Passwords: Difference between revisions

{{Template:Draft}}
{{Blockquote
|text=I think the best advice here is to shift your thinking from passwords to passphrases.
|source= via [https://www.youtube.com/watch?v=yzGzB-yYKcc Last Week Tonight with John Oliver]
}}
[[File:Hacking password illustration.jpg|thumb]]
If you've been on the internet for any meaningful amount of time, then it is very likely that passwords are a bane of your existence. It seems that every website and service wants you to register an account, even for the most inane things, and a large reason for that is the ability to log your activity against your account, to make the service more attractive to advertisers.
 
 
There is, but it will involve a change to some of your habits.
 
<br>
{{ombox | image=[[Image:JS Icon Edit.svg|80px]] | text =
'''Main takeaways'''
* Do not reuse passwords.
* Choose better passwords.
** Long, but memorable and easy to type, is better than complex.
** Use at least 8 characters.
* Use a password manager, such as [https://bitwarden.com/products/ Bitwarden].
}}
<br>
 
===Why password reuse is a problem===
{{further|topic=Wikipedia|w:credential stuffing}}
 
You might be wondering why reusing passwords is such a problem. Surely there is no problem, since you keep the password secret, and it's not like the websites you use can tell that the password is being reused.
 
 
The solution to this is to use a unique password for every website you use. In that case, a criminal attempting to perform credential stuffing will get nowhere since they only know the password to the account that was hacked.
 
=Easy wins=
==Choosing better passwords==
* '''avoid using common words, phrases and character combinations''' - you are not the only person to think it's really clever to make your password the word 'password'; you are not the only person who's frustrated, so using 'ihatepasswords' to blow off some steam is not original either; you are not the only person whose dog is called Max; and you are not the first person to notice that the characters QWERTY sit next to each other on a standard keyboard. Hackers know all those tricks and will use them against you in a [[w:dictionary attack|dictionary attack]].
** see [[w:List of the most common passwords|List of the most common passwords]]
* '''do not use any bit of information which you've posted online before''' - while you may not be surprised that a site called {{SITENAME}} advocates not posting stuff about yourself online in the first place, if you've already done that, none of that info should be used in a password. Do not include your birthday, your home town, or the favourite team which you post about all the time. Hackers may use public information gathering, so called [[w:OSINT|OSINT]], to leverage that info against you.
* '''don't needlessly change good passwords''' - once you take the advice from this guide and have established better password practices, don't needlessly change good passwords that haven't been compromised. Research shows that people who are forced to change passwords forget them more often, and almost always change them to weaker passwords to make them more memorable. Commit to remembering one, or a few, really good passwords (more on that in the password manager section) rather than remembering many terrible ones.
===Use a system===
==Sign up for breach alerts==
Security researcher [[w:Troy Hunt|Troy Hunt]] maintains a [[w:Have I Been Pwned?|website which compiles data from known public breaches]] and makes it easy for you to search for your email address (or phone number) among this data. This will give you an idea of how many of the accounts you've used in the past got hacked, as it is safe to assume that if you get any hits here, the username and password for the given account at the time of the breach are now public.<br>
You may subscribe over at https://haveibeenpwned.com.
=A step further=
==Use a password manager==
 
For this to work, most of the effort comes at account creation time. If you're creating a new account, instead of reusing a password, you need to open the vault, create an entry for the new account, generate the password and make sure it's saved.<br>
This sounds annoying, but it is better to think about it in terms of transferring effort. If you use a password manager, and you put in the effort, you are guaranteeing yourself a seamless experience for the foreseeable future. If you reuse a password, you will find yourself wondering what the password is and often resetting it almost every time you want to log in. Going through the reset process takes time and effort too. But unlike password manager use, there is no maximum limit on the amount of time, effort and frustration that you might end up spending.
===Choosing the password manager===
Broadly speaking, there are two types of password managers: online/cloud password managers and offline/local password managers.<br>
With an online/cloud password manager, your passwords are stored on an online server accessible from any device where you have an internet connection and a web browser.<br>
 
