Don’t Listen to the FTC on Password Security

| Security

It may be hard to believe, but even in 2016, brute force attacks remain one of the most common attack vectors on the web.

While it’s impossible to guarantee 100% security against brute force attempts, you can get pretty close by using strong passwords, using HTTPS on login pages (also using stronger encryption algorithms), using two-factor authentication, limiting failed login attempts (and banning those IPs with failed login attempts), adding a CAPTCHA field to login pages, using a firewall to filter malicious traffic, etc.

We all know how important strong passwords are. As part of an experiment, Ars Technica reported that a team of hackers was able to crack 90% of a 16,449 password list — all of which were 16-character, cryptographically hashed passwords. In less than one hour. But security experts are adamant that site owners regularly change passwords as well. Not long ago I believed this was unnecessary, but the recent data breach of Dropbox has changed my mind.

Not long ago, Dropbox account owners received an email saying their passwords had been reset, “purely as a preventative measure.” Last Wednesday brought news that some 68 million accounts had been compromised in a data breach dating back to 2012. Yes, that means users’ email addresses and corresponding passwords have (likely) been floating around darknet for nearly four years. That’s really bad news if you reuse passwords.

So, what’s your point?

For four years, Dropbox users’ login credentials were unknowingly in the hands of hackers. Do keep in mind that these were hashed passwords, so it’s not like hackers had them in plaintext. Still, if you never updated your password in that time, you may have been open to attack.

It’s also important to note that this wasn’t a brute force attack. The password file leaked. All of the brute force protection in the world can’t help you if hackers are able to obtain usernames, passwords, IPs, user device info, etc.

What happened to Dropbox can happen to anyone. It happened to LinkedIn. (117 million passwords leaked.) It happened to MySpace. (427 million passwords leaked for 360 million users — maybe the worst data breach ever.) It quite infamously happened to “dating” site Ashley Madison. It even happened to password manager LastPass in a cruel twist of fate for those looking to secure their passwords.

And it’s not that Dropbox was careless with security. The Home Depot, Target, Sony, and even the IRS have all suffered (high-profile) data breaches.

In most cases, these attacks occur months — or years — before users know what happened. Regularly changing your passwords helps protect against unknown data breaches. This also drives home the point of never reusing passwords — because if one password gets stolen, then all of your passwords are stolen.

Can’t say I was too pleased when I downloaded LastPass so I’d never have to remember passwords and then got an email saying they were hacked… and had to reset my master password. Oh, the irony.

What can I do to protect myself?

Use a password manager. LastPass, even though it got hacked, is still a good one. And there’s a free version as well. There’s also Dashlane (also has a free version), 1Password, and many others. Do yourself a favor and start using a password manager before you get hacked.

If using a password manager isn’t an option, then make sure you’re using strong passwords and changing passwords at least semi-regularly.

You’re not alone if you aren’t using a password manager. Most people, myself included, will resist taking additional security precautions that they know will be a pain. Some people still use weak passwords that are easy to remember, still use the same password for every site, don’t use two-factor authentication, don’t change their passwords regularly, etc. Just remember: the cleanup work involved in fixing a hacked website (or hacked anything) FAR exceeds taking a few minutes to reset a password.

You can also opt for two-factor authentication (2FA). 2FA is even more of a “nuisance” than password resets, but can prevent brute force attacks and help protect you from password leaks better than anything. 2FA adds an additional requirement for logins. When you enter your username and password, you may be prompted to enter a code that is either texted or emailed to you. Most banks require 2FA for online banking. If your password is ever stolen or brute forced, then the extra security layer can help prevent disaster.

Is there anyone who thinks changing passwords doesn’t help security?

Earlier this year, the chief technologist at the U.S. Federal Trade Commission (FTC) published an article that challenged the notion of mandatory password updates. She goes on to write:

… there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.

Source: Lorrie Cranor, “Time to Rethink Mandatory Password Changes,” March 2016

Cranor explains that many companies and government agencies mandate frequent password changes to prevent insider attacks, which we wrote was a significant threat to website owners. The logic is this: independent contractors / vendors come and go. Employees get fired (and sometimes become disgruntled). You don’t want to have the same system passwords that you did when these vendors/employees worked for you. It’s like changing the locks when you buy a house — just in case the previous owners left a few spare keys lying around.

But back to the idea that forced password updates compels people to choose easy passwords, or replace easy passwords with easy passwords — I agree. Sometimes people don’t understand the importance of choosing un-guessable passwords, so they’ll pick a password like “gosaints” and then change it to “gosaints1” when prompted to update. That isn’t helping you. However, that doesn’t mean regularly updating makes security weaker, as inferred by Cranor’s post. Picking weak passwords and replacing them with even weaker passwords is the part that’s bad for security.

What was even worse was how trusted, legitimate news outlets ran with the headlines. WIRED told its readers, “Want Safer Passwords? Don’t Change Them So Often.” Ars Technica took it a step forward and proclaimed, “Frequent password changes are the enemy of security, FTC technologist says.” And The Washington Post, a national publication with substantial readership, chimed in with the article, “Why changing your password regularly may do more harm than good.”

These are major publications and news outlets. I personally look to WIRED and Ars Technica for tech news, which is why I was disappointed to see these articles. It’s hard enough to get people to buy into taking additional security measures to protect themselves.

The last part of Cranor’s article brings home the point of this post. When asked when users should change their passwords, she responds, “If you have reason to believe your password has been stolen, you should change it, and make sure you change it on all of your accounts where you use the same or a similar password.” That’s my point. You may not know if your password has been stolen. 68 million Dropbox users didn’t know their passwords were stolen four years ago. Fortunately Dropbox did the right thing and automatically changed users passwords for them. Don’t wait until the unthinkable happens; don’t wait until after your password gets stolen to start doing damage control. Make it as hard as possible on hackers.

UPDATE 9/22/2016: The part where I called the MySpace breach the worst ever needs to be changed. Yahoo! has claimed the title with 500 million user accounts hacked. Yikes!