
Why Your Passwords Suck

Password security is commonly overlooked; if you do not practice using strong and unique passwords, you are left vulnerable to hackers.


TOM: Alrighty then. I’m Tom Kirkham. I’m CEO and Founder of IronTech Security, and I do these every Tuesday. What “these” are, are Deeper Dive Quicklooks. Many of you may have seen one of our bigger presentations. They’re usually about an hour, sometimes a little bit more. They go over sometimes. But it’s about the whole cybersecurity world and how big this whole industry is.

In these Deeper Dive Quicklooks, we usually spend 20-30 minutes going through certain elements or just a part of the entire issues and problems and really increasing not only all of the things you need to be aware of that are out there, but how you can fight back. Every one of them, I think, you’re going to leave with actionable things that you can actually use. You don’t have to call us or anything like that.

I think the next to last slide will go over that. I think you’ll find some very interesting things in that last slide. Some of you are guinea pigs with the next to last slide. But don’t worry, there’s no personal information being divulged. But you know what it is? It is related – when was it when we actually went on the Dark Web? When was that, a couple of weeks ago, Kindsey, or 3 weeks ago?

KINDSEY: About 3, I think.

TOM: Right. We did one of these Deeper Dives 2 or 3 weeks ago, and we actually went on the Dark Web and showed how easy it was to buy software tools to breach websites, to buy databases containing personal information. I’m trying to think of what else is relevant to this. But it was obviously easy to do. It’s a bare minimum of technical skills necessary. If you know how to get on the Dark Web, you can make one more step over to being a criminal.

While I’m thinking about this, I do need to mention that the #1 concern everybody has to worry about now is ransomware, and just in the last month or so, North Korea has upped their game in numbers of attacks, and the maliciousness and viciousness that they do. They are not hesitating to not only encrypt your data on your network and extort a ransomware from you, but if you don’t pay the ransom, they’re going to extort money from you to not release the information publicly. And depending on what that information is, they’re probably just going to sell it to somebody else. Sell it to a criminal organization or another nation-state to do what they will.

But remember that a lot of the things that drive the nation-state of North Korea are about capturing U.S. dollars, because they desperately need it. Not so much Iran and some of the other nation-state threats, but especially North Korea, and they’ve dramatically upped their game. So just be aware of that. Be ever vigilant. That’s all I can say. Always be vigilant, especially dealing with emails. That’s the #1 vector for ransomware. Do not open an attachment unless you’re certain it’s safe to.

So let’s talk about why your passwords suck. The first thing we’re going to talk about – what are the threats around, what are the issues with having poor password hygiene?

There’s databases out there that contain your login credentials. We’ve all seen the big ones on CNN. Facebook suffered a breach a year or two ago. 300 million email addresses and passwords got out in the wild. Those are for sale on the Dark Web. 300 million. There’s other ones. Yahoo is notorious. I cringe if I ever have to go to a Yahoo site. If you’re using Yahoo or AOL as an email, that’s notorious for being a breach. I really recommend you change and get off that platform. Get on iCloud or Gmail. Just get off the platform, that’s all I can say. Switch everything over. I know it’s a hassle, but you need to do that.

Another issue that surrounds this – and you’ll see how all this comes together in later slides – you’ve got to worry about phishing and social engineering attacks; keyloggers, browser injectors, and other malwares; password attacks; and Wi-Fi monitoring. With Wi-Fi monitoring, if you go into a public Wi-Fi like McDonald’s or a hotel lobby, you’ve got to use a VPN. There’s dozens of them advertised out there. My personal favorite is PIA, but I know one of the guys in the office uses NordVPN. That’s a good one also.

But the main thing is to encrypt all the data between your computer and the hotel network and beyond, because otherwise somebody can sit in the middle, imitate the hotel Wi-Fi – and there’s no way you would know, by the way – and intercept all your traffic. If that connection is not encrypted, they can gather your credentials right there.

Then, once they steal your credentials – and the most common way is still going to be going on the Dark Web and just buying a database of a million or 100 million or whatever. There’s a price related to it, of course. Depends on the type of data to how expensive it is. If you’ve got passwords, it’s worth a lot more money than just email and maybe personal financial information or your physical address, your home address, whether you’re a homeowner. Really, the ones that are worth the most are username, password.

