Tracy Camp

A harsh truth: No amount of good password hygiene can protect your accounts

Updated: Nov 2

I have worked in the 'cyber security industry' for decades. If I had a nickel for every time I've been chastised about picking "strong" passwords, not re-using them, etc., I'd have at least an extra $10. All this harassing us about picking good passwords is just that: harassment. It isn't your fault; passwords suck and don't really protect your account that well.

The harsh truth is that the modern 'Cloud' doesn't really use passwords, it uses 'tokens'. Cloud applications such as Discord and Steam are broken out into a dizzying array of small 'services' that each specialize in doing one or two things. Checking passwords is one such specialty, and what typically happens when you log in is that the password-checking service issues 'a token'. Tokens can take many forms, but they are basically little notes that, if translated to English, would read something like this:

"The bearer of this note gave me a good password at some point in time and should be granted the privileges of user X - signed, your friendly authentication service".

The purpose of a token is that your application can present it to other services to do work on your behalf. These other services only need to understand how to read the note from the friendly authentication service.

Tokens are sort of like having a driver's license without a photo...

There are some really IMPORTANT key words in that sentence ... "the bearer of this note". I.e. _anybody_ with the token is effectively 'User X' now. If you have the token, you are whoever it says you are. As such, tokens are equally important, if NOT MORE SO, than passwords in keeping your account secure!

If I'm after your account... I _could_ guess your password.... but I'm just going to take your token.

The weak link in web applications is the token. Tokens do expire, but as you may have noticed, you don't have to log in to Discord with your password very often. This is because the tokens Discord uses don't expire for a very, very long time (at least in computing terms), and they don't seem to perform other checks like geo-location correlation. If I have your token, I have quite a lot of time to do things with it: post as you, change your email address, your phone number, and ironically enough - your password.
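To make the "bearer of this note" idea concrete, here is an added example (my own toy scheme, not Discord's, Steam's or any real service's token format) of the two halves of the arrangement: the password-checking service minting a signed note, and a downstream service reading it. The key, the claim names, the 30-day and 15-minute lifetimes and the region values are all constructed for the demo. The point to notice is in `verify_token`: it checks the signature and the expiry, and optionally correlates a region, but it has no way to tell the account owner apart from anyone else holding the same string.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder key held only by the authentication service.
# Real services use per-deployment secrets or asymmetric signing keys.
AUTH_SERVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int, region: Optional[str] = None,
                now: Optional[float] = None) -> str:
    """The password-checking service writes the 'note': a set of claims plus an
    HMAC-SHA256 signature so other services can tell it really came from here."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": int(now), "exp": int(now) + ttl_seconds}
    if region is not None:
        claims["region"] = region  # where the login came from, for later correlation
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(AUTH_SERVICE_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None,
                 request_region: Optional[str] = None) -> Optional[dict]:
    """A downstream service reads the note. It checks the signature and the expiry
    and, if asked, correlates the region claim with the current request. Note what
    it does not check: who is presenting the token. Anyone holding it is 'sub'."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed
    expected = hmac.new(AUTH_SERVICE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # not signed by the auth service, or tampered with
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None  # expired
    if request_region is not None and claims.get("region") not in (None, request_region):
        return None  # minted after a login in one region, presented from another
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk through the scenarios from the post with a fixed clock."""
    day = 24 * 3600
    long_lived = issue_token("alice", ttl_seconds=30 * day, now=now)
    short_lived = issue_token("alice", ttl_seconds=15 * 60, region="EU", now=now)
    return {
        # the real client and anyone else holding the same string are treated alike
        "owner_accepted": verify_token(long_lived, now=now + 60) is not None,
        "other_holder_accepted": verify_token(long_lived, now=now + 20 * day) is not None,
        "long_lived_expired": verify_token(long_lived, now=now + 31 * day) is None,
        # a short TTL shrinks the window in which a copied token is still useful
        "short_lived_expired": verify_token(short_lived, now=now + 3600) is None,
        # region correlation catches a token replayed from somewhere unexpected
        "wrong_region_rejected": verify_token(short_lived, now=now + 60, request_region="US") is None,
        "same_region_accepted": verify_token(short_lived, now=now + 60, request_region="EU") is not None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The two mitigations the post alludes to show up as the last four entries of `demo()`: a short time-to-live limits how long a leaked token remains usable, and correlating a claim recorded at login (here a coarse region) against the request that presents the token gives the downstream service at least one signal that the note is being presented from somewhere other than where it was issued.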

How does "Hank The Hacker" get my token?!

Basically, all it takes is one little slip-up. It happens, even to professionals. Discord, Steam, Chrome and just about any other application store tokens in database files on your computer. All Hank needs to do is read one of those files, and Hank has your token. Chrome, Discord and Steam are not doing something wrong here... they even encrypt the token! However, if Discord, Chrome or Steam can read the token in order to use it... so can Hank (remember, you aren't asked for a password every time you start Chrome, Steam or Discord, are you?). Hank might even read it directly out of the memory of the Discord, Steam or Chrome processes. You might be running an anti-virus application, and it might pick up on some specific bit of code that Hank the Hacker happens to be using to read your tokens.. but all Hank really needs to do is read a file, and Hank can use built-in Windows applications to read files. No anti-virus is going to stop Hank from stealing your tokens. Hank isn't even really attacking your computer, after all.

What can I do about this?!

Install UpSight of course! UpSight is not anti-virus. UpSight doesn't care whether a program is a virus or not; it cares about whether your tokens are being stolen.
