
A Strong Foundation: Securing Accounts and Devices

Secure Accounts: Passwords and Two-Factor Authentication

Last Updated: September 2022

In today’s world, it is likely that your parliament and its staff have dozens if not hundreds of accounts that, if breached, could expose sensitive information or even get at-risk individuals hurt. Think about the different accounts that individual staff and parliament as a whole may have: email, chat apps, social media, online banking, cloud data storage, as well as clothing stores, the local restaurants, newspapers, and many other websites or apps that you log into. Good security in today’s world requires a diligent approach to protecting all of these accounts from attacks. That starts with ensuring good password hygiene and the use of two-factor authentication by everyone.

Secure Accounts and Parliaments


The widely publicized SolarWinds hack revealed in late 2020, which compromised over 250 organizations, including most United States government departments, technology vendors like Microsoft and Cisco, and NGOs, was partly a result of hackers guessing poor passwords that were used on important administrator accounts. Overall, about 80 percent of all hacking-related breaches occur because of weak or reused passwords.

With the increasing prevalence of password breaches like this and easier access for all kinds of adversaries to sophisticated password hacking tools, password best practices and two-factor authentication are security must-haves for all organizations, including parliaments. No incident more clearly illustrates this than the 2017 attack against the British parliament’s email system. In this incident, poor password practices from a small but meaningful number of MPs led to exposed email accounts and conversations, thousands of leaked credentials, and tremendous disruption to parliamentary operations. According to the British parliament’s press office, the breached accounts were “compromised as a result of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service.”

What makes a good password?

There are three keys to a good, strong password: length, randomness, and uniqueness.

Length: The longer the password is, the harder it is for an adversary to guess it. Most password hacks are done by computer programs these days, and it does not take those nefarious programs long to crack a short password. As a result, it is essential that your passwords are at minimum 16 characters, or at least five words, and preferably longer.
Randomness: Even if a password is long, it is not very good if it is something that an adversary can easily guess about you. Avoid including information like your birthday, hometown, favorite activities, or other facts that someone could find out about you from a quick internet search.
Uniqueness: Perhaps the most common password “worst practice” is using the same password for multiple sites. Repeating passwords is a big problem because it means that when just one of those accounts is compromised, any other accounts using that same password are vulnerable too. If you use the same passphrase on multiple sites, it can greatly increase the impact of one mistake or data breach. While you may not care about your password for the local library, if it is hacked and you use the same password on a more sensitive account, important information could be stolen.

One easy way to achieve these goals of length, randomness, and uniqueness is picking three or four common but random words. For example, your password could be “flower lamp green bear” which is easy to remember but hard to guess. You can take a look at this website from Better Buys to see an estimate of just how quickly bad passwords can be cracked.
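The three keys above (length, randomness, uniqueness) and the random-word passphrase idea can be made concrete in a few lines. The following script is an added example and is not part of the handbook; it draws words with a cryptographically secure generator, computes how many bits of entropy a passphrase has for a given list size (the 7,776-word EFF long list is a common real choice, the 16-word list below is a constructed stand-in), estimates average brute-force time at a given guess rate, and runs a password against the three keys. The function names and the demo word list are assumptions made for this example.

```python
import math
import secrets

# Constructed 16-word list for the demo only. A real generator should draw
# from a large list such as the EFF long word list (7,776 entries), which is
# the size used for the entropy figures printed below.
DEMO_WORDS = [
    "flower", "lamp", "green", "bear", "river", "stone", "cloud", "paper",
    "tiger", "window", "candle", "orbit", "silver", "maple", "harbor", "pixel",
]
EFF_LONG_LIST_SIZE = 7776


def generate_passphrase(n_words=4, wordlist=DEMO_WORDS, separator=" "):
    """Pick n_words uniformly at random using the secrets module (a CSPRNG),
    never the random module, so the result cannot be predicted."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy in bits when each word is chosen uniformly from the list and
    the attacker knows both the list and the word count: n * log2(size)."""
    return n_words * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Average time to brute-force the passphrase: on average the attacker
    has to try half of the 2**bits possibilities."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def check_password_policy(password, known_passwords=(), personal_terms=()):
    """Return a list of policy failures; an empty list means the password
    passes. The checks mirror the three keys from the text: length,
    randomness (no personal facts an attacker could look up), uniqueness."""
    failures = []
    lowered = password.lower()
    # Length: at least 16 characters or at least five words.
    if len(password) < 16 and len(password.split()) < 5:
        failures.append("too short")
    # Randomness: flag birthdays, hometowns and similar facts supplied by the caller.
    hits = sorted(t for t in personal_terms if t.lower() in lowered)
    if hits:
        failures.append("guessable: contains " + ", ".join(hits))
    # Uniqueness: the same password must not already be in use elsewhere.
    if lowered in {p.lower() for p in known_passwords}:
        failures.append("reused")
    return failures


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(4))
    bits = passphrase_entropy_bits(4, EFF_LONG_LIST_SIZE)
    print(f"four EFF words: {bits:.1f} bits of entropy")
    # Two rough guess rates: an online login form, and offline cracking of a leaked hash.
    for rate in (1e3, 1e9):
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"  at {rate:.0e} guesses/s: about {days:,.1f} days on average")
    print(check_password_policy("Oslo1987!",
                                known_passwords={"oslo1987!"},
                                personal_terms={"Oslo", "1987"}))
```

Note that the entropy figure only holds when the words really are chosen at random; "flower lamp green bear" is strong because a program picked it, not because it is four words.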

Use a Password Manager to help

So you know it is important for everyone in the organization to use a long, random, and different password for each of their personal and parliamentary accounts, but how do you actually do that? Memorizing a good password for dozens (if not hundreds) of accounts is impossible, so everyone has to cheat. The wrong way to do it is to reuse passwords. Luckily, we can turn to digital password managers to make our lives much easier (and our password practices much safer) instead. These applications, many of which can be accessed via computer or mobile device, can create, store, and manage passwords for you and your entire organization. Adopting a secure password manager means that you will only ever have to remember one very strong, long password called the primary password (historically referred to as a “master” password), while being able to get the security benefits of using good, unique passwords across all of your accounts. You will use this primary password (and ideally a second factor of authentication (2FA), which will be discussed in the next section) to open your password manager and unlock access to all your other passwords. Password managers can also be shared across multiple accounts to facilitate secure password sharing throughout parliament.

Why do we need to use something new? Can we not just write them down on paper or in a spreadsheet on the computer?

Unfortunately, there are many common approaches to managing passwords that are not secure. Storing passwords on sheets of paper (unless you keep them locked away in a safe) can expose them to physical theft, prying eyes, and easy loss and damage. Saving passwords on a document on your computer makes it much easier for a hacker to gain access – or for someone who steals your computer to not only have your device but also access to all of your accounts. Using a good password manager is just as easy as that document, but far more secure.

Why should we trust a password manager?

Quality password managers go to extraordinary lengths (and employ excellent security teams) to keep their systems secure. Good password management apps (a few are recommended below) are also set up so that they do not have the ability to “unlock” your accounts. This means that in most cases, even if they were hacked or legally compelled to hand over information, they would not be able to lose or give up your passwords. It is also important to remember that it is infinitely more likely that an adversary guesses one of your weak or repeated passwords, or finds one in a public data breach, than that a good password manager would have its security systems broken. It is important to be skeptical, and you definitely should not blindly trust all software and applications, but reputable password managers have all the right incentives to do the right thing.

What about storing passwords in the browser?

Saving passwords in your browser is not the same as using a secure password manager. In short, you should not use Chrome, Firefox, Safari or any other browser as your password manager. Although it is definitely an improvement over writing them on paper or saving them in a spreadsheet, the basic password-saving features of your web browser leave something to be desired from a security perspective. These shortcomings also rob you of much of the convenience that a good password manager brings. Losing this convenience makes it more likely that people across parliament will continue poor password creation and sharing practices.

For example, unlike dedicated password managers, browsers’ built-in “save this password” or “remember this password” features do not provide simple mobile compatibility, cross-browser functionality, and strong password generation and auditing tools. These features are a big part of what makes a dedicated password manager so useful and beneficial to your parliament’s security. Password managers also include organization-specific features (such as password sharing) that provide not just individual security value, but value to your parliament as a whole.

If you have been saving passwords with your browser (intentionally or unintentionally), take a moment to remove them.

[Images: a browser “Save password?” dialog (left) and the Bitwarden password manager (right)]

Instead of using your browser (such as Chrome, shown at left) to save your passwords, use a dedicated Password Manager (like Bitwarden, shown at right). Password Managers have features that make life both more secure and convenient for your parliament.

What password manager should we use?

Many good password management tools exist that can be set up in less than 30 minutes. If you are looking for a trusted online option for your parliament that people can access from multiple devices at any time, 1Password (starts at $2.99 USD per user per month) or the free, open-source Bitwarden are both well supported and recommended.

An online option like Bitwarden can be great for both security and convenience. Bitwarden, for example, will help you create strong unique passwords and access passwords from multiple devices through browser extensions and a mobile app. With the paid version ($10 USD for a full year) Bitwarden also provides reports on reused, weak, and possibly breached passwords to help you stay on top of things. Once you set up your primary password (referred to as a master password), you should also turn on two-factor authentication to keep your password manager’s vault as secure as possible.

It is essential to practice good security when using your password manager too. For instance, if you use your password manager’s browser extension or log in to Bitwarden (or any other password manager) on a device, remember to log out after use if you are sharing that device or believe that you might be at heightened risk of physical device theft. This includes logging out from your password manager if you leave a computer or mobile device unattended. If sharing passwords across teams or parliament as a whole, also be sure to revoke access to passwords (and change the passwords themselves) when people leave. You do not want a former staffer to keep access to your parliament’s Facebook password, for example.

What if someone forgets their primary password?

It is essential to remember your primary password. Good password management systems like the ones recommended above will not remember your primary password for you or allow you to reset it directly via email the way you might be able to for websites. This is a good security feature, but also makes it essential to commit your primary password to memory when you first set up your password manager. To help with this, consider setting up a daily reminder to recall your primary password when you first create a password manager account.

Advanced: Using a Password Manager for your Parliament

You can strengthen your entire parliament’s password practices and ensure all individual staff have access to (and use) a password manager by implementing one across the entire organization. Instead of having each individual staff member set up their own, consider investing in a “team” or “business” plan. For example, Bitwarden’s “teams organization” plan costs $3 per user per month. With it (or other team plans from password managers like 1Password), you have the ability to manage all shared passwords across the “organization”. The features of a parliament or team-wide password manager not only provide greater security but also convenience for staff. You can securely share credentials within the password manager itself to different user accounts. And Bitwarden, for example, also provides a convenient end-to-end encrypted text and file sharing feature called “Bitwarden Send” within its team plan. Both of these features give your parliament more control over who can see and share which passwords, and provide a more secure option for sharing credentials for team-wide or group accounts. If you do set up a parliament-wide password manager, be sure that someone is specifically in charge of removing staff accounts and changing any shared passwords when someone leaves the team.

Two Factor Authentication

What is two-factor authentication?

However good your password hygiene, it is all too common for hackers to get around passwords. Keeping your accounts secure from some common threat actors in today’s world requires another layer of protection. That is where multi-factor or two-factor authentication comes into play – referred to as MFA or 2FA.

There are many great guides and resources explaining two-factor authentication, including Martin Shelton’s Two-Factor Authentication for Beginners article and the Center for Democracy & Technology’s Election Cybersecurity 101 Field Guide. This section borrows heavily from both of those resources to help explain why 2FA is so important to implement across parliament.

In short, 2FA strengthens account security by requiring a second piece of information – something more than just a password – to gain access. The second piece of information is usually something that you have, like a code from an app on your phone or a physical token or key. This second piece of information acts as a second layer of defense. If a hacker steals your password or gains access to it via a dump of passwords from a major data breach, effective 2FA can keep them from accessing your account (and therefore away from private and sensitive information). Ensuring that everyone in parliament puts 2FA in place on their accounts is critically important.

How can we set up two-factor authentication?

There are three common methods for 2FA: security keys, authentication apps, and one-time SMS codes.

Security Keys

Security keys are the best option, in part because they are almost completely phishing proof. These “keys” are hardware tokens (think mini USB drives) that can attach to your keychain (or stay in your computer) for easy access and safekeeping. When it is time to use the key to unlock a given account, you simply insert it into your device and physically tap it when prompted during login. There are a wide range of models that you can purchase online ($20-50 USD), including highly regarded YubiKeys. The New York Times’ Wirecutter has a helpful guide with some recommendations for which keys to purchase. Keep in mind that the same security key can be used for as many accounts as you would like.

Security Keys in the Real World

[Image: a hand holding a house key on a key ring attached to a 2FA security key]

By providing physical security keys for two-factor authentication to all 85,000+ of its employees, Google (a very high risk, highly targeted organization) effectively eliminated any successful phishing attacks against the organization. This case shows just how effective security keys can be for even the most at-risk organizations.

Authentication Apps

The second-best option for 2FA is authentication apps. These services allow you to receive a temporary two-factor login code through a mobile app or push notification on your smartphone. Some popular and trusted options include Google Authenticator, Authy, and Duo Mobile. Authenticator apps are also great because they work when you do not have access to your cellular network and are free to use for individuals. However, authenticator apps are more susceptible to phishing than security keys because users can be tricked into entering security codes from an authentication app into a fake website. Take care to only enter login codes on legitimate websites. And do not “accept” login push notifications unless you are sure that you are the one who made the login request. It is also essential when using an authenticator app to be prepared with backup codes (discussed below) in case your phone is lost or stolen.

Codes via SMS

The least secure but unfortunately still most common form of 2FA is codes sent via SMS. Because SMS can be intercepted and phone numbers can be spoofed or hacked via your mobile carrier, SMS leaves a lot to be desired as a method for requesting 2FA codes. It is better than only using a password, but authenticator apps or a physical security key are recommended when at all possible. A determined adversary can get access to SMS 2FA codes, usually just by calling the phone company and swapping your SIM card.

When you are ready to start enabling 2FA for all of your parliament’s various accounts, make use of this website (https://2fa.directory/) to quickly look up information and instructions for specific services (like Gmail, Office 365, Facebook, Twitter, etc.) and to see which services allow for which types of 2FA.

2FA and Parliaments

[Image: parliament chambers]

According to reports released in 2020, hackers infiltrated Norway’s parliamentary email system, compromising email accounts belonging to several parliamentary officials and even downloading some information from parliamentary systems. While full details of the hack were not released to the public, Norway did attribute the intrusion to APT28, a hacking group affiliated with Russia’s security services. While highly sophisticated, APT28 and other hackers often use less complex tactics such as “brute-force attacks” (wherein the attacker uses tools to try many passwords with the hope of eventually guessing the right one) to gain account access. This tactic allows hackers to guess even solid passwords, as was believed to be the case in Norway. The good news? These types of attacks are much less likely to succeed with proper key or app-based two-factor authentication in place!

What if someone loses a 2FA device?

If using a security key, treat it the same way you would treat a key for your house or apartment, if you have one. In short, do not lose it. Just like your house keys though, it is always a good idea to have a backup key registered to your account that stays locked away in a safe place (like a safe at home or a safe deposit box) just in case of loss or theft.

Alternatively, you should create backup codes for accounts that allow it. You should keep these codes saved in a very secure place, like your password manager or a physical safe. Such backup codes can be generated within most sites’ 2FA settings (the same place where you enable 2FA in the first place), and can act as a backup key in case of emergency.

The most common 2FA mishap occurs when people replace or lose phones which they use for authentication apps. If using Google Authenticator, you are out of luck if your phone is stolen, unless you save the backup codes that are generated at the time you connect an account to Google Authenticator. Therefore, if you are using Google Authenticator as a 2FA app, be sure to save the backup codes for all accounts that you connect in a secure place.

If using Authy or Duo, both apps have built-in backup features with strong security settings that you can enable. If you choose either of those apps, you can configure those backup options in case of device breakage, loss, or theft. See Authy’s instructions here, and Duo’s here.
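Backup codes work because each one is a random, single-use secret that the service stores only in hashed form and deletes once redeemed, which is why the printed copy must be kept somewhere as safe as a password. The following added example (not code from the handbook or from any service it mentions) shows how such codes are typically generated and consumed on the service side: codes are made with a cryptographically secure generator, only salted hashes are kept, the comparison is constant-time, and a redeemed code can never be used again. The class and function names are assumptions of this example, and the 8-hex-digit format is a constructed choice; real services vary in length and format.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(count=10):
    """Produce `count` single-use codes shown to the user once, formatted
    xxxx-xxxx (8 random hex digits, about 32 bits each). Constructed format."""
    return [f"{secrets.token_hex(2)}-{secrets.token_hex(2)}" for _ in range(count)]


def _normalise(code):
    """Accept the code however the user typed it: hyphens, spaces, any case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code, salt):
    """Salted SHA-256 of the normalised code. The salt stops an attacker who
    steals the table from matching hashes across users; because the codes are
    short, the service must also rate-limit and lock out repeated failures."""
    return hashlib.sha256(salt + _normalise(code).encode()).hexdigest()


class BackupCodeStore:
    """Service-side record for one user. Holds only hashes, never the codes."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.hashes = {_hash_code(c, self.salt) for c in codes}

    def remaining(self):
        """How many unused codes are left; warn the user when this gets low."""
        return len(self.hashes)

    def redeem(self, submitted):
        """Return True and consume the code if it matches an unused one.
        Each stored hash is compared with hmac.compare_digest (constant time)."""
        candidate = _hash_code(submitted, self.salt)
        for stored in list(self.hashes):
            if hmac.compare_digest(stored, candidate):
                self.hashes.remove(stored)   # single use: gone once redeemed
                return True
        return False


def enrol_user():
    """Simulate enrollment: return (codes for the user to print, server store)."""
    codes = generate_backup_codes()
    return codes, BackupCodeStore(codes)


if __name__ == "__main__":
    codes, store = enrol_user()
    print("codes to keep in the password manager or a safe:", codes)
    print("first use:", store.redeem(codes[0]))      # True
    print("replay:", store.redeem(codes[0]))         # False, already consumed
    print("typed differently:", store.redeem(codes[1].upper().replace("-", " ")))
    print("unused codes left:", store.remaining())   # 8
```

If the phone is lost, one of these codes gets the user in once; the right next step is to enrol a replacement authenticator and regenerate the whole set, since any codes already on paper may have been lost with the phone or the wallet.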

Be sure that everyone is aware of these steps as they start to enable 2FA across all of their accounts.

Advanced: Enforcing 2FA across your Parliament

If your parliament provides email accounts to all staff through Google Workspace (formerly known as G Suite) or Microsoft 365 using your own domain (for example, @ndi.org), you can enforce 2FA and strong security settings for all accounts. Such enforcement not only helps protect these accounts, but it also acts as a way to introduce and normalize 2FA to your members and staff so that they are more comfortable with adopting it for personal accounts as well. As a Google Workspace administrator, you can follow these instructions to enforce 2FA for your domain. You can do something similar in Microsoft 365 following these steps as a domain admin.

Consider also enrolling your parliament’s accounts in the Advanced Protection Program (Google) or AccountGuard (Microsoft) to enforce additional security controls and require physical security keys for two-factor authentication.

Secure Accounts

  • Require strong passwords for all parliamentary accounts; encourage the same for members’, staff’s, and volunteers’ personal accounts.
  • Implement a trusted password manager for parliament (and encourage use in staff’s personal lives as well).
    • Require a strong primary password and 2FA for all password manager accounts.
    • Remind everyone to log out of a password manager on shared devices or when at heightened risk of device theft or confiscation.
  • Change shared passwords when staff and members leave parliament.
  • Only share passwords securely, such as through your parliament’s password manager or end-to-end encrypted apps.
  • Require 2FA on all parliament accounts, and encourage staff to set up 2FA on all personal accounts as well.
    • If possible, provide physical security keys to all members and staff.
    • If security keys are not in your budget, encourage the use of authenticator apps instead of SMS or phone calls for 2FA.
  • Hold regular training to ensure everyone is aware of password and 2FA best practices, including what makes a strong password and the importance of never reusing passwords, only accepting legitimate 2FA requests, and generating backup 2FA codes.