Remember, as you’ve heard me say 100 times, they attack at volume and at scale, and automatically. So by using credential stuffing, they’re going to take this stolen database and set up software to automatically try different websites out to see if that set of credentials will work somewhere else.

As an example, if you use the same set of credentials on Facebook as you do on your Amazon account, they’re going to find it. There’s been a recent survey that found out that using a million record database, as an example, that they bought off the Dark Web – and remember, this is done at scale; this is not a single human being sitting there and manually testing credentials. They can work with a million record database and test it against other sites because it’s all automated. It’s all a computer program. They make it simulate a human entering the credentials in. And all the time, they’re drinking coffee and watching television.

So what research indicated, using a million records bought off the Dark Web, the criminals are successful in finding matches of between 0.1% and 2%. Let’s just say it’s 1%. At 1% matches and a million records, that means they’re going to find 10,000 other websites that the same set of credentials work on. You use a set of credentials for Facebook, same set of credentials work for Amazon, same set of credentials work for, I don’t know, GrubHub. So now they’ve got access to 3 of your accounts.

If it’s email, you’ve got even a bigger problem, because what is the way almost in every instance – how do you reset passwords? It goes through email. If they’ve got access to your email, chances are they can get into your banking institution, your credit cards, all of this stuff, because email is really the keys to the kingdom in most places. Just imagine, 10,000 accounts on Amazon. You can do a lot of damage with that. And once again, it’s done at scale. Just don’t forget that. It’s automated.

Just to review, why do most people’s passwords suck? They’re reusing credentials. They’ve got very poor passwords. I meant to put a list in here of the 20 most common passwords, but you guys have probably seen it. I think #1 right now is “password.” If you’re using “qwerty,” that’s a common password. They use dictionary-based attacks if they don’t have a set of credentials. In fact, depending on what site they’re attacking, they’ll try a set of known good credentials for another site first, and then if that doesn’t work, they may then do a dictionary-based attack.

So if it’s a pet’s name or any type of word that’s available in the dictionary, they’re going to crack it. Like I said, depending on what they’re attacking, because it’s really hard to go up against Amazon and use that method. But if it’s maybe a company portal of some sort, and on the database, they know where you work and how long you’ve worked there, there’s a chance that they may use that information. Or they’ll sell it to another group that specializes in just exactly that type of attack. They may sell that database to a group that says, “All we want are people that work in this industry, of this company size.” Then they can do some direct social engineering or dictionary attacks against the company’s portal.

Another reason that passwords suck, often, is no one has a system to create secure passwords, and no system to create unique credentials. So not only do they have to be secure passwords, but they’ve got to be unique.

And then finally, it’s a very low use of MFA. That stands for – oh wait, we’re going to get to that. Sorry, I got ahead of myself. It stands for multi-factor authentication, but we’ve got another slide on that coming up.

So what are the solutions? Never use the same credential set on multiple websites. I think I’ve stressed that enough. Don’t use poor passwords. Do use a cloud-based password manager like 1Password – which is my favorite, by far. LastPass is very popular. I’ve used them both, and I used LastPass for a long time, but I think 1Password is better. And finally, use MFA whenever possible.

What is multi-factor authentication? You’ve probably got some experience with this. It is any third piece of credential that you’re required to enter to get you to log in. It’s usually got a time base. Sometimes it’s 5 minutes, sometimes it’s 30 seconds. Just depends on what it is. But it’s that third piece. Your banking typically uses little hardware dongles where you punch a button and it gives you a 6-digit number or whatever. Most of the banks are switching over to software-based, using an app that you put on your phone. So then you just pick your phone up and hit the button and it’ll show you the code.

A lot of them are pushing out text messages. I’m trying to think – there’s somebody that I use that pushes a text message. Oh, PayPal. PayPal pushes out a text message. But it doesn’t matter as long as it’s multi-factor, 3 different factors. My bank on one of my portals that I log into actually uses 4 factors. And sometimes you hear this as 2FA or 2-factor authentication. They’re both multi-factor.

