knowen.com. It'll take you through and you can identify accounts which have your username or email address associated with them and then you can go in and use the recovery system because let's face it, you will have forgotten the password.

There's another one which is actually supposedly quite good and it's an app and it's called Deseet Me, which if you go the website, it's Deseet, so D-E-S-E-E-T.me.

Chris: Okay.

Susan: It's a similar sort of process. It'll just look for accounts that are associated with your username and password and you should be able to go in and hopefully delete your account. You should be able to delete your account as well [inaudible 00:19:58].

Chris: Then in general with the others, can you sort of suggest a system? Because there's probably still going to be 50 or more that you're going to want to keep your password. If you're sitting there and you're thinking about how you're going to save up 50 passwords in a row, can you suggest a system for...

Susan: The trouble is that a system is dependent on the policies applied by the company that is [inaudible 00:20:28] the password, so it's really difficult to give you one. Most of them that I've come across are still requiring policies like has to have a capital letter, must have eight characters, no more than 16. It's really, really difficult.

I would say you need to follow the [inaudible 00:20:49] guidelines on this and have a pass phrase rather than a password if you're allowed to have a pass phrase. Have a pass phrase. But the problem is, Chris, that I know that there are so many companies out there who are enforcing this policy thing and until they catch up with [inaudible 00:21:04], people are going to be kind of stuck in this cycle of password.

What I would say again is that above and beyond passwords, make sure you're phishing aware. Make sure you understand and I just had a friend [inaudible 00:21:21] yesterday with a phishing message and it's absolutely like Apple. I was really impressed and she was phished because of that and has had some problems.

Chris: I was just talking my mom through changing her Yahoo password because some friends of hers got hacked and sent her a very realistic email saying, "Could you buy an iTunes gift card for my niece for me while I'm out of town for $400?" The price was the part that really threw her off but she's 70 years old and she doesn't necessarily... So yeah, I mean it's getting very realistic and very scary but let's talk a little bit about the new [NIST 00:22:01] requirements and stuff and how they've changed.

I know you said that you feel that you've gotten some vindication on things you've been saying for years. So, talk a little bit about that.

Susan: [inaudible 00:22:13] authenticators, because I have so many arguments with people, particularly people who've worked in enterprise and have been sort of brought up with that kind of view, you have to change your password every 30 days, it has to be these policies, that type of thing. Well, NIST have turned it completely on the head and I'm so grateful to them because now I don't have to educate people anymore. I can just say, "Oh yeah, NIST. See NIST. [inaudible 00:22:37] me, I don't know anything, see NIST."

Again, all the things [inaudible 00:22:42] that they're all based on what NIST is saying, like don't prevent your users from creating long passwords. Don't prevent them from creating passwords that are over 16 characters, for example. Don't put your policies for all the world to see on your website. It's common sense stuff really. I don't know how it ended up where people did that.

I want to think it was a movement because it was a sort of movement of the enterprise onto the internet and people just didn't really think about consumers or [inaudible 00:23:20], that's all I can think.

What else is there? Password hints. Because we use [inaudible 00:23:25] hints all the time. Don't use password hints on your website because hackers will just use them against you. They add little benefit to the consumer but they offer the hacker another way of getting into someone's account.

One of the important things as well and this was actually a study done by [inaudible 00:23:48] years ago, because I remember reading this. One of the things that [inaudible 00:23:53] are focusing on is verification of people and also double checking people are who they say they are. One of the areas that I've looked at in the past is this think called [inaudible 00:24:04] which are the questions like, "What's your first dog?" [inaudible 00:24:05]. What was your first dog?

Because people with social media are putting this sort of stuff up on social media sites. For instance, I was on Etsy a few years ago and there was actually a whole thread on Etsy saying, "What is your mother's maiden name and what is your favorite color?" It's just a great way to harvest... Forums and social media are a great way to harvest things.

