The Password To Your Empire
January 29, 2021
Eighteen thousand companies were compromised as part of the SolarWinds breach. SolarWinds is a US corporation that develops network and infrastructure management software for a who’s-who of international corporations and government agencies. Reports from security investigators reveal the company was riddled with the same complacent security culture that is ubiquitous throughout the US and beyond.
The financial impact? 90 million in insurance liability alone... and counting.
The amount of personal, financial and national security data compromised? Unknown.
Security and IT professionals are freaking out, as they should be. President Biden ordered a security report and has already signed executive orders to enhance US security. Congress passed an unprecedented cybersecurity funding bill in December.
These measures are welcome. They will help. However, we need to stop looking at this exclusively as a technology problem.
This is a culture problem.
We could invest trillions in insanely complex technology solutions to secure our data but it won't solve a root cause:
Even the educated and security paranoid folks that lurk in the IT and software engineering departments make mistakes. Many IT departments or "the IT guy" at your local company don't give a shit about security, because there is no management accountability, personal incentive or third-party oversight. Over time they get impatient with resetting passwords and just go with whatever reduces their workload. They write down passwords, use weak passwords, or share passwords over email. Software engineers building the software you use can get distracted and leave a temporary backdoor or password in shared source code they intended to clean up later. They get drunk at a bar after work and leave their phone in a Lyft. They forget to encrypt a laptop that is stolen in a coffee shop.
As my colleague likes to say, "Humans can't be trusted."
But even if they don't make any of these mistakes, even the most security-paranoid could be fooled by a well-conceived ruse.
We need a cultural revolution in information security with real legal & financial incentives to make it a reality:
- education programs that help both companies and the average person better understand data security and help establish norms of sensible practice and even basic security certification
- clear regulations for data security & privacy as it relates to liability for commercial software developers, software vendors and the companies that use those products
The global software industry, including online services like social media, is too valuable to continue with a laissez-faire approach to data security and privacy. Researchers estimate that the digital economy is worth $11.5 trillion globally, equivalent to 15.5 percent of global GDP, and has grown two and a half times faster than global GDP over the past 15 years.
Yes, companies have a market incentive to protect data and make their products more secure, but so far what we've been doing hasn't been working. Until there is a stronger liability incentive for security before tragedy strikes and a stock price takes a temporary hit, it simply will not change. Although companies like Amazon Web Services, Google & Microsoft have evolved security-centric cultures, the national bar is too low for engineers to design systems that begin with assumptions like strong end-to-end encryption, cryptographic authentication, sensible service permissions models and system-enforced user best practices in mind.
The devastating SolarWinds hack is a great example of how pervasive the cultural problem is. Reuters reports that security researcher Vinoth Kumar contacted the company in 2019, alerting them that anyone could access its update server by guessing the password “solarwinds123” because someone at the company had accidentally published the password as part of shared source code on the public internet.
While this was probably not the method of infiltrating SolarWinds itself, it illustrates a glaring fundamental problem:
Short text secrets are still the dominant means we use to secure access to our data.
A simple phrase comprising thirteen alphanumeric digits was the key to the backdoor of SolarWinds’ vast empire of valuable financial, personal, corporate and national security data their products managed. It's not just a shit password, it's the fact that it was even an option in a commercial enterprise component.
The sobering reality of password use today:
- At least 65% of people reuse passwords across multiple sites.
- 13% of people use the same password for all accounts and devices.
- About 80% of data breaches in 2019 were caused by password compromise.
- 91% of participants in a recent survey understood the risk of password reuse but 59% admitted to doing it anyway.
- 42% of companies were breached by a bad password in 2019.
- 81% of hacking-related breaches are due to leaked passwords.
- The average person reuses each password 14 times.
- An estimated 49% of employees only add a digit or change a character in their password when they’re required to update it.
- Passwords were leaked in about 65% of breaches in 2019.
Tricking Most People is Easy
Sophisticated hacking strategies with fancy hacker names like trojans, backdoor exploits, bots, & man-in-the-middle attacks, etc. are indeed dangerous, but low-tech strategies are really the fundamental problem because humans are just, well, gullible.
Let’s say you get an email from HR, or your boss. It looks, smells, tastes like a legitimate email. It asks you to provide some information, perhaps to update your payroll information or reset your payroll portal password.
You can't afford to miss a paycheck this month, so your cortisol levels spike and you immediately take action.
The email contains a link. You click it. It takes you to a secure webpage with your corporate logo that asks you to login with your company credentials (step 1).
Once you login, you fill in a form with your HR information in (step 2).
Congratulations, you just got phished. As a hacker, I got your username and password in step 1 and all your personal information in step 2.
That is an inexpensive and low tech “social engineering” hack requiring only basic computer engineering skills. It’s also one of the most reliable and effective.
Email spoofing and phishing are remarkably simple, but thanks to improved system rules and pattern monitoring algorithms by Google, Microsoft and the primary providers of email services, these are increasingly detected and a warning is provided to you when you open it.
The problem here is that HR departments and managers actually still use email with direct links like this all the time, which assumes a ridiculous level of trust over a fundamentally insecure channel of communication developed in the 1970s, especially in small companies. Again, this is a culture problem you can help change.
Email, message or call your boss or HR department independently on a trusted channel and verify. It takes 30 seconds.
Never, ever, EVER comply with directions to click a link in a message to provide information unless:
- You initiated the request and it’s an obviously timely response.
- It’s via a recognized authorized system that you login to independently using an address you already verified.
- Or, you’ve verified it with a follow up via a known channel.
What’s the worst that can happen if you don’t comply or respond? They have to call you or contact you via a more reliable method? Good. Tell them why. Don’t encourage the culture problem.
Why is reusing passwords REALLY dumb?
Let’s say you have a super creative strong password you’ve crafted and memorized.
- It’s long
- It has uppercase and lowercase letters
- It has numerals
- It has non-alphanumeric characters like $#@!
Hey, at least you’re not using a weak password, but since you memorized it and think it’s so solid, you decide to use it on multiple sites and services.
All it takes is for one of those sites to be hacked in a “data breach” and now that email/password combo is for sale in the black market. If I was a hacker, I program my bot to try that login on thousands of popular sites for banking, email, stock trading sites, Amazon, etc. I go play video games or walk my pet lizard while my computer dutifully cranks through my script and feeds me a list of all your services that use those credentials.
Fortunately, sites like Amazon, Google and (hopefully) your financial institutions at least log your IP address or device ID and will notify you immediately if someone logs in from another location. Increasingly they block the login and verify it’s you via a text message, which is a basic practical form of Two Factor Authentication, or “2FA”.
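The two server-side checks just described, a login from an address the account has never used and one source address working through many accounts with stolen credentials, are easy to express as detection logic. The following is an added example, not code from the original post or from any of the services named: it parses a handful of constructed login-event lines (the `ip=... user=... result=...` format and the addresses are invented for the example) and reports both patterns.

```javascript
// Added example (not from the original post): a small detector over
// constructed login-event lines. It models two checks a service can run:
//   1. a successful login from an IP the account has never used before;
//   2. one source IP trying many distinct accounts in a short window,
//      which is the signature of a credential-stuffing bot.
// The log format, usernames and IP addresses below are all constructed.
const LOG = [
  '2021-01-29T08:00:01Z ip=203.0.113.5 user=alice result=success',
  '2021-01-29T08:05:12Z ip=203.0.113.5 user=alice result=success',
  '2021-01-29T09:10:00Z ip=198.51.100.7 user=alice result=success', // new IP for alice
  '2021-01-29T10:00:00Z ip=192.0.2.9 user=bob result=failure',
  '2021-01-29T10:00:01Z ip=192.0.2.9 user=carol result=failure',
  '2021-01-29T10:00:02Z ip=192.0.2.9 user=dave result=failure',
  '2021-01-29T10:00:03Z ip=192.0.2.9 user=erin result=success',
  '2021-01-29T10:00:04Z ip=192.0.2.9 user=frank result=failure',
];

// Parse "<iso timestamp> key=value key=value ..." into an event object.
function parseLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const ev = { ts: Date.parse(ts) };
  for (const pair of pairs) {
    const [k, v] = pair.split('=');
    ev[k] = v;
  }
  return ev;
}

// Check 1: flag each successful login whose (user, ip) pair is new for
// that account. The account's very first login is not flagged, because
// there is no history yet to compare against.
function newLocationLogins(events) {
  const seen = new Map(); // user -> Set of IPs already used successfully
  const alerts = [];
  for (const ev of events) {
    if (ev.result !== 'success') continue;
    const ips = seen.get(ev.user) || new Set();
    if (ips.size > 0 && !ips.has(ev.ip)) {
      alerts.push({ user: ev.user, ip: ev.ip, ts: ev.ts });
    }
    ips.add(ev.ip);
    seen.set(ev.user, ips);
  }
  return alerts;
}

// Check 2: flag any source IP that touches at least `minAccounts`
// distinct usernames within a sliding window of `windowMs` milliseconds.
// Failures count too: a stuffing bot fails far more often than it succeeds.
function stuffingSources(events, windowMs = 60000, minAccounts = 4) {
  const byIp = new Map();
  for (const ev of events) {
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }
  const alerts = [];
  for (const [ip, evs] of byIp) {
    evs.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].ts - evs[start].ts > windowMs) start++;
      const users = new Set(evs.slice(start, end + 1).map((e) => e.user));
      if (users.size >= minAccounts) {
        alerts.push({ ip, accounts: users.size });
        break; // one alert per source IP is enough
      }
    }
  }
  return alerts;
}

// Usage over the constructed log.
const events = LOG.map(parseLine);
console.log('new-location logins:', newLocationLogins(events));
console.log('stuffing sources:', stuffingSources(events));
```

Real services fold in geolocation, device fingerprints and reputation feeds, but the shape is the same: keep per-account history to decide what is "another location", and keep per-source counters to spot one machine cranking through a credential list.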
2FA is annoying, but it’s smart to use on every online service that matters to you. Opt-in for it. It takes an extra 15 seconds and could save your ass.
The Problem With 2FA
2FA can be inconvenient. At our company, we use it across a wide range of different systems that share a Single Sign On model.
There have been situations where I've misplaced my phone and missed an important online meeting. It makes me even more paranoid about leaving the house with my phone because it’s the key to my virtual office.
One solution for professionals is to use two phones with an SMS relay service that will send inbound texts to both phones: one that stays home and a security hardened phone you can take with you on the go.
Passwords Are Not Going Away
Experts will blather on about the future of biometric SSO or device key authentication for days (as they've been doing for years). These are all great forward-thinking ideas, but let’s face it -- passwords are not going anywhere for a long while.
Passwords are still a solid balance of convenience and security if the software enforces reasonable strength. But they often don't, so it's important to understand a few basic concepts:
- Think of your security in terms of two rings of trust.
- The devices that stay in your home are near the center. You lock their screens with a password that is fast to type, reasonably strong and easy to remember.
- On those devices, you use an encrypted password vault and automated password manager. It sounds fancy, but it’s really simple to use.
- For your password manager, you invent a very long and strong passphrase that you memorize. You don't write it down or email it to yourself. Memorize it.
- Use your password manager to generate unique, random and extremely strong passwords for every website and service you use that exists in the outer ring of untrusted security (the web). The vault manager takes care of everything for you.
How The Hell Do I Manage All These Passwords?
It’s incredibly easy, actually. A password vault manager is possibly the greatest practical personal security invention of the past 20 years.
- You have a file called a vault
- It’s protected by a level of (reasonably) uncrackable encryption using your single strong password that only you know.
- It’s transferred and stored in the cloud only in the locked encrypted form so you can sync it on any device.
- It’s never unlocked in the cloud. If the cloud is hacked, the vault is an encrypted block that is more or less useless.
- The entire vault is uploaded each time you add or change something.
- Only you can view it on your local system by decrypting the vault.
- Opt in for two-factor authentication as well and you have an excellent level of security.
Password manager vaults work seamlessly with your web browsers across all your devices. With one master password in your local ring of trust, you control the credentials of all the services in the untrusted ring. It’s utterly brilliant because the core design is inherently more secure than other options.
How To Create A Strong Memorized Password
Here are some possible strategies for creating your passwords:
- Think of a phrase, quote, or song verse and select the first character of each word to create a password. “In the middle of a difficulty lies opportunity.” translates to “Itmoadlo.”
- Passwords are often case sensitive and here we’ve used a capital “I” just like the start of the sentence.
- Vowels can be replaced with numbers to add entropy: “Itmoadlo.” translates to “1tm0adl0.”
Note the use of the period punctuation mark in the password. Punctuation is a good way to add entropy to your passwords as well as a little length. Create a unique string that you can prefix or append to your passwords.
- prefix string + password = stronger password
- tdr0cks! + itm0adl0. = tdr0cks!itm0adl0
- tdr0cks! + torvt11. = tdr0cks!torvt11
Your Browser's "Remember Password" feature is NOT a secure Password Vault, but it's better than reusing passwords
There are a lot of myths about browsers' built-in password management. I've heard people say that they are insecure. They are actually reasonably secure if your device, iCloud, or Google Account password is unique and very strong, but these managers are not necessarily local encrypted vaults.
After using Chrome for a decade, I recently returned to Mozilla Foundation's Firefox, which has regained the vanguard position among browsers in terms of performance, privacy and in-built security. Brave is a new player that is rapidly disrupting the space with innovative features like automatic ad and tracker blocking, TOR-enabled private browsing (for total anonymity) and support for the decentralized protocol IPFS.
While Google Chrome's Password Manager does keep information secure, the in-built Google Password Manager is just one facet of a larger infrastructure and is protected by the same measures used to safeguard Gmail accounts and other customer information.
Using Google Password manager protected by a strong memorized password across your browser devices to generate and manage many unique strong random passwords is much safer than using weak passwords or reusing passwords.
Google isn’t transparent about what it does to keep information protected but promises sophisticated physical security, encryption techniques, strong internal controls and consistently evolving practices to keep customer information secure. The company also pays hackers via a Vulnerability Reward Program, challenging them to find weaknesses in their systems.
That said, Google was hacked in 2019 and customer data was compromised. If they were following the password vault model or storing hashed passwords, passwords should not have been part of the leak.
Google has many detractors who criticize their business model, but the company deserves a lot of credit for pushing for a more secure internet. Fifteen years ago, Microsoft’s Internet Explorer was a security disaster. Google and Chrome disrupted that space and pushed for greater transparency, privacy and security.
License: Creative Commons Attribution 4.0 International (CC BY 4.0)