Your Password Doesn’t Matter

You know the drill. You visit a new site to either buy something or gain access to some information. You cannot do either until you create an account. You have hundreds of these and there is no chance you can remember your password. So, you enter the same email address and password you use everywhere. You are human and just want to make your life easier. We are all guilty of this.

A few months go by and then you start getting messages from your customers and friends:

“Are you ok?”

“Is this a scam?”

“Have you been hacked?”

Your email account has just been compromised and some annoying scumbag is using your account to send phishing emails, spam, or worse. 😣

You’ve been hacked!

Technically, you haven’t been hacked. You just left your keys lying around and someone used them to gain access to your systems. That email and password combination you’ve been using everywhere has made it easy for anyone to gain access to your data. And the bad guys have used these keys in a credential stuffing attack.

Passwords Are Protected Right?

Before we get to the point where your email account was compromised, we need to understand passwords and how they are used and stored.

We use passwords to protect our information and systems. The idea is that only YOU know the password. And for obvious reasons, so do the systems you are trying to access. That’s where the problem starts.

Software developers used to store these passwords in plain text, or human-readable form. But if the user data was ever accessed, it was easy for those passwords to be found. They stopped doing that and started protecting passwords with password hashes (Key derivation function – Wikipedia), which makes it harder to extract the original passwords.

How hard is your password to crack?

I say harder because it is still fairly easy for most passwords to be brute-forced (aka guessed), as most of our passwords are chosen to be easy for us to remember. Most home computers can test millions of passwords a second.

Your passwords are protected, kind of, but if you use the same one everywhere and the password hash is “guessed”, it might as well be in plain text.
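The difference between a fast hash and a proper key derivation function is easiest to see by timing a guess loop against both. The example below is added here and is not code from the original article: it stores one constructed password three ways (plain SHA-256, then salted PBKDF2-HMAC-SHA256 as the key derivation function), runs a tiny constructed guess list against each, and reports how long a single guess costs. The password, the guess list and the 100,000-iteration work factor are all assumptions chosen to keep the demo quick.

```python
import hashlib
import hmac
import os
import time

# Constructed example password; nothing here comes from a real breach.
USER_PASSWORD = "summer2019"

# A tiny constructed guess list, standing in for the large "common passwords"
# wordlists that make human-chosen passwords cheap to guess.
GUESS_LIST = ["password", "123456", "qwerty", "letmein",
              "summer2018", "summer2019", "welcome1", "iloveyou"]

# Assumption: a modest PBKDF2 work factor so the demo runs in well under a second.
PBKDF2_ITERATIONS = 100_000


def store_fast_hash(password: str) -> str:
    """What many sites did after dropping plain text: one unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_kdf(password: str, salt: bytes = None) -> str:
    """Salted, deliberately slow derivation; stored as 'salt$hash' in hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_kdf(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _guess(check, guesses):
    """Run `check` over the guess list; return the match and seconds per guess."""
    start = time.perf_counter()
    found, tried = None, 0
    for g in guesses:
        tried += 1
        if check(g):
            found = g
            break
    elapsed = time.perf_counter() - start
    return found, elapsed / tried


def compare_defences():
    """Guess the same password stored as a fast hash and as a KDF output."""
    fast_stored = store_fast_hash(USER_PASSWORD)
    kdf_stored = store_kdf(USER_PASSWORD)

    fast_found, fast_cost = _guess(
        lambda g: hmac.compare_digest(store_fast_hash(g), fast_stored), GUESS_LIST
    )
    kdf_found, kdf_cost = _guess(lambda g: verify_kdf(g, kdf_stored), GUESS_LIST)

    return {
        "fast": {"found": fast_found, "seconds_per_guess": fast_cost},
        "kdf": {"found": kdf_found, "seconds_per_guess": kdf_cost},
    }


if __name__ == "__main__":
    result = compare_defences()
    for name, r in result.items():
        print(f"{name:4s} found={r['found']!r} "
              f"~{1 / r['seconds_per_guess']:,.0f} guesses/second on this machine")
```

Both storage forms are cracked by the same short list, which is the article's point about easy-to-remember passwords: the KDF only makes each guess thousands of times more expensive, it does not rescue a password that sits in every wordlist. That cost multiplier is what buys time when a site is breached, and only a long random password (the kind a password manager generates) takes the guess list out of the picture altogether.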

The Bad Guys™ Know People Are Lazy

The problem is that as humans we all struggle to remember our passwords. If we are lucky, we can remember 4 or 5, but most of us struggle to remember just 1. And the Bad Guys™ know it. They use the data breached from these obscure sites to build big lists of email and password combinations. Occasionally, a really big system is breached, and the user data is extracted to create a massive list of known email and password combinations.

It is hard to remember a single complex password. Remembering hundreds is impossible.

These lists are then sold or traded on the Dark web – Wikipedia. Now the Really Bad Guys™ use these lists to test accounts on the well-known platforms: Google, Microsoft, Apple, Facebook, LinkedIn, and more. When they find a match…BINGO!

These attacks are known as Credential stuffing – Wikipedia. And if your email is compromised then every other service is now at risk thanks to the most common forgotten password workflow. Yes, you are emailed a special link to reset your password, and the hacker now has access to your emails. Game-over.

Passwords Are Dead

Passwords have served us well, but they no longer matter and cannot keep us safe, at least if we must rely solely on our grey matter. And if we use the same password everywhere, we may as well not bother using them. And if you think forcing people to change their passwords regularly will help, you are just making the problem worse. The reason is that people are lazy. If they are forced to change their password, they will just increment the number on the end and keep using the same password. The Bad Guys™ know this too.

To solve this problem, we can use a Password manager – Wikipedia that securely stores your passwords and generates a unique, random one (16 characters or more) for every service you use. This is not perfect, as now you have a single place that gives an attacker access to everything. But with the right level of extra security, they are better than nothing.
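To make the "unique, random, 16 characters or more" advice concrete, here is an added example (not code from the article or from any real password manager) that generates one such password per service from the operating system's secure random source, estimates how many bits of entropy each one carries, and converts that into the time needed to exhaust the space at the "millions of guesses a second" rate quoted above. It also includes the check a manager would run on an existing vault: which services share a password. The service names, the 1,000,000 guesses-per-second figure and the constructed reused vault are assumptions.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumption, taken from the article's wording: a home computer tries
# "millions of passwords a second".
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG; rejects lengths under the 16 recommended."""
    if length < 16:
        raise ValueError("use 16 characters or more")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the draw uniform while guaranteeing every
        # character class appears (some sites insist on that).
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years to try every password in a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def build_vault(services, length: int = 20) -> dict:
    """One fresh random password per service, as a password manager would create."""
    return {service: generate_password(length) for service in services}


def find_reuse(vault: dict) -> dict:
    """Map each password used by more than one service to those services."""
    by_password = {}
    for service, pw in vault.items():
        by_password.setdefault(pw, []).append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


if __name__ == "__main__":
    # Constructed service list for the demo.
    vault = build_vault(["email", "bank", "shop", "social"])
    for service, pw in vault.items():
        print(f"{service:7s} {pw}")
    bits = entropy_bits(20)
    print(f"{bits:.1f} bits each; ~{years_to_exhaust(bits):.1e} years to exhaust")
    print("reused:", find_reuse(vault) or "none")
```

The entropy figure is the honest measure of a generated password: 16 symbols drawn from 94 gives about 105 bits, and even at a billion guesses a second that space is not exhausted within any human timescale. A memorable password like the one guessed in the earlier example has far less entropy than its length suggests, because the attacker's guess list is ordered by what people actually choose.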

A password alone is no longer enough to keep your information secure!

Passwords alone are no longer enough. That’s why many systems now use Multi-factor authentication – Wikipedia (those random codes or the app on your smartphone) to provide an extra layer of protection. This means that when your password is compromised, you still have some protection. Yet even this assumes that the system you are accessing is itself secure. Gaining access to someone’s information does not always require a password, and you can even open the door to let the Bad Guys™ in yourself (see: Phishing – Wikipedia).

Security Is Hard

The truth is—security is hard. For every flaw or weakness that is plugged, patched, or removed, another one is found. Regardless of how many layers of protection we wrap around our things of value, someone will find a way to get to them. And if we need to use that thing every day, the mechanisms used to protect it get in the way. So, we need to strike a balance between security and usability.

Security is about balancing risk with ease of use. And both are wrong.

Your password doesn’t matter. It just needs to be complex and unique for every system. You won’t remember those passwords, but you don’t have to thanks to password managers. You just need to remember one password to give you access to the rest.

And for those really important systems you need access to, enable MFA (those silly codes on that smartphone app). That way you are making it harder for the Bad Guys™.

Thanks for reading.

PS. If you want to learn more about security and data breaches, visit Have I Been Pwned: Check if your email has been compromised in a data breach

Andy Prosser
