Other Ways To Connect

Friday, October 18, 2013

Remembrance of Passwords Past

The weakest point of security in most systems is when you log in.  If the attacker can convince the system he is you, then fancy encryption and cryptography doesn't help.  

The act of proving your identity to the system is called authentication.  On most web-based systems authentication is performed by submitting a password.  Today passwords are a necessary evil, and we have discussed them in a couple articles in the past year: Password Frustration and  Password Perils.

Are you who you say you are?  Prove it to me!

The problem with passwords  

The tricky thing about passwords is they need to be hard for others to guess and easy for you to remember.  So there is a tension between complexity and randomness.  Your child's name is easy to remember, but also easy to guess for anyone who knows you.  Also any regular word is likely to be checked by an attacker with an automatic password checking script.

As a trade off you end up with a somewhat random password.  But your bank has different password requirements than your credit card company, and they both want you to change your password every 6 months.  So now you are tracking many passwords that change over time.

Remembering passwords 

In Password Frustration, Terri discusses her experience using LastPass to store all of your passwords encrypted and unlocked by a single password, but even a low tech paper-only password list can work.  This is my mother's solution.  In her home office she has a notebook that has a list of all of her accounts and the associated passwords.  A simple and effective solution.

Of course, there are downsides to a paper password list.  If an attacker gets your list, then he is in.  This is a problem if you are worried about people in your family breaking into your accounts.  But if you are worried about the far off Romanian hacker, then a paper list of passwords in your house is pretty safe (as long as there isn't a fire or a flood).

Resetting passwords 

Ultimately though, most of us will forget passwords and will need to get our passwords reset.  This password reset process is the other major weak link in most systems.  It is very vulnerable to social engineering or just a bit of research about your target.

The service provider wants to make resetting passwords easy for their customers.  After all, they want to keep you happy and using their service as much as possible.  But a good service provider will protect their customers from others trying to take over their accounts at the cost of some short term inconvenience.

Most services will reset your password if you can answer some security questions.  Sounds great.  No one should know the answers except the customer.  In general this may be true, but not if you are well known to your attacker.  An extreme example is a famous person like Sarah Palin.  An attacker was able to reset her yahoo email account password (and thus access her email) during the 2008 presidential campaign by researching the answers to her security questions (such as her high school and her birth date).

But even a regular person can have their account taken over through social engineering an organization's customer service.  Last summer tech reporter, Matt Honan, had his digital life erased in the course of a couple hours.  The key to the attack was getting customer service at Apple and Amazon to reset a password and give them some key bits of information.  Honan had "daisy-chained" his accounts, so getting into the amazon account meant that the attacker could use that account to get into other accounts (e.g. Apple then Google then Twitter).  Most of us have some daisy-chained accounts these days.  For example, many services will allow you to register with your Facebook ID.  If your Facebook account is compromised, those other accounts that use the Facebook ID are also compromised.

That is scary stuff.  What can you do about it?  Give up the Internet and hide in a cave?  Probably not.  Here are some things you can do to protect yourself.  
  • First, set your security questions on your online services, but think about your answers.  If the answer is something that is widely known or could be easily looked up (e.g. What is your wedding date?), come up with a scheme for adjusting your answer that you will remember (e.g. add 10 years to the date).
  • Second, review the password reset policies of your online services.  Read about their policies, or call customer service and see what data they need from you to perform actions or give you sensitive information about your account.  If it seemed too easy to access information, reconsider using that service.
  • Third, be careful of "daisy-chaining" your accounts.  This was what made the attack on Matt Honan so devastating. Once the attackers reset one account password,  they were into his other accounts as well. This daisy-chaining is very convenient (fewer passwords to remember) but as with most things in security has its risks.
In security, as in much of life, there are no easy answers.  The best thing you can do is be vigilant about where your data is and who has access to it.  Make the tradeoff between security and availability that works best for you and your family.
Show Comments: OR