
The Dangers of Reusing Passwords and Password Security Tips

You don’t need to tell me how annoying keeping track of your passwords is, and you really shouldn’t be expected to remember a unique password for every login that you have; that might be a lot of passwords. So why is it, then, that passwords are still the primary authentication mechanism for most of our logins?

The first use of password authentication is thought to date back to the 1960s at the Massachusetts Institute of Technology (MIT), during the development of a time-sharing computer, the Compatible Time-Sharing System (CTSS). Even then, passwords were not very effective, and they have only gotten worse.

Risks of Reusing Passwords

I know many people who have a few passwords that they use over and over again on the different accounts that they need passwords for. This includes both work accounts and personal accounts. This wouldn’t normally be a problem if it weren’t for the almost 7 billion people in the world, very powerful computers, and data breaches. Let me explain.

How Data Breaches Increase Password Reuse Risk

Every time a data breach occurs there is the risk that an attacker will obtain usernames and passwords. What is increasingly happening is that these password repositories (both encrypted and unencrypted) are being sold or traded between cyber criminals. This allows a cyber criminal to obtain large sets of possibly legitimate credentials without doing much work.

Using these credential repositories, cyber criminals can automate checks and logins to determine whether any of the credentials are still valid. Once they’ve determined which credentials still work, they can either use them to continue the cyber attack or sell the credentials to other criminals, including nation states such as Russia and China.

Moore’s Law and Increasing Microprocessor Capabilities

Moore’s Law is the observation that the density of transistors in microprocessors doubles approximately every two years. This increase in density has had a direct effect on microprocessor capabilities, which have increased along with it.

Passwords can only be as complex as our language and any other limits we place on them (e.g. which special characters are allowed), so our passwords have limits. As computers become more and more powerful, they become more and more capable of performing a large number of calculations in a short period of time. Cracking or guessing a password means using that hardware to try candidate passwords until one is recovered.

There are a number of different methods and applications for password cracking, but they all work similarly. They take a candidate input, cryptographically hash it, and compare the result to the stored password hash that we have. If the two match, then we’ve guessed the password.

Due to this increase in computing power, passwords have effectively become weaker over time in terms of how quickly a password of a given length can be cracked. Here are some estimates from betterbuys.com.

Password cracking times decreasing between 2000 and 2016.

As you can see, a 9-character alphanumeric password in the year 2000 would have taken almost 4 years to crack. As of 2016, the same 9-character password takes just under 3 months.

Password Security

As I mentioned earlier, it’s not feasible to remember a large set of unique passwords for every account that we may have. So stop trying to remember them!

Password Managers

Password managers such as LastPass and BitWarden not only allow you to store passwords, but also let you generate random passwords that meet whatever requirements a site imposes. Your password manager is protected by a single master password, and once you have entered it you get plain-text access to all of your stored passwords.

By using your password manager, generating a random password for every login, and storing it securely, you will never have to remember any of your passwords other than the one that you use to log in to your password manager.

Even if one of your passwords is stolen, its uniqueness prevents it from being used on any of your other accounts.

Multi-factor Authentication

I’ve mentioned Multi-factor Authentication (MFA) many times before. In short, MFA adds a second and even third authentication method that must be successfully entered, along with the password.

Authentication methods fall under three categories: something you know, something you have, and something you are. A true MFA solution must involve at least two of these categories. Here are some examples of authentication types that fall under each category.

| Something You Know | Something You Have                | Something You Are |
|--------------------|-----------------------------------|-------------------|
| Password           | Smart Card                        | Fingerprint       |
|                    | Software RSA Token (Mobile Phone) | Voice             |
|                    | Hardware RSA Token                | Retina/Iris       |
|                    |                                   | Face              |

Length Is More Important Than Complexity

Although it’s recommended that we include not just letters but also numbers and special characters in our passwords, at the end of the day the length of your passwords is going to be more important than their complexity. An 8-character complex password will still be cracked before a 20-character simple one.
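To put numbers behind the two claims above (Moore’s Law shrinking cracking times, and length beating complexity), here is an added worked example that is not part of the original post. It computes the size of a password search space, the worst-case time to exhaust it at an assumed guess rate, and how that rate grows if hardware doubles every two years; the alphabet sizes and the 1e10 guesses-per-second rate are assumptions chosen for illustration, not figures from betterbuys.com.

```python
import math

# Assumed alphabet sizes for the comparison (not from the article's figures).
LOWER = 26          # a-z only: the "simple" 20-character password
ALNUM = 62          # a-z, A-Z, 0-9: the article's 9-character alphanumeric case
PRINTABLE = 95      # printable ASCII incl. symbols: the "complex" 8-character password

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def exhaustive_search_years(alphabet_size: int, length: int,
                            guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a constant guess rate."""
    candidates = alphabet_size ** length
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def moore_scaled_rate(rate_now: float, years: float,
                      doubling_period: float = 2.0) -> float:
    """Guess rate after `years`, assuming it doubles every `doubling_period` years
    (a naive application of Moore's Law; an assumption for this illustration)."""
    return rate_now * 2 ** (years / doubling_period)


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Compare the article's two passwords: 8 complex characters vs 20 lowercase letters."""
    return {
        "8 complex":  exhaustive_search_years(PRINTABLE, 8, guesses_per_second),
        "20 simple":  exhaustive_search_years(LOWER, 20, guesses_per_second),
    }


if __name__ == "__main__":
    for name, years in compare_policies().items():
        print(f"{name:>10}: {years:.3e} years to exhaust at 1e10 guesses/s")
    print(f"bits: 8 complex={keyspace_bits(PRINTABLE, 8):.1f}, "
          f"20 simple={keyspace_bits(LOWER, 20):.1f}")
    # Same 9-char alphanumeric password, 16 years of doubling every 2 years.
    then, now = 1e10, moore_scaled_rate(1e10, 16)
    print(f"9 alnum: {exhaustive_search_years(ALNUM, 9, then):.2f} years -> "
          f"{exhaustive_search_years(ALNUM, 9, now):.4f} years")
```

The 20-character lowercase password has roughly 94 bits of entropy against about 53 for the 8-character complex one, so even a very fast attacker is worse off by many orders of magnitude.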

Government of Canada Quietly Rolls Out Multi-Factor Authentication


I don’t quite know when, but the Government of Canada seems to have quietly rolled out multi-factor authentication (MFA) on its CRA portal. I expect this happened at some time within the last week; at least for me it did. The only information I found on their website is detailed in this post.

This new service, named GCVerify, is a phone/SMS-based MFA solution that is now required after logging in to your CRA Account with either your GCKey credentials or Sign-In Partner.

If it’s the first time that you’ve logged in since the implementation, you’ll be walked through setting up MFA by providing your phone number. You’ll receive a code via telephone call or SMS to confirm your identity.

InfoSec Check

Identity Validation

This identity validation confirms that your phone number should be associated with your username.

You should never allow anyone to access your telephone or text messages. A threat actor with access to your text messages can bypass text-message-based two-factor authentication (2FA) very easily. If given the choice, you should use a 2FA application such as Google Authenticator.

After setup, you’ll be prompted to enter a one-time passcode every time that you log in to your CRA account. This includes both Personal and Business accounts.

Multi-factor Authentication page as seen during the Government of Canada CRA Login

The Personal Information Collection Statement page has also been updated (third paragraph) to reflect the changes, although the information itself leaves little to be desired. I’ve copied the specific paragraph about multi-factor authentication below.

We have a multi-factor authentication process for our online services. We collect the telephone number (landline or cell), method of delivery of the one-time passcode (telephone call or Short Message Service (SMS)) and language of choice to receive the one-time passcode that you provide when enrolling in multi-factor authentication. We share this information with the third party responsible for generating and sending you the code. The code you enter is also shared with the third party to ensure it matches before allowing you access to our online services.

It doesn’t specifically mention which vendor; however, when I dug through the Public Works and Government Services Canada website, I came across a tender notice titled Invitation to Qualify (ITQ) Identity and Access Management (IdAM) Software Solution, posted 2020/06/22, that has several mentions of multi-factor authentication. It’s a bit of an assumption, but I wasn’t able to find anything that was any more relevant. It lists N7030:ADP Software as the Goods and Services Identification Number (GSIN).

This is definitely a step forward, but hopefully not a stopping point for the Government of Canada. As mentioned, phone-based and SMS-based MFA does have its own issues, but at least it’s something, right? The fact that it’s enforced on each and every login is great, and the tokens definitely time out, although I’m unsure of how long that timeout is. But you can’t currently manage any part of that service, so if you want to update your telephone number you will have to contact the CRA helpdesk at 1-800-959-8281.

And no, you can’t disable it. But I wouldn’t suggest that you do anyway.

Additional Resources:

Multi-factor authentication to access CRA login services