A few years ago, I wrote a blog about why enterprises don’t care about the 10,000 worst passwords. The reason is simple. Not a single one of those passwords met typical length and complexity requirements. That means that an employee can use the same password everywhere and it probably isn’t their corporate password. If it is, at least they may be using better passwords elsewhere too. However, that’s no consolation when a password is phished or leaked in data breaches.
Welcome to the 8.4 billion password dump! WOW!!! But what does it mean? No really, numbers are data, but it takes analysis to turn data into information. Let’s start with what that number means. Incidentally, the TEDx talk I’m about to link to is a must see if you are going to give a TED talk. It’s all about nothing. For now, skip to to 2:20 into this video for the relevant part.
The dumped passwords are in plain text. This means that the likelihood is that they are quite old. Most sites have moved on to encrypting passwords, but even at that, as we learned from LinkedIn, bad hashing is essentially plain text. At that, once LinkedIn learned of the breach, they forced users to change their passwords. This is a common practice. A few years ago, Comcast denied having been breached, but couldn’t explain how the password that I only used for one account was comprised. Recently an extortion attempt landed in my inbox. The attacker had my email address and my old Comcast password. Comcast had forced me to change the password years ago and so no big deal if it’s in the list. Besides, they’ll never guess I changed the last character from 9 to 8. Hey, nobody said anything about not decrementing passwords 😊
But this dump is unusual in that some passwords were up to 20-characters long. While not conclusive, it would tend to indicate that some passwords were used in corporate environments. Unfortunately, I have found no indication of how fresh any of the passwords are.
Your foe isn’t the 10,000 worst passwords, it is a dump that undoubtedly contains some very strong passwords. 8.4 billion is, after all, greater than or equal to uh-oh. But you can do more than have users change their passwords; you can future-proof against password breaches.
As mentioned before, 8.4 billion is a number. “What does it mean?” is information. What can you do about it is actionable information. So, what’s the call to action? War. A holy war. Bring out the Predator drones, it’s gonna get ugly. It’s the battle of the password manager debate. Password manager? Them’s fightin’ words.
A riddle: If you have one egg and you need to keep it unbroken, how many baskets can you put it in? Yeah, one. You have all of your egg (not eggs) in one basket. That’s essentially the case against password managers. It puts all of your eggs into one basket, but it makes the questionable assumption that there’s more than one egg. Given the scourge of password reuse there may only be one egg; and it’s not even protected by a strong password.
The Case For Password Managers
Password managers simplify the task of creating and using unique passwords for every site; and that’s a big win. Additionally, your basket, I mean password manager, can be secured with the use of an authenticator app. But authenticators are outside the scope of this blog. I’m sure that all of you IT professionals know that “out of scope” is defined as “haven’t got a clue” on page 42 of the IT Professional’s Guide to the Universe. Actually, I do have a clue, but the topic is outside the word count of this blog, so it will be the subject of another blog.
Here’s the catch about password managers. Many users perceive password managers as only being good for automatically filling in usernames and passwords. Not understanding that autofill is the sizzle and not the steak, they get upset when autofill doesn’t work. Autofill doesn’t always work, and as such, users need to be taught that the purpose of a password manager is to be able to create strong, unique passwords for each site. If you have to copy and paste sometimes, then it’s a small price for far stronger security.
Protecting the Password Manager AKA Piglet Knows More About Passwords Than You Do
Let’s talk about the construction of titanium alloy baskets. Here is how you fortify a password manager basket. First of all, you teach users how to create a super strong, and super memorable master password to protect their password manager. That’s another blog, but here’s the synopsis. Be silly. My go to example is “piglet is one cute little dude.” Don’t use that one for a password, but the idea is simple. Create a silly sentence, write it down a few dozen times to make sure it sticks, and destroy the paper. Typing isn’t as good for remembering as writing, so write it down and then destroy the paper, or railroad car you just tagged with your password. Also note the even though the password is all lowercase letters, the length makes it incredibly strong. Silly make it amusing to type in the password.
The second component of the titanium alloy basket is an authenticator app. Even if the master password has been compromised, the authenticator is a super strong second layer of defense. But… you may have to teach users how to use authenticator apps. I resisted authenticator apps for a long time, but Graham Cluley threatened to leak the password to my smart washing machine if I didn’t start using one.
So yeah, having multiple eggs in one hardened basket is 8.4 billion times better than putting one egg into a tissue paper basket.
Randy Abrams
Senior Security Analyst
SecureIQLab