written by
David Germany

Authentication Habits: Why? Oh, Why is your Password, "password?"

Exploiting poor authentication

Salutations everyone! In a previous blog I briefly mentioned how we are creatures of habit. We prefer convenience over security. And that is partly why so many attackers count on us to set up poor authentication, such as a weak password.

Today we are going to discuss why it is integral to have complex passwords in order to protect and preserve the integrity of our accounts. Please understand, this is not a shame party. On the contrary, this is an acknowledgement of guilt. Our goal is to help you stay protected. With that said, if your password is "password", for goodness sake, change it now!

Passwords are used for authentication: to prove that we are who we claim to be. Although stronger forms of authentication have been developed (e.g. biometrics or RFID badges), the most common credentials we are asked to authenticate with are still a username and password.

Why you want to change your password on a consistent basis

There are a myriad of reasons you want to change your passwords. But here are just a few:

Accessibility to your data

Imagine for a moment that a bad guy (or gal) is able to log into your account. They can see EVERYTHING you see. Do you have personal files you don’t want exposed? Personal pictures of little Billy taking his first steps? Or a video of Sally's first words? Or more adult unmentionables? Do you have work data that could damage your company if leaked? This thought alone should scare you into setting up a stronger password.

Ability to hijack your account

Hackers/attackers can take control of your account, send out malicious e-mails, send out your personal info, even post/edit random content under your name, with your reputation at stake. Attackers can essentially kick you out of your own accounts and make it extremely hard to take back control.

Advancement of sophisticated tools - Even a kid can do it

In the early days of computing and the world wide web, it took a programmer with a wealth of knowledge several hours, even weeks, to crack passwords or write code to conduct a successful attack. Those days are gone. With the advent of new technology, a teenager with no programming knowledge can run automated tools and conduct successful attacks.

Capitalizing on poor authentication

People tend to use the same password for more than one account. If I use the same password for my Facebook account as I do for my Outlook account, I'm in a bigger world of hurt, because I have widened the attacker's ability to wreak havoc. Well, what if I used the same credentials to log in to my computer or cell phone? Or the same password for my Starbucks account? Not only can the attacker see my files and saved videos or send out malicious emails in my name; the attacker can also enjoy a nice latte and destroy my reputation, while I foot the bill for that expensive cup of coffee.

Examples of popular passwords for 2016 – 2017

Using weak or common passwords for authentication is not a new phenomenon. According to a survey conducted by SplashData (a password manager and digital vault company), here are the top 15 most popular passwords of 2016 and 2017. Notice the disturbing pattern of recycled passwords.

From SplashData’s top 25 worst passwords in 2017:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou
  11. admin
  12. welcome
  13. monkey
  14. login
  15. abc123

From SplashData’s top 25 worst passwords in 2016:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234
  11. login
  12. welcome
  13. solo
  14. abc123
  15. admin

Source: https://www.csoonline.com/article/3244004/security/top-25-worst-most-insecure-passwords-used-in-2017.html

See also https://keepersecurity.com/blog/2017/01/13/most-common-passwords-of-2016-research-study/

I think my password was stolen. How did they do it?

There are several methods attackers use to retrieve passwords. Here are just a few of their tactics:

Attackers prey on human kindness.

Oftentimes, an attacker will act like a victim in the hopes that someone will fall for it. For example, an assailant may call a business office and say they have a big job or deadline approaching but forgot their password to log in. The victim (or target), feeling sorry for the assailant, will be more inclined to provide the password or whatever other information the attacker requests. Attackers seek to find a way to get the victim to empathize with them. In doing so, they let the target's guard down.

Attackers have an array of tools.

Even if an attacker never contacts you directly through social engineering, they can still get your password using password cracking software such as Cain and Abel or John the Ripper. These tools are designed to recover weak passwords by trying enormous numbers of candidate passwords against captured password hashes: dictionary words first, then common patterns and variations, and eventually every combination. The weaker the password, the faster it is recovered.

Attackers will resort to scare tactics.

Oftentimes, attackers will use a position of power (claiming to be law enforcement, a supervisor, an IT admin, or similar) in an attempt to scare the victim into providing their password. For example, an attacker may do a little recon to find out the name of a manager, then call the company claiming to be that manager and demand a password reset or that a password be provided. The victim, not wanting any trouble, will be inclined not to ask questions or bother to verify who the person on the phone is, and will just grant the request.

Attackers seek out your sticky notes.

When do you ever see sticky notes? What do they hold? You usually see sticky notes on desks at work. They tend to hold important information: notes, to-do lists, passwords, etc. Attackers know sticky notes hold valuable information, and these notes are usually present when a new employee is hired or a password has been changed and hasn’t been memorized yet. These little brightly colored pieces of paper may just hold a treasure trove of information for an attacker to exploit. And don’t bother hiding them under your keyboard. Attackers know to look there as well.

What should I do?

Now that I have thoroughly scared you, here are some steps you can take to protect the integrity of your accounts.

  1. Use passphrases instead of passwords. The longer your password is, the harder it is for attackers to work out what it is. Example of a common password: 123456. Example of a passphrase: Usunkmybattleship.
  2. Use special characters and symbols (aka leet speak). Mixing uppercase and lowercase letters, symbols and numbers makes it exponentially more difficult for attackers and their tools to crack your password. As an example, instead of using the word password, try P@$swOrd. Or instead of a passphrase like iloveyou, try !l0v3Y0u.
  3. Create a password in another language. The majority of password cracking tools use algorithms that easily detect English words. This is not the same for other languages. The odds of cracking the password letmein are exponentially higher than for its Spanish equivalent, dejameentrar, or its German equivalent, Lassmichrein.
  4. Use two-factor (2FA) or multi-factor authentication. If multi-factor authentication is in place, the password itself is useless to the attacker, because they will be prompted to verify by other means they likely do not have (e.g. a cell phone, a PIN code, or another factor).
  5. Use password generators/storage tools to create and manage your passwords for you. Instead of inventing passwords, you can use password generators that create them for you. You can also use a password storage application to keep all your passwords in a centralized location. 1Password and True Key are two examples of password managers.
  6. Do NOT use the same password for more than one account. It can potentially open the floodgates for an attacker to cause more damage.
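As an added example (not from the original post), here is a small Python check that a site could run at sign-up to enforce the advice above and counter the cracking tools described earlier: it rejects anything on the two SplashData lists quoted above, undoes the leet substitutions from tip 2 before the lookup (so P@$swOrd is still caught as "password", which is also why those substitutions only help when the base word is not already common), and estimates search-space size so the extra length of a passphrase from tip 1 shows up in the numbers. The 60-bit floor and the leet map are assumptions of this example.

```python
import math
import re
from typing import Tuple

# The 15 worst passwords from the 2017 and 2016 SplashData lists quoted above.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "1234567890", "princess", "1234", "solo",
}

# Assumed leet map: undo the substitutions from tip 2 so "P@$swOrd" is looked
# up as "password". Cracking tools apply the same mangling rules in reverse.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i",
                          "!": "i", "4": "a", "5": "s", "7": "t"})

def normalize(candidate: str) -> str:
    """Reverse leet substitutions and lower-case before the blocklist lookup."""
    return candidate.translate(LEET_MAP).lower()

def search_space_bits(candidate: str) -> float:
    """Crude upper bound on brute-force cost: length * log2(alphabet size).
    Dictionary words in any language are far weaker than this bound suggests;
    it mainly shows how much more length buys than a few extra symbols."""
    alphabet = 0
    if re.search(r"[a-z]", candidate):
        alphabet += 26
    if re.search(r"[A-Z]", candidate):
        alphabet += 26
    if re.search(r"[0-9]", candidate):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        alphabet += 33  # printable ASCII punctuation
    return len(candidate) * math.log2(alphabet) if alphabet else 0.0

def evaluate(candidate: str, min_bits: float = 60.0) -> Tuple[bool, str]:
    """Return (accepted, reason). The 60-bit floor is an assumed policy value."""
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "on the published worst-passwords list"
    if normalize(candidate) in COMMON_PASSWORDS:
        return False, "a leet-speak variant of a worst-passwords entry"
    bits = search_space_bits(candidate)
    if bits < min_bits:
        return False, f"search space too small ({bits:.0f} bits)"
    return True, f"accepted ({bits:.0f} bits)"

if __name__ == "__main__":
    for pw in ["123456", "P@$swOrd", "!l0v3Y0u", "Usunkmybattleship"]:
        print(f"{pw:18s} -> {evaluate(pw)}")  # candidates taken from the post
```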

How often should I change my password?

You should change your password at the first sign of suspicious activity (e.g. random files on your desktop, antivirus disabled, or add-ins in your browser that you never set up). Otherwise, passwords should be changed on a regular basis, even if you haven’t been compromised. Remember, strong credentials will not stop an attacker, but they can slow them down to the point where they give up and find easier victims.

Disclaimer

It should be noted that changing your password alone is not an effective security measure. Rather, it should be implemented alongside other established security controls such as anti-virus, firewalls, effective user access controls (UAC), encryption for data at rest and in transit, logging applications and a myriad of other tools.

Remember, complex passwords/credentials do not render an attacker’s tools or methodologies useless. But they demand more resources, more hours, and more effort than attackers want to spend. Finally, if you need assistance or advice, don't hesitate to contact us.

Citations

Singh, M. and Dutta, T. (2018). “The Most Common Passwords Of 2018 Might Surprise You.” Tech Viral. Retrieved from https://techviral.net/common-passwords-might-surprise/ [Accessed 21 Aug. 2018].

Smith (2017). “Top 25 Worst, Most Insecure Passwords Used in 2017.” CSO Online, InfoWorld, 19 Dec. 2017. Retrieved from https://www.csoonline.com/article/3244004/security/top-25-worst-most-insecure-passwords-used-in-2017.html

Keeper Blog (2017). “What the Most Common Passwords of 2016 List Reveals [Research Study].” Keeper® Password Manager & Digital Vault, 18 Jan. 2017. Retrieved from https://keepersecurity.com/blog/2017/01/13/most-common-passwords-of-2016-research-study/