Passwords - Managing the Chaos

Passwords are something that we all have and cannot avoid if we have a digital life. Every device we own and work with asks for one: our laptops, phones, and tablets. Nearly every website we visit demands we create one. At work, you have not only your computer but business applications, network devices, and a myriad of other systems and applications that require passwords. Passwords are the virtual keys we need to unlock and secure everything we own and use in our virtual lives. We need them.

Unfortunately, it is also because of their widespread use that we hate them. The average person has nearly 30 logins to keep track of. I have over 50 that I use, and that doesn't include what I have at work. Because of this growth, many have gotten sloppy and use the same password over and over for multiple services. Many times they will use simple dictionary-based words or names of children, birthdates, or other things that are easy for attackers to find and research from their victim's social media posts. But who can blame them when they have so many accounts?

Unfortunately, many have learned the hard way why this is a major mistake. Almost every day we learn that accounts have been "hacked" or a company has been breached. Add to this the common practice of reusing simple passwords across accounts, and you can imagine how large an issue this is.

Trying to find a Solution

Because of these issues, many have touted a passwordless world as more secure. They have looked to alternative solutions such as biometrics (fingerprint readers or eye scanners), face recognition, access tokens, or other far more complex systems to replace password-based authentication. However, all of these cost far more to implement due to special hardware, software, and/or licensing requirements. It is because of these costs that adoption of these technologies is limited.

Another way websites have tried to solve this issue is by setting up single sign-on through a third-party account. We see "Login with $socialmedia Account" everywhere. However, there are issues and concerns with this too. For example, if you log in with your social media account and that account is compromised, the attacker now has multiple systems to exploit. The other issue is that most of these sites want you to use your social media account so they gain access to your account and what you post, which leads to privacy concerns. With this in mind, I strongly recommend you review your accounts and what apps have access to them annually, and remove anything you don't use or are unfamiliar with.

Let's face it, password-based authentication isn't going away. It's a very simple system to implement because it's a core feature of every OS and application system. However, the question still remains: how do we manage all these accounts in a secure way?

Password Managers

Password Managers are applications that make managing accounts easy. They provide an easy way to assign randomly generated, complex, and strong passwords to your accounts. They also make it easy to share passwords with IT teams, your family, etc. They do all this securely because they keep all your credentials encrypted, so you only have to remember a single master password that in turn unlocks access to all your accounts.

While the thought "I don't want all my eggs in one basket" may be going off in your head right now, keep in mind that a password manager is something you want to add additional layers of security to. We will be talking about that in the next section. For now, keep in mind that with all the accounts we have to manage both personally and professionally, Password Managers are a requirement. Because you can have them assign a unique random password to each account you have, should a website or application become compromised, the damage is isolated to just that one service.

If you don't have a Password Manager, I strongly encourage you to find one that works for you. There are many to choose from, both paid commercial products and free open-source solutions. It doesn't matter which solution you go with, just find one.

Enable Two Factor Authentication (2FA)

Many vendors now support what is called Two Factor Authentication, or 2FA for short. This is a simple system that greatly increases the security of your accounts. After you type in your password, the application or service asks for an additional form of proof that you are actually you. This may be in the form of an SMS message, an application prompt on your phone/tablet, an email, or the use of hardware such as a smart card or YubiKey. This way, should someone get your password, they still wouldn't be able to access your account because they would need additional proof they are you.

Don't wait, enable 2FA immediately, especially on your important accounts such as your personal email, financial accounts, Password Manager, shopping, social media, and all other sites that are critical or may have a sensitive or financial impact on you should they be compromised. Many vendors now support 2FA and can offer you different 2FA options to choose from.

There is an important note on 2FA that you need to be aware of: I don't encourage you to use 2FA via SMS. This is because your cell phone number can easily be spoofed or stolen.

Passwords that Make Sense

Passwords do not need to be difficult. In the past, it was always recommended to use alphanumeric passwords with special characters, to keep them relatively short so you could remember them, and to change them regularly. The bad part about that is these passwords are a pain to remember. Ask anyone working a helpdesk and you will quickly find that the #1 ticket request they get is for password resets.

The best passwords are both long and easy to remember. I usually recommend phrases or random words that you can easily associate together. You never want to use anything such as birthdays, pet or family member names, or anything else commonly posted to social media because these are easily guessed and found by attackers.
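As an added example (not part of the original post), the following Python script puts numbers behind the advice above: it computes the entropy of a passphrase built from random words versus a password built from random characters, and generates a passphrase from a cryptographically secure random source. The small word list and the 7776-word Diceware list size are assumptions for the demonstration.

```python
import math
import secrets

# Constructed sample vocabulary for the demo (an assumption, not from the post).
# A real Diceware-style list has 7776 words; only its size matters for the entropy math.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "lantern", "river", "pebble", "orbit",
    "velvet", "meadow", "copper", "saddle", "harbor", "quartz", "tundra", "walnut",
]
DICEWARE_LIST_SIZE = 7776      # 6^5 words in a standard Diceware list
PRINTABLE_ASCII_SIZE = 95      # upper, lower, digits and symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `alphabet_size` choices.

    The same formula covers both styles: for a passphrase a 'symbol' is a whole word,
    for a conventional password it is a single character.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two choices and one symbol")
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, vocab_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of random words from a `vocab_size` list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(vocab_size))


def generate_passphrase(words: list, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG (secrets), never random.random()."""
    if count < 1:
        raise ValueError("count must be positive")
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # 4 Diceware words vs. 8 fully random printable characters: similar strength,
    # but only one of them is something a person can actually remember.
    print(f"4 words / 7776-word list : {entropy_bits(DICEWARE_LIST_SIZE, 4):.1f} bits")
    print(f"8 chars / 95-char set    : {entropy_bits(PRINTABLE_ASCII_SIZE, 8):.1f} bits")
    print(f"6 words / 7776-word list : {entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print(f"words needed for 80 bits : {words_needed(80)}")
    print("sample passphrase        :", generate_passphrase(SAMPLE_WORDS, 4))
```

The entropy figures assume the words (or characters) are chosen uniformly at random; a phrase a person composes from memorable associations is weaker than the formula suggests, which is why the generator uses `secrets`.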

To better understand this, I'll let this xkcd comic explain.