Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - All Passwords have been lost: What's next? InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

All Passwords have been lost: What's next?

Published: 2014-08-06
Last Updated: 2014-08-06 11:40:45 UTC
by Johannes Ullrich (Version: 1)
13 comment(s)

Some of it may be hype. But no matter if 500 Million, 1.5 Billion or even 3.5 Billion passwords have been lost as yesterday's report by Hold Security states, given all the password leaks we had over the last couple years it is pretty fair to assume that at least one of your passwords has been compromised at some point. [1]

yes. we have talked about this many times, but it doesn't seem to get old sadly.

So what next? Password have certainly been shown to "not work" to authenticate users. But being cheap, they still are used by most websites (including this one, but we do offer a 2-factor option). 

For web sites:

  • review your password policies. There is no "right" policy, but come up with something that rejects obvious weak passwords and on the other hand, allows users to choose passwords that they can remember (so they can have a unique password for your site).
  • Make sure your site works with commonly used password managers. The only real way for the user to have a unique password for each site is a password manager.
  • lock accounts that haven't been used in a long time, and delete their password from your database forcing a password reset if they try to reactivate it
  • consider two factor authentication, at least as an option and maybe mandatory for high value accounts (e.g. administrators). Google authenticator is probably the easiest one to implement  and it is free. We talked about other alternatives in the past as well.

For users:

  • Have a unique password for each site. As an alternative, you may have a single "throw away" password for sites that you don't consider important. But be aware that at one point, a site that is not important now, may become important as you are doing more business with them.
  • Use a password safe, if possible one that allows syncing locally without having to send your password collection to a cloud service.
  • For important sites that don't allow for two factor authentication, consider a "two-part password": One part will be kept in your password safe, while the second part you type in. The password safe part is unique to the site while the additional second part can be the same for different sites or at least easy to remember. This will give you some protection against a compromised password safe.
  • Change passwords once in a while (I personally like every 6 months... ) in particular the "static" part of these high-value passwords.
  • Ask sites that you consider important to implement 2-factor authentication.

That's at least what I can come up with while sipping on my first cup of coffee for the day. 

[1] http://www.holdsecurity.com/news/cybervor-breach/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: passwords
13 comment(s)
Diary Archives