For people who are new to password managers, we generally recommend sticking to online/cloud due to ease of use and convenience.
=====[https://bitwarden.com/products/ Bitwarden]=====
[[File:Bitwarden Desktop MacOS.png|thumb|Bitwarden application on [[MacOS]]]]
Bitwarden is our password manager of choice for most use cases. It is [[concept:free software|free software]] with an open source client and server licensed under the [[w:GNU GPLv3|GNU GPLv3]] and [[w:GNU Affero General Public License|AGPL]]. It has passed two independent audits, has a [https://hackerone.com/bitwarden bug bounty program] and can be [https://bitwarden.com/help/hosting/ self-hosted] if you're inclined to do so. On the usability side, it has apps for all major operating systems and extensions for all major browsers. The free plan is fairly generous and usable.
=====[https://keepass.info/ Keepass]=====
If you're leaning more towards the offline/local side of things, Keepass is a great choice. You can manage your password vault however you like, and access it with a myriad of open source clients. The .kdbx database file can be opened by a number of different programs (but only if you supply a valid password, of course). A list of all the tools which can use the .kdbx file format [https://github.com/lgg/awesome-keepass can be found here].
=====Any password manager is better than no password manager=====
If the above recommendations don't work for you, don't get too bent out of shape over the password manager choice. If a different one seems more attractive to you, generally, go for it as long as the company/service is mainstream and reputable. Password managers are normally highly scrutinised, and any password manager that has managed to operate for a while is generally a valid choice. The basic concepts are valid across all of them.
==Use two/multi factor authentication==
Two factor (or multi factor) authentication (2FA) is simply requiring something else, in addition to a password, to allow you to log into the website or a service. If you've ever received a number code from your bank or from Twitter via SMS, then congratulations, you're already using 2FA! But there's more to it.<br>
A factor of authentication is essentially the type of evidence you can provide to a system to prove you are who you say you are. Speaking very broadly, security professionals generally recognise 4 different factors of authentication:
* '''knowledge''', that is, ''''something you know'''' - information only you would know
** this covers your everyday password
* '''possession''', that is, ''''something you have'''' - proof that you are in possession of something only you would have
** [[File:Twitter 2FA Finnish.png|thumb|Twitter code. In Finnish no less.]]this is what happens when you get that temporary code via SMS; it proves you possess the SIM card tied to the phone number at that moment
* '''biometric''', that is, ''''something you are'''' - proof of unique characteristics that only you possess
** this is your fingerprint, your retina scan, or even behavioural characteristics such as style of typing or walking gait<ref>yes, it is possible to identify you by your walking gait. See: https://apnews.com/article/bf75dd1c26c947b7826d270a16e2658a</ref>
* '''location''', that is, ''''where you are''''<ref>some experts don't accept this as being one of the factors, and instead say that location is just a mashup of possession and biometric; you cannot be located directly without having a device on you (something you have) and you cannot make meaningful conclusions unless you analyse user's behaviour (something you are)</ref> - proof that you're where you would be expected to be
** if you've ever received an email from some service telling you that you've logged in from your city or town, then you've seen location based authentication
 
The biggest and most obvious benefit of 2FA is that it can lessen or remove the danger of using passwords incorrectly. When you actively use 2FA with all the accounts that support it, it is much harder to hack you, since the hacker needs to defeat all the different authentication methods. This means that in some situations, '''even if your password is compromised, your account may still remain safe'''.
 
Let's see how we can use these 'multiple factors' in practice.
==Knowledge==
The rest of this page is about passwords, so we won't worry about that here. Instead, let's address secret questions.
===Secret questions===
Many online services may ask you to provide a secret question and answer combination. The most common and infamous one is asking for your mother's maiden name. There are a couple of problems with this.<br> Firstly, a secret question/answer combo is 'something you know', the same as your password, which means that it is vulnerable to the same attacks and issues that passwords have. If your device is infected by a keylogger, and the hacker gets your password, they may very well keylog your secret question answer too. It's no protection.<br>Secondly, information like your mother's maiden name is not something only you would know; your immediate family does. It is also not information that is commonly regarded as secret. It is in fact public: the hacker could just look up public birth records, or census, or christening records or indeed, just find it on Facebook.
 
