Love them or loathe them, passwords are a lynchpin of our modern online life. We have all heard the endless messages, from work, school, associations or government, that say “choose your passwords wisely” or, more likely, “pick a password so complicated that you will never remember it”. So, let’s peek under the covers of password management.
First, consider what a password does. In its simplest form, a password authenticates a person/user/entity, enabling a service or program to determine what level of access can be granted. In war, sentries are set around strategic points and a password, changed at intervals, allows them to challenge whether someone approaching is a friend or foe. When you power on a device, you provide a password that says, “this person is who they say they are; if they are authorised, you can start up”. When you access online banking or other services, the password validates your identity, and access to any authorised applications and underlying resources can be granted.
Of course, newer devices and services may use biometrics or other methods of authentication but if they fail, in most cases, you will fall back through levels of security to the point where you can enter a password.
If passwords are the keys to identity, then like any set of keys, they become the targets of hackers who want to steal your stuff. You want to keep your passwords safe, so you don’t lose your stuff. Hackers know that if they compromise your passwords then they can attack you and any organisations or services you access. Which brings us to the concept of “scope of damage” arising from stolen passwords. Amongst the intensive coverage of the Uber hack, Lapsus$ claimed that a contractor’s password had been sold on the dark web. This provides a perfect example of the “downstream threat” posed by exploitation of an individual’s password. Consider:
“The hacker claims that after they had obtained the employee’s password, they repeatedly triggered push notifications in an authentication app — then sent a WhatsApp message claiming to be from Uber’s IT department instructing the employee to confirm that the login attempt was legitimate.
This gave them access to a VPN through which they could connect to Uber’s corporate intranet and, from there, scan the network for sensitive files and applications that would not be accessible from a connection outside of the VPN. In a PowerShell script (which is used to automate tasks on Windows machines), they reportedly found an admin password to log into Thycotic: a privileged access management (PAM) tool that controlled access to other software used by the company.”
So, what lessons can we take forward about passwords and password management?
First, we have the standard mantra that passwords should be long, complex and not easily guessed based on what people can easily learn about you (or find in other ways). Consider another recent incident:
“The criminals then say they accessed the most sensitive parts of IHG's computer system after finding login details for the company's internal password vault. ‘The username and password to the vault was available to all employees, so 200,000 staff could see. And the password was extremely weak’. Surprisingly, the password was Qwerty1234, which regularly appears on lists of most commonly used passwords worldwide.”
The Holiday Inn hack shows how important it is that passwords be unique and complex. While a complex password might have helped, a single password that is shared amongst 200K employees is ripe for attack.
Second, MFA (Multi-Factor Authentication), while good, is not completely bullet-proof. MFA needs to be fit for the purpose for which it is used. Deciding which method of MFA to use is a start; however, the configuration of the MFA utility itself is just as important. The newer attack method of “MFA Bombing”, where an attacker repeatedly sends MFA prompts in the hope that the user eventually approves one just to stop the pestering, can potentially be nobbled by setting MFA request limits.
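To make the "MFA request limit" control concrete, here is an added example (not code from the Altus post or from any MFA product) of a limiter that caps how many push prompts may be sent to one user in a rolling window and flags the account for review when the cap is hit, so a flood of prompts stops reaching the user. The thresholds, function names and the sample event stream are all assumptions constructed for illustration.

```python
"""Added example: rate limiting MFA push prompts per user to blunt
"MFA bombing". Thresholds and names are assumed, not from any product."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class PushLimiter:
    max_prompts: int = 3          # prompts allowed per user per window (assumed policy)
    window_seconds: int = 300     # rolling window length in seconds (assumed policy)
    _history: dict = field(default_factory=lambda: defaultdict(deque))
    _flagged: set = field(default_factory=set)

    def request_push(self, user: str, now: float) -> str:
        """Decide what to do with a new push request for `user` at time `now`.
        Returns "sent", "blocked" (account already flagged) or "flagged"
        (cap just reached: prompt suppressed and an alert should be raised)."""
        q = self._history[user]
        # discard prompts that have aged out of the rolling window
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if user in self._flagged:
            return "blocked"
        if len(q) >= self.max_prompts:
            # cap reached: stop prompting the user and mark for SOC review
            self._flagged.add(user)
            return "flagged"
        q.append(now)
        return "sent"

    def is_flagged(self, user: str) -> bool:
        return user in self._flagged


def replay(events, limiter=None):
    """Run a sequence of (user, timestamp) push requests through one limiter."""
    limiter = limiter or PushLimiter()
    return [limiter.request_push(user, t) for user, t in events]


# constructed sample: one account being bombed, one account logging in normally
SAMPLE_EVENTS = [
    ("alice", 0), ("alice", 20), ("alice", 40), ("alice", 60), ("alice", 90),
    ("bob", 10), ("bob", 400),
]

if __name__ == "__main__":
    for (user, t), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:>4}s user={user:<6} -> {outcome}")
```

With the sample stream, alice's fourth prompt within five minutes is suppressed and the account is flagged; everything after that is blocked until someone reviews it, while bob's two widely spaced logins are unaffected. The "flagged" outcome is where a real deployment would raise an alert, because a burst of prompts the user did not initiate is itself a strong indicator that the password is already compromised.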
Third, passwords should not be reused. Each site/application/service that you use should have a unique password which fits the criteria of the first lesson above.
There are lots of suggested techniques for creating complex passwords, ranging from taking the first letter of each word in a sentence to create a memorable password, to using 3 random words together to form a password. In each case, there are substitutions that can be made to meet password composition rules, but problems arise when you consider how many applications/sites/services you use on a daily basis that require a unique password. Most people need anywhere between 5 and 20 passwords for everything they do in a given week. That may increase to 50+ for others who lead a more complicated online existence.
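As an added example (not from the Altus post), the following generator builds a "3 random words" passphrase with a cryptographically secure random source, applies the kind of substitutions the text mentions so it passes a typical composition rule, and estimates the entropy of the word choice. The word list is a tiny constructed stand-in; a real generator would use a list of several thousand words, and the function names and the composition rule are assumptions for illustration.

```python
"""Added example: secure "three random words" passphrase generation with
composition-rule substitutions and an entropy estimate. Word list and rule
are constructed for illustration."""
import math
import secrets
import string

# constructed stand-in word list; real lists have thousands of entries
WORDS = ["harbour", "violet", "kettle", "granite", "meadow", "lantern",
         "copper", "thistle", "orchard", "saddle", "pebble", "walnut"]


def random_words(n: int = 3, words=WORDS) -> list:
    """Pick n words uniformly using secrets.choice (never random.choice)."""
    return [secrets.choice(words) for _ in range(n)]


def word_entropy_bits(n: int, list_size: int) -> float:
    """Entropy of n independent picks from a list: n * log2(list_size)."""
    return n * math.log2(list_size)


def meets_composition_rules(pw: str, min_len: int = 12) -> bool:
    """Assumed site rule: minimum length plus upper, lower, digit and symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def build_passphrase(words: list, separator: str = "-") -> str:
    """Join the words, capitalise the first, and append one random digit and
    one symbol so the result passes composition checks yet stays memorable."""
    words = [words[0].capitalize()] + list(words[1:])
    digit = secrets.choice(string.digits)
    symbol = secrets.choice("!#$%&*?@")
    return separator.join(words) + digit + symbol


if __name__ == "__main__":
    chosen = random_words()
    pw = build_passphrase(chosen)
    print(pw, meets_composition_rules(pw))
    print(f"word entropy: {word_entropy_bits(3, len(WORDS)):.1f} bits "
          f"(would be {word_entropy_bits(3, 7776):.1f} with a 7776-word list)")
```

The entropy figure is the point worth noticing: three picks from a twelve-word list give under 11 bits, while three picks from a 7776-word list give almost 39 bits, so the strength of the "random words" technique depends almost entirely on the size of the list and on the picks being genuinely random rather than the words being ones you would naturally think of.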
If you are looking for further ideas on passwords, Altus digital’s Cyber Security experts have published recommendations at: https://www.altus.co.uk/services/digital/cyber-security
The ability to create individual passwords of sufficient complexity for a myriad of sites brings us to password management. Writing passwords down creates the risk of someone finding the list (online or in the real world) and therefore is not a great option. Storing passwords in browser memory is somewhat better, but there are risks associated with device and malware breaches potentially exposing credentials.
Password managers range in complexity from simple to robust, and in price from open source (free) to commercially licensed (potentially expensive). While they are an investment in time and perhaps money, they do have added advantages: helping with the generation of long, complex passwords; securely storing the usernames associated with passwords; and, perhaps overlooked but increasingly important, storing the URL for each service/application/website. That last feature ensures that when you start your session you are using a trusted link, and aren’t running the risk of accessing evil twins or site forwarders.
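To show why the stored URL matters, here is an added example (not code from the Altus post and not any real password manager's implementation) of the origin check a manager can apply before offering a saved credential: an entry is only offered when the page being visited has the same scheme and host as the stored URL, so look-alike domains and http downgrades get nothing. The vault contents and function names are constructed assumptions.

```python
"""Added example: using the stored URL of each vault entry to refuse
autofill on look-alike sites. Vault data is constructed sample data."""
from urllib.parse import urlsplit

# constructed vault: what a manager stores per entry (passwords omitted)
VAULT = [
    {"name": "Bank", "username": "alice",
     "url": "https://online.examplebank.com/login"},
    {"name": "Mail", "username": "alice@example.com",
     "url": "https://mail.example.com"},
]


def origin(url: str) -> tuple:
    """Normalise a URL to (scheme, host), ignoring path, query and case."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower())


def matching_entries(visited_url: str, vault=VAULT) -> list:
    """Vault entries whose stored origin exactly equals the visited origin.
    Substring or suffix matching is deliberately avoided: it is what lets a
    host like examplebank.com.attacker.example slip through."""
    target = origin(visited_url)
    return [e for e in vault if origin(e["url"]) == target]


def autofill_decision(visited_url: str, vault=VAULT) -> str:
    """The outcome a manager would show the user for the visited page."""
    hits = matching_entries(visited_url, vault)
    if hits:
        return "offer " + ", ".join(e["name"] for e in hits)
    return "no match: do not fill (possible evil twin or forwarder)"


if __name__ == "__main__":
    for url in [
        "https://online.examplebank.com/login?next=/accounts",
        "https://online.examplebank.com.evil-twin.example/login",
        "http://online.examplebank.com/login",
        "https://mail.example.com/inbox",
    ]:
        print(f"{url}\n  -> {autofill_decision(url)}")
```

The useful behaviour is the refusal: when the manager stays silent on a page where you expected it to fill, that silence is itself the warning that you may have followed a forwarder or typed a look-alike address, and launching the site from the stored link in the vault instead is the safe recovery.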
Do you want to avoid being a victim of the next “Uber” style attack? Do you know which credentials, associated with your employees, may be “out in the wild” providing a threat vector for a hacker?
Altus Ltd understands that the quality of risk analysis improves when multiple perspectives are brought to bear. We routinely join in collaborative dialogues with organisations across our marketplace to analyse and test Cyber Postures and provide roadmaps to improvement. Our Threat Intelligence service leverages decades of financial services expertise creating Playbooks which can help you test real life scenarios and determine the effectiveness of your Cyber policies.
Our goal is to support organisations at any and all stages of their Cyber journey. Let us enhance your perspectives by reaching out to us at: email@example.com