24th January 2023

These days the number of passwords we need to keep track of seems to increase almost every time we go online. There will be a new service, or a company that we’ve previously used will have implemented some new online portal or app, and we have to manage yet another password.

The days of using simple passwords, or one password for everything, should be gone, but many people still do this. On a personal level this is risky, but in business it is even more important to get away from the habit of using one password for everything, as there is much more at stake.

Having a good company password policy is very important. The reasons for not using the same password for all things might seem obvious to some, but the fact that it still happens suggests it’s not obvious to all.

The main reason for it is that once a password is compromised on one system, that set of credentials, often an email/password pair, can be tried on other systems and chances are most or all of your accounts will then be vulnerable.

We have seen an effort from banks and bigger companies online to implement other layers of security, such as two-factor authentication (2FA) where any attempt to log in initiates some other communication, an email or SMS to verify it is really you.

Often when you set up an account now there will be specific requirements to (hopefully) ensure a secure password is chosen. We’ve all seen it… between 8 and 20 characters, upper and lower case, with at least one number and one “special” character, that kind of thing.

Keeping track of all these passwords can become cumbersome, and so a new type of service was born… password management. These are companies that store your passwords in their (allegedly) secure cloud systems, with a master password and other layers of security intended to make your stored passwords available only to you.

Some users swear by these kinds of systems, and there are quite a few now. Unfortunately there is no silver bullet, no magically impenetrable system that is 100% secure, and password management services are no exception. You may have heard about data breaches of big companies; sometimes they make the nine o’clock news, but often they don’t. This is where “hackers” manage to access, and often take a copy of, databases that they should not be able to access, and customer data makes its way onto the internet, often for sale.

Recently this happened to a well-known password management company. It happens a lot. Really, it happens to lots of companies, all the time. The thing is, it has been considered extremely bad practice to store passwords in a readable, plain-text format for many years. Unfortunately there are still companies that do, but even those that don’t, and hash/salt their stored passwords, can still leak data that becomes a problem for their customers.

In fairness, many breaches of big companies involve phishing or other forms of social engineering, but the outcome for the average user is the same, and can cause issues beyond the specific company involved in the breach.

As we are hoping to avoid tech jargon on here, I’ll just explain a couple of those terms.

phishing

This is when an email or some other communication is sent to a person, masquerading as a company, usually with some kind of call-to-action to log in to your account to fix something. What happens is that clicking the call-to-action link or button takes you to a fake version of the company website and when you do log in, the fake site simply captures your login credentials and they can be used on the real website.

People are becoming more aware of these fake emails and websites, but they are still effective and are becoming more sophisticated and convincing.

hash

To hash a value in computing terms is to use an algorithm (there are many) to turn a piece of readable text into something unique that bears no obvious resemblance to the original. Encryption also turns readable text into something unreadable, but encryption is a two-way process, i.e. you can encrypt something and then decrypt it to restore it to its original readable form. Hashing is a one-way process: there is no way to decrypt a hashed value.

On the surface that might seem like an entirely pointless thing to do, but there are a number of important uses in modern computing and cryptography for such a process. One of those uses is in password storage. I will give you an example as to how it works, and why it’s important.

Say we’re signing up to a new online service. We give them our email address, and they also ask for a password. We supply the following password…

829b24rF8e*y69<N

If the service stored that password as is (plain-text) in their database, and the database was stolen via some kind of breach, all someone needs to do is look in the database, find the entry we just created, and they would have our email address and that password. This can and does still happen, though thankfully less often than it used to, but when you sign up you have no real way of knowing how security conscious and competent their developers were or are. If we used that password on many sites, that email/password pair can simply be tried on popular websites, and if we had an account there, they are in.

If however, the password has been hashed, using the SHA256 hashing algorithm for example, the password above would look like this…

c6c567903c752faacc34a4bb207d94d0fcca41e8f9867cc469b24238d891062b

…and due to the one-way nature of hashing, there is no way to “decrypt” that to figure out the original password. How this works in practice is that when you go to log in, the password you entered is hashed using the same algorithm. Because the hash generated is unique (to a computationally specific degree) for every input, it can be compared with the stored hashed password, and if it matches then the password you just entered to log in must be the same as the one you entered when you set up the account.

However, some systems are vulnerable to what’s known as a “brute-force” attack, where an automated process tries thousands or even millions of passwords per second until it eventually hits on the right combination. In a similar way, there are databases of lookup tables of known hashed values, so looking up a hash will tell you the original value. This is not the same as decrypting, but for commonly used passwords it can be effective.

One way of mitigating that is to use a salt, which was referred to earlier and we’ll now explain…

salt

A salt, in cryptography and password storage, is a random value that is added to a password before it is hashed. This ensures that even if two users have the same password, or one user is using the same password on lots of sites, the hashed values stored in the database are different, which means using lookup tables will not help. The following image should illustrate…

[Image: illustration about password salting and hashes]
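As an added worked example (not code from the original post), the short Python script below shows the three ideas from the hash and salt sections together: an unsalted SHA-256 of a common password is found instantly in a precomputed lookup table, while a salted hash of the same password is not, and two users with the same password end up with different stored values. It goes one step beyond the post by using PBKDF2-HMAC-SHA256 (salted SHA-256 repeated many times) rather than a single SHA-256 pass; the common-password list and the iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed mini "lookup table" of common passwords, standing in for the
# much larger precomputed tables the post warns about.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256 of the password, as in the post: same input, same digest, every time."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(passwords: list[str]) -> dict[str, str]:
    """Precomputed digest -> password map; this is what makes unsalted hashes reversible in practice."""
    return {unsalted_sha256(p): p for p in passwords}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, stretched hash: PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per call.
    The salt and iteration count are stored in the record, since they are needed to verify later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the login attempt with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salting_defeats_lookup(password: str) -> tuple[bool, bool]:
    """Returns (unsalted_found, salted_found) for one password against the constructed table."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_found = unsalted_sha256(password) in table
    salted_digest = hash_password(password).split("$")[-1]  # digest part only, like-for-like
    return unsalted_found, salted_digest in table


if __name__ == "__main__":
    alice, bob = hash_password("qwerty"), hash_password("qwerty")
    print("same password, different salted records:", alice != bob)
    print("login check for Alice:", verify_password("qwerty", alice))
    print("lookup table hit (unsalted, salted):", salting_defeats_lookup("qwerty"))
```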

Now it should be a bit clearer as to why using the same password everywhere is a bad idea. More and more of the bigger companies are using better internal data security practices, but they are still vulnerable to social engineering and that is how many of the more elaborate breaches are initiated. Not to mention there are millions and millions of smaller websites that have memberships to sign up to, or sell things that we often need to set up an account for.

There were 4,145 publicly disclosed breaches that exposed over 22 billion records in 2021 alone according to securitymagazine.com, and many of those include some of the biggest names in tech. This only serves to underscore the importance of good password policies and practices, especially in business.

Password policies can also include regularly changing passwords, using services to manage and store passwords, etc. As we have seen, some of the biggest breaches included a password management service that was not entirely forthcoming initially about the scope and seriousness of the breach. That’s not to say no-one should use them; there are many options, and commercial password managers are just one.

There are also open source password managers that you can run yourself, which allows your business to take advantage of the convenience a password manager can offer and, when set up correctly, can reduce the chances of being compromised because a third party fell victim to an elaborate scheme. KeePassXC is one good open source option that uses industry standard encryption, is multi-platform and, because its source code is publicly available, lends itself to being more secure than many proprietary offerings simply because there are more eyes on it, actively looking for security issues and fixing them.

This is not an advert for KeePassXC, or any other service. There are many options out there that are worth investigating if you’re looking to improve your business password management, and there has never been a better time to start than now.