Security has long been a ground for concern among many companies, with each of these businesses presenting its own vision and thoughts on the most, and the least, effective procedures to follow. This article is written by YLD Software Engineer Joe Schofield, who reflects on how secure our systems actually are. By no means is it a critique of any of the methods used — the article merely aims to provide food for thought and create some space for critical thinking on the topic of security.
So I am Joe, and lately I have been interested in getting to know more about online security. Today I want to look into the subject of password security, which I believe to be a very important topic to discuss. Passwords are critical to our systems’ security; someone who gets hold of even a few of them can open many doors.
Let’s start by looking at a use case in which I want to access my AWS account.
As this is such an important part of security I want it properly locked down, right? Let’s add as many layers of security as possible (and then let’s add one more please!). In this case, we’ll imagine I’m using the following:
- A password manager (e.g. Dashlane, 1Password, LastPass)
- Access available only via a VPN
- MFA (Multi-Factor Authentication)
Although it might look pretty secure let’s think about it a little further.
The password manager generates a very strong password and stores it — you couldn’t brute force this one in a million years. It then saves the password for me because I have a memory like a sieve.
For the next step I store my login credentials for the VPN in the same password manager (because no-one uses multiple password managers), and the VPN configuration itself is just kept on my laptop.
Then I configure my phone as the MFA device, so that every time I want to connect to the VPN and every time I want to login to AWS I need to enter a one-time passcode generated from the MFA app.
Woah — no one is getting in here! Or are they?
I use my phone as much as I use my laptop, so I have the password manager installed on there too; both the phone and the app can be unlocked with my thumbprint, or — more importantly — with my passcode. So just by knowing my passcode you can unlock my phone and then access both the MFA app and the password manager app.
Or better yet, a feature of some password managers is to also act as an MFA device, so if I use it this way, all you need is access to my computer…
So let’s follow the login process, imagining you — the hacker — have just my unlocked laptop (or have my laptop password).
You open the laptop and connect to the VPN, using the credentials stored in the password manager and the MFA code from the same password manager. You then go to AWS and log in using… you guessed it — the password manager, and the MFA code.
Hey presto, just by stumbling across my laptop, you’re into my production AWS account and can take down joeschosamazingwebapp.com (if the link doesn’t work, someone probably hacked me…).
Now maybe you use a YubiKey as an extra layer of security. Great idea, but then again, if someone has access to your laptop, are they likely to be far from the key itself? Hopefully, but that is not always the case.
I hope you can see how adding multiple layers of the same security (multiple passwords stored in the same manager, multiple MFA codes from the same device) does not necessarily increase security. In this case, once you’re through one layer of security, you’re through them all.
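To make that point checkable, here is an added threat-model sketch (it is not code from the original post). Each capability lists the alternative sets of things that grant it, and a small search finds the minimal sets of physical items an attacker needs to reach the AWS account; the "separate key" configuration, where MFA codes only ever come from a hardware key that is never stored in the manager, is an assumed alternative used for comparison.

```python
from itertools import combinations

# Constructed model of the login chain in the post. Each derived capability
# lists alternative prerequisite sets: any one alternative (all its items) suffices.
SHARED_DEVICE = {
    "password_manager": [{"laptop"}, {"phone"}],        # app on both devices
    "vpn_credentials": [{"password_manager"}],
    "vpn_mfa_code": [{"password_manager"}, {"phone"}],   # manager doubles as MFA
    "vpn": [{"vpn_credentials", "vpn_mfa_code"}],
    "aws_password": [{"password_manager"}],
    "aws_mfa_code": [{"password_manager"}, {"phone"}],
    "aws_account": [{"vpn", "aws_password", "aws_mfa_code"}],
}

# Assumed variant: MFA only from a hardware key, never stored in the manager.
SEPARATE_KEY = dict(SHARED_DEVICE)
SEPARATE_KEY["vpn_mfa_code"] = [{"yubikey"}]
SEPARATE_KEY["aws_mfa_code"] = [{"yubikey"}]

BASE = ("laptop", "phone", "yubikey")   # physical items an attacker could obtain


def reachable(possessed, rules):
    """Fixed point: keep deriving capabilities until nothing new is gained."""
    have = set(possessed)
    changed = True
    while changed:
        changed = False
        for target, alternatives in rules.items():
            if target not in have and any(alt <= have for alt in alternatives):
                have.add(target)
                changed = True
    return have


def minimal_cut_sets(rules, target, base=BASE):
    """Smallest combinations of base items that are enough to reach the target."""
    found = []
    for size in range(1, len(base) + 1):
        for combo in combinations(base, size):
            combo = frozenset(combo)
            if any(prev <= combo for prev in found):
                continue  # a proper subset already suffices, so this is not minimal
            if target in reachable(combo, rules):
                found.append(combo)
    return sorted(sorted(c) for c in found)


if __name__ == "__main__":
    for name, rules in (("shared device", SHARED_DEVICE), ("separate key", SEPARATE_KEY)):
        print(name, "->", minimal_cut_sets(rules, "aws_account"))
```

With everything on the same devices, a single unlocked laptop or phone is a complete cut set; only when the second factor lives on something the attacker must obtain separately does the minimal set grow to two items.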
To be clear — I’m not discouraging the use of a password manager. They are a very valuable tool, but I wanted to start a conversation on how using them as every layer of security is maybe not the best idea.
What about you? How do you keep your passwords secure?