Dec 182013
 

Nearly all of us use accounts on numerous web sites. Hopefully we are all paying attention to best practices as far as security goes and have a different password on each site – no I don’t always do that either!

Over time there has been numerous account leaks from web sites whose security measures have not always been as it should. Whilst some of us try to keep up with the news on such matters, it is hardly surprising that people may not be aware that their long forgotten account credentials on a web site have been disclosed.

The easy way of checking is to use a site like http://haveibeenpwned.com/ which allows you to enter an email address and find out whether it has had a password disclosed in the past.

What If My Account Was Compromised ?

The first thing to do is try and produce a list of sites whose password is likely to be the same as that of the compromised web sites. If you are anything like me, you may well have no idea on what those sites may be, so you may have to resort to producing a list of web sites whose account passwords may be the same as that of the compromised site.

Once you have that list, work through it and change the password for each one.

It is probably a good idea to :-

  1. Change the account password on every web site you use at least every 2 years. With any luck your appreciation of what makes a strong password will improve over time.
  2. Review the importance of each web site account you use. Sometimes people may set a weak password on an account they believe isn’t too important … and the importance of an account may well change over time.
  3. For web accounts that you no longer use, it is still worth changing their password. Set it to something insanely difficult (and store it in a password store such as KeePass).
Oct 262011
 

I needed a password eight characters long so I picked Snow White and the Seven Dwarves.

Password security and the need for strong passwords (as required by the University Password Policy) is being promoted at the moment, for a variety of reasons. Not least is that a number of security incidents relating to weak passwords have come to light over the last few months. Passwords are tedious to generate, difficult to remember, and not even a particularly good solution to the problem of authentication, but unfortunately we are somewhat stuck with them. And despite the best efforts of those trying to provide single sign on solutions, the number of passwords we have seems to be increasing. Whilst we are concerned mainly with the security of University accounts, these tips also apply to your own private account passwords. Everyone keeps banging on about the need for strong passwords, but why ?

Why Strong Passwords ?

The short answer is that weak passwords can be “guessed” by people whose business is compromising accounts. Not by actually guessing what a password is but by using automated tools for cracking passwords. There are two ways of “guessing” passwords with automated tools.

  1. By obtaining a “password hash”, an attacker can run through a list of candidate passwords and comparing the generated hash with that they obtained. If a candidate password generates a hash that matches a password hash obtained in some way, then the password is known. Password hashes can often be obtained by capturing network packets containing a login between a user and an application with weak security (and there are lots).
  2. By running through a list of candidate passwords and attempting to use an authenticated service, an attacker may be able to determine which are valid passwords.

When people hear about this, they often assume that the list of candidate passwords is quite small because they can imagine how hard it would be to run through a list of candidate passwords. Actually it is surprisingly easy, and relatively fast. Especially considering how poor many passwords are. Attackers also operate with unusual dictionaries specially tuned for finding words used in passwords. Whilst it is possible that the word in your password is not in an attacker’s dictionary, it is unwise to assume that it is not there. Having seen some attackers dictionaries, I can tell you that you will be quite surprised just how many words (and in languages other than English) appear in such dictionaries. In addition, many of the simple transformations that have been historically used to make words less obvious – such as changing vowels for digits (“p3ssw0rd”) – are well known to the attackers, and password cracking software usually makes some attempt to try those transformations. In summary, almost any simple password based around a word (whatever kind of word!) can be counted as a weak password that an attacker can obtain relatively easily. Strong passwords are essential.

How To Remember Passwords

The standard advice for passwords is to remember them and not write them down. Generating strong and memorable passwords is a bit of an art (but certainly possible), but remembering dozens of even memorable strong passwords is not something that comes easily to many people. Not even me! Writing down passwords can be done safely if it is done properly. The classic mistake of writing down a password on a postit note and sticking to the underside of your keyboard is not the right method. The right method is to use an application (such as KeePass) which records passwords in a strongly encrypted file.

Don’t Share Passwords

This phrase has two meanings … Firstly account passwords should not be shared with other people. This inculdes but is not limited to :-

  1. Don’t email them when you are asked to.
  2. Don’t fill in a web form asking for your password if you received the link in an email (no matter how legitimate it looks).
  3. Don’t tell people what your password is when asked. No matter who asks.
  4. Avoid entering your password where people may be overlooking you. This may seem excessively paranoid when you are entering your password in your office, but it is not so paranoid when you are entering your password in a crowded cyber café.

Secondly, it is also inadvisable to share your passwords across multiple different systems. Your banking passwords should not be the same as your social networking passwords, which in turn should not be the same as your work password. This limits the amount of damage that can be caused by one password being compromised.

So How Do I Generate A Strong Password ?

There are many, many different pages suggesting how you might generate a strong password. There are even cartoons :- (Source: XKCD) Whatever method you use, you need a method that works for you. However our suggestion is a variation on the method suggested above :-

  1. Pick three to four words of at least three letters in length.
  2. Capitalise one of the letters in some of the words … and the first letter is not a good choice.
  3. String the words together with a random punctuation symbol (“-”, “=”, “+”, “@”, “#”, etc.). There is no need to use different symbols; just pick a favourite symbol.

This leads to the kind of password that meets policy criteria (which more usually encourages passwords such as “zup12#$$9zz”), is easier to remember, and most importantly of all is strong. Some examples of the kind of password this generates include :-

  1. kift-bellow-bonE
  2. quick#purple#trumpeT
  3. optionS%Bullet%tree%gum
  4. kiN*Boggle*zap*Bug

These all look long and difficult to type; however in practice they are much easier than they look, and can be surprisingly quick to type.