You are not the only one who knows your password
Fernando Denis Ramírez Guerrero
Chief Executive Officer (CEO) at HISPASEC SISTEMAS S.L.
Article published in Diario Sur (Spanish)
11 Mar 2020
Are you sure that only you know your passwords? Yes? Let me tell you a story, one of those stories that only ever happen to other people. First, so that you can follow the story I am going to tell you, let me introduce two concepts.
- LEAK. A leak is the exposure of information of a private nature. And you are going to love this: there is a website that collects all the leaks that become public so that a user can find out whether their password has been compromised. The site is called ‘Have I Been Pwned?’, and if you did not know it, I recommend that you go there and check whether your email address appears in any public leak. The site holds data from 431 website leaks: a total of 9.5 billion records, with at least 134 million people affected by them.
- HASH. To prevent passwords from being readable in a leak, among other reasons, a hash is generated from each one using a cryptographic function, so that an attacker cannot learn the original password. Finding passwords stored without hashing would be very unusual; in fact it would be reckless from a security standpoint. However, there are dictionaries of precomputed hashes of the most common passwords, of short passwords, and of passwords that others have already used, and there are services that host these dictionaries. This is surprising and real: if you look up common words with simple mutations on one of these sites, for example passwords such as malaga2020 or m4l4g42020, you will find they are already there.
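The two concepts above in working code, as an added example that is not from the article: a site that stores a fast unsalted hash, a precomputed dictionary of common passwords (constructed here from the two examples in the text plus a couple of classics), and a salted slow hash that such a dictionary cannot touch. The storage format and function names are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the precomputed dictionaries the text describes:
# unsalted SHA-1 digests of a handful of common passwords, built locally here.
COMMON_PASSWORDS = ["123456", "password", "malaga2020", "m4l4g42020"]
PRECOMPUTED = {hashlib.sha1(p.encode("utf-8")).hexdigest(): p for p in COMMON_PASSWORDS}

def store_unsalted(password: str) -> str:
    """Weak scheme: fast, unsalted hash. The same password yields the same digest
    on every site, so one precomputed table serves against all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def recover_from_dictionary(stored: str) -> Optional[str]:
    """What a leaked unsalted digest costs someone holding such a table: one lookup."""
    return PRECOMPUTED.get(stored.lower())

def store_salted(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Sound scheme: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt makes every digest unique, so no table can be precomputed in advance."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    leaked = store_unsalted("m4l4g42020")
    print("unsalted digest recovered as:", recover_from_dictionary(leaked))
    rec = store_salted("m4l4g42020")
    print("salted record found in dictionary?", recover_from_dictionary(rec) is not None)
    print("verify correct password against salted record:", verify_salted("m4l4g42020", rec))
```

Note that the salted record is different every time the same password is stored, which is exactly what makes a precomputed dictionary useless against it.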
OK, now that you know these two concepts, I have to tell you that there are many leaks from the websites we sign up to every day, on which we leave behind an association between our usernames and our passwords. Someone gaining access to that association affects not only the website itself but every other website where we have used the same pair, since an attacker can test those same pairs in bulk elsewhere.
At this point, you are ready to hear my story. My friend has a few passwords memorised, three or four at most. Depending on how important the service is to him, his passwords carry some variation: an incremental number, a date he will never forget, or even some sequence of upper case, lower case, numbers and symbols. But, as many of us do, he does not always know which one he used on each website he is registered on.
The story begins when he receives an email informing him that someone has accessed his email account from a location other than where he is. I give him a hand and we start to investigate what happened. The first thing I ask is whether he uses that password on any other service, to find out whether it could have been obtained from a leak. He says no: that password is used only for that email account. At this point suspicion focuses on some phishing he may have received, impersonating his email provider, through which his credentials were stolen. My friend, who knows about this kind of threat, does not remember anything suspicious and does not believe he could have been tricked. But any of us can fall for these threats when they are professionally crafted.
With all this background, I access a private service that lets me check whether an email address has appeared in a leak and see the leaked information associated with my friend’s email. With access to that information, I can see every one of my friend’s passwords that has appeared in this kind of leak. Eureka! The password he used was there, in a leak that had several passwords associated with his email.
At first, I thought they were old passwords he had used on that platform. But when he saw it, my friend confirmed something much worse: they were his failed attempts to log in to the platform. The platform was storing every access attempt together with the password submitted, and there, in one of those records, was the password he used for his email. The very password he did not use on any other service.
My friend, who by now is our friend too, did not remember which password he had used and, in a hurry, began trying all of his passwords to find out which one worked on that service. His haste, and developers who were grossly careless or acting with malicious intent, meant that all of his passwords were made public. That was the end of his security, and with it his privacy.
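The failure mode in the story, as an added example that is not from the article: a login handler that records every failed attempt together with the submitted password, beside one that records only what lockout and alerting actually need. The user store, the account name, the passwords and the source address are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow KDF as any sound password store would use; iterations kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

# Constructed single-user store for the example; the record holds no plaintext.
_SALT = os.urandom(16)
USERS = {"friend@example.com": (_SALT, _derive("only-for-this-site", _SALT))}

def check_credentials(user: str, password: str) -> bool:
    record = USERS.get(user)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected)

class VulnerableLogin:
    """The pattern in the story: every failed attempt is stored with the password tried,
    so a later leak of this table exposes each password the user ever typed here."""
    def __init__(self) -> None:
        self.failed_attempts: list[dict] = []

    def login(self, user: str, password: str, src_ip: str) -> bool:
        ok = check_credentials(user, password)
        if not ok:
            self.failed_attempts.append({"user": user, "password": password,
                                         "ip": src_ip, "ts": time.time()})
        return ok

class HardenedLogin:
    """Keeps what lockout and alerting need (who, when, from where) and nothing that
    could be replayed as a credential: the submitted secret is dropped after the compare."""
    def __init__(self) -> None:
        self.failed_attempts: list[dict] = []

    def login(self, user: str, password: str, src_ip: str) -> bool:
        ok = check_credentials(user, password)
        if not ok:
            self.failed_attempts.append({"user": user, "ip": src_ip, "ts": time.time()})
        return ok

def passwords_exposed_by(log: list[dict]) -> set[str]:
    """What someone reading a leaked attempts table would learn from it."""
    return {entry["password"] for entry in log if "password" in entry}
```

Run the friend's three guesses through both handlers and compare `passwords_exposed_by` on each log: the vulnerable table yields his other two passwords, the hardened one yields nothing while still counting both failures.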
How, then, should we manage our passwords? There are a few cautious souls, many of them guided by what their own eyes have seen, who use password managers. These managers not only store the password chosen to enter the service