How many passwords do you have? How do you keep track of them? Ever forget one? Ever forget one when you were away from home and all of your “memory tricks” (e.g., the sticky note on the back of the computer)? In the course of my conversations with people about the Cloud and security, it seems not a week goes by that I don’t get a question about passwords.
I have passwords for at least 175 different web sites, portals and other remote activities. These include government agencies, companies I do business with as part of “work”, data repositories that my company uses or our customers use to share data, and companies my wife and I do business with as part of running a household.
This includes a few really strange situations. I have one financial institution that I deal with a lot that requires five different logons – there is no way they will let me access everything through a single sign-on. Corporate accounts, personal accounts, bill paying, and two separate personal credit cards for my wife and me (their idea, not mine) each require a separate logon. This is much like the US Homeland Security’s Terrorist Support Agency – a whole lot more annoyance than security.
There is an interesting short article “Password Prevented” by David Pogue in the September 2011 issue of Scientific American that makes an important point. David is the personal-technology columnist for the New York Times and describes a new security initiative at his daughter’s school. Students’ passwords must be at least 8 characters long, a mix of letters, numbers and punctuation, contain no recognizable English word, and be changed every 30 days. This security policy covers the download page for fifth-grade homework. Imagine the international consequences of someone stealing fifth-grade homework assignments.
Many years ago I was in one of those special facilities around Washington D.C. known for its security. I had the need to get access into one of their systems, and I was authorized to do it. The guy in whose office I was visiting left without giving me a password. He was right handed. So I lifted up the left corner of his blotter and there it was. Yes, it was the first place I looked. No, he hadn’t told me where to look and I hadn’t been in his office before. I knew it was a long and system-generated password so it had to be written somewhere close.
I was working at a customer site on a project that only lasted two weeks. They gave me my own username and password so I could access some of their systems during the project. Two years later, I was back for a meeting on a different subject. My username and password still worked.
If you are responsible for setting up passwords, there are three messages in these stories.
- The first is to not use a vault when a desk drawer will work. Always think about why you are securing something and what is the worst-case scenario if the information leaks. In the case of the homework download page, there is no bad effect from leakage. You might want to have each student login so you can determine who actually is getting their homework, but you don’t need a strong password policy to support that.
- The second is that the harder you make the password to remember, the less secure it really is. I guarantee that if you make someone have multiple passwords that are mixed letters, numbers and special characters and change them with any frequency, those passwords are written down. Most people will make some effort to secure the place they are written, but that is balanced by convenience concerns. They are not going to open up a safe to get the passwords. Some people keep the list in an encrypted file on their laptop, but that has no more security than their laptop does, and if someone breaks that security they have all of the person’s passwords. I have seen many people put them in their wallet. That seems to be a really bad idea since there are evil folk going after your wallet for other reasons. Your passwords are just a bonus to them.
- The third is that access control is not a “set it and forget it” activity. When someone’s role changes, that person’s access needs to also change.
The more restrictions you place on a password’s creation, the more you frustrate your customers; many will give up after just a couple of tries getting the response “invalid password, please try again.” Also, the more restrictions that you document about the password, the easier it is to break. Restricting a password to six to eight characters eliminates the need to try any potential password less than six or more than eight characters. If I know it must contain a digit, then I won’t try anything that doesn’t.
If something really needs to be protected, then the best thing to do is to use two-factor authentication. The first factor is something the person knows, like a password. The second factor is something the person has, like a fingerprint or a physical device. If some evil person steals one, they still cannot get in.
Any kind of access control scenario must also include the appropriate processes and policy to quickly react to changes. If someone’s password is compromised, that person needs to tell the security office immediately and that account must be frozen until new credentials are issued. If the person is reassigned or leaves, then all of that person’s access rights need to be immediately re-evaluated. It is far better to treat a reassignment as a resignation – turn off all of that person’s access immediately. Then figure out what access is really appropriate and give that to them. 17% of successful attacks come from internal people with inappropriate access privilege.
However, most of us do not get to set the password policy, we just get to live with it. How do you select passwords? The key point is, again, to pay attention to what the password is protecting. For example, we have logons to a number of companies we do business with over the Internet. Usually we do this for the convenience of tracking orders and not having to enter name and address each time we order. We very rarely let them keep a “credit card on file.” There are a few critical exceptions (e.g., iTunes, Amazon). Without a credit card number, there is nothing to protect. Gee, what if someone got in and saw what we ordered? These passwords can be trivial. One idea I like is to use something easy to remember (maybe your house number) followed by the company name, or even just the first four characters of the company name. So “555Will” for Williams Sonoma, “555Cold” for Coldwater Creek. (None of the example passwords in this blog are ones we actually use. Duh.)
If they are storing your credit card information, then you need a reasonably strong password.
There are lots of ways to create these passwords. I could tell you my mechanism, but it probably would not work for you, just as whatever you come up with wouldn’t work for me. There are some obvious comments:
- Using your name is not a good idea.
- Using any normal English (or French or German) word makes it easier to crack.
- Combining real words doesn’t help.
- Making cute substitutions is also easy to crack (e.g., “goGir!”).
- Any password can be cracked. The only question is how long it will take. The length of time it takes to crack increases exponentially as the password gets longer.
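The arithmetic behind two of the points above (a published restriction such as “6 to 8 characters, must contain a digit” shrinks what an attacker has to try, and every extra character multiplies the search space), as an added example that is not part of the original post. The guess rate is a constructed number used only to compare policies with each other.

```python
"""Search-space arithmetic for password policies (added example, not from
the original post). The guess rate below is a constructed figure used only
to compare lengths and rules against one another."""
import math

LOWER, UPPER, DIGITS = 26, 26, 10
ALNUM = LOWER + UPPER + DIGITS          # 62 symbols


def keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Candidates an attacker must consider when only the length range is known."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def keyspace_with_required_class(alphabet: int, class_size: int,
                                 min_len: int, max_len: int) -> int:
    """Candidates when the policy also says 'at least one character from a
    class of class_size symbols' (e.g. a digit). Inclusion-exclusion: all
    strings minus the strings that avoid the class entirely."""
    return sum(alphabet ** n - (alphabet - class_size) ** n
               for n in range(min_len, max_len + 1))


def bits(space: int) -> float:
    """Equivalent entropy, in bits, of a search space with `space` candidates."""
    return math.log2(space)


def fraction_removed_by_rule(alphabet: int, class_size: int,
                             min_len: int, max_len: int) -> float:
    """Share of the unconstrained space an attacker can skip once the
    'must contain a ...' rule is public knowledge."""
    full = keyspace(alphabet, min_len, max_len)
    return 1 - keyspace_with_required_class(alphabet, class_size, min_len, max_len) / full


def hours_to_exhaust(alphabet: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every string of one fixed length. Each extra
    character multiplies the result by `alphabet`: the exponential growth."""
    return alphabet ** length / guesses_per_sec / 3600


if __name__ == "__main__":
    RATE = 1e9                          # constructed: one billion guesses per second
    print(f"6-8 alnum, no rules:    {bits(keyspace(ALNUM, 6, 8)):.1f} bits")
    print(f"6-8 alnum, needs digit: "
          f"{bits(keyspace_with_required_class(ALNUM, DIGITS, 6, 8)):.1f} bits "
          f"({fraction_removed_by_rule(ALNUM, DIGITS, 6, 8):.0%} of candidates skipped)")
    for n in (8, 10, 12):
        print(f"length {n:2d}: {hours_to_exhaust(ALNUM, n, RATE):.3g} hours worst case")
```

Publishing the digit rule lets an attacker skip roughly a quarter of the 6-to-8-character space, while each added character multiplies the remaining work by 62.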
If you are really paranoid, there is a program called PWGen for both Windows and Linux. It generates cryptographically secure passwords. Pick ones that are at least 25 characters long – these are very difficult to break. And just as difficult to remember.
Of course, if somehow you got spyware on your system that is sending all your keystrokes to Romania, it does not matter how secure your passwords are. So always make sure your virus software is up-to-date.
You have probably seen those security images of characters strangely drawn. They are not there to protect you as much as they are there to protect the web site. Their purpose is to ensure that the information you are entering is actually entered by a person, not a robot program that is trying to attack a site. At the moment, a computer cannot accurately read these. However, that does not stop the attackers. There are companies in Eastern Europe and the Far East where people sit in front of computers. The robot program displays the security image it sees and the person has 2-3 seconds to enter what it says. If it is right, the person earns the equivalent of a few pennies. This provides hundreds of people more than a living wage in those countries. The bottom line: these security images will slow down an attack, not prevent it.
The last word:
Not only do you need to manage all of your passwords, it is just as important to make sure that your passwords survive you. Someday your spouse or executor is going to have to find all of your online accounts and deal with them. I wrote about this aspect of the password conundrum in Death in the Cloud almost exactly one year ago.
Keep your sense of humor.