World Password Day

Did you know that today, May 2nd, is World Password Day? To mark the event, I thought I'd post a quick update based on the revised official guidance on password management.

Both the UK National Cyber Security Centre (NCSC) and US National Institute of Standards and Technology (NIST) have published changes to their recommendations for managing passwords in the past two or three years.

  1. Whereas previously we were advised that changing passwords regularly, eg every 30 or 60 days, was a good thing, they both now suggest only changing them when they are compromised (i.e. if you think someone else might know your password). I have to confess this doesn’t sit easily with me, but I understand their reasoning. We all have so many passwords to remember that changing them less often means we’ll have a better chance of remembering them, and we're less likely to fall back on predictable tweaks such as adding a number to the end of the old one.
  2. Use a different password for every account, for every website etc. This is more tricky, and both NIST and NCSC suggest using a Password Manager (this is an app for your phone or that you can run from your laptop / desktop) which helps you track and maintain your passwords.
  3. Rather than using long, difficult to remember collections of upper and lower case letters, numbers and symbols, use three unrelated words and make sure the total length is more than 12 or 14 characters (I prefer a minimum of 15). The reasoning for this is simple. Suppose you used P4$$w0rd as your password: it meets all the criteria for complexity, but it’s obviously not secure. A simple to remember phrase like SunnyTreeRoad is not as easy to guess, and is less likely to appear on one of the many lists of known / common passwords.
  4. Enable Two Factor Authentication on your key accounts like email and banking / finance. This means the bad guys would have to have your phone or other source for 2FA as well as your password to get in to your account.

If you’d like to know more, check out the NCSC article here, or the NIST video here. They’re both short and won’t take much time.

Also, if you want to see examples of bad passwords, the NCSC have published details of the most hacked passwords here.

Finally, if you want to see whether your email address has already turned up in a data breach, head to https://haveibeenpwned.com/ and sign up. This free service will tell you if your address has appeared in a known breach, and will also notify you if it shows up in a future one. If it has, change the password on that account (and on any other account where you reused it) straight away.
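The three checks above (is the password long enough, is it on a list of common passwords, has it appeared in a breach) can be automated. The following is an added example written for this page, not code from the post or from Have I Been Pwned. It uses the real Pwned Passwords "range" API design: only the first five hex characters of the password's SHA-1 hash are sent, and the service returns every matching suffix, so the full hash never leaves your machine. The common-password list and the sample API response embedded below are constructed for the example (the breach counts are made up), the `online_range_lookup` function is provided but not called, and the 15-character minimum is the author's preference rather than a NIST or NCSC requirement.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed stand-in for the NCSC's published list of most-hacked passwords
# (assumption: a real check would load the full published file).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "liverpool", "P4$$w0rd"}

# Constructed sample of what the Pwned Passwords "range" API returns for the
# SHA-1 prefix 5BAA6 (the prefix of "password"). Each line is the remaining
# 35 hex digits of a hash and a breach count. The counts here are made up;
# the final line imitates a padding entry (count 0) that the API adds when
# the Add-Padding header is sent.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E2AC1F8C5D9B2B1C1D4F6A3E1F2D3C4B5A:2\r\n"
    "3F1A2B3C4D5E6F708192A3B4C5D6E7F8091:0\r\n"
)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, dropping padding entries (count 0)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def offline_range_lookup(prefix: str) -> str:
    """Offline lookup used in this example: only the prefix 5BAA6 is known."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def online_range_lookup(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not used in the offline run).
    Only the 5-char prefix leaves the machine; Add-Padding asks the service to
    pad the response so its size does not reveal how many real matches exist."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_lookup=offline_range_lookup) -> int:
    """How many times the password's hash appears in the breach corpus (0 = never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def check_password(password: str, range_lookup=offline_range_lookup,
                   min_length: int = 15) -> list[str]:
    """Apply the checks from the post: length, not a known-common password,
    not seen in a breach. An empty list means the password passed."""
    problems: list[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "P4$$w0rd", "SunnyTreeRoad", "sunny-tree-road-lamp"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

To run it against the live service, pass `online_range_lookup` as the `range_lookup` argument; the response format is the same as the constructed sample. Note that a password can pass every check here and still be a bad choice if you reuse it elsewhere.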

Should we be worried about our MPs security awareness?

Over the weekend a couple of tweets by a UK Member of Parliament (MP) have generated a wave of outrage and comment amongst the security community. Nadine Dorries mentioned that she routinely shares her password with her staff and often has to ask them what it is. (Incidentally, Nadine should make sure all her other accounts don’t use the same password eg her online banking and shopping accounts.) The big question appears to be “is this a big deal”? I think it is, and here’s why.

Earlier this year there was a cyber security attack on MPs by an unknown government – variously reported as Russia or Iran – and a number of MPs fell for phishing attempts. You have to ask now whether it was the MP or a member of their staff: either way it shows that more awareness and better controls are needed.

In the last couple of weeks an MP was accused of viewing pornography on his work PC, a charge which he has denied, despite the investigating police officer presenting comments which might indicate it was likely. Nadine Dorries’ comments were (I’m sure) meant to illustrate that just because the MP’s credentials had been used to log on to the computer, it didn’t necessarily mean that he had accessed the material. And this is the main point: it is precisely why individuals must take ownership of and responsibility for their log-on credentials (their user name and password), and why they should keep the password secret. If only you know your password, then whatever is recorded against your user name can only have been done by you.

In the staff handbook at Parliament, section 5.8 states clearly that “you must not… share your password”. One of the reasons why we’re advised (told) not to share passwords is to protect us. If any wrongdoing is discovered or suspected using our user name, we are responsible. If someone else has had access to your machine using your details – you are still responsible.

If you have colleagues who you think should have access to your email, give them delegated access, which means they can read it using their own credentials, and every action is logged against the person who actually took it. If they need to access documents etc, put them on a shared network drive where again they use their own credentials. This protects both parties and is more in line with industry best practice.

I’m hoping that the events of the weekend will encourage MPs and their staff to improve their working practice, but I’m not sure it’ll happen because there doesn’t seem to be anyone holding them to account, taking them to task for these flagrant breaches of policy. I’m also hoping that those in charge of systems in Parliament (who I know are very capable and knowledgeable) will get the backing they need to bring working practices more in line with the rest of industry. Finally, I’m also hoping that all passwords will be reset over the next day or two.

Episode 4 – Passwords

I’ve posted several articles about passwords on here, including this one on password hygiene, this one on passwords in general and this one on common passwords. I thought I’d do a brief podcast to provide a précis, so here it is!

EasyCyber Episode 4

If you like the podcast, why not subscribe to my YouTube channel so you can get new releases as they come out. Also, please do let me have any questions / comments. For example, are there any topics I haven’t covered yet which you would like more information on?

What’s the deal with passwords?

In an earlier post I talked about password hygiene, and about the challenges we have in keeping passwords secret.  I realised that I’d missed the opportunity to talk about why we need passwords – so I thought I’d cover it now.

Computers will, if set up “normally”, ask for a username and password after you switch them on. This process is called authentication (though more commonly we call it logging in or logging on), and in the early days (before the Internet existed) it was seen as quite a good way of ensuring that the person entering the username is who they say they are. One reason why this is important is accountability: if something bad has happened, it can often be tracked back to a specific username. The person who “owns” that user name can be held accountable, and those who don’t “own” it can be discounted as the culprit. It’s therefore quite a good protection mechanism for the other users, but only for as long as the password really is known to one person.

Once that single computer was connected to lots of others, and particularly once it was connected over the Internet, some people took up the challenge of getting into those remote systems by guessing usernames and passwords (at a very basic level this is what hackers try to do). Passwords which are easy to guess mean that the bad guys don’t have to work very hard to access your account. Once they have access to your computer, they will often try to see what else they can get access to, such as your bank account, financial details, holiday plans etc.

Have a look at the image below:

image

It’s obvious that the most common passwords (and therefore the easiest to guess) haven’t changed much over the previous 5 years.  This is bad!

The bad guys use a range of software tools to try to break (or crack) passwords, and generally speaking the longer the password, the better. But length alone isn’t the answer. If the password is just numbers, the bad guys “only” need to try the ten digits 0 to 9 in each position, working through the lengths in turn, i.e. 0, 1, 2 … 9, then 00, 01, 02 … 99, and so on. If it’s just lower or upper case letters, ie a to z or A to Z, then there are 26 possibilities per position which they need to try before moving on to a longer length.

Mixing numbers, upper and lower case letters and special characters (eg !@£$%^) gives a much larger set of possibilities per position, and this mix is what is called a complex password. In all cases, the longer the combination of these the better, but the industry standard is a minimum of 8 characters long. Personally, I prefer at least 15 characters, because the maths shows that with current computing power complex passwords of that length are very, very difficult to crack by trying every combination. That only holds if the password is genuinely unpredictable, though: a dictionary word with a few letters swapped for numbers or symbols is tried early by cracking tools regardless of how many character types it contains.
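The arithmetic behind the last two paragraphs, as an added example written for this page rather than code from the post: it works out which character classes a password uses, the size of the alphabet a brute-force tool therefore has to cover, the total number of candidates at that length, and how long an exhaustive search would take at an assumed guessing rate. The rate of ten billion guesses per second is an assumption standing in for an attacker with a fast offline attack against a fast hash; real figures depend on the hash and the hardware. The sample passwords are constructed.

```python
import string

# Assumption: a fast offline attack against a fast, unsalted hash. Real rates
# depend on the hash the target uses and on the attacker's hardware.
GUESSES_PER_SECOND = 10_000_000_000  # 1e10

DIGITS, LOWER, UPPER = 10, 26, 26
SYMBOLS = len(string.punctuation) + 1  # 32 ASCII punctuation marks plus space


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force tool must cover, judged from the
    character classes the password actually uses (digits-only = 10,
    letters-only = 26 or 52, everything mixed = 95)."""
    size = 0
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search of this length and alphabet covers."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of the same length and alphabet."""
    return search_space(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Constructed samples: digits only, lower case only, mixed 8 chars, mixed 15 chars.
    for pw in ("12345678", "password", "P4$$w0rd", "SunnyTreeRoad", "Abc123!@#Def456"):
        print(f"{pw!r:20} alphabet={charset_size(pw):3} "
              f"candidates={search_space(pw):.2e} "
              f"exhaustive search={human_time(seconds_to_exhaust(pw))}")
```

These numbers are the attacker's worst case, not the expected time to crack a given password: real tools try wordlists and common substitution rules first, so P4$$w0rd falls in a fraction of a second even though the exhaustive figure for an 8-character mixed password is measured in days. The 15-character figure is what justifies the preference above, provided the characters are chosen unpredictably.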

Obviously, the longer and more complex the password, the more likely you are to forget it, which is why good password hygiene is required.  Password hygiene can be compared to personal hygiene, and more particularly your underwear.

image

So – keep your passwords to yourself, change them regularly, and don’t show them to anyone else!

Password hygiene

By now, we probably all know that we should have different passwords for every account we have, and use different ones for each website.  You probably also know that they should be a mix of upper and lower case letters, numbers and special symbols. They should be more than 8 characters – and no that doesn’t mean $now White and the 7 Dwarves.  This is what’s known as password hygiene.

That’s all well and good, but how do you remember them all?  Most security professionals would express horror at the suggestion that you have to write them down, but unless the bad guys are actually in your house, they have no access to them if you do. One word of caution before you go and document everything – be sensible.

It might seem like a good idea having a book like the one in the image, but then the bad guys in your house know exactly what they’re taking!  If you are going to write your passwords down, make sure you lock the book away in a secure location where it’s not easily found by intruders.

An alternative is to use one of the many password management apps that are around, but if the app syncs your vault over the Internet then that vault is exposed to the same attacks as any other online data, and it is protected only by your master password: if you’ve not chosen a good one of those then your other passwords are easily found. At the very least, make sure it encrypts your passwords with something like 128 or 256 bit AES, and that the master password is turned into the encryption key with a deliberately slow key derivation function, so that each guess at the master password costs an attacker real time.
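To show why the master password is the weak point, here is an added example written for this page, not the code of any real password manager. It derives a 256-bit vault key from a master password with PBKDF2-HMAC-SHA256 (a slow key derivation function; the 100,000-iteration setting is an assumption for illustration, and real products use higher counts or Argon2), stores the salt and a key check value alongside the vault, and then runs the dictionary attack an attacker would mount on a stolen vault. Encrypting the vault contents with AES is left out because it is not in the Python standard library; the check-value construction (an HMAC of a fixed label under the derived key) is illustrative. The attacker's wordlist is constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 with 100,000 iterations stands in for whatever
# slow KDF a real manager uses. Production settings are higher (or Argon2),
# which makes every guess in dictionary_attack proportionally more expensive.
ITERATIONS = 100_000
KEY_BYTES = 32  # 256-bit key, the size AES-256 would need
CHECK_LABEL = b"vault-key-check"


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a fixed-size key. The salt makes a
    precomputed table useless; the iteration count makes each guess slow."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def create_vault_header(master_password: str) -> tuple[bytes, bytes]:
    """What a manager stores beside the encrypted vault: a random salt and a
    check value so the right master password can be recognised. (Illustrative
    construction: HMAC of a fixed label under the derived key.)"""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return salt, check


def unlock(master_password: str, salt: bytes, check: bytes) -> bytes | None:
    """Return the vault key if the master password is right, else None."""
    key = derive_vault_key(master_password, salt)
    candidate = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return key if hmac.compare_digest(candidate, check) else None


# Constructed attacker wordlist: a few entries of the kind found on every
# common-password list.
CANDIDATES = ["123456", "password", "qwerty", "letmein",
              "Password1", "P4$$w0rd", "liverpool"]


def dictionary_attack(salt: bytes, check: bytes,
                      candidates: list[str] = CANDIDATES) -> str | None:
    """What someone who has stolen the vault file does: try each guess through
    the same KDF. Cost per guess is the whole point of the slow KDF."""
    for guess in candidates:
        if unlock(guess, salt, check) is not None:
            return guess
    return None


if __name__ == "__main__":
    for master in ("P4$$w0rd", "sunny-tree-road-lamp-42"):
        salt, check = create_vault_header(master)
        start = time.perf_counter()
        found = dictionary_attack(salt, check)
        elapsed = time.perf_counter() - start
        print(f"master={master!r}: attack result={found!r} "
              f"after {len(CANDIDATES)} guesses in {elapsed:.2f}s")
```

A weak master password that appears in the wordlist is recovered after a handful of guesses, and with it every password in the vault; a long, unpredictable one is not, and the per-guess cost imposed by the KDF is what turns a large wordlist into an impractically long attack. A second factor, as suggested below, means even a recovered master password is not enough on its own.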

As with all things, the choice is yours and based on your level of risk appetite. Personally, I like the flexibility of the electronic app, but I’d combine it with a master password and another factor, eg a PIN sent to my mobile or use of a fingerprint reader.