1. 11
    1. 5

      I think it’s confusing that they list credential stuffing as number one and explicitly connect it to password reuse, but then they later state that they are for the paranoid.

      They also don’t mention that password managers a) limit the impact of phishing and b) enable humans to actually rotate passwords in case of a breach or phish.

      1. 1

        That’s where I stopped reading. They begin with assertions that seem reasonable but then say that credential stuffing means the password used is irrelevant because ‘they already have it’. I don’t know what the % of people using password managers is but … Chrome, Apple stuff - surely this is enough for us to say that plenty of people aren’t reusing passwords and that this blanket statement is therefore not just technically false but practically not true enough to state in such a way?

    2. 4

      The core message of the blog post - that you can get away with the worst kind of password if you’re using hardware MFA - is right on the money.

      But! Password re-use is what lets people log into all of your (non-MFA) accounts after finding one password in a hacked dump from 2013 that they’ve been chewing on for as long as it takes. Some online vendors probably still aren’t salting passwords correctly, making password recovery almost trivial with modern hardware / usual end user password lengths. It won’t show up in these password scan analyses, but can be far more devastating: I still think it’s good advice to not re-use passwords. Write them down in a book, use a password manager, whatever.

      & to reiterate that core message: using a 2FA hardware key is the single most effective thing you can do to secure your online accounts. Even if you can’t be bothered with 2FA on most of your accounts (which is fair enough) using it on your primary email account will make a huge, huge difference. Anyone with access to the email you used to create other accounts can use that email to reset every account you used it for, so it’s your most important online identity.

      The cheap Yubico keys are £25 or so. How much will a compromise of your Gmail (Outlook / whatever) cost you?

      1. 3

        On one hand, using a Yubikey (or other FIDO device) is extremely easy. Plug it in, touch it. The end. We really just need to expand server-side support.

        On the other hand, how do people keep their hardware key always on them? I find this essentially impossible.

        1. 3

          You can make it easier by having multiple Yubikeys, including one permanently attached to each device.

        2. 2

          Same as the house keys - on a keyring. If that’s not in my pocket, something’s wrong.

          1. 1

            Do you carry your keyring around your house/apartment? Maybe my problem is that I’m unbearably lazy and hate having to get up and walk over to go get my Yubikey from across the room.

            1. 3

              It’s in my pocket literally all the time I’m not in bed or in water. Same with the phone. I’d keep forgetting them otherwise.

            2. 1

              The first thing I do after putting on my trousers is put wallet, phone and keys in my pockets, watch on my wrist and wedding ring on my finger.

              If I left my keys out of my pocket, I would be worried about locking myself out of the house accidentally.

            3. 1

              If you’re using a YubiKey to log into a web site, the odds are that it’s using WebAuthn these days. You don’t need a separate token with WebAuthn, you can use the TPM to protect your credentials and have the OS unlock them with biometrics. Most of the work stuff I use is like this: I touch a fingerprint reader on my machine to log in. I might not have my keys with me, but I definitely do have a computer with me when I want to log in. When I want to log in from another machine, my phone can be used to authorise a new device (either registering a new private key or temporarily) by sending a notification to my phone that requires the same process (touch the fingerprint reader and then approve) to log in.

        3. 1

          On the other hand, how do people keep their hardware key always on them? I find this essentially impossible.

          Mine lives on my keyring, so I always have it on me.

    3. 4

      Credential Stuffing - Does your password matter - No – attacker has exact password.

      This is precisely a situation where your choice of password does matter - if you don’t re-use, then the attack fails.

      Password spray - No, unless it is in the handful of top passwords attackers are trying.

      In other words - yes, it matters a lot. If you choose a good password, you won’t be vulnerable.

      Brute force - No, unless you are using an unusable password (and therefore, a password manager) or a really creative passphrase. See below.

      In other words - choosing a good strong password is exactly the thing that will protect you.

      In these 3 cases it’s the opposite of what the article says - your choice of password makes a large difference.

      The article appears to be mixing up two different questions:

      • Does the way an individual chooses passwords make a difference to the chance they will be hacked (answer, yes, it makes a big difference, especially in situations where other ways of obtaining passwords are likely to fail)

      • Should companies focus on passwords and password policies as a way of ensuring user security?
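To make the distinction drawn in the comment above concrete, an added example (not code from the thread): classifying constructed auth-log lines by the footprint each of the three attacks leaves; the log format and the thresholds are assumptions for the demo.

```javascript
// Constructed auth log, "time source user result" (the format is an assumption).
const LOG = `
10:00:01 198.51.100.7 alice FAIL
10:00:02 198.51.100.7 bob FAIL
10:00:03 198.51.100.7 carol FAIL
10:00:04 198.51.100.7 dave FAIL
10:00:05 198.51.100.7 erin FAIL
10:01:00 203.0.113.9 alice FAIL
10:01:01 203.0.113.9 alice FAIL
10:01:02 203.0.113.9 alice FAIL
10:01:03 203.0.113.9 alice FAIL
10:01:04 203.0.113.9 alice FAIL
10:02:00 192.0.2.11 grace OK
10:02:01 192.0.2.12 heidi OK`;

function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [ts, src, user, result] = line.trim().split(/\s+/);
    return { ts, src, user, ok: result === "OK" };
  });
}

// Per-source footprints: many users with about one try each is a spray;
// one user with many failures is brute force. Credential stuffing with a
// correct (reused) password looks like an ordinary successful login, which
// is why not reusing the password is the control that defeats it.
function classifySources(events, { minUsers = 5, minFails = 5 } = {}) {
  const bySrc = new Map();
  for (const e of events) {
    const s = bySrc.get(e.src) ?? { attempts: 0, fails: 0, users: new Set() };
    s.attempts += 1;
    if (!e.ok) s.fails += 1;
    s.users.add(e.user);
    bySrc.set(e.src, s);
  }
  const labels = {};
  for (const [src, s] of bySrc) {
    if (s.users.size >= minUsers && s.attempts / s.users.size <= 2) labels[src] = "password spray";
    else if (s.users.size === 1 && s.fails >= minFails) labels[src] = "brute force";
    else labels[src] = "unremarkable";
  }
  return labels;
}

const labels = classifySources(parseLog(LOG));
console.log(labels);
```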

    4. 2

      There’s an interesting context assumption there “We don’t have good numbers on how often it happens to Active Directory domain controllers”. I get it’s written for the MS people, but AD is not all there is and we know that databases do get dumped quite often. Doesn’t Troy from HIBP get a new dump notification pretty much every other week?