Password Security:
I don't want to change my password
Chuck's cyber wall
As a cybersecurity expert, I often hear the phrase: "I don’t want to change my password." I get it: changing passwords is never fun, but a weak, reused, or potentially breached password is too big a risk to ignore.
And let’s be clear: advising someone to change a password is not something I do because I want to make their lives more difficult, to test their memory, or because I like to see them suffer. In fact, I love the current NIST guidelines on passwords (NIST Special Publication 800-63B), which are far more user-friendly. They include best practices such as dropping composition rules, removing periodic change requirements, and allowing spaces so that people can use easy-to-remember phrases. These rules make a lot more sense than the old requirement that every password contain at least one number, at least one lowercase letter, a capital letter, and a symbol.
Not only were the previous guidelines based on a white paper written in the mid-1980s, but the man who wrote them, Bill Burr, has admitted he wrote them without real data on how people actually choose and use passwords. That’s right: all of this suffering with complexity rules and constantly changing passwords was based on bad information. So, after decades of painfully dealing with these requirements, the password security rules have evolved.
Unfortunately, evolution is a slow process, and it will still be a while before the new guidelines are fully adopted. There are also other security components to consider, such as Multi-Factor Authentication and Password Managers. But for me, the best part of the new guidance is that passwords only need to be changed when there is evidence of a potential breach.
So let’s talk about that.
What is a Potential Breach?
This past weekend, one of my relatives had his Facebook account hijacked, and it sent a YouTube video link to everyone on his friend list. Like most people, I wanted to see what internet fun he had chosen to send me, but…
- He has never sent me a video link before
- The link didn’t generate a video preview
- A YouTube logo was included in the message, but the link itself wasn’t a YouTube link
That was enough for me to hit the brakes. Instead of clicking on the link, I went to Norton Safe Web and typed in the web address.
DO NOT copy and paste suspicious links; type the address in by hand. I always share this piece of advice because it’s too easy to accidentally paste the link into the browser’s address bar and open it.
After the scan marked it as malicious, I decided to dig a little further and used an old laptop on an isolated network to see what would happen when I clicked the link.
I discovered that the link takes you to a fake login page that looks remarkably similar to the real one and prompts you to enter your Facebook username and password. Except that the URL is not Facebook’s, and entering your credentials sends them to cybercriminals, who then use your account to send the same malicious link to your friends and family.
But we’re not done yet. The page also includes malicious code that runs in your computer’s memory, scanning for passwords and collecting them into a hidden temporary file. So even if you don’t fall for the credential theft or close the browser, it keeps running. After a preset period of time, any data put into that temporary file is sent to a remote server operated by cybercriminals.
This is a common example of a potential breach. And what did we say above about a potential breach? The password needs to be changed.
Why Reusing Passwords Is Bad
After receiving that fake YouTube video, I sent a message to the relative who sent it and asked her to post a message for her friends to change their passwords if they had clicked on the link. While I have no way of knowing how many took my advice, I did get responses from people who clicked on the link and said nothing happened, so they saw no need to change their password. Now let’s take that response and amplify it a little, because it is not only the Facebook password that needs to change: every other account that uses the same password needs a new one too.
Why?
Because while most companies go to great pains to protect passwords, usernames are much easier for hackers to get. On top of this, most people use their first or last names as part of the username for official accounts, such as banking and business, and that practice has trickled down to social media and entertainment accounts. This means that if cybercriminals get your social media email address and password, they have bots that automatically try that same combination against banks, email providers, online stores, and any other site where you might have an account. This process is called credential stuffing, and it works precisely because people reuse passwords.
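What credential stuffing looks like from the defender's side, as an added example that is not part of the original post: a bot replaying leaked email/password pairs shows up as one source address trying many different accounts in a short window, mostly failing, while a real user retries a single account. The log format, the usernames, and the IP addresses below are constructed for this example (the addresses come from the documentation-only ranges 203.0.113.0/24 and 198.51.100.0/24); the thresholds are assumptions to tune for your own traffic.

```python
"""Spot credential-stuffing traffic in authentication logs (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical log format assumed for this example:
#   "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample lines: 203.0.113.7 cycles through seven accounts in six seconds
# and gets one hit; the 198.51.100.x lines are ordinary users logging in.
SAMPLE_LOGS = """\
2024-05-04T10:00:01Z ip=203.0.113.7 user=alice.clark result=FAIL
2024-05-04T10:00:02Z ip=203.0.113.7 user=bob.clark result=FAIL
2024-05-04T10:00:02Z ip=203.0.113.7 user=carol.smith result=OK
2024-05-04T10:00:03Z ip=203.0.113.7 user=dave.jones result=FAIL
2024-05-04T10:00:04Z ip=203.0.113.7 user=erin.lee result=FAIL
2024-05-04T10:00:05Z ip=203.0.113.7 user=frank.wu result=FAIL
2024-05-04T10:00:07Z ip=203.0.113.7 user=grace.kim result=FAIL
2024-05-04T10:01:00Z ip=198.51.100.20 user=alice.clark result=FAIL
2024-05-04T10:01:30Z ip=198.51.100.20 user=alice.clark result=OK
2024-05-04T10:05:00Z ip=198.51.100.21 user=bob.clark result=OK
"""


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"] == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try at least min_distinct_users different accounts within window.

    Returns {ip: {"distinct_users", "attempts", "failures", "compromised_users"}}.
    compromised_users lists the accounts where the reused password actually worked:
    those are the passwords that must be changed everywhere they are used.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[1]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[0])
        # Slide a window starting at each attempt; flag on the first window that qualifies.
        for i, (start, _, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - start <= window]
            users = {r[2] for r in in_window}
            if len(users) >= min_distinct_users:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "failures": sum(1 for r in in_window if not r[3]),
                    "compromised_users": sorted({r[2] for r in in_window if r[3]}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOGS).items():
        print(ip, stats)
```

Keying on distinct usernames per source rather than on failures per account is the point: a stuffing bot spreads its attempts thinly across many accounts, so per-account lockout thresholds never trip. In production the same logic would run over a real auth log and feed a rate limiter or a forced password reset for the accounts in compromised_users.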
That makes sense, right? Yet, many people simply refuse to go through the effort to secure their accounts. This is why cybercriminals still use these tactics and continue to be so successful.
How do I know if my username or password has been breached?
Believe it or not, you don’t need to be a cybersecurity expert to determine if your username or password has been involved in a breach. There are two simple websites, available to anyone, that track information from breaches that have been leaked or sold online. Of course, not every breach ends up public, but if you’re wondering about a particular email address or password, these are great tools.
The website to check your email address is Have I Been Pwned?, and the one to check your password is Pwned Passwords (part of the same service). Pwned Passwords never sees your actual password: your browser hashes it locally and sends only the first five characters of that hash, then compares the list that comes back against the rest of the hash on your own machine.
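The two ideas above, the NIST-style rules (length instead of composition rules, spaces allowed, no forced rotation, reject anything already in a breach) and the Pwned Passwords lookup, fit together in a single password check. The following is an added example, not code from the original post or from Have I Been Pwned: it uses the public Pwned Passwords range API as documented (only the first five hex characters of the SHA-1 hash leave the machine), and the sample range response embedded below is constructed so the example runs offline; its suffixes and counts are made up except that one of them is the real SHA-1 suffix of the word "password". The length limits and the helper names are this example's own choices.

```python
"""NIST SP 800-63B style password check backed by the Pwned Passwords k-anonymity API."""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a GET /range/5BAA6 response. Real responses are one
# "<35 hex chars>:<count>" line per suffix sharing the prefix; the entries and
# counts here are invented, except that the third line is the genuine suffix of
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2A0E2B8F5D7C7E19A6F5B3D2C1A0E9F8B:0
"""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is
    sent to the API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body, suffix):
    """Return how many times the hash with this suffix appears in breach data (0 if absent)."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup. Add-Padding makes the API pad every response to a similar size so
    that response length does not leak which prefix was asked about."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Breach count for a password; `fetch` is swappable so tests can run offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


def check_password(password, fetch=fetch_range):
    """Apply 800-63B style rules: 8..64 characters, any printable characters including
    spaces, no composition requirements, reject anything seen in a breach.
    Returns (ok, reason)."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if len(password) > 64:
        return False, "longer than 64 characters"
    if not password.isprintable():
        return False, "contains non-printable characters"
    seen = pwned_count(password, fetch)
    if seen:
        return False, "seen %d times in breach data" % seen
    return True, "ok"


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; pass fetch=fetch_range for a live check.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for candidate in ("password", "short", "correct horse battery staple 47"):
        print(repr(candidate), check_password(candidate, fetch=offline))
```

A "breach" verdict here is a reason to pick a different passphrase, not a reason to add a digit to the old one: every suffix in the list is a hash the attackers already have. The email-address side of Have I Been Pwned is a different endpoint that requires an API key, which is why this example covers only the password check.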
There have been so many data breaches that anyone who spends time online should take an active role in protecting their digital identity. It all starts with finding out whether your information has been involved in a breach and then taking steps to resolve it. In other words, change your password!
At Clark Computer Services, we understand the pain of passwords and know how quickly a compromised password can result in a full-scale data breach. If you want help securing your business and training employees, give us a call at 301-456-6931 or email [email protected].
Chuck Sperati
Director of Cybersecurity and Marketing