Simple security for small business – part 1

Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Let's consider passwords – the first line of defence in any computer system.

First the TL;DR summary. For important access, keep your passwords complex; for trivial access, not so much. Also, many of the 'rules' around passwords don't always make sense.

A few weeks ago, I wrote about IT journalism's fixation with the latest and greatest hacks, intrusions and other bad behaviour, generally to the detriment of simpler aspects of security. In that article, I suggested that there would be a series of follow-up pieces that would offer useful advice to smaller users. This is the first.

As much as they are maligned, and as much as the "death of the password" has long been predicted, passwords are still with us and probably will be for some time to come.

In most situations passwords are not stored in so-called "plain text". In other words, the characters you typed when entering a password are not what is stored. Instead, a one-way "hashing algorithm" is applied to the text to produce the stored version. This hashing algorithm is not reversible – anyone knowing the 'hash' cannot recover the plain-text password. At some later point, when you use the password again, the same hashing is applied and the result is compared with the stored password.

Let me start by saying that a lot of what you hear about passwords is quite correct. But conversely a lot of well-meaning advice is wrong.

Let's offer some thoughts on what is correct.

Yes, passwords should be complex.

There are a couple of reasons for this. Firstly, there are plenty of programs out there that are excellent at cracking passwords, with John the Ripper being an obvious example. John the Ripper is very quick to attempt multiple passwords against a password hash. John the Ripper (and pretty much all the others) will try every dictionary word and every line of most popular songs; they will insert numbers, and they also understand "leet-speak" (the habit of substituting numbers for similar-looking letters: '3' for 'E', etc.). Further, they will make use of databases of previously hacked passwords.

Secondly, beyond these "cracking" programs, we also have "rainbow tables" which comprise a database of matching hashes and plain-text passwords. If the hash exists in the table, so does the password. Fortunately (for us average punters) any useful rainbow table is huge, occupying many terabytes, making them relatively unwieldy for all but the most determined "ne'er-do-well". Mostly, rainbow tables are created by generating passwords and hashing them, then storing both.

So, you should make your password too complex to either appear in a rainbow table, or to be discovered by a cracking program.
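The store-and-compare step and the table lookup described above, as an added example (not from the original article). It goes one step beyond the text by adding a random per-user salt and a slow hash (PBKDF2), which is how a site keeps its stored values out of any precomputed table; the tiny table and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny stand-in for a precomputed table of hashes.
COMMON = ["password", "Password1", "MyPa55sword"]
TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: the kind of stored value a lookup table targets."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_lookup(stored_hash: str):
    """Return the plain text if the hash was precomputed, else None."""
    return TABLE.get(stored_hash)


def register(password: str) -> tuple[bytes, bytes]:
    """Keep a random per-user salt and a slow salted hash, never the text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-apply the same hashing to the attempt and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    # A simple password's unsalted hash is in the table; a complex one is not.
    print(table_lookup(unsalted_hash("Password1")))
    print(table_lookup(unsalted_hash("aNAp91ef0RmytE#ch3R")))
    # Login still works against the salted value, and a wrong guess fails.
    salt, digest = register("Password1")
    print(verify("Password1", salt, digest), verify("password1", salt, digest))
    # The salted value is not in the table, even for a simple password.
    print(table_lookup(digest.hex()))
```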

But how?

Broadly, the rules we typically see that specify minimum length (to annoy the rainbow tables) and a variety of complexity (to annoy the cracking programs) are sensible. So, any password of at least 10 characters, that includes a mix of upper and lower case, a few digits and some other characters is currently about the minimum you should have when you care about the access being managed.

But please, don't confine yourself to capitalising the first letter of a word or substituting a couple of 'leet' characters. Be a little more creative!

• password (pointless)
• Password1 (very slightly less pointless)
• MyPa55sword (marginally better, but still trivial to crack)
• aNAp91ef0RmytE#ch3R (pretty good – if you couldn't read it, it's "AnAppleForMyTeacher" with all manner of variation). However, good luck remembering how to type it!
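
A sketch of how a sign-up form could apply the rules above, added here as an example and not taken from the original article. It checks the length and character mix, then undoes capitalisation and leet substitutions to see whether a common word is underneath; the word list, the substitution map and the function names are constructed for illustration.

```python
import re

# Constructed sample word list (assumption): a real check would load a full
# dictionary plus a list of previously breached passwords.
WORDS = ["password", "letmein", "welcome", "dragon"]

# Look-alike ("leet") characters mapped back to the letters they stand for.
LEET = str.maketrans("0134578@$!", "oleastbasi")

MIN_LENGTH = 10  # the article's minimum for access you care about


def squeeze(text: str) -> str:
    """Collapse runs of a repeated character, so 'passsword' == 'password'."""
    return re.sub(r"(.)\1+", r"\1", text)


def base_form(password: str) -> str:
    """Strip the cosmetic variation: case, leet characters, doubled letters."""
    return squeeze(password.lower().translate(LEET))


def problems(password: str) -> list[str]:
    """Return the reasons a password falls short; an empty list means it passes."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("shorter than %d characters" % MIN_LENGTH)
    classes = {
        "lower-case letter": r"[a-z]",
        "upper-case letter": r"[A-Z]",
        "digit": r"[0-9]",
        "other character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            found.append("no " + name)
    base = base_form(password)
    for word in WORDS:
        if squeeze(word) in base:
            found.append("built on the common word '%s'" % word)
    return found


if __name__ == "__main__":
    for candidate in ["password", "Password1", "MyPa55sword",
                      "MyPa55sword!2018", "aNAp91ef0RmytE#ch3R"]:
        print(candidate, "->", problems(candidate) or "passes")
```

The constructed candidate "MyPa55sword!2018" meets every length and character-mix rule and is still flagged, which is the point of the advice to go beyond capitalising and leet characters.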

As an alternative, you might consider taking a line from a favourite song and "modifying" it. Perhaps something like "And!findItk1NDafuNnyiFinDitKindaSad" – significantly easier to type than the 'teacher', perhaps a little longer and definitely tougher for the nasty dudes.

In parallel with passwords, we also have biometrics (fingerprint, face, voice, iris etc.), but most such systems are required to release a text password to the system that validates the access, so not a lot of improvement, really.

The last advice I will give here is that you should use none of my suggestions here. They are guidance and examples only. Rest assured that the "bad dudes" will add them to all the quick-access intrusion tools available. They are also entirely unrelated to any password I have ever used!

So, with all that in mind, what advice have people received that is entirely pointless?

My first irritation is the insistence that passwords be changed regularly. Why? If the password is so good that it conforms to all the rules, and there's no evidence that it has been compromised, why change it? Why create the possibility (probability!) that the user will forget it? That rule makes no sense at all.

Next, we have the insistence that you should use a different password for every location that requires one. This rule belongs in the final circle of hell!

There are two likely outcomes from this: firstly that people will probably create some kind of pattern that links a password stub with the name of the web site. If one of the passwords is hacked, then the method is revealed and access to every other site is simple (for the intruder). The other is that people will create great passwords every time, and then forget them. I'd love to see password reset statistics for a range of major websites.

In parallel to this are the websites that insist on the most amazingly convoluted password rules merely to access a document that ought to be freely available. I've regularly seen this with the "big four" consultancy firms. They are adding to the problem, not helping!

So, you might ask, "after all this negativity, what is a good password? Are there good rules for creating and using them?"

First, some "motherhood" statements:

  • Passwords are a useful form of identification, but not the best.
  • The strong password you remember is better than the very strong password that you forget.
  • Longer (and more complex) passwords are better than shorter and simpler ones. Twelve characters is a useful minimum, although that will increase as cracking hardware improves.
  • The places that demand a password for no good reason are deserving of a weak one.

My first recommendation is to select a simple, easy to remember password that can be used in places where neither you nor the website care about any level of security. Ensure this password is only used in places where no personal information is stored (beyond your email address and name).

For somewhat more secure uses, create a password root structure that can be modified and extended for each location it is used. As an example, your password root might be "B@ck!n8lack" (that's related to "Back in Black" for AC/DC aficionados), into which you might insert a number that represents the third letter of the domain name (e.g. iTWire.com would be 23 for the 'w') along with a letter three places further along the alphabet from the last letter of the domain name. Thus the final password might be B@ck23h!n8lack. Of course, now that it is published, this scheme should never be seen again! Use your own.

For highly secure access, your online banking for instance, you will need to create similarly "difficult" and lengthy passwords, but each must have unique construction rules – no extension rules as described in the previous paragraph.

In my next article, we will look at password managers and alternate authentication technologies.
