Last week's Security (b)log, titled “Passwords – yes, again”, raised a number of questions worth answering
for a wider audience. So here we go, passwords once again!
A remarkable password system came along, which in weighty
language could easily be labeled zero
knowledge. If a site asks for a password, the user clicks on “forgot
password” every time. Usually the site then sends a recovery message to the
e-mail address on file. The link in that email takes him to a page to set a
new password. There, the user randomly hits a bunch of keys, making no effort
to remember the new password, because next time he will just do the same thing
again. Allow me to share my thoughts about this.
My first two thoughts are: “hey, how creative” and “wow,
how laborious”. The combination of those two thoughts is: perfectly usable for
accounts that you rarely visit. Like when you're ordering a gift from a site
you've never been to before and probably won't need to be for a while, but they
insist that you create an account. I think it's fine to use this system in that
case. But for accounts that you need more often, it seems less useful to me; it’s
just too cumbersome to get in. Another tip: first type the password
in Notepad or in a new Word document and copy it from there into the password
fields, as otherwise you will struggle to enter the same random password in
the second password field. Then close the file without saving it. By the way,
do you know who is really good at coming up with those kinds of passwords?
Password managers… (see below).
This system also makes it clear that it is very important
to properly protect your email. After all: if an attacker has access to your
mail, he can also click on “forgot password” everywhere and then gain access to
all those sites via the recovery message – under your name.
Some people are skeptical about password vaults. Are
those apps safe? Wouldn't there be a back door after all? The honest answer: we
don't know, at least not with certainty. You see, a password manager is
software, and software by default contains errors. Some of those errors affect
the security of the product. Moreover, such an app usually does not run in
isolation on your device, but synchronizes the data via the cloud, so that you
can use your vault on all your devices. In other words, your passwords are
usually not on your device, but on a computer somewhere in the world. By sheer
coincidence, I received an email this morning from LastPass, the password
manager I used before. There was "unusual activity" in the cloud
service they used. Hackers could view user information. But, they insist, the
passwords are encrypted and because you're the only one who knows the key,
they're not at risk. They leave it open whether those encrypted passwords have
been captured. But I don't believe in deliberately installed back doors, as
long as you don't use password managers that come from suspicious countries
such as Russia or China. Some products are open source, which gives anyone the
opportunity to turn the program inside out (whether that actually happens is
another matter). And perhaps a malicious person will find a vulnerability first.
The mandatory use of a mix of upper and lower case
letters, numbers and other characters also raises questions. The most important
element of a good password is its length, but the number of characters you can
choose from also makes a difference. If you only use lowercase letters, an
attacker trying to guess your password has a 1 in 26 chance per character of
getting it right. If you also use capital letters, the chance decreases: 1 in
52. If you also add numbers and other characters, the chance of guessing
correctly becomes even smaller. This then compounds with the length of the
password: with a password of 3 characters using only lowercase letters, the
number of possibilities is 26*26*26 = 17,576. If you also use capital letters,
you can already create 52*52*52 = 140,608 different passwords. With password
length 8, you go to nearly 209 billion and nearly 53.5 trillion possibilities,
respectively. Note that expanding the number of possible characters in this
example gives only eight times as many possibilities, while making the password
longer gives twelve million times as many possible passwords. That seems crazy,
but remember that attackers often put a lot of computers to work to crack
passwords. Many hands make light work!
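To make the arithmetic above concrete, here is an added example (not from the original post) that computes keyspace size and entropy for the character sets discussed and shows that lengthening a lowercase-only password outweighs adding character classes; the guess rate is an assumed, constructed figure, not a measured one.

```python
import math

# Alphabet sizes used in the post (26 lowercase, 52 with capitals); the
# 62- and 95-character rows extend it with digits and printable ASCII symbols.
CHARSETS = {
    "lowercase": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "printable ASCII": 95,
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length that reaches `target_bits` with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at a given (assumed) guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Assumed attacker speed: a constructed round figure for illustration only.
    RATE = 1e10
    print("The post's figures:")
    print(f"  26^3 = {keyspace(26, 3):,}   52^3 = {keyspace(52, 3):,}")
    print(f"  26^8 = {keyspace(26, 8):,}   52^8 = {keyspace(52, 8):,}")
    print(f"  wider alphabet: x{keyspace(52, 3) // keyspace(26, 3)}, "
          f"longer password: x{keyspace(26, 8) // keyspace(26, 3):,}")
    # Four extra lowercase letters beat swapping in every other character class.
    print(f"\n26^12 > 95^8: {keyspace(26, 12) > keyspace(95, 8)}")
    print(f"\nLength needed for 80 bits, then years to exhaust at {RATE:.0e} guesses/s:")
    for name, size in CHARSETS.items():
        n = length_for_bits(size, 80)
        print(f"  {name:<20} {n:2d} chars  {years_to_exhaust(size, n, RATE):12.1f} years")
```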
In summary: use long passwords, preferably generated by and
stored in a reliable app. And as always: turn on two-factor
authentication/two-step verification wherever possible.
And in the big bad world…
- here's what's going on at LastPass.
- the World Cup could easily lead to cyber threats.
- the San Francisco Police Department wants to use deadly robots.
- private data of all members and former members of a Dutch political party have been leaked. [DUTCH]
- Today, TikTok makes your data accessible to employees in China. [DUTCH]
- That can also be explained in a humorous way [DUTCH]
- criminals are still taking advantage of Log4j. [DUTCH]
- Microsoft 365 and GDPR don't go well together. [DUTCH]
- Russian hackers are targeting Dutch gas installations. [DUTCH]
- You can watch Mikko Hyppönen's presentation If it's smart, it's vulnerable.
- there is a privacy aspect to uploading your address book to an online service. [DUTCH]
- the Dutch NCSC can finally share threat information with non-critical companies. [DUTCH]
- some laptop and phone repairers snoop around your device. [DUTCH]
- we need to get an emergency kit in case a cyber-attack paralyzes the country. [DUTCH]