World Password Day 2022

Today is World Password Day!

It's a reminder that all your passwords (except for a few exceptions like device passwords/PINs) should be strong: random, long (a minimum of ~15 characters, but why not choose 30), and unique (i.e., no password ever used for more than one account). This may sound hard to do, but it's easy with a password manager (e.g., BitWarden, 1Password, LastPass).

To go along with strong passwords you should enable two-factor authentication (2FA) on all your accounts that support it. For most users the TOTP type of 2FA (e.g., Authy, Google Authenticator) is a good balance of security and usability; use the SMS type of 2FA only if there is no other type available.

If you do nothing else, make sure your primary email account follows the above guidelines: if an attacker can take over that account, they can take over most of your other accounts by doing a password reset on them.

For larger organizations, Single Sign-On (SSO) is a nice way to get rid of most passwords for users.


Unblocking paste in web pages

Have you ever tried to do the usual password manager thing on a web page and had it fail?  It could be because the web page blocks pasting into one or more of its password text fields.  This post will tell you how to get around this.

Some web sites block pasting into password fields -- typically on a login page and/or a password change page -- because they think that by blocking use of a password manager they are somehow making themselves or their users more secure.  That's plain dumb!

This blocking used to be a lot more prevalent than it is today, but a few days ago I found that one of my important service accounts would not let me paste into the password change page.  This prevented me from using my password manager's password generator tool to generate a very long random new password, something I do for all new and changed passwords.

I refused to change the password to something short and simple that I could type, as the website clearly intended me to.  So I did some research and found an extension that is able to fix this, Allow Right-Click:

I suggest configuring the extension so that it appears in your list of extension icons in the top right of your browser.  Later, when you run into a page that blocks pasting, do this:

  1. click on that extension icon to enable it (the icon will darken)
  2. do your pasting, or have your password manager do the pasting
  3. click on the extension icon again to disable it (the icon will change back).

Note that I'm suggesting #3 only because keeping unnecessary extensions disabled when not needed is good for security.

N.B. Be aware that any pasting of passwords into web pages comes with the risk that you could get phished.  By pasting a password -- instead of using your password manager's autofill -- you are bypassing a key protection that the password manager provides you: verification of the login page domain name against the expected domain name prior to pasting.  

Many users forget to check the domain name before they blindly start typing their userid and password, which is a nice way to get phished.  Your password manager, though, is smarter than that and will always verify the domain name.  So always use the password manager's autofill feature instead of manually copying the password from the password manager and pasting it into the login page.  
If the autofill doesn't work for some reason -- this will happen occasionally -- and you need to manually paste, be darned sure you're pasting into a valid login page, not a phishing page.  Check this by carefully examining the domain name.
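The domain verification a password manager does before autofilling is the key protection being bypassed when you paste by hand. The following is an added example (not part of the original post, and not any particular manager's code) of that check: the page must be served over https and its host must be the saved domain or a subdomain of it, matched at a label boundary so that lookalike and "example.com.evil.net"-style hosts are rejected. The vault entries are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample vault: saved domain -> username.
SAMPLE_VAULT = {
    "example.com": "alice@example.com",
    "mail.example.org": "alice",
}

def normalize_host(host: str) -> str:
    # Hostnames are case-insensitive; a trailing dot is the same name.
    return host.strip().lower().rstrip(".")

def host_matches(saved_domain: str, page_host: str) -> bool:
    """True if page_host is saved_domain itself or a subdomain of it.
    The '.' prefix forces a label boundary, so 'example.com.evil.net'
    and 'notexample.com' do not match 'example.com'."""
    saved = normalize_host(saved_domain)
    host = normalize_host(page_host)
    return host == saved or host.endswith("." + saved)

def autofill_allowed(saved_domain: str, page_url: str) -> bool:
    """The pre-fill check: https only, and the real host (after any userinfo
    and port) must match the saved domain. Simplification: a real manager
    also consults the Public Suffix List; this example does not."""
    try:
        parts = urlsplit(page_url)
        host = parts.hostname          # strips userinfo and port, lowercases
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    return host_matches(saved_domain, host)

def credentials_for_page(vault: dict, page_url: str) -> list:
    """Return the saved entries a manager would offer to autofill on this page."""
    return [(domain, user) for domain, user in vault.items()
            if autofill_allowed(domain, page_url)]

if __name__ == "__main__":
    print(credentials_for_page(SAMPLE_VAULT, "https://accounts.example.com/login"))
    print(credentials_for_page(SAMPLE_VAULT, "https://example.com.evil.net/login"))
```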

The above applies to password change pages too, as a phishing page could just as easily be a password change page as a login page.


WebAuthn and Password Managers

I've thought for a while that password managers would be ideal places to store WebAuthn private keys. 

I already use a password manager to store my passwords so, as passwords move to WebAuthn, I'd like to use it to store my WebAuthn private keys as well, probably in parallel with a hardware security key like YubiKey.

WebAuthn supports roaming authenticators, which I believe could include a cloud service like a password manager.  This idea seems obvious so I'm surprised it hasn't gotten any traction.  Maybe there's an issue that I'm not aware of, and one of these days I need to do some deeper research.

1Password just announced support for SSH keys: SSH and Git, meet 1Password 🥰 | 1Password.  Hopefully this is a step on the path.


Update 2022-04-01: For a very relevant proposal, see the "Copyable, multi-device Passkeys" section here: What does the future hold for modern authentication? - Yubico


Defenses against phishing

In a local Slack forum someone recently asked about how phishing and IoT attacks compare in number.  My answer was...

Phishing in all its variants is by far the biggest vector because (in most forms) it requires essentially no effort by an attacker.  An IoT attack needs to be specifically executed against a target by an attacker, so most "run of the mill" SMBs are not that likely to be on the receiving end of this.  All orgs are going to be on the receiving end of phishing, though, and continually.

For phishing, the best defenses are:

  • training users about phishing
  • using long, random strings for all passwords
  • providing the org's users with a password manager (e.g., BitWarden, 1Password, LastPass)
  • enabling 2FA on all accounts that support it (preferably not SMS-type 2FA; TOTP authenticator apps like Authy are a nice compromise between security, cost, and convenience)
  • through the org's Acceptable Use Policy (AUP), requiring employees to (a) use long, random strings for all passwords, (b) use only the org's designated password manager for storing the credentials for all accounts, and (c) enable 2FA on all accounts that support it, and to use SMS-type 2FA only if there is no other option available
  • using an email provider that does a very good job of filtering out spam
  • if the org is larger, providing a Single Sign-On (SSO) system to employees, to get rid of as many password-based account logins as possible (e.g., Okta, Ping, Microsoft AAD)


SIM swapping

If you think that SIM swapping just means you putting a new SIM card into your phone, you should read this great article:

Sharp SIM-Swapping Spike Causes $68M in Losses | Threatpost

SIM swapping is a very real threat that, if executed against you, can result in the takeover of some of your Internet accounts.  And it's quite easy to execute.

Here are some additional suggestions beyond those in the article:

  1. Put a strong, unique password on your cellular account login. The article mentions "variation of unique passwords" but that's not secure.  You should be using long random passwords for all accounts and a password manager to manage those passwords.
  2. Call up your cellular carrier and tell them you want to place a special password on your account to block malicious porting (= SIM swapping) of your phone number.  Not all carriers will allow this.
  3. Alternatively, for more security but less convenience, call up your carrier and tell them not to allow any changes to your account unless you're physically present in one of the carrier's stores and a carrier employee verifies your ID.  Not all carriers will allow this.
  4. Even better, get a second, separate phone number for use only for account ownership, authentication, and 2FA.  Don't use this account to call anyone, and keep the number as private as possible. Google Voice is a great choice.  There are ways of getting a GV number if you live in Canada or another unsupported country.
  5. Put a PIN on your phone's SIM card. You do this from your phone's settings. This is actually to protect you in case your phone gets stolen, not to prevent SIM swapping. But the effect of a stolen phone -- and therefore stolen SIM card -- is essentially the same as that of SIM swapping: your accounts that use SMS for ownership, authentication, or 2FA can get taken over.
  6. Make sure you store the passwords/PINs mentioned above in your cloud-based password manager, and for resilience make sure you can access your password manager from all of your devices.  (This also applies, of course, to all your other account credentials.)