There’s the logos for each of those if you want to look it up after the webinar, but like I said, Google Authenticator – it’s very common and it’s a good tool. 1Password also does MFA. With 1Password, not only do you have the creation of the complex password, but it also stores it and you get to the point where you don’t even care what your password is because it’s always available in 1Password. But you can also put that MFA in there.

Any site that supports Google Authenticator is also compatible with 1Password, and others too, like Authy. I didn’t throw the logo up there. In fact, I haven’t seen any MFA tool that’s not compatible with Google Authenticator. So just because it says Google Authenticator, doesn’t mean you can’t use something else with it. And 1Password is brilliant in the way they allow you to automatically enter those 3 sets of credentials.

Duo is a unique one. If the website or the application supports Duo, Duo will actually push a notification to your phone, and all you do is push a big green button that says “OK.” It’s really, really neat. You can use Duo as an MFA tool, but it doesn’t do password management. So for MFA, I would rather use 1Password, and then use Duo only on the places that support Duo.

Don’t forget, just about any website of any size supports MFA – Amazon, Facebook. Your bank account should, your online access from your bank should. But they make it optional, so you may have to log in and look at your profile settings or security settings and then turn it on, and then it’ll prompt you to scan this barcode, typically. If you’ve got the 1Password app on there, you just scan it into 1Password and then it saves it and creates it on the fly.

Now, what makes MFA so cool from a security perspective is let’s say you’re watching CNN and they report that Hilton.com just revealed that they’ve lost 500,000 Hilton Honor members’ credentials. They’ve just been breached. Well, I’m a Hilton Honors member, so I’d go, “Uh-oh, I’ve got to fix that right away.” Let’s just pretend I reuse my credentials. I don’t, at all, but let’s just pretend. “Oh gosh, now it’s panic mode. I’ve got to change that password and username on all the other sites that I’ve used the same credentials in.”

But if I’ve practiced and made 100% sure that all my credentials are unique and I’ve turned on MFA, I’m not in a big hurry to change my Hilton password. Because I know that without MFA, even if they’ve got the username and the password, they can’t log into that account. And because it’s unique, they’re not going to be able to use it anywhere else. It makes it useless, having a unique set of credentials everywhere else.

So 2 things to take away: always have unique credentials for every single login you have, and use MFA wherever possible. And the best way to do both of those things is a password management tool like 1Password.

Anyone have any questions? Because I can tell you what I hear sometimes. No? I find that hard to believe.

Here’s what I hear. We went through this 3, 4, 5 years ago in the company. Actually, longer ago than that, but anyway. “It’s a hassle. I’ve got to use a password manager. It’s clunky. It’s time-consuming. It’s a pain.” If you really dedicate yourself and you really understand how important it is to use a password manager, you find it just becoming one of those things that you do, like putting your seatbelt on. It’s just something that’s part of normal practice. You have to do these things to protect yourself personally, to protect who you work for, protect your family. It’s just a thing you have to do these days. Unique credentials and MFA wherever possible, and the only way to do it practically is with a password management tool like LastPass or 1Password.

And that’s the second one I was going to bring up. “What if 1Password gets breached? Password managers sound dangerous.” They do, and there is an outside chance that one could get breached. However, I don’t want to get into the technical details too much, but most of these password management tools never have unencrypted data at rest. What that means is it’d be very, very difficult to just do a data breach like Facebook and get credential sets.

They’ve also got a number of other safeguards, but perhaps the most obvious thing you have to remember is that they’re in the security business. It would absolutely ruin a password manager company if they got breached with credentials. I was using LastPass when they suspected a breach, and they sent out email after email, doing a post mortem and running down the security story and figuring out exactly what they got to, where they got to, and they in detail described what played out, what level they got to, what all they do and are doing if needed to address the situation. That’s their business. That’s all they do, for the most part.

So in the absence of using a password manager, I dare say that you’re more at risk because you’re not going to create complex, unique sets of credentials. And if you think you can just by putting a notepad on it, then you’ve got the whole worry about what happens if your password notepad falls out of your pocket in Walmart?

The bottom line is – and I’ve thought about this for 20 years, and I reevaluate this from time to time – but the bottom line is, the risk of a password manager being breached and causing damage compared to any other method is almost infinitesimal. You’re much more likely to create an unsecure environment by not using a password manager.

