Password security in the age of Cloud
How many passwords do you have? Do you remember them all? Do you use a password manager tool? Are your passwords complex and secure, or easy to guess dictionary words? What is your weakest point?
I bet that last question threw you a bit. Your entire security and identity could be tied to your weakest password.
For most systems and services, there is a password reset/retrieve facility. This capability sends an email, and this is the only account that hackers need to break into. Once this password reset email account (let me guess, you use a free Cloud-based account like Gmail or Hotmail?) is cracked, then you might as well not have a password on any other account – including your password manager tool.
So, your passwords could be highly complex and difficult to guess, but this means nothing if the email account you use for password recovery is less complex.
But I hear you cry “wait, I answer security questions”. Well, these are easily found out. We publish our lives on Facebook and other social media sites – listing where we went to school, where we grew up and other information that is frequently asked for in security questions.
How about “mother’s maiden name”? You can find this out from relatives linked to you on Facebook or Google+, and there is even a 1 in 20 chance that it is the same name as yours – because your mother retained her maiden name when married, or returned to it after divorce (or never got married).
There are techniques for answering security questions – it even helps with those security questions that are not applicable to you (can YOU remember your primary school teacher’s name? I’ve never had a pet…). The trick is to have a phrase that could be completely wrong, but only you know it. Be careful though, remember the capitalisation and spelling of these answers – I came undone when I put in my school as “St Mark’s Secondary school for boys”; did I put in St. or Saint, and did I put in ‘for boys’ or was that too long for the box? Did I put in the apostrophe, or did I capitalise the second S?
When Cloud-based accounts are linked, the risk goes up – the famous story of the theft of @N demonstrates that one cracked account can be used to leverage access to another, to gain access to a third…
Really, when we use more and more Cloud services, and reveal more about ourselves, the complexity of passwords needs to increase. Of course, you should not be using dictionary words (including avoiding other dictionary words like Star Trek character names or places from Mythology). However, we are also advised to not use anything that is related to you or can be worked out from knowing you – this may be true for someone trying to hack YOU, but the truth is that most attacks do not care one bit about who they are attacking – they just want your money or your accounts.
So, we should stop being focussed on the shoulder surfer, and instead protect against the GPU-enhanced password crackers that are hacking thousands of accounts.
Password techniques
The best way to come up with a password is to choose something that is easy to remember, but difficult for a computer to guess/crack. Look at these techniques for tips – but don’t just follow one, mix it up a bit!
- Passphrases – these are well reported (Google it) as being the way to go – a sentence that you then convert into either a long password, or a mixture of uppercase and numbers – “Mary had a little lamb” becomes “m4RyhaaLLm”
- Password themes – try all your banking using words that are fruits and vegetables, all email accounts using colours and sounds, all discussion groups using animals and countries. For example (ind%IAn@caT3
- Never more than 3 letters – make sure your passwords never contain 3 letters next to each other that can make a word – break them with a random symbol, punctuation or number
- Avoid the most common passwords of course
- Don’t use these PINs (and learn why they are bad…)
- Write down your passwords – controversial, I know, but I agree with this one. If you write down a few complex passwords on paper – perhaps missing a character and definitely not listing what site/service they are for – you can keep this detail in your wallet/purse like cash.
- Non-typeable characters. OK, strange one I know, but try Alt + Numeric keypad 5 to get ♣ – it may be shown as an empty square when you type it. Be careful with this one though – you will have difficulty typing these on non-Windows systems and on a laptop without a numeric keypad.
- Avoid basic substitution (A = 4, S=$, O = 0, i = 1) because the cracking tools and hackers know about these.
- Size matters. Make it as long as you are comfortable with. You still have to remember it though! Of course, make it unique – not correct horse battery staple.
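As an added example (not from the original post), here is a small Python checker that applies the rules in the list above: it undoes the basic substitutions cracking tools know about, looks for dictionary words hidden in runs of adjacent letters, rejects the most common passwords and trailing “1234”-style padding, and enforces a minimum length. The word lists, the minimum length of 12 and the extra @→a and 3→e reversals are my assumptions, not values from the post.

```python
import re

# Constructed word lists for this example; a real check would load a full
# dictionary and a breached-password set instead of these few entries.
DICTIONARY = {"password", "mary", "blue", "sound", "tuna", "correct",
              "horse", "battery", "staple"}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed minimum; the post only says "as long as you are comfortable with"

# The basic substitutions the post says crackers already know (@->a, 3->e added here).
LEET = str.maketrans({"4": "a", "$": "s", "0": "o", "1": "i", "3": "e", "@": "a"})


def undo_substitutions(pw: str) -> str:
    """Judge 'p4$$w0rd' as 'password': reverse the well-known substitutions."""
    return pw.translate(LEET).lower()


def dictionary_hits(pw: str, words=DICTIONARY) -> list[str]:
    """Words of 3+ letters hidden in any run of adjacent letters, checked both as
    typed and with substitutions undone (the 'never more than 3 letters' rule)."""
    hits = set()
    for form in (pw.lower(), undo_substitutions(pw)):
        for run in re.findall(r"[a-z]+", form):
            hits.update(w for w in words if len(w) >= 3 and w in run)
    return sorted(hits)


def trailing_digit_sequence(pw: str) -> bool:
    """True when the password ends in 3+ consecutive ascending digits, e.g. '1234'."""
    m = re.search(r"\d{3,}$", pw)
    if not m:
        return False
    d = m.group()
    return all(int(b) - int(a) == 1 for a, b in zip(d, d[1:]))


def check_password(pw: str) -> list[str]:
    """Return the problems found; an empty list means every rule passed."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if undo_substitutions(pw) in COMMON_PASSWORDS:
        findings.append("common_password")
    findings += [f"dictionary_word:{w}" for w in dictionary_hits(pw)]
    if trailing_digit_sequence(pw):
        findings.append("padded_with_digit_sequence")
    return findings


if __name__ == "__main__":
    for candidate in ("p4$$w0rd", "correcthorsebatterystaple", "Kx!9hq1234", "zQ7#vk!Lr2^pm"):
        print(candidate, "->", check_password(candidate) or "ok")
```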
Forced password policies
There are some systems which force particular password policies, sometimes in the belief that they are making you choose a more secure password. This is not always the case as some systems insist on passwords of an exact length (like 8 characters) and some restrict special characters to just a few.
- VMware has it right with the ESXi password policy – if the password starts with a capital letter, then you need to add more complexity
- Beware of using a space (or non-typable character), as these may cause problems for a system
- Don’t just pad your password with 1234 at the end to make it long enough! Add another memorable component.
- Microsoft encourage you to NOT force password changes
Tales from the trenches
There was a “loyalty card” site that encouraged people to register to get points for benefits – during registration, it would gather information from them, including where they shop, where they bank, mother’s maiden name … and then all their passwords. Each time a user entered a password, it would tell them that it was not secure enough and ask them to try again. The point of the site was not to provide a loyalty system, but to gather personal information (like address, username and the other security-question details above), and of course passwords. When people were told that their chosen password was not complex enough, they would try one of their other passwords, cycling through every password that they use. The site then had their full details, including the results of a survey that asked them where they like to shop – allowing fraudulent online purchases to be hidden amongst other valid purchases.