By Christian Waters, Director, Delivery at TrueNorth
Password management, and the communication of new passwords, is something we consistently see people struggling with. Here we discuss some common pitfalls and give some tips on how to do this securely and with a minimum of fuss.
“One password to rule them all”
Password managers are essential tools for modern working. We have all heard of (and seen) the Post-It note on the monitor, but with the rapid growth of online services it is unclear whether monitors are getting bigger at the same rate that the number of passwords you need to remember increases!
Password managers eliminate the need to remember dozens of passwords, reduce the risk of storing these in an insecure way, and remove the temptation to re-use passwords. In the first few years of TrueNorth, we used a simple local password manager, KeePass. This stored all its secrets in a single encrypted file that could be accessed with a master secret, and this file was stored on a shared network area that we all had access to. I am still a great fan of KeePass and I use it to store all my personal passwords in a single file on my OneDrive account. This can then be accessed wherever I am, including from my phone. Some of the features that I particularly appreciate:
- Open source (and free!)
- Apps for Windows, iPhone and Android
- Can store metadata and files as well as usernames and passwords
- Customisable generation of new passwords
- Single file of your passwords that is under your full control.
As we started to expand, we realised that this was a solution that doesn’t scale because it doesn’t address the following questions:
- Who CAN access a password?
- Who HAS accessed a password?
As an IT business we manage hundreds of passwords, some of which are the ‘keys to the kingdom’ for our customers – highly privileged admin accounts for various services and infrastructure. We have a professional responsibility to keep these secure from external threats, but also to ensure that only staff with a need for that password have access to it. Ultimately, we decided that an online password manager was required and after creating trials for several products we opted for 1Password. This was not a perfect solution but it came the closest to meeting our needs.
“Keep it secret. Keep it safe.”
A second consideration with passwords is: how do you communicate them securely? This is something that we consistently see people get wrong, so let’s look at some common, and not so common methods:
- Email the username, password, details of what it is for, a number to ring if you have any problems etc. – NEVER DO THIS
- A surprisingly common method that makes me wince every time I see it. Possession of this single email gives a bad actor everything thing they need to access the system. Emails are also archived, so deleting this email doesn’t really get rid of it, you would be amazed how many copies of this email will be recoverable from a compromised system. Sending these details by IM, WhatsApp, SMS etc. is slightly better but not much.
- Two channel communication, e.g. SMS and email – ACCEPTABLE
- Here the username is sent via one method (e.g. email) and the password is sent by another (e.g. SMS). All comms are deliberately kept context free, so even with access to one, or even both of the channels, an attacker is left guessing as to what the credentials may be for.
- A potential issue with this is the second channel is often SMS. The temptation is to then use simple passwords, as copy and pasting into texts is not always straightforward.
- Two channel communication using one-time links – RECOMMENDED
- This is our standard method. First the recipient is told the username. Then separately they are sent a one-time link to the password (e.g. via onetimesecret.com). One-time links can be viewed exactly once by the recipient, then they self-destruct. Again, all communications are kept as context-free as possible.
“Who now has the strength to stand against the army of hackers?”
Some final notes on ensuring the actual password itself is secure. It is probably a common misconception that a password must simply be hard to guess, i.e. don’t use your dog’s name or your birthday. Whilst being hard to guess can prevent someone logging in to your account via a public website, most large-scale breaches of passwords rely on hash matching. What happens is typically along the following lines (ignoring a few more technical aspects such as the use of salted values):
- Attacker gains access to the user table in a database.
- This table has the HASH of each user’s password recorded against the username. Hashing is a one-way encryption so the password cannot be recovered directly from the database table, but when a user enters a password, it can be hashed and compared against the stored value.
- Attacker starts generating passwords based on a dictionary, hashing those passwords and comparing these against the hashed value stored for a particular user. Once we have a match, we know what the password is that corresponds to the hashed value.
With modern GPU-accelerated hash attacks, the number of guesses that can be generated is stupendous – depending on the hashing algorithm used this may be billions or even trillions per second.
To put this into context, an 8 character random password, using lower and upper case, numbers and symbols is only 1 billion permutations. This could potentially be cracked in seconds if a weak hash algorithm is used! Even random word combinations (e.g. the classic ‘CorrectHorseBatteryStaple’) may now be vulnerable to brute force attacks.
In July 2015, a group calling itself The Impact Team stole the user data of online dating agency Ashley Madison. Many passwords were hashed using both the relatively strong bcrypt algorithm and the weaker MD5 hash. Attacking the latter algorithm allowed some 11 million plaintext passwords to be recovered.
This underlines the importance of using password managers for secure passwords, as even seemingly complex (and impossible to remember passwords) can be brute forced. All our passwords are generated by 1Password or KeePass and are at least 20 characters long. Unfortunately, when using these for new logins, the following is all too common:
HXwAw0QUEHVVlYvV4FNw does not meet our complexity requirements, please use a combination of numbers, upper and lower case letters, and symbols.
“Step onto the road”
There is much more to discuss around passwords and security, particularly around Two Factor Authentication and hardware tokens, but this article is quite long enough already! Hopefully, you will have gained some insight into some common pitfalls in this area.
Please do get in touch if you need any specific advice on managing your organisation’s passwords, or if you need advice on protecting a user table from the sort of cracking attacks we have discussed here.
Useful links:
https://en.wikipedia.org/wiki/John_the_Ripper
https://specopssoft.com/blog/password-length-best-practices/
And we couldn’t resist purloining a selection of Lord of the Rings quotes:
“One password to rule them all”: The inscription on the One Ring reads, “One ring to rule them all, One ring to find them, One ring to bring them all, And in the darkness bind them”. Click here for the version in Elvish.
“Keep it secret. Keep it safe”, urges Gandalf to Frodo Baggins. The subject is, of course, the One Ring.
“Who now has the strength to stand against the army of hackers?”: Saruman asks in the Two Towers film, “Who now has the strength to stand against the armies of Isengard and Mordor?”
“Step onto the road”, says Bilbo Baggins to Frodo, “and if you don’t keep your feet, there’s no knowing where you might be swept off to.”
