Passwords stand at the foundation of Internet and application security, but do they provide the safety so many of us seem to believe they do?
Thousands, nay millions, of passwords and digital identities are stolen every day by highly organised, richly funded criminal gangs that are reaping billions of dollars annually. In short, everyone on the Internet, from major multinationals, to government departments, companies big and small, down to individuals minding their own business in the suburbs, is vulnerable.
Many passwords are so simple they are easily guessed, such as names and anniversaries. Some trusting (read that stupidly careless) folk, even companies, use the word “password” and a couple of numbers as their password. Such people might have heard that it’s a good idea to change passwords regularly, so they use a simple, easily remembered word, append two or three numbers and change those once a month.
They are easy prey for well-equipped cyber criminals who use every ploy from guesswork to automated password cracking software. They work on identities stolen from dumpsters, careless talk in coffee shops and hacked databases, or they use automated password crackers: computers that can generate and try out 100 billion 8-character passwords per second! And you can buy one of those for around $20,000.
So here is some advice gleaned from “Password Guidance: Simplifying Your Approach”, a useful document published earlier this month by Britain’s Internet security and intelligence organisation, the Government Communications Headquarters (GCHQ). You can find the full 13-page document as a PDF at http://bit.ly/1K4PAag. It’s an easy, good and calm approach to improving one’s security on the Web. Here is a brief rundown of its main points:
1. Change all default passwords, those the maker of bought-in equipment might have applied. Cisco, for example, used to set “password” as the default and a surprising number of companies didn’t change it.
2. Help users cope with password overload. Allow users to securely record and store their passwords.
3. Only implement passwords when they are needed. You don’t need a password on a system or a service that has no security requirement.
4. Never share passwords between users.
5. Use password management software, such as 1Password, but be aware it carries risks, such as theft of the master password.
6. Think of using machine-generated passwords. They are harder to remember and thus require secure storage, but are more secure than user-generated passwords. User-generated passwords often end up reused across multiple systems because they are easier to remember, and because enterprise password rules tend to tempt users into insecure, easily cracked patterns.
7. Make sure administrator accounts are very securely protected. Machine-generated passwords are to be preferred along with secure storage. Make sure administrators have standard accounts for normal business functions. Administrator accounts should not be used for high risk or day-to-day tasks.
8. Don’t store passwords as plain text. Hashing, a one-way cryptographic function, stops attackers who obtain the stored values from reading the actual passwords. Or use two-factor authentication, where two of three recognised factors identify a user (a password, a token or chip-enabled credit card, and a fingerprint or voice print). Apple’s iPhones and iPads can be set up to use fingerprints and passcodes and, soon, voiceprints.
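To make item 8 concrete, here is an added example in Python (not from the GCHQ document or this column) that puts the plain-text storage the guidance warns against beside a hashed form. It goes a little beyond the text: besides hashing, the hardened form adds a per-user random salt and a deliberately slow key-derivation function, and a small helper produces a machine-generated password as in item 6. The in-memory tables and the user names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory "user tables" for the example; a real system would persist these.
PLAINTEXT_DB: Dict[str, str] = {}   # insecure form: username -> password as typed
HASHED_DB: Dict[str, dict] = {}     # hardened form: username -> {"salt": ..., "hash": ...}


# Insecure form (what item 8 warns against): anyone who copies this table has every password.
def store_plaintext(user: str, password: str) -> None:
    PLAINTEXT_DB[user] = password


def check_plaintext(user: str, password: str) -> bool:
    return PLAINTEXT_DB.get(user) == password


# Hardened form: PBKDF2-HMAC-SHA256 from the standard library with a 16-byte random salt.
# The salt means two users with the same password get different stored values and
# precomputed tables are useless; the iteration count makes every guess costly for an
# attacker who steals the table.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def store_hashed(user: str, password: str) -> None:
    salt, digest = hash_password(password)
    HASHED_DB[user] = {"salt": salt, "hash": digest}


def check_hashed(user: str, password: str) -> bool:
    record = HASHED_DB.get(user)
    if record is None:
        # Do the same work for an unknown user so response time does not reveal valid names.
        hash_password(password, salt=b"\x00" * 16)
        return False
    _, candidate = hash_password(password, record["salt"])
    # Constant-time comparison: no hint about how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def generate_password(nbytes: int = 16) -> str:
    """Machine-generated password (item 6): random, so not guessable from names or dates."""
    return secrets.token_urlsafe(nbytes)
```

Storing the result of `hash_password` means a stolen table yields only salts and digests, and each guess against them costs the attacker a full PBKDF2 run rather than a single comparison.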