Any other questions? Thanks for that, by the way. I hear that a lot. And I wondered about it a long time myself. “What happens if LastPass gets breached?” Incidentally, I don’t think any of them that I’ve seen – I don’t know of any of them that have actually had a damaging breach. Certainly not in the last 10 years.

So if there’s not any other questions, I’m going to go to this and we’re going to talk about a little experiment that I did. I looked at the registration list for this webinar and tested most of the emails for each of you.

Attendee #1 had 6 breached sites, including 1 of those that was known to contain passwords. What they do is go out and scan the Dark Web. That’s all they need, just your email address. It’s public information. And anybody can get this. It’s not like I did something evil or anything like that. If you go to haveibeenpwned.com, without the “a” – and that’s what I used to do this – you’ll see what the site is and what kind of information they have about you, and whether or not they have the password.

Attendee #2 was great. They only had 1 breached site.

#3, there was 10 breached sites, which included credit status, income level, net worth, and financial investments.

#4 had 2 breached sites, and one of them, myfitnesspal.com, included the password. So whoever you are, if you’ve been on myfitnesspal.com – even if it’s 3 years ago – I can’t remember when the breach occurred. I think about 2 or 3 years ago. If you don’t use unique credentials, or this password and email combination matches up with any other account, you’ve got to change them all.

#5 had 7 breached sites. 3 of those had passwords.

And finally, the last one that I checked, there was 10 breached sites with various forms of personal identification information. These are all things like street address. Some of the others also had financial information. Phone number in some of them. The company you work for, perhaps your income. But this one also had 5 of the breaches contained passwords.

So if you go to haveibeenpwned – and I encourage everybody to go to that site. All you’ve got to put in there is your email. It’s not a good complete scan. It costs real money to do in-depth scans. But at least it’ll give you an idea. We’ve actually done one that had a million. If I do one of my old email addresses that I still have an alias for against it, there’s like 20 something.

I will say about half of you that went into this webinar were clean. But remember, you’re only checking one place. The check that we use for clients – I don’t know if they use this particular database. Most of them offer subscriptions. I’m not sure I would worry about that too much. You should be able to get that with your security awareness training package. I know that’s the way we do that. But there’s a lot of ways to do it.

But that gives you – this is what I call an eye-opening event. Once you do it yourself especially. And you can put your Gmail address. I know some of you in the webinar have the company email in there, but use your personal email as well and check it. Do both of them and make sure you’ve got it in there.

All right, I’ve got a question here. I want to answer that live. “How do you cancel an old email address?”

Some of the email providers allow you to remove it, but if we’re talking about credential reuse, whether it’s an old email address or not, that’s not the problem. The question is, did you use that old email address on websites and then reuse a password? Even if it’s an old email that you no longer use, that’s irrelevant. What websites was it used to get the login set up, and what password did you use? In the case of reused passwords, if you use that old email address and then a password that you used all the time 10 years ago – this wasn’t a big problem 10 years ago. That’s why I’ve got so many.

But if you use that old email address with a password that’s your pet’s name with “123” on it or whatever, and you use that on a whole bunch of other sites, that’s the issue when it comes to security. That’s the thing you have to deal with. So test all your old email. In fact, test all email addresses that you’ve ever had to make sure that it’s not part of a data breach. I think you may be surprised. Especially if you use that old email address to log in. So be sure and check that as well.

As far as cancelling it, just quit using it. The websites, I think some of them have ways to deactivate the account or delete the account after a period of time. Just depends on what it is. You’ll have to look at the actual email provider for that.

Any other questions? All right. I’m going to wrap it up. Kept it at 30 minutes. Just as a reminder, we’ll be happy to answer any questions or concerns about your network or security. Just give us a call. We’ve still got available a 30-day trial of our security awareness training. You can reach us through email at sales@irontechsecurity.com.

What’s the topic for next webinar, Kindsey?

KINDSEY: It is “Privacy = Security.”

TOM: Oh, that’s directly related to this one. We’re going to talk about privacy and security and why they’re both equally important, and why you’ve got to do one with the other one. Hope to see you next week, and thanks for taking time out of your day for going over this credential security.