What I learned from resetting over 300 passwords
In May, Lastpass announced an intrusion on its network that led to a data breach of user account information. LastPass is a cloud-based password manager; users load the LastPass extension into their web browsers and all the pesky password management tasks are taken care of. The user is given one-click access to fill in the username and password on known sites and the option to generate a long password and save credentials on new sites.
It’s a great, convenient service but not without its pitfalls — your passwords are stored on the cloud, so can be more dangerous than a local password manager. One hack could expose all your credentials.
I started using LastPass about three years ago, after a long stint with KeePass. I decided to make the switch, partly out of convenience and partly because it forced better password habits. For example, if I didn’t have immediate access to my KeePass database and I had to create a new account, I was more likely to use a weak password.
LastPass also supports two-factor authentication, which means an attacker has to have access to my database and my mobile phone in order to gain access to my account. I weighed the pros and cons of each and decided to move my passwords to the cloud. Looking at it from a risk-based approach, I’m more likely to lose a KeePass database from error, house burning down along with all backups, or database corruption than someone hacking into my LastPass database. It’s not a foolproof solution, but the best one for me at this point in time.
You can imagine my surprise when LastPass announced its service had been hacked. However, the silver lining is in the way the company handled the bad news — it is a textbook example of exactly the right way to handle a data breach. It notified customers at first sign of intrusion and were very forthcoming about what was taken in the attack. They also offered next steps for each customer to protect their account: change the master password immediately and enable two-factor authentication.
It was at this point I took a hard look at my password habits. I’ve been using a password manager for nearly eight years, which meant nearly all my passwords were unique and strong — but not all. Sometimes I didn’t have access to my password manager and created a weak password on the fly. I also don’t use the same password between sites — anymore. Prior to probably 2009, I reused some passwords and have some weak ones in place.
Also, keep in mind that what was considered a strong password in 2000 is a weak password today due to exponential increases in computing power that can brute-force crack passwords. My important accounts, such as online banking, trading, email and cloud storage were secure but some that seemed less significant, such as shopping or news sites, were less secure.
After the LastPass breach I decided to do a full audit of all my accounts and assess my risk. I also thought about how accounts are often linked together and how a security failure in one area can lead to a domino effect.
This happened to technology journalist Mat Honan. For example, in order to reset an Apple ID over the phone, one needs the last four digits of the credit card on file. Amazon displays the last four digits in its account settings, so if an attacker gets a hold of the credentials for an Amazon account, the information can be used to compromise all Apple services someone uses. In Honan’s case, this gave attackers access to his iCloud account, enabling them to wipe his iPhone and Mac.
My first challenge was simply gathering a list of websites that I needed to audit. The accounts I’ve logged into in the five years or so were easy to gather — they were in KeePass, LastPass or in various note taking programs. Almost 25 years of Internet usage meant there were presumably hundreds of accounts that I hadn’t logged into for over a decade that might have weak passwords and my personal information. After scouring my memory, emails and receipts, I had a working list of just over 300 accounts.
Now the hard work started. I logged into (or tried to log into) each site, used the site’s “Change Password” or “Forgot Password” function and slowly worked my way through the list. It took a weekend but I finished — and I learned a lot. I learned much about the general state of password and account security on major sites on the Internet. I also learned about my own password habits and how they have changed and evolved over the years.
Here are some of the major things I’ve learned:
- A few sites still have terrible username/password rules. I came across three websites, two government and one quasi-government, that had my Social Security number as the username and a four-digit PIN as a password. This is terrible, for several reasons. Usernames are usually not hashed, so my SSN is sitting out there along with my real, full name. A four-digit PIN isn’t a password at all anymore and can be guessed using brute-force attack in under a day on modest computing hardware. If websites still use this as the main method of authentication, do they have the ability to detect and respond to a breach? Probably not. I have to use these sites, so I changed my PIN, made a ritual offering to the Patron Saint of Identity Theft and moved on. I’m lucky that I have free credit monitoring for a very long time, courtesy of Anthem, Target and Home Depot. I’ll need it.
- Many sites still email forgotten passwords. When a user goes through the process to recover a lost password, many sites will email the current password. This is bad for two reasons: first, this means they are storing the password in plaintext. A site should never do this — a password should always be stored as an irreversible cryptographic hash. Second, email is a very insecure method of transmitting data. Always operate with the thought that email is compromised and being read by third parties. Emailing the current password (bad) or a temporary password (not as bad, but still bad) is not secure.
- Many sites force users to use weak passwords. About a quarter of the sites that I visited did not allow me to use special characters or passwords over 12 characters in length. If there was a data breach and an attacker got a hold of the hashed passwords, it would be much easier to crack the passwords than if strong passwords were required.
Tips for Users:
- Take an active role in protecting your personal information. We’re at the point now where it’s not enough to sign up for a service, give all your personal information and just assume they will protect it. Data breaches are the new normal. Use strong, unique passwords when possible and be judicious about giving out personal information. If a site does not employ good security practices and you have a choice in the matter, move on. Use a different service.
- Consider using a password manager. There are cons of course to centrally storing passwords, but there are many pros. Evaluate your own risks. For the average user, the biggest threat is a data breach at one of the sites they commonly use. Password managers allow users to very easily use a strong, unique password for each site. This will considerably contain the bad effects of a data breach.
- Be careful with cognitive passwords. Cognitive passwords, alsoknown as “knowledge-based authentication” is a common way sites allow secondary access to an account. Upon account creation, sites ask the user a series of questions, such as “What city were you born in?” and “What is your mother’s maiden name?” When you come across these, ask yourself two questions: One, can the answers be obtained on Facebook, LinkedIn or public records? Second, what will happen if an attacker gains access to these answers? Can they use the answers to gain access to other accounts on other sites? Sites should store these passwords in a one-way, non-reversible hash, but many do not. Consider giving a non-answer — a string of characters or a nonsensical answer to the questions and store the questions and answers in your password manager.
- Your primary email account is the key to the kingdom. Protect it like no other. In most cases, I can reset my password for a site via email account, whether it was a reset link or a temporary password. If an attacker gained access to their victim’s primary email account, they could do exactly what I did and reset the passwords to hundreds of websites. This could be devastating on many levels. Use a very strong password on your email account and never, ever reuse this password anywhere else. Enable two-step or two-factor authentication on your email account. If your provider does not offer this feature, consider moving to one that does.
After my exercise was complete, I was humbled and surprised at the inconsistency of password management techniques across different sites. Even when sites say they use strong security or claim they delete personal information, many times they do not, as is the case of Ashley Madison. The only way to adequately protect yourself is to take an active role in your own account management.
Originally published at www.csoonline.com on August 5, 2015.