25 January 2012

PASSWORDS: The Bane of IT Managers!


Passwords are probably the most important part of any network and frequently the weakest part of the chain.

Users forget them.  They write them down on post-its, they put notes on the cork-boards next to their desks where everyone can read them and they write note cards with all of the information any hacker would ever need:  the website address, their username, and their password.  In the 35 years I have been working in Information Technology, I have seen the situation below over and over again.

ME: “What’s your password?”
User: “It’s a ‘secret’”.  Yes, her actual password was “secret.”

There are multiple variations on the story I shared above, but they all end up the same way:  The user has a common, insecure, easily guessable password, and they share it with, in many cases, a complete stranger.

First rule of passwords: The user should never have told me her password – period – there are no exceptions to that rule.  Passwords should never be divulged to anyone.  While there are some extremely rare exceptions, it is always preferable to ask a user to type his or her password for you, not have them tell you.

After our initial analysis of the customer’s network, we set some very stringent password security requirements for their network and started requiring passwords which met much more complex requirements.

Passwords exist for a reason: to protect the data contained in a device or on a network.   

Whether personal, corporate, or a store which sells goods to an online shopper, passwords are no longer an option, but a requirement.   Passwords are everyone’s first line of defense against hackers, worms, ID theft, organized crime, and a litany of other nefarious individuals who would like nothing better than to steal your identity, your health history, money, business financial data or even your life.

Hackers are well organized.  Many operate under organized crime groups and, whether you believe it or not, your data is worth lots of money to them.

If you are a network administrator who is responsible for a business network and you have not done so already, you should immediately go into your network server and change the password requirements to require secure passwords.  This includes: a minimum password length of 8 characters (12 is preferable); a mix of upper case, lower case, numbers and special characters; and a lockout policy which allows only 3 invalid login attempts before the user’s account is locked out for a specific amount of time.  If you don’t know how to do this, contact me and I will be glad to consult with you.
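
Here is what that lockout rule looks like when written out.  This is an added example, not code from this post or from any particular server product: a small Python login gate that counts failed attempts per user, locks the account after 3 bad tries, and refuses even the correct password until the lockout expires.  The 15-minute lockout period and the plaintext demo credential store are assumptions made for the example (a real server stores salted password hashes, and the post itself does not name a duration).

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# From the post: allow only 3 invalid attempts, then lock the account for a
# specific amount of time. The post gives no duration; 15 minutes is assumed.
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_DURATION = timedelta(minutes=15)


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class LoginGate:
    """Counts failed logins per user and enforces the lockout policy."""

    def __init__(self, credentials: Dict[str, str]):
        # Constructed demo store mapping username -> password. A real server
        # keeps salted password hashes, never the passwords themselves.
        self._credentials = credentials
        self._state: Dict[str, AccountState] = {}

    def is_locked(self, username: str, now: datetime) -> bool:
        state = self._state.get(username)
        return bool(state and state.locked_until and now < state.locked_until)

    def attempt(self, username: str, password: str, now: datetime) -> str:
        """Returns "ok", "denied" or "locked"."""
        state = self._state.setdefault(username, AccountState())

        if state.locked_until is not None:
            if now < state.locked_until:
                # Still locked: refuse even the right password, otherwise an
                # attacker could keep guessing straight through the lockout.
                return "locked"
            # Lockout has expired: start the count again.
            state.locked_until = None
            state.failed_attempts = 0

        # Unknown users take the same path as a wrong password so the
        # response does not reveal which usernames exist.
        stored = self._credentials.get(username)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            state.failed_attempts = 0
            return "ok"

        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed demo: three bad guesses, then the real password during the lockout.
    real = "1 liK3 2 psychle on w0R^^ $pr1n& daZe"
    gate = LoginGate({"alice": real})
    t = datetime(2012, 1, 25, 9, 0, 0)
    for guess in ["secret", "password", "letmein"]:
        print(guess, "->", gate.attempt("alice", guess, t))
    # Even the correct password is refused while the lockout is in force.
    print("correct ->", gate.attempt("alice", real, t + timedelta(minutes=1)))
```

The point the demo makes is the last line: once the account is locked, a correct password is refused too, and the counter only starts over after the lockout period has passed or after a successful login.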

Whether you are an end-user or an administrator, every computer, every laptop, every tablet, every SmartPhone, in fact, every device you use to connect to the internet has the capability to set a password which must be entered prior to accessing the device.

If you have not already done so, you should set a password on these devices as soon as possible.  Even if your computer is only used at home, or your SmartPhone is a personal device, it should still be password protected.

The password you choose to protect your Internet connected device is one of the most important decisions you will ever make.

Choose a Secure Password: Passwords are your first line of defense in setting up your protection against fraud and the loss of confidential information, but few people choose passwords that are truly secure.

Make your password as long as possible: The longer a password is, the harder it is to guess or to find by trying all possible combinations (i.e., via a brute-force attack). Passwords of 14 characters or more are vastly more difficult to crack than a password of 6 or 8 characters.

Use different types of characters: Include numbers, punctuation marks, symbols, and uppercase and lowercase letters.

Don’t use words that are in dictionaries: Don’t use words, names or place names that are usually found in dictionaries.  Hackers frequently use dictionary attacks (i.e., automatically trying every word in a dictionary) to crack these passwords.

Don’t use personal information: Others are likely to know information such as your birthday, the name of your partner, spouse or child, or your phone number, and they might guess that you have used them as a password.

Don’t use your username: Don’t use a password that is the same as your user name or account number.  Well written software should be set to disallow this by default.

Use passwords that are difficult to identify as you type them in: Make sure that you don’t use repeated characters or keys spaced too close together on the keyboard.

Consider using a passphrase: A passphrase is a string of words, rather than a single word.  Unlikely combinations of words can be hard to guess.  

If your password is “bicycle” because you like to get out and exercise when you have time, consider using “I like to cycle on warm spring days”.  

You can further enhance this passphrase with, “1 liK3 2 psychle on w0R^^ $pr1n& daZe”.  

Experiment with your password or pass phrase, and you will come up with something which is hard to guess and easy to remember.
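
The rules above can be turned into a checker.  The following Python is an added example, not code from this post: it tests a candidate password against the post’s rules (length, a mix of character types, dictionary words, personal information, the username, repeated or adjacent keys) and estimates the brute-force search space that makes length matter.  The 12-character minimum, the tiny word list, the QWERTY rows and the username "alice" are assumptions made for the example; the sample passwords are the three the post walks through.

```python
import math
import re
from typing import List, Sequence

# Thresholds from the post: 8 is the minimum an administrator should enforce,
# 12 is "preferable", 14+ is "vastly more difficult to crack". 12 is assumed here.
MIN_LENGTH = 12

# Constructed stand-in for a real word list; the dictionary attacks the post
# describes use lists of hundreds of thousands of words.
DICTIONARY = {"password", "secret", "bicycle", "welcome", "letmein", "spring"}

# QWERTY rows, used to catch "keys spaced too close together on the keyboard".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
ADJACENT_RUN = 4   # four neighbouring keys in a row (e.g. "qwer") counts as a walk

CHARACTER_CLASSES = {
    "lower case": (r"[a-z]", 26),
    "upper case": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "special character": (r"[^A-Za-z0-9]", 33),   # printable ASCII punctuation + space
}


def search_space_bits(password: str) -> float:
    """log2 of the number of combinations a brute-force attacker must try.

    The alphabet is the union of the character classes actually present,
    which is the first thing an attacker who knows the policy will try."""
    alphabet = sum(size for pattern, size in CHARACTER_CLASSES.values()
                   if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def _keyboard_walk(password: str) -> bool:
    """True if any ADJACENT_RUN neighbouring keys of one row appear in order."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - ADJACENT_RUN + 1):
            fragment = row[i:i + ADJACENT_RUN]
            if fragment in lowered or fragment[::-1] in lowered:
                return True
    return False


def check_password(password: str, username: str = "",
                   personal: Sequence[str] = ()) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems: List[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    missing = [name for name, (pattern, _) in CHARACTER_CLASSES.items()
               if not re.search(pattern, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Compare the letters alone so "bicycle" and "bicycle2012!" are caught alike.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("is a dictionary word")

    if username and username.lower() in lowered:
        problems.append("contains the username")

    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")

    if re.search(r"(.)\1\1", password):
        problems.append("repeats a character three or more times")

    if _keyboard_walk(password):
        problems.append("contains adjacent keyboard keys")

    return problems


if __name__ == "__main__":
    # The three passwords the post walks through, weakest to strongest.
    for candidate in ["bicycle",
                      "I like to cycle on warm spring days",
                      "1 liK3 2 psychle on w0R^^ $pr1n& daZe"]:
        verdict = check_password(candidate, username="alice") or ["passes"]
        print(f"{candidate!r}: {search_space_bits(candidate):.0f} bits; {'; '.join(verdict)}")
```

Run as-is, the checker rejects “bicycle” on three counts, faults the plain passphrase only for lacking a digit (a space already counts as a special character), and passes the substituted version; the bit estimate shows why the post says length matters more than anything else.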

Try to memorize your password: Memorize your password rather than writing it down.

Use a string of characters that is meaningful to you, or use mnemonic devices to help you recall the password.  There are good free programs available that will help you manage your passwords. 

While not my first choice, if you have problems remembering passwords, you can use password management programs to help you choose unique passwords, encrypt them, and store them securely on your computer.  Examples of respected programs include KeePass and 1Password.

Remember, these programs will require a password to keep the passwords you store in them safe so make certain you choose a SECURE master password!

If you must write down your password, keep it in a secure place: Don’t keep passwords attached to your computer or in any easily accessible place.  Put written password lists in a locked filing cabinet, drawer or safe - to which only YOU have access.

Use different passwords for each account: If a hacker cracks one of your passwords, at least only one account has been compromised.

Don’t tell anyone else your password: If you receive a request to confirm your password, even if it appears to be from a trustworthy institution or someone within your organization, you should never disclose your password.

If your organization has an IT support desk, immediately notify them of such a request.  If not, then let your supervisor or boss know who requested your password and under what circumstances it was requested so they can investigate.

Don’t use your password on a public computer: Don’t enter your password on a publicly available computer (i.e., in a hotel or internet café). Such computers may not be secure and may have keystroke loggers installed.

Change your passwords regularly: The shorter or simpler your password is, the more often you should replace it.

NEVER save your password on any computer using your browser’s “save my login information” capability.  All browsers store this information in either unencrypted, or easily hacked, formats.  

Anyone who has access to the computer potentially has access to your usernames and passwords if they are stored in a browser.

If you regularly access eBay or PayPal, check out their enhanced security options:  You can either purchase a card or fob which presents you with a single-login authorization code – to be used in conjunction with your username and password, or link your SmartPhone to your account and they will send a unique code to be entered every time you log in.  

This will give you the flexibility to securely login to those services from shared computers, so long as you DO NOT check the KEEP ME LOGGED INTO THIS COMPUTER for 24 hours box on eBay.

To learn more about the new Security Key options for PayPal and eBay, log into your PayPal account and search for Security Key.  Then select the option for “PayPal’s Security Key: More Protection for your Account”.
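
The “single-login authorization code” a fob shows is, in the usual hardware-token designs, a one-time code derived from a secret the fob shares with the service and the current time.  The post does not say which algorithm PayPal’s Security Key uses, so the Python below is an added example, not PayPal’s or eBay’s code nor anything from this post: it assumes an RFC 6238 TOTP token (HMAC-SHA1, 30-second steps, 6 digits), shows the fob side (compute the code) and the server side (check it, tolerate a little clock drift, and refuse a code that has already been used once).  The secret is the RFC’s published test-vector secret, used here only so the output can be checked against the RFC.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds each code is valid for (RFC 6238 default)
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    "dynamic truncation" to a 31-bit number, then the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the fob computes and displays."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: shares the secret with one fob and checks submitted codes."""

    def __init__(self, secret: bytes, window: int = 1):
        self._secret = secret
        self._window = window          # time steps of clock drift tolerated either side
        self._last_accepted_step = -1  # highest step already used, to block replay

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        current = unix_time // TIME_STEP
        for step in range(current - self._window, current + self._window + 1):
            if step <= self._last_accepted_step:
                continue   # this code (or an older one) was already accepted once
            if hmac.compare_digest(hotp(self._secret, step), submitted):
                self._last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real fob
    # is provisioned with a random secret known only to it and the server.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)
    print("fob shows ", code)                       # 287082
    print("first use ", verifier.verify(code, 59))  # True
    print("replayed  ", verifier.verify(code, 60))  # False
```

The replay check is what makes this safe to type on a shared computer: a keystroke logger that captures the code gets a value that has already been consumed and will not be accepted again, which is the protection the post is recommending.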


Computer security is everyone's responsibility.  Security, whether on a computer, tablet, SmartPhone, or other device, starts with the PASSWORD. 


By using SECURE PASSWORDS, you will create a first line of defense in the ongoing battle against hackers and others who want access to whatever it is you are storing and viewing!


EDIT (28 January 2012, 11:58 CST):  Wisconsin Department of Consumer Protection Advises Password Security on Smart Phones and Tablets.


See: http://www.channel3000.com/technology/30322506/detail.html

================================================
If you have any questions, or are looking for hosted solutions, please feel free to contact me.


Copyright © 2012, Bruce Barnes, ChicagoNetTech Inc, All Rights Reserved



24 January 2012

Welcome to Network Bastion – a blog for, and about, security as it relates to the Internet, computers, and telecommunications.

Before we get into any kind of discussion about security, however, I believe we must address the idea of standards and how standards affect what we do in not only security, but in everything else we do in our lives.

While standards are the backbone of why the Internet functions as well as it does, they are not new. Standards surround us in our everyday lives. They govern how we drive an automobile; why we can purchase an appliance from any manufacturer, take it home, plug it in and it will work; route our telephone calls; and govern our day because the day is standardized as 24 hours, with 60 minutes in every hour and 60 seconds in every minute. Without standards our very existence would be called into question because Mother Nature invokes standards in the world in which we exist.

Standards, as applied to the telecommunications industry, have made it possible for long-distance telephone calls to be automatically routed and connected in less than a second in most cases. Prior to network automation and standards, simply placing a long-distance call could take hours. Have a listen to this audio as Sgt Friday places a long distance telephone call in 1949. The entire process takes several minutes to complete. Today we can direct dial the same call and, as soon as we press the DIAL key on our cell phone, or take our finger off the last digit on our Touch Tone© keypad on our phone, the called number begins to ring.

Instead of having to call a long-distance operator, wait for an available trunk, and have the long-distance operator route the call through several other operators, one in each of the several cities through which the call will travel, automated digital equipment, following rules of standardization, developed by the telecommunications industry, takes the data entered via our telephone keypad and does all of the work once done by several people – in less than 1/10,000th of the time previously required.

Standardization and automation have both cut the amount of time required to complete a telephone call as well as the cost of processing the call. This has led to lower telephone rates, more calls being completed, higher profits for the telephone companies, and better overall service for the consumer.

In technology, many of the standards we abide by were established by the Internet Engineering Task Force [IETF]. Membership in the IETF, which was initially established by a group of 21 US government funded researchers on 16 January 1986, is open to anyone who wants to participate. While most participants in the IETF are engineers with knowledge of networking protocols and software, many of them know a lot about networking hardware too.

By gathering the collective input of those who work in the Internet as a vocation, the IETF can establish standards and practices which will help to ensure that the Internet will always be available to anyone who wants to use it.

Those standards developed by the IETF govern every aspect of the Internet as we know it.


The key to all of the IETF working groups, however, the one group which must, by the very nature of the IETF, interact with every other working group, at every level, is the WEB SECURITY working group. The Web Security working group is the home for working groups focused on security protocols. They provide one or more of the security services: integrity, authentication, non-repudiation, confidentiality, and access control. Since many of the security mechanisms needed to provide these security services employ cryptography, key management is also vital.

Involvement of the participants of the IETF Security Area focuses upon practical application of Security Area protocols and technologies to the protocols of other Areas.

Within the Web Security area of the IETF, there are several active sub-groups, including:

  • Application Bridging for Federated Access Beyond web
  • DNS-based Authentication of Named Entities
  • EAP Method Update
  • Handover Keying
  • IP Security Maintenance and Extensions
  • Javascript Object Signing and Encryption
  • Common Authentication Technology Next Generation
  • Kerberos
  • Managed Incident Lightweight Exchange
  • Network Endpoint Assessment
  • Web Authorization Protocol
  • Public-Key Infrastructure (X.509)
  • Transport Layer Security

Just as the standards for the electrical appliances we use in our homes are important, the standards for both the protocols and security we implement in our Internet and telecommunications networks are important.

Without both the security standards currently in use and those being developed by the IETF, we have nothing to base our networks on, and we leave ourselves at the mercy of those who will, at whatever cost, breach those networks to steal and/or corrupt the data in them.

As we move forward in the overhaul of healthcare, the development of new services and technologies, and the attempt to maintain some semblance of integrity in both our lives and our networks, these standards, although they may be inconvenient at times, serve a valid purpose in protecting our Internet, our communications, and, in many cases, our lives.

I look forward to hearing your thoughts regarding the issues surrounding both standards and security as we move forward together in this blog.
