By Al Hartmann

Teaching Cybersecurity to Our Kids Part 3 – Passwords

In part 1 of this series about teaching cybersecurity to our next generation, our kids, we started discussing ways to help school-age children raise their cybersecurity IQ. In part 2 of this series, we covered the basics of how to scrutinize email and maintain good email security. Today, we’ll continue with a conversation on passwords, or “the P word”.

If the word “password” causes any of the following involuntary reactions, congratulations, you are a normal human being.

  • nausea
  • loss of vision
  • exasperation
  • hyper-ventilation
  • ALT+F4 or CMD+Q (close application key shortcuts)

In fact, I recommend that we use this as a ‘Turing Test’ to differentiate ‘Blade Runner’ androids from us meat sacks. Unfortunately, passwords are a vital part of keeping safe online.

Change is Good
As painful as it is, we have to change our passwords regularly. Many companies enforce this policy every 6 months. You should aim to change passwords once per year.

Hmm… searches the web for ‘National change your password day’… Yep, already exists. It’s February 1st.

Worst Passwords

Before considering what makes a good password, we should consider some bad ones. The TeamsID lists for 2016 and 2017 list the most common passwords for sale on the internet (about 5 million). Passwords like ‘12345’, ‘password’, ‘qwerty’, ‘admin’, ‘password1’, and ‘football’ fall in the top 25. They are based on common patterns or words with very little randomness. Password cracking dictionaries, known as rainbow tables, may contain many millions of the most likely passwords, and essentially all short passwords, where the definition of “short” grows each year.

Crafting a Good Password

The best password is a long, random string of characters of all types (numbers, upper and lowercase letters, symbols). Good luck trying to remember those for every website you have an account with! Using a password manager can help with that, but you still need at least one good, memorable password for the password manager itself.

There are several techniques people use, such as making Making Compound Passwords.

Or, you could join names with an older unrelated word or name and add some spice, such as:

Bieber!=Quasimod0

You can take a phrase or music lyric, using a mix of words and first-letters, then adding some symbols and numbers.

"I'd rather be a comma than a full stop." - Coldplay
1RatherBa,tafs

Since both of these examples contain context from our lives (athletes, actors, musicians and we admire), they have an inherent weakness. Anyone who can see your social media feed knows who you are a big fan of, so keep that in mind… avoid using references to things that you have been vocal about.

Challenge : Play 20 Questions

Think of a password that you currently use or have used in the past that is not very strong. Play a game of 20 questions with your child to how close they can get to discovering it. First, tell them approximately when you created the password, which gives them a context clue about your life and interests at that time. After they have grilled you, flip the script and ask them 20 questions about their password. Chances are, you both will want to change your password after this exercise. Example questions: – Is it related to X (a sports, celebrity, or music group)? Yes/No – Does it include a number? Yes/No – Etc

‘Security’ Questions

Most websites now ask that you provide answers to a few ‘security’ questions. In the case where you forget your password, or are locked out of your account, these questions can be used to verify your identity. These are usually very personal to you, and if someone were to get a hold of the answers used for one site, they would probably work for other sites you are registered with.
Here’s the deal… you don’t actually need to provide real answers. Any answer will do. These are especially fun when you get the chance to give them over the phone to an employee of your bank. If you use a password manager, you can write these answers or hints in the ‘notes’ field. Examples: – What is your father’s middle name? avocado toast – In what city did you meet your spouse? captain caveman – Favorite pet’s name? parmesan cheese

Password Reuse

If you aren’t using a password manager (which we’ll get to), you may be tempted to reuse passwords on multiple sites. This is like opening all the watertight doors on a ship sailing through an iceberg field. Then if there is a hull breach, all compartments flood and the ship sinks. Dumb. Miscreants on the dark web purchase pairs of user id’s and hashed passwords by the millions from previous site breaches, rent botnets to do the crunching, and crack 80-90 percent of the passwords overnight. Then they employ botnets again to go around to the most popular websites and try your user id (usually an email address) and cracked password. It has become such a common underworld practice, that the majority of popular site login attempts are made by bots trying to break into your accounts.

Password reuse cracking by botnets succeeds often enough for this to be a lucrative criminal enterprise. Especially if they can crack your email account itself, then they have struck the mother lode! Searching your email folders for sites where you have accounts takes only seconds. Even if you did create unique passwords for those other online accounts, they simply visit the site and request a password reset, which password reset link they then intercept from your email account. This is child’s play for an accomplished hacker team, eager to make you into a poster child for lax password security.

