Password confessions of a security professional

Gavin Millard (@gmillard)

I have a confession. It’s hard to admit, and I know it might make me a bit of a social pariah and an outcast in the industry I work in, but I need to get this off my chest.

I used a single password for many online services *deep breath* for a long time.

It wasn’t a big deal at first. I only used it on Slashdot, then eBay, then Yahoo!, then Apple, then a plethora of other systems until I simply lost control, plugging the same password into too many websites to count.

It’s just so darn convenient to use one password that I could rattle off in a second on every website I visited, confidently knowing that if I remembered the username or email address used I’d be able to buy something I didn’t need but desperately wanted.


I finally realised I had a problem, though, when I signed up to yet another service and they emailed me a confirmation of my account with my “one online password” just sitting there, in cleartext, in the email. I had to do something about it.

I turned to my friends and colleagues for support but they were all at it as well, popping the same password into lots of different websites with gay abandon, not worrying about the future consequences.

Years before I fell into this terrible habit, I had an encrypted spreadsheet on my desktop computer where I dutifully stored all my credentials. It wasn’t that secure by today’s standards but worked.

I hardly bought a thing off the Internet, so it mostly contained logins to the systems I administered, each password created either by a cunning recipe I’d come up with or by random bashing on my keyboard if I needed to relieve some stress.

The aim was to slow down any would-be hacker from brute-forcing access using dictionary attack techniques, allowing me to sleep at night knowing the 50 or so corporate systems protected by my angry keyboard mashing were safe.

Times have moved on, though, from having a questionably encrypted XLS file. I needed passwords synced across multiple devices, including my mobile and tablet, and had to come up with a better way of creating new passwords, as frequent bouts of maniacal keyboard mashing would surely raise eyebrows in the office.

The solution? A decent password management platform.

I can now create complex passwords with any combination of characters and never have to worry about remembering the output. I can even sync to my other devices when needed, so I don’t have to worry about the only copy of my password database sitting on my laptop in London when I’m desperately trying to book a flight on BA.com from my iPad in Germany.

The first few months were hard, and I faltered a few times at moments of weakness when the desire to book a hotel quickly was more important than going through the rigmarole of resetting the existing password, creating a new one and storing it, but I got there in the end and I’m now clean and away from the steel-like grip of my old habit.

The most shocking part of this woeful tale is how many accounts I now have in my password manager – at last count over 100. Previously if one of the online services I used got popped, the attackers could have gained access to all of them, completely owning my increasing online footprint. Sobering thought.

With the recent spate of accounts being breached at companies I don’t need to mention, maybe now is a good time to take a step back and rethink your password habits.

Stop trusting other companies to protect your password and give them one that you’ll use nowhere else so if they do get breached, you’ve significantly reduced your risk of further exposure.
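To make the reuse risk described above concrete, here is an added Python example that is not part of the original article: it audits a password-manager style export for reused passwords and reports which other accounts would fall if one site leaked its password in cleartext, then generates a fresh per-site password. The export rows, sites and function names are constructed for illustration and are not any password manager's format or API.

```python
import csv
import hashlib
import io
import secrets
import string
from collections import defaultdict

# Constructed sample export in the "site,username,password" shape; the
# accounts and passwords are made up and mirror the post's "one password
# everywhere" habit on the first four sites.
SAMPLE_EXPORT = """site,username,password
slashdot.org,gavin,Tr0ub4dor&3
ebay.com,gavin,Tr0ub4dor&3
yahoo.com,gavin@example.org,Tr0ub4dor&3
apple.com,gavin@example.org,Tr0ub4dor&3
ba.com,gavin@example.org,q9$Lm2vXz!7Kp0Rw
workserver.example,admin,H7#xC4nQ%2dLwT8e
"""

def reuse_report(export_text):
    """Return {fingerprint: [sites]} for every password used on more than
    one site. Passwords are reduced to a truncated SHA-256 fingerprint so
    the report itself never repeats a secret."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        fp = hashlib.sha256(row["password"].encode()).hexdigest()[:12]
        groups[fp].append(row["site"])
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}

def blast_radius(export_text, breached_site):
    """Other sites an attacker could log in to with the password leaked by
    `breached_site`: the scenario the post warns about. Empty if unique."""
    for sites in reuse_report(export_text).values():
        if breached_site in sites:
            return sorted(s for s in sites if s != breached_site)
    return []

def new_password(length=20):
    """Random per-site password from a CSPRNG, resampled until every
    character class is present so it passes typical complexity rules."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw
```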

If you don’t already use one, make the right decision and download a password manager today.

Here are a few to get you started:

What are your tips for password safety? Leave a comment below.


Gavin Millard, EMEA Technical Director for Tenable Network Security, is a trained ethical hacker who works with large enterprises to address their cybersecurity challenges. Gavin speaks frequently on communicating the value of security to the business, hacking, compliance and other key security topics.

17 comments on “Password confessions of a security professional”

  1. Salomão Santiago

    Another great option is PasswordBox (passwordbox.com).

  2. Simon Reed

    And this downloaded password manager will be secure … how? Secure as Dropbox (oops, hacked twice)? Secure as a big company like eBay (oops, hacked)? Secure as a commercial product like Sony products (oops, comes with a rootkit as standard)? Secure as a Microsoft product (oops, they've shipped viruses)?

    Why should I trust a password manager that, for example, stores my (377 different) passwords or their key in the cloud?

    1. Coyote · in reply to Simon Reed

      Edit: better question is this. The very fact the password manager is on your own computer… well, if you don’t trust it and therefore yourself then you have far more serious issues, don’t you? But see below for more on that.

      For starters, one of the options is open source. Keepass. Now if you don't know enough to read AND understand the source, then what makes you think you have enough knowledge and experience to decide on anything else? If you do think otherwise then you are fooling yourself. And MS is not the only one guilty of that. Even security companies have done that. That you refer to a big company and somehow associate the fact that it would be secure is laughable. (I would also argue MS is bigger than eBay as an aside). No, do not make that mistake: bigger corporations care far less about security, in that way. In general they are being paid and it is not their passion so why would you trust them more? Even when they DO care it is a fair bit different than someone who cares and at the same time is asking NOTHING in return.

      But all that aside: what are you on about with 'the cloud' ? This has nothing to do with the cloud. (The irony is I saw that part AFTER thinking and writing about the open source part… which only further shows my suspicion may indeed be correct). No, storing your passwords on a remote machine WOULD be stupid but this is not the same thing. Not generally speaking any way. Obviously you could have a password manager on a server you manage (but that would be YOUR responsibility, NOT some random host). Then again, you referring to MS as an example makes me wonder if you WOULD be running your own server. …

      None of that is to be offensive… but it all crossed my mind while reading your message a few times. The bottom line is this: the higher your unique password to account ratio is, the better. Further, password strength and length do matter. And you suggest you have 377 different passwords and you not using a password manager (that's how I read it anyway so take this with that context). I don't believe a word of it, if you are using even somewhat reasonable passwords. Even if THAT is true (and you ARE using different, unique, reasonable passwords) the best question is: why even care? You are doing fine just as is, after all.

  3. j0hn

    To avoid stored passwords being compromised, don't store the complete password. You can still save a file with the incomplete passwords or even print the list and leave it on your desk but unless the intruder knows what is missing, the passwords are fairly useless and trying them will probably just lock the accounts.
    Simple example: insert GCHQ after the first uppercase letter and repeat the last non-alpha
    Printed password: 4opR3tE5&jK%^6k
    Actual password: 4opRGCHQ3tE5&jK%^^6k

    To add a bit more complexity, you could add a different sequence based on the account you are logging into. Anyone trying passwords from the list will soon realise that they are either wrong, expired or possibly incomplete, but they would need a very long time to work out exactly what is missing and where it is missing from.

    Of course, this technique will not defeat a keylogger or shoulder-surfer but you can be fairly confident that losing the printed sheet is not the end of your online world.

  4. Vesselin Bontchev

    Haven't looked at the others, but I am familiar with LastPass and strongly advise you NOT to use it – or any other password manager that lets you "sync" across devices over the Internet. Trusting passwords you care about to some third party in the cloud is simply stupid. What if they are hacked? What if they are compromised by the NSA (or already forced to cooperate with them) or any of the other spy agencies?

    Using a password manager is a good idea, but it MUST keep the passwords on your local computer and nowhere else.

    1. doubter · in reply to Vesselin Bontchev

      Vesselin,
      Firstly, in today's world, what would be the point of a password manager that is not operative across multiple devices? Most of us use multiple platforms daily.
      Having said that, I denote certain machines as trustworthy, from which I am happy to perform online transactions, and others as non-trustworthy for various reasons (specifically my Android device, and of course public machines as how does one know there isn't malware or a physical keylogger on such a machine).
      Secondly, do you really know lastpass? It has multiple layers of security, too many to mention here, but they include two factor authentication if used on a machine that hasn't been designated as a trusted machine, blocking certain countries, etc.
      One has to be practical and take measures proportional to the risk. I don't leave my front door open when I go out but I don't have razor wire, armed guards and Alsatians prowling either.

    2. Gavin Millard · in reply to Vesselin Bontchev

      You are concerned that somebody will break the 256-bit AES encryption? It would be cheaper to fly to where the person is located, drug them and beat them with a wrench until they give passwords over rather than attempt to decrypt AES.

  5. Eddie Bates

    The Best place to not only store and also create Passwords? DigitalSafe!
    The only service that is compliant with the following:
    Swiss Federal Act on Data Protection (FADP),
    Freedom of Information and Protection of Privacy (FOIPPA),
    Personal Information Portability and Accountability Act (PIPEDA),
    Health Insurance Portability and Accountability Act (HIPAA),
    Payment Card Industry Data Security Standards (PCI-DSS).
    All data is stored in Switzerland! Swiss security and confidentiality is 100% assured! Visit www.americansrighttoprivacy.com and sign up for DigitalSafe your Swiss Bank Account for Data!

  6. cyberjack

    With a password manager you suddenly place all your trust with them, their staff and contractors, their 3rd parties, the networks they use and share, the legal system of the country they operate in (think Patriot Act etc). If all your passwords are in one place then there is one nice little place where your entire online life is at risk of compromise.

    Why is this more secure than writing them down (or better, a coded reminder) and keeping the little bit of paper in your wallet? IMHO it is not. Technology is not always the answer to security.

  7. j0hn

    I agree with cyberjack. We do tend to get lulled into thinking 'it will never happen to me'. Fortunately, I have been in the nightmare position of having had a large amount of confidential material compromised by an unscrupulous employer using a willing technician to break the law. I thought it would never happen because I stupidly thought that no IT professional would ever stoop so low. But when you find out that the secret stuff you carefully encrypted may as well have been printed in the company magazine, it makes you take a long hard look at why you ever saved it in the first place, never mind which systems you trusted to protect it.

    My conclusion is that you have to be smarter than next year's smartest crook, and, for most of us, that is probably impossible.

    P.S. Hello Solly! I'm sure I can't be the only guest who remembers you with fond infection! You saved me from certain doom on more than one occasion and I just wanted to say thank you.

  8. H. Anatomi

    A. Using a single password across many accounts, say, re-use of a password, is blamed as reckless.

    B. Managing many accounts with a single password (called master-password) with password management tools is recommended as clever.

    However, are A and B practically so different from each other?

    I would like to say that neither A nor B is reckless when used for low security applications. Neither A nor B is clever for high-security businesses.

    1. Gavin Millard · in reply to H. Anatomi

      A and B are totally different. A is dependent on many third parties keeping your password safe, B is dependent on one person and one application keeping the passwords safe. I trust my ability to protect my password database far more than third parties protecting their password databases and having a good duty of care with regards to hashing and salting.

  9. j0hn

    Something else worth thinking about (especially with password managers and secure cloud provision in general) is the fact that it is very difficult to validate any company's security claims. They may make bold statements such as "Industry-leading security technology as approved by xyz" but in effect you are almost totally reliant on their good will. Along with user error, this is a critical failure point and can be much worse if it is global. If their accreditation or intrusion testing has been sloppy or is inherently flawed, you are no better off than using a company who claims to "do their best to protect your valuable data".

    The Halifax bank reassures its customers with phrases such as: "We also use leading edge technologies to ensure your safety while banking online with us." but they don't even let you create a medium strength password. To add insult to injury, when things go wrong, some banks even have the audacity to accuse you of not having taken all necessary security precautions, many of which the average customer has never heard of.

    I am immune to all this banking worry – my financial adviser managed my cash – until it was all gone!

    1. Gavin Millard · in reply to j0hn

      Marketing lie? You are paranoid :-)

      KeePass might be the one for you http://keepass.info/

      1. j0hn · in reply to Gavin Millard

        Just to be clear, I wasn't implying that suppliers lie about their "leading edge technologies" and that quote was taken directly from the Halifax website. We can only accept such claims as an intention of good faith, not a guarantee. However, it is obvious that in order to employ "leading edge" we might expect them to be announcing something innovative every week but this simply does not happen. In any case, a weak password is hardly leading edge.

        By the way Gavin, I have used KeePass but I abandoned it after an illegal keylogger snaffled my master password and I had to spend many frustrating days sorting out the ensuing mess. I now think that all such applications should use a picture of eggs in a basket as their logo.

        It's a cruel irony that the keylogger (and its rogue installer) defeated quite a few so-called "leading edge technologies" – just before I broke all the eggs!

        1. Thomas Dial · in reply to j0hn

          "A keylogger snaffled my master password" is not a defect of KeePass but of the environment in which it is used. It is a fact though, that using a password manager carries the risk of compromising a great number of passwords at the same time, similar to the risk of using the same password for numerous accounts, mitigated somewhat by the fact that it is unnecessary to trust others to keep it secure.
