Last Sunday, Zappos (a popular, Amazon-owned, online shoe reseller) warned its employees and customers that an attacker had gained access to their internal network, and made off with a bunch of sensitive customer information. The good news? The attacker did not gain access to any customer credit card info. The bad news? He or she did steal over 24 million users’ names, addresses, phone numbers, email addresses, and encrypted or hashed passwords.
Zappos hasn’t released any technical details about the attack, and I don’t expect them to. If forced to guess, I’d assume it probably originated from some web application flaw, which is a pretty common vector these days. That’s why I often suggest that IT and web administrators focus their security resources on their web applications; both by encouraging secure web coding practices, and by leveraging security controls with application-layer inspection capabilities (such as the HTTP and HTTPS proxies that WatchGuard’s XTM appliances offer). However, that’s not what I’m here to talk about today. Today, I want to talk about passwords.
I’ve talked about passwords many times before, but as a core principle of security (technically part of Authentication), the advice bears repeating. Here are some password-related tips; both general and related to password security breaches:
- Change your password(s) after a security breach – If a site you use ever has a security breach where attackers gain access to passwords (hashed or not), change your password immediately. In Zappos case, they are forcing this advice by terminating old passwords. If you use Zappos, be sure to change your password now, before a bad guy does it for you.
- Use strong passwords – I believe passwords should be greater than 10 characters. One easy way you can create long passwords, with enough entropy, is by using passphrases, or more specifically something I call pass-sentences. WatchGuard’s Bud Logs In video talks about these concepts in more detail (and is good for basic endusers).
- Use different passphrases on different web sites – This is crucial aspect of password security, especially when considering these types of web breaches. If you, like most people, use the same password for many different web sites, the attacker that has Zappos’ password archive now may have your password for all web sites. If you have been using the same password everywhere, not only should you change your Zappos password, but you should change your password on every site (and make it different this time). This breach situation is exactly why experts recommend you use different passwords everywhere. That said, many people find this advice hard to implement in practice; which brings me to the next tip…
- Leverage password vault software – Password vaults make it easier for you to manage multiple passwords securely. They are not perfect. If you use multiple machines and OSs, you may have trouble finding password management software that meets all your needs. Plus, password vaults become a single point of potential failure, as they almost literally store all the keys to your kingdom. It’s extremely important to use secure password vaults, and protect them. That said, they offer the only practical solution to managing multiple passwords today. This article suggests a few good ones to use (I have used 1password myself).
Ed Dewey says
A good read, as always. I use strong passwords and never the same for whichever account I have. However, I have tried vaults and not really liked them. I keep all my personal passwords in a Word 2007 document which has a strong password on it. Is that an acceptable alternative in your estimation?
I’d be curious to know the answer to that as well as I’m very suspicious of password vaults for some reason. I trust them about as far as I can throw them… I just basically keep them all in my head and leverage the “Forgot Password” functionality of sites as I forget them. Probably not the most efficient, but I feel more confident with what I’m doing.
Corey Nachreiner says
Being a paranoid personality, I don’t fully trust all password vault software either… but I do think there are some decent ones. Like any product, some do the bare minimum to make a buck, others really believe in the concept, and do their best to make a product that really does what it’s intended for. You just have to find the one you trust, based on your research…
BTW, there’s one other imperfect, but easier to implement, password reuse strategy that I sometimes give…. As you browse the web, there are sites you register for, and get credentials on that really need to be secure (banking sites, ecommerce, social networking, etc)… but there are also sites that you end up with credentials on, but never put anything sensitive, and really are throw aways sites that aren’t important to you (may a forum site you don’t post on a lot, a site where you have to sign up for a whitepaper).
I have given the advice where you only follow the strongest password security practice for the important site. So you definitely use different, strong passwords on all the import sites I mention, but you then go ahead and use the same throw away password for non-important sites… This can make your technique of just remembering your passwords a bit easier.
The one caveat to this technique, and one I intended to talk about in my original post, but forgot, is that “forget password” mechanism. As we all know, these forget password mechanisms often leverage “Security questions.” Security question answers are one of the often forgotten pieces of data an attacker can steal in a breach, and these questions and answers are often reused as well. If you have security question answers on one of your “throw away” sites that matches the questions on a important site, suddenly that one shared throwaway password becomes an issue.
Luckily, the forgot password mechanisms are also often tied to email addresses, which makes it harder on an attacker… but I’ve always worried about these security questions and answers in a web breach situation.
Corey Nachreiner says
I agree that password vaults are still an imperfect solution. None that I’ve played with work exactly the way I would like, and I’m very much a mixed platform dude (Windows, OS X, iOS, android, etc, etc, ad nauseam), so it’s hard to find a solution that is equally easy and available for all platforms.I’m also not convinced that they all share rigorous levels of security, though I hear some are pretty good.
In any case, I personally do prefer them more than the manual method.
I don’t hate your Word doc approach, and it is already better than what most people do. So it may represent an appropriate solution, but I do see a few potential issues with it.
Granted, I haven’t looked deeply into Word’s built-in encryption in awhile, but there are a few issues I remember about it. It may be confusing for normal users. If I remember right, Word documents offer the ability to both add a password to a document that only protects the document from being open, or edited, and a separate feature for adding a password which actually encrypts the documents. I suspect you already know the difference, and choose the appropriate setting, but I could see some users not realizing the difference. I also remember the default encryption settings not being great. I think Word offers you many algorithms to encrypt a document, but I think the default might be a weak one. Also, I think some of the options that allow for legacy, or compatible documents, also result in using old Word 2000 encryption, which has known issues. So in short, even though an advanced user like you can get Word to create and store a pretty encrypted document, normal users may user settings that aren’t that strong.