We recommend you don't answer secret questions truthfully, but regard them as secondary passwords. Fill them with random text generated by your password manager, and record them in the password manager. If you need to use it, you can still use it, but nobody can guess the random string you used as your 'answer'.
==Possession==
===One-time password===
When you receive a message via text/SMS asking you to enter a code into an app or a website, you're using a temporary password of sorts, often called a 'one time password' (OTP). This proves that you're in possession of the device at that particular moment, thus providing another 'factor' of authentication.
====SMS-based one time password====
Probably the most recognisable temporary password method is receiving an SMS message from your bank or some service like an email provider or social media. While this works fine, it fundamentally relies on another service controlling the means of delivery. This is, obviously, your mobile phone provider.
 
The danger here is that a determined hacker could call up your service provider and convince the minimum-wage support staff to execute a SIM swap attack which allows them to move the phone number to a SIM card they control. While this is not an attack that is easily scalable, there are many cases of this happening.
 
This is particularly dangerous if you hold a large amount of cryptocurrency or store sensitive information in the cloud protected by such SMS-based authentication since by the time you notice the problem, the hacker has stolen your cryptocurrency or published sensitive info publicly, and there's nothing that can be done to reduce or recover from the damage.<br>Another issue is that a hacker can still phish your one-time password by sending you to a fake website with a fake two factor login window, and then simply passing those valid details to the real service and logging in as you.
 
That being said, if the particular service offers this as the only multi factor authentication option, you should still use it. You just shouldn't use it over other, better, options.
====Time synchronised one time password====
{{align|right|{{Recommended OTP}}}}
This one works very similarly, except that instead of receiving an SMS, an app uses a previously stored shared secret and the current time to calculate a valid one-time password. The service does the same, and since they both base their calculation on the same secret they know (but an attacker does not), the code matches and the login is accepted.
 
By doing this, you avoid the possibility of having your phone number SIM swapped, although you can still be phished as described above.
===Other implementation===
There are also other ways to implement a possession check, such as a notification on your phone asking you to tap to accept the login. This is often used by banks and other valuable services like Google, Facebook or Apple accounts. Since those are fairly self explanatory, here we will just once again encourage you to use them.
==Biometric==
[[File:IPhone unlocking MacBook Pro with MacID (17199034187).jpg|thumb|iPhones can be used to unlock Macbooks in the Apple walled garden. Courage.]]
If you have a modern smartphone, then you know what biometric identification is; fingerprint sensor, retina scan, facial recognition.
 
One major issue here is that biometric authentication cannot be changed if compromised. If a scan of your fingerprint makes its way online, any determined hacker with a fancy 3D printer can print a replica of your fingerprint. This is why biometric authentication should generally not be relied upon for primary authentication.
 
=Going all the way=
==Going passwordless?==
[[File:YubiKey-4-keychain-and-YubiKey-4-Nano.png|thumb|A FIDO2 compatible [[W:Yubikey|Yubikey]] 5 NFC. It's meant to be used as a key, so why not have it on your keychain?]]
One oasis in the desert of passwords that is the internet is the possibility of being able to one day go completely passwordless. There are efforts afoot which aim to completely replace password based authentication with one passwordless token to rule them all.
 
[[w:FIDO Alliance|FIDO Alliance]] is a consortium of companies promoting the use of [[hardware tokens]] to assist with authentication on the internet using public key cryptography. While this may sound complicated, it basically amounts to a physical key that you can use to 'unlock' your online services just as you would unlock any physical door (but better, since these 'keys' cannot be copied, you can have multiple different ones, and they can be revoked remotely if stolen or lost). The key can be a dedicated USB authenticator, or a smartphone, or any other device that is closely associated with the user (smartwatch, national ID card, etc).
[[w:WebAuthn|WebAuthn]] is a project to standardise passwordless authentication on the internet run by the [[w:World Wide Web Consortium|World Wide Web Consortium]].
 
Together, the FIDO Alliance and the World Wide Web Consortium are combining their efforts to bring about a passwordless future in the [[w:FIDO2 Project|FIDO2 Project]], which aims to provide a standardised way of authenticating without passwords.
 
Should you use it? Well, yes, in theory, but the problem is that support for FIDO2 is very nascent, with a single-digit number of services supporting passwordless authentication. To be quite frank, at this stage of adoption, it is not worth the hassle of buying a compatible device to use it with the handful of services that support it. Hopefully, this changes quickly.<br>
The exceptions to this are people who have heightened security requirements such as journalists, system admins or financial directors.
{{Footnotes}}