Nashville Webworks - A Reasonable Digital Future


The Password To Your Empire

January 29, 2021



Eighteen thousand companies were compromised as part of the SolarWinds breach. SolarWinds is a US corporation that develops network and infrastructure management software for a who’s-who of international corporations and government agencies. Reports from security investigators reveal the company was saddled with the same complacent security culture that is ubiquitous throughout the US and beyond.

The financial impact? 90 million in insurance liability alone... and counting.

The amount of personal, financial and national security data compromised? Unknown.

Security and IT professionals are freaking out, as they should be. President Biden ordered a security report and has already signed executive orders to enhance US security. Congress passed an unprecedented cybersecurity funding bill in December.

These measures are welcome. They will help. However, we need to stop looking at this exclusively as a technology problem.

This is a culture problem.

We could invest trillions in insanely complex technology solutions to secure our data but it won't solve a root cause:

Humans.

Even the educated and security paranoid folks that lurk in the IT and software engineering departments make mistakes. Many IT departments or "the IT guy" at your local company don't give a shit about security, because there is no management accountability, personal incentive or third-party oversight. Over time they get impatient with resetting passwords and just go with whatever reduces their workload. They write down passwords, use weak passwords, or share passwords over email. Software engineers building the software you use can get distracted and leave a temporary backdoor or password in shared source code they intended to clean up later. They get drunk at a bar after work and leave their phone in a Lyft. They forget to encrypt a laptop that is stolen in a coffee shop.

As my colleague likes to say, "Humans can't be trusted."

But even if they don't make any of these mistakes, even the most security-paranoid could be fooled by a well-conceived ruse.

We need a cultural revolution in information security with real legal & financial incentives to make it a reality:

The global software industry, including online services like social media, is too valuable to continue with a laissez-faire approach to data security and privacy. Researchers estimate that the digital economy is worth $11.5 trillion globally, equivalent to 15.5 percent of global GDP, and has grown two and a half times faster than global GDP over the past 15 years.

Yes, companies have a market incentive to protect data and make their products more secure, but so far what we've been doing hasn't been working. Until there is a stronger liability incentive for security before tragedy strikes and a stock price takes a temporary hit, it simply will not change. Although companies like Amazon Web Services, Google & Microsoft have evolved security-centric cultures, the national bar is too low for engineers to design systems that begin with assumptions like strong end-to-end encryption, cryptographic authentication, sensible service permissions models and system-enforced user best practices in mind.

The devastating SolarWinds hack is a great example of how pervasive the cultural problem is. Reuters reports that security researcher Vinoth Kumar contacted the company in 2019, alerting them that anyone could access its update server by guessing the password “solarwinds123” because someone at the company had accidentally published the password as part of shared source code on the public internet.

While this was probably not the method of infiltrating SolarWinds itself, it illustrates a glaring fundamental problem: 

Short text secrets are still the dominant means we use to secure access to our data.

A simple phrase comprising thirteen alphanumeric characters was the key to the backdoor of SolarWinds’ vast empire: the valuable financial, personal, corporate and national security data its products managed. It's not just a shit password, it's the fact that it was even an option in a commercial enterprise component.
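One way to catch a credential like this before it reaches a public repository, as an added example that is not from the original article: a small scanner that flags quoted literals assigned to credential-looking names and says why each one would be guessable. The sample file, the name patterns and the weakness rules are constructed assumptions; only the password string comes from the article.

```python
import re

# A quoted literal assigned to a name that looks like a credential.
ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>[\w.-]*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)[\w.-]*)
    \s*[:=]\s*
    (?P<quote>["'])(?P<value>.+?)(?P=quote)"""
)
# References to a secret store are placeholders, not secrets.
REFERENCE = re.compile(r"^(\$\{.*\}|\{\{.*\}\}|<.*>)$")

def weaknesses(value, context_words):
    """Return the reasons a literal would fall to simple guessing."""
    reasons = []
    lowered = value.lower()
    if len(value) < 16:
        reasons.append("short")
    if any(word.lower() in lowered for word in context_words):
        reasons.append("contains organisation name")
    if re.fullmatch(r"[a-z]+\d{1,4}", lowered):
        reasons.append("word followed by digits")
    return reasons

def scan(text, context_words=()):
    """Return (line_number, name, value, reasons) per hardcoded credential."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in ASSIGNMENT.finditer(line):
            value = match.group("value")
            if REFERENCE.match(value):
                continue  # resolved at deploy time, nothing to leak
            reasons = weaknesses(value, context_words)
            findings.append((number, match.group("name"), value, reasons))
    return findings

# Constructed sample file; only the password string comes from the article.
SAMPLE = '''\
[update_server]
host = "updates.example.com"
password = "solarwinds123"
api_key = "${UPDATE_API_KEY}"
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE, context_words=["solarwinds"]):
        print(finding)
```

Run as a pre-commit or CI step, a non-empty result from `scan` should fail the build regardless of the reasons list: any literal secret in source is a finding, and the reasons only indicate how quickly it would be guessed.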

The sobering reality of password use today:

Tricking Most People is Easy

Sophisticated hacking strategies with fancy hacker names like trojans, backdoor exploits, bots, & man-in-the-middle attacks, etc. are indeed dangerous, but low-tech strategies are really the fundamental problem because humans are just, well, gullible.

Let’s say you get an email from HR, or your boss. It looks, smells, tastes like a legitimate email. It asks you to provide some information, perhaps to update your payroll information or reset your payroll portal password.

You can't afford to miss a paycheck this month, so your cortisol levels spike and you immediately take action.

The email contains a link. You click it. It takes you to a secure webpage with your corporate logo that asks you to log in with your company credentials (step 1).

Once you log in, you fill in a form with your HR information (step 2).

Congratulations, you just got phished. As a hacker, I got your username and password in step 1 and all your personal information in step 2.

That is an inexpensive and low tech “social engineering” hack requiring only basic computer engineering skills. It’s also one of the most reliable and effective.

Email spoofing and phishing are remarkably simple, but thanks to improved system rules and pattern monitoring algorithms by Google, Microsoft and the primary providers of email services, these are increasingly detected and a warning is shown to you when you open one.

The problem here is that HR departments and managers, especially in small companies, still use email with direct links like this all the time, which assumes a ridiculous level of trust in a fundamentally insecure channel of communication developed in the 1970s. Again, this is a culture problem you can help change.

Email, message or call your boss or HR department independently on a trusted channel and verify. It takes 30 seconds.

Never, ever, EVER comply with directions to click a link in a message to provide information unless:

What’s the worst that can happen if you don’t comply or respond? They have to call you or contact you via a more reliable method? Good. Tell them why. Don’t encourage the culture problem.

Why is reusing passwords REALLY dumb?

Let’s say you have a super creative strong password you’ve crafted and memorized.

Hey, at least you’re not using a weak password, but since you memorized it and think it’s so solid, you decide to use it on multiple sites and services.

All it takes is for one of those sites to be hacked in a “data breach” and now that email/password combo is for sale on the black market. If I were a hacker, I would program my bot to try that login on thousands of popular sites for banking, email, stock trading, Amazon, etc. I go play video games or walk my pet lizard while my computer dutifully cranks through my script and feeds me a list of all your services that use those credentials.

Fortunately, sites like Amazon, Google and (hopefully) your financial institutions at least log your personal IP address or phone device ID and will notify you immediately if someone logs in from another location. Increasingly they block the login and verify it’s you via a text message, which is a basic practical form of Two Factor Authentication, or “2FA”.

2FA is annoying, but it’s smart to use on every online service that matters to you. Opt-in for it. It takes an extra 15 seconds and could save your ass.
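The defence described above, seen from the site's side, as an added example that is not from the original article: each login is checked against the addresses the account normally uses, and a correct password from an unfamiliar address gets a second-factor challenge instead of a session. It goes one step beyond the text by also blocking a source that walks through many accounts in a short window. The log format, thresholds and decision names are assumptions, and the log lines are constructed using documentation address ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log: time, source IP, account, password check result.
LOG = """\
2021-01-29T10:00:01 203.0.113.7 alice@example.com FAIL
2021-01-29T10:00:02 203.0.113.7 bob@example.com FAIL
2021-01-29T10:00:03 203.0.113.7 carol@example.com OK
2021-01-29T10:00:04 203.0.113.7 dave@example.com OK
2021-01-29T10:00:09 198.51.100.20 erin@example.com OK
2021-01-29T10:00:30 192.0.2.44 erin@example.com OK
"""
# Constructed history: addresses each account has logged in from before.
KNOWN_IPS = {"erin@example.com": {"198.51.100.20"}}


def decide(log, known_ips, max_accounts=3, window=timedelta(minutes=5)):
    """Return one (account, decision) pair per log line, in time order."""
    recent = defaultdict(deque)  # source IP -> (time, account) inside window
    decisions = []
    for line in sorted(log.splitlines()):  # ISO timestamps sort as text
        stamp, ip, account, outcome = line.split()
        now = datetime.fromisoformat(stamp)
        attempts = recent[ip]
        attempts.append((now, account))
        while now - attempts[0][0] > window:
            attempts.popleft()
        if len({acct for _, acct in attempts}) > max_accounts:
            decision = "block"      # one source working through a list
        elif outcome == "FAIL":
            decision = "reject"
        elif ip in known_ips.get(account, set()):
            decision = "allow"
        else:
            decision = "step_up"    # right password, unfamiliar location
        decisions.append((account, decision))
    return decisions


if __name__ == "__main__":
    for account, decision in decide(LOG, KNOWN_IPS):
        print(f"{account:20} {decision}")
```

In the sample, the reused password for `carol@example.com` is correct, yet the login ends in `step_up` rather than a session, which is the case where opting in to 2FA pays off.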

The Problem With 2FA

2FA can be inconvenient. At our company, we use it across a wide range of different systems that share a Single Sign On model. 

There have been situations where I've misplaced my phone and missed an important online meeting. It makes me even more paranoid about leaving the house with my phone because it’s the key to my virtual office.

One solution for professionals is to use two phones with an SMS relay service that will send inbound texts to both phones: one that stays home and a security hardened phone you can take with you on the go.

Passwords Are Not Going Away

Experts will blather on about the future of biometric SSO or device key authentication for days (as they've been doing for years). These are all great forward-thinking ideas, but let’s face it -- passwords are not going anywhere for a long while.

Passwords are still a solid balance of convenience and security if the software enforces reasonable strength. But they often don't, so it's important to understand a few basic concepts:

How The Hell Do I Manage All These Passwords?

It’s incredibly easy, actually. A password vault manager is possibly the greatest practical personal security invention of the past 20 years.


Password manager vaults work seamlessly with your web browsers across all your devices. With one master password in your local ring of trust, you control the credentials of all the services in the untrusted ring. It’s utterly brilliant because the core design is inherently more secure than other options.

We recommend Lastpass or Bitwarden, but there are many options out there.

How To Create A Strong Memorized Password

Here are some possible strategies for creating your passwords:

Note the use of the period punctuation mark in the password. Punctuation is a good way to add entropy to your passwords as well as a little length. Create a unique string that you can prefix or append to your passwords.

– prefix string + password = stronger password
– tdr0cks! + itm0adl0. = tdr0cks!itm0adl0
– tdr0cks! + torvt11. = tdr0cks!torvt11

Your Browser's "Remember Password" feature is NOT a secure Password Vault, but it's better than reusing passwords

There are a lot of myths about browser in-built password management. I've heard people say that they are insecure. They are actually reasonably secure if your device, iCloud, or Google Account password is unique and very strong, but these managers are not necessarily local encrypted vaults.

After using Chrome for a decade, I recently returned to Mozilla Foundation's Firefox, which has regained the vanguard position among browsers in terms of performance, privacy and in-built security. Brave is a new player that is rapidly disrupting the space with innovative features like automatic ad and tracker blocking, TOR-enabled private browsing (for total anonymity) and support for the decentralized protocol IPFS.

While Google Chrome's Password Manager does keep information secure, the in-built Google Password Manager is just one facet of a larger infrastructure and is protected by the same measures used to safeguard Gmail accounts and other customer information. 

Using Google Password Manager, protected by a strong memorized password, across your browser devices to generate and manage many unique strong random passwords is much safer than using weak passwords or reusing passwords.

Google isn’t transparent about what it does to keep information protected but promises sophisticated physical security, encryption techniques, strong internal controls and consistently evolving practices to keep customer information secure. The company also pays hackers via a Vulnerability Reward Program, challenging them to find weaknesses in their systems.

That said, Google was hacked in 2019 and customer data was compromised. If they were following the password vault model or hashed password storage, passwords should not have been a part of the leak.

Google has many detractors who criticize their business model, but the company deserves a lot of credit for pushing for a more secure internet. Fifteen years ago, Microsoft’s Internet Explorer was a security disaster. Google and Chrome disrupted that space and pushed for greater transparency, privacy and security.


License: Creative Commons Attribution 4.0 International (CC BY 4.0)
