Saturday, March 12, 2016

Managing your passwords

I am continuing my series of posts on security topics of primary interest to businesses, as I mentioned in my first post on this blog. In this post, I focus on making sure you manage your online passwords carefully.

If you spend any time online, you will probably encounter many websites that require some kind of username and password in order to log into the website. This includes websites for e-commerce, financial institutions, social media, blogs, and other websites that require credentials in order to protect the data contained within and/or identify you in order to complete some kind of transaction. 

Your username is usually pretty easy to determine:  most websites use your email address as the username. What's not so easy, or at least it shouldn't be, is determining your password. If someone else knows your password with your username / email address, they can gain access to a website and potentially cause havoc. So, managing passwords carefully is one of the most important things we can do for personal and business security.

What's your password?

For several years, reports have been published each year about the worst passwords of the previous year. This data is mostly collected from data breaches and other leaked password information. The amount of this leaked data now totals around 2 million passwords. Out of this data, the top 25 common and insecure passwords are noted. As you might imagine, the top two bad passwords on the list for many years have been "123456" and "password". These are obviously not very secure, as anyone can guess them. You can read one of the reports yourself: top 25 worst passwords of 2015.

Obviously, if any of your passwords are similar to what's on the list, you need to change them immediately. We understand passwords are necessary, but there are complaints about using them as well.

One of the biggest complaints about passwords is that they are not easy to remember if we try to make them secure. Easy passwords are easy to guess or to look up in dictionaries or online encyclopedia articles (think Wikipedia). This includes passwords with numbers substituted for letters (think "passw0rd", or "s3cr3t" instead of "secret") or well-known sentences or phrases from books or articles. Many books and articles are online now, so it would be easy for an attacker to check possible passwords and password sentences from those resources.

Another complaint is that, because it is hard to remember a lot of passwords, most people use one password in many places. This introduces the problem that if one website is compromised and passwords are obtained, the attacker would know your password (and probably your username = email) at all of your other websites, including, perhaps, your bank. So, what can we do?

Managing your passwords

There are a couple of good recommendations for managing passwords. One recommendation is to use what's called a "passphrase" that is made up of mixed words not usually found together. This kind of password provides enough characters in order not to be easily guessed and it is not easily found in dictionaries or online encyclopedia articles. Here are some examples:

Here, I take words you would never suspect or imagine to be together and put them together in something easy enough to remember (mainly because they are silly - we tend to remember the silly things!). I included the "3%" and "#5" to match a password policy you may sometimes see that requires passwords to contain: a capital letter, a lower case letter, a symbol, and a number. You could come up with several of these passphrases with variations of words, symbols and numbers - the possibilities are nearly endless! Be creative!
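As an added illustration (not part of the original post), the following Python script shows the two points above: digit-for-letter substitutions are undone by a trivial normalisation before a dictionary lookup, while a passphrase of randomly chosen unrelated words gains entropy with every word. The word list and common-password set are constructed samples, and the policy check implements the four-character-class rule described above.

```python
import math
import re
import secrets

# Constructed sample word list (assumption: a real list has thousands of words;
# passphrase_bits() shows how the estimate grows with list size).
WORDS = ["cactus", "trombone", "glacier", "pickle", "velvet", "anvil", "meadow",
         "turbine", "lantern", "saffron", "quartz", "badger", "origami", "tundra"]

# Constructed stand-in for a leaked-password / dictionary list.
COMMON = {"123456", "password", "secret", "qwerty", "letmein"}

# Common digit/symbol-for-letter substitutions, reversed.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def policy_ok(password: str) -> bool:
    """True if the password has an upper-case letter, a lower-case letter, a digit and a symbol."""
    return all(re.search(p, password) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))


def normalize(password: str) -> str:
    """Undo the usual substitutions so 'passw0rd' and 'p@$$w0rd' both become 'password'."""
    return password.lower().translate(LEET)


def is_guessable(password: str, wordlist=COMMON) -> bool:
    """A substituted dictionary word is still a dictionary word once normalised."""
    return normalize(password) in wordlist


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy (bits) of word_count words drawn uniformly at random from wordlist_size words."""
    return word_count * math.log2(wordlist_size)


def make_passphrase(word_count: int = 4, wordlist=WORDS) -> str:
    """Draw unrelated words with a CSPRNG, capitalise the first, then add a digit and a symbol."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    words[0] = words[0].capitalize()
    tail = f"{secrets.randbelow(10)}{secrets.choice('!#%&*')}"
    return " ".join(words + [tail])


if __name__ == "__main__":
    phrase = make_passphrase()
    print(phrase, "policy:", policy_ok(phrase), "bits:", round(passphrase_bits(4, len(WORDS)), 1))
    for p in ("passw0rd", "s3cr3t"):
        print(p, "guessable:", is_guessable(p), "policy:", policy_ok(p))
```

With a real 7776-word diceware-style list, four words give about 51.7 bits before the digit and symbol are added; the sample list here is far smaller, so the printed estimate is correspondingly low.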

Another recommendation is to use what's called a "password manager". These are applications that allow you to create one password which in turn unlocks all the generated passwords you may have and use with different websites. All the generated passwords are considered to be secure - all you need to do is remember the one original password to unlock the password manager's vault of passwords. Generally, this method is considered to be the safest way to keep track of the many passwords you may use. There are lots of options for password managers. You have to evaluate each company to determine how they are storing your passwords (on your machine or somewhere in the "cloud"), how or whether they track when you are re-using passwords or keeping the same password for a long time, and price (most password managers are not free). One example of a password manager is 1Password.

Next steps

Whatever method you use, think carefully about how you manage passwords. They really are one of the most important security tools you use on the internet today. Give it some thought and consider one of the recommendations above to better secure your own passwords and password usage. 

Next month, I will continue to talk about the kinds of policies your company should use for passwords as well as how two-factor authentication can be used for further increased password security. If I can be of help in setting up your own password policy, or evaluating it, please get in touch. If you have any general questions about passwords, please let me know below.

About Robert Hurlbut

Robert Hurlbut, owner of Robert Hurlbut Consulting Services, based in Enfield, CT, provides software security consulting, architecture, and training. This includes software development, threat modeling, secure code reviews, and other kinds of security audits for your company. If Robert can be of assistance to your company, please get in touch through the below contacts.

Twitter: @RobertHurlbut
