Why I Love Password Managers


** This article is for beginners in security or other IT folk, not experts. 😀

Passwords are awful. The software security industry expects us to remember 100+ passwords that are complex (variations of upper & lowercase, numbers and special characters), that are supposed to be changed every 3 months, with each one being unique. Obviously this is impossible for most people, and for those for whom it is possible, why would they want to waste all of that brain power on something that is, essentially, meaningless?

Comic illustrating the need for password security. I love XKCD and so should you: https://xkcd.com/936/

That’s right, the password itself means nothing. The purpose of the password is to authenticate the user; to prove that *you* are the real, authentic, you. Not another person with the same name or birthday, but the person who owns the account that is being logged into. The person whose money is in that bank account. The person who tweets all those tweets.

I realize that the security industry is wise to this issue, and NIST has updated its password advice, but that still leaves many applications doing things the old way and programmers continuing to implement the old security advice. The result is password reuse; people using the same password over and over, for most or all of their accounts. Last month I heard a speaker who claimed the most common password has changed from “Password1” to “Autumn2018”, “Winter2019” and so on, for every third month. Tragic.

The reason this is a problem is that once one account is breached, or a password stolen, that email & password combo (known as credentials) is likely to work in many, many other places. “Credential stuffing” is the term for when criminals or other bad actors steal many credentials and use scripts to try them all against a larger site, with malicious intent. These attacks are often wildly successful, which makes password reuse very scary from a defender’s perspective.

At least 1% of what I know comes from XKCD: https://xkcd.com/792/

This is where password managers come in. Password managers allow users to generate long and complex passwords, as long and complex as the software will allow. The manager remembers all of them, keeping them in an encrypted vault. When users go to log into something, they either press a button in the browser to have the manager fill everything in for them, or they open the password manager, enter the one single password they need to know, and access all of their secrets.

Password managers can protect you against several types of attacks:

  • Password reuse attacks (if all of your passwords are different, then if one account is breached, the rest are fine).
  • Phishing attacks that target your accounts using URLs that are similar to ones you already use. When you go to the fake URL your password manager will not recognize it, and this should tip you off that you are under attack.
  • Brute force attacks; if you are always using very long and complex passwords (because you don’t need to remember them), it would take forever for a brute force attack to uncover your password.
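
To make the three points above concrete, here is an added example (not from the original post, and not any real password manager's code) of a tiny, hypothetical vault model: it generates long random passwords, estimates how much harder they are to brute force than a seasonal pattern like “Autumn2018”, and only autofills on the exact host a credential was saved for, so a lookalike phishing host gets nothing. The guess rate and the sample URLs are constructed assumptions.

```python
import math
import secrets
import string
from urllib.parse import urlsplit

# Hypothetical, simplified model of what a password manager does.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20):
    """Long random password the user never has to remember."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)


def seasonal_pattern_bits(seasons=4, years=50):
    """Roughly how much a 'Season+Year' password offers: log2 of the candidates."""
    return math.log2(seasons * years)


def years_to_brute_force(length, alphabet_size=len(ALPHABET), guesses_per_second=1e10):
    """Years to exhaust the space at an assumed (constructed) guess rate."""
    return alphabet_size ** length / guesses_per_second / 31_557_600


class Vault:
    def __init__(self):
        self._entries = {}  # host -> (username, password); a real vault encrypts this

    def save(self, url, username, password):
        self._entries[urlsplit(url).hostname] = (username, password)

    def autofill(self, url):
        """Return saved credentials only for the exact host they were saved for.
        A lookalike host (the phishing case in the text) gets None."""
        return self._entries.get(urlsplit(url).hostname)


# Constructed sample: one saved account, then a lookalike phishing URL.
vault = Vault()
vault.save("https://bank.example/login", "tanya", generate_password())

if __name__ == "__main__":
    print(vault.autofill("https://bank.example/login"))
    print(vault.autofill("https://bank.example.evil-login.example/login"))
    print(round(seasonal_pattern_bits(), 1), "bits for a Season+Year password")
    print(round(entropy_bits(20), 1), "bits for a 20-char generated password")
    print(f"{years_to_brute_force(20):.1e} years at 1e10 guesses/s")
```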

Below is a non-exhaustive list of password managers. Some are free, some are not. Either way, go get one so you can stop wasting brain power on boring things like remembering your passwords.

If you work in an IT environment, you absolutely must have a password manager. I strongly suggest that anyone who uses a computer regularly and has multiple passwords to remember get one, even if you don’t consider yourself tech savvy. Put every single password in there, change all the passwords you used to have to long randomly-generated ones, and ensure the password you use for your password manager is a passphrase that is an entire sentence (such as: “I work with Cloud Defense and I like them a lot!” or “Tanya Janca is my favourite blog writer and her jokes are never self-deprecating”).

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

Multi-Factor Authentication (MFA)

** This article is for beginners in security or other IT folk, not security experts. 😀

Recently you may have noticed me calling out several Canadian banks for not allowing users to add multi-factor authentication (MFA) to their online banking accounts. This blog post will detail what I mean by this, why it’s important, and why I’m pushing for it.

Update: you can follow community activities online on this topic with the hashtag #MFAally.

Me, hassling a Canadian Bank about their lack of MFA. They have since implemented MFA!

Two-factor or multi-factor authentication (2FA or MFA) means using more than one factor to prove that you are the real, authentic, you. A “factor” of authentication is a method of proving who you are, to a computer. Currently there are only 3 types: something you have, something you are and something you know.

  • Something you have could be a phone, computer, token, or your badge for work. Something that should only ever be in your possession.
  • Something you are could be your finger print, an iris scan, your gait (the way you walk), or your DNA. Something that is physically unique to you.
  • Something you know could be a password, a passphrase, a pattern or a combination of several pieces of information (often referred to as “Security Questions”) such as your mother’s maiden name, your date of birth and your social insurance number. The idea is that it is only something that YOU would know.

When we log into accounts online with only a username and password, we are only using one “factor” of authentication, and that is less secure than using 2 or more factors. Many of the accounts that are broken into, and much of the data that is stolen, fall to attackers because only one factor was in use.

When passwords are breached, users that have a second factor of authentication are still protected. When someone tries to brute force a system or account that has MFA enabled, even if they eventually get the password, they won’t have the second factor in order to get in. Using a second factor makes your online accounts significantly more difficult to break into.

Microsoft Authenticator app

When Cloud Shell logged me out on stage (how embarrassing!) at MSIgniteTheTour in Hong Kong this past winter, I used my username and password (2 things that I know, meaning two of the SAME factor), plus the Microsoft Authenticator app (something I had), on my phone (something else that I had), which asked for my fingerprint (something that I am). That means I logged back in using all three factors of authentication. Even though I know it inadvertently made a great demo of the Microsoft products I was using, getting logged out mid-demo was embarrassing…

Demo-failure aside, let’s talk about what MFA is, what it is not, and why it is so important.

Examples of MFA

Multi-Factor: Entering your username and password, then having to use a second device or physical token to receive a code to authenticate. The username and password are one factor (something you know) and using a second device is the second factor (something you have).

Not multi-factor: a username AND a password. This is two examples of the SAME factor; they are both something that you know. Multi-factor authentication means that you have more than one of the different types of factors of authentication, not one or more of the same type.

Not multi-factor: using a username and password, and then answering security questions. These are two of the *same* factor, something you know.

My attempt to demonstrate “Something you know”

Many in our industry are in disagreement as to whether or not using your phone to receive an SMS (text message) with a pin is a “good” implementation of MFA, as there are known security flaws within the SMS protocol and some implementations of it. My (potentially unpopular) opinion is that I would rather have a pretty-darn-good second factor of authentication rather than only one factor, and that if this is the trade-off (convenience versus perfect security) to convince the average user to adopt 2FA, I’m in favour of using SMS as a second factor.

The number one piece of security advice that Azure Security Center gives anyone and everyone is to enable multi-factor authentication on all of your subscriptions; protecting the keys to your (cloud) kingdom is paramount. In fact, enabling multi-factor auth (MFA or 2FA for short) is industry best practice, and is constantly prescribed by security professionals to technical and non-technical people alike for all of their important accounts. Yet strangely, less than 10% of accounts on Google and other popular platforms have 2FA enabled. Why?

I suspect that the reason is twofold: 1) it’s not always convenient and 2) the public simply does not understand the risk. And while most of us are not in a position to change #1, every one of us can work on changing #2.

I’d like to appeal to you, dear reader, to try to explain MFA to someone in your life, at work or at home, and ask them to enable it on their important accounts. I’d also like to ask you to enable 2FA for yourself, both at home and at work, if you haven’t already. It might save you or someone you love from some serious heartache.
