Password security is a growing field and the old conventional wisdom of using a “strong” password and changing it frequently has lead to people using the same “strong” password on many different websites, resulting in their complete identity being hijacked when any one of those sites is compromised.
HaveIBeenPwned (HIBP) is a service that collects data dumps from when websites are hacked and uses the data to provide a service to alert users whenever their accounts are compromised. It’s like a central clearinghouse for account monitoring. Unfortunately, by the time accounts are listed in HIBP it is often years after the account has been hacked and the hackers that originally took the account information have had that entire period to make use of your account details. Many websites store their passwords in plain text, and many of the others that do use password hashing algorithms to store only a mathematical representation of the password and not the password itself neglect to use properly salted hashes, which means that those hashed passwords can often be compared with rainbow tables to effectively convert them to their plain text equivalent. Seeing the passwords that people – still today – continue to use is destroying my hope in humanity. For example, “123456” is used by almost 1% of business professionals for their online social interactions. Dead serious.
The trends on these exposed passwords show that there are very common patterns and weak password consideration is the rule of the day. Few people, and by few I mean I could probably count them on one hand, actually do passwords right. It’s time to take your own security seriously, because the evidence shows that many of those you do business with do not.
Here’s the Problem
Weak passwords you’ve used on service x (Yahoo, for example) will be dumped along with all the other passwords on that hacked service. Those same weak passwords will be tested on service y and service z. And everywhere else. This process is called “password stuffing.”
If you reuse even part of your passwords then you open yourself up to being targeted either randomly or by evil people you may already know. “Script kiddies” live and die by their ability to make an example out of people who they feel have done them harm. You could also become the victim of automated scanners that consume the usernames and passwords from these dumps then try them on every known system from Facebook to Gmail to email to banking services. The passwords will be munged in order to test similar or stylistically equivalent passwords. For example, of the LinkedIn hack, almost 2.5 million accounts (or about 1.5%) used some variant of the site name in their password. Those same accounts probably use some variation of the site name in most of their passwords. This can safely be assumed to be done everywhere, meaning that if you use “linkedin123456” for LinkedIn, there’s a good chance that your Facebook password is “facebook123456”.
So when over a million people used “123456” as their LinkedIn password, not only did it expose that as a very commonly used password, but it demonstrated that those million-plus email addresses tied to those weak passwords were used by people that didn’t take security seriously. If you use a weak password anywhere, chances are good that you use weak passwords elsewhere, if not everywhere. If something as quick and easy as changing a password isn’t done, then you also probably neglect your hardware and software. You’re using older and insecure programs. You’re exposing all of yourself with a single simple decision that you think will make your life easier.
It doesn’t. Reusing even part of a password only makes life easier for whoever attacks you. They can stay in their momma’s basement and spend all day throwing your account details at different sites until they get in. When they do, it doesn’t hurt them, it hurts you. Two or three hijacked accounts, or variations on your passwords from multiple dumps show how you think, and the style and scope of password complexity you use.
Again referring to the 2012 LinkedIn hack, there were over 26,000 variations of passwords that included “12” or “2012” in the password. From this we can imply that users will seed their passwords with the year they changed it. The same accounts are probably still using the same patterns with “2019” or “2020” today.
“Different” !== Strong
Usually these dumps are sold on the black market or used by the original hacker for a while before they’re inevitably released publicly. The data is out there so it’s necessary to use defensive passwords.
You can’t just change a number at the end of your password and possibly think that it’s going to make a difference in your security. The delay it might impose against an organized attacker is less than a single second. You can’t create a strong password by typing random characters on your keyboard. You just can’t. The predictive value of muscle memory, social and cognitive signals, and even keyboard bias result in a relatively small set of potential values for manually-generated passwords.
1337-sp34k offers no additional protection.
Using a strong password is no longer a suggestion. To be secure in the current world you must use a strong, unique, randomly-generated password for any and all sites and services. Failing to do so will result in that password being used as the seed to corrupt your digital life later on. Maybe not today, maybe not tomorrow, but soon, and for the rest of eternity.
The rules used to be pretty simple, but were still never observed:
- DO NOT use a series of numbers and a word or two. (123badpassword)
- DO NOT use a word or two and a series of numbers. (badpassword123)
- DO NOT use a word with numbers breaking it up. (1bad2password3)
- DO NOT use the site name or URL as any part of the password. (mylinkedinpassword)
- DO NOT use keyboard sequences like “qwerty” or “123456”.
- DO NOT use any word or name related to you or your life (pets, family, friends, musicians).
- DO NOT use dates or other simple patterns.
Unfortunately, these rules are still ignored, and even if they were followed to a T, these rules are no longer sufficient for creating a passwords or passphrases manually. Today, any password you can remember is not a good password. It’s time you put the effort into proper password management.
Fortunately, the new rules are actually simpler:
But my browser remembers my passwords!
All modern browsers (Chrome, Firefox, Edge, Safari) have password management built-in. You can use that in order to generate strong passwords and, while short, they’ll be unique for each site. Unfortunately, since these passwords are stored in the browser they can be extracted by any malicious software that manages to make it onto the device or compromise your browser Sync account, where password managers generally use much stronger encryption.
Websites are still catching up to the reality of password managers
Long passwords, 300 characters or more, are not a problem for your password manager, but they’re probably a problem for the site. BofA limits your password to 20 characters. Yahoo limits your password to 128 characters. Facebook allows much longer passwords, but only requires 6 characters and character case isn’t treated as significant so entropy is significantly reduced, especially for shorter passwords.
Some websites and app logins don’t allow you to copy & paste in the password field which means that they often don’t play well with password managers. Others (like AT&T and Yahoo) refuse to allow certain characters in passwords, so randomly generated passwords have to be manually munged instead of allowing them to be truly random.
Nevertheless, failing to use a password manager means that you’re not using random passwords at all, and are likely reusing passwords to your own peril.
The solution is to get a password manager now and immediately start working to migrate your accounts to it. Almost every password manager today offers password analysis to warn you of weak, reused, and known compromised passwords so you can prioritize changing the passwords for those accounts.
What’s your favorite password manager?