Passwords

October is Cybersecurity Awareness Month
Here is another tip to help you strengthen your personal cyber security at home.
It's Patch Tuesday, did you get your automatic updates sorted? If you don't know what I'm on about, go find last week's tip. This week, let's focus on passwords.

Passwords are old, really old, and ever since they have been in use there have been people trying to crack them.
Trying to remember a bunch of random characters is hard, and when IT tells you that you should really have a separate password for each authentication service, it becomes impossible. How can we fix this? How can we make sure all the things are secure?

Passphrase over password. Passphrases are a group of words or a sentence used in place of a password to secure an account. They are useful as they introduce a whole lot of complexity without introducing a whole lot of "darn, what is my password again". Instead of trying to remember, say, 8–12 characters of a password (here is where I say your password is too short and you should feel bad), you can easily remember 4 unrelated words and know that I'm nodding in silent approval. According to https://www.security.org/how-secure-is-my-password/ the password 'pizza eating guitar monkey' would take a computer around 7 septillion years to crack, and I haven't even added capitals or numbers.

MFA where possible. If a service offers it, take the time to set it up. This helps protect your account in the case someone else knows, or 'guesses', your password. There are a few different methods of MFA and some are better than others. Having a service SMS you a code leaves you vulnerable to a SIM swapping attack, where someone goes to the effort of having your phone number transferred to a SIM card in their possession.
Having an authenticator app on your phone to present authentication requests or provide the authentication codes instead means they now need your phone and likely your phone's passcode, your fingerprint, or your face.
Don't authorise any random MFA requests you receive which you do not believe you have triggered, and do not provide an MFA one-time code or SMS code to someone who has called you claiming to be from your bank; I can guarantee they are not. They may not straight up ask you for it either. The way I'd do it* is trigger an MFA request, ask you if the code came through, and ask if the code is 132 271. As the attacker, my hope is that you respond with "No, it's …" and provide the correct MFA code, or I would try to prompt you for the correct code in another way. And BAM, your account is mine. Also be wary of someone claiming to be from IT saying they have sent an authentication request to your phone for you to approve.
Enough with the tangent, back to it.

Check for compromise. You can see if your account has been listed in a database of known data breaches at https://haveibeenpwned.com/. It contains breaches going back a number of years, so keep in mind you may have already changed your password (effectively re-securing your account) since the listed breach occurred. You can sign up to be notified if your email address appears in a future breach. Have I Been Pwned also has a tool you can use to check if that new password you've created is already likely to be on a password list out there. We are also starting to see web browsers that offer password storage check your saved passwords against known password lists too, which is great.
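An added example, not from the post or from Have I Been Pwned, showing how a breached-password check can work without the password ever leaving your machine: the client hashes it locally, sends only the first five hex characters of the SHA-1, the server returns every suffix in that range, and the match is done client-side. The breach corpus and the server stand-in below are constructed for the example; against the real service the fetch step would GET https://api.pwnedpasswords.com/range/<prefix> instead.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# The real data lives server-side; this toy dict only exists so the example runs offline.
BREACHED = {"password": 9_545_824, "123456": 37_359_195, "Summer2023!": 42}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus):
    """Simulated server side: index the corpus by the first 5 hex chars of each SHA-1.
    Each range holds 'SUFFIX:COUNT' lines, the same shape as the API's response body."""
    ranges = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        ranges[digest[:5]].append(f"{digest[5:]}:{count}")
    return ranges


def range_response(ranges, prefix: str) -> str:
    """Simulated GET /range/{prefix}: every suffix sharing that prefix, one per line.
    The server only ever sees the 5-char prefix, never the full hash or the password."""
    return "\r\n".join(ranges.get(prefix.upper(), []))


def pwned_count(password: str, fetch) -> int:
    """Client side of the k-anonymity check. Hash locally, send only the 5-char prefix,
    then compare the remaining 35 chars against the returned list. Returns the breach
    count for the password, or 0 if it is not in the list."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    ranges = build_ranges(BREACHED)
    fetch = lambda prefix: range_response(ranges, prefix)  # swap for a real HTTP GET
    for pw in ("password", "pizza eating guitar monkey"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch)} times in the constructed corpus")
```

A non-zero count means the password is on a known list and should be retired, whatever its length; a zero only means it was not in this corpus.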

Password Managers can help with the generation and secure storage of complex passwords and passphrases.
Yes, some web browsers offer password management, and whilst using your browser's password manager is better than nothing at all, it still really doesn't compare to having a dedicated password manager. I use a different password manager for work vs home accounts: work provides one and I signed up with another. I'm not suggesting you need to go to that level; a lot of managers have great personal/corporate integrations and separations. But I've found this works well for me: I can securely share passwords with my family members and keep some logical separation between the passwords I use for work and those I use at home.

More reading:
https://www.cyber.gov.au/acsc/view-all-content/publications/creating-strong-passphrases

Cyber security tips this month are taken from https://www.cyber.gov.au/acsc/view-all-content/advice/personal-security-guides which is a really good read.

*Not saying I would do it, just this would be conceptually a plausible way an attacker might trick you into providing the detail without explicitly asking for it.
