Passwords are probably the most important part of any network and frequently the weakest part of the chain.
Users
forget them. They write them down on
post-its, the put notes on the cork-boards next to their desks where everyone
can read them and they write note cards with all of the information any hacker
would ever need: the website address,
their username, and their password. In
the 35 years I have been working in Information Technology, I have seen the
situation below over and over again.
ME: “What’s your password?”
User: “It’s a ‘secret’”. Yes, her actual password was “secret.”
There are
multiple variations on the story I shared above, but they all end up the same
way: The user has a common, insecure, easily
guessable password, and they share it with, in many cases, a complete stranger.
First rule of passwords: The user
should never have told me her password – period – there are no exceptions to
that rule. Passwords should never be
divulged to anyone. While there are some
extremely rare exceptions, it is always preferable to ask a user to type his or
her password for you, not have them tell you.
After our
initial analysis of the customer’s network, we set some very stringent password
security requirements for their network and started requiring passwords which
met much more complex requirements.
Passwords
exist for a reason: to protect the data contained in a device or on a
network.
Whether personal, corporate, or
a store which sells goods to an online shopper, they are no longer an option,
but a requirement. Passwords are everyone’s
first line of defense against hackers, worms, ID theft, organized crime, and a litany
of other nefarious individuals who would like nothing better than to steal your
identity, your health history, money, business financial data or even or your
life.
Hackers
are well organized. Many operate under
organized crime groups and, whether you believe it or not, your data is worth
lots of money to them.
If you
are a network administrator who is responsible for a business network and you
have not done so already, you should immediately go into your network server
and change the password requirements to require secure passwords: This includes requiring passwords with a
minimum length of 8 characters – 12 is preferable; the inclusion of upper case,
lower case, numbers and special characters, and setting your network to allow
only 3 invalid login attempts before you lock out a user’s password for a
specific amount of time after the maximum number of bad password attempts have
been reached. If you don’t know how to
do this, contact me and I
will be glad to consult with you.
Whether
you are an end-user or an administrator, every computer, every laptop, every tablet, every SmartPhone, in fact, every device you use to connect to the internet has
the capability to set a password which must be entered prior to accessing the
device.
If you
have not already done so, you should set a password on these devices as soon as possible. Even if your computer is only
used at home, or your SmartPhone is a personal device, it should still be
password protected.
The
password you choose to protect your Internet connected device is one of the
most important decisions you will ever make.
Choose a Secure Password: Passwords are your first line of defense in setting up your protection
against fraud and the loss of confidential information, but few people choose passwords that are truly secure.
Make your password as long as possible: The longer a password is, the harder it is to guess or to find by
trying all possible combinations (IE: via a brute force attack). Passwords of
14 characters or more are vastly more difficult to crack than a password of 6
or 8 characters.
Use different types of characters: Include numbers, punctuation marks, symbols, and uppercase and
lowercase letters.
Don’t use words that are in
dictionaries: Don’t use words, names or place
names that are usually found in dictionaries. Hackers frequently use a
dictionary attacks (IE: trying all the words in the dictionary automatically)
to crack these passwords.
Don’t use personal information: Others are likely to know information such as your birthday, the name
of your partner, spouse or child, or your phone number, and they might guess
that you have used them as a password.
Don’t use your username: Don’t use a password that is the same as your user name or account number. Well written software should be
set to disallow this by default.
Use passwords that are difficult to
identify as you type them in: Make sure that you don’t use
repeated characters or keys spaced too close together on the keyboard.
Consider using a passphrase: A passphrase is a string of words, rather than a single word. Unlikely combinations of words can be hard to guess.
If your password is “bicycle” because you like to get out and exercise when you have
time, consider using “I like to cycle on
warm spring days”.
You can further
enhance this passphrase with, “1 liK3 2
psychle on w0R^^ $pr1n& daZe”.
Experiment with your password or pass phrase, and you will come up with
something which is hard to guess and easy to remember.
Try to memorize your password: Memorize your password rather than writing it down.
Use a string
of characters that is meaningful to you, or use mnemonic devices to help you
recall the password. There are good free programs available that will
help you manage your passwords.
While not
my first choice, if you have problems remembering passwords, you can use password management programs to help you choose unique passwords, encrypt them, and
store them securely on your computer. Examples of respected programs include KeePass,
and, 1
Password.
Remember, these programs will require a
password to keep the passwords you store in them safe so make certain you
choose a SECURE master password!
If you must write down your password, keep
it in a secure place: Don’t keep passwords attached to
your computer or in any easily accessible place. Put written password lists in a locked filing cabinet, drawer or safe - to which only YOU have access.
Use different passwords for each
account: If a hacker cracks one of your
passwords, at least only one account has been compromised.
Don’t tell anyone else your password: If you receive a request to confirm your password, even if it appears
to be from a trust worthy institution or someone within your organization, you should never disclose your password.
If
your organization has an IT support desk, immediately notify them of such a
request. If not, then let your
supervisor or boss know who requested your password and under what circumstances
it was requested so they can investigate.
Don’t use your password on a public
computer: Don’t enter your password on a
publicly available computer (IE: in a hotel or internet café). Such computers
may not be secure and may have keystroke loggers installed.
Change your passwords regularly: The shorter or simpler your password is, the more often you should
replace it.
NEVER save your password on any
computer using your browser’s “save my login information” capability.
All browsers store this information in either unencrypted, or easily hacked, formats.
Anyone who has access
to the computer potentially has access to your usernames and passwords if they
are stored in a browser.
If you regularly access eBay or
PayPal, check out their enhanced security options: You can either purchase a card or fob which presents you with a
single-login authorization code – to be used in conjunction with your username
and password, or link your SmartPhone to your account and they will send a
unique code to be entered every time you log in.
This will give you the flexibility to securely
login to those services from shared computers, so long as you DO NOT check the
KEEP ME LOGGED INTO THIS COMPUTER for 24 hours box on eBay.
To learn
more about the new Security Key options for PayPal and eBay, log into your
PayPal account and search for Security Key.
Then select the option for “PayPal’s Security Key: More Protection for
your Account"
Computer security is everyone's responsibility. Security, whether on a computer, tablet, SmartPhone, or other device, starts with the PASSWORD.
By using SECURE PASSWORDS, you will create a first line of defense in the ongoing battle against hackers and others who want access to whatever it is you are storing and viewing!
EDIT: 2012 01/28: 11.58 CST: Wisconsin Department of Consumer Protection Advises Password Security on Smart Phones and Tablets.
See: http://www.channel3000.com/technology/30322506/detail.html
Computer security is everyone's responsibility. Security, whether on a computer, tablet, SmartPhone, or other device, starts with the PASSWORD.
By using SECURE PASSWORDS, you will create a first line of defense in the ongoing battle against hackers and others who want access to whatever it is you are storing and viewing!
EDIT: 2012 01/28: 11.58 CST: Wisconsin Department of Consumer Protection Advises Password Security on Smart Phones and Tablets.
See: http://www.channel3000.com/technology/30322506/detail.html
================================================
If you have any questions, or are looking for hosted solutions, please feel free to contact me.
Copyright © 2012, Bruce Barnes, ChicagoNetTech Inc, All Rights Reserved