Password managers and how you are using them wrong
Anyone who spends any time online knows how hard passwords are to manage. Most people have at least 15 online accounts, and keeping a distinct password for each one quickly becomes a chore. People generally take one of three approaches:
- Use the same password for most accounts, with special ones reserved for those you deem high priority (like Equifax or your bank). Sadly, this is the most common approach. Plenty of self-described ‘security experts’ have been caught with their pants down when several of their accounts were compromised through password reuse.
- Save them in a text file or spreadsheet on your desktop. This is also bad practice. Notepad, Excel, and similar files are not protected in any way, and even a novice attacker searches a compromised machine for files that may contain passwords.
- Use a password manager. This is the option I will focus on for the next several posts. There are right ways and wrong ways to use one. The more features a product has, the larger its attack surface: every feature is additional code, and every additional piece of code is something that can be exploited to gain access to your data.
Some of the more widely used password managers are:
- RoboForm (https://www.roboform.com)
- LastPass (https://www.lastpass.com)
- OneLogin (https://www.onelogin.com/) (disclosed a breach in 2017)
- KeePass (http://keepass.info/)
- 1Password (https://1password.com/)
All of them have their pros and cons, but some offer more protection than others. In this article I will cover what to do and what not to do when using a password manager. In future articles I will discuss the merits of the managers listed above.
Online Synchronization, MFA, and Access
One of the major features most of them offer is online synchronization. Your vault is synced to the provider's servers so you can reach your passwords from other devices, through native clients and usually a web interface as well. This is very handy on the go or when setting up a new computer or mobile device, but it can also be your biggest downfall. You are handing a copy of every credential you own to a third party. Good providers encrypt the vault on your device before it is uploaded, so their servers hold only ciphertext and your master password never leaves your machine; even then, the strength of that master password and the provider's key-derivation settings are all that stand between a stolen copy of the vault and your accounts. If you fail to secure your own side, or pick a provider that does not fully protect the data on theirs, you are handing away your money and accounts.
The first step when setting up an account with a password manager is to enable MFA (multi-factor authentication). With MFA, an attacker who has obtained your master password still cannot log in to your account without the second factor. The best providers offer MFA that combines something you know (the master password) with something you have (a hardware token). One caveat: in most managers MFA protects the login to the sync service, not the decryption of the vault itself. A vault file already cached on a stolen or compromised device is protected by the master password alone, which is one more reason that password has to be strong.
My personal favorite hardware-based MFA is a YubiKey using OTP (one-time passwords). A YubiKey is a small USB device that looks similar to a thumb drive, with a touch contact that must be physically pressed to emit an OTP, so logging in requires physical possession of the key. Instead of relying only on something you know (username and password), you add something you have. Note that an OTP, like any code you type into a web page, can still be captured by a convincing phishing site and relayed to the real service in real time; the FIDO U2F mode that most YubiKey models also offer binds the response to the site's origin and closes that gap.
There are many MFA products and processes. One of the most common methods today is an SMS or email code: after you enter your username and password, a four- to nine-digit code is sent to you and must be entered before the login completes. In recent years this has become much less secure. Well-known weaknesses in the SS7 signalling system that carries SMS allow an attacker with SS7 access to redirect or intercept messages and read the OTP, and this has been used in real attacks against bank customers, not just in the lab. Attackers without SS7 access simply social-engineer the carrier into moving your number to a SIM they control (a SIM swap) and receive the codes directly. Email is even worse: all an attacker needs is your email login, and from there they can read the emailed OTP or simply initiate password resets for your other accounts.
One of the problems I often see is people setting up a password manager with one of the passwords they already use for some of their other accounts. This is a huge problem that people tend to ignore. The password itself may be strong, as strong as a text-based password can possibly be, but the moment you reuse it you have tied the security of your entire vault to the weakest site that shares it.
Passwords should never be re-used.
Even if it is used on only one other site, if that site is breached, or your machine is compromised while you log in to it, you have handed over the key to every other credential you own.
Password Complexity and Incrementing by One
Again, this is a big issue I see even some of the most respected security professionals fall into. Instead of remembering a thousand passwords, you pick a word, add a number and a symbol to the end, and then increment the number by one every time you have to change it: password1!, then password2! when the change is forced. Do not do this. Anyone who recovers one of those passwords from a breach can guess the current one in a handful of attempts.
Part of the problem is that website and application developers do not put enough effort into the credential handling of their own products. Properly designed, a password change endpoint should reject this pattern outright. There should be simple rules for password resets:
- Three or more characters in a row should not match the current password. (This check is only possible against the current password, which the user has just typed in to authorise the change. Older passwords should exist only as salted hashes, so the history can be checked for exact reuse and nothing more.)
- The same password should not be reusable… EVER.
- The password should have complexity indexed. Prevent word1! by refusing runs of more than three characters of the same class.
- Force the use of upper, lower, symbols, and numbers.
- Disallow any password that contains more than three consecutive characters of the username.
- Disallow any password that repeats the same character more than twice in a row.
- Force a password change once every 30-45 days.
One caveat on the composition and rotation rules: NIST SP 800-63B (2017) now advises against mandatory periodic rotation and rigid composition requirements, precisely because they push users toward the word1!, word2! pattern described above. It recommends a length minimum, screening candidate passwords against lists of known-breached passwords, and forcing a change when there is evidence of compromise. Whichever policy you choose, enforce it consistently.
As a solution provider, developers have a responsibility to ensure the security and integrity of the applications they develop. Not enforcing basic controls on credentials is like saying “You and your personal information don't matter to me.”
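The rules above, applied at the moment a user changes their password, as an added example that is not part of the original post and not taken from any of the products listed. It assumes the change request carries the current plaintext (so the increment-by-one and shared-run checks can be made against it) and that earlier passwords survive only as salted PBKDF2 hashes, so against those only exact reuse can be detected. The breached-password set is a constructed sample; the increment check generalizes beyond the trailing digit of password1! to any single run of digits (Summer2019rocks! to Summer2020rocks!).

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed breached-password sample for this example. A real deployment
# screens against a large corpus such as the Have I Been Pwned list.
BREACHED = {"password", "password1", "password1!", "qwerty", "letmein"}

MIN_LENGTH = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only this pair is stored; the plaintext is discarded."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Lazy prefix, the last run of digits, then whatever non-digits follow.
_DIGIT_RUN = re.compile(r"^(.*?)(\d+)(\D*)$")


def looks_incremented(old: str, new: str) -> bool:
    """True when `new` is `old` with only its last digit run changed
    (password1! -> password2!, Summer2019rocks! -> Summer2020rocks!)."""
    a, b = _DIGIT_RUN.match(old), _DIGIT_RUN.match(new)
    if not (a and b):
        return False
    return a.group(1) == b.group(1) and a.group(3) == b.group(3) and a.group(2) != b.group(2)


def shares_run(old: str, new: str, n: int = 3) -> bool:
    """True when any n consecutive characters of `new` appear in `old`
    (case-insensitive). Only checkable against a plaintext the user just typed."""
    old, new = old.lower(), new.lower()
    return any(new[i:i + n] in old for i in range(len(new) - n + 1))


def check_new_password(username: str, current: str, new: str,
                       history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return every policy violation for a proposed change (empty list = accept).
    `current` is the plaintext supplied to authorise the change; `history` holds
    (salt, digest) pairs of earlier passwords, hashes only."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new == current:
        problems.append("same as the current password")
    else:
        if looks_incremented(current, new):
            problems.append("incremented version of the current password")
        if shares_run(current, new):
            problems.append("shares 3+ consecutive characters with the current password")
    # Against older passwords only exact reuse is detectable: the candidate is
    # verified against each stored hash. Substring rules cannot be applied here
    # because the old plaintexts were never kept.
    if any(verify(new, salt, digest) for salt, digest in history):
        problems.append("reused: matches a previous password")
    u, n = username.lower(), new.lower()
    if any(u[i:i + 4] in n for i in range(len(u) - 3)):
        problems.append("contains 4+ consecutive characters of the username")
    if re.search(r"(.)\1\1", new):
        problems.append("repeats the same character more than twice in a row")
    if n in BREACHED:
        problems.append("appears in the breached-password list")
    return problems


if __name__ == "__main__":
    old_salt, old_digest = hash_password("Winter2017!!go")
    for candidate in ("password2!", "Winter2017!!go", "tr0ub4dor&3 horse battery"):
        print(candidate, "->", check_new_password("alice", "password1!", candidate,
                                                  [(old_salt, old_digest)]) or "OK")
```

Because the server holds only hashes of earlier passwords, the "no three matching characters" rule can be enforced only against the password the user has just proven they know; a site that can apply it to your whole history is storing your old passwords in a recoverable form, which is its own problem.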
Do not disable logging in each time you open the password manager
Many password managers let you choose between requiring your master password every time you launch the manager and caching the login so that you only authenticate once every X hours or days. Caching it is bad practice. Always require a login when the manager is launched, and force a fresh login (or at minimum an automatic lock) every 60 to 240 minutes and whenever the screen locks. A manager that stays unlocked keeps the decrypted vault, or the key to it, available on the machine, so any compromise of the machine means every credential you have is gone too.
Random letters, numbers, and symbols? No.
For the password manager account itself, many people reach for a password generator and produce an eight- to 128-character string of random letters, numbers, and symbols. While this might seem like a good idea for protecting your credentials… it's not, for a practical reason.
Anything that random is next to impossible to remember. That leads to laziness, and in most cases people turn off or relax the login requirement so they do not have to keep keying in a long, difficult string.
Instead, for password managers that allow very long master passwords, find a book, choose a paragraph, and memorize it. Something of at least 75-100 characters is ideal. It will contain capitals, lowercase letters, and punctuation, and if you choose the right paragraph, numbers as well. Here is an example password: Act 3, Scene 1: A plague o’ both your houses! They have made worms’ meat of me. I have it, and soundly too. Your houses!
It might seem that this is less secure because every word in it appears in the wordlists used for cracking, but length alone makes a passphrase like this far more expensive to brute-force character by character, and its word count makes it far more expensive than a short password to attack word by word. The caveat is that a verbatim famous quotation is itself in the phrase lists crackers build from sources such as Wikiquote and Project Gutenberg, so pick an obscure passage, alter a few words, or string together several randomly chosen words (the Diceware approach) rather than a line everyone knows.
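The two attacker models behind that caveat, worked through on the page's own example passphrase, as an added example that is not part of the original post. It assumes the usual character-class sizes (26 + 26 + 10 + 33) for the brute-force model and a constructed three-entry phrase list with an assumed budget of 10,000 mangling rules standing in for the quotation lists crackers actually use; the numbers only illustrate how far apart the two models land.

```python
import math
import re
import string

# The page's own example passphrase (Romeo and Juliet, Act 3, Scene 1).
EXAMPLE_PASSPHRASE = ("Act 3, Scene 1: A plague o' both your houses! They have made "
                      "worms' meat of me. I have it, and soundly too. Your houses!")

# Constructed stand-in for the quotation lists crackers build from sources such
# as Wikiquote and Project Gutenberg. An assumption for this example; real lists
# hold millions of normalised phrases.
KNOWN_PHRASES = [
    "to be or not to be that is the question",
    "a plague o both your houses they have made worms meat of me "
    "i have it and soundly too your houses",
    "it was the best of times it was the worst of times",
]


def normalize(text: str) -> str:
    """Lower-case, strip punctuation, collapse whitespace: the canonical form a
    cracker stores, leaving capitalisation and punctuation to mangling rules."""
    text = re.sub(r"[^a-z0-9\s]", "", text.lower())
    return " ".join(text.split())


def brute_force_bits(password: str) -> float:
    """log2 of the guesses needed if the attacker knows only the length and the
    character classes in use and must enumerate every string of that shape."""
    if not password:
        return 0.0
    classes = [
        (26, any(c.islower() for c in password)),
        (26, any(c.isupper() for c in password)),
        (10, any(c.isdigit() for c in password)),
        (33, any(c in string.punctuation or c == " " for c in password)),
    ]
    alphabet = sum(size for size, present in classes if present)
    return len(password) * math.log2(alphabet)


def phrase_list_bits(password: str, phrases=KNOWN_PHRASES, mangling_rules: int = 10_000):
    """log2 of the guesses needed if the attacker recognises the passphrase as a
    quotation: each listed phrase is tried under a fixed budget of mangling rules
    (case, punctuation, a prefixed tag such as 'Act 3, Scene 1:').
    Returns None when no known phrase is contained in the candidate."""
    norm = normalize(password)
    if not any(p in norm for p in phrases):
        return None
    return math.log2(len(phrases) * mangling_rules)


if __name__ == "__main__":
    for pw in ("password1!", EXAMPLE_PASSPHRASE, "correct horse battery staple"):
        print(f"{pw[:30]!r:34} brute force {brute_force_bits(pw):7.1f} bits, "
              f"phrase list {phrase_list_bits(pw)}")
```

The 120-character quotation scores hundreds of bits under the brute-force model, which is the comparison the paragraph above makes, and under fifteen under the phrase-list model, because the only uncertainty left is which famous line you chose and how you dressed it up. The advice to prefer length over random characters stands; the point is that the length has to come from words an attacker cannot look up.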
The last of the basic steps: choose a product that lets you turn on login notifications. Products with this feature send an SMS and/or email every time someone logs in to your password manager account from the web interface or a client application. It is a basic feature that tells you when someone has breached your account. If you can turn on both SMS and email notifications, do it. The notifications may be annoying when it is you logging in, but you will be thankful for them the day someone else logs in without your approval.