Recently a "vulnerability" in the corporate-client system of the Gett taxi service became known. As the researchers found out, all corporate clients were issued the same default password (and, naturally, many of them never changed it). As a result, knowing one password, attackers could get into many accounts at once (among the clients were Google Russia, Vkontakte, Ozon and other companies).

Scandals involving stolen passwords and personal data occur regularly: over the past couple of years alone, passwords from large companies such as Adobe and from popular email services have leaked onto the network, and hackers have even cracked the passwords themselves. Studies have also shown that authorization and authentication are among the main security problems of online banks.
In order to raise the security level of their users, many companies publish tips on how to secure accounts (here is the Yandex post on Habr, material from the startup Buffer, and special pages from Microsoft and Google). The creators of the popular XKCD comic devoted one of its strips to password protection:

We decided to interview representatives of IT companies to find out how they work with passwords and which of the security recommendations they follow themselves:
Alexey Shevelev (@Boomburum), Project Manager, Thematic Media:
Now I use 1Password - I like that there is a client for smartphone, tablet and laptop. Convenient and beautiful, and it even seems safe. Inside, everything is neatly laid out and filled in; changing the passwords on all the records is sometimes a chore, but worth it. Most often I use the password generator, which produces long, complex passwords. I gave up easy passwords long ago.
Until recently TouchID worked on my iPhone, but it stopped working after the button was replaced, so I had to switch to a regular passcode. There you can use a simple 4-digit numeric code or a more complex one (with letters). If you turn on the complex passcode but use only digits in it, for example 137900 (6 digits), then instead of the qwerty keyboard it will still show the numeric keypad - this is convenient and safer (6 digits are harder to guess than 4). However, in the new version of iOS it seems you can use longer codes.
Arkady Prokudin, information security expert, author and host of the Open Security podcast:
To create passwords I use two methods and no software products.
The first is old school: lowercase Latin letters + UPPERCASE + special characters @ &) + numbers 135
Such a password is hard to remember, but if you find some intricate combination in everyday life it becomes easier. For example: MicrosoftSilverlightBeta3.5a, Nokia3310, etc.
The second method: use as a password a line from a poem typed in the English keyboard layout. For example, “A grasshopper was sitting in the grass” - D nhfdt cbltk repytxbr /.
Grigory Matviyevich, lead iOS developer, Redmadrobot:
However much is said about it, most people still use very weak passwords: qwerty, 12345, 11111. Some people complicate their passwords by combining two words or adding numbers. But in fact this does not add much strength: all of them fall quickly to modern computing power. There are programs and algorithms, there are dictionaries. A strong password should be long, “random”, and contain letters of different case, numbers and, preferably, symbols.
For a complex password I usually come up with some meaningless phrase or rhyme, e.g. “fish tractor 33 pump yogurt”, and take the words apart letter by letter. Then I memorize it through some association, and the password is ready. I would also advise having several passwords, because if you register on some random service with the same password as in your Internet bank, it can end badly for your wallet.
Andrey Prozorov, Head of Expertise, Solar Security:
In the past few years I have become too lazy to remember passwords. The fact is that the number of services I am registered with keeps growing, and the passwords for them had better be strong (long, with numbers and symbols) and unique.
At the same time, classic ideas like “use associative passphrases” no longer work. For myself, I have settled on special software for storing and generating passwords. I use the 1Password client for the iPhone, periodically making a backup.
My passwords are complex and unique, and the shared database is encrypted. It is convenient for me, and I consider the risks of such storage minimal.
Dmitry Evteev, Technical Director of HeadLight Security:
Practice shows that most users are not so resourceful when choosing passwords. As a rule, passwords contain names, dates and other information close to a person's real life. Combined with the fact that the average person's memory is not that large, most users use 2-3 passwords for all the systems that authenticate them with a passphrase. In corporate systems where the security policy requires regular password changes, another common situation is that people either write complex passwords on paper and keep it close to the keyboard, or use some simple logic when creating a password. For example, they add numbers to a certain root that indicate the date of the password change, or even use a counter (incrementing the numbers in the password). In such cases, knowing the previous password, an attacker can easily work out the logic of its creation, and the whole point of the exercise is lost - the attacker will be able to guess the new password every time. Both for private users and in the corporate environment, usually all passwords are tied to a single email account, and by hacking it an attacker can gain access to various systems and services - the existence of such a sensitive system is a separate information security problem.
In general, passwords are very bad. Every day I myself face the need to remember many passwords for multiple systems. In this regard, one-time passwords sent, say, by SMS are extremely convenient. Even here there are some pitfalls (an SMS can be intercepted), but the very concept of one-time passwords makes it possible to significantly complicate the attack. Unfortunately, it is not yet possible to link a token to a global authentication system (although Big Brother is moving in this direction) so as to receive one-time passwords and transparently pass authorization on most Internet services. In a corporate environment, such a system is easily realizable, but here you run into the budget, because such a system will be expensive.
As for programs for storing passwords, they are easy to use, and I myself use one free program (I will not say which one) - otherwise I could not remember all my passwords. At the same time, I do not trust cloud-based password storage software: for all its convenience, it can contain errors (as successful attacks on popular services have already proven), which in turn can let an attacker pull down the password database of all users and, if the stars align, learn the master password; in that case the consequences of the attack will be extremely interesting ... for the attacker.
Max Krainov, CEO, Aviasales:
Everything is simple: Roboform / OnePass or similar systems. Passwords shorter than 16 characters with a bunch of special characters are not even considered. When we pass passwords around in chats, we erase them immediately after confirmation. As for access to data, we have a need-to-know policy (access to the data needed for work, and no more - ed.); if a person leaves, the passwords are changed. At the same time there is no written policy; all the rules were developed by the company's top managers, who have been in it for many years.
Dmitry Sklyarov, Senior Analyst, Positive Technologies:
For a password to remain only your secret, it is usually enough to follow three simple rules:
- do not try to think of short, easy-to-remember passwords;
- do not use the same passwords on different resources;
- do not enter passwords on computers that cannot be trusted.
So as not to memorize many long, complex passwords, you can use any decent Password Keeper. It can also generate random passwords of a given strength.
To protect the database of passwords, you will have to remember one strong password. One option is a passphrase 20-30 characters long.
If the Password Keeper supports two-factor authentication with a smart card or USB security token, this raises the level of security and narrows the attacker's “window of opportunity”.
Of course, using a Password Keeper program can lead to the loss of secrecy of all stored passwords if the master password is compromised. This risk must be taken into account.
Many password storage programs now have versions for mobile operating systems and offer synchronization through the cloud. This is certainly convenient, but convenience almost always works against security ...
My choice is KeePass on trusted computers, with the database protected by a long passphrase. And no password stores in the cloud or on mobile devices.
And here is what foreign experts think about password protection:
Jesper Johansson, Chief Information Security Engineer at Amazon:
Some companies have a security policy prohibiting employees from writing passwords on pieces of paper. I think this is absolutely wrong (Johansson made this statement while still a Microsoft employee). Everything should be the other way around: the policy should say that you must write your password down. I have 68 different passwords for different systems. If I cannot write any of them down, guess what I will do? I will simply use the same password everywhere.
There are still systems that do not allow the use of "normal" passwords, so I will choose the simplest and the worst of all possible options. But if you write them down on a piece of paper (and hide it in a safe place), there are no problems. This way you can keep more passwords and make them stronger.
Bruce Schneier, expert and author of books on information security and cryptography:
Usually a password consists of a root and a suffix. The root need not be a dictionary word, but more often it is something pronounceable, to which suffixes (in 90% of cases) or prefixes (in 10% of cases) are added. Password-cracking programs use dictionaries (English and other languages) and replace letters with similar-looking symbols ($ instead of s, etc.). Address book information, important dates and other personal data can also be used for guessing passwords.
To create a strong password, you need to do something that complicates this guessing process. I suggest using sentences that turn into a password. For example, “This little piggy went to market” can become something like “tlpWENT2m”: a nine-character password that will not be in any dictionary. Now that I have published it, of course, you should not use this one specifically, but the idea is clear.
If you cannot remember all your passwords, write them down on a piece of paper and carry it in your wallet. But write down not the password itself but the original sentence, or better a hint that will help you remember it. Or you can use a Password Keeper; there is nothing wrong with that, many people cannot remember all their passwords.
Brian Krebs, information security researcher, author of the Krebs on Security blog:
There are some tips for creating strong passwords; it is worth checking your passwords against them. The password must consist of a combination of upper and lower case letters, numbers and symbols.
Do not use your own username or easily guessed words (“password”), dictionary words or obvious character combinations (“azdzxs”) as a password. Also, do not choose a password based on data that may not be so confidential (phone number, date of birth, names of family members).
Do not use your e-mail password (if there is anything important there) on any other site. If someone hacks an online store where you shopped, they will be able to read your mail.
I used to think that passwords should not be stored in written form anywhere. However, now I agree with Bruce Schneier that you can store passwords in written form, the main thing being that it is not the password itself but something that will help you remember it.
When using Firefox, it is important to enable and configure a master password for all saved passwords; otherwise anyone with physical access to the computer will be able to see the passwords in plain text with a couple of clicks. There are also some good cloud password managers (LastPass, DashLane, 1Password), but if you don’t want to trust such data to the cloud, you can use a local manager (Roboform, PasswordSafe, KeePass). The main thing is to choose a strong master password that you can then remember (if you forget it, problems will begin).
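As an added example (not code from the article or from any of the people interviewed), here is a password-change validator in Python that encodes the rules discussed above from the server's side: Krebs' composition rules, Schneier's remark that crackers undo $-for-s style substitutions before a dictionary lookup, Krainov's 16-character floor, and Evteev's observation that a root plus an incremented counter or date is guessable from the previous password. The word list, the leet table and the thresholds are constructed assumptions for the example.

```python
import re
import string

# Constructed stand-in for a real cracking dictionary (assumption; use a full word list in practice).
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "summer", "winter"}
# Substitutions crackers undo ($ for s, 0 for o, ...), per Schneier's remark above (assumed table).
DELEET = str.maketrans({"$": "s", "0": "o", "1": "l", "3": "e", "@": "a"})
MIN_LENGTH = 16  # Krainov's floor; an assumption for this example


def root_of(password: str) -> str:
    """Strip leading/trailing digits and symbols, undo leet substitutions, lowercase.
    This is the 'root' Schneier describes: what a cracker would actually look up."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(DELEET).lower()


def composition_problems(password: str, username: str) -> list[str]:
    """Krebs-style composition rules. Returns a list of failures; empty means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    required = [
        ("no lowercase letter", any(c.islower() for c in password)),
        ("no uppercase letter", any(c.isupper() for c in password)),
        ("no digit", any(c.isdigit() for c in password)),
        ("no symbol", any(c in string.punctuation for c in password)),
    ]
    problems += [name for name, present in required if not present]
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    root = root_of(password)
    if root in COMMON_WORDS:
        problems.append(f"root '{root}' is a dictionary word")
    return problems


def is_predictable_change(old: str, new: str) -> bool:
    """Evteev's observation: a new password that keeps the old root and only bumps a counter
    or date suffix can be guessed by anyone who knows the previous one."""
    old_root, new_root = root_of(old), root_of(new)
    if old_root and old_root == new_root:
        return True
    # Same length with at most two positions changed is also a trivial edit.
    return len(old) == len(new) and sum(a != b for a, b in zip(old, new)) <= 2


def validate_change(username: str, old: str, new: str) -> list[str]:
    """Combined check run at password-change time, when both old and new are available."""
    problems = composition_problems(new, username)
    if is_predictable_change(old, new):
        problems.append("too similar to the previous password")
    return problems
```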