DEV Community

loading...

Discussion on: How hackers steal your keys and secrets

Collapse
codemouse92 profile image
Jason C. McDonald

Mostly wise, but I have a couple of concerns.

Rotate keys and passwords constantly, employ and enforce rotation policies

Security researchers no longer recommend this with passwords. It doesn't work. Use a unique, complex password for each login that requires one...but understand that complex does not imply esoteric. Long phrases are currently considered the best strategy. If you have no reason to suspect a breach or significant possibility of a breach on an account, rotating the password does not decrease the chances of one. In fact, password rotation usually only leads to bad password strategies.

I could argue the same for keys, especially as they're even harder to crack than passwords, and far more likely to result in an unrecoverable account if you lose them.

That said, rotation policies may make more sense from a computer-to-computer perspective, if (and only if) there's any risk of exposure.

Enforce MFA everywhere - Google, GitHub, Cloud providers, VPNs, anywhere possible. If it's not optional, reconsider the system in use

While I mostly agree with MFA, it is also not a guarantee of security — see sim card attacks — and it has its own hazards. If the service provides MFA, e.g. a code sent to a specific device, but no secure account recovery method, you may want to think twice. If you lose or destroy your phone (not that anyone has ever done that!) or it gets stolen, you're permanently locked out of any account that lacks recovery means. (PayPal is a prime example. No, they will not help. They'll go out of their way to FRUSTRATE helping, in fact.)

(One more note on that topic: there have been multiple security researchers who have warned that most consumer biometrics are less secure than passwords. Many fingerprint readers and facial recognition only check for partial match, and can be fooled. Consumer-focused biometrics should only be paired with a more secure authentication method, e.g. a key or password. Yes, I just said password.)

Be secure. But also be certain you aren't locking yourself out of Fort Knox permanently. It sucks at least as much as a breach.

Collapse
omerxx profile image
Omer Hamerman Author

I actually agree with 100% of your points and it makes me think whether I should sharpen my message;
I'm discussing mostly software teams and companies (obviously not only but that's the target audience). With that in mind, I address both personal user passwords and authentication keys.
To answer your points directly:

  • Password complexity - completely right, when I talk about complexity it's important to stress the importance of length rather than complexity. I would argue however, that everyone are far better off with a personal password manager like 1Password instead of managing their own passwords. That's another key point when talking about rotation.

  • MFA - again, correct, this is brought in the context of web login profiles for the 3rd party services team use daily. This is most certainly not a replacement for a password but an extra layer of security. And again - the context is a password leaking out. MFA in that context makes it usually useless.

Summing up, yes, of course, everything should be done with reason. In my experience, 99% of the teams need the push towards better security strategy rather than limiting the layers of protection they put on their processes. That being said, it's a great and important discussion which I must agree with. TBH just thinking about it raises some cases I've dealt with before, mainly in large organizations where the authentication processes and policies were so extremely hard that it actually did hurt productivity and progress.

Thank you for taking the time to read and respond!

Collapse
codemouse92 profile image
Jason C. McDonald

Thanks for your response! I agree with you as well.

I'd add one thing to the topic of password managers: while you should definitely use one, it's best to still use phrase-based passwords that can be entered reasonably by a human. There are still times that situation occurs in the real world, as much as we like to pretend our password manager will always work perfectly. This is particularly true of central accounts like GitHub and email.

Besides that, you really should keep a copy of your most important passwords and keys on paper in a fire safe, in case of electronic catastrophe, or your own untimely demise.

In other words, the one time you need to enter your password by hand is the one time you're going to regret an esoteric password. false-overspend-foe-float-stack is going to be a better password for human use than 3FaqtgSr2T9pgVJRwGxauzDmn, as just as secure. (Bonus, you have a realistic chance to spot when the former is wrong or outdated.)

If websites are still demanding their numbers and special characters, you can incorporate a consistent pattern unique to you. Numbers and symbols don't actually reduce the probability of cracking as once thought, so merely adding them to the phrase you would have used is perfectly fine; it's the phrase that's the secret, ultimately.

Thread Thread
omerxx profile image
Omer Hamerman Author

Again - 100% :)
I remember a really good post explaining what you just mentioned scientifically, in terms of computation complexity and comparing short complex passwords to long sensible strings.
I'd try to find it and maybe add it here.

Thanks again!

Thread Thread
omerxx profile image
Omer Hamerman Author

I'd be happy to quote some of your responses and incorporate in the post. I think they're extremely valuable to the readers!
With credit of course. Would that be okay with you?

Thread Thread
codemouse92 profile image
Jason C. McDonald

Go for it! Thanks.

Collapse
vald0phoenix profile image
Vladyslav Krylasov

A good option is to use Yubikeys because in case of Google Authenticator if you lost phone then you're doomed but Yubikey stores codes on hardware what's really great. Moreover, you can have several backup keys, so if you even lose one you can insert another key into any machine, phone with type C and be happy.

Good password protection can be built on top of pass & xkcdpass utils.

  • pass can be used as storage
  • xkcdpass can be used as a strong thing against computer brute force but simple for a human being to remember
Collapse
omerxx profile image
Omer Hamerman Author

True!
I personally use 1Password as my 2FA store which makes it a bit more secure through the gate of the single passphrase or a fingerprint. The downside is having both the password and the 2FA code accessible father successfully authenticating a single system.

I do agree that physical hardware takes it a step further, but would you say it's a feasible request from every team our there - even the smaller ones?

Thread Thread
vald0phoenix profile image
Vladyslav Krylasov

The downside is having both the password and the 2FA code accessible father successfully authenticating a single system.

I store passwords in an encrypted format on my own Git server that only accessible through a specific IP address what's my own VPN + DNS that really don't store logs but SSH port still open, so I can push/pull updates from any machine but web interface only through VPN and again, ssh key stored on Yubikey, so an attacker needs physically to have access to my key and know the PIN. Remote vector of attack I cannot imagine due to my limited knowledge of security/crypto field but should be secure (I guess).

I do agree that physical hardware takes it a step further, but would you say it's a feasible request from every team our there - even the smaller ones?

I talk here more about personal security and it's not so attractive for teams, indeed, but it's really secure security versus imposter security :) 1Password/LastPass should be good options for teams.

Thread Thread
omerxx profile image
Omer Hamerman Author

Got it.
Well about secret storage for teams I usually suggest Hashicorp's Vault. My experience with it is excellent. It's open-source, secure, and really thought through in terms of features.

For personal use - good thinking.. I'll consider it myself :)
Althrough someone a few comment above you mentioned they as a team where getting personal Yubikey's for everyone with a Vault specific namespace which was rotated everytime an employee left...

Thread Thread
vald0phoenix profile image
Vladyslav Krylasov

Sounds really great. I heard of Hashicorp's Vault many times but didn't have a chance to learn it more. Will add this to my todo list, thank you.
P.S. Great article.

Thread Thread
omerxx profile image
Thread Thread
organicnz profile image
Tarlan Isaev

Yeah, Vault is awesome especially when you deal with Terraform. I've just tried this practice on Digitalocean and it's pretty straightforward. digitalocean.com/community/tutoria... "You’ll use Packer to create an immutable snapshot of the system with Vault installed, and orchestrate its deployment using Terraform. In the end, you’ll have an automated system for deploying Vault in place, allowing you to focus on working with Vault itself, and not on the underlying installation and provisioning process."