Password Security and how to not get pwned online

A place to discuss online security

Post by grumpygrower » Wed Sep 11, 2019 10:03 pm

Password security is at the front line when trying to protect yourself online. When people think about password security, they normally think of a long, complicated password. Test this out for yourself by asking your friends to write down what they think a secure password is and I guarantee that most of them will do the usual mess of alphanumeric characters with a sprinkle of special characters to make it extra difficult. Now, that might be a secure password, but remembering it becomes difficult for starters. Then entering it into anything you need to log into is also a pain. If security becomes inconvenient then it gives you the incentive to drop your guard for convenience. Hackers rely on this to crack your passwords. There’s another way of thinking about the problem though. I will explain later but first, let’s take a quick look at how someone might obtain your password in an encrypted form.

Websites all over the internet are targeted by hackers 24/7. It doesn’t take long for someone to find your site and start hacking away. Website owners will have you believe they take your security very seriously and do everything to protect their site but trust me, that’s not always the case. On top of that, hackers find bugs and loopholes in software daily. When these are discovered, they are called 0day bugs. Hackers find these and then keep them quiet while they use them to extract data, then sell them on the dark web for cryptocurrency. It’s at that point they normally go public and fixes are rolled out. On top of that, there are a plethora of tools that are free and allow hackers to quickly scan websites looking for holes in the software, making it possible for the average geek to hack some quite complex services. And that’s just the small time guys; if we’re talking about three letter agencies, they have a whole load of tools at their disposal. What I’m trying to get across is, you’re never secure online. Let's take this forum; it's based on phpBB. Now check this list of previously discovered vulnerabilities. Most of those were a 0day at some point. Hopefully Admin won't be upset I used this BB for an example :)

With all the laws now like GDPR, companies have to be compliant. Long gone are the days of credit card information and clear text passwords being stored in a database. Considering that, once they’re in, they normally go for usernames and passwords. Passwords are normally stored using some sort of cryptography. Due to the number of data leaks, most software enforces that the password is stored encrypted. That doesn’t stop the hackers though. They have many options available to turn that encrypted hash into a clear text string. They can use GPUs (graphics cards) to run sophisticated attacks against the encryption and run brute-force attacks against the data. This can be done offline and with the right equipment and determination, you’d be surprised how many they manage to crack. If you’re a gamer, you may know what an Nvidia GTX 1080 graphics card is. Using that GPU with Hashcat, an attacker can try 4,300,000,000 passwords a second against SHA-256! Team that up with a decent password list and fuzzer and you’d be surprised how many passwords they can crack.

Those credentials are then sold to others or used in credential stuffing attacks across the globe. Credential stuffing is where they fire thousands of usernames and passwords at websites (normally retail) and if you have an account on another site with the same password, they can log in as you there too. This is why it’s really important to use different passwords for different things. Anyway, I’ve waffled on enough about how someone might attack and do nefarious things. Please remember, this is a dulled down, simplified version just to explain to non-technical folk how an attack might go down in the wild. There are many ways to get pwned.

Password entropy

Passwords don’t have to be difficult to be secure! What a human would consider a secure password, a computer would not. XKCD has an excellent cartoon illustration about this.


There’s an easy formula I like to use that creates great passwords that are easy to remember. I’m giving away my secrets now but I don’t mind if it helps protect just one person. Choose a random phrase that consists of 2 to 6 words. Let’s say something like “oldmothergoosedancesstrange”. Please don’t use this as your password !! :D I also like to choose one out of place word but let’s keep things simple. Next, I add some randomness like so: “0ldMoth3rgoosedancesstran£e”. That password is 27 characters long, has upper and lower case characters as well as numbers and a special character, and it’s easy to remember! Try one yourself, you’d be surprised how well this works, even for a stoner :)

As a side note, if you do plan to change your password, why not see if your password has already been hacked by going to this site and typing it in. DON’T DO THIS TO PASSWORDS IN USE! They’re probably not even storing the passwords you enter but you can never be sure.

Check your email here (safe)
Check your password here (Unsafe!)

Password managers

Password managers make it very easy to use different, strong passwords for all your accounts. I highly recommend you use one. Some free, good ones are KeePass and GNU Pass if you’re on Linux. KeePass is probably the easiest to set up and use. GNU Pass requires you know a little about GNUPG and GPG. KeePass also has some cool plug-ins like browser plug-ins that will automatically fill in your login details etc. Makes being secure a doddle, right? Then, using the password guide above, create one master password for use with KeePass.

MFA/2FA and security keys

Multi-factor authentication is a great way to add an additional layer of security to your valuable accounts. All it really means is that you use more than one method to authenticate to a service. There are several methods used, like email/SMS based authentication, services like DUO that offer a number of methods to authenticate, and one-time passwords. Let’s discuss the latter!

Time based one-time passwords

These normally come in the form of an application that you install on your phone. They use network time and a bit of maths to generate one-time passwords that can be used to identify you. These are cryptographically secure so can’t be reversed easily. One you’ve probably heard of is Google Authenticator. There are others available and all use the same cryptography under the hood.

Hardware authentication devices

These normally come as a card or USB key but do come in many forms. Some talk over Bluetooth and others can talk NFC and USB. I’m only going to cover one here and that’s Yubikey. You can do some research to find others. Yubikey is a hardware authentication device that can talk in several protocols. HOTP, TOTP, U2F are the main ones but it can also store GPG and all sorts of clever tricks. They come in USB form and have a touch button that you have to press to authenticate yourself. Lots of sites are now supporting U2F via the FIDO2 protocol. Check them out here

I hope you enjoyed this article and have learnt something. If you have questions, or want to know more on one or more of the subjects I’ve touched on above, please reach out here. Here are a couple of YouTube videos from Computerphile explaining some of the topics here.

Password Cracking
2FA/MFA
Password managers
Password entropy


And as always, stay safe!
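An added worked example, not part of grumpygrower's post: it takes the 4,300,000,000 SHA-256 guesses per second figure quoted in the post and estimates how long an offline crack of the passphrase style the post recommends would take under two attacker models. The brute-force model assumes the attacker knows only the length and character classes; the passphrase model assumes the attacker has guessed the word-based scheme and tries combinations from a word list. The 7,776-word list size (the size of a Diceware list) and the handling of substitutions are assumptions made here, not figures from the post.

```python
"""Added example, not code from the original post: password entropy and
expected offline cracking time at the rate quoted in the post."""
import math

# Rate quoted in the post for one GTX 1080 running Hashcat against SHA-256.
GUESSES_PER_SECOND = 4_300_000_000

# Assumption: the attacker knows the passphrase is built from common words and
# tries combinations drawn from a 7,776-word list (the size of a Diceware list).
DICTIONARY_SIZE = 7776


def charset_size(password: str) -> int:
    """Alphabet size a character-by-character brute force must cover.
    Each class present in the password adds its whole class to the search."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation; a character like '£' counts as a symbol here
    return size


def brute_force_bits(password: str) -> float:
    """Entropy if the attacker knows only the length and the character classes used."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(num_words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Entropy if the attacker guesses the scheme: N words drawn uniformly from the list.
    Substitutions such as o->0 or e->3 add only a few bits, so this deliberately
    ignores them (a pessimistic, defender-side estimate)."""
    return num_words * math.log2(dictionary_size)


def seconds_to_crack(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time: on average the password is found halfway through the space."""
    return (2.0 ** bits) / 2 / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that fits, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def compare(words: int, password: str) -> dict:
    """Both attacker models for one passphrase; the weaker model is the one that counts."""
    return {
        "brute_force_bits": brute_force_bits(password),
        "passphrase_bits": passphrase_bits(words),
        "brute_force_time": human_time(seconds_to_crack(brute_force_bits(password))),
        "passphrase_time": human_time(seconds_to_crack(passphrase_bits(words))),
    }


if __name__ == "__main__":
    # The post's own do-not-use example: four words, 27 characters.
    for n in (2, 4, 6):
        print(f"{n} words from the list -> {human_time(seconds_to_crack(passphrase_bits(n)))}")
    print(compare(4, "0ldMoth3rgoosedancesstran£e"))
```

The two numbers for the same string differ by more than a hundred bits, which is the point of the XKCD cartoon: strength depends on what the attacker assumes about how the password was made, not on how messy it looks. Against a fast unsalted hash at this rate, two words from a list fall in well under a second and four words in a few days, while six words are out of reach, which is why the upper end of the post's 2 to 6 word range is the one to aim for.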


Post by Bulls » Thu Sep 12, 2019 11:38 am

Mate, that's an amazing write up! I've actually read it all, and learned lots. Luckily I've always used a combination of unrelated words mixed with special symbols and numbers. Words I've chosen are usually ones I've got in my head from childhood, which guarantees me I'd never forget them if I remember them now 20 years later lol. Thank you for that article mate.


Post by ReeferSpin » Thu Sep 12, 2019 11:51 am

Excellent write up mate, I use that XKCD cartoon to explain password security here at work :)

They have a password generator which I use too: https://xkpasswd.net

Agree on KeePass too, I use it; I wouldn't use an online password manager.

I've implemented 2fa on various production systems, and your points are spot on, thanks for taking the time mate.

Really useful stuff, cheers grumpy!