Input: Safer Password Practices

Credits CC, Carol, Megan Last Updated 2015-05

In this Input, participants and trainers will together review the implications of a compromised password, how they are commonly compromised, and how to create stronger passwords and develop better password habits.

ADIDS Element

Input

Parent Topic(s)

Creating and Managing Strong Passwords

Duration

30-45 minutes

Have feedback on this content? Does something need updating?

Leave a note anywhere on this page - look for the Hypothes.is toolbar in the upper right-hand corner.

Have content you'd like to share with other trainers?

Email us at levelup@riseup.net (GPG public key here) or read our guide on Contributing to LevelUp.

 

Materials to Prepare

  • Have a current list of the the most common passwords ready to share - example from 2015
  • Whiteboard or flipchart paper, and markers to take notes. Don’t erase anything from this exercise if using whiteboard, so participants can refer to the outputs during the Deepening session
Trainer’s Note

The definition of what makes a strong password “strong” changes constantly, as craking (or “brute-forcing”) longer and more complex passwords becomes easier and cheaper. As such, trainers need to alter their approaches accordingly, keeping in mind to mention this to participants as a means of explaining the important of regular changes to user passwords. In addition, trainers will differ on what they consider the best parameters for a strong password, which may deviate from the advice given in this Input.

It’s highly advisable to avoid using any sort of “online password generator,” since these can be sites that simply document the passwords that users generate. Similarly, be sure to recommend to participants to not enter any of their actual passwords into online sites that promise to “test the strength of your password” for similar reasons.

Input Content

Because passwords can sometimes be a boring topic to cover, and can easily become a lecture-dominated session, it is important to solicit responses with questions to participants, and to take notes as discussion progresses. Encourage further discussion by sharing any talking points you consider crucial, that aren’t generated via participant input.

Step 1: Why are Passwords Important?

  • Passwords provide access to a number of crucial important accounts such as email, banking accounts, social networking sites, etc.
  • These accounts often contain sensitive information, and also allow us to “be ourselves”, permitting organic interaction with others using various digital services - this might entail sending a social networking message, sending an email, making an online purchase, etc.
  • They may also allow us to appear to be others - anyone with access to an account password can, in effect, act online as if they were the account owner.
  • Passwords also provide access to a number of other things - Wi-Fi access points, unlocking mobile devices, logging-in to computers, decrypting of devices, files and more.

Step 2: What Can Happen if Your Password is Compromised?

  • Important information or files could be stolen (copied) or deleted; if they are stolen, you may or may not realize it immediately. This could be anything from sensitve documents and files, to address book contacts and email messages.
  • Money and other funds could be stolen or spent, via access to credit cards or bank accounts.
  • Email or social media accounts could be used to send spam, or used to impersonate you or your friends, family, and colleagues.
  • Account access could be held in exchange for a form of “ransom” - this could include money, access to contacts, or access to other accounts.
  • Someone with a password could use this access to monitor communications and activities without your knowledge.
  • Access to your email could set off a “domino effect” where it is used to reset passwords to other accounts by requesting password reset links, eventually locking you out of many other accounts if the password remains unchanged.

Step 3: How Are Passwords Commonly Compromised?

  • When they are shared with others, or stored in an easily discoverable way - a commonly seen example is a computer login password written on a post-it note, and then stuck onto the same computer or nearby.
  • When someone witnesses a password being entered on your screen and writes it down, or remembers it.
  • If using an email client without SSL session-wide, only at the login page, this leaves passwords and other information vulnerable as they are visible by anyone with access to the connection after logging in.
  • A device is physically accessed, and passwords are able to obtained through “Save My Password” or “Remember Me” settings saved on websites via a browser - this is especially possible if full-disk encryption isn’t used on a device.
  • Malware, such as a keylogger which can document every keystroke on a device and send it to a waiting third-party, can reveal not just passwords but potentially a great deal more personal or sensitive information.

Social Engineering

Social Engineering is a tactic frequently to exploit human vulnerabilities, which typically involves impersonating a user to a company to have your password reset, as seen in this example case. - Phishing and spear-phishing are common examples of social engineering. - Resetting a password by correctly answering the “privacy questions” for an account, using personal information available online, is another example. - This is how a number of celebrities and other high-profile accounts have been “hacked” in recent years, but not only celebrities have information about personal “answers” available online.

False Account Alerts

Sometimes users receive notifications, from social media sites or other online services, alerting “You’ve had your account hacked” or “Someone may be attempting to access your account” - these can mean a number of things: - Sometimes it’s completely out of a user’s control, and a service or a company has been compromised with your username, password, and (sometimes) other information falling into the wrong hands (this has happened with LinkedIn and Twitter, most notably). - Another possibility is that the email is not actually from the site or service it claims to be, but rather is a phishing or spear-phishing attempt, where a third-party creates an email that looks exactly like one that might be sent by a website asking users to “reset” their passwords - in reality, the current password entered will be captured and then used to access your accounts. - It can also mean that you’ve been specifically targeted, and someone with enough incentive and resources wants access to your account enough to try to break into them, or hire someone to do so.

Brute-Forcing

People trying to brute-force passwords use a number of tools to attempt to access many passwords at once, or just one, as opposed to using social engineering or a phishing attempt to trick users into revealing them. There are two important tools frequently used for this purpose: - Word lists or Dictionaries, which are used to create guesses based on words commonly used in passwords, which make brute-forcing more efficient. Even worse, these lists are commonly available for free, or sold online. - Computing power, which can be harnessed in order to run as many guesses per second as possible - as computer processing power improves and the cost becomes cheaper, effective passwords need to become longer and complex in different ways.

