NCSAM post 2–passwords
National Cyber Security Awareness Month is October, and after a brief interruption, I’m continuing my series of posts that dump out some of the basic parts of security that make all the advanced stuff worthwhile.
Passwords are quite a challenge for many people, because they embody a number of things that people are bad at.
- Uniqueness
A password should be unique, or at the very least sufficiently unusual as to be unguessable. It should also be different from passwords you use at other sites or applications.
- Randomness
We know that a good password is not predictable, and is generally best when it is chosen at random, rather than using any kind of pattern that might be guessed.
- Unpredictability
We’re all predictable by those that know us best. So a password has to be something that we made up ourselves, but that no one can imagine that we would make up.
- Length
The longer you can make a password, the better – but then you have to type it. Practice typing your password quickly. Resist the temptation to use a password made of letters close to one another on the keyboard, because those are words that are guessable. Strange as it may sound, it’s easier to make a password more secure by making it longer than it is to do so by adding funky characters.
- Secrecy
You shouldn’t share your password with anyone else. You should strongly question anyone who tells you that they need your password. In general, they don’t need it. If they are sufficiently powerful technical support folks, they won’t need your password, and if they aren’t sufficiently powerful, why are you asking them for help?
What is a password?
A password is a proof of identity. It confirms, or validates, who you have already claimed to be. It’s a secret quantity, and the operating system and applications you use spend significant effort to keep that password secret.
What isn’t a password?
Your username, by contrast, is a claim of identity – it’s who you are claiming to be. Your username is not a secret part of your security, just as your name isn’t a secret. It’s all over the place, in public places, and even if you spend the effort to go “off grid”, or to hide your name from the phone books, nobody else is geared up to help you with that process. Similarly, the operating system and applications will not try to hide your username.
This is why renaming the Administrator account, or generating usernames from random sequences of letters and numbers, will not increase security as significantly as the simple act of extending the minimum length of passwords.
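To show what “keeping the password secret” looks like inside an application, and why the username needs no such protection, here is an added example that is not code from the original post. The stored record keeps the username in the clear (a claim of identity) and never stores the password itself (the proof of identity), only a per-user random salt and a slow, salted PBKDF2 hash derived from it. The username, the sample password, the iteration count and the salt length are this example’s own constructed choices.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the post): a 16-byte random salt
# and an iteration count in line with common PBKDF2-HMAC-SHA256 guidance.
ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(username: str, password: str) -> dict:
    """Build the credential record an application would store.

    The username is a claim of identity and is kept in the clear, just like a
    name in a phone book. The password is the proof of identity and is never
    written down: only a fresh random salt and a slow hash derived from the
    password and that salt are stored.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "username": username,
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": digest.hex(),
    }


def verify(record: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored record without ever recovering the password."""
    # The username is not secret, so an ordinary comparison is fine here.
    if record["username"] != username:
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    # Constant-time comparison so response timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    rec = make_record("alice", "correct horse battery staple")
    print(rec)  # the password text appears nowhere in the stored record
    print(verify(rec, "alice", "correct horse battery staple"))  # True
    print(verify(rec, "alice", "Correct horse battery staple"))  # False: case matters
```

Because each record carries its own salt, two users who happen to choose the same password end up with different stored hashes, and the slow hash means that even someone who steals the record has to spend real effort per guess rather than simply reading the password off the disk.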
What’s like a password?
There are many other concepts that are like a password, such as private keys on a certificate, or the combination to a safe, the key to a drawer or a door.
What’s not like a password?
Other things that you’d think are like a password, but aren’t, include:
- Social Security Number
This is an identifier. You share it with every organisation that collects taxes or reports on your taxes. Although many companies may behave as if this is a secret like a password, it’s not randomly selected, it’s not unpredictable, it’s short, and it’s shared with a large number of people and organisations. It’s certainly something that companies should keep private, but that’s largely because enough organisations treat it as a secret proof of identity that the exposure of an SSN is enough to allow for ‘identity theft’.
- Credit Card Number
Again, although everyone, including the credit card companies, treats this as a secret, it’s a secret that you give out to everyone with whom you do business. Some credit card companies provide the ability to generate temporary or single-use card numbers, which allows you to reduce how many people have your true card number.
How should I protect my password?
There are numerous password protection and storage programs, for users and for enterprises. The words used to describe these programs are generally things like “safe” or “vault”. Using these programs will allow you to have large numbers of different passwords, which is only a good thing.
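The arithmetic behind the earlier claim that length beats funky characters, together with the kind of random, unique password a vault program generates for each site, as an added example that is not code from the original post. The alphabets, the policy comparison and the keyboard-row check are constructed for illustration; the entropy figure is simply length × log2(alphabet size) for a uniformly random choice.

```python
import math
import secrets
import string

# Constructed alphabets. The symbol set is a representative sample, not any
# particular site's policy.
ALPHABETS = {
    "lowercase": string.ascii_lowercase,                                        # 26
    "mixed_case": string.ascii_letters,                                         # 52
    "alnum": string.ascii_letters + string.digits,                              # 62
    "alnum_symbols": string.ascii_letters + string.digits + "!@#$%^&*()-_=+",   # 76
}

# QWERTY rows used to spot passwords typed as a run along the keyboard.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def policy_comparison() -> dict:
    """Entropy of a few policies: adding four plain letters beats adding symbol classes."""
    return {
        "8 chars, letters+digits+symbols": entropy_bits(8, len(ALPHABETS["alnum_symbols"])),
        "12 chars, lowercase only": entropy_bits(12, len(ALPHABETS["lowercase"])),
        "16 chars, lowercase only": entropy_bits(16, len(ALPHABETS["lowercase"])),
    }


def generate_password(length: int, alphabet: str = ALPHABETS["alnum"]) -> str:
    """Generate a password the way a vault does: from the OS CSPRNG, never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_keyboard_run(password: str) -> bool:
    """True if the whole password is a straight run along one keyboard row (either direction)."""
    p = password.lower()
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


if __name__ == "__main__":
    for policy, bits in policy_comparison().items():
        print(f"{policy:35s} {bits:5.1f} bits")
    print(generate_password(16))          # a fresh, unique password for one site
    print(is_keyboard_run("qwerty"))      # True: guessable keyboard pattern
    print(is_keyboard_run("asdfgh"))      # True
```

Running the comparison shows eight characters drawn from letters, digits and symbols give just under 50 bits, while twelve lowercase letters give about 56 bits and sixteen give about 75; the extra length costs more keystrokes but nothing in memorability of shift-key gymnastics. A vault lets you stop caring about memorability altogether, so every site gets its own long random string.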
Imagine that one of your web sites gets a vulnerability, or has an administrator go bad. They could steal your password – but only for that site. Do you use that password for any other site? Now that most sites use email addresses as identifiers, it’s very tempting to use the same password as the one for your email account itself, but that would mean that anyone who stole your password from one web site would have access to all your other web sites, and your email as well.
Next, and I know this goes against what many people will tell you, you need to write some passwords down on a piece of paper.
First, we all carry around a device whose job is to protect small pieces of paper from falling into other people’s hands – it’s called a wallet, or a purse, and we’re all well-used to protecting those small pieces of paper in this fashion. Put a value on each of your passwords, and use this to decide whether to carry it in your wallet, or leave it in the safe, or put it in a safe deposit box.
Second, there will come a time when you have forgotten a password. In a work situation, there are generally easy ways to get your password reset, and you probably won’t lose a whole lot of data as a result. But for your home life, there’s rarely a good recovery store or process, and it will save you time if there’s a lock-box you can go to in order to recover your precious secret.
True story – a friend of mine had an accident that gave him a fractured skull and left him in a dubious state of consciousness for many weeks. He never remembered the passwords he had before the accident, and as a result, had to wipe out several machines rather than log on to them and recover them. He hadn’t written the passwords down or stored them in a safe deposit box, so his family and friends could not maintain his systems for him while he was ‘out’. He even lost his domain name to some domain squatters (though his friends very nicely bought it back for him).
Think about what access you would lose in a similar situation – or what access your family would lose.
Don’t share your passwords, or at the very least, make sure that there’s no easy way for someone to have your passwords and access to use them.
A safe-deposit box, or some other device that can only be retrieved if you are killed, or incapacitated in some way, is really the only place to make your high-value passwords accessible to others.
If you share your passwords with other people, you immediately move any investigation into your computing behaviour from the realms of “innocent until proven guilty” (it couldn’t be you, because your account wasn’t being used) to “guilty until proven innocent” (not only were you disobeying rules by sharing your password, but the activity was traced to your account, making it incredibly difficult for you to prove it wasn’t you that controlled the account at the time).
Finally, and this is especially true if you are writing down passwords, you need to have a plan for changing your passwords in an emergency, and you need to exercise this plan regularly. This means you need to know how to change passwords, write down details of how to change passwords (except in the most obvious cases), and you need to make sure that your understanding of how to change passwords is still accurate.
I personally think that this is the biggest reason that you need to change your passwords regularly – although, if you are the sort of person who wantonly shares passwords, the fact of sharing passwords with another person is reason enough to frequently change them.