Password hygiene

By now, we probably all know that we should have a different password for every account and every website we use. You probably also know that they should be a mix of upper and lower case letters, numbers and special symbols. They should be more than 8 characters – and no, that doesn’t mean $now White and the 7 Dwarves. This is what’s known as password hygiene.

That’s all well and good, but how do you remember them all?  Most security professionals would express horror at the suggestion that you have to write them down, but unless the bad guys are actually in your house, they have no access to them if you do. One word of caution before you go and document everything – be sensible.

It might seem like a good idea having a book like the one in the image, but then the bad guys in your house know exactly what they’re taking!  If you are going to write your passwords down, make sure you lock the book away in a secure location where it’s not easily found by intruders.

An alternative is to use one of the many password management apps that are around, but as the app is connected to the Internet it is by definition exposed – especially as it tends to require a master password, and if you’ve not chosen a good one of those then your other passwords are easily found. At the very least, make sure it encrypts your passwords with something like 128 or 256 bit AES.

As with all things, the choice is yours and based on your level of risk appetite. Personally, I like the flexibility of the electronic app, but I’d combine it with a master password and another token, e.g. a PIN sent to my mobile or use of a fingerprint reader.

The Code Book

Having seen Simon Singh explaining how the Enigma machine worked while at a conference, I picked up this book. It charts the history of codes and ciphers from well before Roman times to the current day, and shows how they have developed over time. It was also very useful to read the difference between code (replacing words) and ciphers (replacing letters): most of what was discussed in the book fell into the latter category.

Singh writes in a very clear and informative manner, and makes the history of the topic interesting and at times exciting. I have to confess that some of the maths which was used went over my head, though I understood the general meaning in what was being said.

I was fascinated by the work done to understand the Linear A and Linear B languages, and the fact that initially scholars of Ancient Greek were convinced that neither text was part of that language: it must have been incredible for the person who finally worked out that Linear A was indeed Greek, albeit 500 years older than that used by Homer 3000 years ago.

The assertion that the most unbreakable code was that used by the Navajo code talkers in the Second World War is quite an interesting one. I understand that if you use a language that no-one else understands, then you improve the chances of it not being understood, but the fact that new phrases had to be introduced for English words which don’t appear in the native language must introduce some opportunities for the code breakers to make a start. Some form of frequency analysis would have some effect, but I think that the differences between Japanese kanji and English Roman script had something to do with it too.

The development of near-identical public key cryptography technologies by mathematicians in the US and the UK at approximately the same time is also an interesting revelation. (Diffie-Hellman and RSA were both more or less simultaneously discovered on either side of the Atlantic, though GCHQ were slightly ahead in each case.) The fact that the cryptologists in the UK were based at GCHQ and therefore unable to share any of their work externally (or to review external solutions) shows, I think, that given enough time any technology can be “discovered” by different people in different locations.

In summary, I believe that this book is a good introduction to many different concepts, along with many good examples of each concept. It is well worth reading.

What are backups, and when / why are they needed?

As I’m keeping this simple, I guess I should start by explaining what a backup is, and why it’s necessary. (Apologies to those who know, but if my blog item on Patching was Security 101, then this is surely part of IT 101!)

A backup is simply a copy of one or more files kept on a different device from your working version. You need one so that if the original file is lost, damaged or deleted, you won’t have to recreate it from the beginning. Some files are irreplaceable, e.g. family photos in the digital age (because we no longer get film negatives with our snaps), so we need to be careful.

Here’s a question: do you backup your home PC, laptop, smartphone, tablet etc on a regular basis?

  • Those of you using the iCloud or something similar – well done. (As an aside, and not part of this discussion – have you thought about how secure the data is there: after all, you don’t control who has access do you?) You probably just need to worry about how often you back up to that cloud storage and whether you have an Internet connection at the time you need it.
  • Those using iTunes or similar – that’s great, your device is backed up, but what if the place you’re backing up to, e.g. your home PC, dies?
  • As for the rest – do you use a thumb drive or external hard drive of some sort?

Another question to consider is: how often do your files change? If you have a document which you work on regularly e.g. accounts for a social club, it may be something you need to backup regularly. If it’s a treasured family photograph, or an invoice for an online purchase, the file won’t change but you should really have at least one backup copy.

There are many backup solutions available. Perhaps the simplest is to use an external hard drive or a thumb drive (also called a memory stick, USB drive, pen drive etc) and simply copy the files you want across to it. Make sure you keep the drive in a safe place (not next to your computer though: if the computer goes up in flames during a house fire, having files copied on a device sitting next to it probably won’t be any use) and, if the data on it is sensitive you may want to encrypt it. (Hmm, I think I’ll need to write a separate post on encryption!)

As you can infer from above, there are many cloud based services like the Apple iCloud or Microsoft’s Office 365 where you can hold all your files and not have to worry about messing around with thumb drives etc. Personally, if I was going to use them for some of my own sensitive files, I’d ensure I used some of their more secure services like two factor authentication.

That sounds scary and technical, but it’s basically a combination of a password and a code generated on a separate device (as they say in the trade, it’s something you know and something you have, which “proves” you are you). That device may be software on a phone, a pin code that’s sent to your phone or email, or it may be a physical thing like a fob which your bank provides: I have one which looks a bit like a small calculator which I have to slide my bank card into, and it gives a code which I have to type in on the website before I can access my account details.

There’s another time when you should seriously consider making sure you have backed up your data properly, and if you don’t do it at any other time then you should make sure you do it when … upgrading your device and / or the operating system software on it. Apple tend to force the backup if you use iTunes, because that’s the first thing they do before upgrading the software. Given that right now many people will be eligible to upgrade their Windows version for free (if it’s a personal device which is compatible and running specific earlier versions), it’s worth making sure your essential files are backed up before you start.