The Problem with Passwords

Weak passwords present the simplest exploit method for hackers.

Passwords were introduced in the 1960s as a way for users to hide files and programs they were working on from others using the same computer.

The inventor of the computer password, Dr Fernando Corbato, said “putting a password on for each individual user as a lock seemed like a very straightforward solution”. However, this solution was designed in the 1960s when computers were confined to a location and isolated from the world. 50 years later they present one of the easiest and most persistent methods of attack in the modern data-driven world.

The Problem:

Your password is as strong as the weakest placed you stored it, regardless of its complexity.

The website haveibeenpwned.com states, there have been approximately 10.6 billion compromised accounts. This means there are now substantially more compromised email accounts than people living in the world. To add further, these are just accounts from data breaches known to the public. As a result, it is almost certain if you have been using an email address for a period of time, it has been involved in a data breach.

The data exposed from these breaches can include, name, email address, address, phone number and, in most cases, your password. There are websites that will reveal the first few characters of the password and full copies of the data breaches can be obtained relatively easily. (For confidentiality, I will not share links to these websites in this article).

Discovered email addresses and passwords can be tried against popular services, such as Microsoft 365, Apple, Amazon, Google, Facebook, Instagram etc. This technique is known in the information security industry as “Credential Stuffing”. At the start of March 2021, Npower suffered abuse of their service from a credential stuffing attack. This in turn, exposed their customers bank details.

Therefore, the question to ask is, if someone got hold of you or your colleagues email address and password, what other services could they access and what could they do?

The table below highlights some of services that can be accessed and just some of the potential attacks that could occur:

For every example in the table, there has been a high-profile case of this attack used against businesses and individuals over the years. The Celebgate hacking of 2014, was based around phishing and password reuse, while Uber exposed the information of 2.7m UK customers because their developers reused passwords on other services. Nevertheless, the problem continues as one of the simplest and lucrative attacks out there.

Finally, another problem that arises is that most people have one email account that controls them all. Therefore, if an attacker was able to access just your main email address, they could begin resetting your password to all other services. This emphasises the need for a strong and unique passwords on all your accounts.

Protecting your accounts:

There are 2 straighforward ways for protecting your accounts - two-factor authenctication and using a password manager.

Two-factor authentication (2FA) provides a way of double checking who you are when accessing a service. First, a user will enter a username and password but rather than getting immediate access, they will be required to provide another piece of information to verify who they are. This is typically achieved by entering a code from an app on your phone.

In January 2021, The Verge released this article about how to setup 2FA on popular services. Most main stream websites now offer 2FA. This can, usually, be found in the security settings on their website.

The best password is the password you do not know. It is estimated that the avergae computer user now has over 100 accounts. Password managers allow you to create a unique and complex passwords for every website you visit. This takes away the need to remember your passwords and the tempatation to keep reusing your own "secure" password.

There are many password managers available, such as LastPass or 1password (to name a couple). These help generate and store unique passwords for every website and can work across all of your devices.

The advantage of a password manager is that if you are involved in a data breach, then only the password to that website would need changing as soon as possible. If you have 2FA enabled, the attacker would be unable to access your account without the additional information.

Once you have a password manager setup, the best approach is to change the password and enable 2FA the next time you logon to a service. This way you will secure your most frequently used accounts. Overtime a short period of time, you will have unique and complex passwords to all your websites.