Archive for the ‘Passwords’ Category

These days, keeping all your passwords straight can be an almost impossible task. Every website and application needs a password. Do you pick the same password and use it everywhere or do you write them down? If you use the same password, you’ll lose them all as soon as any one of those systems gets compromised. But if you write them down, you lose them all when your sticky-note gets lost or stolen.

Here’s a trick for making semi-customized passwords that will be easy to memorize but still unique to each site.

Pick a "static" password. (For this example, I’ll use "Bluebird" but a passphrase is much better.) Now look at the website or application that you’re signing onto. Make up a personal rule about the website name such as:

  1. The first digit of my password will always be the second letter of the website’s name.
  2. The second digit of my password will always be the number of characters in the website’s name.
  3. The third digit will be a dash.

The password at Amazon would be "m6-Bluebird" and at eBay would be "b4-Bluebird". The password on your home Dell computer might be "e4-Bluebird". A password in this pattern is reasonably strong because it has all four character classes (uppercase, lowercase, number, punctuation) and because it doesn’t follow the predictable tendency for English speakers to capitalize the first letter and put the number(s) at the end. Best of all, every password is different but you only have the one phrase to memorize and one rule.

There are a couple of limitations to this technique.

  • You must be the only person who knows your exact rules. Do not use the exact rules above. Make your own choices about which letter, punctuation, etc.
  • Some systems won’t allow special characters (like the dash) or may have size limits on the password. Unfortunately, there’s no easy way around those problems. Make the best choice you can given the limits of the system and write down only enough to remind yourself what’s different (such as "401k – no dash"). If it’s an important system (like your online bank), lobby the company to allow stronger passphrases.
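As an added illustration (not code from the original post), here are the three example rules above implemented in Python, with a check for the four character classes the post mentions and the two limitations just listed (no punctuation allowed, a length limit) handled as options; the function names are my own.

```python
import string

STATIC_PHRASE = "Bluebird"  # the post's example; a longer passphrase is better


def site_password(site_name, static=STATIC_PHRASE,
                  allow_punctuation=True, max_length=None):
    """Derive a site-specific password using the post's example rules:
    1st char = second letter of the site name (lowercased, as in "b4-Bluebird"),
    2nd char = number of characters in the site name,
    3rd char = a dash (dropped when the system forbids punctuation),
    followed by the static phrase, truncated if the system has a size limit.
    """
    name = site_name.strip()
    if len(name) < 2:
        raise ValueError("site name needs at least two characters")
    prefix = name[1].lower() + str(len(name))
    if allow_punctuation:
        prefix += "-"
    pw = prefix + static
    if max_length is not None and len(pw) > max_length:
        pw = pw[:max_length]  # site limit: write down only "truncated", never the password
    return pw


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation or ch == " ":
            classes.add("punct")
    return classes


def meets_four_class_rule(pw):
    """True when all four classes (upper, lower, digit, punctuation) are present."""
    return character_classes(pw) == {"upper", "lower", "digit", "punct"}


if __name__ == "__main__":
    for site in ("Amazon", "eBay", "Dell"):
        print(site, site_password(site), meets_four_class_rule(site_password(site)))
    # A system that forbids the dash silently drops one character class:
    print("401k", site_password("401k", allow_punctuation=False))
```

Note that a site which forbids punctuation (the "401k – no dash" case) leaves the derived password with only three character classes, which is exactly why the post suggests lobbying such systems for stronger passphrase rules.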

As a user, you should never share your password with anyone. It is used to track who had access and made changes to specific information. You are responsible for everything done on the system using your ID and password.

As a manager, you must set up the processes and procedures so that your staff and customers do not need to share their passwords. They need a simple rule that anyone asking for their password is running a con.

  • The user’s co-workers should never have access to each other’s passwords. If work needs to be shared, use shared folders or other collaboration tools that maintain traceability in the logs about who did what. If a co-worker needs temporary access to the user’s files (for example, if covering for someone on vacation or emergency medical leave), have IT use their administrative tools to grant the access rights under their own ID, not by compromising the ID of the person who is out of the office.
  • Not even your own IT staff should ask for a user’s password. If IT needs the password to complete a repair, the IT person should insist that the user type in the password.
  • You don’t need their password either. If you need to access their files, you should have IT set up your rights so that you can monitor their work under your own ID and password. No one ever wants to be in the middle of an investigation but, if you are, you really don’t want to have counter-accusations that the chain of evidence was compromised.

Too many people are running phishing and other cons that try to trick people into sharing their passwords. Make it possible to say with confidence that no one at your organization will ever ask you for your password.

According to a non-scientific survey I just conducted, the most common question this time of year is “How were your holidays?” The second most common question is “Have you broken your New Year’s resolutions yet?”

Here’s a trick to help keep at least a few of those resolutions by choosing stronger passwords. As we’ve talked about before, passwords are fairly easy to break because most of us pick an English word, capitalize the first character and add a number at the end. That’s a statistically common trend among English-speakers. It meets the minimum complexity rules but will fail to a password cracking tool in 30 seconds or less.

If your New Year’s resolution is your passphrase, you’ll get a strong password that is hard for an outsider to break. (Microsoft’s password rules allow up to 127 characters and permit any character on the keyboard, including the spacebar. You can pick a whole sentence including spaces and punctuation for your password.) And by typing it several times a day, well, maybe repetition will help me actually live up to the resolution. For example, I need to eat less and exercise more. If my password for the month is “Take the Stairs.”, I’m reminding myself several times a day that I shouldn’t be lazy – that those extra steps are good for me.

A couple of thoughts, though. First, don’t make your password obvious to others. If your password is “Spend more time with your Kids!”, don’t make a poster with the same phrase and hang it in your office. Second, add unusual capitalization or swap a letter for a number in the middle of the phrase. For example, “Give more time 2 Charity.” Even if someone does guess your resolution, they won’t know what little change you’ve made to the way you type it. Put together, you’ll have a strong password that’s easy to remember and might actually help you keep that resolution a little longer.

Passwords are only useful if they are kept secret. That sounds obvious but we are still finding users who tape their passwords to the computer or "hide" them in an unlocked desk drawer.

Laptop and desktop computers represent the single greatest risk to the computer systems and customer private information of most organizations. A stolen or lost laptop is a gold mine for an identity thief. Laptops and desktops hold all kinds of private information (often including the access rights and certificates necessary for a hacker to get onto the rest of the network).

In order to mitigate the risk, many organizations have encrypted their computers – scrambled the content so that, in theory, if a computer is stolen, the thief gets away with a $2000 doorstop. Unfortunately, that encryption is often completely dependent on the password. If the thief also gets away with the password, they have access to everything and all the organization’s defenses are for naught.

Make it very clear to your staff that leaving a password unprotected is a very serious violation of your security policies. If they see an unsecured password, have them report it immediately to their manager or supervisor.

If you have a home network or wireless router, it can add a layer of security to your computer. But if you haven’t changed the default password on your home router, that can be worse than doing nothing. Hackers have recently developed some new tricks to automatically attack your computer’s router just because you were at an infected site. It might not even be the primary site you were visiting – it could be the site hosting one of the ads on the page.

In this attack, hackers use small bits of code that automatically try to log in to the router using the default password. The default password is the one that came on the router when you got it from the manufacturer. It’s usually something like “admin”, “password”, “1234” or sometimes blank. Default passwords are printed in the user manual (which is also available online). An online search for “default password list” turned up over 60,000 sites sharing this information, most of them hacker sites.

In a variation, some local hackers will try the same default password against your wireless router as they drive through your neighborhood.

Once the bit of code has successfully logged into the router, it opens a port. The hacker will later come back to your computer and attack it through that port. One common attack is to send false directions to the computer so that when you attempt to log in to your bank’s website, the compromised router instead sends your request to a fraudulent site designed to look and feel like your bank’s website. Read this CSOonline article for more.

If you haven’t changed the default password, do it today! Follow the router manufacturer’s instructions to change the password. Make sure you pick a strong password when you change it.