Secure passwords FTW
by Andy Prow, MD, Aura Information Security
I was reading a tweet posted to @IITPnz last week (the Institute's Twitter account) complaining that the IITP's website's password policy was outrageous and TOO HARD. "Really?" I thought, so I made a few enquiries.
It's actually an age-old question that we at Aura InfoSec are asked all the time, "what's a good password policy, and why do they have to be so hard and complex?". Well I'm glad you asked!
In IITP's case, their answer came from IITP CEO Paul Matthews: "Our password policy is 6 chars minimum, with at least 1 number and 1 letter". Actually, that's not in any way TOO complex; in fact, while acceptable from a security standpoint, it's about the minimum you'd want to get away with.
Why you should require complex passwords
So why do passwords have to be complex? The answer is simple: us poor developers and security consultants have to protect end users' data and privacy when they really, really, really seem to want to do everything they can to give their data away to the world!
What do I mean? Well, without two-factor-auth, passwords are the only protection between an attacker and your bank accounts, credit card details and private information about your pizza preferences, movie rentals and the alternate adult party gear that you hired last weekend…
It's no wonder we in the business stress the importance of setting a strong password. If your accounts are compromised then your online shopping, social networks, emails, company network and whole online life come crashing down. So why is it that so many users feel the need to battle against what we see as basic security and have passwords like "password" and "123456"?
Weak passwords are weak
In the past 2 months there have been multiple hacks where users' passwords were posted publicly on the internet; some of the larger and more noteworthy attacks include Yahoo Voice, LinkedIn and Stratfor. This equates to roughly 4 million passwords and usernames. Looking at the leaked passwords, the average password length was 8 and the top 10 most commonly used passwords included:
- Linkedin - found 4369 times
- Password - found 3971 times
- Love - found 3073 times
- Iloveyou - found 2645 times
- 123456 - found 3572 times
- 1234 - found 2464 times
Based on the above passwords, it's no wonder accounts get hacked on a regular basis! And here's the other wee issue that we find: so many people re-use passwords across multiple systems. At least in this day and age most users will set a unique password for their internet banking and main office passwords, but then re-use one other password for everything else.
Remember, the other single most important password to keep strong and unique is for your personal email account(s). Why? Because just about every online system these days has a forgotten password reminder or reset feature. So if a hacker breaks into your personal email they can reset all of your other passwords, and websites around the globe will email them your new passwords.
And remember if you re-use a password then that password is only as strong as the weakest website that stores it.
How to create a strong password you'll actually remember
So here's some clear and simple advice:
- When creating a password, it's recommended to make it at least 12 characters long and to include a combination of uppercase, lowercase, symbols and numbers. Don't base it on dictionary words or personally identifiable information such as names, important dates and hobbies, or in fact anything humanly memorable.
- To further ensure your bank accounts and emails are secure, don't re-use passwords among ANY of your online accounts. So that's potentially hundreds of complex passwords…
"Now hang on just a mo!" I hear most non-Stephen-Hawking-brained people cry. Crazy complex passwords that are unique for EVERY website - are you nuts? You can use password storage systems (password managers), but be cautious: if you have complex passwords that you don't remember and you can't access your password vault, then you're in trouble. And if it's stored in the cloud, then that's one system you really don't want hacked.
So here's our TIP OF THE DAY: a recipe for a complex, unique password that you (hopefully) can remember.
1) Firstly, have ONE really strong password made from something you'll remember. As an example:
- the first letter of each word of your favourite song. Mine is Every Breath You Take by The Police. So let's start with the password of EBYTbTP.
- Next let's add the year I got married 1995, so we have EBYTbTP1995
- Let's stick a special character in for luck, I like $ personally (show me the money). So that's EBYTbTP1995$
2) Now how do I make it unique per website? How about taking the first two letters of the website I'm on after the www. E.g. LinkedIn (www.linkedin.com) = li, or mail.google.com = go. Then we end up with:
Now that's getting a little more like a strong password!
So put yourself to the test, thinking LinkedIn, Every Breath You Take by The Police, in 1995 and show me the $. Take a piece of paper and now see if you can remember this 14-character password with upper- and lower-case letters, numbers and special characters, that's unique per website…?
Now, if that works for you, the best approach is not to use EXACTLY what we have above (we're going to be bummed if we do a security review and find those exact passwords sitting there) but to come up with a variation on the theme that is either simpler or harder depending on your memory skills. If you have other suggestions, we're always researching new strategies, so email us your ideas at strongpasswords@AuraInfoSec.com
We can never know which website will be attacked next, so the best defence to keep your personal accounts from being compromised is to set STRONG, UNIQUE passwords.
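As an added example (not code from the article, from Aura or from IITP), here is a small Python checker that applies the advice above: the 12-character, four-character-class policy, a check against the leaked passwords listed earlier, a constructed mini-dictionary, and a check for supplied personal information. It also encodes IITP's stated 6-character minimum for comparison, and the site-tag rule from step 2 of the recipe. The site-tag function reads the page's two examples (www.linkedin.com gives "li", mail.google.com gives "go") as "first two letters of the label before the top-level domain"; that reading is an assumption, and how the tag is combined with the base password is not shown on the page, so the block does not compose the two.

```python
import string

# The article's list of most common passwords from the LinkedIn, Yahoo Voice
# and Stratfor dumps. A real deployment would load a much larger breach list.
COMMON_LEAKED = {"linkedin", "password", "love", "iloveyou", "123456", "1234"}

# Constructed mini-dictionary standing in for a real word list.
DICTIONARY = {"password", "love", "welcome", "summer", "monkey", "dragon"}


def policy_failures(password, personal_info=(), min_length=12):
    """Return the list of reasons `password` fails the article's policy.

    An empty list means it passes: at least `min_length` characters, all four
    character classes, not a leaked or dictionary password, and not containing
    any of the supplied personal information (names, dates, hobbies).
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    required = {
        "uppercase": str.isupper,
        "lowercase": str.islower,
        "number": str.isdigit,
        "symbol": lambda c: c in string.punctuation,
    }
    for name, test in required.items():
        if not any(test(c) for c in password):
            failures.append(f"no {name}")
    lowered = password.lower()
    if lowered in COMMON_LEAKED:
        failures.append("appears in leaked-password list")
    # "Password1!" is still the dictionary word "password" once the digits
    # and symbols are stripped off, so compare on the letters only.
    core = "".join(c for c in lowered if c.isalpha())
    if core in DICTIONARY:
        failures.append("dictionary word")
    for item in personal_info:
        if item and item.lower() in lowered:
            failures.append(f"contains personal info {item!r}")
    return failures


def meets_iitp_minimum(password):
    """IITP's stated minimum: 6 characters with at least 1 letter and 1 number."""
    return (len(password) >= 6
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def site_tag(hostname):
    """Step 2 of the recipe: the first two letters of the site name.

    Assumption drawn from the article's examples: take the label just before
    the top-level domain, so subdomains such as www or mail are skipped.
    It would need adjusting for two-level TLDs such as example.co.nz.
    """
    labels = hostname.lower().strip(".").split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    return name[:2]


if __name__ == "__main__":
    for pw in ["password", "Password1!", "EBYTbTP1995$"]:
        print(pw, "->", policy_failures(pw, personal_info=["Andy"]) or "OK")
    print(site_tag("www.linkedin.com"), site_tag("mail.google.com"))
```

Run as a script it reports why "password" and "Password1!" fail while the recipe's base password "EBYTbTP1995$" passes; note that "password" already fails IITP's 6-character minimum because it contains no number.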
[And if you're on the other side of the equation, looking at storing passwords, make sure you're doing it properly. See this previous Newsline piece for an example. - PM]
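The editor's note above points at the storage side of the problem. As an added example (not the Newsline piece it refers to, and not Aura's or IITP's code), here is a minimal Python implementation of doing it properly with the standard library: a per-user random salt, a deliberately slow iterated hash (PBKDF2-HMAC-SHA256), and a constant-time comparison on verification, next to the unsalted fast hash that lets a leaked database be cracked with lists like the one earlier in the article. The iteration count and record format are assumptions for this example.

```python
import hashlib
import hmac
import os

# Example parameters: tune the iteration count so one verification takes
# tens of milliseconds on your own hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_hash(password):
    """How NOT to store passwords: one fast, unsalted hash.

    Every user with the same password gets the same digest, so one cracked
    entry unlocks all of them, and a common-password list cracks it instantly.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        # Malformed record: wrong field count, bad hex or non-integer count.
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Two users who chose the same password: identical unsalted digests,
    # but distinct salted records that both still verify.
    print(unsalted_hash("123456") == unsalted_hash("123456"))
    a, b = hash_password("123456"), hash_password("123456")
    print(a != b, verify_password("123456", a), verify_password("wrong", b))
```

The record carries its own iteration count, so the count can be raised later for new passwords while old records still verify, and can be re-hashed on the user's next successful login.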
Andy Prow is Managing Director of Aura Information Security. Daniel Gadd, Aura's Security Consultant and Researcher, also contributed.
Contributed content is the opinion of the author only, and not necessarily the view of IITP.