Posted by & filed under General, Hot Topics.

Online password security needs updated advice

Online password security and protection – what’s the latest advice?

Every time there’s a breach (think Ashley Madison where 11 million encrypted passwords were decoded) there’re calls for password tightening, heightened security, more frequent changes and more complicated passwords.

However, hackers can just keep churning until your password is hacked, especially if they can add in your free social media data to help – favourite foods, first pet, primary school, date of birth/marriage/whatever.

The problem with any password system is twofold – a) creating something that is hard to guess and b) remembering it along with lots of passwords for other sites.

Latest UK Gov Advice

They reckon the average UK citizen has 22 online passwords to remember! To say that we’re suffering online password overload is an understatement.

Experts also say that we are lulled into a false sense of security if we believe we’re safe with so many passwords.

The Government’s spy agency GCHQ has published Password Guidance: Simplifying Your Approach recommendations which challenge common and outdated ideas about password security.

The report summarises how online password security is breached:

  • Attackers use many techniques to discover passwords, including: social engineering eg phishing; coercion
  • manual password guessing, using personal information such as name, date of birth, or pet names
  • intercepting a password as it’s transmitted over a network
  • ‘shoulder surfing’, observing someone typing in their password at their desk
  • installing a keylogger to intercept passwords when they’re entered into a device
  • searching an enterprise’s IT infrastructure for electronically stored password information
  • brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found
  • finding passwords stored insecurely, such as handwritten on paper and hidden close to a device
  • compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords

Straightforward Online Password Tips

The BBC’s Technology reporter Chris Foxx discussed the issue by quoting Dr Steven Murdoch of the Department of Computer Science at University College, London, who said ‘secure systems should not just rely on a single password, but have additional technical controls which the system owner can use to detect abnormal behaviour and protect the user’s account.’

These are the tips from the Government report:

  • Tip 1: Change all default passwords

Immediately change factory-set default passwords, particularly in routers, wireless access points and firewalls.

  • Tip 2: Help users cope with password overload

Don’t share passwords, re-use them, or write them down.
Only use passwords where they’re really needed.
Use technical solutions to reduce the burden on users.
Allow users to securely record and store their passwords.
Only ask users to change their passwords on indication or suspicion of compromise.
Allow users to reset passwords easily, quickly and cheaply.
Password management software can help users, but carries risks.

  • Tip 3: Understand limitations of user-generated passwords

User-generated password schemes are more common, cheaper and quicker than machine-generated ones. Most dictionaries for brute-force attacks prioritise frequently used words and character substitutions.                                                                 Technical controls to defend against automated guessing attacks are far more effective than relying on users to generate (and remember) complex passwords.
Put technical defences in place so that simpler password policies can be used.
Reinforce with good user training. Steer users away from choosing predictable passwords, blacklist most common.
Never re-use passwords between work and home.
Be aware of the limitations of password strength meters.

  • Tip 4: Understand limitations of machine-generated passwords

Machine-generated passwords can produce passwords that are fairly easy to remember, but often they’re not.
Account lockout, throttling or protective monitoring are still relevant when using machine-generated passwords.
Choose a scheme that produces easy to recall online passwords.
Offer a choice of passwords, so users can select one they find memorable. Examples of these include passphrases, 4 random dictionary words, and CVC-CVC-CVC style passwords (cvc = consonant-vowel-consonant).
Never re-use passwords between work and home.

  • Tip 5: Prioritise administrator and remote user accounts

Administrator accounts with highly privileged access to systems and services are often a threat to the wider system, so are  attractive to attackers.
Administrators must use different passwords for their administrative and non-administrative accounts.
Do not routinely grant administrator privileges to standard users.
Consider implementing two factor authentication for all remote accounts.
Make sure that absolutely no default administrator passwords are used.

  • Tip 6: Use account lockout and protective monitoring

Account lockout, throttling, and protective monitoring are powerful defences against brute-force attacks – limited attempts to enter password before account locked and time delay between successive login attempts – known as ‘throttling’.
Allow users limited login attempts before locking out.
Password blacklisting works well.
Protective monitoring is a powerful defence against brute-force attacks.
When outsourcing, contractual agreements should stipulate how user credentials are protected.

  • Tip 7: Don’t store passwords as plain text

Periodically search systems for password information stored in plain text.
Produce hashed representations of passwords using a unique salt for each account.
Store passwords in hashed format, produced using a cryptographic function capable of multiple iterations (such as SHA 256).
Ensure you protect files containing encrypted or hashed passwords from unauthorised system or user access.
When implementing password solutions use public standards, such as PBKDF2, which use multiple iterated hashes.

Related blogs:

Oh No! Another Hacker Danger to Worry About, 26 May 2015

Passwords and Passcodes Are Too Much to Swallow These Days, 16 July 2013

Image: Intel Free Press