Surviving The Password Apocalypse: Lessons Learned From My Own Hacking Experience


As the protagonist of the now-viral video, "I Just Got Hacked," I can't stress enough the importance of online security in today's digital age. Cybercrime has made personal information more vulnerable than ever, and the consequences of a hack can be life-altering.

Through the video trailer, viewers witnessed the chaos and turmoil that ensued when my personal information fell into the wrong hands. From financial ruin to dealing with the aftermath of natural disasters, I experienced the full impact of a malicious hack. Okay, so maybe the video is a tad dramatic. So, what is the real story?

I was just like anyone else, using passwords to authenticate myself on various websites and applications. But then one day, I got hacked.

I received a notification via email that someone from South Korea just logged into my Evernote account. While I typically approach things with a laid-back attitude, I found myself reeling with shock and anxiety in this particular situation. To understand my panic in that moment, it's important to know that I use Evernote to store and access information for a variety of company internal test systems, personal application accounts, and more. A frightening feeling arises when realizing a stranger has access to some of your confidential data. While I usually avoid storing cleartext passwords in Evernote, I do give myself hints to remember them. However, for some internal systems that are not critical, I also store cleartext passwords. Even though a hacker cannot access those systems without being connected to the corporate VPN, which requires my corporate credentials that are only stored in my head, I still felt uneasy.

I hastily logged into Evernote and reset my password. But that was just the beginning. I had to sift through numerous notes to identify any other accounts that may have been compromised, delete sensitive data, and reset passwords for all of them. Despite my efforts, it still wasn't enough. I had no choice but to reset all my passwords for all critical web applications, since I often use the same email account and not always a unique password. Yes, my laziness and my aging memory prevent me from generating and remembering super complex passwords for dozens of apps.

Luckily, the dust settled, and no unusual activity occurred on my accounts. However, the experience served as a wake-up call for me, prompting me to prioritize account and identity security with greater seriousness moving forward. If you're interested, follow the white rabbit to discover where my research led me and what tools I now use to prevent my South Korean buddy from accessing my account again.

More Secure Authentication Methods

Authentication is the process of verifying the identity of a user, device, or service. In recent years it has become evident that passwords are an inadequate authentication method, given the numerous techniques available for hacking them. These techniques include brute-force attacks, dictionary attacks, phishing, social engineering and more. For additional information, check out this article from ITPro, a technology news hub. Let’s look at some of the major, contemporary mechanisms for performing authentication in 2023:

Passwordless Authentication eliminates the need for a user to remember and enter a password. Instead, users are authenticated using other methods, such as facial recognition, fingerprints, or a security key. This is considered more secure than traditional password-based authentication because it eliminates the risk of password reuse and most of the attacks listed above.

Two-Factor Authentication (2FA) adds an additional layer of security to traditional password-based authentication. To access an account with 2FA, a user must provide two pieces of information. The first piece of information is typically a password, and the second is a one-time code generated by a device or sent to the user's phone or email. While 2FA increases the security of an account, it's worth noting that some of these methods have also been compromised. You might want to reconsider using SMS-based delivery of a one-time password (OTP).

Multi-Factor Authentication (MFA) requires an additional, third form of identification. MFA can include a combination of password, fingerprint, facial recognition, and security key. However, even the option of using an OTP generated by an MFA app on your phone (such as Microsoft Authenticator or Google Authenticator) is not 100% safe. These MFA methods are now susceptible to token theft and pass-the-cookie attacks. As a result, Microsoft recommends the use of FIDO2 security keys and other options that I discuss later in this blog.

New Standards to the Rescue

The FIDO alliance, a consortium of companies including Microsoft, Apple, Google, Intel, PayPal, and many others, was formed with a stated mission to provide “authentication standards to help reduce the world’s over-reliance on passwords.” FIDO provides new frameworks like Universal Second Factor (FIDO U2F), Universal Authentication Framework (UAF), and FIDO2, which includes the W3C’s Web Authentication (WebAuthn) specification and FIDO Client to Authenticator Protocol (CTAP). FIDO's website provides a clear explanation of how all these frameworks work: https://fidoalliance.org/how-fido-works/.

What is my new security strategy to protect myself?

Given the various vulnerabilities associated with traditional password-based authentication and even some forms of 2FA and MFA, it became evident that I needed to take further steps to safeguard my online accounts. As a result, I have implemented several tools and strategies to enhance my security posture and reduce the risk of unauthorized access to my sensitive data. Let's dive into the specific tools and methods that I use now to protect myself:

Password Management

Since most web apps do not yet support pure, passwordless access, the need for passwords as the first factor in my multi-factor journey remains. To avoid relying on my spotty memory, I subscribed to a powerful helper called Bitwarden, a password manager whose code base is open source and vetted by numerous security experts. The hosted service costs $10 per year and automatically syncs all my passwords between all my devices, enabling me to use a unique, complex password per service. Bitwarden provides both a Chrome extension and a mobile app for convenient access to all my account names and passwords. Pro Tip: once you have navigated to a login page for which Bitwarden already knows your credentials, simply use the keyboard shortcut Ctrl-Shift-L and Bitwarden will automagically insert your credentials into the website’s username and password fields. It doesn’t get easier than that.

Hardware Security Keys

With my most critical web services, such as banking and payment portals, I can't take any chances. So, I've invested in hardware security keys from Yubico, a prominent contributor to the FIDO2 open authentication protocol, to ensure that even if a hacker gains access to my account credentials, they won't be able to access my most sensitive information. I purchased two hardware keys from Yubico as a backup in case one of them gets lost or stolen. The YubiKey 5 NFC works with any legacy device that has USB-A and also with my iPhone using near-field communication (NFC). Just hold the key close to the mobile phone and it authenticates you! On the other hand, the YubiKey 5Ci works with the more modern USB-C and Lightning interfaces, making it perfect for my non-NFC iPad.

A substantial number of web applications already support YubiKey, and there is no need to install anything on the key itself. Simply navigate to the website where you want to use YubiKey and check the security settings section for multi-factor (MFA) or two-factor (2FA) authentication. If the website supports hardware keys, you should see the option to enable it, and the website will guide you through the straightforward steps to register your key(s).

But don’t worry, once you have registered your key with a device and a website you don’t have to provide the key on every login. The website will memorize your device and key for a few weeks or months until it asks you again. However, in the event that my buddy, the South Korean hacker, manages to steal my password once more and tries to log in from an unregistered device, the website will require the hardware key, effectively thwarting their attempt to gain access to my account.

How do I secure my account on websites like Reddit that don't support hardware keys but might allow for 2FA using an authenticator app? Yubico provides its own authenticator app which works similarly to apps like Microsoft or Google authenticator but with an added advantage: OTP codes are generated on the hardware key and not sent via the internet, making them immune to interception by hackers. However, it's important to note that each YubiKey hardware key is a unique MFA authenticator, so if a website like Reddit only allows a single authenticator and you lose the corresponding hardware key, you'll need to use your backup codes to unlock your account. Be sure to keep them in a secure location!

In conclusion, my experience has taught me not to rely on password-only authentication in 2023 and beyond. Reusing the same or similar passwords across websites is a risky practice. Therefore, I recommend using a password manager to generate unique, complex passwords for each site. Additionally, it's essential to enable 2FA/MFA for all critical websites and apps that support it. Whenever possible, use a second factor that requires something you have (a key, face ID, etc.) in addition to something you know (password through password manager).

About the Author
Kurt Semba
Principal Architect, Office of the CTO