Note: Verizon Media is now known as Yahoo.
According to the Verizon Data Breach Investigation Report, an annual breakdown of the state of security incidents, phishing was a contributor to more than a third of last year’s breaches. The broadly ambiguous yet ominously familiar topic often leaves both security engineers and product consumers alike scratching their heads or wasting their effort trying to address the issue.
While there is no single solution for every flavor of cyber attack, if you want to feel more secure in your defenses against phishing, one of the most devastating social engineering attacks, you’ve found yourself in the right place.
The next time you hear about phishing and feel motivated to protect yourself, remember this: use a password manager.
I’m a member of the Paranoids, the roughly 200-person security team inside Verizon Media. If you have a Yahoo or AOL email account, we have your back. We protect customer data, corporate information, and newsrooms, as well as everything that goes along with a billion-dollar-plus advertising business.
And the most significant single piece of advice we give to everyone is to use a password manager to forget their passwords.
Password managers in action
To be clear, password managers aren’t a cybersecurity panacea, but they provide a strong first line of defense in a number of discrete situations. They’re simple pieces of software that can create unique random passwords that will autofill on each site. If they’re used as intended, they’ll exponentially decrease your chance of losing control of one of your accounts due to a phishing attack or data breach.
If you’re using a password manager correctly you will have a unique password for every login that has no association to your interests. So, the next time your favorite social media service gets breached, crooks can’t re-use your favorite childhood pet’s name — the one you’ve reused as a password since you were a teenager — to gain access to your bank account.
How phishing works
Now, back to phishing. The most popular misunderstanding around the topic is that phishing campaigns are all about clicking a link. In modern operating systems, exploits that lead to single-click compromises can cost big money to deploy (Read how much companies are willing to pay for them, here). The math doesn’t add up for most scammers.
It is far more effective for a scammer to set up a counterfeit website meant to trick you into giving up your password, as well as capture session information that enables criminals to stay logged in as you, even if you’ve enabled multi-factor authentication. The most effective phishing campaigns are designed to steal your password by pressuring you to log into a fake page. And, these phishing pages can look exactly like the login pages of popular websites. So instead of living in fear of the primary way you use the internet, clicking on links and logging in, rely on the systematic password hygiene improvements you get from using a password manager.
See, attackers rely on your automatic behavior; when presented with a login screen you type your password. But a password manager can help protect you, if you rely on it to autofill a unique password that you do not have memorized. The automatic response is interrupted when the password does not autofill and you can’t type it from memory either. This happens because password managers only autofill the credentials they store on URLs they recognize. The malicious site will always be new the first time you see it.
The risk is real
A study examining credential capture resulting from data breaches, phishing kits, and malware conducted from March 2016 to March 2017 between the University of California, Berkeley, and Google found the “risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials.”
Compared to “random” Google users:
Addressing Common Concerns with Password Managers
Here are the biggest password manager concerns we hear and how we answer them:
Question: What if I already have a ‘super-secure mnemonic system’ to remember my passwords?
Answer: First, the system still takes cognitive processing (that’s your brain power) away from other tasks you could be applying to solve bigger problems. Even with a good password creation strategy, it’s still challenging to maintain dozens of logins to have a genuinely unique password for each site.
Q: Isn’t putting all of my passwords in one place a bad idea? It’s a single point of failure, right?
A: While it’s true — a single point of failure is undoubtedly a bad thing when we think about building reliable systems — it’s a good thing in the context of a defensive system because there is only one point to focus on protecting.
Let’s say you have a bunch of expensive jewelry in your home. You could devise a clever system to remember a unique hiding place for each ring, necklace, and decorative brooch, or you could buy a safe to lock your jewelry in, making your would-be thief put in a lot more effort to steal your treasures. Now, yes, the safe is a single point of failure, but it’s the safe’s job to protect your stuff. Compared to the previous system, everything is covered consistently now and with much less effort, and there’s less chance of you forgetting how to access your valuables.
Q: What happens when the password manager gets hacked, and they have my passwords for everything?
A: By and large, password managers do not have access to your passwords or accounts. It’s a core part of the standard design. Most use end-to-end encryption to obscure your information from all devices that haven’t already been used to scramble that data. Remember protecting your passwords is the top priority for the folks who make the password managers.
About the Author
Josh Schwartz is a Senior Director of Technical Security for the Paranoids, the information security team at Verizon Media. He oversees an organization focused on offensive security assessments; red team methodology; building products that support security culture; and behavioral change initiatives.