Op-Ed: Passwords – The cause of and solution to online problems
by firestorm_v1 on Jan.24, 2020, under Editorial/Opinion, Miscellaneous, Security, Software
Anyone that’s been online as long as I have (and yes, there are many that have been online for far longer) knows that your passwords getting leaked and compromised isn’t a question of “if” but rather a question of “when”. As we continue onward in the online world, it’s critically important now more than ever to have a strong password policy and to actually enforce your strong password policy! I italicized the last bit as this will be the crux of this entire article as I experienced a password breach for the first time.
I’ll preface this by saying that I’m not a n00b at being on the Internet. I know about making strong passwords, and I even use an offline password manager as I’m not quite there with trusting the likes of LastPass or 1Password for online security. (Note: I don’t doubt either product, I’m just not sure an always online password manager is a good idea for me. YMMV.) The problem runs into what to do about legacy accounts, or those accounts that you used once many years ago and forget about.
In this particular event, it’s just such an account that ended up biting me in the rear end and almost resulted in losing access to several of my online accounts! I’ll get into the details down below but rest assured, all is well and my accounts are secure again.
Ahhh… memories.
To set the stage for how this unfolded, we have to set the wayback machine way, way back, to around the early 2000’s. At that point, Battle.net was the 600lb gorilla of online gaming for Diablo and the soon to be launched StarCraft games. A new player on the scene was Sierra Entertainment and their little-known game called “Half-Life” (also, I’m old…)
Sierra turned into Valve and launched Steam, Battle.net turned into Blizzard Entertainment, and that catches you up to almost current. Suffice it to say that back in the early 2000’s, password managers were notepad files on the desktop, good password policies were passwords you could remember, and everyone who was anyone had an @yahoo.com email address (Didn’t trust that newfangled Google thing yet…)
Starting out as one does, I (like everyone) had that golden password. The one they used for everything, the unguessable, unbreakable password. As passwords became more commonplace and accounts more prolific, I evolved how I kept my passwords. Back in the day, I’d have one or two “master” passwords, and most of my online activity would be variants of those passwords which was of course a text file. When I first created a “real” password database and started using a password manager, all the accounts that I could remember got entries in the database and it went up from there however there was still a good bit of cruft (old accounts I never used). As an example, my Blizzard account was still listed as the original “Battle.net” account. (Yes, it’s that old…)
Unfortunately, password managers have one weakness. They don’t know what they don’t know, and what they don’t know (and you don’t remember) could very well end up causing you problems, just as it did me.
… where did that come from?
Last week, I was in a team meeting when my phone goes off. It’s a notification from Steam’s Mobile Authenticator. Wait, I didn’t log into my Steam account… I grabbed my laptop and opened up my password manager, then copied and pasted the credentials into Steam’s website and provided my Authenticator code and I was in. I went in and changed my password to something new, updated my password manager with the new credentials and went about my day. This should have been a red flag for me.
Fast forward to this afternoon. Waiting for the clock to count down so I could go home, I get an email from Blizzard with an authentication code. Ok, same story. I didn’t recognize the login so my password must have leaked, so I logged in using the credentials from the password manager and changed my password. All should be set, right? NOPE. More emails came in, until finally I got a new email from Blizzard.
YOUR EMAIL ADDRESS HAS BEEN CHANGED.
Several expletives later and I’m trying to login to Blizzard again and regain my account. No such luck. Then, another email… YOUR SECURITY QUESTIONS HAVE BEEN CHANGED. Ok, now the symptoms are unmistakable, I (or rather my Blizzard account) was the victim of a targeted attack. I had Email authorization enabled, and I regularly monitor my account for odd activity. Unfortunately with the email address changed, Blizzard’s site had locked me out completely.
A quick chat with Blizzard’s accounts department and I’ve regained access to my account, changed the password, and enabled their Blizzard Mobile Authenticator app, but the root question remained. How did my account that had a secondary method of authentication get breached? Isn’t 2FA via email supposed to stop this from happening? Evidently not.
I was informed by the agent I chatted with that Email authentication doesn’t work entirely and password resets take several minutes to process. The only way to get “true” 2FA was to install the Blizzard Mobile Authenticator. The last time I took a look at my Blizzard account, was back when World of Warcraft had just launched and they were issuing RSA tokens to users! I wasn’t even aware Blizzard had a mobile app. The big smoking gun was the failure of their Email Authentication to actually do its job and protect the account. Had the Email Authentication actually worked, I would not have been in this position, even though my password was compromised.
Anyway, with the bleeding stopped and my Blizzard account secured, I went home to try and figure out what happened and ensure it didn’t happen again.
When you think you’re on top of things, you aren’t!
After spending the last two hours of digging through my password manager, there were three things that became apparent:
- Password reuse played a factor – The same legacy “master” password was used in several other old accounts.
- Account age played a factor – Newer or more recently used accounts had strong and unique passwords and 2FA had been enabled where available but these changes weren’t made retroactively to the older accounts.
- Changes on the provider side – Had I known about Blizzard’s 2FA Mobile Authenticator, this particular breach likely would not have happened.
In the end, it’s the email alerts that saved me. Had I not been made aware that someone was trying and had ultimately succeeded in breaching my Blizzard account, it’s very possible that I would never had known my Blizzard account was no longer mine.
With the compromised credentials and the scope of risk identified, I set about changing all the passwords I could find that used that old original password. If the account had the option for 2FA via authentication, it was enabled and confirmed.
What I should have done, and what you should do too…
This event proved to me a few things: Using strong passwords is mandatory, using shared passwords is always asking for trouble, and finally, a password manager is only as good as the person behind the keyboard.
So, what can one do when implementing a password manager?
- Make strong passwords! – Use the password manager’s built-in password generator, Diceware, or CHBS to generate unique passwords for all your entries.
- Don’t re-use passwords! – Although it might be tempting, don’t re-use passwords across services. Ever. New entries get new passwords.
- Use 2FA if available! – If a two-factor method is available, USE IT. 2FA apps (like Blizzard’s app or Google authenticator) will help mitigate the fallout of a compromised password.
- Don’t rely on email notifications and SMS authentication! – Both have been proven to be insecure or easily broken.
- Change all the passwords at least once a year! – For those rarely used accounts, consider an annual change schedule. This will also give you the opportunity to see if the service has added any 2FA methods or other options to secure your account.
- Audit your accounts for activity! – Some providers give the option of “seeing where you’re logged in” or “Devices associated to your account”, so take advantage of it and have a look. De-authorize devices you don’t recognize.
- Deactivate unused accounts! – If you haven’t logged into a site in a long time, maybe consider terminating the account.
- Don’t be lazy! – If you find an old or weak password, fix it right then. Don’t let cruft languish about, the more data that’s out there, the higher the risk.
One final thing… No password manager will save you in the event of a password breach, but how you manage your passwords can help you mitigate the total damage you experience from it and turn a potentially catastrophic situation into a mild inconvenience. We are in the time that breaches are not a rare thing, it is not a matter of “if” but “when” your passwords will get leaked.
Happy hacking!
FIRESTORM_v1