Are Your Password Habits on Par?
October 08, 2013
FishNet Security is joining the National Cyber Security Alliance, the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center for National Cyber Security Awareness Month. Now in its tenth year, NCSAM is a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.
Are your login credentials a bit funky? Not Bootsy Collins funky, but bottom of your farm boots funky? Have a seat, let’s talk.
This topic is, of course, much larger than Network Security. It’s part of security as a whole at the cellular level. Poor password habits on networking equipment can carry a nuclear payload if exploited. Total infrastructure pwnage.
You won’t just lose control of the device that’s been snatched from your clammy hands. You’ll lose control of everything that goes through it, too. What passes through your firewalls? All your organizational traffic. All. Of. It.
What to do, what to do…
Bad password hygiene can take many forms. Let's cover a few of these in more detail. And let’s make it a game. We’ll call it Credential Golf, the lower your score, the better off you are.
Fix: Disconnect it, flash the ROM and sell it on eBay in “as is” condition. Do not pass go, do not collect a red stapler. Add 8 strokes.
- Simple passwords - Okay, at least you changed your passwords. But you changed them to something six characters or fewer, or with all the letters in the same case. Without getting into factorial math, let’s just say there is a finite number of six-character passwords, and they are all known. You get a pat on the head for at least trying.
Fix: Make ‘em longer, make ‘em stronger. Eight characters is a start, but you make guessing/bruting/cracking/hashing more difficult with each character you add. 16 characters is a good length to shoot for. Use a random mix of upper and lower case, numbers and special characters. I still believe in correcthorsebatterystaple-style passphrases as well. Lengthy passphrases are less effective against GPU hashing, but good for many uses nonetheless. Add 3 strokes.
- Easy-to-guess passwords - If your passwords involve any of the following elements, you’re busted: birthdays, company names, vendor names, product names, addresses, pet names, password123, qwerasdf, 1234567890, etc.
Fix: At least include some special chars or something, sheesh. Add 2 strokes.
- Serialized passwords – Do you find it easier to use just one password for all your accounts? That does simplify things greatly, and frankly, I can identify with you. I can only throw small rocks of hypocrisy on this one. But, it is still a bad habit. The fact is, if you or I use the same username and password on one site, and those become known, attackers will try to use them on other common sites.
Fix: Don’t use any password in more than one place. Add 4 strokes.
- Passwords saved in insecure places - This one is a killer because people are just so dang clever about it. Here are a few common ones off the top of my head: on a post-it note, under your keyboard, on a slip of paper in your desk drawer, in a plain-text file saved on your workstation, in an Excel file on a network shared drive, in a saved email, in your purse/wallet, in your phone or in one of these. If you have unencrypted passwords in any of these places, it’s like putting your prized poodle on a hook and dangling it over shark-infested waters. To be fair, the sharks do not have laser beams on their heads. Laser or not, they will devour your dog.
Fix: Never save passwords in unencrypted format. At a very minimum, use AxCrypt or a similar solution to encrypt your saved password files if they don’t have built-in encryption. Add 8 strokes, unless you named your dog Chum, in which case, just add 7 for your macabre self-awareness.
- Bad ideas I haven’t even thought of yet - The pioneer spirit is alive in all of us and given boundless time, a few shakes of creativity, a dash of laziness and a bent for not thinking things through, or perhaps just naivety, I’m confident new and astounding ways will be found in which passwords can be mismanaged. Perhaps you can be the bad-password Neo. Point values to be determined.
Score Card Check
Let’s see how you did. Add up all your offenses, and see where you land:
0-3: You are well on your way to not having to explain a massive breach. Keep it up!
4-7: Your heart is in the right place, we just need to fix you up a bit.
8+: Password overhaul needed. Don't say we didn't warn you.
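The Credential Golf rules above, turned into a small audit you can run over an inventory of device credentials. This is an added example and not code from the original post or from FishNet Security; the stroke values and the 0-3 / 4-7 / 8+ bands are the post's, while the flagged fragments, the "acme" company name and the sample inventory are constructed placeholders. `keyspace_bits` also puts numbers behind the "six characters are all known" point: about 39 bits of search for 6 printable characters versus about 105 bits for 16.

```python
import math
from collections import Counter
# Strokes per bad habit, from the post's Credential Golf rules.
STROKES = {"simple": 3, "easy-to-guess": 2, "reused": 4}
# Flagged fragments from the post; "acme" is a constructed company name.
WEAK_FRAGMENTS = ("password", "qwer", "asdf", "1234", "acme")
CHARSET_SIZE = 95  # printable ASCII: upper, lower, digits, specials

def is_simple(pw):
    """Six characters or fewer, or letters all in one case."""
    if len(pw) <= 6:
        return True
    return not (any(c.islower() for c in pw) and any(c.isupper() for c in pw))

def is_easy_to_guess(pw):
    """Contains a flagged fragment or a date-like run of 6+ digits."""
    low = pw.lower()
    if any(frag in low for frag in WEAK_FRAGMENTS):
        return True
    run = 0
    for c in low:
        run = run + 1 if c.isdigit() else 0
        if run >= 6:  # e.g. 070482 or 19840704 (a birthday)
            return True
    return False

def keyspace_bits(length, charset=CHARSET_SIZE):  # log2 of brute-force candidates
    return length * math.log2(charset)

def credential_golf(creds):
    """Score (account, password) pairs; one penalty per habit found."""
    habits, seen = {}, Counter(pw for _, pw in creds)
    for account, pw in creds:
        if is_simple(pw):
            habits.setdefault("simple", []).append(account)
        if is_easy_to_guess(pw):
            habits.setdefault("easy-to-guess", []).append(account)
        if seen[pw] > 1:
            habits.setdefault("reused", []).append(account)
    score = sum(STROKES[h] for h in habits)
    band = "0-3" if score <= 3 else ("4-7" if score <= 7 else "8+")
    return {"score": score, "band": band, "habits": habits}
# Constructed sample inventory; no real devices or passwords.
SAMPLE_CREDS = [
    ("core-switch-01", "switch"),        # simple: 6 chars, one case
    ("edge-firewall", "Acme2013!"),      # easy-to-guess: company name
    ("vpn-admin", "Summer2013"),         # reused ...
    ("wiki", "Summer2013"),              # ... on two accounts
    ("backup-nas", "T7#qLm2v!wZ9p@Rd"),  # 16 random chars: clean
]
```

Running `credential_golf(SAMPLE_CREDS)` scores the sample inventory at 9 strokes (simple + easy-to-guess + reused), which lands in the "8+: Password overhaul needed" band.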
Just for some perspective: this non-exhaustive list only targets good old fashioned single-factor passwords, which, as we know, are about as safe as a gravy-drenched lamb at WolfCon. Single-factor authentication will always have weaknesses due to the static nature of the credential. But, if they must be used, password management tools are the best option for using single-factor credentials. I prefer KeePass, but there are apparently around 241,000,000 other options according to Larry Page.
To use a password manager optimally, follow these guidelines:
- Choose the longest, most complex password the system will allow.
- Use a random password generator.
- Use different passwords for each site or application.
- Use a long, strong, memorable master passphrase to lock the database – no shorter than 16 characters.
- Save your database in at least two places. In theory, the database file is useless without the passphrase, but I wouldn’t suggest posting it to Facebook.