Having thoroughly castigated this password reuse laziness, it can be rationalized in some pathological cases. Microsoft researchers have argued that password reuse can be justified on low-risk websites, where one strong password (that you have made the effort to remember) may be preferable to many weak passwords, where you are too lazy, disorganized, or uninformed to use a password manager. For the password manager challenged, they claim, “Password re-use can be part of a coping strategy.” So here is our challenge …

Challenge : Use a Password Manager

I recommend password managers like Lastpass and 1Password to make it easy to create strong passwords for each site, without needing to remember them. You have one memorable, strong ‘master’ password to unlock access to all your passwords. You can then use random or less memorable passwords for each website. You can even share passwords with family members. Some things to keep in mind: – Even these password management companies get hacked. In that case, you have to change your master password, and ideally passwords for sensitive websites. – Change your master password each year.

A few websites still don’t play well with password managers, and you have to resort to copy / paste. Leaving the password in the clipboard makes it available to any running applications. Another good password manager is Keepass, which is open source software, plays well with all my Linux, Windows, macOS, and iOS devices, and it does clear the clipboard after a few seconds as a security precaution. It is also easy to store the encrypted password manager database in a cloud storage account and have it automatically sync across all your devices. Multiple cloud storage accounts can be used to cover separate password manager databases for personal, family, and business password collections.

Web Without Passwords?

A Microsoft Edge blog post touts a web without passwords. Instead, you can use biometrics, a PIN code, or a Fido2 hardware device like YubiKey or Google’s Titan Security Key. While you may argue that a PIN code is pretty much the same as a password, maybe even less secure, it sounds like you would only have a single PIN to identify yourself, and the browser and operating system takes care of the per-website secure key details. This is made possible by a new W3C Web Authentication specification, which as of this writing is almost at the approval stage. Presumably, the password-less model will only work on websites that support this new standard. In any case, this is a very positive step, and major kudos to the people that have been working on the standard over the past few years. Believe me, being part of a standards committee is like driving for Uber as a side gig without pay, and every passenger has a bone to pick with seemingly insignificant details about how you drive, and what route you take. It’s a labor of love because these engineers and product managers feel passionate about making our lives better.

Multifactor Authentication

PINs, passwords, and passphrases may be around for a long time, even though they are highly insecure when compared to stronger authentication methods. There will always be a place for “something you know” as an authentication factor. But wherever possible employ or enable multifactor authentication to buy yourself some additional authentication strength. This is especially imperative for your email accounts, whose compromise could be devastating, subjecting pathetic n00bs to total pwnage (as we noted previously), since email account compromise enables fraudulent password resets on any of your online accounts. My son learned this the hard way, when poor password hygiene (via password reuse, arrgh) resulted in his Uber account being hacked and hundreds of dollars of fraudulent charges. Only then did he finally enable two-factor authentication on his account. Learn from his sad example and turn on multifactor authentication before you get pwned.

Another word of advice here is to use a strong second factor, something stronger than a once NIST-deprecated SMS text message to your cellphone. A stronger second factor could be a FIDO2 security key (already discussed) or a Time-based One-Time Password algorithm (TOTP) app like Microsoft Authenticator or Google Authenticator, both of which reside on my own phone. The weakness with SMS texts is that it is simply too easy for an attacker to hijack your mobile phone account by conning a credulous cell provider rep. And your banking and brokerage accounts make tempting targets for mobile account takeover attacks.

ID-IOT Proof

Arlo security cams, Ring doorbells, and Nest thermostats are some of the more popular devices making up the IOT or Internet of Things. These are convenient devices that perform simple tasks that make life a little bit cooler. At the core, however, they are little more than small computers running Linux or Android operating systems. Computers as we know, require some administration, such as updating the software to patch known vulnerabilities. And in order to configure these sweet marvels of technology, they usually provide a web server requiring username and password. In 2017, the world witnessed the devastating fallout from the Mirai Botnet. Surprise, surprise, most consumers left the devices connected to the internet without changing the default password—“It works! Don’t touch it!”

Extra Credit : How Passwords Get Cracked

  • If you haven’t yet upgraded to Windows 10, read this Wired article on Mimikatz.
  • This NCSC Infographic does a good job summarizing the different ways passwords get compromised.
  • Troy Hunt’s haveibeenpwned.com will let you know if there have been any sightings of accounts related to your email address in known breaches.
  • John the Ripper and THC-Hydra are free tools to crack passwords, and can take advantage of NVidia Gaming cards for impressive processing speed. Penetration testers use these tools as well, just to convince your enterprise to improve password hygiene.
Get the General Here