Biometrics, Password Spraying, Brute Force Attack - just a few terms you likely never considered would matter to your day to day. Due to our ever-connected world, we have an increasing need to understand the previously ‘technical team’ lexicon. For some, this might build a sense of overwhelming annoyance, however, if we take it slow, we can demystify this language together.
Firstly, let’s discuss passwords - once considered the only control to keep your accounts safe, now simply one piece of the defence. Passwords have a bad reputation, having to change often, keep random, and never write down - creates the best recipe for a lazy approach to password security. Now let’s look at how humans work: predictable, re-use what we will remember, dictionary words. Realising this, let’s turn that predictable behaviour, ease of memory, and daily use into a secure solution - Pass-phrases. Increasing the length of your password by making it a sentence, example “My littlest ferret loves to go for walks in the Baile Park, it’s 27 steps away.” is a 64 character password with numbers, lowercase, uppercase, and symbols; the best part is its a lot easier to remember.
Whilst some organisations and services still require password rotation, which doesn’t align with the NCSC in the United Kingdom, or NIST in the U.S.A., simply having an easier to remember strong password is starting you out right. Adding in the appropriate security programme of layered controls, you now must add multi-factor authentication. Why is this a requirement? Consider the fact: by creating an account with a service provider, you are giving them your confidential information and simply trusting them to store this securely. What happens if the service provider is breached, furthermore, what if they didn’t protect your password as they stated?
By enabling multi-factor authentication, you are proactively securing yourself from future incidents, including a lost password or a malicious actor’s attempted login. This additional layer of security will allow you to approve all login attempts, so even if a password is lost you can limit the malicious actor’s access.
Often, I’m asked, if I expect people to use unique passwords, and expect these passwords to be long - how do I expect my clients to retain enough passwords for all the accounts they use? Well, personally, I solve this issue by using a Password Manager; a software application or vault that securely holds sensitive data categorised by the services. Not only the passwords, but credit cards, passports, security questions, are a few further examples of what some password managers can store. I have heard the argument that storing passwords in one location makes them more vulnerable, however my argument is this:
· Password managers have layered security, a master password, authenticated and registered device, and further security practices. A good service provider also plans for when the device is compromised, by storing all data securely; yes, choosing the right provider is important.
· Longer passwords for all accounts, including random strings you don’t need to remember for security questions, is going to benefit your security posture.
· Ease of use of password managers enhances your relationship with security, meaning you can associate security with a positive feeling and take action. Verses only having the negative reminders of security failure, such as security breach notifications, that often just make us feel hopeless.
To clarify, I am not saying a password manager is the only solution for all situations - some people simply cannot use this for whatever reason. In the case that a software solution isn’t right for you, consider hardware - yes, I mean writing down your passwords. Making an educated decision by reviewing your own personal threat model, and understanding the risks, I don’t see an issue with written down passwords. Consider this, if you are able to safely store a password book, don’t need it to travel back and forth often so the risk of being lost or stolen is reduced, and you do not have a potentially malicious actor with access to your secure storage - then why not? I would not recommend writing down passwords if you are concerned with a flatmate or intimate partner accessing, and I would suggest sticky notes to monitors are not the best solution - but I also realise that secure solutions must vary depending on the person using them.
All this discussion has been on passwords, but what about the first half of the service login details; username and/or email addresses? How many email addresses do you have, do you find it challenging to keep up with? One idea that you might find useful, is creation of alias emails. Companies have used alias for as long as I’ve been working, consider when a merge takes place, and you move from email@companyA.com to email@companyB.com. The old address might still be needed, instead of losing all possible emails, they create a forward to the new mailbox. Do you use Apple iCloud accounts? That provider allows you to create three alias that will forward to one mailbox, even allows you to send out as these alias. You can also use separate mailboxes, by creating a completely separate email for a specific service or group of services. I.e. zoë_social@domain.com or zoë_facebook@domain.com. I personally forward additional mailboxes to a central email account, but with most mail applications, you can be signed into multiple accounts at once as well. Again, consider your situation and choose what works for you.
Why would we need to use unique passwords, further still changing usernames or emails? Have you ever heard of the term Password Spraying? A simplified definition is a script that uses multiple usernames, and either one or small list of common passwords, and attempts to login with each username against that list of passwords. This would not trigger an account lockout, because each username is different, and eventually, someone is going to be using a common password. Using unique, strong passwords against all accounts will make this attack almost impossible against yours. Why separation of usernames/emails? Personally, I have found the longer I have an address and the more associated with it, the faster I become overwhelmed with spam email and even general phishing campaigns. There’s one last consideration, similar to password spraying is an attack called credential stuffing - want to read more, check out the OWASP description: https://www.owasp.org/index.php/Credential_stuffing.
In summary, I’m not saying you must change each and every practice you have for your personal security - I’m also not saying that every solution will work for you. What I am saying is, understand your risks and threats, realise there are attacks that simply aren’t targeted - they are automated using existing public information. If you’re concerned that a breach list contains your email and password(s) you currently use, then take a proactive approach to updating these, and whilst at it, choose something that will actually work for you long term. Security doesn’t have to be a scary and negative thing; it can be solutions that enhance your life; both in ease and confidence in your safety.
Zoë Rose is a highly regarded hands-on cyber security specialist, who helps her clients better identify and manage their vulnerabilities, and embed effective cyber resilience across their organisation. Whilst retaining deep technical expertise, Zoë has extensive experience in designing and executing cyber security awareness programmes to help people become more aware of cyber threats and uplifting critical cyber security processes and ways of working. She also has experience in maximising the value and effectiveness of technical cyber security controls across a variety of programmes and industries.
Rose is a Cisco Champion and certified Splunk Architect, who frequently speaks at conferences. Recognised in the 50 most influential women in cyber security UK, and the PrivSec 200, Rose is quoted in the media, has presented on National News, has been featured in Vogue Magazine, and was the spokesperson for Nationwide’s Over Sharing campaign that had a reach of 306 million citizens. Follow her on Twitter @RoseSecOps