I always love this comic strip from XKCD when it comes to generating a strong password. We are prone to choose simple solutions and take shortcuts to make things easier for ourselves, especially in this day and age when we use many, many online services on a daily basis.
Of course, having multiple passwords often leads to us using the same password (read more about it here –> https://www.darkreading.com/informationweek-home/password-reuse-abounds-new-survey-shows/d/d-id/1331689 ) or a similar password so that we can remember it. This can lead to our accounts being compromised if the password is simple, since attackers have been using password spray attacks. Secondly, it is a problem if a website we use is compromised and our account information is leaked: if we use the same username and password everywhere, it is easy for an attacker to try those credentials on other websites.
Most of us use password managers to make this easier: an integrated password solution that makes it easy to store passwords and that also generates passwords automatically as part of the sign-in process.
How do I see if I have been compromised or my information leaked?
Identity-based attacks are becoming more and more common with the rise of SaaS services, where services are available everywhere and at any time, which also makes them prone to attacks. Looking at statistics from Microsoft, they see a big rise in identity-based attacks. These are statistics from last year, and the numbers will most likely have increased again this year.
A good start is to check haveibeenpwned.com with your email address; it will tell you whether your account information has leaked because of a compromised third-party website. (NOTE: for business accounts you can also subscribe to domain notifications, so that if a user within your domain is detected in a breach you are notified directly; you can set this up here –> https://haveibeenpwned.com/DomainSearch )
If you use Google, they recently released a new service as part of their password manager that checks your saved usernames and passwords against the breach information Google has (https://passwords.google.com/)
For business users, Microsoft provides capabilities as part of Azure Active Directory: where Microsoft finds a match for a compromised account, it can also take action directly on the affected end user. However, this requires an additional license and will be covered in a future blog post.
So is a strong password enough?
The short answer is no. It is a start, but as you can read more about here –> https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984 , based on Microsoft research your account is more than 99.9% less likely to be compromised if you use MFA.
Most online services support MFA using Google Authenticator, Microsoft Authenticator or other authenticator apps. The general approach should be to enable MFA for your services (don’t rely on SMS or phone calls, but use a native app or a FIDO-based authentication key where possible).
Set up MFA for your Google account: https://support.google.com/accounts/answer/185839?co=GENIE.Platform%3DDesktop&hl=en Google also supports FIDO-based authentication. You don’t need a YubiKey or another token; you can also use your phone as a physical security key (and not just via the app).
You can read more about it here –> https://android.gadgethacks.com/how-to/use-your-phone-as-security-key-for-logging-into-your-google-account-any-computer-0196032/
Set up MFA for your Microsoft account: https://support.microsoft.com/en-gb/help/12408/microsoft-account-how-to-use-two-step-verification (Setting up MFA for business accounts requires licenses depending on usage, and I’ll get back to this in a future blog post.) You can read more about setting up FIDO-based authentication for your Microsoft account here –> https://support.microsoft.com/en-us/help/4463210/windows-10-sign-in-microsoft-account-windows-hello-security-key
Set up MFA for your Facebook account: https://www.facebook.com/help/148233965247823
Set up MFA for your Twitter account: https://help.twitter.com/en/managing-your-account/two-factor-authentication
So, to summarize, when you are setting up new online accounts and services:
1: Ensure that you use a strong password, based on the example above (you can also use this site to test the strength of a password; it tells you how long it would take to brute-force –> https://howsecureismypassword.net/ )
2: Don’t use the same password, or a variant of it, on different sites, and keep your passwords in a password manager, which makes this easier.
3: Always combine this with MFA where possible, so that if your password is compromised the attacker still doesn’t get access without the MFA device.
So the password correct horse battery staple, for instance, would take a long time to brute-force 🙂
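As an added example (not from the original post), the small Python script below puts numbers on the XKCD argument: it computes the entropy of a random word passphrase versus a random character password and estimates the worst-case brute-force time at a given guess rate. The word list is a constructed stand-in (only its length matters); the 1000 guesses per second rate is the comic's assumption for a throttled online login, and the 10^10 per second offline rate is an assumed figure for cracking a leaked hash database.

```python
import math
import secrets

# Constructed stand-in for a real word list (e.g. the 7776-word Diceware list);
# only its length matters for the entropy arithmetic below.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "anchor", "cloud", "pencil", "river"]

SECONDS_PER_YEAR = 365.25 * 86400


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase made of `words` uniformly random picks from a
    list of `wordlist_size` words (XKCD: 4 words x 11 bits = 44 bits)."""
    return words * math.log2(wordlist_size)


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from
    an alphabet of `alphabet_size` characters (94 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to exhaust the whole search space at a guess rate.
    Throttled online guessing (XKCD assumes 1000/s) and offline cracking of
    a leaked hash database differ by many orders of magnitude."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist, words: int = 4, sep: str = " ") -> str:
    """Pick words with the CSPRNG (secrets), never random.choice: a passphrase
    is only as strong as the randomness that chose it."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(words=4, wordlist_size=7776, length=8, alphabet_size=94,
            online_rate=1e3, offline_rate=1e10):
    """Return entropy and brute-force estimates for both password styles."""
    rows = {}
    for label, bits in (("passphrase", passphrase_bits(words, wordlist_size)),
                        ("random chars", password_bits(length, alphabet_size))):
        rows[label] = {"bits": round(bits, 1),
                       "online_years": brute_force_years(bits, online_rate),
                       "offline_years": brute_force_years(bits, offline_rate)}
    return rows


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDLIST))
    for label, row in compare().items():
        print(f"{label:13s} {row['bits']:5.1f} bits  "
              f"online: {row['online_years']:.3g} years  "
              f"offline: {row['offline_years']:.3g} years")
```

The point the numbers make is that a four-word passphrase from a large list matches an eight-character random password in entropy while staying memorable, and that a leaked hash is cracked offline millions of times faster than an online login can be guessed, which is why MFA still matters.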