
Sunday, 11 September 2011

Password Security

I admit it, my attitude to computer security has been blasé. I haven't used a Windows computer for several years, preferring a Mac. I'm in my own secure little world where viruses don't exist. Sure, there was MacDefender, but you have to be positively stupid to get that installed on your system - like downloading and running the installer. I don't do that kind of thing, hence I've not really been bothered with security worries.

However, I've begun to notice there is something a little scary going on - and maybe I need to start worrying a bit more.

First, there was the Sony hack that seems to have affected a wide variety of Sony sites, including the PS3 network. I'm not a PS3 user, but even I took notice on this one: Personal details of 77 million users stolen - including name, address, birth-date, password, credit-card details. The breach was so bad that Sony had to shut the system down for nearly a month to investigate and increase security. That's actually quite bad.

To top it, a selection of the stolen data was then published online as a kind of 'trophy'. That was quite interesting because it allowed some otherwise impossible analysis work. Troy Hunt blogged some fascinating analysis: 50% of passwords had only one character type, presumably a-z. Less than 1% had non-alphanumeric characters. Some people actually had "password" and "123456" as their password. Some even had just four digits - maybe their bank PIN codes? Not such a cool choice when the password database is hacked, stolen and posted on the internet! What was most fascinating (and probably not that surprising) is what was discovered when the stolen data was matched with previously hacked data. When a common user ID was found between the Sony hack and the previous Gawker hack, 67% of people had used the same password across the two unrelated services. Let's just dwell on that one: 67% of people were using the same password across multiple unconnected web accounts. When one gets hacked, the hacker gets your ID and password, which you are also using elsewhere, so they can access all your accounts. I think that proves we all need to be a bit more selective about our password choices - you don't want the bad guys getting ALL your passwords to ALL your accounts in one go.
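The kind of analysis described above, as an added example that is not from the original post or from Troy Hunt's work: it counts character classes per password, reports the share of single-class, special-character and four-digit passwords, and measures password reuse among user IDs that appear in two dumps. The two dumps are small constructed samples, so the percentages will differ from the real figures quoted in the post.

```python
# Added example: breach-dump composition and cross-dump reuse statistics.
# The two dumps below are constructed sample data, not real leaked records.
from typing import Dict, List, Tuple

SONY_DUMP: Dict[str, str] = {          # constructed: user ID -> password
    "alice": "password", "bob": "123456", "carol": "Tr0ub4dor&3",
    "dave": "4421", "erin": "sunshine", "frank": "Summer2011!",
}
GAWKER_DUMP: Dict[str, str] = {        # constructed: an earlier, unrelated dump
    "Alice": "password", "bob": "123456", "carol": "a-different-one",
    "gina": "letmein",
}

def char_classes(pw: str) -> int:
    """Number of character classes used: lower, upper, digit, other."""
    return (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))

def composition_stats(passwords: List[str]) -> Dict[str, float]:
    """Percentages of passwords with one character class only, with at
    least one non-alphanumeric character, and consisting of four digits."""
    n = len(passwords)
    one_class = sum(1 for p in passwords if char_classes(p) == 1)
    special = sum(1 for p in passwords if any(not c.isalnum() for c in p))
    four_digits = sum(1 for p in passwords if len(p) == 4 and p.isdigit())
    pct = lambda k: round(100.0 * k / n, 1)
    return {"one_class_pct": pct(one_class), "special_pct": pct(special),
            "four_digit_pct": pct(four_digits)}

def reuse_rate(dump_a: Dict[str, str], dump_b: Dict[str, str]) -> Tuple[int, float]:
    """Among user IDs present in both dumps (compared case-insensitively),
    return (number of shared IDs, percentage whose password is identical)."""
    a = {u.strip().lower(): p for u, p in dump_a.items()}
    b = {u.strip().lower(): p for u, p in dump_b.items()}
    shared = set(a) & set(b)
    if not shared:
        return 0, 0.0
    same = sum(1 for u in shared if a[u] == b[u])
    return len(shared), round(100.0 * same / len(shared), 1)

if __name__ == "__main__":
    print(composition_stats(list(SONY_DUMP.values())))
    print(reuse_rate(SONY_DUMP, GAWKER_DUMP))
```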

Think about your re-use of passwords across web sites. Are you absolutely sure of the provenance of every single site you've set up an ID on? It would be a relatively simple process to set up a supposedly legitimate site with the sole purpose of collecting email addresses and preferred passwords - according to the data we have, there's a very strong likelihood that 60-70% of the IDs and passwords collected would be identical to ones used by those same people on other sites. So, a few simple guesses and you're into people's bank, Facebook and Amazon accounts.

Maybe bad password practices shouldn't be a surprise. Back in 2003, The Register reported some decidedly dodgy security practices by office workers. Whilst 75% immediately revealed their password when asked (!), a staggering 90% revealed it when offered a cheap pen as a bribe! One interviewee said, "I am the CEO, I will not give you my password - it could compromise my company's information". He later said that his password was his daughter's name. When asked what his daughter's name was he replied "Tasmin". Hmmmmm. No wonder social engineering tricks are used so successfully by hackers.
Another recent hack: Citi, a pretty large US bank. This time accounts for 360,000 individuals were accessed. Stolen information included: names of customers, account numbers and contact information, including email addresses.
Then we have the RSA hack. RSA, owned by EMC, provides a lot of IT security and digital signature infrastructure. RSA was hacked, losing key information about its "SecurID" two-factor authentication tokens, which are used by 40 million people. At the time of the hack there was concern that the lost data meant the hackers might be able to generate the numbers SecurID uses as the basis for its security. Sure enough, this turned out to be a valid concern, with Lockheed Martin being hacked as a result and forcing RSA to offer to replace all SecurID tokens.
Next up, the IMF - yes, the International Monetary Fund. The exact nature of the breach hasn't been disclosed, but it was serious enough to cause the World Bank to sever all computer connections with the IMF.

Now for the really Big One: the UK 2011 Census. Only this one looks like it was a fake hack - i.e. the census didn't get hacked after all. But what if it had been hacked - look at all the data that would be released if it were. Scary!

But who are the "Bad Guys"? Maybe they aren't the archetypal hackers. Take a look at what the US Government has to say in its paper "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation": "The depth of resources necessary to sustain the scope of computer network exploitation targeting the US and many countries around the world coupled with the extremely focused targeting of defense engineering data, US military operational information, and China-related policy information is beyond the capabilities or profile of virtually all organized cybercriminal enterprises and is difficult at best without some type of state-sponsorship." Apart from the dreadful grammar and the enormous sentence, that's a fairly heavy hint that there are more than a few individuals probing our systems.

So what should you do?
1. Check if your email address is associated with a hack at
2. Choose secure passwords - here's a good way to choose passwords that are difficult to guess.
3. MOST IMPORTANT: Make sure you don't reuse the same password across multiple accounts.
4. As the combination of (2) and (3) means you have lots of different and probably hard-to-remember passwords, you are doomed without some way of managing them. Popular password managers include 1Password and KeePass - with solutions like these you only need to remember one password (but make sure that one is hard to guess!). I've just bought 1Password because it was on offer on the Apple App Store at 50% off, so it seemed a good bargain. It works well for me and helps me manage what had otherwise become an unmanageable security situation.

I for one am going to be looking more carefully at my use of passwords in the future. It does strike me that we are rapidly reaching the point where IDs and passwords are no longer valid security credentials. We need something much more sophisticated, which acknowledges that a human being cannot reasonably be expected to remember lots of unconnected passwords, each with obscure non-alphanumeric characters. I'm not sure I know the answer, but I do know we have a problem - and the IT industry is usually pretty good at filling gaps like these once it's clear there is demand for a solution. 1Password has solved the problem for me; I'm sure other solutions will emerge - they have to!
