How Everything We’re Told About Website Identity Assurance is Wrong

Troy Hunt, the cyber security expert, has a great blog on website certificates (DV/EV) which is worth a read:

https://www.troyhunt.com/how-everything-were-told-about-website-identity-assurance-is-wrong/

The TLDR is as follows:

He discusses the false advertising around extended validation (EV) certificates. Sites that had one used to get a green address bar carrying the organisation’s name, but browsers have since removed that indicator.

Now you are supposed to click the padlock icon and inspect the certificate details, but each browser shows something different.

Even when it shows a company name (the organisation the certificate was issued to, or the CA that issued it), how is an ordinary user supposed to know whether that name should be trusted?

“EV only works if people change their behaviour in its absence and clearly, that just doesn’t happen”

Troy Hunt

Most people now browse on mobile devices, where the security information is hidden even deeper in the browser. On iOS you have to download a separate app just to see it!

Even “website checkers” and site seals are misleading.

A site seal is just an image, so anyone can copy it onto a phishing page. Troy registered digicert-secured.com to troll DigiCert, and it is still up a year later, complete with a nice picture of a seal (the animal).

Password Discussion

In a previous blog post, I wrote about some routine training courses we need to do each year. I briefly discussed some security questions, but there is one example I forgot to add. On one course we did, my manager was raging that he got one of the questions “wrong”, and he seemed more annoyed because he knew this course was one that NHS staff must also do. He Googled the question to see if anyone else was complaining, and he found a post on Stack Exchange.

The question is as follows:

Which of the following would make the most secure password? Select one:

a. 6 letters including lower and upper case.
b. 10 letters a mixture of upper and lower case.
c. 7 characters that include a mixture of numbers, letters and special characters.
d. 10 letters all uppercase.
e. 5 letters all in lowercase.

The answer we went with was B, because it is the answer with the most characters and, as a bonus, has a mix of upper and lower case.

However, this is apparently wrong, and we should have chosen C.

The Stack Exchange user Robin Winslow then referred to the famous XKCD comic (“Password Strength”, xkcd 936), which illustrates what is now commonly thought of as the best type of password: a long passphrase of several random, ordinary words, such as the comic’s “correct horse battery staple”.

The key point is that a password is useless if its owner cannot remember it. Forcing complexity at the expense of memorability means the person will most likely write it down. Additionally, forcing particular character classes into the password makes it more predictable, because most people satisfy each rule in the same few ways.

If you ask me to choose a password, I may choose a memorable word, e.g. “programming”.

If you tell me I cannot have that because it needs an uppercase letter, I could add another character or pick a random existing letter to capitalise, but that is hard to remember, so I am going to choose “Programming”.

Then if you tell me it needs a number, I could again put one somewhere in the middle or substitute a letter, but that is hard to remember, so I will put it on the end. It could be a number that is significant to me, or I can just pick 1, because that is easy to remember (or easy to guess that I did that). So now it is “Programming1”.

Exactly the same thing happens if you tell me it must contain a special character: I will probably end up with “Programming!1”. It has more characters than my initial “programming”, but the extra ones were chosen in the most predictable way possible, so the gain is small and memorability suffers.

Another aspect to consider is password expiry. At work we used to have to change our passwords every three months; it is currently six. But what is my next password going to be? Probably “Programming!2”. So if the aim is to lock out someone who somehow got hold of my old password, they will still get in, because they can simply guess the new one.
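The “programming” → “Programming!1” → “Programming!2” progression above is mechanical enough to script, and that is exactly why it is weak: an attacker can generate the same candidates. The following Python is an added example (not from the original post or from Troy Hunt’s article). The wordlist is a constructed six-word stand-in for a real dictionary, and the rule set is an assumption about how people satisfy composition rules, modelled on the steps described above. It counts how many candidates the policy actually adds per dictionary word, compares the resulting guess space with a four-word random passphrase, and predicts the likely next password after a forced rotation.

```python
import math
import re
import string

# Constructed, tiny stand-in for a real wordlist. Assumption: a real attacker
# uses a dictionary of millions of words plus leaked-password corpora.
WORDLIST = ["programming", "password", "welcome", "summer", "football", "monkey"]

# Assumed "human mangling" rules, mirroring the steps in the text: capitalise
# the first letter (or shout), append a single digit, append a common special.
SPECIALS = "!@#$%&*?"


def apply_policy_mangles(word: str) -> list[str]:
    """Candidates a user is likely to produce from `word` when a policy demands
    upper case, a digit and a special character. Returned sorted for stability."""
    bases = {word, word.capitalize(), word.upper()}
    candidates = set()
    for base in bases:
        for digit in string.digits:
            for special in SPECIALS:
                candidates.add(f"{base}{digit}")
                candidates.add(f"{base}{special}")
                candidates.add(f"{base}{special}{digit}")
                candidates.add(f"{base}{digit}{special}")
    return sorted(candidates)


def guess_space_bits(n_words: int, mangles_per_word: int) -> float:
    """Bits of guesswork for 'dictionary word + predictable mangling':
    log2(words * variants per word)."""
    return math.log2(n_words * mangles_per_word)


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Bits for n_words chosen uniformly at random from a list (xkcd style)."""
    return n_words * math.log2(list_size)


def predict_next_passwords(old: str) -> list[str]:
    """First guesses an attacker tries when a rotation policy forces a change:
    bump a trailing number (keeping its width), else start one."""
    m = re.match(r"^(.*?)(\d+)$", old)
    if m is None:
        guesses = [f"{old}1", f"{old}2", f"{old}!"]
    else:
        base, digits = m.group(1), m.group(2)
        nxt = int(digits) + 1
        guesses = [f"{base}{nxt}", f"{base}{nxt:0{len(digits)}d}", f"{old}1"]
    seen: list[str] = []
    for g in guesses:  # de-duplicate while preserving priority order
        if g not in seen:
            seen.append(g)
    return seen


if __name__ == "__main__":
    variants = apply_policy_mangles("programming")
    print(len(variants), "variants per word;", "Programming!1" in variants)
    # A 100,000-word dictionary mangled this way vs four random diceware words.
    print(round(guess_space_bits(100_000, len(variants)), 1), "bits (mangled word)")
    print(round(passphrase_bits(7776, 4), 1), "bits (4-word passphrase)")
    print(predict_next_passwords("Programming!1"))
```

Running it shows that three composition rules add only about nine bits on top of the choice of dictionary word, so a 100,000-word dictionary mangled this way is around 26 bits of guesswork, against roughly 52 bits for four words picked at random from a 7,776-word list; and that “Programming!2” is the very first guess the rotation predictor makes from “Programming!1”.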

I wasn’t sure what the rationale was for changing the expiry from 3 to 6 months, because if you think it’s not a great feature, you would just remove it outright. When the Head of Security started working for us, the first thing I saw him do was walk away from his laptop without locking it, so maybe that illustrates how good his skills are.

Troy Hunt points out that Microsoft’s current policy is not to use expiry at all:

Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.

Microsoft Azure

Troy makes some follow-up points:

Geez there’s some debate about this one! Mostly support but also some misunderstanding so let’s fill some gaps: Firstly, password managers don’t solve this problem, not when you’re talking about the credentials to logon to your PC. That’s a rare case where you need to type it…

…unless you’ve gone passwordless via security keys, biometrics etc. Clearly this negates the need to use the password with such frequency thus reducing the opportunity for compromise. There may still be a password (e.g., fallback from biometrics), but exposure is much less.

The argument of “well what if the password is exposed a year later” could just as easily be “well what if it’s exposed a month later” when there is a 90 day rotation cycle. Different windows of risk, so why not make the cycle a week? Because it’s painful…

…plus, the solution is the same: MFA. The usefulness of a password alone for AD login has dramatically reduced with the mass adoption of multi factor. Mandate it on your AD tenant and the value of rotation dramatically reduces.

Troy Hunt

Also, there are always ways around such policies for the more determined users:

I used to be at a company that did that. Someone quickly came up with a script that changed the password ten times in a row and set it back to the original (last ten passwords were not allowed).

Kerry W. Lothrop (https://twitter.com/troyhunt/status/1578149402304094208?s=20&t=Uk9uhXXLK2vPj2EA_pE4uw)

I’m not sure I 100% agree with the “well what if the password is exposed a year later” point. Expiry does remedy that in some cases, but no expiry at all will always leave you vulnerable: you are relying on knowing there has been a breach.

Troy Hunt has discussed that the best security involves a mixture of methods. It generally comes down to:

  1. Something you know
  2. Something you have
  3. Something you are

Aaron Toponce recently posted on Twitter about this, but his account has since been deleted. This is why dumping things into OneNote is useful. Troy Hunt has also discussed this idea many times.

Not sure what Taylor Swift has got to do with it. Maybe she pretends to be happy.

So if your account has all three factors associated with it, then even if someone knows your password they cannot get in, because they will also need your token (the Authenticator app on your phone). If they have also managed to steal your phone, they still can’t get in if a fingerprint is required too. If they are holding you at gunpoint to make you unlock your account with your finger, then you have bigger problems.

Aaron’s musing was this:

If a password is stored in a password manager, is it still something known, or does it become something possessed? A password manager vault can be stolen.

Knowledge of where the passwords are stored and how to retrieve them then becomes “something known” and the vault itself “something possessed”. No?

Aaron Toponce

This has since become quite topical with the recent LastPass breach, where encrypted vaults have been posted on hacking forums. If a vault’s master password is then cracked, the attackers have access to every account stored in it. I was always intrigued by password managers, but I did feel you really are putting your trust in one company.