Also, if you really are a paranoid security nerd, there’s also the local memory problem. When you open your document, the passwords will be somewhere in your computer’s memory, likely not encrypted. While not all password vault software is created equal, I do know that some password vault software does consider this possibility, and either tries to wipe stuff from memory properly after use, or leverages encryption even in memory.
In either case, whether you use the Word document, or password vault software, it becomes the weak link… so you need to do everything in your power to protect it. And frankly, if an attacker gains access to your computer or device, it still may be game over.
My less paranoid, security nerd answer is that I think your technique is fine. Often security experts get caught up in trying to enforce perfect security, which will NEVER exist. They forget it’s about risk management, which is more about implementing only the most appropriate security for a level of risk. While password security is very important, I think you method is pretty appropriate for the potential level of risk (someone breaching a site with your password).
Corey Nachreiner says
BTW, the only thing I forgot to mention about password vaults is the additional convenience (those this convenience scares me at the same time). Many password vaults have options to automatically fill in your password for you. One reason people don’t follow advice to use different passwords is due to simple inconvenience (we’re all a little lazy sometimes, or at least I am). So the fact the password vaults can add some convenience might allow more ppl to leverage them…
Of course, this begs the question of what happens when an attacker has physical access. If someone does gain access to your computer, you wouldn’t want it filling in passwords for all your resources. However, I do think some password vault software does have that issue solve too, making you re-enter you master password when you lock your computer, or within a period of time with no activity… In anyway, that is one other reason I started using them over the manual technique.
Good points, Corey. I’m guessing Zappos must have forced a password reset on all of those users. Wouldn’t take terribly long to run those hashes against rainbow tables to crack open a couple of accounts I’m guessing.
Corey Nachreiner says
Yeah… Zappos terminated the old passwords… So old users logging on will probably be directed to immediately change their passwords (not a customer myself, so I haven’t seen what actually happens).
You are right on the rainbow tables… That’s why I mentioned in passing that whether stolen password archives are hashed or not, may not make a difference. If I remember correctly, in the HBGary case, their passwords were hashed… but they were hased with MD5 without any salt. There are tables for MD5 and SHA1 that make decrypting those types of archives pretty easy. That said, Zappos hasn’t really shared how their password archive was “scrammbled” (their words). They may use pretty strong hashing or encryption techniques, in which case the passwords may still be safe despite this breach… but better safe than sorry… 🙂
Jack Kallenbach says
Unlike the others, I like my password vault program. I use the Open Source program Password Safe. http://pwsafe.org/ It uses the Twofish encryption method. I use a strong password to protect my Password Safe. Something that would be very difficult to crack but something I will never forget. Besides, I am in my Password Safe at least once a day so it is very unlikely I will ever forget this password.
I currently have over 433 entries in my Password Safe. This is way too many strong passwords for me to remember. I strongly suggest keeping a backup copy of the encrypted password file in a safe location away from your working copy. I would be lost if something happened to this file.
They even have a version that runs on the Android platform. I can now take an encrypted copy with me.
The program has a very nice password generator. If I am protecting something that I am really paranoid about, I will let it generate a random 30 character password with case changes, numbers, and symbols. I don’t need to remember this password as I just copy and paste it when I need it. I only need to remember the password to the Password Safe.
Since I only need to remember the password to my Password Safe, I can use a different strong password for everything.
My PC is behind a nice Watchguard Firebox. I monitor the logs. If this Password Safe program was doing anything strange, it should show up in the firewall logs. I have never seen any evidence that the program is doing anything strange in my WatchGuard logs.
I would never keep my passwords in something as easily cracked as a password protected Microsoft document. It takes me about 30 seconds to discover the contents of a password protected Microsoft document, and I don’t consider myself an expert on this subject. There is too much at stake to risk my passwords in such a way.
I take a Never Say Never attitude about my network security. I believe anything can be breached if someone really sets their mind to it. Even my Watchguard Firebox. My job is to make things as difficult as possible. A good firewall and strong passwords are all part of the equation.
Corey Nachreiner says
Thanks for sharing your experience with pwsafe. The benefits you share are exactly why I personally prefer password vaults in general to any manual method. Being open source, and free are also pluses to the one you recommend.
My only personal negative for it is it seems to only be Windows and Linux centric (though you mention Android too)… and I have some Macs and iOS devices to also consider… but nonetheless, password vaults are pretty much the best way to go now!
Ed Dewey says
Here’s a pretty good article on Office 2007 document encryption vs. Office 2003:
2007 format files by default get 128-bit AES, Sha-1, with the option of increasing to 256-bit.
Ed Dewey says
Yes, an Office 2003 document was/is quite easily cracked, due to RC4. I had a password cracker on hand for people who forgot their passwords and it always worked. I tried one “rated” for a 2007 document and it could do nothing with it after dozens of hours. Of course, I had a strong password on it.
i will try for this sure 🙂 thanks for it
I think this is among the most significant information for me.
And i am glad reading your article. But should remark
on few general things, The website style is perfect, the articles
is really nice : D. Good job, cheers