The most concerning trend with password complexity problems is the massive escalation in the use of the "forgot password" option ubiquitous to login systems.
Think back to the last time you clicked "forgot password" on a login page. Close your eyes and remember the circumstances. Do you remember trying the four or five most likely variations of your one password1? Now, what made you give up? Were you in a hurry? Did the login page threaten to lock your account if you guessed wrong again? Had you guessed everything you thought it could possibly be, knowing that whatever the actual password was, you made it in haste to create the account and are now angry with yourself for assuming you would remember it?
What was your state of mind when you relented and finally clicked "forgot password"? Did you feel relief that there was this option to bail you out?
Let's get to the most important part of this exercise. After you clicked "forgot password," what did you have to provide? What were the steps to get back into your account? I'm going to wager that over 95 percent of you only had to supply your email address for password reset instructions. Maybe some of you had to answer a "secret question" like where you went to third grade or your cat's birthday – or some other trivial thing2 that would take an attacker three minutes to find on your Facebook page.
I bet you see where I am going with this:
The single greatest weakness in your identity management process is your personal email account.
Let that sink in for a moment.
During a national TV interview recently on best password practices, the No. 1 thing I stressed to the audience was that, above all else, you need to lock down your personal email account. There is no more important account that you have. None. Yet, I also bet that most of you reading this aren't using your strongest passwords on your personal email account. You most likely don't even have multi-factor authentication enabled on it. Why not?
"No one cares about my personal email," is the common refrain when I ask this question. Well, you're right that no one cares about you planning Aunt Bertha's retirement party with the rest of the family, although that intel is great if someone wants to know when a bunch of people will be out of their homes...
Attackers care about getting access to your important information and systems and they are going to take the path of least resistance to get in.
Real world example
“Pat” recently had about $20,000 from their investment account stolen while they were away on vacation. The thieves were able to accomplish this in the following way:
1) The criminals gained access to Pat's personal email several months before the crime. Pat was using the email account that came with their ISP service (@sbcglobal.net, @comcast.net, etc.) and probably hadn't updated the account settings in over a decade - not since the account was first opened.
2) The criminals setup a long-term monitoring process waiting for the right time, and of course, used proxies to hide their true geographic location for logins.
3) Pat used the email account to receive basic news from their investment account financial company.
4) Pat secured an overseas vacation package through a travel agency and corresponded with said travel agency via email.
5) While Pat was on vacation, and presumably would be out-of-contact, the criminals went to the financial institution website and clicked "forgot password."
6) Oddly enough, the secret question was "Where was Aunt Bertha's retirement party?" – and the answer was conveniently stashed in the same compromised email account.
7) Now the criminals had access to the investment account...but wait, there's more!
8) A significant transfer of cash – like $20,000 – required written authorization - it couldn't be done just from within the institution's website... but an email counted as written authorization if it came from the associated account.
9) Pat returns home from vacation to a gigantic mess and will now be spending the next decade or more monitoring for identity theft, as there was a significant amount of other sensitive information also in the email account - tax information, medical statements, etc.
The good news is the financial institution owned up to its flawed identification process and Pat got the $20,000 back, but the long term damage is yet to be seen.
What's the lesson here?
Treat your personal email account like you would treat your bank account.
- A compromise of your personal email account is the same as a compromise of every other account associated with your personal email account.
- Once an attacker has access to your personal email account, they are going to potentially have access to every other account on every other website you have an account on. Furthermore, they can use your personal email account to pivot this attack to your entire contact list.
How to keep your personal email account safe
- Make sure your personal email account has the strongest password/passphrase you can. Make sure it is unique too.
- Enable multifactor authentication on your personal email account. This is even more important than your password strength. If you aren't using multifactor authentication, you are leaving the door wide open. There is no excuse for not having multifactor authentication enabled on any sensitive system in 2017.
- Don't stay logged into your personal email account - at minimum, don't stay logged in on devices not within your immediate sphere of control or that don’t require additional authentication to use.
- As to the "forgot password" issue - don't supply answers to challenge questions that are easily discoverable. Things that anyone can find out about you with minimal effort – your mother's maiden name, your birthdate, your anniversary, your kid's birthdays, or anything else you have on social media, exists in public records, or is otherwise out there. Check out Michael Bazzell's Open Source Intelligence website to see just how easy this stuff really is to discover.
Indeed, it is better to lie on them or use nonsensical answers. For example, if the challenge question is "What's your mother's maiden name?" use your first pet's name, the first vacation you remember, or something else entirely. (Just make sure you remember you lied.)
Looking to the future.Ultimately, we are left with a scenario where our current methods of identification/authentication are too weak. The day will come sooner than later where passwords will be obsolete. But, until then, don't succumb to the belief that no one cares about your personal email account. It's what attackers care most about - the keys to the kingdom.
1. I theorize that the vast majority of users really only have one password and use it everywhere with only subtle changes, such as including special characters or numbers. (e.g., Password1!, Password1@, passWord1!, etc.)
2. Did you remember how to format or spell the answer to the secret question? What happened if you got this wrong?