Qualys Blog


Solving the Secure Password Conundrum

Last year around the holidays, Hacktivists published a list of usernames and passwords registered with the stratfor.com site. I had signed up for their free feed of geopolitical analysis several years ago through a recommendation from @anton_chuvakin and did not even remember the password I had used. While the disclosed information in the breach did not really worry me, I was fairly certain that I had probably used the same password to sign up for other services. Now I had a dual challenge:

  1. Recall the password I used for the site at the time.
  2. Research where else I had used that password and change it on those sites as well.

Since I could not remember the password, I downloaded the password archive from one of the locations shared on pastebin.com (see cryptome.org for a nice timeline), looked for my username, extracted the MD5 hash string and then cycled through each of my "password sharing candidates" with a small Perl script to see if a match could be found. I found a match relatively quickly and then had to start on the tedious work of resetting my password on all sites that were using that very same password. It took me about two hours to go to each of the 17 sites that I had located through my password manager and reset the respective passwords. This time I followed best practice and let the tool generate a random password for each site. None of the sites were particularly important, but among them were the site where I pay my utility bills (they do not store credit card information), a forum for the car I drive, my local library and the sandwich store next door that allows for online ordering.
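The check described above, written as an added Python example rather than the author's Perl script: it looks up a username in a dump whose records are assumed to be `username:md5hex` lines (the sample records and the record format are constructed for this example; the only digest used is the well-known MD5 of the string "password"), tests each of your own candidate passwords against the leaked hash, and then produces a distinct random replacement for every site the password manager reported as sharing that password. Because the dump stores plain, unsalted MD5, a single hash computation per candidate is all it takes to confirm a match, which is exactly why reuse of a password across sites turns one breach into many.

```python
import hashlib
import secrets
import string

# Constructed sample dump. The digest on the "alice" line is md5("password"),
# a widely known value; "bob" has an arbitrary placeholder digest. No real
# breach data is included here.
LEAKED_RECORDS = """alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:0123456789abcdef0123456789abcdef
"""


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, matching what the leaked archive stored."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def find_leaked_hash(records: str, username: str):
    """Return the hash recorded for `username`, or None if it is not in the dump."""
    for line in records.splitlines():
        if not line.strip():
            continue
        user, _, digest = line.partition(":")
        if user.strip() == username:
            return digest.strip().lower()
    return None


def find_matching_password(leaked_hash: str, candidates):
    """Return the first candidate whose MD5 equals the leaked hash, else None."""
    leaked_hash = leaked_hash.lower()
    for candidate in candidates:
        if md5_hex(candidate) == leaked_hash:
            return candidate
    return None


def generate_site_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, one per site, as a password manager does."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def replacement_passwords(sites):
    """Map each affected site to its own freshly generated password."""
    return {site: generate_site_password() for site in sites}


if __name__ == "__main__":
    # Constructed candidate list and site list; in practice these come from
    # memory and from the password manager's search for the old password.
    candidates = ["hunter2", "letmein", "password"]
    leaked = find_leaked_hash(LEAKED_RECORDS, "alice")
    reused = find_matching_password(leaked, candidates)
    print("leaked hash:", leaked)
    print("reused password found:", reused is not None)
    if reused:
        for site, new_pw in replacement_passwords(["utility-bills", "car-forum", "library"]).items():
            print(f"{site}: new password of length {len(new_pw)} generated")
```

Keep the actual matched password out of any output or log; the script only needs to tell you whether a match exists and which sites to visit next.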

Then early Monday morning I got a similar e-mail from Zappos informing me that they had had a data breach as well, and that I had to reset my password at their site. Now with Zappos, I am in a somewhat worse and somewhat better situation: Zappos has my credit card information, but on the other hand, I have the same password only at Zappos' sister site Amazon, so the password change was simple and done quickly.

The lesson from all of these events is simple: reusing passwords, while convenient, is risky. Use a distinct password on each site when you open an account. I cannot remember the login details for the hundreds of sites with which I have accounts, so I make use of a password manager to take care of that. I recommend installing a third-party product over the browser's built-in manager, as they are harder to attack and less likely to disclose your passwords to a browser exploit.

Personally I use LastPass, which works well for me across my Linux and Mac computers and even on my Chromebook. I also like it because it allows two-factor authentication with a Yubikey or Google Authenticator. Two-factor authentication is a great security option if the service or site supports it, asking the user to provide an additional proof of identity, typically by prompting for a numeric code that is displayed on a token or on the user's cellphone. I opt in to two-factor authentication whenever possible and have activated it on my bank account, PayPal and eBay, DNS management for my domains and my Gmail account. Even my son uses it on his World of Warcraft account. It adds an additional step to the login process, but provides additional security. This measure is well worth the added work, as he realized when he lost all of his equipment on an account that did not have two-factor enabled.
