Identity provider Okta warns of an unprecedented credential-stuffing attack that is piggybacking on regular users' mobile and home devices, the UK is banning obvious default passwords on smart devices, Chrome has switched on "post-quantum" key exchange and broken some connections in the process, and maybe the cure for password problems is finally to get rid of passwords.
All this and more on the "QwertyUIOP" edition of Hashtag Trending. I'm your host, Jim Love. Let's get into it.
May 2 is World Password Day, and I refuse to run the same old story about how the most popular passwords are 123456 and password. If you still have an obvious or easily guessed password, whatever happens is your fault.
For all of you seeking to advise users or friends on how to generate good passwords, remember the rules:
- Longer is better: aim for at least 12 to 14 characters. Every character you add multiplies the number of guesses an attacker has to make, so length does more for you than any other rule.
- While length is strength, mixing in uppercase letters, digits and symbols in non-obvious places also helps. But the obvious ones
- Avoid dictionary words and the names of people, products or organizations.
- When you change your password, make it radically different. Incrementing a number or following another predictable pattern makes the new password easy to guess from the old one.
- You can make a password easy to remember but hard to guess by starting from an imaginative, nonsensical phrase. A Microsoft blog gave the example 6MonkeysRLooking^, with the letter R standing in for "are" and the ^ symbol, which I think is called a caret, standing in for "at". I guess it's an example of using the caret instead of the stick.
- Never reuse passwords – ever, but especially don’t mix your work and personal banking passwords.
- Find them hard to remember? You can keep them written in a safe place, but a password manager may be the best bet. Yes, even they’ve had problems, but they are a lot safer than duplicated or easy to guess passwords.
So we got that out of the way.
And here’s some stories that I found this week and saved for this show.
Identity and authentication provider Okta is warning about an unprecedented credential-stuffing campaign that routes fraudulent login attempts through regular users' mobile devices, browsers and home networks.
The attackers are using residential proxy services that enlist users' devices to route the malicious traffic and hide its true origin.
This makes the login attempts appear to come from trusted devices and ordinary residential IP addresses rather than from the virtual private servers attackers typically use. Because each residential address contributes only a handful of attempts, the per-IP rate limits and IP-reputation checks that would catch a conventional brute-force attack are far less effective.
The large-scale campaign attempts to compromise accounts by trying login credentials leaked in past data breaches.
It builds on a recently reported wave of brute-force attacks observed by Cisco's Talos hitting VPN, SSH and web application accounts.
Okta says the spike in proxy-based credential stuffing ran from April 19 to 26, 2024.
Residential proxy networks enlist users' devices either through shady apps that embed proxy software or by infecting devices with malware, often without the owner's knowledge.
Okta advises enforcing strong, unique passwords and multi-factor authentication, and blocking traffic from known anonymizing proxy services, to mitigate the threat.
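The detection problem this campaign creates is worth seeing concretely: with the attempts spread across thousands of residential IPs, a per-IP brute-force rule never fires, and the signal is only visible when you look at a whole window of failures. The script below is an added example, not Okta's code or anything from the article. It runs two detectors over a constructed auth log: the classic per-IP threshold, and a window-wide rule that alerts when failures are numerous and almost all from distinct IPs against distinct usernames. It also tallies failures that fall inside a (hypothetical, constructed) list of known residential-proxy ranges, the kind of feed Okta suggests blocking on. Log format, IP ranges, thresholds and function names are all the example's own assumptions.

```python
"""Detect distributed credential stuffing that slips past per-IP rate limits.

Added example (not Okta's code). The campaign described above spreads attempts
across many residential IPs, so each source makes one or two attempts and a
per-IP brute-force threshold never fires. The second detector looks at the
whole window instead: many failures, nearly all from distinct IPs and users.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not real Okta data). Fields: timestamp, source IP, user, outcome.
# First 11 lines: one failed attempt each, every one from a different IP at a different user.
# Last six lines: a classic single-source brute force against one account.
SAMPLE_LOG = """\
2024-04-22T10:00:03Z 203.0.113.11 a.jones FAIL
2024-04-22T10:00:09Z 198.51.100.7 b.singh FAIL
2024-04-22T10:00:14Z 203.0.113.52 c.liu FAIL
2024-04-22T10:00:21Z 198.51.100.88 d.novak FAIL
2024-04-22T10:00:27Z 203.0.113.140 e.garcia FAIL
2024-04-22T10:00:33Z 198.51.100.23 f.okafor FAIL
2024-04-22T10:00:40Z 203.0.113.77 g.martin FAIL
2024-04-22T10:00:46Z 198.51.100.151 h.kim FAIL
2024-04-22T10:00:52Z 203.0.113.201 i.rossi FAIL
2024-04-22T10:00:58Z 198.51.100.64 j.brown FAIL
2024-04-22T10:01:05Z 203.0.113.33 k.sato FAIL
2024-04-22T10:01:30Z 192.0.2.5 m.white SUCCESS
2024-04-22T10:08:00Z 192.0.2.9 alice FAIL
2024-04-22T10:08:05Z 192.0.2.9 alice FAIL
2024-04-22T10:08:10Z 192.0.2.9 alice FAIL
2024-04-22T10:08:15Z 192.0.2.9 alice FAIL
2024-04-22T10:08:20Z 192.0.2.9 alice FAIL
2024-04-22T10:08:25Z 192.0.2.9 alice FAIL
"""

# Constructed stand-in for a residential-proxy / anonymizer feed (hypothetical ranges).
KNOWN_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Parse the constructed log format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "user": user, "ok": outcome == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def per_ip_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Classic detector: flag any IP with `threshold` failures inside `window`."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_stuffing(events, window=timedelta(minutes=5), min_failures=10, spread=0.8):
    """Flag windows where failures are numerous AND spread across IPs and usernames."""
    fails = [e for e in events if not e["ok"]]
    alerts = []
    i = 0
    while i < len(fails):
        end_ts = fails[i]["ts"] + window
        chunk = [e for e in fails[i:] if e["ts"] <= end_ts]
        n = len(chunk)
        ips = {e["ip"] for e in chunk}
        users = {e["user"] for e in chunk}
        if n >= min_failures and len(ips) >= spread * n and len(users) >= spread * n:
            alerts.append({"start": fails[i]["ts"], "failures": n,
                           "distinct_ips": len(ips), "distinct_users": len(users)})
            i += n  # skip the rest of this burst so one campaign yields one alert
        else:
            i += 1
    return alerts


def proxy_breakdown(events, ranges=KNOWN_PROXY_RANGES):
    """Count failed attempts coming from known proxy ranges versus everywhere else."""
    counts = Counter()
    for e in events:
        if e["ok"]:
            continue
        addr = ipaddress.ip_address(e["ip"])
        counts["proxy" if any(addr in r for r in ranges) else "other"] += 1
    return counts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP brute force:", per_ip_bruteforce(ev))        # only 192.0.2.9
    print("distributed stuffing:", distributed_stuffing(ev))   # one alert, 11 failures
    print("failures by source:", proxy_breakdown(ev))          # proxy 11, other 6
```

On the sample, the per-IP rule catches only the noisy brute force against alice; the eleven proxied attempts each come from a fresh address and never trip it. The window-wide rule sees 11 failures from 11 IPs against 11 users and alerts. In production you would tune `min_failures` to your normal failure rate and feed `KNOWN_PROXY_RANGES` from a real anonymizer list rather than the constructed ranges used here.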
Sources include: Okta and ArsTechnica
One of the easiest ways to break into residential and even commercial networks is through the default and easy-to-guess passwords on devices ranging from cameras to doorbells.
But the UK is taking a leadership position in ending this attack vector. Starting April 29, 2024, manufacturers of internet-connected smart devices like phones, TVs, and smart doorbells will be legally required to meet minimum security standards in the UK.
The laws ban devices from using easy-to-guess default passwords like “admin” or “12345”. Users must be prompted to change common passwords when setting up new devices.
Brands must publish contact details to report security bugs/issues and be transparent about when security updates will be provided.
The goal is to better protect consumers from hacking and cyber attacks by ensuring basic security measures are in place for smart devices out-of-the-box.
Consumer groups are welcoming the changes after pushing for improved smart device security regulations. But they also want clear enforcement against non-compliant manufacturers.
The new Product Security and Telecommunications Infrastructure (PSTI) regime aims to strengthen the UK's overall resilience against cybercrime targeting consumer tech products.
UK government officials say these first-in-the-world laws will give consumers greater peace of mind that their personal data, privacy and finances are protected in smart devices.
Sources include: The Guardian
Some users of Google's Chrome web browser are reporting problems connecting to websites and online services after a recent update enabled a new post-quantum key exchange.
Google turned on the hybrid X25519Kyber768 key agreement by default in Chrome version 124 to protect TLS traffic against future decryption by quantum computers.
The new key exchange is meant to safeguard TLS connections from so-called "store now, decrypt later" attacks, where encrypted data is collected today to be cracked by more powerful computers down the line.
However, the rollout is causing compatibility issues. System administrators are reporting failures connecting Chrome to websites, servers and firewalls once the post-quantum key exchange is enabled.
The issue stems from some network devices and servers being unable to handle the larger ClientHello message: the Kyber key share is over a kilobyte on its own, so the ClientHello no longer fits in a single TCP packet. Instead of falling back to a classical key exchange when post-quantum isn't supported, as a correct TLS implementation would (a server simply ignores groups it doesn't recognize), the connections are being dropped.
Affected products include firewalls and security appliances from vendors like Fortinet, SonicWall and Palo Alto Networks, as well as AWS cloud services.
To mitigate the problem, Google provides a way to disable the new key exchange temporarily: the chrome://flags/#enable-tls13-kyber flag for individual users and the PostQuantumKeyAgreementEnabled enterprise policy for managed fleets. But the company warns this workaround will eventually be removed as post-quantum key agreement becomes the norm.
Website owners should test whether their servers and in-line appliances are affected, and contact vendors for updates so that large ClientHellos and post-quantum key exchanges are handled going forward.
While protecting against future quantum decryption is important, the rollout highlights the challenge of deploying new cryptography that exposes bugs in older implementations.
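One way to run that test, as an added example that is neither Google's tooling nor anything from the article: the script below hand-builds a TLS 1.3 ClientHello and inflates it with the padding extension (RFC 7685) to roughly the size a Kyber key share produces, then reports whether a ServerHello comes back. It does not speak Kyber itself; it only reproduces the oversized, multi-packet ClientHello that trips broken middleboxes, which is what you want to isolate. The probe sizes, the placeholder x25519 key share, the default host and the result labels are the example's own assumptions.

```python
"""Probe whether a server or in-line appliance survives an oversized ClientHello.

Added example (not Google's code). Builds a minimal TLS 1.3 ClientHello,
pads it to `target_len` bytes with the padding extension (RFC 7685) so it
spans more than one TCP packet, and checks whether a ServerHello comes back.
"""
import os
import socket
import struct


def _ext(ext_type, data):
    """Encode one TLS extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(host, target_len=1600):
    """Return a complete TLS record holding a ClientHello padded to target_len bytes."""
    cipher_suites = bytes.fromhex("130113021303")  # AES-128-GCM, AES-256-GCM, ChaCha20
    body = b"\x03\x03" + os.urandom(32)             # legacy_version + random
    session_id = os.urandom(32)                     # TLS 1.3 middlebox-compat session id
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                             # compression methods: null only

    name = host.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    exts = _ext(0x0000, struct.pack("!H", len(sni_list)) + sni_list)  # server_name
    exts += _ext(0x002b, b"\x02\x03\x04")                     # supported_versions: 1.3
    exts += _ext(0x000a, b"\x00\x04\x00\x1d\x00\x17")         # groups: x25519, P-256
    exts += _ext(0x000d, b"\x00\x06\x04\x03\x08\x04\x04\x01") # signature_algorithms
    exts += _ext(0x002d, b"\x01\x01")                         # psk_key_exchange_modes
    # Placeholder x25519 share: random bytes decode as a valid point, and the server
    # will answer with a ServerHello before the handshake can fail on the key (assumption
    # of this example: we only care whether the hello gets through).
    share = struct.pack("!HH", 0x001d, 32) + os.urandom(32)
    exts += _ext(0x0033, struct.pack("!H", len(share)) + share)  # key_share

    # record hdr (5) + handshake hdr (4) + body + ext-list length (2) + exts + padding hdr (4)
    fixed = 5 + 4 + len(body) + 2 + len(exts) + 4
    pad = max(0, target_len - fixed)
    exts += _ext(0x0015, b"\x00" * pad)                       # padding (RFC 7685)

    hs_body = body + struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(hs_body))[1:] + hs_body  # type 1, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extension_types(record):
    """Walk a record built above and list the extension type codes it carries."""
    pos = 5 + 4 + 2 + 32                                     # headers, version, random
    pos += 1 + record[pos]                                   # session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")    # cipher suites
    pos += 1 + record[pos]                                   # compression methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    types = []
    while pos < end:
        types.append(int.from_bytes(record[pos:pos + 2], "big"))
        pos += 4 + int.from_bytes(record[pos + 2:pos + 4], "big")
    return types


def probe(host, port=443, target_len=1600, timeout=5.0):
    """Send the padded ClientHello and classify the first bytes that come back."""
    hello = build_client_hello(host, target_len)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(hello)
            head = b""
            while len(head) < 6:            # record header (5) + handshake type (1)
                chunk = s.recv(6 - len(head))
                if not chunk:
                    break
                head += chunk
    except socket.timeout:
        return "no_response"                # the classic symptom: big hello silently dropped
    except ConnectionResetError:
        return "reset"
    if len(head) < 6:
        return "closed"
    if head[0] == 0x16 and head[5] == 0x02:
        return "serverhello"                # the path handled the oversized ClientHello
    if head[0] == 0x15:
        return "alert"
    return "unexpected"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed default host
    for size in (512, 1600):   # 1600 exceeds a 1500-byte Ethernet MTU, as the Kyber hello does
        print(f"{target}: {size}-byte ClientHello -> {probe(target, target_len=size)}")
```

Run it against a host behind the appliance you suspect. If the 512-byte hello gets a ServerHello but the 1600-byte one times out or is reset, the device is choking on ClientHello size rather than on Kyber specifically, which is the fault the vendor patches address. Because the key share is a placeholder, a full handshake will never complete here; the script deliberately stops reading after the first record.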
Sources include: Google and Bleeping Computer
But a friend of mine at identity company Okta, certainly regarded as an authority on identity management, thinks it's time to do more than admire the problem of easy-to-guess passwords: retire the password entirely. Why?
One reason: they're outdated and simply don't work.
An Okta survey last year found that Canadians are struggling to manage their passwords, putting their data and security at risk.
- 68% of Canadians feel overwhelmed by the sheer volume of online accounts they have;
- 29% of Canadians find password entry too time-consuming;
- 37% experience monthly login failures due to forgotten credentials, and 18% face this ordeal weekly.
My friend Dan Kagan, Senior Vice President and Country Manager at Okta Canada, said it best:
“The entire concept is flawed. We shouldn’t be changing our passwords, we should be getting rid of them entirely.
Passwords are an old fashioned tool. They’re becoming more complicated to create, while becoming more vulnerable to increasingly sophisticated cyberattacks. 37% of Canadians experience login failures due to forgotten credentials on a monthly basis.
Going passwordless is the future of security. The technology already exists– biometrics, passkeys, and social logins are both easier and more secure than passwords. Now is the time to make it a reality.”
And aside from the fact that I’m sort of “anti-social” about identity management, I couldn’t agree more. Let’s celebrate what we all might hope is our last World Password Day.
And that’s our show.
Hashtag Trending goes to air five days a week, with a weekend interview show. And we are also on YouTube. If you catch us there, please give us a like or a subscribe and help us build that audience.
Find us at our new home at technewsday.ca or .com – you pick. And you can reach me with comments, suggestions or even criticism at therealjimlove@gmail.com or at editorial@technewsday.ca
Our redesign should happen this week, but for now you can find us in the top stories each day.
I’m your host Jim Love, have a Thrilling Thursday.