@zQueal
Created July 5, 2015 22:28
Passwords for the Modern Age

The Fappening

Many times I have been party to a vehement discussion about password security. The general consensus is that they're outdated and a replacement needs to be found because passwords are bad! Personally, I think that's total poppycock. Passwords are not outdated; however, the mentality surrounding them definitely is.

Currently, the world wide media is in an uproar over an event currently labeled "The Fappening," a crude but arguably appropriate title for a massive breach in security affecting high profile celebrities such as Jennifer Lawrence, Kate Upton, Avril Lavigne, Lea Michele, and McKayla Maroney. "The Fappening" is simply the exploitation of passwords to gain access to iCloud (a cloud backup service specific to Apple devices), from which sensitive material such as pictures of an unsavory nature was stolen and distributed.

While I cannot personally comprehend how horrible something so invasive can be to a person, as nothing like this has ever happened to me, I'm dumbfounded that the world wide media can sit around and villainize both the cloud and passwords for the leak. When something as terrible as an automobile accident occurs, you don't blame the vehicle; you blame the behavior of the driver which resulted in the accident (drunk driving, reckless driving, etc.). In the same regard, you don't villainize technology by blaming the cloud infrastructure--or the system of security surrounding the leak (specifically passwords). Especially so when the leak was due to bad passwords and not a breach of security.

The problem

Passwords! Or at the very least how we think of them. A particular XKCD comic comes to mind:

Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

Nothing could be closer to home right now. With events such as these I try to be as sympathetic as possible; however, as adults we must all step up to the plate and take responsibility for the part we play in our own downfall. In this particular incident, that part was bad passwords.

The Mentality

It has been a time honored tradition for me--as a technology enthusiast--to correct untruths about technology to the best of my ability. As such, it's important to remember that we are all, as humans, fighting human nature. While we're all basically good people, there are those of us who are not. It's just simple numbers. Additionally, most of us aren't as smart as we lead others to believe--I know I'm not. Combined, however, these two aspects of human nature churn into a deadly concoction of untruths and bad behavior. Anyone remember the article about how you can charge your iPhone with your microwave?

Ignorance, in its true definition (not in a pejorative sense), is very relevant here. Modern people depend on technology for just about every single aspect of their life--from important phone calls to getting money to and from their bank--and are seriously misinformed and under-informed when it comes to technology and how to protect themselves against breaches in security. Even more unsettling is the mentality that has propagated in our culture about protecting yourself from inherent danger.

We all seek, as people, to proactively increase the quality of life that we have for both ourselves and our loved ones--and technology can help--but when it comes to protecting that quality of life, it seems that many people stop halfway. It's almost enough to make you cry when you hear about the single mom who had her accounts drained because she did some miscellaneous online shopping one day--or about the cancer patient whose identity was stolen and who might be unable to get the financial backing required to pay for his medication. All of these things can be stopped with just a little bit of know-how.

As with most things, the first step to protecting yourself is to become informed. The kicker, however, is that the material to get informed is--most of the time with technology--almost unreadable to the common layman, as it includes very abstract and difficult to understand concepts such as entropy, minute details of the OSI model (specifically the network layer), cyber espionage, and others. Normally with difficult subject matter we see a decrease in interest, which is entirely understandable. However, by losing interest you're leaving yourself wide open to potentially life altering attacks.

Taking Steps

Password and account security is arguably one of the most deranged and difficult parts of being included in the online community; however, there are a ton of tools that different services and websites give us to protect ourselves. The simple fact of the matter is that far too many people choose not to use these tools. They opt out, because they're fundamentally insane. Some of these tools are very important in this day and age, to cite a few: 2FA (two factor/step authentication), application specific passwords, and device registration. Others, however, are really broken, such as email based 2FA and account recovery questions.

2FA

Two factor authentication is a necessity in today's rat-race. In its essence, 2FA seeks to empower an account holder by giving them an extra layer of security (in addition to a normal password) to keep potentially malicious third parties out of their accounts. 2FA is a layer of security which can be implemented in either software or hardware. An example of software based 2FA is a service such as Authy, which in my opinion is the best implemented 2FA service available today.

[image: Authy]

It's totally free and is a cinch to set up; simply download the iOS or Android application to your phone, set up your account, and connect your services. Upon login, you'll be required to open the application and enter a 5-9 digit post-password password to actually enter your account. It's like having a key which has two parts, and both are required to access an account. I mean, in the movies you don't see the Americans protecting their nuclear secrets with a simple password, do you? NO! Because it'd be insane not to have another layer of security!

Application Specific Passwords

Pioneered by Google, application specific passwords are truly amazing.

[image: application specific passwords]

When generated, they can be used to connect other services and devices to your Google account without revealing your actual Google password. They also come in handy when a service or website you'd like to use isn't compatible with 2FA. Much to my amazement, not many online services have security features like application specific passwords. However, if you find yourself in a position to use them, it would be in your best interest to do so.
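The mechanics behind this are simple enough to show in full: the service issues a separate random token per connected app, stores only a hash of it, and can revoke one app's token without touching the real password or any other app. The block below is an added example written for this page, not code from the gist's author or from Google; the `AppPasswordStore` class, its labels and the token format are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional


class AppPasswordStore:
    """Per-application credentials for one account (hypothetical design).

    The account's real password is never handed to a connecting app; each app
    gets its own random token, which can be revoked on its own.
    """

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}  # token id -> record

    @staticmethod
    def _digest(token: str) -> str:
        # Tokens are 128 bits of randomness, so a plain SHA-256 is adequate here;
        # a slow KDF is only needed for human-chosen passwords.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, label: str) -> str:
        """Create a token for one app (e.g. 'mail client on laptop'); shown to the user once."""
        token = secrets.token_urlsafe(16)      # 128-bit random, URL-safe text
        token_id = secrets.token_hex(4)        # opaque id for the audit record
        self._records[token_id] = {
            "label": label,
            "digest": self._digest(token),     # the plaintext token is never stored
            "created": datetime.now(timezone.utc),
            "revoked": False,
        }
        return token

    def verify(self, token: str) -> Optional[str]:
        """Return the label of the app a token belongs to, or None if invalid or revoked."""
        candidate = self._digest(token)
        for record in self._records.values():
            # Constant-time comparison of the hashes.
            if not record["revoked"] and hmac.compare_digest(candidate, record["digest"]):
                return record["label"]
        return None

    def revoke(self, label: str) -> int:
        """Revoke every active token issued under a label; returns how many were revoked."""
        count = 0
        for record in self._records.values():
            if record["label"] == label and not record["revoked"]:
                record["revoked"] = True
                count += 1
        return count

    def active_labels(self) -> List[str]:
        """Labels of apps that currently hold a working token (what a user would review)."""
        return sorted(r["label"] for r in self._records.values() if not r["revoked"])


if __name__ == "__main__":
    store = AppPasswordStore()
    mail_token = store.issue("mail client on laptop")
    print(store.verify(mail_token))          # mail client on laptop
    store.revoke("mail client on laptop")    # laptop lost: only this app is cut off
    print(store.verify(mail_token))          # None
```

The point to take from `revoke` is that losing one device costs exactly one token; the account password and every other connected app keep working, which is why this is a better arrangement than handing each app the real password.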

Device Registration

Device registration is a terribly underused security measure. Whenever a new device is connected to your account, it triggers some form of additional security measure: maybe an SMS message with a code (SMS based 2FA), or a standard software based 2FA prompt. Some websites and services have even gotten fancy by adding account specific graphics to identify potential phishing attempts, usually referred to as a "trusted image," which has some personal connection to the account holder. One thing to keep in mind is that checking an email to approve new device logins, or answering security questions, is not secure; both are time honored proof-of-failure practices.

[image: device registration]

Email Based 2FA

Stop it. Email based 2FA is broken. If you don't protect your email address--and it somehow gets compromised--but try to use email based 2FA on your bank website, what's the point? Where's the extra security? All the cracker had to do was check your email. Big whoop! So with bad password conventions (the same password for both your email and bank, which is far too common) and a compromised email account, the attacker has already gained access to your financial information. Depending on the bank, they may gain enough information to open a line of credit in your name, all because you practice poor password conventions. Other 2FA methods via software tokens, such as Authy, are much more secure. Not only are new devices required to be approved by previously approved devices, but all seed tokens are fully encrypted with a backup password.

So let's say we set up Authy for our Gmail account. The login process will be much the same:

  1. Login with your normal username and password
  2. Confronted with 2FA verification screen
  3. Open Authy, enter backup password (if timed out) and retrieve code
  4. Enter code for access to your account

Obviously, at this point it's easy to see that if an attacker doesn't have your phone, or access to your Authy account, they're pretty much stuck in the mud.

Account Recovery Questions

Oh good God, no. Account recovery questions are nothing but a terrible joke. It's beyond stupid to even implement them. Especially for persons of known interest (which is what spawned this article, remember?). Nothing is more embarrassing than having unsavory pictures leaked from your account because your recovery question was "your high school mascot" and all that information is readily available on your Wiki page. Regardless, the less external identifying information an account has, the better the security will be.

Back to Passwords

So again we find ourselves here, in the wake of one of the biggest celebrity leaks in history. What does the news do? They villainize the Cloud, citing how insecure it is. I mean, who would want to back up private and sensitive information to an infrastructure-neutral backup service, right? Oh wait, people actually pay for stuff like that [Dropbox | Box | Google Drive]. Sarcasm aside, you cannot villainize a product or service for the ignorance of its users. iCloud has software based 2FA built in! With it enabled, it is very doubtful that these cracker(s) would have been able to retrieve such sensitive information--however, that's not even the main point. The actual point is that the singular point of failure was insecure passwords. At this point it's not difficult to see why there are so many misconceptions about security when it comes to the general population.

Passwords have been, and will always continue to be, the bane of your existence. They're a necessary evil that everyone must accustom themselves to as a standard cultural convention. I personally believe this begins with changing the mentality surrounding them--the mentality that it's difficult to create secure passwords, or that if you have a secure password, it's difficult to remember. Normally, I suggest an individual develop three groups of working passwords.

| Group  | Description                                                                  |
|--------|------------------------------------------------------------------------------|
| Simple | Non-essential accounts such as forum accounts with no personal information   |
| Social | Essential accounts with personal information, such as Facebook, Twitter      |
| Secure | Banking, student loans, etc.                                                 |

Before we get started with some examples, I'll start out by saying that the word entropy is simply used to describe the randomness of something. Its literal meaning is "chaos". The higher the entropy, the harder the password is for a machine to guess and the longer it will take. So let's give it a try!

| Group  | Word(s)              | Number(s) | Character(s) |
|--------|----------------------|-----------|--------------|
| Simple | Dog                  | 12        | _#!          |
| Social | Fa, Dog              | 12        | _#!          |
| Secure | Ally, Remote, Banana | 25, 89    | _#!          |

Ok, cool! So now we've got our basic template for secure and easy to remember passwords. Basically, what we've done is chosen some simple words, some numbers and some special characters. Now we just need to arrange them.

| Group  | Password                | Entropy |
|--------|-------------------------|---------|
| Simple | _Dog12#!                | 51      |
| Social | Fa_Dog12#!              | 63      |
| Secure | Ally_Remote#!25Banana89 | 146     |

So above, I have a simple password, a password for my Facebook, and then a password for my bank. Within the passwords (for the social and secure tiers) I have identifiers which allow me to increase entropy and make them very easy to remember. Starting with social, you can see that the password is prefixed with Fa_; this is because I intend to use it for Facebook. In its essence, it's no more difficult to remember than our simple password (we're just prefixing it with Fa). You can do this for any social network, and if one is compromised your others will be safe. For Twitter, as an example, you could use Tw_Dog12#!. Common entropy for a secure password is right around ~45. Anything lower is unacceptable. Simple, right?

Now for something not so simple--our secure password. We're protecting not just personal information with this password, but also financial data, and maybe even something as sensitive as your social security number. We want to be sure that we're doing a good job of securing that information. So we'll choose two relatively random words and an identifier. I've chosen "Ally", "Remote", and "Banana": pretty common and easy to remember words. (For clarification, Ally is the name of my bank.) Since Ally is the name of my bank and will be used as the identifier, it makes sense that it would go first, separated by special characters or numbers. When it comes to passwords, because of attacks such as dictionary attacks, it's common convention not to use common words, which eventually leads to passwords such as Yfkp'8/esL. Very secure, but who the heck is gonna remember that! Even so, because we separate each common word with even more entropy, the chance that our password will be guessed by any automated process decreases instead of increasing. It's also important to realize how strong an entropy value of 146 is: a whole 3.24 times stronger than the current acceptable "standard."
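The two ways of counting entropy that this section touches on can be put side by side: the raw character-pool estimate (length times log2 of the alphabet size), and the view of an attacker who already knows that "Ally", "Remote" and "Banana" are dictionary words and tries each as a single symbol. The block below is an added example, not code from the gist's author; it assumes a 95-symbol printable ASCII pool, a stand-in dictionary size of 20,000 words and a small constructed wordlist, so its character-pool figures land near the table's numbers without being the same estimator the author used.

```python
import math
import re

PUNCTUATION = 33          # printable ASCII symbols other than letters and digits
DICTIONARY_SIZE = 20_000  # assumed size of a cracking wordlist (a stand-in, not measured)
# Constructed toy wordlist standing in for a real dictionary; only membership matters here.
WORDLIST = {"dog", "ally", "remote", "banana", "password", "horse", "battery", "staple"}


def charset_pool(password: str) -> int:
    """Alphabet size a brute-force attacker must assume, from the character classes present."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += PUNCTUATION
    return pool


def charset_entropy(password: str) -> float:
    """Naive estimate: length * log2(pool), treating every character as independent."""
    pool = charset_pool(password)
    return len(password) * math.log2(pool) if pool else 0.0


def word_aware_entropy(password: str) -> float:
    """Estimate against an attacker who tries dictionary words as single symbols.

    Tokens are runs of letters, runs of digits and runs of symbols. A run of letters
    found in the wordlist costs one dictionary pick (plus one bit if it is capitalised);
    any other run is charged per character as random.
    """
    bits = 0.0
    for token in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", password):
        if token.isalpha():
            case_bit = 1 if token != token.lower() else 0
            if token.lower() in WORDLIST:
                bits += math.log2(DICTIONARY_SIZE) + case_bit
            else:
                bits += len(token) * math.log2(26) + case_bit
        elif token.isdigit():
            bits += len(token) * math.log2(10)
        else:
            bits += len(token) * math.log2(PUNCTUATION)
    return bits


def compare(password: str) -> dict:
    """Both estimates for one password, rounded to a tenth of a bit."""
    return {
        "charset_bits": round(charset_entropy(password), 1),
        "word_aware_bits": round(word_aware_entropy(password), 1),
    }


if __name__ == "__main__":
    for pw in ("_Dog12#!", "Fa_Dog12#!", "Ally_Remote#!25Banana89", "Yfkp'8/esL"):
        print(pw, compare(pw))
```

Running it shows why the two views matter: `Ally_Remote#!25Banana89` scores about 151 bits under the character-pool model but roughly 74 once each word counts as one dictionary pick, while the unmemorable `Yfkp'8/esL` keeps most of its value under both. The separators and numbers between the words are what keep the word-aware figure well above the ~45 the text calls the acceptable floor.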


Atavic commented Jan 9, 2018

Before the fappening happened, a post on 4chan said that someone had stolen an iPhone from Weinstein, the movie mogul.
