Cybersecurity Mythbusters: Is There Such a Thing as a Strong Password?
Transcription
Patrick
Welcome to "Cybersecurity Mythbusters." I'm Patrick McBride. I'm the chief marketing officer at Beyond Identity, and with me is Jasson Casey, the CTO at Beyond Identity. And we're going to be exploring myths throughout our episodes. We hope that many of you will write in and give us some really interesting challenges to work on.
But for our first episode, we had to rely on friends and family, so we had our biggest fan write in, Jasson's mom.
Jasson
Thought we were going to leave my mom out of this.
Patrick
Well, I think you'll like this one. So, for our first inaugural episode, we're going to explore whether there is actually such a thing as a strong password. Mom wanted to know what it was and how to make one so she didn't get compromised.
Jasson
Yeah. It's going to be easy to take apart this one. So, actually, I have the easy job. Patrick's going to spend a lot of time and energy researching passwords, password complexity, computation time, blah, blah, blah. I'm going to look for ways of taking the easy route and just stealing the password or, perhaps, even just getting the victim to give it to me.
The first vulnerability that we're really going to talk about is social engineering. It's a fancy way of, basically, getting someone to divulge their password to you, so let me illustrate. First, let's call up our victim.
Patrick
Hello?
Jasson
Hi. Is this Patrick McBride?
Patrick
It is.
Jasson
Hi, Patrick. This is Jasson Casey from the security office of your bank. We've noticed some suspicious activity on your account.
Patrick
Oh. Did somebody steal some money?
Jasson
Well, we noticed that you seem to be in New York today. However, there are some charges that are happening in New Orleans. I take it you're not in New Orleans?
Patrick
I'm not.
Jasson
So, let's go through a couple measures to secure your account. I'm going to send you a text message to verify that you are, in fact, who you say you are.
Patrick
Okay.
Jasson
And then, we're going to put some extra controls in place. Now, remind me, what is your phone number?
Patrick
It's 202-867-5309.
Jasson
Okay. I just sent you a text message. Let me know when you receive it.
Patrick
I got it.
Jasson
Okay. So now, we've confirmed you are who you say you are. Now, I need you to follow the link in that message.
Patrick
Okay.
Jasson
And I need you to reset your password.
Patrick
Oh, yeah. It's asking me for it now. Should I put it in?
Jasson
Go ahead and reset your password for extra security.
Patrick
Okay. Okay.
Jasson
I think we have you protected now. If you notice anything over time, please give us a shout. Otherwise, you ought to be okay.
Patrick
All right. Thank you.
Jasson
So, in that scenario, we basically sent Patrick a suspicious link. We got him to enter his existing password, and now, we have it, right? We could have done it in a lot of different ways. We could have even just asked him to give it to us. And again, like, the first problem with passwords is they're inherently portable, and it's easy to get someone to divulge it to you either verbally or through something that looks legitimate.
Narrator
Meanwhile, Patrick is still cranking away trying to build the strongest password. Eleven characters, special characters, capital letters, you know the drill.
Jasson
All right. So, the question is, if I spend all of this time and energy on encryption and hashing and trying to protect the password for a service, how is it that people are still able to intercept the password? And turns out, the answer is really simple. We just cut to the chase.
We intercept the password before the user ever puts it in anything, but let's walk through a particular example. So, we have our adversary over here, Mr. Adversary, Dr. Adversary, whatever you want to call him. But clearly, you can tell, evil adversary from alternate "Star Trek" universe. And the first thing the adversary does is they land a piece of malicious software on the victim's device. We typically say endpoint, but we just mean phone, laptop, desktop.
And what this malicious software does is it collects the password of the victim as they're entering the password into a legitimate service before any sort of hashing, salting, and encryption ever even happens. And this is really just, kind of, a simple illustration of how passwords can be harvested from an endpoint, completely bypassing all of the security controls put in place by the service the victim is trying to use.
Narrator
Patrick is completing his long and complex password, but will it be enough to protect him from Jasson's simple attacks?
Jasson
So, we're going to continue our discussion of password and credential attacks. And in this particular scenario, it's called man in the middle, and it's going to continue the theme that no matter how robust your password or credential is, if we can steal it at the right point in the system, we can bypass all of those security controls that you have in place.
So, the attack is going to start usually with an email or an SMS to the victim, and it's going to have a call to action that is a little bit blood pressure-raising. It's going to try and incite a little bit of fear to get you to go and do something, and it's going to say something like, "This is your bank. I've noticed some suspicious activity. I need you to immediately log in and refute these charges so we keep you safe." And, of course, you're going to follow those links.
You're going to follow those links, but you're going to follow them to an adversary site. It might look like your bank, but it probably isn't your bank's domain name. It's probably something that looks a little bit off, right? And it's going to be signed with a legitimate certificate, right? Because you can sign domains with legitimate certificates pretty easily. And it's then going to proxy the conversation back to the legitimate service. So, you are, in fact, logging into your bank.
You're just logging into your bank via an adversary, again, to fix this sham problem that never really existed in the first place. And during this sequence, the adversary is harvesting your password, your username, and something called the access token, which is equally valuable. So again, no matter how robust your password is, there are many, many types of attacks that just bypass the controls of a password.
Patrick
All right. So, at the end of the day, my really cool, long, strong, 11-character password didn't matter at all?
Jasson
It could've been 11 million random characters. It wouldn't have mattered. They didn't attack the password. They just stole it. Can we blow things up now?
Patrick
I think so.
Jasson
Ha, ha!