Recovering From a Credential Breach, Part 1

By Peter Gregory ·

A few years ago while on a business trip, I was out to dinner and left my luggage in my rental car (I had not yet checked in to my hotel). When I finished dinner and went back to my rental car, I found it had been broken into and my luggage was gone. My keyring with keys to my house, car and other places was in my luggage. It was a royal hassle having to get locks changed in various locations, and it was distressing knowing someone else had access to such personal aspects of my life and others’ lives, albeit for a short period of time. I never want to relive that experience.

Breaches of credential information bring a challenge not unlike that of stolen keys. A breach of credentials involves the loss of a password, PIN or other information used to log in to an application. In the hands of a criminal, stolen credentials can be used to conduct transactions in the account holder’s name. Except in limited circumstances, consumers may be responsible for those transactions, and getting them reversed can be time-consuming and possibly costly as well. For example, a few weeks ago the CEO of Securitas discovered that the state had registered him as bankrupt and had also deregistered him as the CEO of his company.

When credentials have been breached, it is important for affected users to change them as quickly as possible. Specific rules on changing credentials appear later in this post. 

There is a particularly bad habit that many people, including myself at times, have when creating credentials: they use the same set of credentials for multiple sites. While the advantage of this practice is obvious (fewer sets of credentials to remember), the danger is considerable: if a criminal obtains login credentials for one site, said criminal will attempt to log in to dozens – and perhaps hundreds – of popular sites using the same credentials. And often, they are successful. I once presided over a breach where an intruder logged in to a business user’s account and caused some mischief. The affected user admitted that he (or she) used the very same credentials for several personal accounts as well. Company policy forbade that, but many people did it anyway. This is one type of policy that is extremely difficult to verify and enforce.

Whenever creating or updating user credentials, use the following rules:

  1. Use a complex password that is easy to remember but hard for others to guess. A password that is at least 12 characters long will be strong enough, particularly if it contains lower and upper case letters, numerals and symbols. 
  2. When creating a password, think “pass phrase” instead of “password.” For example, the phrase “Surrender Dorothy” could be made into a password such as 5URRender;D0r0thy. The “S” is actually the number 5, and the O’s in Dorothy are zeroes. 
  3. Use a different password for each site.

Rule #3 can be pretty challenging, as many of us have lots of user accounts. I recommend you employ a password vault such as Password Safe or KeePass. These handy tools can be used to store passwords, and as a bonus they will copy the user ID and password into the “paste buffer” so that you can just hit Ctrl-V when filling in the user ID and password.

The best thing about password vaults like Password Safe and KeePass is that they can also easily generate highly complex and randomized passwords which, of course, you’ll never need to memorize. Generate a password for each site, and you’ll be assured of never having to worry about one site’s stolen credentials affecting any other sites.
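The three rules above and the vault-generated passwords just described, as an added example that is not code from the original post or from Password Safe or KeePass: a checker for Rule 1 (12+ characters across all four character classes), a CSPRNG-based per-site generator of the kind a vault provides, and a Rule 3 audit that flags any password shared between sites. The symbol set and the sample credentials are constructed for illustration.

```python
import secrets
import string

# Character classes named in Rule 1; the symbol set is an assumption for this example.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+;:,.?"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
MIN_LENGTH = 12  # the post's recommended minimum


def meets_rules(password: str) -> bool:
    """Rule 1: at least 12 characters, using lower, upper, numerals and symbols."""
    if len(password) < MIN_LENGTH:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Vault-style random password.

    One character from each class is guaranteed so the result always passes
    meets_rules(); the remainder is drawn from the full pool, and the order is
    shuffled with the OS CSPRNG so the guaranteed characters are not predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(cls) for cls in CLASSES]
    pool = "".join(CLASSES)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def find_reused(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Rule 3 audit: map each password used on more than one site to those sites."""
    by_password: dict[str, list[str]] = {}
    for site, pw in credentials.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault contents: two sites share the post's example password.
    sample = {"bank": "5URRender;D0r0thy", "mail": "5URRender;D0r0thy", "shop": generate_password()}
    print("Rule 1 check on the post's example:", meets_rules("5URRender;D0r0thy"))
    print("Reused passwords:", find_reused(sample))
```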

When using a password vault, you’ll have to come up with a master password to protect the vault itself. I highly recommend you use a complex password, but one that is not too difficult to memorize or type. You can’t keep that password in the vault, because you need that password to reach the vault. 

I suggest you save a copy of your password vault in a few different locations such as a second computer or removable storage such as a USB drive. There are many different failure scenarios on a laptop/desktop computer (tablets and smartphones too) that can result in the loss of all of the information stored there. Losing your only copy of a password vault would be a big chore.

One last remark about password vaults – there are cloud-based password vaults, such as LastPass, and the convenience of being able to access your vaults from anywhere on any device can be compelling. However, I have a moderate dislike for cloud-based password tools, and here is why: if a breach compromises your cloud-based password vault, all your credentials will be compromised and you’ll have to change them all, very quickly.

Whatever method you use to manage multiple sets of credentials, do so safely, and please don’t store them in a plaintext file (or document, or spreadsheet) where a criminal could easily find them and ruin your day.

In part 2 of this blog series, I discuss steps an organization needs to take when user accounts are compromised.


Peter Gregory

Director, Information Security

Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.