Passwords have been the preferred method of authenticating users since the earliest days of the Internet, and they remain the default today. The security issues are well known, but few people consider the privacy pitfalls.
Our most private digital data are protected by passwords, yet people generally lack the skills needed to use passwords effectively. This is due partly to the ever-growing number of websites we need to access with credentials, and partly to the need for increasingly complex passwords.
Cracking bad passwords with freely available programs is amazingly easy. A best practice is to check a password you’re about to use against a database of compromised passwords, because these lists of common, cracked passwords are often used to try to guess yours – but we’re getting ahead of ourselves.
You’ve probably heard before that it is a bad idea to reuse passwords, but we are repeating it here because it is critically important. In his book “Future Crimes”, author Marc Goodman says that 75% of people use the same password for multiple accounts, and 30% use the same password for all websites.
Reusing passwords is problematic because criminals know that the most effective way to monetize lists of passwords from a breach is to try them on other sites. These are known as “credential stuffing” attacks, and they become more common as more old passwords become available. So if the credentials for your local book club website are compromised and sold on the dark web, they will be tried on Facebook, Bank of America, Gmail, eTrade, eBay and many other major websites.
Password reuse is dangerous not only because it can lead to compromise of your accounts on financial sites, social media sites, email accounts and more, costing you money and reputation and requiring time and effort to remedy. It is also dangerous because, with the information gathered from a few key websites, criminals can conduct identity theft.
Slightly altered passwords are rarely any better than reusing the same password, since people tend to use predictable patterns to change weak passwords. For example, changing a weak password like “rover2” to “rover3”, or “winter18” to “spring19”, is easy to guess, and an adversary who has the original weak password will likely guess the altered version. This is largely because cracking tools automate these predictable transformations, so a tweaked password falls almost as quickly as the original.
Think of password reuse as if you were reusing a physical key for many locks. Imagine that the same key opened the front door to your house, and your car door, and your office, and your bank deposit box or safe, and a bicycle padlock and so on. If someone took your key, they could access all of those – you would have a single point of failure that could have disastrous consequences.
Short passwords and simple passwords are bad because they can easily be guessed by an automated attack. Using a common word, for example, is trivially found using a simple dictionary attack, where the attacker simply tries every word in a dictionary file. Using short passwords leaves you vulnerable to brute force attacks, where an attacker literally tries every possible combination. Today’s computers can try billions of password possibilities, and specialized rigs set up for this purpose can churn through staggering numbers of guesses.
Another awful practice is not changing passwords when there is a breach involving a website you use. Once a password is compromised you should never use it again. Sites like haveibeenpwned.com let you check whether an account of yours has been involved in a breach, and if you find that one of your accounts was involved you should change that password as soon as possible.
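Checking a candidate password against the compromised-password database mentioned above can be done without revealing the password itself. As an added example that is not from the original post, the following uses the k-anonymity scheme of the haveibeenpwned.com Pwned Passwords range API as I know it (only the first five hex characters of the SHA-1 hash are sent; the service returns every matching hash suffix with a breach count); the range response here is a constructed offline sample with made-up counts, so the code runs without network access.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response for hash prefix 5BAA6.
# The real service returns hundreds of "SUFFIX:COUNT" lines; these counts are made up.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
"""


def hash_parts(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict, skipping blank or malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appeared in known breaches, given the range response for
    its prefix. 0 means absent from this list, not that the password is strong."""
    _prefix, suffix = hash_parts(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-char prefix is sent. Not used by the offline demo below."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo against the constructed sample instead of fetch_range(prefix).
    prefix, _ = hash_parts("password")
    seen = breach_count("password", SAMPLE_RANGE_RESPONSE)
    print(f"prefix sent: {prefix}; seen in breaches: {seen} time(s)")
```

A password that comes back with any nonzero count is already on the lists crackers feed into their tools and should not be used, however long or complex it looks.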
Insecure storage of passwords is a common problem as well. People often store passwords in places where adversaries can easily find them, including physical storage in predictable places such as Post-it notes on or around your computer.
Storing passwords in plain text files on your computer is a bad idea as well: any malware you happen to pick up can read them, and so can legitimate software such as your antivirus program as it scans your files. If your system has a cloud backup service enabled, your passwords could also end up stored in the cloud unencrypted.
Another common password problem is insecure sharing. Sharing passwords is never a great idea, but there are circumstances that encourage this risky behavior. Some websites don’t easily accommodate a couple accessing a shared account with two distinct sets of credentials, for example. If you must share credentials, be sure to share them in a safe manner – never send passwords in plaintext by email or text message, for example.
If you liked this post, stay tuned, because there is plenty more to say about the topic. Password managers, password cracking, and the importance of using multi-factor authentication all come to mind as good follow-up topics.