How can you protect your user identities online and sleep better at night?
How to keep your online identities more secure
Usernames and passwords being discovered by attackers and adversaries is among the most devastating things that can happen to a business, and it can be just as devastating in our personal lives. With the credentials in hand, the doors are pretty much open for the attacker to go after the business or your personal life. A great many security functions rely on this simple combination of username and password, and when it is exposed there are at best a few controls in place to protect against misuse.
Pretty much all services we use rely on authentication with a username and password: some banking services, Facebook, email, Dropbox, Netflix etc.
So it is obvious that keeping your business and private accounts secure is important...
- But how can it be done?
- Is there something that can be done to make life easier as well as more secure, or do we have to struggle with remembering all passwords at all times, which is cumbersome and difficult?
- What is good enough with today's threat picture, where usernames and passwords are discovered in breaches quite frequently?
There are many things you can do yourself to protect your usernames and passwords. Some tools are free, other tools may cost money and some tools can be a hassle, depending on your situation and your familiarity with tech and gadgets. Which tools you can and should use depends greatly on the situation: if the service does not offer e.g. two-factor authentication, then that security measure simply cannot be used.
Let's try to establish some principles to work from.
1: A strong password is a long password. Adding letters and symbols has much less effect than the password length. You can read more about that in the following recommendation from the Norwegian Security Authority (NSM): https://nsm.no/aktuelt/passordanbefalinger-fra-nasjonal-sikkerhetsmyndighet
2: Passwords should be unique for each service. Using the same password for many or all services increases your risk of being compromised.
3: Use multifactor authentication where available: something you know (like a password), something you have (a physical security key or a paired authenticator app) and something you are (fingerprint, face, voice etc).
4: Using passwords as the only factor of authentication should be the last resort. If the service does not offer two-factor authentication, you simply do not have much to work with.
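To make principles 1 and 2 concrete, here is an added example (not part of the original post) that puts numbers on "a strong password is a long password": it computes the entropy of randomly generated passwords for a few alphabet sizes and lengths, and generates a unique 16+ character password with Python's `secrets` module, which is what a password manager does for you. The alphabet names and the sample lengths are choices made for this example; the entropy formula assumes the characters are chosen uniformly at random, so it does not apply to passwords a human picks.

```python
import math
import secrets
import string

# Alphabets chosen for this example (sizes 26, 62 and 94 symbols).
ALPHABETS = {
    "lowercase": string.ascii_lowercase,
    "lower+upper+digits": string.ascii_letters + string.digits,
    "all printable": string.ascii_letters + string.digits + string.punctuation,
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password of `length` symbols, each drawn uniformly
    and independently from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def compare_length_vs_alphabet():
    """Return (alphabet name, length, bits) rows. Reading them shows that going
    from 8 to 16 characters adds more bits than switching from lowercase only
    to every printable symbol: 16 lowercase chars (~75 bits) beat 8 chars from
    the full printable set (~52 bits)."""
    rows = []
    for name, alphabet in ALPHABETS.items():
        for length in (8, 12, 16, 20):
            rows.append((name, length, round(entropy_bits(length, len(alphabet)), 1)))
    return rows


def generate_password(length: int = 16, alphabet: str = ALPHABETS["lower+upper+digits"]) -> str:
    """Generate a random password with the CSPRNG behind `secrets`
    (never the `random` module, whose output is predictable).
    Enforces principle 1: at least 16 characters."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, length, bits in compare_length_vs_alphabet():
        print(f"{name:20s} length={length:2d}  ~{bits:5.1f} bits")
    # Each call gives a fresh, unique password: principle 2 (one per service).
    print("example password:", generate_password(20))
```

Run it once per service and store the output in the password manager; the point of the table is that asking the manager for a longer password buys more than asking it for more symbol classes.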
Based on this, let's look at a set of maturity levels we can use and the pros and cons of each level:
Level 0 - Use the same password on practically all services
Pros: Easy to remember. No investments to be made or other services or apps to be used.
Cons: You are an easy target for attackers. Level 0 is the level where attackers are most likely to get access to your accounts. If a breach has been detected at a site where the passwords or password hashes have been leaked, your credentials can most likely be used to access other services.
Level 1 - Use variants of the same password, or similar passwords on all services
Pros: Easy to remember. A breached site might not directly expose credentials to be used on other sites. No investments to be made or other services or apps to be used.
Cons: Attackers might easily guess all your passwords if they are based on a system.
Level 2 - Use unique, long (16+ character) passwords from a password manager on all services
Pros: Good protection against anybody guessing the password. When you have a password manager, it does not matter how long the password is. 16+ character passwords are in line with many recommendations, like the Norwegian NSM recommendations on the subject.
Cons: It is hard to remember unique and long passwords for all services. Passwords have to be stored or written down somewhere. The password for the password manager itself must be really long, unique and good. You might have to buy a password manager, which costs a monthly fee.
Level 3 - Level 2 + Use a password manager which alerts you if your account has been found in a breach, as listed on haveibeenpwned.com. If your account has been found, you should change the password and assess the damage for that account. Did the service store credit card data? If yes, you should revoke the credit card immediately. Did anything suspicious happen to your account during the breach?
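Password managers that offer this alert typically check your passwords against the Pwned Passwords range lookup from haveibeenpwned.com, which is designed so that the password never leaves your device: the client sends only the first 5 hex characters of the SHA-1 hash, gets back every known suffix for that prefix, and does the match locally. This added example (not code from the post or from any password manager) implements that client-side logic. The range response is a constructed stand-in for what the service would return, the `constructed_lookup` function replaces the real HTTP call, and the breach counts are made up; only the first suffix is the real remainder of SHA-1("password").

```python
import hashlib
from typing import Callable, Dict, Tuple


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Number of times the password appeared in known breaches (0 if unseen).
    `range_lookup` maps a 5-char prefix to the response body, so a real HTTP
    client (GET https://api.pwnedpasswords.com/range/<prefix>) can be dropped in."""
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6. The first suffix is the genuine
# remainder of SHA-1("password"); the other two suffixes and all counts are invented.
CONSTRUCTED_RANGE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
        "FEDCBA9876543210FEDCBA9876543210FED:1\r\n"
    ),
}


def constructed_lookup(prefix: str) -> str:
    """Offline stand-in for the network call; unknown prefixes return an empty body."""
    return CONSTRUCTED_RANGE.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "Zq7!constructed-unique-pw"):
        n = breach_count(candidate, constructed_lookup)
        verdict = f"seen {n} times, change it" if n else "not in the sample data"
        print(f"{candidate!r}: {verdict}")
```

The design point is the k-anonymity: the server only ever learns a 5-character prefix shared by hundreds of hashes, so it cannot tell which password you checked, yet the client still gets an exact answer.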
Level 4 - Level 3 + Use two-factor authentication (2FA) for services that support it. Use an authenticator app from Microsoft, Google, Duo Security or others. They are usually free. SMS as a second factor is under attack and does not offer the same level of security, as described in this post from Krebs on Security:

Level 5 - Level 4 + Use a FIDO2 compatible device, e.g. a YubiKey or similar device, as the second factor.
These devices do not have the weaknesses of SMS or the authenticator app. Limit your reliance on SMS or the authenticator app. It is good practice to have a backup FIDO2 key in case the primary fails or is lost. Register the backup FIDO2 key with the services as well as your primary key.
Level 6 - Level 5 + Use different, one-time email addresses for accounts that are of less importance. This is a good idea for services of lesser importance to which you do not wish to give your primary email address.
Pros: This can reduce spam, and if the ad-hoc email address for a non-trusted service is leaked, the impact is far smaller than if your primary email address is leaked. If your email address is firstname.lastname@somedomain.com, it would be unfortunate to have it all over the internet. But an address like h2hg4-d903-3ghjs@somedomain.com is of far less value.
Summary
Many of us are on level zero, where we do little to protect ourselves and might sleep uneasily. Others are somewhere between level zero and level five. But let's try to get somewhat closer to level 6, so that we have more resilience and make life worse for the adversaries and better for ourselves.
It is also good practice to give a trusted person access to your vault in case of an emergency, or to arrange that access is only granted in an emergency, for example through a lawyer. That way it is manageable to close down accounts and revoke access to services that are no longer needed, or to other important services. It can be tedious to manage all of this without the proper access and overview for whoever is left to figure it out afterwards.
Note: The different levels are only suggestions from my point of view, and the different levels are not anchored in any framework of any kind.
More information
Microsoft publication: The quest to replace passwords:
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/QuestToReplacePasswords.pdf
NIST SP 800-63B Appendix A: Strength of Memorized Secrets
