Passwords…Are they needed?

Tuesday, April 06, 2010

Katie Weaver-Johnson


This week I received an e-mail from a friend of mine saying he was in the UK to visit his ill sister and needed to borrow money…perhaps many of you have received an e-mail like this too?  In reality, my friend’s e-mail account had been hacked and the e-mail was a hoax.

Also this week, I was part of a Board meeting where we were talking about Internet security and e-mail security, and I mentioned that my friend’s e-mail account had been hacked and described the story within the e-mail. Interestingly enough, nearly everyone in the meeting had seen a version of the e-mail, and a couple had experienced the pains of having their e-mail account hacked.

I took the opportunity to ask how many people in our Board meeting were using “strong passwords” to protect their e-mail account.  Everyone in the meeting looked at me like I had just asked them to figure out how many cubic feet there are in the universe.

I quickly explained that a strong password is a combination of letters, numbers and special characters that makes it much more difficult for hackers to guess the password and take over their e-mail, and I gave them a couple of examples too. For example:

“Beer Man” could become a strong password with these changes:  B33R m@n

“SpaceShip” could become a strong password with these changes: Sp@ce5hip

Lessons learned continue to show how a lack of awareness can be very costly.

For more password lessons learned check out this recent survey:

http://www.theregister.co.uk/2010/03/30/password_security_still_pants/

Tags: Security Awareness, Privacy, Passwords, scams
Ian Barrs: Bit of an odd title, but a good, and very true, article. The scary thing is, it's rife amongst the most senior bodies of a company, and often they manage to get administrator rights to their machine (which is simply terrible administration, but a one-man IT staff often gets kicked around by the senior execs in an SMB).

Your article goes hand-in-hand with one recently published on my blog, soon to be copied here. http://blog.ianbarrs.co.uk/draft-data-security-its-a-responsibility-not

I look forward to reading more of your posts.
Gary Baribault: Excuse my corrections, but replacing 'e' with '3' and 'a' with '@' wouldn't slow down a password cracker for a single picosecond! These are standard replacements executed by John the Ripper or any other password guesser. Replacing 'i' or 'l' with '1', or 's' with '$', is no better. Please do a Google search on strong passwords and read up. A typical good strong password would involve taking a phrase and using the second letter of every word, adding one of '*&$!#' somewhere in the middle of the password, and ensuring that the result is at least 8 characters in length. The next month, repeat the process but use the third or last letter of the words in the phrase, and don't use the same phrase. Also, most people add the special character first or last; try to avoid that by putting it near the middle of the password.
Cr00zng Around: Passwords are still necessary for lack of a better, or more accurately a financially feasible, option. Yes, there are other authentication methods; however, they don't come cheap, and you certainly won't get biometric, fob, etc., authentication from free web-based e-mail companies. For that matter, most corporations in the US don't implement them either.

As corporations are required to implement strong passwords, due to SOX, HIPAA, etc., not to mention local laws, these standards may trickle down to some of the employees' home accounts as well. The likelihood of that happening is rather small, but one can hope.

The problem with passwords is that an average Internet user probably has about 25 account names and passwords. Managing that many accounts with their different password policies is not easy. Most certainly the owner of the account will take the path of least resistance and use whatever he/she can get away with.

Gary is also correct that most password crackers, if not all, make provision for replaced letters and will substitute the "a" with "@", for example. As stated earlier, this is just a speed bump in cracking passwords. For a password cracker to work, however, it needs to have a hash of the password. If the hash can be easily obtained, then you have a more serious issue than worrying about the password cracker.

Rod MacPherson: Gary is right that standard L337 spe@k substitutions are not going to slow down a password cracker all that much, but it's still a big leap forward for folks who are still stuck on passwords like 123456, PAssWOrd, their dog's name, their wife's birthdate, or the like... and yes, there are a lot of folks in that category still.
Little steps. First we get people used to the idea that there are 4 basic character types (upper, lower, digits and special characters) and that they should have all of those types in their password, thus getting them out of the realm of easy-to-guess passwords; then we work on creating hard-to-crack passwords.
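Editor's added illustration of Gary's point about substitution rules and Rod's four character classes, applied to the post's own examples "B33R m@n" and "Sp@ce5hip". This is not code from either commenter or from John the Ripper: it enumerates every case and leet-substituted spelling of a base word (a small subset of the mangling rules a real cracker ships with), reports how many extra bits of work that adds, and checks which of the four character classes a candidate contains. The substitution table and the mini wordlist are constructed for the example.

```python
"""Why leet-speak substitution barely slows a cracker (illustrative, added)."""
import itertools
import math
import string

# Constructed substitution table: the "standard replacements" crackers apply.
LEET = {
    "a": ["@", "4"],
    "e": ["3"],
    "i": ["1", "!"],
    "l": ["1"],
    "o": ["0"],
    "s": ["5", "$"],
    "t": ["7"],
}


def _options(ch):
    """All forms a cracker would try for one character of the base word."""
    if ch.isalpha():
        return [ch.lower(), ch.upper()] + LEET.get(ch.lower(), [])
    return [ch]


def leet_variants(base):
    """Every case + leet-substituted spelling of `base` (a plain dictionary word)."""
    return {"".join(p) for p in itertools.product(*(_options(c) for c in base))}


def extra_bits(base):
    """Bits of work the substitutions add on top of guessing `base` itself."""
    return math.log2(len(leet_variants(base)))


def char_classes(password):
    """Which of the four classes (upper, lower, digit, special) appear."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def mangled_from(password, wordlist):
    """Return the dictionary word `password` is a mangled form of, or None."""
    for word in wordlist:
        if password in leet_variants(word):
            return word
    return None


# Constructed mini wordlist; a real run walks a multi-million-word list.
WORDLIST = ["beer man", "spaceship", "password", "letmein"]

if __name__ == "__main__":
    for pw in ["B33R m@n", "Sp@ce5hip", "P@ssw0rd"]:
        base = mangled_from(pw, WORDLIST)
        print(f"{pw!r}: classes={sorted(char_classes(pw))} "
              f"mangled_from={base!r} extra_bits={extra_bits(base):.1f}")
```

Both of the post's examples pass the four-class check yet fall inside the variant set of a single dictionary word: "spaceship" has 12288 case/leet spellings, under 14 bits on top of the word itself, so a cracker trying rules against a wordlist reaches "Sp@ce5hip" almost as quickly as "spaceship".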
Rod MacPherson: The other thing that users should be made aware of is password keepers.

It's surprising and fun to watch the little lights go on when you tell a room full of users about KeePass and the BlackBerry Password Keeper.

The realization that they don't need to have an easy to remember (and guess) password that they use for everything just so that when they come back to a website in 6 months they will be able to get in just hits them so quickly, and the smiles light up. The idea that they can file all of their passwords away ENCRYPTED so no one else can see them, on a device they are already carrying with them everyday, and never have to remember another password for some random obscure website again, is just so comforting.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.