Chris: Yeah, any one of those is maybe not necessarily terribly unsafe but the people who do 10, 12, 15 of them in a row, suddenly, you've got a tremendous amount of data on that person.

Susan: So, it's obvious to us but it's not obvious to everybody else. Why would you not tell people what your favorite color is? Hackers being the way that they are, they are very astute and very clever at getting information out of people and getting people to trust them, earn their trust, building up that trust and then [inaudible 00:25:03], they've got your account.

You know what? I've had my [bank accounts 00:25:07] hacked, I've had all sorts of other accounts hacked, and I have had this happen to me. If it can happen to me, it can happen to anybody because I'm extremely cautious, more cautious now. Extremely cautious. Okay, so NIST have said [inaudible 00:25:19], bad.

Chris: Yeah. Yeah, I think that's also something worth mentioning is if you are helping a parent or a friend or something like that, it's worth noting to them that we've all had this happen. I've had hundreds of dollars grabbed out of my bank and I've had people on the phone who have said that they were my credit card company and I've given my numbers over. It is fool me once, shame on you but sometimes they're going to fool you once. It's a matter of whether or not they're going to fool you twice.

Susan: Yeah, they're very good at what they do.

Chris: Right.

Susan: They're really, really good at what they do.

Chris: Yeah, so for the past month and a half, I think most of us have been getting endless requests from all of our mailing lists and all of our stuff on the internet. Due to new regulations, it's time to absolutely say for sure that you want to be on our service, which is a nice thing but it's also very irritating.

What I was going to say is it makes me feel as though privacy and security are finally being treated as a serious issue. Do you feel like something like this represents a fundamental sea change in our thinking about security on a day-to-day basis or do you think once all these implementations have been changed, things are going to start drifting to business as usual until everyone confirms that they want to be on Betty Crocker's Favorite Cupcakes list? Is there a way of keeping this in people's minds, yes?

Susan: I hope so. You get into a comfort zone and then something happens, you go, "Oh!" And then you go back. It's not [inaudible 00:27:02] really in the NSA revelations and that sort of higher level of Privacy. People in the privacy industry have been going on about these things for decades and they've been saying something's bound to happen, something's got to give. More and more data's being generated on the internet. More and more of these bloody accounts are being created on the internet and it's getting unmanageable.

[inaudible 00:27:26] has come in because of all of those things, because it's been under development for many years as it's watched these things happened, so the [inaudible 00:27:33] has definitely come in at quite the right time. The tipping point is about now, isn't it?

Chris: Mm-hmm.

Susan: And it's coming at the right time and it's great and everybody is taking it very seriously, mostly. Although, there is some backlash is as well which we can go into later but the problem is is that human beings tend to... It's just innate in us to kind of just forget about things. We don't want to think about things. It's too complicated, it's too difficult, and we can't be bothered to really think about things.

So, we'll [inaudible 00:28:06], people will do a little bit to sort of try and tick their [inaudible 00:28:10] boxes, ask for consent. It's a lot of administration and things get forgotten and they're not really frightened of the GDPR and I can understand why. All sorts of fines hanging over your head and people do genuinely want to be respectful of people's privacy because of what's happened with Facebook and [inaudible 00:28:31]. People want to be respectful in general, people want to be respectful.

But in the end, it comes down to... I've got a friend who's got a really great charity, for example. She is doing her best to the utmost to get into GDPR compliance and just got loads of people, myself included, who are helping her to do it but it's a massive amount of work. It's a very small, understaffed, underpaid organization to try and get these things [inaudible 00:29:01]. She will do her best because she wants to respect her supporters but we will see.

I'm hopeful that people, the general public, understand the importance of privacy, understand that we're going into an era that [inaudible 00:29:21] wait until we start to get [inaudible 00:29:23]. Privacy's extremely important. Everybody has to understand that. It's not just about your name and address. It's about your behavior, it's about whether you're [inaudible 00:29:33] with your house, it's about the aggregation of all that data.

