Thursday, December 26, 2024

A recipe for failure: Predictably poor passwords

Security professionals advise to never use ‘beef stew’ as a password. It just isn’t stroganoff.
Passwords are the bane of everyone’s lives, but let’s face it – we all need them. And they aren’t going away as fast as Microsoft may want them to. For the time being, we will continue to depend on them for the foreseeable future. You may have 50, 100, or even 200 online accounts, but how many passwords do you have? Are they all unique? Well, here is one anecdote suggesting that people still use only the same few personalized passwords for all of their accounts.
I recently went to a conference hosted by a wealth management firm where they had invited me to present on cybersecurity. There were over 50 people in attendance, and when I mentioned passwords, they did what so many people do when I mention the subject – they started looking around the room, avoiding eye contact, hoping not to be picked on. I quickly realized their body language was telling me they had poor password hygiene, so I decided to dig a little deeper and asked them questions about their password management, with some interesting responses.
I first asked if anyone used a password manager. One member of the audience put his hand up and said it was only because he had heard one of my talks in the past (I felt so humbled!). So, 98% of the people in the room did not use a password manager or have a system in place to take care of their accounts. I then asked them how they managed their online accounts, and some owned up to using the same three or four passwords, and many said these passwords included personal information such as special dates or names that meant something to them (wow, yes, this was a facepalm moment where I really, really tried to remain calm).

I decided to conduct a little experiment on the fly with one of the delegates. I have always found real-life experiments to work wonders when ‘in the moment’, because if they work, it gets the audience members doing their homework before they go to bed that night.
With his permission, this particular gentleman allowed me to proceed, and I quickly found him on Facebook. I located all his public content and made a list on the whiteboard of the possible passwords that I imagined he could be using. I jotted down places of interest, pets’ names, children’s names, dates of interest, sports teams, books, music… all the classic possibilities. I had about 20 different words and numbers in a list. This was the shocking part where I felt like I had located buried treasure.
As he picked his jaw up off the floor, he said that I had found not just one of his passwords, but iterations of three of the four passwords he “uses for everything”. I later found out that the iterations were in fact missing a capital letter at the beginning and a number at the end (typical, hey?!). This number was always the same – the date of the month he was born. The crowd were perplexed that I had cracked his passwords. I was not. This is standard behavior, and cybercriminals know it.
So it begs the question: why would anyone, especially someone with access to a huge amount of wealth, data and livelihoods, still choose a password that is weak on so many levels?
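The pattern the whiteboard exercise exposed is mechanical: a word from someone's public life, a capital letter stuck on the front, and a fixed number from a birth date stuck on the end. That same mechanical structure is what a defender can check for at password-change time. The following is an added example, not the author's code or anything used at the event: a registration-time check that normalizes a proposed password (lower-cases it, reverses common letter-for-digit swaps, splits off a trailing run of digits and symbols) and rejects it if the remaining core is a word from the user's own profile, or if the numeric suffix is one of the user's dates. The profile, the function names and the accepted-date formats are all constructed for the example.

```python
import re
from datetime import date

# Constructed example profile (not a real person): the categories the article lists
# (pets, children, town, team, birth date) that a site already holds about a user.
SAMPLE_PROFILE = {
    "pet": "Biscuit",
    "child": "Olivia",
    "team": "Celtic",
    "town": "Dundee",
    "birthday": date(1975, 8, 14),
}

# Common letter-for-digit/symbol substitutions, undone before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def profile_words(profile):
    """Lower-cased words from the profile (every non-date field)."""
    return {v.lower() for v in profile.values() if isinstance(v, str)}


def profile_numbers(profile):
    """Numeric strings people typically append: day, day+month, month+day, year, 2-digit year."""
    nums = set()
    for v in profile.values():
        if isinstance(v, date):
            nums.update({
                str(v.day), f"{v.day:02d}",
                f"{v.day:02d}{v.month:02d}", f"{v.month:02d}{v.day:02d}",
                str(v.year), f"{v.year % 100:02d}",
            })
    return nums


def split_password(password):
    """Separate the core word from a trailing run of digits/symbols (the 'decoration' the article describes)."""
    m = re.fullmatch(r"(.*?)([\d!@#$%^&*.?]*)", password)
    core, suffix = m.group(1), m.group(2)
    digits = re.sub(r"\D", "", suffix)   # keep only the digits of the suffix
    return core.lower(), digits


def _matched_word(core, words):
    """Return the profile word the core equals or contains (after undoing leet), else None."""
    variants = (core, core.translate(LEET))
    for cand in variants:
        if cand in words:
            return cand
    for cand in variants:
        for w in sorted(words, key=len, reverse=True):
            if len(w) >= 4 and w in cand:   # short words would match too often
                return w
    return None


def profile_findings(password, profile):
    """List the reasons a password looks derived from the user's profile; empty list means none found."""
    core, digits = split_password(password)
    findings = []
    word = _matched_word(core, profile_words(profile))
    if word:
        findings.append(f"word '{word}' appears in the user's profile")
    if digits and digits in profile_numbers(profile):
        findings.append(f"numeric suffix '{digits}' matches a profile date")
    return findings


if __name__ == "__main__":
    # Constructed candidates: the three weak shapes from the article plus two that pass.
    for pw in ["biscuit", "Biscuit14", "Celtic1975!", "0l1via", "Tr0ub4dor&3",
               "correct horse battery staple"]:
        verdict = profile_findings(pw, SAMPLE_PROFILE)
        print(f"{pw!r:32} -> {'REJECT: ' + '; '.join(verdict) if verdict else 'accept'}")
```

The check is deliberately one-directional: it strips decorations from the submitted password and compares against data the service already holds, rather than generating guesses. It complements, rather than replaces, a breached-password blocklist and a minimum-length rule, since a profile check says nothing about passwords built from data the service never collected.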
What is the future of the password? Are we able to truly go where humans haven’t properly ventured yet and attempt a true passwordless society? Or do you think, like me, that passwords and passphrases actually have a place in cyber-society and, when used well, are a bonus? Unlike biometrics, there is no limit to how many you can have, plus you can store your passwords in a password manager and have it generate one for you. Furthermore, when used with multi-factor authentication such as an authenticator app or security key, the entry to an account is seamless and extremely easy for even the most entry-level user. I’ve even got my parents, in their mid-70s, using password managers alongside phone-based authenticator apps for all their accounts that support it – and they can’t stop telling me how easy it is!
One breach is enough to give a hacker access to all your accounts if you recycle passwords, so you may want to keep your passwords in a safe place. Many people already use Apple’s Keychain password manager or just save them in their browser. However, should your laptop or computer ever get stolen, and it is not full-disk encrypted, the thief can still use the saved credentials from the computer to get into your accounts, even without ever seeing what the passwords are. Therefore, a third-party, cross-device password manager may be more beneficial.
Another top tip to keep your data safe and away from prying eyes or data breaches is to use a feature on Apple devices that lets you hide your email address from other parties. ‘Sign In With Apple’ lets you anonymize your email address when logging into services that support the feature. In fact, more recently there has been an upgrade where iCloud users can make use of the feature called ‘Hide My Email’. This does exactly what it says by letting you generate a single-use address that forwards incoming emails to your real account. This way, if the data is ever compromised, your email address will remain safe!

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher and analyst from Scotland, UK. I've had an avid interest in computers, technology and security since my early teens. 20 years on, and it's a whole lot more complicated... I've assisted governments, individuals and organizations throughout the world, including the US DOJ, NHS UK and GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, you'll also find a variety of write-ups, tutorials and much more!