Paul McLellan
Passwords and Multi-Factor Authentication

22 Jul 2019 • 6 minute read

I recently came across an interesting piece written by Microsoft's Alex Weinert, Your Pa$$word doesn't matter. He is part of Microsoft's Security and Protection Team. As such he is involved in keeping Microsoft's Azure Cloud solution safe, along with Skype, Xbox, and more.

I've written about passwords before. See my posts Passwords: How Even Your Bank Doesn't Know Your PIN and Passwords: Just Add Salt.

Credential Stuffing

The reason he says that your password doesn't matter is that most of the ways security is breached involve the bad guy already knowing your exact password.

For example, Alex reveals that attackers who have purchased credentials (creds) from breached sites with bad security retry the creds on other sites such as Microsoft. For Microsoft, that happens more than 20 million times per day. As he says, "Being human. Passwords are hard to think up. 62% of users admit reuse." If you re-use your password on multiple systems, and one of them is Microsoft, then it doesn't matter what your password is—a special character, more than 8 characters, upper and lower case, and so on—since the attacker has the exact password already, having purchased it from someone who stole it from a site with poor security.

Phishing

The next most common attack is phishing. This is where an attractive email promising entertainment or a bargain includes a link to "Amazon" or "eBay" or "Netflix." I put them in quotes because actually they include a link to a doppelgänger site to sign in. It looks just like Amazon or whatever, but you are typing your credentials into the bad guys' website. They might even take the credentials and pass you on to the real website, so you might not even notice you got compromised. Alex says this is very common, making up about 0.5% of all incoming emails at Microsoft.

Another version of this is called spearphishing. This is not so concerned with getting passwords, so Alex's post doesn't discuss it. But you should be aware of it. Spearphishing doesn't randomly send emails to a large number of people; the email is targeted. For example, it might go to a junior employee in finance and look just like it comes from the CFO. As reported here:

An employee at Pomeroy Investment Corporation recently received a spear-phishing email in which an attacker posed as a fellow company employee and asked the recipient to transfer $495,000 to a bank based in Hong Kong. The employee fulfilled the money transfer. 

Other spearphishing attacks have succeeded in getting employees to transfer confidential data such as access codes.

Password Spray

There are other less common attacks. There is only one where it matters what your password is, known as password spray. This takes passwords known to be common, such as "password" or "123456", and tries them. This has to be done carefully, perhaps attacking many usernames on many systems simultaneously so that any one account is only approached occasionally. That way it doesn't look suspicious enough to lock the accounts. Alex says this accounts for at least 16% of attacks and many hundreds of thousands of accounts are broken daily.

Here are the top 10 passwords that attackers try, and since most of them are using the same lists, these are the passwords to totally avoid. If you use any of these passwords, or anything like them, on any system (Cadence won't let you use any of these since they don't pass the rules, but you probably have other accounts):

  • 123456
  • password
  • 000000
  • 1qaz2wsx
  • a123456
  • abc123
  • abcd1234
  • 1234qwer
  • qwe123
  • 123qwe

Cracking

One other form of attack that Alex discusses is "the one that gets people into creating really wacky password rules", worrying that if the entire password database is stolen then the attackers can crack passwords using high-power computers. Alex thinks that this is just not the threat to worry about. As he puts it:

Why put out so much effort when you can just find the password (reuse), guess it (spray), or just ask nicely (phish)?

One thing that has changed the economics of this, though, is blockchain (Bitcoin) and the hardware used for mining. Alex says that:

The cryptocurrency markets have driven costs of cracking rigs waaaay down and it is now feasible to build a rig capable of cracking in excess of 100B (yes, that’s a B) passwords per second against SHA256 for $20,000 (as of July 2019). Organized criminals and governments can blow that budget away, and quantum may and may not vastly accelerate even these numbers.

Multi-Factor Authentication

The solution to all of these is multi-factor authentication (or MFA). Sometimes this is called two-factor authentication or 2FA. The reason that this is so important is that Microsoft has found that:

Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.

What is multi-factor authentication? It requires more than a username and password, at least the first time a system is accessed from a new machine. This can require you to have an app installed on your phone that handles the authentication, or it can involve sending you a text message and requiring you to type the code you were sent. All of these ensure that not only do you have "something you know", the password, but also "something you have", your phone. Activating your phone might require your fingerprint or face, which is a third factor, "something you are".

Even if you fall for some phishing attack and type your password into a doppelgänger website, the creds you gave the attackers won't get them anywhere if they also must have access to your phone.

Do This

  • Your password doesn't matter except for password spray, so make sure your password is not one of the common 100 or so passwords that are easy to guess. But beyond that don't obsess over making your password really obscure or changing it often.
  • Turn on multi-factor authentication so it matters much, much less if somehow your password is compromised. See the end of this post for details on how to do this on iPhone, Android, and Facebook.

XKCD

When I wrote this piece a few days ago there was no good XKCD, and I like to say there is an XKCD for everything. But Randall Munroe came through just last Wednesday:

How to Turn on MFA

On your iPhone, iPad, or iPod touch:

  1. Go to Settings > [your name]. If you're using iOS 10.2 or earlier, go to Settings > iCloud and tap your Apple ID.
  2. Tap Password & Security. If asked, enter your Apple ID password.
  3. Tap Turn On Two-Factor Authentication.

On your Android phone or tablet:

  1. Open your device's Settings app, then Google, then Google Account.
  2. At the top, tap Security.
  3. Under "Signing in to Google," tap 2-Step Verification.
  4. Tap Get started.
  5. Follow the steps on the screen.

On Facebook:

  1. Go to your Security and Login Settings by clicking in the top-right corner of Facebook and clicking Settings > Security and Login.
  2. Scroll down to Use two-factor authentication and click Edit.
  3. Choose the authentication method you want to add and follow the on-screen instructions.
  4. Click Enable once you've selected and turned on an authentication method.
