Are your passwords good, are they secure?
There’s been a lot of chatter around password security lately. It’s an important discussion given our increasing exposure to the world of digital crime.
Despite advances in biometric and multi-factor authentication, traditional username-password combinations continue to be the primary means of securing access to a growing multitude of accounts.
Over the last 20 years in my work as a forensic investigator I have made the following observations:
- Inboxes are littered with password reset requests, especially so for personal email accounts
- Most email users have a multitude of online accounts secured only by passwords.
- It’s not uncommon to find passwords transmitted by email or other unsecured communications or saved in text and spreadsheet files.
It seems to be the norm rather than the exception that people struggle with password management. It’s easy to see why this may be the case where people have:
- Multiple accounts
- Multiple passwords
- Complex passwords
- Accounts that require frequent password changes
- Accounts with inconsistent password complexity requirements
Think about your own accounts. It’s likely that they will include many of the following:
- Social media (such as LinkedIn)
- Bank accounts (broking and online banking)
- Superannuation accounts
- Payment gateways (such as PayPal)
- Entertainment (such as Playstation Network)
- Work email (such as Exchange Server)
- Personal email (such as Gmail)
- Document, photo and other cloud based file storage (such as Dropbox)
- Auction Sites (such as eBay)
- Subscriptions (such as SMH)
- Catering (such as Menulog and Munch Monitor)
- Retail sites (such as CatchOfTheDay)
You can probably count scores of accounts you own, some of which you can no longer recall the password for!
Be aware, passwords by themselves are not a security solution
In an ideal world you would have a different unbreakable password for every account and you could commit them all to memory.
Here’s the rub though: the more complex and the more numerous our passwords, the more likely we are to forget them, and therefore the more likely we are to write them down, often all in one place with limited security.
One of the key weaknesses in password security is you. A well-known information security mantra is that ‘You are only as secure as the weakest link’. That weakest link is often going to be a person rather than technology.
Securing the human is one of the pillars of information security – while the maths of encryption is exact, humans are fallible.
Kevin Mitnick, a hacker of international renown, relied on his social engineering skills to compromise some of the most secure information systems in the world. Oftentimes he was provided passwords simply by asking for them (but he asked very convincingly).
It is now common for hacker call centres to cold call users from phone lists, engineering their way into a level of trust with the pretence of helping you and eventually gaining access to your computer.
You are the custodian of your own security so be careful with it. Have a healthy scepticism about why a stranger wants your information. If in doubt ring back on a trusted number that you source, not one you are provided.
Not all accounts require good passwords
For online accounts that store no confidential information and may have limited information security resources, such as a food delivery service, it’s OK in my view to have a rubbish password. Security should be commensurate with the asset being protected. If somebody breaks into the site where you order lunch for the kids, the worst they can probably do is order too many sushi rolls with your remaining credit (as long as your card details are not stored). However, your password credentials for the site may become exposed. If these credentials also protect your PayPal account, then that exposes a critical account. For this reason it is good practice to have multiple passwords and never use a password that protects a site with questionable security to protect a critical account.
Review your accounts and be aware of the risks each one poses to you. You need to think like a hacker. What could somebody do with access to each account? Identify your important accounts that store credit card details or other confidential information.
A good secure password
You need good secure passwords to protect your critical accounts, ideally a different one for each account.
A good password is one that is easily remembered but hard to guess.
Single dictionary words or their derivatives can be guessed (very quickly by automated programs), and strings of random characters can be brute-forced if they are too short.
The “password strength” infographic by Randall Munroe exposes a common misconception of what a good password is.
People remember words better than symbols, and what we thought was a good password built from letter substitutions is often easy to break.
A secure password is one that is known only to you (or those authorised to use it).
Ideally you could commit all your passwords to memory and recall all your user IDs and associated passwords. With the average user managing more than 20 accounts this is problematic.
A password manager allows you to secure all your accounts inside a locked digital vault. Ideally, for convenience, the vault would be cloud based and accessible from all your devices. This makes sense for many of us, but it relies on vigilance around the master password securing that vault.
A better tactic is to use the password manager but not store your entire password in there; store only enough of it to give you the memory jog you need to regenerate it. With this approach you don’t really need a secure vault. A spreadsheet would actually be OK, but an encrypted spreadsheet would be better.
Password managers like Apple Keychain are already built into many operating systems by default but they have limitations and are poorly understood by the average user. Because they are poorly understood they can pose a risk. If for example you allow somebody to log into your MacBook, you may not realise that the same password opens up all the stored passwords in Keychain including access to critical accounts.
Designing good passwords
It’s good practice to create passwords that will be accepted on even the most secure sites. Some sites enforce passwords containing at least one symbol, one uppercase and one lowercase letter, and a minimum of 8-10 characters.
In making a password be aware that you should be able to commit it to memory – or at least be able to recall it from cues.
The strategy that works for one person may not work for another – it depends on how you think. For example, I read somewhere about an interesting creation strategy: take facts you know, convert them to a phrase, and then to an abbreviated form suitable for a password. For example, “My first car was a 1974 Valiant and it cost $2000” might be converted to ‘Mfcwa74Vaic$2k’. This is a good password that is hard to break if you can remember the phrase and the method of conversion. You could save the phrase of origin unencrypted somewhere without too much risk.
I find books to be a good source of passwords. Taking a short sentence or phrase from a book you can create unbreakable passwords that are easy to remember. These passwords may also be inspirational to you making them even easier to recall. Books provide an ongoing abundance of memorable passages from which to derive passwords.
Using the book or phrase approach you will likely be using passwords in the order of at least 15 characters or so – “Once more unto the breach, dear friends, once more.” is a bit longish at 50 or so characters. This may be reduced to something more manageable like “1Moreuntothebreach.”, satisfying most password complexity requirements with the use of a digit, an uppercase character and a symbol. I find passwords derived this way easy to remember and easy to type. Being primarily based on the alphabetic characters these passwords are quicker to type than shorter, symbol heavy passwords.
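To make the two points above concrete, here is an added Python example (not code from the original post) that applies the site rule quoted above, gives a brute-force keyspace bound, and checks whether a password is just a dictionary word with the letter substitutions that cracking rule sets routinely undo. The wordlist and the candidate passwords are constructed for the demo; a real audit would load a large list such as a leaked-password corpus.

```python
import math
import string

# Constructed mini wordlist standing in for a real dictionary (assumption).
WORDLIST = {"password", "troubadour", "valiant", "breach", "sushi", "friends"}

# Letter substitutions that cracking rule sets try; constructed, not exhaustive.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def meets_site_rule(pw, min_len=8):
    """The rule quoted in the post: a symbol, an uppercase and a lowercase letter, >= 8 chars."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c in string.punctuation for c in pw))

def brute_force_bits(pw):
    """log2 of the keyspace an exhaustive attacker must cover for this length and character mix."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0

def _strip_suffix(pw, max_suffix=3):
    """Drop up to max_suffix trailing digits/symbols, the most common mangling."""
    end = len(pw)
    while end > 0 and len(pw) - end < max_suffix and not pw[end - 1].isalpha():
        end -= 1
    return pw[:end]

def is_mangled_dictionary_word(pw, wordlist=WORDLIST):
    """True if pw is a wordlist entry once case, leet substitutions and a short
    suffix are undone, i.e. a dictionary attack finds it despite the symbols."""
    core = _strip_suffix(pw).translate(LEET).lower()
    return core in wordlist

def audit(pw):
    """Summary a defender would want: rule compliance, keyspace bound, dictionary-derived?"""
    return {"site_rule": meets_site_rule(pw),
            "brute_force_bits": round(brute_force_bits(pw), 1),
            "dictionary_derived": is_mangled_dictionary_word(pw)}

if __name__ == "__main__":
    # Constructed candidates: two mangled words and the post's two phrase-derived passwords.
    for pw in ("P@ssw0rd1", "Va1iant!9", "Mfcwa74Vaic$2k", "1Moreuntothebreach."):
        print(f"{pw:22} {audit(pw)}")
```

All four candidates pass the site rule; only the two phrase-derived ones survive the dictionary check, which is the infographic's point.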
It’s up to you if you then highlight the relevant phrase of origin in your book or ebook, but be aware this weakens the password security somewhat: just knowing where to look in a book may be all that is needed.
Final thoughts
Passwords are with us for some time to come, but there are promising developments with new authentication methods such as fingerprint scanners, pattern matching and voice recognition. The following article is a very good one on the alternative options becoming available, including their strengths and weaknesses: https://www.smashingmagazine.com/2016/06/the-current-state-of-authentication-we-have-a-password-problem/
The simplest thing you can do immediately to protect your online identity and critical accounts is to enable two-factor authentication in the security settings of accounts that support it. This is very simple and very secure. You don’t need any fancy equipment, as most accounts enable this by sending codes to your smartphone when you first log on from an untrusted device.
It seems fitting to sum up with advice from information security guru Bruce Schneier when it comes to choosing secure passwords:
“There's more to passwords than simply choosing a good one:
- Never reuse a password you care about. Even if you choose a secure password, the site it's for could leak it because of its own incompetence. You don't want someone who gets your password for one application or site to be able to use it for another.
- Don't bother updating your password regularly. Sites that require 90-day -- or whatever -- password upgrades do more harm than good. Unless you think your password might be compromised, don't change it.
- Beware the "secret question." You don't want a backup system for when you forget your password to be easier to break than your password. Really, it's smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
- One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It's almost certainly a security improvement.”
As a final thought…
Well said, it is good to avoid dictionary based passwords. Question is, are staff forced to change their passwords too often? There is the concern that the need to constantly change their password encourages them to mostly keep the same password and only mangle it somewhat each 3 months.
Timely advice