Password managers and data breaches

If the LinkedIn hack has told us anything, it's something we already knew.

You can't rely on even massive, well-known sites to store passwords correctly, or to have been doing so since they started out.

Get your family and friends set up

We as techies have a responsibility to our less technical family members to get them up to speed on password managers. We're all agreed that password managers are the way to go, right?

Password managers are a right faff

Password managers are a pain in the arse to use. They just are. Getting them to behave correctly with all manner of JavaScript-"enhanced" password forms in particular, in addition to working properly on your phone and with all the apps you have... Pain. In. The. Arse.

It's worth it, though

It'd be a much, much bigger pain in the arse to have your Amazon account pinched, your email breached, your PayPal account used to drain your bank account and/or credit card, and so on.

If you think it won't happen to you, then that level of complacency puts you at risk.

Password reuse

Everyone at some point reuses passwords. Even if you're on a password manager now, you may have old accounts lingering around from The Before Time.

Password reuse is the key problem relating to how this LinkedIn breach becomes a wider issue. Once a password you use has been cracked, that email/password combination can be tried out, usually by automated tooling against long lists of accounts, on other key sites to get into your account there too. It's not enough simply to change your password on the breached site; every other site where you used that password needs changing as well.

One-way hashing

Sites that are worth their salt* (so to speak - more on that later) don't store the password you entered as-is (referred to as storing in plain text), they instead calculate a one-way hash. Essentially, by applying a repeatable calculation to the password, they arrive at a secondary string of characters (the hash) that they store in their database instead of the password itself.

The idea is that it is hard (requires a lot of computing power and/or time) to work back from the hash to the password you entered. A salt, an additional random string of characters stored alongside the hash and mixed into the password before hashing it, makes the process harder in a specific way: two users with the same password get different hashes, and an attacker can't precompute a single table of hashes and reuse it against every account in the dump. Each account then has to be cracked separately. Sites that take this seriously also use a deliberately slow hash function designed for passwords, so that each guess costs the attacker real time.

When you login to the site in the future, they recompute the hash (with the salt if they're using one) and compare the hashes to see if they match. If using hashes, the sites do not know your actual password.

There are a lot of different hashing algorithms, and it turned out LinkedIn admitted that they used to use a relatively weak, fast one, without salts. This means it takes far fewer resources to crack those passwords. Indeed, at this point they have pretty much all been cracked.
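To make the difference concrete, here is an added example (my code, not anything from LinkedIn or from the original post). The "leaked database" and the attacker's wordlist are constructed for the demo. The weak scheme is unsalted SHA-1 (the scheme LinkedIn's dump was reported to use); the stronger one is salted PBKDF2-HMAC-SHA256 from the Python standard library, with the iteration count chosen as a sensible 2023-era value rather than anything the article specifies.

```python
import hashlib
import hmac
import os

# Constructed "leaked" table in the weak scheme the article describes:
# unsalted SHA-1 hex digests keyed by account.
LEAKED_UNSALTED = {
    "alice@example.com": hashlib.sha1(b"password123").hexdigest(),
    "bob@example.com": hashlib.sha1(b"linkedin2012").hexdigest(),
}

# Constructed attacker wordlist, standing in for a multi-million-entry dictionary.
WORDLIST = ["123456", "password", "password123", "letmein", "linkedin2012"]


def crack_unsalted(leaked: dict) -> dict:
    """Without salts, one hash per dictionary word cracks every account at once:
    identical passwords share a hash, so a precomputed table is reused for free."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in WORDLIST}
    return {account: table[h] for account, h in leaked.items() if h in table}


# Salted, deliberately slow hashing. Iteration count is an assumption for the demo.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Returns a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte random salt per password means two users with the same
    password get different records, and the attacker gets no precomputation."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so a timing difference does not leak how many leading bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("unsalted SHA-1, one pass of the wordlist:", crack_unsalted(LEAKED_UNSALTED))
    record = hash_password("correct horse battery staple")
    print("salted record:", record)
    print("verify correct:", verify_password(record, "correct horse battery staple"))
    print("verify wrong:", verify_password(record, "correct horse battery stable"))
```

Against the salted records the attacker has to run the slow hash once per word per account, rather than once per word for the whole dump, which is the whole point of salting plus a slow hash.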

Use a password manager

You need a unique password for every site you use, so that if one of them is breached you have a window of opportunity to change that password before it can be cracked and your account exploited, and so that the breach stays contained to that one site.

They all need to be strong: long, random strings of characters, numbers and (if possible) symbols. There's no way you're going to remember hundreds of such combinations and guess what? They're a pain in the arse to type out, especially on a mobile device.

Enter the password manager. With a strong passphrase for your master password, and Two Factor Authentication (later...) you can be relatively sure your password vault is safely secured.

The password manager does the job of generating and subsequently remembering those hundreds of random strings, so that all you need to do is remember your master password (and not use it on any other site!).
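Here is an added example of the generation side of that job, written for this page rather than taken from any particular password manager. It draws from the operating system's cryptographic random source via the secrets module (the plain random module is not suitable for this), reports how many bits of entropy a given length buys you, and generates a master-passphrase from a word list. The eight-word list is constructed for the demo; real lists such as the diceware one have about 7,776 words, which is what the entropy figure depends on.

```python
import math
import secrets
import string

# Letters, digits and symbols: 94 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list for the demo; a real diceware list has ~7,776 words.
WORDS = ["correct", "horse", "battery", "staple", "cloud", "pencil", "orange", "tunnel"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform choices from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """A per-site password: long, random, never remembered by a human.
    secrets.choice is unbiased and backed by the OS CSPRNG."""
    if length < 12:
        raise ValueError("site passwords should be at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 6, words=WORDS, sep: str = " ") -> str:
    """A master-password style passphrase: words chosen at random with replacement.
    Memorable, and the entropy is log2(len(words)) per word, not per character."""
    if n_words < 4:
        raise ValueError("use at least four words for a master passphrase")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def fits_site_charset(password: str, allowed: str) -> bool:
    """Some sites reject symbols; check before pasting rather than guessing."""
    return all(c in allowed for c in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(ALPHABET), len(pw)):.1f} bits)")
    print(generate_passphrase(), f"({entropy_bits(7776, 6):.1f} bits with a 7,776-word list)")
    print("fits letters+digits only:", fits_site_charset(pw, string.ascii_letters + string.digits))
```

The numbers are the useful part: 24 characters from a 94-character pool is about 157 bits, and six words from a real diceware list is about 77 bits, which is plenty for a master password that only ever goes through a slow hash on your own machine.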

Two factor authentication (2FA)

Most password managers support this and, increasingly, individual sites do too.

With single factor (password) authentication all an attacker needs to know is the password, which they can sometimes obtain from breaches such as LinkedIn's.

2FA means they have to have access to some other token as well. Often this is a one-time password generated by an app on your phone or sent to you by SMS (the app is the better of the two; SMS can be intercepted or redirected, but it still beats a password on its own). An attacker now needs not only your password but your phone too.

There are other methods available, and you have the option of printing out backup codes that you can use in an emergency. I know someone who has a spare Yubikey (USB device that generates 2FA codes) stashed in a safety deposit box. Just as long as you have a backup, you're OK.

To summarise

Password managers are a necessary faff in today's world of bad security practices and the commoditisation of data breaches, driven by how easy it is to sell those data dumps and be paid anonymously with cryptocurrency (Bitcoin et al).

Get set up. And register your email address at the excellent data breach notification service, https://haveibeenpwned.com/, so that you know as soon as possible if Something Bad Has Happened.


Obligatory XKCD link regarding passphrases: https://xkcd.com/936/