Why You Need a Password Manager

Intro

Many in the security community predict that passwords are on their way out. We believe it’s conservative to assume that they’ll be critical to your security for many years to come. According to Verizon’s 2022 Data Breach Investigations Report, 80% of data breaches from web application attacks are attributed to stolen credentials. It’s safe to suggest that stronger passwords and better password practices would go a long way toward reducing that number. Of course, multifactor authentication can help, but we’ll focus on password practices in this post.

With the dozens, or even hundreds, of credentials that many of us manage, it’s no longer feasible to create and manage secure passwords without a password manager. Not only are we maintaining more credentials than ever (bank accounts, social media, email, Wi-Fi, disk encryption, etc.), but password-cracking capabilities are also likely many times more advanced than you realize.

For the managers and business owners out there, take note. Employees often follow poorer password practices in the workplace than they do at home. The reasoning is that if one of their personal accounts gets hacked, they’ve got a big problem on their hands, but if one of their work accounts gets hacked, that’s their employer’s problem. Many fail to realize that their entire business could be destroyed by a bad password, a phishing email, etc. You need to take this seriously.

Podcast

1
00:00:00,000 –> 00:00:13,200
Welcome to the Bigger Insights Privacy and Security podcast.

2
00:00:13,200 –> 00:00:18,600
In this episode, we’re going to be talking about password managers and why you need one.

3
00:00:18,600 –> 00:00:22,880
We wrote an article about this on our website, biggerinsights.com.

4
00:00:22,880 –> 00:00:27,200
If you go there, click the little search icon, type in password managers,

5
00:00:27,200 –> 00:00:28,920
it should show up.

6
00:00:28,920 –> 00:00:34,360
And in that article, there are links and pictures and examples and things like that that are

7
00:00:34,360 –> 00:00:38,360
kind of difficult to communicate through audio.

8
00:00:38,360 –> 00:00:41,040
So if you’re interested, go check that out.

9
00:00:41,040 –> 00:00:45,160
Some experts talk about passwords being on their way out.

10
00:00:45,160 –> 00:00:51,520
There are a lot of limitations to passwords and basically how people use and manage them.

11
00:00:51,520 –> 00:00:56,600
However, we still think that they’re very important and they’re going to play an important

12
00:00:56,600 –> 00:00:59,480
role in people’s lives for many years to come.

13
00:00:59,480 –> 00:01:06,280
I don’t know about you guys, but last time I checked, I have about 450 unique sets of

14
00:01:06,280 –> 00:01:09,400
credentials that I’ve managed over the years.

15
00:01:09,400 –> 00:01:14,080
Some of those have since been closed, but it’s still quite a bit to manage.

16
00:01:14,080 –> 00:01:20,040
And you know, I acknowledge that the average person probably doesn’t have that many, but

17
00:01:20,040 –> 00:01:23,760
you probably have more credentials than you realize.

18
00:01:23,760 –> 00:01:30,000
If you actually sit down sometime and list out all of your email accounts, social media,

19
00:01:30,000 –> 00:01:36,160
online shopping, school accounts, government accounts, work accounts…

20
00:01:36,160 –> 00:01:37,560
It’s a lot.

21
00:01:37,560 –> 00:01:43,680
And if you’re not using a password manager, my question for you is, what are you using?

22
00:01:43,680 –> 00:01:49,520
From our research and experience, chances are what you’re doing is using really insecure

23
00:01:49,520 –> 00:01:57,480
passwords or reusing them over and over or storing them in a really insecure manner,

24
00:01:57,480 –> 00:02:04,480
like in a text file or an Excel file on your desktop or in Dropbox or something like that.

25
00:02:04,480 –> 00:02:12,240
So before we talk about what exactly a password manager is, we’re going to spend quite a bit

26
00:02:12,240 –> 00:02:18,840
of time talking about why they’re important and why your passwords are probably a lot

27
00:02:18,840 –> 00:02:21,920
more vulnerable than you think that they are.

28
00:02:21,920 –> 00:02:28,120
So every year Verizon does what they call a data breach investigations report.

29
00:02:28,120 –> 00:02:29,480
You can look it up and read them.

30
00:02:29,480 –> 00:02:31,600
They’re actually pretty interesting.

31
00:02:31,600 –> 00:02:40,000
So in 2022, they concluded that about 80% of data breaches in web applications were

32
00:02:40,000 –> 00:02:43,120
more or less due to stolen credentials.

33
00:02:43,120 –> 00:02:50,960
Now there’s a lot of detail and nuance in there, but one of the key takeaways is a huge

34
00:02:50,960 –> 00:02:59,240
amount of the problems that we have in cybersecurity world are due to weak passwords, reused passwords

35
00:02:59,240 –> 00:03:02,200
and poorly stored passwords.

36
00:03:02,200 –> 00:03:07,720
So that sounds kind of depressing, but at the same time, that means that we have a lot

37
00:03:07,720 –> 00:03:16,000
of low hanging fruit here, where if we can teach people how to use and store strong passwords,

38
00:03:16,000 –> 00:03:18,600
then we can really do a lot of good.

39
00:03:18,600 –> 00:03:23,160
Along those lines, there are a couple of key things to keep in mind.

40
00:03:23,160 –> 00:03:28,600
One is that a compromised password can ruin your life, it can ruin

41
00:03:28,600 –> 00:03:30,440
your business.

42
00:03:30,440 –> 00:03:38,240
And I think one of the most important things that people are missing is that it is incredibly

43
00:03:38,240 –> 00:03:42,640
easy to crack the average person’s password.

44
00:03:42,640 –> 00:03:48,600
So before we go on, let’s talk a little bit about passwords in general.

45
00:03:48,600 –> 00:03:55,640
So generally speaking, passwords are used for third-party access.

46
00:03:55,640 –> 00:04:01,800
So when you go online and you create an account somewhere and you set a password, most of

47
00:04:01,800 –> 00:04:05,560
the time that’s just used for accessing your account.

48
00:04:05,560 –> 00:04:08,120
It’s not end-to-end encrypted (E2EE).

49
00:04:08,120 –> 00:04:14,040
And what’s important about that is we believe that a lot of people have a false sense of

50
00:04:14,040 –> 00:04:22,280
security because they think to themselves, well, when I sat down and I created my password,

51
00:04:22,280 –> 00:04:26,320
nobody saw me type that in, nobody knows what my password is.

52
00:04:26,320 –> 00:04:33,960
Therefore, my password is secure, my account is secure, my data is secure, and that’s generally

53
00:04:33,960 –> 00:04:35,840
not the case.

54
00:04:35,840 –> 00:04:41,180
If your password is not being used to encrypt your data, it’s just used to prevent somebody

55
00:04:41,180 –> 00:04:43,320
from signing into your account.

56
00:04:43,320 –> 00:04:48,480
What that means is that, first of all, your password is being stored.

57
00:04:48,480 –> 00:04:55,120
So if you go to Fecesbook and you make an account, they store a hashed version of

58
00:04:55,120 –> 00:04:56,760
your password.

59
00:04:56,760 –> 00:04:59,320
And there are a couple of issues with that.

60
00:04:59,320 –> 00:05:03,360
One is you don’t know how they’re hashing and storing your password.

61
00:05:03,360 –> 00:05:08,280
It’s possible that they’re not hashing it at all and just storing it in plain text.

62
00:05:08,280 –> 00:05:13,920
And the other issue is they don’t need to know what your password is to access your

63
00:05:13,920 –> 00:05:14,920
data.

64
00:05:14,920 –> 00:05:19,640
Now, this is a little bit more of a privacy concern than it is a security concern.

65
00:05:19,640 –> 00:05:25,960
But when you store data in most third-party services, they don’t use your keys to encrypt

66
00:05:25,960 –> 00:05:26,960
your data.

67
00:05:26,960 –> 00:05:28,160
They use their keys.

68
00:05:28,160 –> 00:05:33,880
So not only can they access your data anytime they want for any reason they want without

69
00:05:33,880 –> 00:05:38,360
knowing your password, but the fact that they’re storing your password makes it vulnerable

70
00:05:38,360 –> 00:05:40,560
to a data breach.

71
00:05:40,560 –> 00:05:46,000
So when we talk about password hashing, what we’re referring to is that your passwords start

72
00:05:46,000 –> 00:05:50,480
in plain text, and then they run through a one-way hash function.

73
00:05:50,480 –> 00:05:57,840
And what this does is it converts your plain text password into a string of characters

74
00:05:57,840 –> 00:06:03,680
that make it difficult for someone to figure out what the original plain text password

75
00:06:03,680 –> 00:06:04,680
was.

76
00:06:04,680 –> 00:06:10,760
Now, any legitimate service should be hashing and salting your password.

77
00:06:10,760 –> 00:06:15,640
But every once in a while, we do find one that’s not doing that, either not doing it

78
00:06:15,640 –> 00:06:21,320
at all or using a really weak hashing function, which makes your passwords vulnerable to being

79
00:06:21,320 –> 00:06:23,000
cracked.

80
00:06:23,000 –> 00:06:30,080
So another thing that a piece of software or a service should be doing to try to prevent

81
00:06:30,080 –> 00:06:34,320
people from cracking your password is rate limiting.

82
00:06:34,320 –> 00:06:41,240
So if you go to, you know, Fecesbook or Google or whatever, and you type in someone’s username

83
00:06:41,240 –> 00:06:46,680
and try to start guessing their password, you’re going to run into rate limiting.

84
00:06:46,680 –> 00:06:51,160
So after a few failed attempts, they might start to slow you down.

85
00:06:51,160 –> 00:06:56,160
They might tell you to, you know, try again in 10 minutes or block your connection or

86
00:06:56,160 –> 00:06:57,960
something like that.

87
00:06:57,960 –> 00:07:06,360
So that’s great, but between the rate limiting and hashing and all these other techniques,

88
00:07:06,360 –> 00:07:11,360
you know, we’re concerned that these give people a false sense of security.

89
00:07:11,360 –> 00:07:17,440
So when you think about somebody trying to break into your accounts or crack your password,

90
00:07:17,440 –> 00:07:19,520
what kind of things come to mind?

91
00:07:19,520 –> 00:07:27,160
I think that what most people are thinking is one person sitting down at their computer

92
00:07:27,160 –> 00:07:34,080
going to fecesbook.com typing in your email address and just guessing passwords over and

93
00:07:34,080 –> 00:07:40,760
over until they get in, but that’s not really how it works.

94
00:07:40,760 –> 00:07:46,800
Typically, passwords are cracked using automated means and in bulk.

95
00:07:46,800 –> 00:07:53,120
So it is possible that someone will sit down and try to guess your passwords, but don’t

96
00:07:53,120 –> 00:07:56,560
let that give you a false sense of security.

97
00:07:56,560 –> 00:08:03,720
Typically what happens is a service provider gets hacked and then somebody will get into

98
00:08:03,720 –> 00:08:09,800
their systems and download all of their database contents.

99
00:08:09,800 –> 00:08:16,160
And what’s in there is, you know, your username, your email address, and what should be in

100
00:08:16,160 –> 00:08:19,600
there is a hashed version of your password.

101
00:08:19,600 –> 00:08:24,720
So once they get all that information, the rate limiting is out the window because now

102
00:08:24,720 –> 00:08:27,280
your hashed password is on their system.

103
00:08:27,280 –> 00:08:28,840
They don’t have to abide by rate limiting.

104
00:08:28,840 –> 00:08:34,280
They’re now only limited by their CPU or their GPU.

105
00:08:34,280 –> 00:08:40,040
So at that point, the only thing that’s really protecting you is how strong your password

106
00:08:40,040 –> 00:08:43,560
is or how well it’s hashed.

107
00:08:43,560 –> 00:08:49,320
If it’s hashed with a very weak algorithm like MD5 or something, then there’s a good

108
00:08:49,320 –> 00:08:52,360
chance that someone’s going to crack your password.

109
00:08:52,360 –> 00:09:00,440
But beyond just the automated means, I think a lot of people have a false sense of security

110
00:09:00,440 –> 00:09:07,680
about their accounts and data because they think to themselves, well, I’m not Elon Musk.

111
00:09:07,680 –> 00:09:13,720
So why would anybody take the time to try to hack my accounts?

112
00:09:13,720 –> 00:09:19,320
And what you need to understand about that is a lot of this is not just automated,

113
00:09:19,320 –> 00:09:23,000
it’s not personal, and it’s done in bulk.

114
00:09:23,000 –> 00:09:30,120
So like when LinkedIn got hacked, somebody dumped their database contents and tried to

115
00:09:30,120 –> 00:09:34,080
crack every single account that was in there.

116
00:09:34,080 –> 00:09:39,320
So even if you think that you don’t matter to anybody or nobody knows who you are or

117
00:09:39,320 –> 00:09:42,440
whatever, that has nothing to do with anything.

118
00:09:42,440 –> 00:09:44,440
This is not personal.

119
00:09:44,440 –> 00:09:50,240
So the key takeaway here is to not delude yourself into believing that you’re safe either

120
00:09:50,240 –> 00:09:57,000
because you think nobody on the planet knows your password and nobody would have any reason

121
00:09:57,000 –> 00:09:58,600
to target you individually.

122
00:09:58,600 –> 00:10:00,680
That’s not how this works.

123
00:10:00,680 –> 00:10:05,720
Let’s switch gears to a concrete example to help drive this point home.

124
00:10:05,720 –> 00:10:10,560
So I saw a story a little while ago about a guy in Israel

125
00:10:10,560 –> 00:10:16,040
who just happened to notice that a lot of his friends and neighbors used phone numbers

126
00:10:16,040 –> 00:10:18,960
as their Wi-Fi passwords.

127
00:10:18,960 –> 00:10:25,400
So he was interested in this and wanted to see if this was a common thing or if it was

128
00:10:25,400 –> 00:10:28,000
just an anomaly that he noticed.

129
00:10:28,000 –> 00:10:35,840
So he put a little kit together with a laptop and a cheap Wi-Fi monitoring device, which

130
00:10:35,840 –> 00:10:37,400
you don’t even really need, by the way.

131
00:10:37,400 –> 00:10:44,440
I mean, a lot of Wi-Fi cards in laptops can be operated in monitoring mode, which basically

132
00:10:44,440 –> 00:10:50,120
allows it to listen to and capture any Wi-Fi traffic that’s within range.

133
00:10:50,120 –> 00:10:51,960
But anyway, that’s what he did.

134
00:10:51,960 –> 00:10:59,280
And he walked around a few neighborhoods and ended up picking up about 5,000 Wi-Fi password

135
00:10:59,280 –> 00:11:00,680
hashes.

136
00:11:00,680 –> 00:11:06,000
So he went back home and used his laptop to try to crack them.

137
00:11:06,000 –> 00:11:12,720
And the first thing that he tried was to see how many people were using phone numbers as

138
00:11:12,720 –> 00:11:14,680
their passwords.

139
00:11:14,680 –> 00:11:23,800
Within just a matter of minutes, he was able to crack about 2,200 of the 5,000 Wi-Fi networks

140
00:11:23,800 –> 00:11:27,280
because they were using a phone number as a password.

141
00:11:27,280 –> 00:11:30,000
Now, you should never do that.

142
00:11:30,000 –> 00:11:33,520
A phone number is an incredibly weak password.

143
00:11:33,520 –> 00:11:38,200
You’re almost better off not even having a password at that point because even a modest

144
00:11:38,200 –> 00:11:45,520
computer can crack a 10-digit number as a password in about one to two seconds.

145
00:11:45,520 –> 00:11:48,400
It’s not like this guy was running an HPC or something.

146
00:11:48,400 –> 00:11:51,080
He was on a very modest laptop.

147
00:11:51,080 –> 00:11:56,280
So if you’re using a phone number as your Wi-Fi password, I would pause this podcast

148
00:11:56,280 –> 00:11:59,600
right now and I would change that as soon as possible.

149
00:11:59,600 –> 00:12:04,880
So after that, he ran a dictionary attack, which we’ll talk about in a little bit.

150
00:12:04,880 –> 00:12:07,680
It’s a very simple concept.

151
00:12:07,680 –> 00:12:09,240
Anybody can do it.

152
00:12:09,240 –> 00:12:13,400
And that allowed him to crack 900 additional passwords.

153
00:12:13,400 –> 00:12:24,400
So by this point, he’s got between 60 and 70% of the 5,000 Wi-Fi networks cracked in literally

154
00:12:24,400 –> 00:12:26,840
just a couple of hours.

155
00:12:26,840 –> 00:12:31,080
And just to help drive the point home about using a phone number as a password, even though

156
00:12:31,080 –> 00:12:39,640
this guy was using a relatively weak laptop, his CPU was able to guess 194,000 hashes per

157
00:12:39,640 –> 00:12:42,960
second, which is actually quite poor.

158
00:12:42,960 –> 00:12:51,320
I mean, if he was using a desktop with an array of decent GPUs, that could be well in the

159
00:12:51,320 –> 00:12:52,320
millions.

160
00:12:52,320 –> 00:12:54,760
So just keep that in mind when you’re creating passwords.

161
00:12:54,760 –> 00:12:59,840
If they’re relatively weak, it really wouldn’t take someone that much effort to use a system

162
00:12:59,840 –> 00:13:06,200
that can guess millions of passwords per second and crack your password, even if they can’t

163
00:13:06,200 –> 00:13:09,760
use more sophisticated techniques.

164
00:13:09,760 –> 00:13:15,400
And while this particular incident occurred in Israel, you know, we’re under the impression

165
00:13:15,400 –> 00:13:18,440
that this is probably a worldwide problem.

166
00:13:18,440 –> 00:13:24,720
So just from my personal experience, I recall one time I was at a professional services

167
00:13:24,720 –> 00:13:32,040
firm and I wanted to get on their Wi-Fi and I asked one of the employees there what their

168
00:13:32,040 –> 00:13:39,520
Wi-Fi password was and the guy who owned the place said, it’s our phone number.

169
00:13:39,520 –> 00:13:44,560
And I have heard of other people using their phone number as their Wi-Fi password.

170
00:13:44,560 –> 00:13:50,840
So not only is that incredibly weak and very easy to crack, but once somebody does crack

171
00:13:50,840 –> 00:13:53,880
that, now they also know your phone number.

172
00:13:53,880 –> 00:13:58,800
So now let’s talk about how people create passwords when they’re not using a password

173
00:13:58,800 –> 00:14:00,320
manager.

174
00:14:00,320 –> 00:14:06,840
So because we use a password manager, every single password we use is long, random and

175
00:14:06,840 –> 00:14:16,320
unique, and there’s no way that a human being could do that without storing them in some

176
00:14:16,320 –> 00:14:18,760
way like a password manager.

177
00:14:18,760 –> 00:14:26,040
So what people do instead is oftentimes they’ll reuse passwords over and over.

178
00:14:26,040 –> 00:14:29,400
And there’s a lot of problems with doing that.

179
00:14:29,400 –> 00:14:35,840
We mentioned before that some services might be storing your password in plain text.

180
00:14:35,840 –> 00:14:41,200
So in that case, even if you are using a strong password, if it’s sitting on someone’s server

181
00:14:41,200 –> 00:14:47,560
in plain text, their employees can see that, their contractors might be able to see that,

182
00:14:47,560 –> 00:14:52,720
and if anybody hacks into their servers and downloads that, then at that point it doesn’t

183
00:14:52,720 –> 00:14:57,640
matter how strong your password is because they have it and they can use it directly.

184
00:14:57,640 –> 00:15:02,560
And since password reuse is such a common problem, once somebody gets a hold of your

185
00:15:02,560 –> 00:15:08,800
password, one of the things that they’ll usually try is finding your other accounts and seeing

186
00:15:08,800 –> 00:15:11,200
if you’re using the same password.

187
00:15:11,200 –> 00:15:17,360
And if you are, then they can get into any other account that uses that password.

188
00:15:17,360 –> 00:15:22,520
And that might sound a little far-fetched to some people, but what you need to understand

189
00:15:22,520 –> 00:15:24,680
about that is a couple of things.

190
00:15:24,680 –> 00:15:28,200
One, oftentimes credential stuffing is automated.

191
00:15:28,200 –> 00:15:33,400
So it’s not like somebody’s necessarily sitting there and going to, you know, thousands of

192
00:15:33,400 –> 00:15:37,600
random websites and typing in your credentials to see if they work.

193
00:15:37,600 –> 00:15:44,440
And another thing is, there are a lot of websites out there where you can type in people’s

194
00:15:44,440 –> 00:15:50,680
email addresses, usernames, phone numbers and things like that and pull up a list of

195
00:15:50,680 –> 00:15:52,680
their known accounts.

196
00:15:52,680 –> 00:15:58,560
So credential stuffing isn’t just, you know, some academic exercise, it’s a very real issue

197
00:15:58,560 –> 00:16:00,960
and it’s a very valid concern.

198
00:16:00,960 –> 00:16:04,680
It’s why you should never, ever reuse passwords.

199
00:16:04,680 –> 00:16:11,120
Another problem with reusing passwords or using a password and kind of modifying it a

200
00:16:11,120 –> 00:16:16,200
little bit from one system to the next is, and you’ll find this out the hard

201
00:16:16,200 –> 00:16:19,880
way, that every system has its own rules.

202
00:16:19,880 –> 00:16:28,320
So even if you can memorize like a 50-character random, highly secure password, that’s great

203
00:16:28,320 –> 00:16:34,960
until you get to a service that only allows, say, a 20-character password, or some of them

204
00:16:34,960 –> 00:16:40,080
don’t allow asterisks, some of them don’t allow underscores and so on.

205
00:16:40,080 –> 00:16:45,240
So this also makes memorizing passwords very difficult.

206
00:16:45,240 –> 00:16:53,040
I remember not too many years ago, I had an account at a financial institution where their

207
00:16:53,040 –> 00:16:59,840
password rules were that your password could be no more than 12 characters, numbers and

208
00:16:59,840 –> 00:17:02,680
lowercase letters only.

209
00:17:02,680 –> 00:17:09,480
So for that particular service, they were forcing me to use an insecure password.

210
00:17:09,480 –> 00:17:16,080
Luckily I was using a password manager and I could limit that weak password to that system

211
00:17:16,080 –> 00:17:22,320
rather than use say one weak password for all of my systems.

212
00:17:22,320 –> 00:17:27,360
Another thing that people commonly do when they’re not using a password manager is they

213
00:17:27,360 –> 00:17:33,840
have these kind of gimmicks that they use to generate passwords and that’s usually something

214
00:17:33,840 –> 00:17:42,440
like using the name of your pet or your child or your spouse, using certain kinds of dates

215
00:17:42,440 –> 00:17:49,320
like dates of birth or anniversary dates, travel destinations, hobbies and so on, which

216
00:17:49,320 –> 00:17:54,560
of course for most people is pretty easy to find out whether those are public records

217
00:17:54,560 –> 00:17:58,440
or spammed on social media accounts and whatnot.

218
00:17:58,440 –> 00:18:04,080
So you definitely don’t want to use that kind of information in your passwords.

219
00:18:04,080 –> 00:18:10,440
One thing to keep in mind about that is there are tools out there where you can enter in

220
00:18:10,440 –> 00:18:16,960
this kind of information and it will generate tens, hundreds, thousands, hundreds of thousands

221
00:18:16,960 –> 00:18:23,960
of potential password combinations that somebody might be using with this kind of information.

222
00:18:23,960 –> 00:18:28,640
Another thing that we’ll notice people doing when they’re not using a password manager is

223
00:18:28,640 –> 00:18:34,920
we’ll see them store their credentials in something like an Excel spreadsheet or put

224
00:18:34,920 –> 00:18:37,560
them on a sticky note or something.

225
00:18:37,560 –> 00:18:43,640
And it’s not that uncommon to see these stories where, you know, malware steals these files

226
00:18:43,640 –> 00:18:48,960
off of people’s computers or someone makes a video of themselves or takes a selfie or

227
00:18:48,960 –> 00:18:53,480
something and you can see their password on their sticky note in the background.

228
00:18:53,480 –> 00:18:59,600
So even if you are creating strong passwords, you also need to be cognizant of storing them

229
00:18:59,600 –> 00:19:01,680
securely.

230
00:19:01,680 –> 00:19:08,360
And one interesting thing to note about Microsoft Excel, if you actually read through Microsoft’s

231
00:19:08,360 –> 00:19:14,000
documentation and you know their descriptions of things in like the group policy editor

232
00:19:14,000 –> 00:19:23,320
and whatnot, you can see that Microsoft Windows has the capability of capturing keystrokes,

233
00:19:23,320 –> 00:19:29,280
screenshots, mouse clicks, files and stuff, especially when something crashes.

234
00:19:29,280 –> 00:19:36,680
So I would also be hesitant to, you know, store sensitive data in

235
00:19:36,680 –> 00:19:42,160
an Excel file because there is a chance that some Microsoft employees could get access

236
00:19:42,160 –> 00:19:44,000
to some of that data.

237
00:19:44,000 –> 00:19:48,520
That’s also a reason to consider not using Windows, but that’s the subject of another

238
00:19:48,520 –> 00:19:50,000
episode.

239
00:19:50,000 –> 00:19:52,400
So what does this mean for you?

240
00:19:52,400 –> 00:19:58,440
What you need to understand is that people who crack passwords understand these things.

241
00:19:58,440 –> 00:20:05,880
They understand how people create passwords and believe it or not, they have a lot of

242
00:20:05,880 –> 00:20:10,680
tools at their disposal that they can use to crack your passwords.

243
00:20:10,680 –> 00:20:14,720
So one of those is password dictionaries.

244
00:20:14,720 –> 00:20:19,800
When an attacker gets a hold of one of your hashed passwords, they can only really make

245
00:20:19,800 –> 00:20:26,100
use of that by figuring out what the plain text password was that generated that hash.

246
00:20:26,100 –> 00:20:32,360
So the hashing is helpful in your case, but it’s really only as strong as your password.

247
00:20:32,360 –> 00:20:38,080
And the reason for that is because your hashed passwords might be in one of these dictionaries.

248
00:20:38,080 –> 00:20:46,320
So there are free dictionaries online that anybody can download that basically map hashes

249
00:20:46,320 –> 00:20:48,840
to plain text passwords.

250
00:20:48,840 –> 00:20:58,520
So if you take any known password, like password123 or letmein or something like that, anybody

251
00:20:58,520 –> 00:21:02,320
can calculate what the hash of that is.

252
00:21:02,320 –> 00:21:07,960
So basically what people do is they collect known passwords, they hash them and store them

253
00:21:07,960 –> 00:21:09,680
in a database.

254
00:21:09,680 –> 00:21:14,480
So if anybody comes across your hashed password and they don’t know what it is, they can look

255
00:21:14,480 –> 00:21:20,480
it up in one of these dictionaries and if there’s a match, then that positively indicates

256
00:21:20,480 –> 00:21:24,480
what your original plain text password was.

257
00:21:24,480 –> 00:21:31,080
Now you might not think that your passwords are in there, but what I can tell you is that

258
00:21:31,080 –> 00:21:39,120
some of these password dictionaries contain billions of passwords and they get these from

259
00:21:39,120 –> 00:21:40,660
old data breaches.

260
00:21:40,660 –> 00:21:47,160
So it’s possible that you created an account 15 years ago to buy a t-shirt or something

261
00:21:47,160 –> 00:21:54,520
and just forgot about it, and that service has since been hacked, they downloaded the database,

262
00:21:54,520 –> 00:22:00,600
that database contained your hashed password, it was cracked using a number of techniques

263
00:22:00,600 –> 00:22:07,800
and eventually those end up on the internet and people put them in these password dictionaries.

264
00:22:07,800 –> 00:22:13,040
So for the average person, I would say it’s actually quite likely that at least one of

265
00:22:13,040 –> 00:22:19,120
the passwords that you’re using is in one of these password dictionary databases.

266
00:22:19,120 –> 00:22:21,800
And this is just one type of attack.

267
00:22:21,800 –> 00:22:27,000
There are probably at least a dozen other ways of cracking somebody’s password and there

268
00:22:27,000 –> 00:22:31,520
are all kinds of tools that people can use to do this.

269
00:22:31,520 –> 00:22:38,600
I’m not going to name them, but you should also be aware that there are public forums

270
00:22:38,600 –> 00:22:46,440
and websites where the hacker community publicly discloses people’s credentials.

271
00:22:46,440 –> 00:22:52,800
So one of the websites that I have in mind allows anybody, even without an account, to

272
00:22:52,800 –> 00:22:58,960
go to it and type in a username, an email address, a phone number or something like that and

273
00:22:58,960 –> 00:23:07,280
pull up in some cases many, many, many records from data breaches associated with that information.

274
00:23:07,280 –> 00:23:13,560
So when one of our clients asks us to do some reconnaissance on their information, I’d

275
00:23:13,560 –> 00:23:22,560
say more than half the time with this website, we can find at least one of their passwords.

276
00:23:22,560 –> 00:23:28,240
So if you’re thinking that some of this sounds kind of like just an academic exercise where

277
00:23:28,240 –> 00:23:34,120
this doesn’t apply to you for some reason, I’d say statistically you’re probably wrong

278
00:23:34,120 –> 00:23:37,760
and you’re probably in these databases as well.

279
00:23:37,760 –> 00:23:46,120
Now keep in mind, what I’m referring to specifically is one tool that takes, you know, 15 seconds

280
00:23:46,120 –> 00:23:50,200
for us to type in someone’s information and see what comes up, but there’s tons of these

281
00:23:50,200 –> 00:23:51,720
out there.

282
00:23:51,720 –> 00:23:57,320
And one of the important things worth noting with these kinds of websites is that they might

283
00:23:57,320 –> 00:24:01,120
be revealing some information about you that you don’t realize.

284
00:24:01,120 –> 00:24:07,480
So if you actually go to these websites or you look at common passwords, you’ll notice

285
00:24:07,480 –> 00:24:12,880
that they contain some information that might be sensitive or you might not want people

286
00:24:12,880 –> 00:24:14,400
to see.

287
00:24:14,400 –> 00:24:22,720
So we’ll see passwords that say things like satan and naziman, and we were actually doing

288
00:24:22,720 –> 00:24:30,800
some work for a client and found one of her passwords, and it was Ilove… a person’s name.

289
00:24:30,800 –> 00:24:33,600
Like let’s just say IloveBob.

290
00:24:33,600 –> 00:24:40,480
Now one of the things that’s interesting about that was this client was married and it wasn’t

291
00:24:40,480 –> 00:24:41,520
to a Bob.

292
00:24:41,520 –> 00:24:47,080
So you can kind of see how something like that might be misinterpreted or used against

293
00:24:47,080 –> 00:24:49,040
you somehow.

294
00:24:49,040 –> 00:24:55,560
So in addition to creating strong passwords, also be careful to avoid putting information

295
00:24:55,560 –> 00:25:00,280
in there that you wouldn’t want someone else to find, just in case your password is cracked

296
00:25:00,280 –> 00:25:03,720
or it’s stored somewhere in plain text.

297
00:25:03,720 –> 00:25:10,560
And this applies to security questions as well because sometimes websites get breached and

298
00:25:10,560 –> 00:25:15,000
security questions get compromised and those also end up on the internet.

299
00:25:15,000 –> 00:25:21,880
So we recommend to our clients that when you get security questions, you answer them with

300
00:25:21,880 –> 00:25:27,520
random answers and store those in your password manager as well because you know, a question

301
00:25:27,520 –> 00:25:35,000
like what color is your car, or where’s your favorite place to travel, or our favorite, what’s

302
00:25:35,000 –> 00:25:40,640
your mother’s maiden name, which is basically public record at this point.

303
00:25:40,640 –> 00:25:46,120
You don’t really want to answer those honestly because a security question is basically just

304
00:25:46,120 –> 00:25:51,800
another password and it’s usually the last stop before someone gets into your account.

305
00:25:51,800 –> 00:25:58,640
So if you are forced to answer a security question, like what’s your mother’s maiden name, you

306
00:25:58,640 –> 00:26:03,120
don’t want that to be the real answer because obviously it’s very easy for somebody to figure

307
00:26:03,120 –> 00:26:06,000
that stuff out and get into your account.

308
00:26:06,000 –> 00:26:12,600
But of course, if you’re not using a password manager, it’s a lot harder to avoid answering

309
00:26:12,600 –> 00:26:18,920
those questions honestly, which leaves your accounts vulnerable because let’s face it,

310
00:26:18,920 –> 00:26:22,840
if someone wanted to get into your account and they don’t know your password and they

311
00:26:22,840 –> 00:26:26,800
have no way of obtaining the hashed version of it and cracking it, they could just as

312
00:26:26,800 –> 00:26:32,320
well go through the password reset process, which might be as easy as answering one of

313
00:26:32,320 –> 00:26:33,320
these questions.

314
00:26:33,320 –> 00:26:37,200
And we’ll go into more detail about that in a future episode, but we just thought we should

315
00:26:37,200 –> 00:26:39,680
mention that here free of charge.

316
00:26:39,680 –> 00:26:46,720
At this point, we’d like to reemphasize that a lot of password cracking attempts are done

317
00:26:46,720 –> 00:26:49,120
using automation.

318
00:26:49,120 –> 00:26:56,360
And we emphasize this because we’re concerned that a lot of people choose weak passwords

319
00:26:56,360 –> 00:27:04,480
or at least passwords that are weak for a computer to guess, because they don’t envision

320
00:27:04,480 –> 00:27:06,320
that that’s how their passwords are cracked.

321
00:27:06,320 –> 00:27:11,720
They envision someone sitting down at their account and just typing in passwords.

322
00:27:11,720 –> 00:27:17,480
So you know, we would agree if you picked out something random like purplekeyboard or something

323
00:27:17,480 –> 00:27:23,480
like that, you know, it’s true that nobody would probably sit down and guess that.

324
00:27:23,480 –> 00:27:29,880
But you have to remember that it is automation that you’re trying to fight against.

325
00:27:29,880 –> 00:27:37,840
Automation that can guess millions of passwords per second on even consumer-grade hardware.

326
00:27:37,840 –> 00:27:45,040
Now in fairness, sometimes people do sit down and guess passwords like those scenes in Archer

327
00:27:45,040 –> 00:27:49,080
where they’re trying to guess the password to get into the mainframe or whatever.

328
00:27:49,080 –> 00:27:51,560
And it just turns out to be guest.

329
00:27:51,560 –> 00:27:56,320
That does happen and every once in a while we do see data breaches where the password

330
00:27:56,320 –> 00:28:02,160
was something stupid like that, like admin: username admin, password admin.

331
00:28:02,160 –> 00:28:07,920
This does happen, but the standard that you’re trying to protect against is automation using

332
00:28:07,920 –> 00:28:12,080
dictionary attacks, brute force, and other techniques.

333
00:28:12,080 –> 00:28:17,320
But even if those automated techniques fail, you should be aware that information that

334
00:28:17,320 –> 00:28:24,640
is available about you on the internet, particularly social media can also be used to create probabilistic

335
00:28:24,640 –> 00:28:27,640
guesses as to what your passwords may be.

336
00:28:27,640 –> 00:28:34,880
And you might not think that that’s very effective, but it is because again, people tend to use

337
00:28:34,880 –> 00:28:39,640
very common techniques for creating their passwords like using the name of their pet,

338
00:28:39,640 –> 00:28:45,760
for example, which of course, on most people’s social media, they list that kind of information.

339
00:28:45,760 –> 00:28:51,600
So if somebody is motivated and they can’t crack your password with a dictionary attack

340
00:28:51,600 –> 00:28:57,280
or with just brute force or something like that, they might resort to perusing your social

341
00:28:57,280 –> 00:29:03,060
media and other sources of information about you to try to come up with more tailored guesses

342
00:29:03,060 –> 00:29:05,160
as to what your passwords are.

343
00:29:05,160 –> 00:29:12,680
And this is one of an infinite number of reasons why you should be very selective about what

344
00:29:12,680 –> 00:29:17,280
information you expose about yourself to the internet.

345
00:29:17,280 –> 00:29:24,760
You know, you might not think that something like the name of your dog is sensitive information.

346
00:29:24,760 –> 00:29:31,400
But you know, usually it isn’t until you use it as a password, which a lot of people do.

347
00:29:31,400 –> 00:29:37,760
But we recommend that people just either don’t use social media or use it very sparingly

348
00:29:37,760 –> 00:29:45,480
because it’ll surprise you what kind of information is used for security purposes.

349
00:29:45,480 –> 00:29:53,320
So one time I had an issue with one of my banks and they made me answer some identity

350
00:29:53,320 –> 00:29:58,240
verification questions to make sure that I was who I said I was.

351
00:29:58,240 –> 00:30:05,360
And one of the two questions was, what was the color of one of my cars?

352
00:30:05,360 –> 00:30:09,560
And you know, you might not think that that’s a big deal, but you know, it should make you

353
00:30:09,560 –> 00:30:11,720
wonder how hard is that to find out?

354
00:30:11,720 –> 00:30:16,160
I mean, first of all, car records are somewhat public record.

355
00:30:16,160 –> 00:30:18,680
A lot of BMVs do sell people’s car records.

356
00:30:18,680 –> 00:30:23,920
And second of all, a lot of people have pictures of them in their cars on social media.

357
00:30:23,920 –> 00:30:29,200
So you might not think that a lot of the information that you have on your social media accounts

358
00:30:29,200 –> 00:30:34,280
is sensitive until, you know, something like this happens and somebody’s able to use that

359
00:30:34,280 –> 00:30:37,360
information to breach your accounts.

360
00:30:37,360 –> 00:30:42,200
So we’ve talked a lot about how passwords are cracked, but now let’s talk about what

361
00:30:42,200 –> 00:30:44,760
happens when passwords are cracked.

362
00:30:44,760 –> 00:30:51,280
So obviously, if somebody is able to get ahold of one of your passwords, they’re probably

363
00:30:51,280 –> 00:30:56,220
going to use that to access whatever data that was securing, whether it’s decrypting

364
00:30:56,220 –> 00:31:01,440
some data or getting into an account, they’re probably going to get in there and check

365
00:31:01,440 –> 00:31:06,840
it out, but very rarely does the damage stop there.

366
00:31:06,840 –> 00:31:12,520
It’s quite likely that whoever has your password is going to see if you’ve used that password

367
00:31:12,520 –> 00:31:18,880
with, you know, banks, social media, email, and so on, and try to get into those accounts

368
00:31:18,880 –> 00:31:20,120
as well.

369
00:31:20,120 –> 00:31:26,440
That’s an attack called credential stuffing. You should never ever reuse passwords for that reason.

370
00:31:26,440 –> 00:31:33,600
And I think another thing that people do sometimes is they don’t necessarily reuse the same password

371
00:31:33,600 –> 00:31:39,400
exactly, but they’ll memorize the password and then add a little bit to it.

372
00:31:39,400 –> 00:31:45,200
So it might be like purplekeyboard-Facebook or purplekeyboard-Twitter or something

373
00:31:45,200 –> 00:31:46,200
like that.

374
00:31:46,200 –> 00:31:47,680
And that’s better than nothing.

375
00:31:47,680 –> 00:31:54,280
But if somebody sees that, then they can obviously tell what you’re doing and they can use that

376
00:31:54,280 –> 00:31:59,880
to infer what your passwords might be in other systems.

377
00:31:59,880 –> 00:32:05,920
So when an attacker is done having their way with you and your accounts, then oftentimes

378
00:32:05,920 –> 00:32:12,840
what they do with it is they either sell it to other attackers, or they’ll just make them

379
00:32:12,840 –> 00:32:14,880
public for free.

380
00:32:14,880 –> 00:32:20,680
A lot of passwords from previous data breaches are freely available on forums, particularly

381
00:32:20,680 –> 00:32:22,000
on the dark web.

382
00:32:22,000 –> 00:32:26,560
And then from that point, I mean, you better hurry up and change them because now there’s

383
00:32:26,560 –> 00:32:31,400
going to be tons of people looking at those and looking to take advantage of you.

384
00:32:31,400 –> 00:32:40,480
And even beyond that, what cracked passwords are also used for is improving password cracking

385
00:32:40,480 –> 00:32:42,120
tools.

386
00:32:42,120 –> 00:32:49,240
So this is something that gets hackers and security researchers really excited: when

387
00:32:49,240 –> 00:32:56,200
we get one of these mega data breaches like LinkedIn where they result in a lot of cracked

388
00:32:56,200 –> 00:33:02,080
passwords, people get really excited because we get to see real world examples of how people

389
00:33:02,080 –> 00:33:08,560
are creating passwords and how those kinds of trends change over time.

390
00:33:08,560 –> 00:33:15,680
So a really important point to keep in mind is that we need people to stop believing

391
00:33:15,680 –> 00:33:21,160
that their passwords are safe because only they know them, you know, you’re a human being

392
00:33:21,160 –> 00:33:23,120
just like anybody else.

393
00:33:23,120 –> 00:33:29,000
And chances are if your passwords are not random, that you’re using some sort of a mental

394
00:33:29,000 –> 00:33:33,480
shortcut to create them that a lot of other people are using as well.

395
00:33:33,480 –> 00:33:39,840
So even though only you know your password, you might be making it in such a way that

396
00:33:39,840 –> 00:33:45,360
based on how everybody else makes passwords that we’ve seen, we can guess what your password

397
00:33:45,360 –> 00:33:48,280
is, even though we’ve never seen it before.

398
00:33:48,280 –> 00:33:53,320
Now in fairness, we do recommend that people create random passwords.

399
00:33:53,320 –> 00:33:54,320
It’s what we do.

400
00:33:54,320 –> 00:33:58,560
We’ve got hundreds of them, they’re all long, random and unique.

401
00:33:58,560 –> 00:34:03,600
But a password doesn’t necessarily need to be random in order to be secure.

402
00:34:03,600 –> 00:34:09,880
You could do something like five, six or seven completely random words all strung together.

403
00:34:09,880 –> 00:34:17,360
That would be very difficult to crack, but again, if you’re not using a password manager,

404
00:34:17,360 –> 00:34:18,640
it’s not realistic.

405
00:34:18,640 –> 00:34:21,960
It’s just not realistic to do that without reusing them.

406
00:34:21,960 –> 00:34:28,800
You know, how can you manage or remember dozens or hundreds of passwords?

407
00:34:28,800 –> 00:34:33,680
And if you are using a password manager, you might as well just make them random.

408
00:34:33,680 –> 00:34:39,640
All right, so hopefully by this point, we’ve convinced you that your passwords, if you’re

409
00:34:39,640 –> 00:34:43,760
not using a password manager are probably more vulnerable than you realize and that

410
00:34:43,760 –> 00:34:45,760
you should be using one.

411
00:34:45,760 –> 00:34:50,600
So now let’s talk about what actually a password manager is.

412
00:34:50,600 –> 00:34:57,400
A password manager is simply an application or a service to help you store your passwords.

413
00:34:57,400 –> 00:35:00,080
That’s what they are at their most basic level.

414
00:35:00,080 –> 00:35:04,640
But you know, over time, they add all kinds of, you know, interesting features which can

415
00:35:04,640 –> 00:35:09,480
help you manage your passwords like random password generators, little helpers that

416
00:35:09,480 –> 00:35:12,000
show you how strong they are.

417
00:35:12,000 –> 00:35:15,960
So if you put like a phone number in there, it should probably show you some kind of warning

418
00:35:15,960 –> 00:35:21,760
telling you that it’s extremely insecure and they’ll have things like automatic sign-in

419
00:35:21,760 –> 00:35:28,800
features for like websites and things like that and store arbitrary files and whatnot.

420
00:35:28,800 –> 00:35:36,080
So a password manager stores this information in what’s typically called a vault, which

421
00:35:36,080 –> 00:35:38,720
is basically just an encrypted file.

422
00:35:38,720 –> 00:35:42,760
The whole thing should be encrypted.

423
00:35:42,760 –> 00:35:48,800
I don’t know if you heard about this LastPass, this most recent LastPass security

424
00:35:48,800 –> 00:35:49,800
incident that they’ve had.

425
00:35:49,800 –> 00:35:54,040
They’ve had several of them, which is why we don’t recommend LastPass.

426
00:35:54,040 –> 00:35:59,760
And we’ll talk about that in a separate episode, but one of the issues with LastPass vaults

427
00:35:59,760 –> 00:36:05,920
was they weren’t encrypting all of the data that you were putting in LastPass.

428
00:36:05,920 –> 00:36:10,640
So there was certain information like website URLs that weren’t being encrypted.

429
00:36:10,640 –> 00:36:13,920
For God knows what reason, I have no idea why they would do that unless they were doing

430
00:36:13,920 –> 00:36:19,640
something like, I don’t know, selling that information or something stupid like that.

431
00:36:19,640 –> 00:36:26,000
So a good respected password manager should encrypt every piece of information that you

432
00:36:26,000 –> 00:36:30,720
type into it and the ones that we recommend do.

433
00:36:30,720 –> 00:36:36,960
So we’ll go into some more detail in future episodes, but we recommend that our clients

434
00:36:36,960 –> 00:36:43,200
use KeePass or Bitwarden, just depending on what your needs are, you know, we’re not

435
00:36:43,200 –> 00:36:46,360
sponsored by Bitwarden, they don’t even know we exist.

436
00:36:46,360 –> 00:36:50,500
And obviously KeePass doesn’t sponsor us because it’s free and open source software

437
00:36:50,500 –> 00:36:53,600
that you just run locally on your own system.

438
00:36:53,600 –> 00:36:57,460
So to start wrapping this up, let’s talk about action items.

439
00:36:57,460 –> 00:37:01,880
So if you haven’t figured it out by now, one of those action items is start using a password

440
00:37:01,880 –> 00:37:02,880
manager.

441
00:37:02,880 –> 00:37:07,360
And once you get one set up, start replacing your passwords.

442
00:37:07,360 –> 00:37:12,840
We recommend that our clients document what accounts they have, which I think a lot of

443
00:37:12,840 –> 00:37:13,840
people don’t do.

444
00:37:13,840 –> 00:37:19,480
I think they just try to remember them all, but write them down in a secure manner, go

445
00:37:19,480 –> 00:37:23,200
down the line and start changing your passwords.

446
00:37:23,200 –> 00:37:25,760
And you know, I understand that that’s a tremendous amount of work.

447
00:37:25,760 –> 00:37:31,520
So what we recommend that people do is start with your most critical accounts like your

448
00:37:31,520 –> 00:37:35,480
email and your bank accounts, things like that.

449
00:37:35,480 –> 00:37:40,760
And also make sure you hit all the ones that you use passwords with, because those can

450
00:37:40,760 –> 00:37:42,240
really blindside you.

451
00:37:42,240 –> 00:37:45,540
So I’ll share a personal story.

452
00:37:45,540 –> 00:37:52,200
So I created my first email account many, many years ago was with, you know, one of the

453
00:37:52,200 –> 00:37:59,920
biggest email providers at the time, and one day I noticed that someone got into my email

454
00:37:59,920 –> 00:38:06,040
account and was sending out suspicious emails to the people in my contacts list.

455
00:38:06,040 –> 00:38:11,840
And I wondered for years how this happened because, you know, this was a major company.

456
00:38:11,840 –> 00:38:17,680
This was the type of company that would have disclosed if they had a data breach.

457
00:38:17,680 –> 00:38:24,360
And because they didn’t, my assumption is that someone got my password and logged into

458
00:38:24,360 –> 00:38:25,360
my account.

459
00:38:25,360 –> 00:38:29,160
And I wondered for years, how could someone have gotten my password?

460
00:38:29,160 –> 00:38:34,560
I mean, very few people even knew that this account existed.

461
00:38:34,560 –> 00:38:38,400
And the password wasn’t super bad.

462
00:38:38,400 –> 00:38:43,440
And it wasn’t something that you would guess by looking at the email address.

463
00:38:43,440 –> 00:38:47,760
So now that I’ve been studying this stuff for years, I would bet a lot of money that

464
00:38:47,760 –> 00:38:53,640
what actually happened was I was probably using that email address and password for

465
00:38:53,640 –> 00:38:58,360
other accounts because, you know, this was decades ago and I was very young and this

466
00:38:58,360 –> 00:39:00,960
is just what everybody did.

467
00:39:00,960 –> 00:39:07,800
So I probably made an account somewhere like some game forum or something, you know, this

468
00:39:07,800 –> 00:39:12,200
is one of the reasons why we recommend that people start documenting all of their accounts.

469
00:39:12,200 –> 00:39:18,280
Because if you really think about it, if you go back, you know, decades and think about

470
00:39:18,280 –> 00:39:25,320
every little website that you went to to create an account, like a forum or a website that

471
00:39:25,320 –> 00:39:29,120
just sells t-shirts or something like that, you probably have dozens of these accounts

472
00:39:29,120 –> 00:39:31,200
that you’ve forgotten about.

473
00:39:31,200 –> 00:39:37,360
And I’d bet a lot of money that one of those got hacked and never disclosed it.

474
00:39:37,360 –> 00:39:44,360
And then whoever hacked that site downloaded my information, cracked my password and then

475
00:39:44,360 –> 00:39:47,160
used that to get into my email account.

476
00:39:47,160 –> 00:39:52,520
So this is a cautionary tale to encourage you to update your passwords and especially

477
00:39:52,520 –> 00:39:57,160
make sure you hit those ones that you’ve reused with other accounts.

478
00:39:57,160 –> 00:40:03,400
Now I acknowledge that, you know, this episode has been pretty light on the details regarding

479
00:40:03,400 –> 00:40:08,920
KeePass, Bitwarden, how you actually download, install and use them and best practices and

480
00:40:08,920 –> 00:40:09,920
things like that.

481
00:40:09,920 –> 00:40:12,680
We’ll go over those in a future episode.

482
00:40:12,680 –> 00:40:18,520
This one is really just focused on convincing you that you should be using a password manager.

483
00:40:18,520 –> 00:40:21,920
So please take this seriously.

484
00:40:21,920 –> 00:40:25,320
One of the things you need to understand is that you might not care about your security

485
00:40:25,320 –> 00:40:30,240
for whatever reason, but just keep in mind that if you have a security incident like

486
00:40:30,240 –> 00:40:34,520
someone breaks into your accounts, whether those are personal accounts or work accounts,

487
00:40:34,520 –> 00:40:39,520
that has the potential to affect not only you, but others around you that might be your

488
00:40:39,520 –> 00:40:43,200
employer that might be your spouse, your children or whatever.

489
00:40:43,200 –> 00:40:49,200
So please take this seriously because if somebody can get into your email accounts or your social

490
00:40:49,200 –> 00:40:51,160
media, they can do all kinds of things.

491
00:40:51,160 –> 00:40:53,520
They can do illegal things.

492
00:40:53,520 –> 00:40:58,400
They can spam and scam, you know, people in your contact list.

493
00:40:58,400 –> 00:41:03,280
They can lock you out of your accounts, but just sit down sometime and think about

494
00:41:03,280 –> 00:41:07,160
how much damage somebody could do by getting into your accounts.

495
00:41:07,160 –> 00:41:12,960
Because if you really think about it, a lot of service providers don’t really know who

496
00:41:12,960 –> 00:41:15,040
anybody actually is.

497
00:41:15,040 –> 00:41:20,560
As far as they’re concerned, you’re responsible for the security of your account.

498
00:41:20,560 –> 00:41:25,760
And if somebody takes over your account, it can be very difficult to convince them that

499
00:41:25,760 –> 00:41:28,720
you’re the actual owner of the account.

500
00:41:28,720 –> 00:41:33,680
So if you can imagine somebody getting into your Fecesbook account, for example, if you

501
00:41:33,680 –> 00:41:39,520
were to contact them and say, hey, somebody took over my account, how are they supposed

502
00:41:39,520 –> 00:41:42,200
to know who you are or who they are?

503
00:41:42,200 –> 00:41:47,520
You know, most likely what they’re going to do is ask you some questions which you

504
00:41:47,520 –> 00:41:50,760
might have a difficult time answering.

505
00:41:50,760 –> 00:41:55,160
I’ve read that if you’re trying to recover a Google account, one of the things that they’ll

506
00:41:55,160 –> 00:42:02,000
ask you is the date that you created the account, and obviously very few people record that

507
00:42:02,000 –> 00:42:03,000
information.

508
00:42:03,000 –> 00:42:08,080
But you know, a company like Fecesbook, they might be liable to say, hey, we’ll only let

509
00:42:08,080 –> 00:42:15,600
you recover your account if you upload, say, a government ID, which is pretty sketchy because

510
00:42:15,600 –> 00:42:20,600
you know, as far as we’re concerned, they’re one of the creepiest companies that the world

511
00:42:20,600 –> 00:42:25,960
has ever produced, not to mention they’ve had their own fair share of security incidents.

512
00:42:25,960 –> 00:42:32,160
So just imagine giving them, you know, a scan of your driver’s license and then later they have

513
00:42:32,160 –> 00:42:37,040
another security incident and now your driver’s license is floating around on the internet.

514
00:42:37,040 –> 00:42:39,120
Think about what somebody could do with that.

515
00:42:39,120 –> 00:42:43,360
They could open a crypto account using your identity and launder money and all kinds of

516
00:42:43,360 –> 00:42:44,360
crazy things.

517
00:42:44,360 –> 00:42:50,400
So long story short, take this stuff very seriously because it is very serious.

518
00:42:50,400 –> 00:42:52,800
That pretty much wraps up this episode.

519
00:42:52,800 –> 00:42:56,800
Hopefully we’ve convinced you that using a password manager is important.

520
00:42:56,800 –> 00:43:01,540
If you still don’t think that it is, you know, I don’t really know what to tell you other

521
00:43:01,540 –> 00:43:07,680
than we’d be very interested to hear how you manage your passwords or, you know, what

522
00:43:07,680 –> 00:43:13,480
makes you think that you’re immune from these kinds of issues that we’ve discussed.

523
00:43:13,480 –> 00:43:15,560
We’d be very interested in that.

524
00:43:15,560 –> 00:43:20,240
So if you like this content, you know, feel free to like it or give us a review, but more

525
00:43:20,240 –> 00:43:25,920
importantly, please share it with your friends, family or whoever, because we really need

526
00:43:25,920 –> 00:43:32,240
to get society as a whole to improve their password management practices.

527
00:43:32,240 –> 00:43:39,320
I mean, the data is very clear about how much of a disaster our password management practices

528
00:43:39,320 –> 00:43:40,320
are.

529
00:43:40,320 –> 00:43:44,960
You know, I mean, obviously if 80% of our data breaches are the result of poor credential

530
00:43:44,960 –> 00:43:47,600
management, this is a very serious problem.

531
00:43:47,600 –> 00:43:51,600
And finally, make sure you subscribe because we’re producing a lot of great content like

532
00:43:51,600 –> 00:43:52,600
this.

533
00:43:52,600 –> 00:43:58,880
And we’re going to go into more detail about password managers, VPNs, Tor, email, text

534
00:43:58,880 –> 00:44:02,280
messaging, end-to-end encryption, all kinds of things.

535
00:44:02,280 –> 00:44:28,000
So subscribe, stay tuned, and stay safe out there.

Blog


Passwords vs. Encryption

First, let’s clear up any potential confusion between passwords and encryption. Data that’s password-protected is not necessarily encrypted. For example, the password to a local Windows account doesn’t encrypt your PC’s data; it just prevents Grandma from getting into your account with a single click. Anyone who pulls the disk or boots another operating system can read the files unless they are separately encrypted.

Even if your password is used to encrypt your data, it needs to be considered how the encryption is performed and who has access to the decryption key. If you use Apple’s iCloud, for example, understand that in the default configuration, even though your data is encrypted on their servers, Apple holds the decryption key for most data categories and can decrypt your data for whomever, or for whatever purpose, they please. (Apple’s optional Advanced Data Protection, introduced in late 2022, moves most categories to end-to-end encryption, but you have to turn it on.) Similar to the “not your keys, not your crypto” mantra in the digital asset community, it’s “not your keys, not your data” in the security community.

We emphasize this because we believe some forgo a password manager because they have a false sense of security as to what their passwords do, which then justifies weak password practices such as password reuse. It’s true that most businesses don’t have your password in plain-text, nor will they bother cracking it. However, that doesn’t mean your data is safe, as you might assume if your data were encrypted with your password (i.e. because only you know it). In addition to storing your password (usually in hashed form), most app/service providers hold their own decryption key to your data, which allows them, and potentially hackers, to decrypt your data without your password.

What is a Password Manager?

At its most basic, a password manager is an application designed to securely store your passwords. The data the password manager stores is secured by a “master” password, so it’s critical that your master password is strong. In the case of a local application, the data is stored in a file, normally called a “vault.” This is a good option for users who are diligent about backing up their files. However, many of the most common password managers store your data on central servers. Doing so is more convenient and can offer other features such as emergency access, and it’s a better choice for users who don’t have a good backup system and procedure. In that case, make sure the vault is encrypted on your device before it’s uploaded, so the provider only ever holds ciphertext.

Modern password managers typically contain several other features – e.g.:

  1. Password strength helpers (entropy, reuse check, common password check, data breach check, etc.)
  2. Random password generator
  3. File storage
  4. Automatic sign-in
  5. etc.
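The following is an added example, not code from this page or from KeePass or Bitwarden, showing what the helpers listed above do in plain Python: a generator that draws from the operating system’s secure random source, an entropy estimate that only applies to generated secrets, and a vault audit that flags the gimmicks discussed later on this page (common passwords, exact reuse, near-reuse such as purplekeyboard-Facebook / purplekeyboard-Twitter, phone numbers and short passwords). The common-password set, the wordlist and the sample vault are constructed stand-ins, far smaller than what a real manager uses.

```python
import math
import os
import secrets
import string

# Constructed stand-ins for the lists a real password manager ships with or
# downloads: a breach/common-password corpus and a passphrase wordlist.
# Real lists are far larger (the EFF long diceware list has 7,776 words).
COMMON_PASSWORDS = {"password", "qwerty123", "trustno1", "123456", "letmein"}
WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "falcon", "glacier", "harbor"]
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def generate_password(length=20, alphabet=SYMBOLS):
    # secrets, never random: a generator that is statistically uniform but
    # seeded predictably (e.g. from the clock) can be replayed by an attacker.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=6, wordlist=WORDLIST, sep="-"):
    # Several random words strung together, as the page recommends.
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(alphabet_size, length):
    # Only meaningful for uniformly random choices; a human-chosen password
    # gets no credit from this formula because its choices are not uniform.
    return length * math.log2(alphabet_size)


def looks_like_phone_number(pw):
    digits = sum(c.isdigit() for c in pw)
    return digits >= 7 and digits >= 0.7 * len(pw)


def audit_vault(entries, common=COMMON_PASSWORDS, min_length=12, prefix_len=8):
    """Return {site: [problems]} for entries that fail the checks: common
    password, exact reuse, near-reuse (a shared prefix of prefix_len or more
    characters), phone-number look-alikes and short passwords."""
    by_password = {}
    for e in entries:
        by_password.setdefault(e["password"], []).append(e["site"])

    findings = {}
    for e in entries:
        site, pw = e["site"], e["password"]
        problems = []
        if pw.lower() in common:
            problems.append("common password")
        others = [s for s in by_password[pw] if s != site]
        if others:
            problems.append("reused on " + ", ".join(others))
        near = [o["site"] for o in entries
                if o["site"] != site and o["password"] != pw
                and len(os.path.commonprefix([pw, o["password"]])) >= prefix_len]
        if near:
            problems.append("near-duplicate of " + ", ".join(near))
        if looks_like_phone_number(pw):
            problems.append("looks like a phone number")
        if len(pw) < min_length:
            problems.append(f"shorter than {min_length} characters")
        if problems:
            findings[site] = problems
    return findings


# Constructed sample vault; the last entry is what a generator would produce.
VAULT = [
    {"site": "bank.example", "password": "trustno1"},
    {"site": "shop.example", "password": "Fluffy2015"},
    {"site": "email.example", "password": "Fluffy2015"},
    {"site": "social.example", "password": "purplekeyboard-Facebook"},
    {"site": "micro.example", "password": "purplekeyboard-Twitter"},
    {"site": "wifi.example", "password": "5551234567"},
    {"site": "random.example", "password": "Vq7#pL2!xR9&mT4@wZ1k"},
]

if __name__ == "__main__":
    for site, problems in audit_vault(VAULT).items():
        print(f"{site}: {'; '.join(problems)}")
    print("generated:", generate_password(), f"({entropy_bits(len(SYMBOLS), 20):.0f} bits)")
    print("passphrase:", generate_passphrase(), f"({entropy_bits(len(WORDLIST), 6):.0f} bits)")
```

The entropy numbers are the point of the last two lines: 20 random characters from a 94-character alphabet give about 131 bits, and six words from the 7,776-word EFF list give about 77 bits, but six words from this eight-word toy list give only 18 bits. A passphrase is only as strong as the size of the list it is drawn from, and only if the words are picked by a proper random source rather than by you.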

How App & Service Providers Manage Passwords

How app and service providers handle your passwords can make or break your security. Unfortunately, this is usually rather opaque, so one needs to be careful about whom they entrust with their data.

For most services, your password is salted and hashed, and the hash is stored on their servers, while your data is encrypted with a key that the provider controls. That arrangement carries two risks. First, the provider (or anyone who compromises them) can decrypt and exploit your data. Second, if the server that holds the password database gets hacked, the attackers download the hashes and start cracking them, i.e. guessing candidate passwords and hashing each one until a hash matches. For these reasons, we generally recommend software and services that encrypt your data using end-to-end encryption: the encryption key is derived on your device from your master password, and the provider stores ciphertext (and, for login, at most a separately derived verifier that cannot be turned back into the key), so neither your password nor your data key ever leaves your device. Decryption happens only at each end.


Password Psychology without a Password Manager

If given the choice to target either a person who uses a password manager or one who doesn’t, an attacker would go after the latter. Why? Because if you’re not using a password manager, chances are your passwords aren’t random*. If your passwords aren’t random, it’s likely that you’ve used some convenient gimmick to create them**. And chances are you’re not the only one who has used said gimmick. Attackers know this and use it against you when cracking passwords: cracking tools apply exactly these gimmicks (“mangling rules”) to every word in their dictionaries. Do your passwords contain names or birthdays of your children, spouse, or pets? How about a phone number, favorite sport, or old address? Do you reuse passwords? If the password rules require having a number in the password, do you just add a 1 at the end? If your answer to any of these is “yes”, you’re not alone, and that makes your passwords vulnerable.

In cases where users are forced to choose strong passwords, we unfortunately see risky behavior, such as writing them down on sticky notes or storing them in an Excel spreadsheet in Dropbox. Password managers solve this problem.

*In fairness, a password doesn’t necessarily need to be “random” to be secure. A password consisting of several randomly chosen words can also be very secure, despite not being a random string of characters. We say this because, in the absence of randomness, people usually choose predictable passwords.

**Just for fun, see if you use any of these common passwords.


How Passwords are Cracked

Automation

Let’s now discuss how passwords are cracked, which will reveal why your passwords are probably more vulnerable than you think. Before we lose you in the weeds, understand that the following is going on every day, usually with automation. It’s true that no one is probably sitting at their computer, typing password guesses into your Facebook account. But that’s not the concern here; automation is. Give a hacker 100,000 passwords of average users hashed with a fast, unsalted algorithm, and they’ll probably have half of them cracked within a few days using automation, not manual guesses.

We’re convinced that many choose weak passwords because they can’t imagine how someone would crack them via manual guess-and-check. Therefore, we need to emphasize that this is not how most passwords are cracked.

Plain-text and Weakly-hashed Passwords

In some cases, an attacker will find your password in plain-text, so there’s no cracking necessary. Unfortunately, some providers do get caught storing passwords this way, which is one of the reasons why reusing passwords is so dangerous. You can have the most secure password in the world, but if it’s discovered by an attacker in plain-text, the password’s strength won’t save you.

Even if your password is hashed, the hashing algorithm matters. General-purpose hashes such as MD5 leave passwords vulnerable because they are designed to be fast (a single GPU can compute billions of MD5 hashes per second) and are often used without a salt, whereas purpose-built password hashes like bcrypt (and scrypt or Argon2) are deliberately slow and salted, so every guess costs the attacker far more. Unfortunately, app and service providers don’t often tell you how they hash passwords, leaving users in the dark as to how vulnerable their password may be.

Cracking Strongly-hashed Passwords

Overview

If an attacker is able to obtain your hashed password, they can use dictionary attacks and related techniques to see if you’ve used either a common password, or one that’s been cracked in the past. For example, the MD5 hash of qwerty123 (without salt), a very common password, is 3fc0a7acf087f549ac2b266baf94b8b1. A dictionary can be created that maps hash values to known passwords (e.g. 3fc0a7acf087f549ac2b266baf94b8b1 = qwerty123, 5f4dcc3b5aa765d61d8327deb882cf99 = password, etc.). If a hacker gets ahold of your hashed password, they can quickly see if it’s in their dictionary and, if it is, this reveals your password. This might sound rather benign, but note that some password dictionaries contain over 10 billion passwords. Chances are you’re either using a password in one of these dictionaries or have in the past.

Example Dictionary Attack

The following illustrates a simplified dictionary attack against a user database that someone has hacked into.

Password (User-entered)   MD5 Hash (Stored on Server)
password                  5f4dcc3b5aa765d61d8327deb882cf99
qwerty123                 3fc0a7acf087f549ac2b266baf94b8b1
trustno1                  5fcfd41e547a12215b173ff47fdd3739

Figure 1: Example password hashing and storage

ID  Username  Password (MD5 Hash)
1   koolkat   5952e5d10ede271bcddceb99fca44c04
2   sk8erboi  d5637ac35652681d6bdf48f00d285fa3
3   paranoid  5fcfd41e547a12215b173ff47fdd3739

Figure 2: Simplified example user database table stored on app server

MD5 Hash                          Password
5f4dcc3b5aa765d61d8327deb882cf99  password
3fc0a7acf087f549ac2b266baf94b8b1  qwerty123
5fcfd41e547a12215b173ff47fdd3739  trustno1

Figure 3: Hacker builds dictionary of known passwords

In the above example (Figures 1-3), if a hacker obtains the data from the database in Figure 2 and references the users’ hashed passwords against the dictionary in Figure 3, what would happen? As we can see, user “paranoid” is pwned because he used a password with the corresponding hash: 5fcfd41e547a12215b173ff47fdd3739. Even though we can’t reverse MD5, we know from the dictionary of known passwords that 5fcfd41e547a12215b173ff47fdd3739 corresponds to the password trustno1*. For the other two users, whose hashes are not in the dictionary, the hacker would need to employ some other technique (e.g. brute force).

*trustno1 is a very common password. Ironically, if you trust no one, you shouldn’t use such a pathetic password. Security is not without its humor.
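The lookup described above, as an added Python example that is not part of the original article: it builds the Figure 3 dictionary from the known passwords, checks a constructed copy of the Figure 2 table against it, and then shows the defender’s side, where a random per-user salt and a slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library, standing in for the bcrypt the article mentions) make a precomputed dictionary useless.

```python
import hashlib
import hmac
import os

# The hacker's word list from Figure 3.
KNOWN_PASSWORDS = ["password", "qwerty123", "trustno1"]

# Constructed copy of the leaked user table in Figure 2: username -> stored MD5 hash.
USER_DB = {
    "koolkat": "5952e5d10ede271bcddceb99fca44c04",
    "sk8erboi": "d5637ac35652681d6bdf48f00d285fa3",
    "paranoid": "5fcfd41e547a12215b173ff47fdd3739",
}


def md5_hex(text):
    """Unsalted MD5 of a string, hex-encoded, as stored in Figure 1."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_dictionary(passwords):
    """Precompute hash -> password for every known password (Figure 3)."""
    return {md5_hex(p): p for p in passwords}


def crack_users(user_db, dictionary):
    """Look each stored hash up in the dictionary; None means it is not in the list."""
    return {user: dictionary.get(stored) for user, stored in user_db.items()}


def store_salted(password, salt=None, iterations=100_000):
    """Defender side: random per-user salt plus a slow KDF. PBKDF2-HMAC-SHA256 stands in
    here for bcrypt (an assumption made for this illustration). Returns (salt_hex, hash_hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex(), digest.hex()


def verify_salted(password, salt_hex, stored_hex, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, stored_hex)


if __name__ == "__main__":
    dictionary = build_dictionary(KNOWN_PASSWORDS)
    for user, password in crack_users(USER_DB, dictionary).items():
        print(f"{user}: {password or 'not in dictionary'}")
    # Same weak password, salted: the stored value matches nothing precomputed.
    salt, stored = store_salted("trustno1")
    print("salted trustno1 found in dictionary?", stored in dictionary)
```

Salting only defeats the precomputed lookup; a weak password like trustno1 is still guessed quickly by hashing each candidate with the stolen salt, which is why the slow KDF and a strong password both matter.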

Guess-and-Check Using Knowledge of Victim

If an attacker doesn’t have your hashed password, and they’re motivated, they may use their knowledge of you to make educated guesses using an understanding of password psychology. If they don’t know you well, they may peruse your social media profiles and other sources for clues. This is one of the reasons why over-sharing on social media is so dangerous. Seemingly harmless data like pet names, travel destinations, the color of your car, etc. can be used to crack passwords, impersonate you, or correctly answer identity verification questions to get into your accounts.

Password-cracking tools can then be used to take pieces of information about you (dates, pet names, etc.) and create an array of probable password guesses. This sounds rather mundane, but depending on how well the victim is known, and how poorly they choose their passwords, this technique can actually be rather effective.

Brute Force

If all else fails, brute force may be used, which is the systematic guessing of password combinations until either the password is cracked or the attacker gives up. Think of one of those padlocks that use 3 single digits for the combination – it wouldn’t take you very long to manually brute-force this until you crack it (000, 001, 002, 003, …).

If an attacker is able to guess passwords without rate limitations, this technique can be effective for weaker passwords. Bear in mind that modern computers, especially if equipped with high-end CPUs or GPUs, can make millions of guesses per second. One of the fastest supercomputers in 2019 had the capability of making 100 million million guesses per second. How would your passwords hold up to brute force?

It should also be noted that brute-force techniques can be enhanced to guess the types of passwords most likely to match. For example, it’s well-known in the security community that many Wi-Fi routers are “secured” with the user’s phone number. Therefore, if someone was trying to crack your password, Wi-Fi in particular, guessing all possible phone numbers would be a great place to start. This would only take a few seconds given modern hardware, so if you’re using your phone number as a password, change it to something more secure ASAP.
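As an added example that is not from the article, here is a small Python calculator for the worst-case time to exhaust a password’s keyspace at the 100 million million guesses per second quoted above, alongside a constructed desktop rate; the sample passwords, including the 10-digit phone number, are constructed. It gives an upper bound only: a human-chosen password such as Summer2023! falls to dictionary and pattern guessing long before its keyspace is exhausted.

```python
import string

# Rate quoted in the article for one of the fastest supercomputers in 2019.
SUPERCOMPUTER_RATE = 100_000_000 * 1_000_000  # 100 million million guesses/second
# Constructed order-of-magnitude rate for one high-end desktop ("millions per second").
DESKTOP_RATE = 10_000_000

# Standard character classes and their sizes (string.punctuation holds 32 symbols).
CLASSES = [
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), 32),
]


def charset_size(password):
    """Size of the smallest standard character set containing every character used."""
    return sum(size for _, chars, size in CLASSES if any(c in chars for c in password))


def keyspace(password):
    """Candidates an attacker must try, worst case, to exhaust passwords of this shape."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password, rate):
    """Worst-case wall-clock time to try the whole keyspace at `rate` guesses/second."""
    return keyspace(password) / rate


def human(seconds):
    """Render seconds in the largest unit that fits (constructed helper)."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.6f} seconds"


if __name__ == "__main__":
    # Constructed samples: 3-digit padlock, 10-digit phone number, common password,
    # human-style "complex" password, and a 16-character random one.
    samples = ["555", "5551234567", "trustno1", "Summer2023!", "kX9#vL2qWm8!pR4z"]
    for pw in samples:
        print(f"{pw:<18} charset={charset_size(pw):>2}  "
              f"supercomputer: {human(seconds_to_exhaust(pw, SUPERCOMPUTER_RATE)):>20}  "
              f"desktop: {human(seconds_to_exhaust(pw, DESKTOP_RATE)):>20}")
```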

What Happens to Cracked Passwords

When hackers crack passwords, what happens next depends on their motivations. State actors may be inclined to keep this information for themselves, whereas many private hackers end up releasing their stolen goods at some point, either to the public or to buyers only. In the latter situation, regardless of who the credentials are shared with, it’s conservative to assume they will eventually end up being publicly available. This cannot be stressed enough. We won’t share any of them here, but there are websites that allow you to view almost anyone’s passwords as long as you have their username or email address. This makes for great party conversation: “So, what are you up to these days, besides using terrible passwords like letmein and iloveyou?”

At some point, someone with the credentials will use them to try to get into the system or data that the password protects. When a password is gathered and cracked, there’s usually other information associated with it (e.g. username, email address). This other information is often used to go to other services (e.g. Facebook, Gmail, etc.) to see if you reused those credentials, which is an attack called “credential stuffing”. If you did, you may have a big problem on your hands, because all of those accounts are now compromised.

Concluding Thoughts

When people don’t use password managers, they almost always choose passwords that are easy to crack or store them insecurely. When people use a password manager, they’re more likely to use strong passwords because the password manager remembers the passwords for you. At Bigger Insights, all of our passwords are long, random, and unique. We couldn’t imagine doing this without a password manager.

If this post doesn’t convince you that you need a password manager, we’re not sure what would, and we pray that you don’t get pwned. If you do get pwned, or would like some assistance with implementing a good password manager, fill out the contact form at the bottom of the page.

Support Us

We’re an ethical company that puts our community first. You won’t find us injecting targeted ads or trackers into our website, peddling sketchy products/services, or selling our visitors’ data to 3rd-parties. As a result, our visibility and resources are rather limited.

Please consider supporting us to help keep our mission going. There are several ways to make a difference – from cryptocurrency contributions to simply sharing our content. Every bit of support is greatly appreciated and helps us make the world a more private, secure, and prosperous place.
