
Number One


Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus


What comes to mind when you hear ‘Number One’? Perhaps it is a position to be sought after. If you are a Star Trek: The Next Generation fan, perhaps you think of the character Will Riker. If you are a Three Dog Night fan (if you know who they are, congratulations on having lived a long time) you may recall that according to them, “one is the loneliest number”. J.R.R. Tolkien fans may recall that there was ‘one ring to rule them all’. When it comes to passwords, are you with Three Dog Night or Tolkien?

Hopefully by now, the basic COVID precautions (mask, distance, hand washing, no large gatherings) have become part of your routine. Looking at statistics we can see that this is a difficult sell for many. Password precautions (length, single-use, complexity/randomness) continue to be a difficult sell as well.

Work From Home Creates More Security Issues

This article cited some issues that arise when WFH (work from home) environments are not under the same control and scrutiny as enterprise environments. The consequences have little to do with the difference between home and work and more to do with the individual’s established password practice.

One example in the article is a WFH employee allowing children to use the work Zoom credentials. The child then uses those credentials (just because they can) to create an online gaming account. If the WFH employee is in the habit of reusing passwords and/or usernames and the gaming account is breached, this exposes business credentials.

As mentioned in the article, the Nintendo breach this year was due in part to people using credentials that had already been exposed in other breaches, giving the bad guys a way into those users’ accounts. The issue is further exacerbated by the surge in online shopping as people look to avoid going out: every new shopping account is one more place a password can be reused, and one more place it can be stolen from.

This article cites an older survey in the UK with some disappointing results:

  • The security awareness campaign, run by the UK government, discovered that 75% of survey respondents were failing to follow best practice guidelines when creating complex passwords for new and existing accounts.
  • More than 1 in 3 (35%) of those questioned said they struggle to remember strong passwords, which is unsurprising given that the average Briton now has 19 of them to remember.

How Many Passwords Do You Have?

Since 2014, when the above article was published, the number of passwords for the average user has not decreased. This article from 2017 states that the “Average Business User Has 191 Passwords”. My wife and I use a password manager for our online activity, and my password manager has 253 entries in it. (We are on the Three Dog Night side of passwords.)

Credential reuse facilitates credential stuffing attacks. In a credential stuffing attack the bad guys take the username/password pairs exposed in other breaches and simply replay them against a different site, betting that some of those users reused the same pair there. With billions of leaked pairs to work from, they only need a small percentage of hits, and they will get them. A stuffing attack looks different from an attacker guessing one user’s password: the traffic is many different usernames, each tried once or twice, mostly failing, with the occasional success being the actual account takeover.
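One way to spot the pattern just described in web-server login logs, as an added example that is not part of the original post. The log format, the sample lines and the thresholds are all constructed for illustration; a real deployment would read its own authentication log and tune the numbers. It separates the many-usernames/high-failure signature of credential stuffing from single-account password guessing, and lists which accounts the stuffing source actually got into.

```python
"""Flag credential-stuffing activity in login logs (constructed example).

Credential stuffing replays username/password pairs leaked elsewhere, so one
source typically tries many *different* usernames, each once or twice, with a
high failure rate. Guessing one account's password looks different: one
username, many attempts. The log lines and thresholds below are made up for
this example, not taken from a real system.
"""
from collections import defaultdict
import re

# Constructed sample lines in a simple "ip login user=... result=..." format.
SAMPLE_LOG = """\
203.0.113.10 login user=alice result=FAIL
203.0.113.10 login user=bob result=FAIL
203.0.113.10 login user=carol result=FAIL
203.0.113.10 login user=dave result=OK
203.0.113.10 login user=erin result=FAIL
203.0.113.10 login user=frank result=FAIL
198.51.100.7 login user=alice result=FAIL
198.51.100.7 login user=alice result=FAIL
198.51.100.7 login user=alice result=FAIL
198.51.100.7 login user=alice result=FAIL
198.51.100.7 login user=alice result=OK
192.0.2.44 login user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Yield (ip, user, success) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def summarize(log_text):
    """Per-source counters: total attempts, failures, distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ip, user, ok in parse(log_text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if not ok:
            s["failures"] += 1
    return stats


def classify(log_text, min_attempts=5, min_distinct_users=4, min_fail_ratio=0.6):
    """Label each source 'credential_stuffing', 'password_guessing' or 'normal'.

    Thresholds are illustrative. A source must be both busy and mostly failing
    to be suspicious at all; spreading those failures over many usernames is
    the stuffing signature, concentrating them on one is guessing.
    """
    labels = {}
    for ip, s in summarize(log_text).items():
        fail_ratio = s["failures"] / s["attempts"]
        if s["attempts"] < min_attempts or fail_ratio < min_fail_ratio:
            labels[ip] = "normal"
        elif len(s["users"]) >= min_distinct_users:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "password_guessing"
    return labels


def compromised_accounts(log_text):
    """Usernames that logged in successfully from a source flagged as stuffing:
    these are the reused passwords that the attacker was right about."""
    flagged = {ip for ip, lab in classify(log_text).items() if lab == "credential_stuffing"}
    return sorted({user for ip, user, ok in parse(log_text) if ok and ip in flagged})


if __name__ == "__main__":
    for ip, label in classify(SAMPLE_LOG).items():
        print(ip, label)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG))
```

Per-source counting is the simplest version of this check. Real stuffing campaigns spread the attempts across proxy pools so that no single IP crosses the thresholds, so in practice the same counters are also kept per user-agent, per ASN, and per time window, and a site-wide spike in distinct-username failures is itself a signal.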

But wait, you might say. If the WFH person is using work credentials, won’t they have been forced to use a long complex password by the corporate policy? The simple answer is, maybe. Let’s assume they are in the habit of using long complex passwords. Let’s pretend the policy is as follows: 14 characters, upper and lower case required, at least one number, and one special character. Using that policy we construct this password: C0ronaV1rus!!!. It meets all the criteria but is hardly a secure password. Substituting a number for a letter (zero for the letter O, 1 for the letter L or I, etc.) is a standard rule that password-cracking tools apply automatically to every word in their list, so the substitutions buy almost nothing. Common phrases, sports teams, city names, other everyday objects (football, baseball, etc.) and their combinations all go into a dictionary for testing by the bad guys. In fact, even this string: Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn would be in the bad guys’ dictionary. It is a well-known quote from H. P. Lovecraft’s The Call of Cthulhu and thus is included as a potential password. A complexity policy can check that the characters are there; it cannot check that they were chosen at random.

With the billions of records available on the dark web for any bad actor to utilize, the Tolkien approach “One ring (password) to rule them all” would be disastrous for individuals and businesses. Even the standard length/complexity rules don’t provide as much protection as you might think as illustrated above.

One Account, One Password

So how do we follow the Three Dog Night password rule? Each password is used for exactly one account. With all that is being done online, especially with the increasing cross-over between home and business online activity, unique passwords are increasingly important. One account, one password has to become the ‘new normal’ for online security. Of course, having a different weak password for every account won’t help as much as it could. If you are choosing a different weak password for each account, you are not much better off than using one password for all of them. Dictionary attacks (trying every word, name and phrase in a wordlist) can be run very quickly on today’s hardware. Even with the number-for-letter substitutions included, password crackers make short work of weak passwords.

The mantra for passwords needs to be: unique, long (12-14 characters, this year), and random. Throwing in complexity doesn’t hurt. From what I have seen, length will trump complexity. The arithmetic backs that up: 18 randomly chosen lower-case letters give 26^18, roughly 2^85, possibilities, while 8 randomly chosen characters drawn from all 95 printable ASCII characters give 95^8, roughly 2^53. Faster hardware shrinks the time needed for both; it does not change which is larger. The catch is the word ‘random’: 18 lower-case letters that spell a song lyric are back in the dictionary.
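The two points above, that a policy-compliant password like C0ronaV1rus!!! is still dictionary fodder once substitutions are undone, and that length beats character-class rules when (and only when) the characters are random, as an added example that is not part of the original post. The policy, the tiny dictionary and the substitution table are constructed for illustration and are far smaller than the wordlists and rule sets real crackers (hashcat, John the Ripper) use.

```python
"""Policy-compliant is not the same as strong (constructed example).

meets_policy()           - the article's hypothetical 14-character complexity rule
in_cracker_dictionary()  - undo leet substitutions, then look the word up
keyspace_bits()          - the search space a *random* password really has
"""
import math
import re
import secrets
import string
from itertools import product

POLICY_MIN_LEN = 14  # the article's pretend corporate policy


def meets_policy(pw):
    """14+ chars with upper, lower, digit and special character present."""
    return (len(pw) >= POLICY_MIN_LEN
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


# Constructed mini-dictionary: words, places and quotes an attacker would seed.
DICTIONARY = {
    "coronavirus", "football", "baseball", "cleveland", "password",
    "ph'nglui mglw'nafh cthulhu r'lyeh wgah'nagl fhtagn",
}

# Letters each digit/symbol is commonly used to stand in for ('1' is ambiguous).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def candidate_words(pw):
    """Lower-case, strip padding digits/punctuation from both ends, then expand
    every substituted character into each letter it might stand for.
    (Expansion is exponential in the number of substituted characters; real
    crackers apply substitution *rules* to the wordlist instead.)"""
    core = pw.lower().replace("\u2019", "'").strip(string.punctuation + string.digits)
    options = [LEET.get(ch, ch) for ch in core]
    return {"".join(combo) for combo in product(*options)}


def in_cracker_dictionary(pw, dictionary=DICTIONARY):
    return any(word in dictionary for word in candidate_words(pw))


def keyspace_bits(length, alphabet_size):
    """log2 of the number of strings of this length over this alphabet: the
    work exhaustive search faces *if* every character was chosen at random."""
    return length * math.log2(alphabet_size)


def alphabet_size_of(pw):
    """Size of the smallest standard alphabet covering the classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def assess(pw):
    """Policy verdict, dictionary verdict, and the naive strength estimate a
    length/complexity rule implies. A dictionary hit makes the bit count moot."""
    return {
        "meets_policy": meets_policy(pw),
        "in_dictionary": in_cracker_dictionary(pw),
        "naive_bits": round(keyspace_bits(len(pw), alphabet_size_of(pw)), 1),
    }


def random_password(length, alphabet=string.ascii_lowercase):
    """What a password manager generates: uniformly random characters."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("C0ronaV1rus!!!",
               "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
               random_password(18)):
        print(repr(pw), assess(pw))
    print("18 random lower-case letters:", round(keyspace_bits(18, 26), 1), "bits")
    print("8 random chars, all classes :", round(keyspace_bits(8, 94), 1), "bits")
```

The naive estimate for C0ronaV1rus!!! comes out above 90 bits, which is what a policy “sees”; the dictionary check shows the real search is one word times a handful of substitution rules. The 18-letter random string has no dictionary hit and an honest 85 bits, which is the whole argument for a generator rather than a memorable phrase.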

So get a password manager. If you are running a business, don’t rely on the standard password policy to teach your employees how to make good passwords. Audit your passwords to make sure weak ones are not being used, at least where you have some control. Unfortunately, security takes some effort. We learned to wear seat belts. Most of us are learning to wear masks. We can learn to make good passwords.  If you need help with your security, give the Ashton team a call at 216 397-4080.
