
Pa$$Word Doesn't Matter - gregmac
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984
======
cr0sh
I didn't see anything in there that XKCD-936 wouldn't fix. Combine such a
password generation system (note: words MUST be chosen randomly for it to have
value), with a password manager, and finally, don't use the most commonly used
operating system (hint, hint) - and you'll likely be "safe".

Perfectly safe? No. If the attackers are trying to get at you specifically,
and know you use TempleOS - then they can target for that.

Practically safe? Yes.

Most attackers aren't going at specific targets, and most people aren't going
to become or be "specific targets". Most attackers are going for the lower
hanging fruit, who use the most common software stacks, because they comprise
the largest attack surface.

Get out of that "rut" - and your odds of being a victim will go down
drastically. Of course, you'll have to guard against potential phishing
attacks and such, but most of those even will be trying exploits against the
"common stack".

What I find funny, though, is every time there is some kind of breach, the
only time the software on the system is mentioned - if at all - is when it
-isn't- running on the "common stack". I think this does a real disservice,
and I wonder why it seems like this is what is happening. Maybe it's just
confirmation bias on my part?

But - if every time there was a ransomware attack, or some other kind of
breach via phishing or whatnot - if the reporting said something to the effect
that it occurred on a system running the "common stack" - maybe those affected
by the breach would think to themselves, "Hmm - maybe we should be using this
stack of software, it seems to get breached multiple times all over the world
every year now for 25+ years running - maybe we should try something
different?"

But that wouldn't bode well for that "common stack", would it?

And certainly, I'm glad that the focus of the attackers is over there, and not
on the software stack that I use daily at home, and less so on the stack I use
for work. It means I am safer (except again, against a directed attack - and I
am a nobody, so unlikely to be targeted). Not perfectly safe (after all, there
have been the odd-duck attacks directed at these other platforms) - but safe
enough.

Ultimately - especially on the level of the world as an "attack surface" -
the greatest threat has come from this virtual mono-culture of the "common
stack" of software. It has been a boon otherwise, but like any monoculture, it
is subject to massive failures should an invader/attacker succeed against its
defenses. We see this kind of thing nearly every day. If your system is a part
of a large enough such monoculture "attack surface", you can expect to
potentially become a victim.

But even on such system(s), using an XKCD-936 password generation scheme,
coupled with a password manager - and then following other security "best
practices" - you can ultimately limit your exposure. Not as great as coupling
that with a lesser used software stack, but probably good enough for the
common user.

The one area though (which is growing at a fast rate, and is being more
frequently targeted) that a lot of this breaks down is that of "walled
gardens". While in theory such systems, with app stores and whatnot, should be
able to keep issues to a minimum, in practice we have seen there are still
vulnerabilities. With people more and more using these kinds of systems,
mainly with their phones, it is proving to be a very ripe target for
attackers. People don't generally think of their phones as computers, and
their attitudes and education (if they had any at all) from the PC world
doesn't translate or carry over. So their security on that front is lagging.

What I imagine we'll see in the future (likely it already exists) is an
underground market for "popular apps" - where programmers create certain apps
that everyone wants (imagine if "flappy bird" had been this way?), downloaded
millions of times, then the developer sells it on a black market list (code
and everything) for others to continue to update with malware, etc - but the
reputation on the app store is already established. If these updates to the
code base are done slowly enough and stealthily enough (piecemeal), a large
malware base attack surface could be realized; by the time it is found out and
removed from the store, tons of users would already have it on their devices.
Even if some uninstall it because they heard about it being such an issue,
many if not most won't - especially if it is very useful software otherwise.
Alternatively, the software might exploit other weaknesses to install other
bits in places that won't be removed by an uninstall...

The problem is multi-faceted of course, but I have to disagree with the
conclusion of the article that passwords are worthless.

Weak passwords are worthless. Easily guessable passwords are worthless. Reused
passwords are worthless. But passwords, with a great enough length (XKCD-936),
combined with a password manager, and ideally de-coupled from the "common
stack" of software - and use of commonly known other security techniques
(mainly, be wary of phishing attacks) - and you will greatly reduce your level
of vulnerability, likely into the sub-single digit range.

Of course, the authors of this piece would not likely want to tell people
that, for obvious reasons.

------
SCdF
This article is weird and contradicts itself.

Having a strong password reduces the likelihood that your password can be
brute forced if the hash is purchased online. This helps with "Credential
Stuffing", "Password spray" and "Brute force" on their list.

Not re-using passwords means that if one account is successfully compromised
it doesn't then mean that others are too. This helps with basically the entire
list.

(Maybe it's addressed further down, but the first item in the first table
contradicts the premise so I didn't spend any time reading any further.)

~~~
cr0sh
There was also weirdness like this:

"So, as far as password spray is concerned – your password doesn’t matter – as
long as it isn’t in the “most common passwords” top 50 list!"

Shouldn't that actually read:

"So, as far as password spray is concerned – your password doesn’t matter – if
it is in the “most common passwords” top 50 list!"

That is - don't use a common password (and don't reuse passwords), and your
chances of a compromise go down greatly?

But this wording (and it's repeated similarly elsewhere in the article) seems
backwards, unless I'm misinterpreting it?

------
stochastimus
Right? I’m tired of ridiculous-still-inadequate hoops some websites try to
make you jump through such as “add a number”, or “add an uppercase letter”,
etc. - it really doesn’t matter. If this is an account I need to protect, I’ll
use a password manager.

~~~
jkoudys
Security theatre, plain and simple. The harder something feels to guess to the
human brain, the more secure it is.

------
pstch
> So, as far as password spray is concerned – your password doesn’t matter –
> as long as it isn’t in the “most common passwords” top 50 list!

That's a matter of point of view. Microsoft may not care that users have
passwords in the top 1000 list because, say, only 99.9% of the attacks were
made with passwords in the top 50 list, but this .01% of users is still at a
higher risk of being victim of password spraying than others. I'm worried that
this line could be misinterpreted: banning common passwords is still
important (and not just the top 50).

Also, the line saying that password managers should be used "if you are really
nervous" is very weird. Password managers are a good way to apply the given
recommendations (except for MFA, of course), and on top of that, they allow
you to not have to remember all of these unique passwords. It's even more
weird since the major point of the article is that the complexity of the
password doesn't matter as much as its uniqueness.
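The two points raised in this thread, cr0sh's XKCD-936 passphrase (words drawn at random, not by a person) and pstch's call to ban common passwords rather than only the top 50, as an added Python example that is not part of any comment here; the word list and banned list are constructed samples, and the 12-character minimum follows the article's figure quoted above:

```python
import math
import secrets

# Constructed sample word list; a real diceware-style list has ~7776 entries.
SAMPLE_WORDS = [
    "anchor", "basil", "candle", "dagger", "ember", "falcon", "garnet", "harbor",
    "ivory", "jasper", "kettle", "lantern", "marble", "nectar", "orchid", "pepper",
]

# Constructed sample of a banned-password list; real deployments use thousands.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Undo the usual symbol substitutions so "Pa$$Word" is caught as "password".
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e", "4": "a"})


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions."""
    low = password.lower()
    stripped = low.rstrip("0123456789!?.") or low  # keep all-digit passwords intact
    return stripped.translate(LEET)


def is_common(password: str, banned=COMMON_PASSWORDS) -> bool:
    """True if the password, raw or normalized, is on the banned list."""
    return password.lower() in banned or normalize(password) in banned


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of a passphrase whose words are uniformly random picks."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(words=SAMPLE_WORDS, word_count: int = 4, sep: str = "-") -> str:
    """XKCD-936 style: every word drawn with a CSPRNG, never chosen by a human."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def check_policy(password: str, min_len: int = 12) -> list:
    """Return the reasons a password fails; an empty list means it passes."""
    reasons = []
    if len(password) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if is_common(password):
        reasons.append("matches a common password")
    return reasons
```

With a 2048-word list, four random words give 44 bits; the same four words picked by a person give far less, which is why the random draw is the whole point.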

~~~
mhkool
the big picture of this excellent article is: to be safe, have a
never-used-before 12-character password _and_ use MFA.

The article is not against password managers and if one reads the whole
article, the "really nervous" will not be misinterpreted by the average
reader.

~~~
jkoudys
Yeah, it's not saying "your Yg^V2jw,C~8fpVnq doesn't matter", just your
"Pa$$Word". Don't be a human being who tries to remember these things.

A password manager also protects you against phishing attacks, for example,
because it's savvy enough to check for things that could fool a human.

