Even if you’ve heard about the 3.27 billion email and password combinations made public on an English language hacker forum in 2020, you may not have heard the worst of it.
Anyone could buy the list for $2 a download.
You’d think that was the scariest part of what became known as the Compilation of Many Breaches (COMB) leak–but it’s not.
The scariest and most preventable part of this breach is that people reuse their passwords and cybercriminals know it.
You may have read Backblaze’s post about credential stuffing attacks. Briefly, it’s a brute force attack using credentials from a list like COMB to unlock an account, most likely with a weak and common password like 123456 or “passwort” (if you’re German).
Is there a better reason than COMB to stop reusing passwords for multiple devices, apps and websites? That alone should do it, but if you need more reasons, they are legion.
There’s no denying how hard it can be to remember a password 12 to 15 characters long. After all, our telephone numbers are only seven digits long by design–which happens to be the length of any sequence of numbers we humans can easily recall.
While we each have responsibility for implementing password best practices, the COMB attacks show us that personal password protection isn’t enough. Cloud service providers (CSP) are also responsible for protecting the data entrusted to them. Backblaze uses a sophisticated security approach to protect access.
Regardless, user verification is just more effective with strong passwords, so here are a few tips on keeping your password secret and your data safe.
What Is a Password?
First and foremost, a password is a secret authenticator, according to the National Institute of Standards and Technology (NIST). They have a lot to say about the strength of passwords by complexity, length, and manner of creation. We’ll get into details a little later.
The string of letters, numbers, and symbols used in a password can’t be easy to guess or forget. This is tougher to achieve than it sounds, and typically users choose short, memorable passwords for convenience.
If you want to eliminate the possibility of being the next victim of credential stuffing, here are some things you shouldn’t do:
- Use the same password for more than one online account or website.
- Recycle or rotate passwords.
- Store passwords where anyone can access them (e.g. on a piece of paper or as an autofill setting in your browser).
The reality is that hackers can (and have) released accurate email and password combinations, and the best way to render that old information utterly useless is never to use those passwords again. (Also, stop adding a “2” at the end of “Password1.” You’re not fooling anyone.)
How Does a Strong Password Help Keep Your Data Safe?
You should know that verifying a digital identity with an email and a password isn’t as straightforward as presenting your photo ID at the airport. And, password authentication isn’t as safe as it once was, thanks to cybercrimes resulting in lists like COMB. In light of the security risks hackers pose, new authentication guidelines were created to help CSPs ensure the authenticity of a user.
The Three Authenticators
There are three types of authenticators.
- Something you know (e.g. password).
- Something you have (e.g. a cellphone).
- Something you are (e.g. biometric data).
CSPs or verifiers can employ different combinations of authenticators to achieve different levels of assurance that will ultimately help to reduce successful cybersecurity attacks. The different combinations of authenticators create an authentication assurance level (AAL). For example, when you log in, a CSP might use a combination of your password and a code generated by an authenticator app.
A strong password is essential to each authentication level. Each AAL meets the recommended privacy controls and relies on something that only you know and that is difficult to guess. Cybercriminals only need to guess one reused email and password combination to make a costly mess of things for you or your business.
Strong Passwords Defined
This may sound too simplistic, but the NIST (SP 800-63-3 Appendix A) qualifies a password’s strength by its length. In the case of brute force attacks, shorter passwords are too easy to uncover before rate limiting results in a lockout. Passwords of sufficient length reduce the success of credential stuffing or denial-of-service attacks. The NIST recommends that CSPs allow passwords or passphrases of almost any length, so long as salting them with random data and running them through the hashing algorithm doesn’t take excessive time.
The next thing to consider when creating a strong password is complexity. That said, the NIST recommends that password complexity not impede memorability, which would defeat the purpose of using a password to authenticate something you know. Too complex a password leads people to write passwords down or store them in unsafe places rather than risk forgetting them. This vulnerability has to be addressed when CSPs provide instructions for creating passwords for users.
Unfortunately, analysis of breached data reveals that combining complexity and length isn’t a foolproof deterrent. However, a sufficiently long password is harder to guess, and an adequately complex one will improve the masking efforts like salting and hashing.
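The salting and hashing mentioned above happen on the CSP’s side, not the user’s. The following is an added example (not Backblaze’s code, and not any particular provider’s implementation) of how a verifier stores a password so that two users who pick the same password end up with different stored digests, and why that matters when a hash list leaks. The salt size and iteration count are this example’s own choices, in line with the SP 800-63B minimums.

```python
import hashlib
import hmac
import os

# Example parameters (this block's own choices, not Backblaze's): NIST SP
# 800-63B asks verifiers to salt each password with at least 32 bits of random
# data and to hash it with a deliberately slow key derivation function.
SALT_BYTES = 16
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for the password using PBKDF2-HMAC-SHA256.

    A fresh random salt is drawn when none is supplied, so two users who pick
    the same password end up with two different stored digests.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def store_user(password: str) -> dict:
    """What a verifier keeps on disk: the salt and digest, never the password."""
    salt, digest = hash_password(password)
    return {"salt": salt.hex(), "digest": digest.hex()}


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 for contrast: identical passwords give identical digests,
    so one cracked hash (or one precomputed table) covers every account that
    shares that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Two constructed accounts that both chose the phrase from this article.
    phrase = "sHe sellz seasHells"
    a, b = store_user(phrase), store_user(phrase)
    print("unsalted digests equal:", unsalted_digest(phrase) == unsalted_digest(phrase))
    print("salted digests equal:  ", a["digest"] == b["digest"])
```

The point of the contrast is the last two lines: with a per-user salt, a leaked table of digests no longer reveals which users share a password, and an attacker cannot test one guess against every account at once.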
One more way to ensure you’re using a strong password is to use a tool to randomly generate one based on a set of standards, like length, type of character, readability, etc. Randomly produced passwords are harder to brute force or guess. While there are a few different places you can find a random password generator, we love password managers like BitWarden, 1Password, and LastPass, which generate, organize, and secure passwords.
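To show what such a generator does under the hood, here is an added example (not code from Backblaze or from any of the password managers named above). It draws characters with the operating system’s cryptographic random source via Python’s `secrets` module, honours the length, character-class and readability options the paragraph lists, and reports the resulting entropy; the character classes and the ambiguous-glyph set are this example’s own choices.

```python
import math
import secrets
import string

# Character classes a generator lets the user toggle (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")
# Glyphs that are easy to confuse when a password must be read off a screen.
AMBIGUOUS = set("0O1lI")


def _pools(classes, readable):
    """One character pool per requested class, minus ambiguous glyphs if asked."""
    pools = []
    for name in classes:
        pool = CLASSES[name]
        if readable:
            pool = "".join(c for c in pool if c not in AMBIGUOUS)
        pools.append(pool)
    return pools


def generate_password(length=16, classes=DEFAULT_CLASSES, readable=False):
    """Random password from the OS CSPRNG with at least one character per class."""
    if length < len(classes):
        raise ValueError("length must allow one character from every class")
    pools = _pools(classes, readable)
    alphabet = "".join(pools)
    chars = [secrets.choice(pool) for pool in pools]          # one guaranteed per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                     # CSPRNG-backed shuffle
    return "".join(chars)


def generate_passphrase(words, count=4, separator="-"):
    """Passphrase of `count` words picked (with replacement) from a wordlist."""
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, classes=DEFAULT_CLASSES, readable=False):
    """Bits of entropy for a uniformly random string over the combined alphabet.
    The per-class guarantee in generate_password removes only a small fraction
    of combinations, so this is a close upper bound for its output."""
    alphabet_size = sum(len(p) for p in _pools(classes, readable))
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(wordlist_size, count):
    """Bits of entropy for `count` words drawn uniformly from a wordlist."""
    return count * math.log2(wordlist_size)


def has_every_class(password, classes=DEFAULT_CLASSES):
    return all(any(c in CLASSES[name] for c in password) for name in classes)


if __name__ == "__main__":
    print(generate_password(16), round(entropy_bits(16), 1), "bits")
    print(generate_password(16, readable=True), round(entropy_bits(16, readable=True), 1), "bits")
```

The entropy figures explain why length beats substitution tricks: each extra character from a 75-symbol alphabet adds about 6.2 bits, whereas swapping an "a" for "@" adds at most one bit to a password an attacker already expects to be a dictionary word.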
Remember that breached data can provide insights into what an old password might be for the same account or similar type because cybercriminals know that we are creatures of habit. Not only that, but some facts are immutable. A great example is when you always select the same challenge question. If that data has been breached, it’s likely known to cybercriminals; also, your mother’s maiden name is not going to change. As another layer, you can use randomly generated answers to security questions the same way you use randomly generated passwords, meaning those answers won’t be able to be reused (or easily gleaned from dumb Facebook quizzes).
Next, let’s get into how you can keep hackers from guessing your strong passwords.
How to Create a Strong Password
To review, strong passwords are long, complex, and secret. These days you can take advantage of a password generator and save it to your password manager. However, there are times you need to come up with a strong password.
Consider these two steps for making a password strong:
Step one: Use a memorable phrase that’s 12 to 15 characters long (e.g. she sells seashells).
Step two: Lightly salt your version with some random characters (e.g. sHe sellz seasHells).
A few ideas for memorable phrases are to use a song lyric, a poetic verse or a line from a movie.
Pro Tip: When you lightly salt your memorable phrase, try not to use @ for the letter ‘a’ or the number zero for the letter ‘o’.
Avoid being predictable. Also, avoid the temptation to use sensitive information like your child’s birthdate or your first and last name or 12345678. Trust me, using this type of information is uber common worldwide.
Another way to check that you’re using a unique password is by culling breached data records. According to Troy Hunt’s pwned.com site, the password Qwerty was used 71,219 times before I typed it into the Have I Been Pwned Password API. As Hunt points out, the NIST recommends that CSPs compare user-generated passwords with unacceptable ones. A blocklist should have passwords from previous breaches and predictable options that include the service name, like using the password ‘G000gle’ for your Gmail account.
What Else Can You Do to Protect Against Credential Stuffing Attacks?
In the battle against brute force attacks from hackers who can compute ridiculous numbers of hashes without rate limiting, users play a critical role in protecting their own data with strong passwords.
Here are a few other ways to keep your data safer:
- Enable Two Factor verification when you can.
- Use a Time-based One-Time Password (TOTP) authentication app.
- Use a third-party verification method called Single Sign-On via G-Suite or Office 365. (Although beware the persistent glut of single sign-on through social media channels, which can get somewhat dicey).
The good news is that even as cybercriminals get more ingenious, new and innovative tools have been created to make personal data security easier than ever. And, as data nerds ourselves, Backblaze takes your cybersecurity seriously. Check out some of the ways we secure your data here.