Episode_14_Password_Basics

Ep14 Hello and welcome to episode 14 of the Sudo Social Club. I’m Edward Miro and in this week’s episode I’m gonna go over the basics of passwords.

The Sudo Social Club is a podcast and YouTube channel centered around cyber security awareness, IT security training, hacking capture the flags, wargames, and crypto challenges. Check us out at https://www.sudosocialclub.com where there are links to the YouTube video, audio only and a feed of all my past episodes for you to use anytime you need it. If anyone has any feedback or recommendations on how I can improve the channel please leave a comment or email me at sudosocialclub@protonmail.com. Thanks for tuning in, now let’s begin:

One of the first things most people think about when it comes to cyber security is their password. We all know that passwords are to our online accounts what keys are for our locks. Would you use the same key for your house, your car, your office and your safety deposit box? And if you did, what would happen if a bad guy could get a copy? They’d have access to everything. With so much of our personal, confidential, financial and medical information accessible from our various accounts what can we do to make things as safe as possible?

I feel it’s important for all users to have at least a general understanding of the technical side of passwords, if only to demonstrate WHY password length and complexity are important and WHY your passwords need to be different on every site.

Let’s say you go to a website that lets you create an account. When you choose the password you use for that site, very generally speaking, the site takes what you typed in, runs it through a math formula, otherwise known as a hashing algorithm, and turns your password into what’s called a hash. A well-run site also mixes in a random value called a salt before hashing, so two users who pick the same password end up with different hashes.

Imagine I gave you a secret PIN of “1234”. I need to tell you the PIN when we meet up so you’ll know it’s me, but if I’m afraid someone might be listening I will scramble it using a basic algorithm. Let’s say my algorithm is “n * 2”. I’ll take the secret code “1234”, multiply each digit by 2, then tell you the PIN is 2468, and you’ll know what it really is because we decided in advance which algorithm we were going to use. Websites do something like this, only in much more complicated ways, and with one important difference: “n * 2” can be undone by dividing by 2, but a real password hash is one-way. There is no formula that turns the hash back into the password; the site only ever needs to recompute the hash and check whether it matches.

Websites store the hashed version of your password on their server. When you log in, you type your password into your browser, it is sent to the server over an encrypted (HTTPS) connection, the server hashes it the same way and compares the result to the stored copy. They don’t need to store your clear-text password, and as long as the site uses HTTPS it doesn’t travel across the network in the clear either.

So the first problem is that websites get hacked and the stored hashes get leaked. A hash can’t be reversed, but it can be guessed: password-cracking tools hash billions of candidate passwords per second (dictionary words, common patterns, passwords from earlier breaches) and compare each result against the leaked hash. If your password is weak or short, it turns up in that guessing almost immediately. If you have a long and complex password, the number of guesses required is so large that cracking it is, for practical purposes, impossible.
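To make the two sides of this concrete, here is an added example (my own illustration, not code from the episode or from any particular site) showing both the careless way and the careful way to store a password, and then what an attacker does with a leaked hash. The wordlist is a constructed stand-in for a real cracking dictionary; the iteration count is an assumption that matches current PBKDF2-HMAC-SHA256 guidance.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed stand-in for a cracking dictionary (real ones hold hundreds of millions of entries).
WORDLIST = ["password", "123456", "letmein", "qwerty", "Texas2019", "correcthorsebatterystaple"]


def fast_unsalted_hash(password: str) -> str:
    """What a careless site does: a single bare SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hash: str, wordlist) -> Optional[str]:
    """Attacker's side. Nothing is 'reversed': every guess is hashed and compared."""
    for guess in wordlist:
        if fast_unsalted_hash(guess) == leaked_hash:
            return guess
    return None


def store_password(password: str, iterations: int = 600_000) -> str:
    """What a careful site does: random per-user salt plus a deliberately slow KDF.

    The 600,000 iteration default is an assumption (OWASP's published figure for
    PBKDF2-HMAC-SHA256); the server tunes this to its own hardware.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be raised later without breaking old users.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str, wordlist) -> Optional[str]:
    """Same attack against the salted, iterated record: each guess costs a full KDF run,
    and the salt means that work cannot be shared across users or precomputed."""
    for guess in wordlist:
        if verify_password(stored, guess):
            return guess
    return None


if __name__ == "__main__":
    leaked = fast_unsalted_hash("letmein")
    t0 = time.perf_counter()
    print("unsalted SHA-256 cracked to:", crack_unsalted(leaked, WORDLIST),
          f"in {time.perf_counter() - t0:.6f}s")

    record = store_password("letmein")
    t0 = time.perf_counter()
    print("salted PBKDF2 cracked to:", crack_salted(record, WORDLIST),
          f"in {time.perf_counter() - t0:.3f}s (this is the cost per guess, per user)")
```

The same weak password is recovered in both cases; what the salt and the slow KDF buy is that every guess against every user costs the attacker the full iteration count, so a wordlist that runs through an unsalted SHA-256 dump in seconds takes orders of magnitude longer. Only a password that is not on any list survives in the long run, which is the point the episode makes next.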

So if you followed my advice in one of the last episodes and checked https://haveibeenpwned.com, you might see that you were involved in a breach. I have, most of us have. That means if you used a weak password for that site, it was probably easy to crack. If you use the same password on all your sites, the attackers will use ‘credential stuffing’ and try that email and password combination on other sites just to see if you used them there too. Even worse, some sites have been found to not even bother hashing passwords, storing our credentials in clear text.

So you need to use complex and long passwords, and they need to be different. Okay, I feel pretty good about that explanation, so let’s move on to my recommendations. If we need to revisit this in the future we can, so feel free to send me any feedback.

Also I name a few specific services/apps, but that shouldn’t imply I think they are the best option for everyone, only myself.

For me personally, I employ and advise a three-faceted approach:

  1. Complex passwords
  2. Unique passwords
  3. Two-step authentication (where available)

Clearly the solution is to use a unique password for each account and make each one complicated enough that an attacker couldn’t guess it or crack it within any useful amount of time. One problem this presents to general users is the inconvenience and difficulty of remembering these passwords or storing them in a secure way.

My recommendation is to use a password manager such as LastPass. Applications like LastPass give you the ability to store all your passwords in an encrypted “vault” and then request them through browser add-ons or its standalone program. They also have built-in features that generate secure passwords at any length or complexity.

When using a password manager, all you have to remember is your master password. When you sign in, the manager can then decrypt all your saved passwords and let you use them. When I sign up for a website I use LastPass to generate the longest and most complex password supported by the site. It gets stored in my vault safely for later use.

There are various options online to choose from and I suggest you do some research and try a few different ones to see what is comfortable for you. One thing to consider when using a password manager is that the master password is your single point of failure and should be a long and complex password that you don’t use ANYWHERE else.

Also, if you’re a business owner, you should know that many password managers have enterprise options: you can set your users up with accounts, share passwords with them that they can use but can’t see, and easily grant and revoke access.

Moving on.

If you’re wondering how to come up with a secure password that you can remember for that master password there are various strategies online, but I follow this:

Take a poem, song lyrics or phrase that is easy for you to remember.

For this example I’ll use the phrase: “The stars at night are big and bright. Deep in the heart of Texas.”

Then I take the first letters from each word:

TsanababdithoT

Then swap out the vowels (and any other letters you like) for numbers and special characters. Keep in mind that cracking tools know these substitutions too, so most of the strength comes from the length and from how unpredictable the underlying phrase is:

T5@n@b@bd1th0T

I checked that password on Dashlane’s https://howsecureismypassword.net and got the following results:

It would take a computer about 204 million years to crack your password

And that’s just an example of a very secure password that I thought up in just a few seconds and that I probably won’t ever be able to forget.
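As an added example (my own code, not the episode’s and not how any of the linked estimators work internally), this script reproduces the two transformation steps above and then shows where numbers like “204 million years” come from: they are a keyspace divided by an assumed guessing rate, so the guessing rate and the attacker’s knowledge matter as much as the password. The guess rates and the phrase/rule counts in the targeted estimate are assumptions for illustration.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The substitutions used in the episode's example (s->5 is included because the example uses it).
LEET = {"a": "@", "i": "1", "o": "0", "s": "5"}


def first_letters(phrase: str) -> str:
    """Step 1: first letter of each word, case preserved (so 'Deep' contributes 'D')."""
    return "".join(word[0] for word in phrase.split() if word[0].isalpha())


def substitute(text: str, table=LEET) -> str:
    """Step 2: replace selected letters with digits/symbols."""
    return "".join(table.get(ch, ch) for ch in text)


def charset_size(password: str) -> int:
    """Size of the alphabet a blind brute-force attacker must assume from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def blind_keyspace(password: str) -> int:
    """Worst case for a brute-force attacker who knows nothing but length and character classes."""
    return charset_size(password) ** len(password)


def years_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Convert a number of guesses into years at an assumed rate (worst case: full search)."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def targeted_guesses(n_phrases: int, n_rule_variants: int) -> int:
    """Attacker who suspects the 'first letters of a phrase' method: candidate phrases
    times mangling-rule variants (case flips, leet substitutions, appended digits)."""
    return n_phrases * n_rule_variants


if __name__ == "__main__":
    phrase = "The stars at night are big and bright. Deep in the heart of Texas."
    pw = substitute(first_letters(phrase))
    print("password:", pw, "| alphabet size:", charset_size(pw))
    # Same password, three assumed rates: a single GPU against a slow hash, a GPU rig
    # against unsalted MD5, and a hypothetical very large cluster.
    for rate in (1e5, 1e10, 1e13):
        print(f"blind brute force at {rate:.0e} guesses/s: "
              f"{years_to_exhaust(blind_keyspace(pw), rate):.3g} years")
    # If the attacker has a list of a million song lyrics and quotes and 10,000 rule
    # variants per phrase (both assumed figures), the keyspace collapses.
    tg = targeted_guesses(1_000_000, 10_000)
    print(f"targeted phrase attack, {tg:.0e} guesses at 1e10/s: "
          f"{years_to_exhaust(tg, 1e10) * SECONDS_PER_YEAR:.1f} seconds")
```

The blind estimate for a 14-character mixed-class password is astronomically large at any realistic rate, which is why the online checkers report millions of years. The last line is the caveat: an attacker who guesses that the password is an acronym of a well-known lyric does not search that space at all, so the phrase should be something only you would pick.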

Another very important recommendation I want to touch on in this episode is using two-step authentication. I use it for all accounts that offer it and it’s very easy to set up and use. It works in tandem with an application on my mobile device called Google Authenticator, which is available for Android and iOS. After you install the app, you go to the security settings for the account you want to protect and register it with the app, usually by scanning a QR code. That code carries a secret key that the site and your phone will share from then on.

What it does is provide a second, one-time code when logging in. When you log in, the site prompts for the two-step authentication code, you open the Google Authenticator app and the current code for that account is listed. Each code is computed from the shared secret and the current time, is only valid for a short window (typically 30 seconds) and then changes, so a code an attacker manages to capture is useless a moment later.

A few closing thoughts:

Some information security professionals see a password manager as insecure due to it being a single point of failure. I can understand this and would respond that although this might be true, having a complex master password (mine is 25 characters) and using the manager in conjunction with two-step authentication makes it a pretty safe and solid system. And even if there is a breach, none of my passwords are the same and changing them is incredibly fast and easy with a manager.

Also, I usually don’t recommend keeping hard copies of passwords, but if you can guarantee the physical security of your password list, this in my opinion is preferable to using the same, insecure password for all your accounts.

Alright. If you like this week’s episode and want to help support this channel please subscribe to the podcast through whatever podcatcher you found me through and please subscribe to the YouTube channel. Links to everything on https://www.sudosocialclub.com, and if you want to help the channel grow please share on your social media. Once again I’m Edward Miro and you can contact me at sudosocialclub@protonmail.com with any comments, questions, corrections or feedback including ideas for future episodes. Thanks for checking out the Sudo Social Club. Have a great week!

Links:

https://haveibeenpwned.com
https://howsecureismypassword.net
https://www.lastpass.com
https://twofactorauth.org
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
https://apps.apple.com/us/app/google-authenticator/id388497605

Written on July 14, 2019