Chris: Mm-hmm.

Susan: What you're interested in, what your political beliefs are, what your religious beliefs are and so on and so forth. It's all of that stuff.

Chris: So, that leads perfectly to my next question. Do you think it is going to be possible someday to get to a post-password world? That's a tongue twister. Is it possible to get to a post-password world and what would be involved in that?

Susan: This year, a new API from [W3C 00:30:06] and Fido was released, called [inaudible 00:30:09]. [inaudible 00:30:11] is attempting to do just that. [inaudible 00:30:15] in a nutshell, it's public privately based, so [inaudible 00:30:19] public privately based and I guess these are sort of an add-in to [inaudible 00:30:25] which connects with [inaudible 00:30:27] device or [inaudible 00:30:28]the desktop to then pass a token back to the browser and [inaudible 00:30:33] and login in one fell swoop, so it's very seamless.

No factors, no [inaudible 00:30:38] factor, no multi-factor. That is the factor, which is great. Sounds great and it's anti-phishing. It's got a lot of positives. However, everything has a fallback when it goes wrong. For example, on your phone, if you try and use your finger and you've got a cut on it, it doesn't work. So, [inaudible 00:31:01] you put in your pin code or when you first start up your phone, you can't use it by [inaudible 00:31:06]. You have to put in your pin code.

So, there's always fallback in the pin code. It's always there as a fallback. You have to have a fallback for when things go wrong and the fallback is always a password because passwords are easy, passwords are easy to implement for the web developer, passwords are cheap and free, and passwords can... People can understand how they work because we're always had passwords.

Chris: Right. As aggravating as they are, they're also kind of comforting.

Susan: Passwords go way back in our history.

Chris: Mm-hmm.

Susan: Yeah, and there's a reason for that. There's a reason for that but again, it's the fallback position. It's the what if something goes wrong, what do you do? Do you lock people out? What about the recovery system? How does the recovery system work? If you've lost the phone. I don't know if you've had your finger chopped off or your hands chopped off and so on and so forth. You have to have a fallback position and I'm not sure what that fallback position is.

Chris: Well, we've given our listeners a lot of different sort of strategies and idea to sort of safen up their passwords here. As we power down the video, what is one thing that our viewers could do right now that would make their password stack more secure? What should be their first step do you think?

Susan: Make yourself phishing aware.

Chris: Okay.

Susan: Be very, very cautious about phishing emails because it doesn't matter how good your password is. Doesn't matter. If you're phished and [inaudible 00:32:33] website, they've got it. Wherever possible, even if it's not 100%, it's still pretty good, use two factor if it's available. [inaudible 00:32:47] available. Try and use the NIST guidelines, if you're allowed. If the website policy allows, is the NIST guidelines and use a pass phrase, a long pass phrase and not just one, use a number of different passwords.

Yeah, that's it and double check those, like I said before. Double check and try and get rid of old accounts. Old accounts are a real problem and it's a probably for things like digital death. If people die and have got vacant accounts, that's one of the things hackers look for, dormant accounts, and they use those. But that's a whole other area.

Chris: As we close up here, I'd just like to double up on what Susan said about the importance of phishing awareness. If you are unaware, the InfoSec Institute has a website called Security IQ and that can be found at securityiq.infosecinstitute.com. We have a free trial version. We actually have a free version that you can use. Once again, it has has a user and a password on it but what it will allow you to do is you will be able to fake phish your friends, your colleagues, your parents, your kids.

You can create realistic looking email templates, realistic looking invoices to be paid that you can send to people and then if they take the bait, they will be told you are safe but you have been phished and through our Aware Ed system, you would be able to watch a series of informative and sometimes interactive videos explaining on how to raise your security awareness a little bit. Once again, that's securityiq.infosec.com. Give us a try today.

Susan Morrow, thank you very much for this incredibly informative discussion today and again, thank you for watching this video. We hope to see you again very soon. Have a great day.