Passwords – they are a bane of our online existence, a necessary evil of connectivity to keep the bad guys out and allow us access to our most treasured (literally and figuratively) possessions. That’s one reason why many people assume once they’ve used a password to protect something that it’s safe and secure. But is it? Passwords are a weaker defense than you might believe—but there are ways to strengthen them.
The use of passwords to protect items of value has a long history. During the time of Ancient Rome, sentries of the watch would challenge people entering a restricted area and require them to provide a “watchword” before they could gain access to the area. In a similar fashion, our online assets are protected by requiring a user to identify him or herself with a username and password to enter a restricted website.
In honor of World Password Day on May 5, let’s look at a scenario that depicts the steps involved in gaining access to a protected space. Let’s imagine that one person is on the outside of a party at a very exclusive Game of Thrones-themed cigar bar and the other is on the inside. The cigar bar is protected by a locked door that the person on the inside will open only for people on an approved list. Here’s how the conversation might go:
Outside Person: “Knock knock!”
Inside Person: “Who’s there?”
Outside Person: “Jon Snow. I’m on the list.”
Inside Person: (sees Jon Snow’s name on the list) “Come in, Jon Snow.” (Opens door)
Simple enough. The person on the inside will only open the door if the person on the outside identifies as Jon Snow. Great, right?
Nope. Say, for example, a passerby overheard Jon Snow talking about this exclusive party and mentioning that only certain people were allowed in. It wouldn’t take much work to chat with Jon, learn his name, and, if you were clever, the location and time of the fancy cigar party, then use that information to impersonate him. With this knowledge, you have assumed Jon Snow’s identity and can access the party.
Real World Scenario: the very common and very bad practice of leaving passwords on sticky notes around your computer screen, in a file on your computer’s desktop, or in any other location that is not protected. Anyone with access to these credentials IS you, as most of the time the other side (your bank, your email account, your wifi) can’t tell the difference between you and an imposter entering the same credentials.
Takeaway: don’t leave passwords in unprotected spaces. Remember them, or better yet, use separate ones for separate services (more on making this easier later on).
Now imagine another scenario at the same club, but with someone guarding the door who’s more paranoid about letting the wrong person in. The same conversation would occur, but with an added caveat: before letting him in, the guard would ask for a phrase only Jon Snow would know, which would authenticate Jon’s identity. See below:
Knock knock!
“Who’s there?”
“Jon Snow. I’m on the list.”
Inside Person: (sees Jon Snow’s name on the list, but does he know the entry phrase?) “What’s the secret phrase?”
“Winter is coming.”
(Opens door)
This is a small step forward in ensuring Jon gets to enjoy a cigar at his favorite spot. It is, however, not a strong and secure solution, as someone interested in gaining entry to this club could chat Jon up, discover that he loves Game of Thrones (and cigar bars associated with it), and guess that his secret phrase would be one of the most widely known ones associated with the series. That famous phrase is the single factor of authentication needed to get past the door.
Real World Scenario: this can be seen in social engineering attacks targeting less-savvy users of technology, who may associate a password (or the service it protects) with something they enjoy. For example, a fantasy football fan’s password might be “DaBears!” In addition, the dislike of long or hard-to-remember passwords may prompt people to use the same password for multiple services, further weakening its ability to secure other information (once an attacker knows credentials for one service, they’d know them for all your services).
Takeaway: don’t multi-purpose your passwords, and try to use passwords that are not related to the service you’re using.
One final scenario for the cigar bar. The newest guard is so paranoid about the wrong people gaining entry that, in addition to needing their name on the list plus a password phrase, the guard sends a text to the member’s phone after they’ve given the password. If the member replies to the text properly, they’re allowed entry.
Knock knock!
“Who’s there?”
“Jon Snow. I’m on the list.”
“What’s the secret phrase?”
“Winter is coming.”
Inside Person: (pushes a button that sends a text to Jon Snow’s phone, saying, “Jon, reply to this text with the code JOFFREY to gain access. This code expires in one minute.”)
Snow replies to the text with the correct code.
(Inside Person opens door)
Real World Scenario: Now we’re on the right path! What’s being described is multi-factor authentication, where multiple independent means are used to verify that the person attempting to gain access is who they say they are: something they have (in the example, Jon Snow’s phone that receives the text) and something they know (the famous phrase). Real-world examples can be found in secure building entry systems where both a badge and a PIN are needed to open a door, in corporate environments with more mature cybersecurity policies that require employees to take a second action after providing a password in order to access critical information, and in more and more websites such as Gmail and Facebook (though you may have to opt in). Systems like these are harder for adversaries to break into, because if they’re missing even one of the authentication factors (name, password, or code), they can’t get in.
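The third guard’s door check, written out as an added example (not code from the original post): the guest list keeps only salted hashes of the phrases, the phrase is compared in constant time, and the texted code is single-use and expires after the one minute the guard promised. The member names, phrases and the `sent_texts` list standing in for the SMS channel are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 60  # the guard's "this code expires in one minute"


def hash_phrase(phrase, salt):
    # Salted, slow hash: a stolen guest list does not reveal the phrases themselves
    return hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, 100_000)


class DoorGuard:
    """Three checks: name on the list, secret phrase, then a one-time texted code."""

    def __init__(self, members):
        # members: name -> phrase (constructed sample data); only salted hashes are kept
        self._list = {}
        for name, phrase in members.items():
            salt = os.urandom(16)
            self._list[name] = (salt, hash_phrase(phrase, salt))
        self._pending = {}    # name -> (code, issued_at); each code is single-use
        self.sent_texts = []  # stands in for the SMS channel the member's phone receives

    def on_list(self, name):
        return name in self._list

    def check_phrase(self, name, phrase):
        if not self.on_list(name):
            return False
        salt, expected = self._list[name]
        # Constant-time compare so response timing leaks nothing about the phrase
        return hmac.compare_digest(hash_phrase(phrase, salt), expected)

    def send_code(self, name, now=None):
        # Reached only after name and phrase check out; the code proves "something you have"
        code = secrets.token_hex(4).upper()
        self._pending[name] = (code, time.time() if now is None else now)
        self.sent_texts.append((name, code))

    def check_code(self, name, code, now=None):
        now = time.time() if now is None else now
        pending = self._pending.pop(name, None)  # pop: one attempt, no replay of a used code
        if pending is None or now - pending[1] > CODE_TTL_SECONDS:
            return False
        return hmac.compare_digest(code.encode(), pending[0].encode())


def admit(guard, name, phrase, reply, now=None):
    """Full door conversation; reply(texted_code) plays the member (or imposter) answering the text."""
    if not guard.check_phrase(name, phrase):
        return False
    guard.send_code(name, now)
    return guard.check_code(name, reply(guard.sent_texts[-1][1]), now)
```

An eavesdropper who learned the name and the phrase still fails at the last step, because the reply they type is not the code that went to Jon’s phone.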
Takeaway: multi-factor authentication is the most secure way to protect your confidential information and critical assets. Companies should consider employing multi-factor authentication controls around privileged access and remote access to sensitive data and critical systems. Individuals should take advantage of multi-factor authentication wherever it’s offered. For many popular sites, it just needs to be turned on.
Takeaway: If you have trouble remembering passwords, you can use password managers. These programs (LastPass, KeePass, SecretServer, and others) manage your credentials for multiple website logins by storing them on your computer or smartphone in an encrypted database so they’re not in the open. A master password is required to use these programs. You can generate random, long, and hard-to-guess credentials with these programs and use different ones for different websites. With a password manager, you can take those stickies down from your monitor and rest assured the passwords are available when you need them.
The moral of the Jon Snow story? We live in interesting times. Our data is at once more accessible than ever, AND increasingly at risk to access by groups who wish to use it to ends unknown. Protect what you possess and don’t rely on the weak protections of simple passwords alone to guard what you hold dear.