Summer Project: Manage Your Passwords

Another day, another hack! It seems like every week we learn of a new large scale data breach. The story is becoming fairly routine – a reputable company’s servers are compromised and the bad guys sell the database of user credentials online. Usually we find out that the vulnerability which allowed the attack to succeed was fairly basic. It’s really disheartening to learn that a respectable company, for one reason or another, did not apply good security policies. The only silver lining is that these days security firms and service providers are also obtaining the stolen data and then scanning the records to see if their own users are showing up in the databases.

I’m writing this blog post because my turn finally came around, and I learned of it by an email from Pandora, the popular streaming radio service. In an email that was short and sweet, Pandora politely informed me that my username was found in a database of user credentials that was breached several years ago, and that the stolen database was recently posted on the web. The email concluded by urging me to change my Pandora password immediately. Changing my Pandora password now is a fine idea, but it does nothing about the “several years” during which my username (and presumably a hashed version of my password) was in the hands of hackers.

As I sat and thought about this situation (which basically ruined my next after-lunch latté), I came to the conclusion that now is a fine time for me to start using a password manager for my personal online accounts. Here at Certify, we use the revered KeePass open source password manager, but I had not yet made the jump to using it at home. Sure, I have always created strong passwords and used variations of them depending on how sensitive each site is. But ultimately this scheme winds up reusing passwords a lot, simply because remembering a secure variation for each site is too burdensome. I gulped down the rest of my latté (which is definitely the wrong way to drink a latté) and I actually got excited about this new challenge.

So I did the necessary research and found the pros and cons of the top five password manager services. One of the more enjoyable blog articles I found was this one by LifeHacker. In short, the top five options are LastPass, Dashlane, KeePass, 1Password and RoboForm. Your decision of which to use will boil down to your desired mix of ease-of-use versus security. The top five systems all do a fine job at security, but the most hardcore (and perhaps jaded) system administrators and security geeks will probably push that slider all the way to the “secure” side and gladly sacrifice usability. This approach will probably lead such folks to select KeePass. The dogmatist in me understands this, but the pragmatist in me knows that if usability is lacking, I won’t end up using it for my personal accounts.

So I chose one of the password managers from the list of the top five, paid for the premium service, and got to work. Caveat emptor: if you are going to follow me on this journey, you’d better plan on setting aside at least eight hours of focused time, and break it up over a week or so, because this can be quite a project. The top password managers do a marvelous job with usability, but there is a small learning curve with each of them. I won’t tell you which password manager I chose, and I also won’t tell you whether I chose to store my data locally or in the cloud. Those are personal decisions that you will have to make on your own! But I will tell you this – once I got to work loading up all my frequently used and sensitive accounts, I was astounded at how many there were. Before starting this exercise, I thought I had somewhere around 20 or 30 accounts that I needed to manage. Now that I have been working on this for a solid week, I am up to 86 accounts and continue to remember more each day.

Once set up with a password manager, the process works like this: I remember a site that is not yet managed, and browse to it. I try to log in and probably cannot remember my (old, crappy) password, so I use the site’s email or text message password reset option. As I am setting my password, I use the password manager’s browser extension to create a cryptographically strong new password for this site. A strong password generated for me might look like this: Z!2iQrctErq&, which is much stronger than my old passwords were, and most likely much stronger than your passwords are today. The browser extension automatically saves the username and password to my password vault, making all of it available with a simple click the next time I visit this site. I can even have multiple accounts for each site, and choose which one I want to use when logging in. This process winds up taking a few minutes, but it is incredibly gratifying!
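The generator step above, as an added example that is not the post's own code nor any password manager's: it draws each character from the operating system's cryptographically secure random source (Python's `secrets` module, which is the right tool here; `random` is not), insists on at least one character from each class so the result satisfies the usual site complexity rules, and reports the password's entropy so you can see why a 12-character result like the one quoted is far stronger than a memorable variation. The 94-symbol alphabet and the 12-character default are constructed assumptions.

```python
import math
import secrets
import string

# Character classes the generator draws from: ASCII letters, digits and
# printable punctuation, the 94-symbol set most sites accept (assumption).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = string.punctuation
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one character of every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 12) -> str:
    """Return a random password drawn with the OS CSPRNG (secrets.choice).

    Candidates missing a character class are rejected and redrawn; rejection
    sampling keeps the result uniform over all passwords that satisfy the rule,
    unlike the common trick of forcing one character of each class into fixed
    positions, which leaks structure.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    The class-coverage rule removes a small fraction of the space, so this
    very slightly overstates the figure; for 12 characters over 94 symbols
    it is about 78.7 bits.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(12)
    print(pw, "%.1f bits" % entropy_bits(len(pw)))
```

A password that is stored in a vault and never typed from memory has no reason to be short; raise `length` to whatever the site's maximum allows, since every added character adds another 6.55 bits.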

Now that I have gone through this experience, it appears to me that modern internet users who do not use a password manager are like tourists in Manhattan’s Lower East Side with $100 bills hanging out of every pocket. It doesn’t have to be this way, however, because the modern crop of password managers does a marvelous job of blending usability and security. Features such as browser integration, mobile access, multifactor authentication, secure hashing algorithms, emergency family contacts and sharing groups are ubiquitous among the top providers. These providers have analyzed all the current information security best practices in use by leading technology companies, and have made them available to average internet users in a freemium model. You may not have all the technology super powers necessary to outsmart the world’s greatest hackers, but you will be far ahead of the pack. A fun way to rationalize this is that when a bear is chasing you, you don’t need to outrun the bear – you only need to be faster than the slowest of your fellow campers.

As I talked about my journey into the world of password managers, some of my friends expressed skepticism, asking questions that they thought would burst my bubble. The most common question was, “Oh sure, but what happens when the service provider gets hacked and the bad guys get all your passwords at once?” That’s a great question, and there is a really great answer!

It turns out that in 2015, LastPass was hacked. You can read the details of the attack as reported by Sophos, and I recommend that you do so. To summarize, hackers obtained LastPass’s database of master usernames and hashed passwords. But LastPass used a really solid implementation of something called PBKDF2 (Password-Based Key Derivation Function 2), and this meant that the bad guys would have to spend years trying to crack the hashed passwords that they had obtained. LastPass knows that the database of master passwords is the crown jewels of their business model, and they acted quickly. As soon as they were aware of this breach, LastPass informed their customers of the situation and simply asked them to change their master password. And just like that, by users changing a single password, the bad guys were holding onto meaningless data. Any LastPass user who regularly changes their master password would have been protected even without notification from LastPass. Furthermore, LastPass users with multifactor authentication enabled would have been safe even if the hackers had obtained their master passwords in plaintext!

(a few tech bits… LastPass hashes its master passwords using HMAC-SHA-256 with 100,000 iterations, so a brute force attack is going to take a loooong time. Users who reset their master password annually should be just fine! Furthermore, password managers make it just as easy to use random, unique, cryptographically strong passwords for every site. So if Joe’s Bait and Tackle gets their ecommerce site hacked and it turns out they were storing your password in plaintext, the attacker will be limited to buying hooks and swivels because that password was unique to your account with Joe’s Bait and Tackle!)
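To make the two tech bits concrete, here is an added example (my own illustration, not LastPass's implementation or any code from the post) of what a service does with a master password: derive a verifier with PBKDF2-HMAC-SHA-256 at the 100,000 iterations mentioned above, using a fresh random salt per user, compare in constant time on login, and re-derive with a new salt when the user rotates the password after a breach notice. The `expected_crack_years` helper puts a number on why the iteration count matters: every guess the attacker makes costs 100,000 HMAC computations instead of one. The record format, the 16-byte salt and the attacker rate of one billion HMACs per second are constructed assumptions, not figures from the post or from any provider.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000            # iteration count quoted in the post
ALGORITHM = "sha256"            # PBKDF2 keyed with HMAC-SHA-256
SALT_BYTES = 16                 # per-user random salt (assumed size)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hash_master_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a stored verifier for a master password.

    The record carries scheme, iteration count, salt and digest (format is a
    constructed assumption). The salt is public; the password is never stored,
    so a stolen database yields only something the attacker must grind at.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_master_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    algorithm = scheme.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(
        algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def rotate_master_password(old_record: str, old_password: str, new_password: str) -> str:
    """Prove the current password, then store a fresh verifier with a new salt.

    This is the single change LastPass asked of its users: after it, the leaked
    old record verifies nothing that is still in use.
    """
    if not verify_master_password(old_password, old_record):
        raise ValueError("old master password does not match")
    return hash_master_password(new_password)


def expected_crack_years(password_bits: float, iterations: int = ITERATIONS,
                         hmac_per_second: float = 1e9) -> float:
    """Expected brute-force time for one record: on average half the keyspace
    is tried, and each guess costs `iterations` HMAC computations. The rate is
    an assumed attacker capability, not a measurement."""
    guesses = 2 ** (password_bits - 1)
    return guesses * iterations / hmac_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    record = hash_master_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_master_password("correct horse battery staple", record))
    new_record = rotate_master_password(record, "correct horse battery staple", "a new master")
    print("old record still useful:", verify_master_password("a new master", record))
    print("years at 40 bits, 1 iteration: %.2g" % expected_crack_years(40, iterations=1))
    print("years at 40 bits, 100k iterations: %.2f" % expected_crack_years(40))
```

The last two lines are the whole argument in numbers: a 40-bit master password that falls in seconds against a plain hash takes the same attacker on the order of years once each guess costs 100,000 iterations, which is the window in which rotating the master password turns the stolen database into meaningless data.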

This exercise has allowed me to sleep better, and I enjoy my lattés more now. It has also given me much gratification as I reflect on all the layers of security that we have implemented here at Certify – multifactor authentication, internet fingerprinting, PBKDF2, AES-256, key custodian policies, and so much more. I share all of this with copious transparency in the hope that readers will step up their own personal internet security, and also to help assure our customers that Certify is on the right path.