Those that are competent at compromising passwords, such as those using a word list or dictionary attack, will first try these common tactics which, unfortunately, are frequently successful: - Using the most common passwords, used by most people in the world, as entries on their word list. - Customizing their word lists to whomever they are targeting, to include words in their language, relevant places, names, and dates. - Including password guesses that substitute common numbers and symbols for particular letters, such as “0” (zero) as the letter “O”, “4” for the letter “A”, “$” for “S”, etc.

Step 4: How Can We Make Our Passwords Stronger?**

Most of the advice on passwords will have to do with the complexity of characters involved, and how to avoid a combination of words and letters that are easily guessed; however, equally crucial is the length of a password. No matter how complex a password is, if it’s short, it can be guessed in a similarly short period of time regardless of its complexity. Therefore - the longer, the better. - Length: We are still often told that a password needs to have at least 8, but 12 is a strongly suggested minimum, and 20 characters is even better. - Complexity: We are told to use a password that’s alpha-numeric, using upper and lower cases, with special characters. This is one approach for creating a 12 character password. - Change Regularly: Regularly change your passwords, particularly for your most sensitive accounts. Definitely change them if you get an authenticated (not phishing) email telling you that a particular service has had user accounts and passwords compromised. - Think pass-phrase, not password! In the appropriate context, a helpful aid could be [this comic from XKCD] (https://xkcd.com/936/) on Password Strength, to illustrate the true strength of a passphrase versus password.

Creating a Passphrase

Try not using words that are commonly found together. A new trend in password cracking is pulling words that frequently accompany each other, in phrases from wikipedia and other sites (in various languages), and compiling word lists from these for cracking long passphrases.

Another technique is to use a sentence, pulling the first letter from each word in a long phrase or sentence; for example, “Organizing and Leading Trainings is Hard Work, but Worth It!” becomes the pretty difficult to guess “OaLTiHW,bWI!”). Also, typos can be your friend! In a passphrase, if a password dictionary used to guess passwords is using correct spellings, a typo in a word can help reduce the chances of it being guessed.

Again, don’t use the most common passwords, and don’t reuse passwords, especially for your most important accounts - these are the first thing that an adversary will try to use or guess.

Step 5: Why Don’t More People Use Strong Passwords?

Remember that, both in this training session and increasingly in many other resources (and even in the media), users are being told that the best passwords they can create to protect themselves are also the hardest to remember. - The number of passwords that we must regularly maintain is growing quickly, and isn’t showing any sign of slowing down. - We now have so many passwords, and are adding more every day. How are we supposed to remember all of these strong and hard to remember passwords? - When participants raise the point that it quickly becomes “too many to remember!”, then take the opportunity to identify password managers (such as KeePass) as crucial aids that can help support more sustained use of strong passwords. Remind them also that the next portion of this session will cover these helpful tools.

Common Myths and Misconceptions

Use this time to go over with participants some of the most commonly misunderstood advice, and popularly held “myths”, about using strong passwords and managing different user accounts online:

Myth: Account Privacy Questions will keep my password and account totally safe

The personal privacy questions many accounts frequently allow or require users to setup are offered as an alternative means of verifying your identity, and as a way to unlock your account should it be compromised. The types of questions provided are, frequently, ones for which the answers could very easily be guessed; it’s surprising how many correct answers to these questions can be found through a simple Google search. A good workaround, when asked to provide answers to these personal “privacy questions” that are used to authenticate you as well as allow you to reset your password, is to consider not answering them truthfully in a way that you can remember.

Myth: Account Lockouts protect me!

Many systems - primarily online accounts for most average users, along with PIN codes - will lock out after 3+ incorrect login attempts. While this can add some protection for those trying to access your account, this isn’t full protection. If someone wants to gain access to an account badly enough, and has the resources to do so, they might be able to obtain an encrypted version of its password (called a hash), decrypt it offline (by conducting billions of of mathematical comparisons/guesses per hour, depending on the computing power they have available), and then log into this account without getting locked out using a pre-cracked password.

Myth: Using non-English words will make my password secure.

If an adversary has enough of an incentive and the resources to target you for your password to access your accounts, they will probably know quite a bit about you, including what language(s) you speak. When they (or someone they hire) attempts to brute-force your password, they will put words relevant to you in the word list they use to “guess” your password. This is likely to include words in your primary language and words particularly relevant to you, such as names of family members, locations (where you were born, where you’ve lived or traveled), and dates (e.g., your date of birth, when your child was born, when you were married).

Step 6: Closing Remarks and Reminders

Passwords are primarily tools for accessing information, from the point of view of the services you use them for, which is one of the most fundamental properties of information security. This is often confused with authentication - proving that you are indeed the same person who owns the account; because your password can be given or taken and used by someone else, this means they are a weak form of authentication but a relatively stable form of controlling access.

A Note on Two-Factor Authentication

If you or your training participants are individuals at high-risk of being targeted by an adversary with resources, who wants to access accounts and their information, using two-factor authentication for services that offer it is highly recommended. Google, for instance, has stated that the use of two-factor authentication has drastically reduced the number of compromised accounts.

Further services, aside from Gmail and other Google tools, offering two-factor authentication include Facebook, Dropbox, and Twitter. This website, TwoFactorAuth is an excellent tool for looking up accounts and services that currently support two-factor authentication.

It is important to use extreme caution, when using two-factor authentication systems that rely on text messages. Recent research has indicated some popular sites, such as Facebook, being compromised by intercepting the verification codes contained within such text messages (which are not sent in any kind of encrypted format). Additionally, if you travel often and change your phone number when you do, it is important to note you can be locked out of your computer if you are not using an app like Google Authenticator.