The key takeaway about passwords is that longer is better. The usual recommendation is a minimum of 15 characters. You also shouldn’t reuse passwords across sites. If you use the same password on multiple sites and it leaks or is cracked, what is stopping attackers from logging in to the other sites with it? (Trying leaked username and password pairs against other services is known as credential stuffing, and it is fully automated.)
You might want to sign up for notifications of leaked credentials at https://haveibeenpwned.com/. If a leak containing your email is detected on the internet there’s a good chance you’ll get a notification and will be able to change your password before it gets abused.
How to make remembering unique passwords easier
Remembering a lot of unique passwords is hard. Many people who use unique passwords store them in notes, either digitally, in a notebook or on a piece of paper. If someone were to get access to those notes, they would be able to log in to every site stored in them. How would you prevent that?
Password managers
Password managers are software that remember your passwords and other secrets for you. They encrypt all the data you store in them so that only you can use it. As we'll see in a later chapter, the security of the encryption depends on the key, not on keeping the algorithm secret. In other words, if someone else got hold of the database containing all your encrypted passwords, they would not be able to read it without the key.
Memorising a long random key is impossible, so instead you choose a master password. The password manager runs it through a deliberately slow key derivation function, together with a random salt, to produce a key, and that key is used to decrypt the actual data key, which in turn decrypts your entries. In essence, the key is only as secure as your master password. This is a concession to usability: a master password is easier to remember than a long key full of random bits, but it also contains far less randomness, which is why the slow derivation matters, as it makes every guess expensive. A master password should therefore be long and hard, if not impossible, to guess. Some password managers offer other means of recovering your account; be careful if that recovery information is stored out of your control, since anyone with access to it can decrypt your passwords.
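The scheme described above (master password stretched into a key, which only unwraps a random data key) can be shown in a few dozen lines. The following is an added illustration written for this page, not code from any real password manager: it uses PBKDF2 from the Python standard library for the slow derivation, and a simple encrypt-then-MAC construction built from HMAC-SHA256 in place of the AES-based encryption real products use. The vault layout, function names and the sample entry are all constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Work factor for PBKDF2-HMAC-SHA256. OWASP's 2023 guidance is 600,000 iterations;
# the point is that every guess at the master password costs this much work.
KDF_ITERATIONS = 600_000

def derive_kek(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key-encryption key (KEK).
    The random salt defeats precomputed tables; the iteration count slows each guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)

def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC subkeys from one key (demo construction)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF, XORed over the data.
    Demo only: a real password manager uses a vetted cipher such as AES-GCM."""
    stream = b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or a modified blob is rejected."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or corrupted vault")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ciphertext)

def create_vault(master_password: str, entries: dict) -> dict:
    """Entries are encrypted under a random vault key; only that key is wrapped
    by the key derived from the master password."""
    salt = os.urandom(16)
    vault_key = os.urandom(32)
    kek = derive_kek(master_password, salt)
    return {
        "salt": salt,
        "iterations": KDF_ITERATIONS,
        "wrapped_key": seal(kek, vault_key),
        "entries": seal(vault_key, json.dumps(entries).encode("utf-8")),
    }

def open_vault(master_password: str, vault: dict) -> dict:
    """Derive the KEK, unwrap the vault key, then decrypt the entries."""
    kek = derive_kek(master_password, vault["salt"], vault["iterations"])
    vault_key = unseal(kek, vault["wrapped_key"])
    return json.loads(unseal(vault_key, vault["entries"]))

def change_master_password(old_password: str, new_password: str, vault: dict) -> dict:
    """Re-wrap the vault key under the new password. Because entries are encrypted
    with the vault key and not with the master password, their ciphertext is untouched."""
    old_kek = derive_kek(old_password, vault["salt"], vault["iterations"])
    vault_key = unseal(old_kek, vault["wrapped_key"])
    new_salt = os.urandom(16)
    new_kek = derive_kek(new_password, new_salt)
    return {**vault, "salt": new_salt, "iterations": KDF_ITERATIONS,
            "wrapped_key": seal(new_kek, vault_key)}

if __name__ == "__main__":
    # Constructed sample entry; any realistic vault would hold many of these.
    sample = {"example.com": {"user": "alice", "password": "correct horse battery staple"}}
    vault = create_vault("a long and unguessable master passphrase", sample)
    print(open_vault("a long and unguessable master passphrase", vault))
```

Two things to notice when running it: a wrong master password is rejected by the tag check before anything is decrypted, and changing the master password only rewrites the small wrapped key, not the encrypted entries. That second property is also why a recovery key held by someone else is dangerous: anyone who can unwrap the vault key can read everything.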
Password managers also include generators that create strong random passwords for you. Many show the relative strength of a password using something resembling the entropy calculation we saw earlier. Almost all have optional browser extensions that fill in login information on the websites you visit; this also helps against phishing, because the extension only offers a saved password on the site it was saved for. Most work cross-platform, so you can use the same app on your computers, tablets and mobile phones.
A useful feature found in some password managers is notification of password leaks on sites you use. When you receive such a notification, the password manager can help you change the password to a new one, preventing attackers from logging in with the possibly leaked credentials.
When choosing a password manager, pay attention to where the password database is stored and how the encryption keys are handled. Some password managers keep the passwords in a local database file, so you are the only one with access to it; depending on the software, you may be able to synchronise that file between your computers and other devices through a service such as Dropbox or iCloud. Others store the database on the vendor's servers. Here the key question is how the encryption and the encryption keys are handled: if a service holds the master encryption key on its servers, it (or anyone who compromises it) can decrypt your password database. Other services, such as 1Password, store the database either in a location of your own choosing (standalone version) or on their servers (subscription version), but in both cases you are the only one who has the master encryption key.
You might have noticed that a password manager creates an “all eggs in one basket” situation: if an attacker gets hold of your password database and can decrypt it, you lose all your passwords at once. Still, the benefits generally outweigh that risk. A password manager lets you use unique, long passwords that would be almost impossible to remember, so a single website breach does not put your other logins at risk. To protect the database, use a good, long master password; a passphrase (a series of several unrelated words) is an easy way to make it longer still.
If you’re worried about someone getting their hands on your credentials, you can usually use additional protection, such as multi-factor authentication.
Multi-factor authentication
Multi-factor authentication, or MFA, is when a user authenticates to a service using more than one factor. These factors are usually defined as:
something you know (knowledge, such as a password)
something you have (a possession, like your mobile phone or a physical token)
something you are (so-called “inherence”, like your fingerprint or retina)
The most common form of multi-factor authentication is two-factor authentication (2FA), also called two-factor verification. A familiar example of 2FA is a chip-and-PIN card payment: you use something you have (the card) and something you know (your PIN) to authorise the payment.
A username and a password together are still only one factor: both belong to the “something you know” category. Some sites still use security questions as an additional check, especially for password recovery, but that is yet another “something you know” rather than a second factor. Worse, the answers to those questions are often easy to find on the internet.
Multi-factor authentication adds protection to your login. You have probably seen breaches of websites you use, with usernames and passwords leaked on the internet. If you are not using 2FA, anyone with those credentials can access the account, and if you reused the password, every other service where you used it as well. If you have enabled 2FA, the attacker would also need access to the second factor to get in.
Common second factors include:
SMS (you need access to the phone number in order to log in);
one-time passwords (OTP), generated either by an app or by a physical token such as an RSA SecurID (a small device that generates one-time passwords);
security keys, for example a YubiKey or Google’s Titan Security Key;
push notifications (for example through the Google app or Microsoft Authenticator);
fingerprint or face recognition.
Be careful with SMS
While SMS is still the most commonly used additional factor, it is susceptible to abuse. Several attacks can bypass the protection SMS adds, such as SIM swapping, where the attacker convinces your mobile operator to move your number to a SIM card they control so that the codes are delivered to them. Criminals also use tricks that coax users into handing over their one-time codes in reply to unexpected requests, so the attacker can use the code in their own login attempt.
This social engineering attack can take the form of an SMS telling you that your account is under attack and that you need to enter the one-time password so the service can verify that you are the real owner. Another strategy used fairly often is a phone call from someone posing as a representative of your bank or another institution you trust, asking you to confirm your identity via a one-time password. They then attempt to log in to your account and forward the resulting one-time password request to you. The attacker can seem trustworthy, even warning you never to give your credentials to anyone (they already have them!). Remember: no legitimate bank, government or other official institution will ever ask you for your password, PIN or one-time code.
Another commonly used second factor is an authenticator app. Several apps provide the same service, so you can pick the one you prefer; most are multi-platform and run on most mobile phones and computers. The most widely used are Google Authenticator, Authy and Microsoft Authenticator, but there are many more. The app needs a seed value (a shared secret) from the server in order to generate one-time passwords; nowadays this is usually delivered by scanning a QR code with your phone’s camera. The seed itself never changes: the app combines it with the current time to produce a new six-digit code every 30 seconds, and the server performs the same calculation to check your input. Because clocks drift and typing takes time, the server usually also accepts the code from the previous and the next 30-second step, so each code works for about a minute.
Security keys
A security key is the most secure of the factors listed above. Using one is a bit more involved than an authenticator app, but it is also more robust. If your passwords and your authenticator app both live on your phone, losing that phone, or having it compromised, can expose everything that protects your accounts. With a security key, the second factor is a separate physical device that must be present in addition to your credentials, so losing just the device holding the passwords does not let someone log in. The private key is generated inside the security key and never leaves it: the key signs a challenge from the site rather than handing over a secret, and the signature is bound to the site's address, so it cannot be replayed on a look-alike phishing site. It's considered good practice to register a duplicate security key and keep it in a safe place in case you lose or break your primary one. Security keys usually also require a physical action, typically pressing a button, before they will sign anything; this stops malware on your computer from using the key without you noticing.
Passwordless logins
Passwords have many weaknesses. Users prefer memorable, weak passwords; passwords have to be stored somewhere, often not in a safe place; and once they leak, the login information can be misused, also on other sites if the password was reused. Cracking will only get cheaper as hardware gets faster and techniques improve. Passwordless logins aim to change this by using public-key cryptography: your device holds a private key that is never sent to the server, and the server stores only the matching public key. A leak of the server's database then gives an attacker nothing to log in with, since only the holder of the private key can answer the server's challenge. Microsoft’s Windows Hello is an example of a passwordless login.
Windows Hello can be unlocked in different ways, from a PIN code to a fingerprint or face recognition. That check happens locally on your computer and is never sent to the server. Instead, the PIN or fingerprint unlocks a private key kept on the device, which is then used in a cryptographic exchange between your computer and the server, and that exchange is what grants you access to the account or service.
Passwordless vs multi-factor authentication
Passwordless login can be confused with multi-factor authentication, as the end-user experience can be quite similar. With passwordless authentication, the system usually asks for some identifying information such as a username or an email address, and the authentication itself can use the same kinds of factors as multi-factor authentication. The difference is that passwordless authentication doesn’t require you to remember a secret shared with the server, such as a password. Even if you use a PIN code, which would be a terrible password, the PIN is never transmitted to the server; it only unlocks the cryptographic authentication locally on your computer.
After completing chapter 2, you should be able to:
understand what kind of data should be protected and what is okay to leave open
explain where and how you leave traces of data, and what it is used for
understand how to find your rights and responsibilities around the use of data
have a basic understanding of how to create a good password and strengthen your login security across your online accounts