The Perils of Re-Using Passwords

2019-12-18

Passwords will be with us for quite a while and so will password breaches, I'm afraid.

Last week I received a notice that a site I use experienced a password breach. The email explained that the passwords themselves were encrypted, but that I should change my password on that site and any others where I used the same password (if I can remember!) Unfortunately, many readers of that message may be under the false belief that if an encrypted password on site A is exposed, there is no danger of attackers cracking it and using it on other sites. That's simply not the case.

stack of signs with the word password on them

Two Dangerous Scenarios

There are two dangerous scenarios: the first is the simplest. If they do somehow manage to decrypt your password on site A, they can then try that password on other sites where you use the same username or where your email address is exposed on both sites.

The second scenario is a bit more interesting. If the attacker finds the same encrypted or hashed string for your password on multiple sites, she knows that you have the same password in both cases. (It also means that both sites obscure passwords in the same manner, which is not necessarily unusual or bad.) That means if one of those sites has a weak password recovery scheme, it can be used to expose passwords to both accounts.

In either case, when attackers discover a password that maps to a particular hash, they save it and potentially share it with other bad guys, making the situation worse for everyone.

The Solution

The solution is simple and I have mentioned it before: use a unique, long, random password for each site and don't share it with anyone. Keep those passwords in a password keeper program and use a complex password for that. Let the password keeper generate the passwords, too: humans are really bad at generating random anything.

If you think this is too much work, there are others that agree. In fact, the developers of Google Chrome and Mozilla agree. Chrome's had an extension called "Password Checkup" for a while, now they are including some features in the browser itself. Specifically, when you enter a password, the browser will check a list of linked passwords Mozilla will do something similar using the Have I Been Pwned service I mentioned before. Each browser allows the saving of passwords in an encrypted database. Chrome has a random password generator that the user can enable. Firefox was due to include the feature as an easy to use checkbox in version 69, but I just updated to that while writing this post and it doesn't seem to be there, but it can be enabled manually.

Update: I updated Firefox to version 70 after writing this to check the new security features. You read more about them on Lifehacker.

It is important to use good passwords for Wi-Fi access and router/access point administration, too. Each of those can be checked by trying passwords from tables. If you use a password for your Wi-Fi access that was exposed in the past, bad guys can get into your network. Similarly, if you use a previously-exposed password on your router, the configuration can be edited bad guys can not only access the network but potentially exfiltrate data.

We can't completely get rid of passwords tomorrow, or even next year, but we can use good ones, use them only once, and change them where is a breach.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.