An estimated 25% of all Internet users choose weak passwords that are easy to remember. Around 60% use the same password for several or all of their accounts.(1) These dangerous habits are due to the growing number of websites requiring online authentication.
Say no to recycled passwords
Hackers know people recycle passwords, and they use this knowledge to their advantage. Many cybercriminals obtain login information by hacking poorly protected websites, before using this data to access other platforms.
Regardless of password complexity, users’ accounts are only as safe as the weakest website they have registered on. This is why stolen login information circulates so freely on the Dark Web, irrespective of the sensitivity of the hacked website.
Say yes to password managers?
Instead of memorising different passwords, some people opt to use a password manager. Examples include LastPass (the most well known), KeePassX (an open source option) or 1Password (for Apple users). The idea is simple: the password manager randomly generates strong passwords which can be accessed using a single “master” password.
In the case of LastPass, for instance, users define a master password which is hashed using SHA-256. SHA-256 is slower to compute than SHA-1, so hackers need much more time to carry out brute force attacks, which acts as a deterrent.(2) Users’ passwords are encrypted using the AES-256 standard and stored in a vault.(3)
Here, the master password plays two roles: it identifies LastPass users to the service, and it unlocks their encrypted passwords so they can read them.
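To make the two roles concrete, here is a small added example (not LastPass’s code, and not taken from the original article) of the pattern described above: the master password is run through PBKDF2-HMAC-SHA256 to produce a vault key that never leaves the client, and a second, separately derived value is what the server stores (salted and hashed again) to identify the user. The iteration count, the use of the account email as salt and the helper names are assumptions chosen for illustration. The vault key would feed AES-256 for encrypting the vault entries; that step is left out because it needs a third-party library.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; a real manager picks its own.
KDF_ITERATIONS = 100_000   # every brute-force guess must pay this many rounds
KEY_LEN = 32               # 32 bytes = 256 bits, the key size AES-256 expects


def derive_vault_key(master_password: str, email: str,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Role 1: derive the key that unlocks the vault (client side only).

    The account email is used as the salt (an assumption for this example),
    so two users who pick the same master password still get different keys.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Role 2: the value sent to the server to prove who the user is.

    One extra PBKDF2 round over the vault key, salted with the password, so the
    server receives something derived from the key but never the key itself.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, KEY_LEN)


def server_store(login_hash: bytes) -> dict:
    """What the server keeps: a fresh random salt and a salted, stretched hash.

    This is the kind of record that leaks in a breach; the attacker still has
    to run KDF_ITERATIONS rounds per guess to test each candidate password.
    """
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, KDF_ITERATIONS, KEY_LEN)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, login_hash: bytes) -> bool:
    """Recompute the stored hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"],
                                    KDF_ITERATIONS, KEY_LEN)
    return hmac.compare_digest(candidate, record["hash"])


def enrol_and_login(master_password: str, email: str, attempt: str):
    """Enrol a user with master_password, then try to log in with attempt.

    Returns (login_ok, vault_key, server_record) so a caller can check that the
    server record does not contain the vault key.
    """
    vault_key = derive_vault_key(master_password, email)
    record = server_store(derive_login_hash(vault_key, master_password))

    # A later login repeats the derivation from whatever the user typed.
    attempt_key = derive_vault_key(attempt, email)
    login_ok = server_verify(record, derive_login_hash(attempt_key, attempt))
    return login_ok, vault_key, record


if __name__ == "__main__":
    ok, key, rec = enrol_and_login("correct horse battery staple",
                                   "alice@example.com",
                                   "correct horse battery staple")
    print("login ok:", ok)
    print("server record reveals vault key:", rec["hash"] == key)
```

The point worth noticing is that a stolen server record gives an attacker neither the vault key nor a cheap way to test guesses: each candidate master password costs the full PBKDF2 work, which is why a long master password and a high iteration count matter together.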
Unfortunately, password managers also have failings, as LastPass knows well:
- In 2015, LastPass admitted that hackers had gained access to its members’ email addresses, hashed master passwords and security questions. However, the company underlined that the way passwords were hashed (salted hashing combined with the PBKDF2 key derivation function) made de-hashing virtually impossible.
- In 2016, computer security researcher Tavis Ormandy identified a vulnerability in LastPass’s Firefox extension (version 3.3.2). Attackers could lure LastPass users to malicious websites, where they fooled LastPass into handing over users’ credentials by pretending to be legitimate.
- On 21 March 2017, Ormandy found another bug affecting LastPass’s Chrome, Firefox and Edge extensions. As in 2016, attackers could lure LastPass users to malicious websites, where they fooled LastPass into revealing passwords by pretending to be legitimate third parties.
Proceed with caution
LastPass recommends that users choose long and complex master passwords to protect against sophisticated brute force attacks. This piece of advice – and the various security incidents affecting LastPass – show that password managers are not infallible.
Common sense is still required when visiting websites or choosing passwords (including master passwords). The main advantage of password managers is that they make it easier for users to adopt good practices.
Some organizations, including Britain’s National Cyber Security Centre (NCSC), consider that password managers should be seen as short-term fixes. A long-term solution would be to phase out password authentication processes altogether. Other options include multifactor authentication (already used by many banks), biometric recognition and digital IDs issued by state services.
(1) Data taken from the report “Adults’ Media Use and Attitudes Report 2013” produced by Ofcom in 2013.
(2) In cryptanalysis, this means testing all possible combinations until the right combination is found.
(3) NASA considers that this encryption standard is suitable for encrypting top secret communications. It is also public.