The “airline seatmate” version of personal security
There’s a common experience among folks who work in the field of computer security. Upon hearing your profession, people ask: “what can I do to protect myself?” This question usually follows an account of a time they got hacked (which usually means that they got phished). Whether we’ve heard this question from an airline seatmate, taxi driver, or our uncle at a family gathering, we’ve had many occasions to share this spiel and wanted to share it with you as well.
When it comes to keeping your accounts safe from misdeeds, we have two simple answers:
- Use two-factor authentication
- Use different passwords for each service, and a password manager to help you keep track of them
Fundamentally, both of these are about reducing the value of a specific password — a password you’ve reused is more useful to an attacker than one that is only valid on a single service. Using unique passwords eliminates “password reuse attacks,” something we have been seeing a lot of it lately, as there are hundreds of millions of compromised passwords floating around the “dark web” right now.
Why passwords are important
A password is a credential. Credentials are used to help authenticate you to a service or site — to prove that you are who you say you are. When an attacker obtains both your username and password by tricking you to sharing that information with them (“phishing”) or through other means such as by hacking into another service on which you’ve used that same password, they could theoretically authenticate as you.
This is where two-factor authentication comes in, which Slack supports — adding an additional roadblock to an attacker who has your password. To be successful, an attacker would need to have not just your password, but your second factor — which is typically either access to your cell phone, a cryptographic secret stored in a special app, or a physical device like a Yubikey. We’ll go into more detail on this later.
Make your passwords extra special
The physical keys you have in your purse or pocket are used with locks, and authenticated when the lock’s configuration matches the one with the key inserted. One of the best ways to protect your online accounts it to use unique-per-service passwords, meaning a different password for every account.
Unfortunately, many people don’t do this, and effectively carry only a few keys (passwords) in their pocket to unlock Facebook, Twitter, Google, and Corporate-Branded Sock Lover Forum accounts. When you think about it, using the same key unlock your apartment, workplace, car, mailbox, filing cabinet, and gym locker sounds a bit ridiculous. This situation is great news for attackers, as they now only need to break into the least-secured service that you use (perhaps that Sock Forum) to get the key you use for more critical accounts (say, your bank, or your work email).
Putting all your passwords in one super-secure basket
There are many ways for a service to store your account password, ranging from absolutely terrible (storing the complete password in plain text), to very strong (correctly cryptographically hashed and salted). By using unique passwords for every service, you don’t have to gamble on how well each one deals with your credential, and instead can rest assured that even if one gets compromised and also happens to be treating your password with less care than it deserves, an attacker would not be able to use the credential from that service to get into another one of your accounts.
Generating — and remembering! — unique passwords may sound like a difficult task given the number of accounts we all have. Fortunately, tools called password managers exist to make this process much easier. 1Password, LastPass, and KeePass are a couple of the most popular ones. By remembering one very strong and unguessable password, you unlock an encrypted password “vault” which contains all of your other passwords. If you’ve used identical or similar passwords for multiple sites and services before, it is worth the time to change each to a unique password while setting up your new password vault. Many password managers also auto-fill forms — so you’re not only dramatically increasing the security of your accounts, you’re also saving lots of time.
Adding that extra lock
Provided you’ve used a very strong password for your password manager (bonus points if this password is also a randomly generated password), the next step to full security kudos is to enable two-factor authentication (2FA) for all of the services that you use that support it — or at least for the important ones. https://twofactorauth.org/ has a handy list of who currently supports what.
There are several types of two-factor implementations, but most revolve around a code that is either sent to you via an unrelated channel from the service you’re logging in to, like a text message, or by a code that is generated by an app on your phone and changes every minute or so. These codes help defend your account if you are in a situation where an attacker has your password, but not your cell phone. We usually recommend that users add 2FA to their main identity-proving accounts, such as Google, Facebook, and Twitter, and also for any online banking or otherwise sensitive accounts.
When you enable 2FA on services that support it, most will ask you for a phone number and/or provide you with backup codes. If you go with codes rather than a phone number for backup, it is important that you print out the codes and save them in a safe place that is not on your computer, as many services will refuse to unlock your account if you lose both the backup codes and the 2FA app.
Why steal passwords?
There are two main reasons attackers go after your passwords, rather than trying to find weaknesses in software and break in that way. The first is that, while writing secure code is definitely still very difficult, practices have improved somewhat over the years. From Microsoft’s ten-plus years of Patch Tuesdays to security bug bounty programs like our own, companies are more rigorous and disciplined than ever about fixing bugs when they are found. This, combined with the ready availability of compromised data — databases of usernames and passwords stolen from historical breaches — have changed the tradeoffs somewhat for attackers, making stealing your “keys” more enticing than breaking your “windows”.
The more subtle factor is that an attacker with a stolen password looks like a regular user. They don’t go knocking around the perimeter of the house, they just walk right in through the front door using the same key you normally use. This is very appealing to an attacker who just wants to read your chat logs or steal a bit of money here and there — and where two-factor authentication really shines as a defense. So we hope that you’ll turn it on (either as an individual user or for your whole team), start using a password manager and fancy unique passwords, and stay safe out there. We’ll do our best on our side, too.
Ari Rubinstein is Slack’s Senior Staff Engineer, helping to keep the locks safe.
Leigh Honeywell is Slack’s Senior Staff Engineer and still remembers the password for her GeoCities account.