Revised 06/22/2009 (V1.1)
I’ve been thinking about passwords lately due to recent cybercrime that involved default passwords, and phishing attacks on Facebook which stole passwords from users.
Stronger passwords have been repeatedly talked about by InfoSec personnel since time immemorial. We have repeatedly asked users to make stronger passwords, to the point that users are probably sick and tired of hearing the same thing. However, recent incidents show that we haven’t been effective enough since people still use simple or default passwords, probably because it’s thought to be inconvenient to make one — It isn’t — All it takes is a few extra minutes of your time and creativity.
Lockdown.co.uk** gives the following example of how long it takes to crack the following passwords using a dual processor PC:
darren = 30 seconds
Land3rz = 4 days
B33r&Mug = 23 years
Until two-factor authentication costs become less prohibitive — hopefully sooner than later (i.e. PhoneFactor is a new service which unfortunately charges $.14 per transaction for the Philippines) — we will have to rely on passwords for authentication.
I try not to rely on password programs which reside on my computer (i.e. Password Safe), but instead try to have strong passwords for each site.
Since the number one site in the Philippines is a Social Networking site, this will have a Social Networking slant (specifically Facebook).
Here are a couple of Tips:
First of all, DO NOT SHARE YOUR PASSWORDS, PUT IT ON A STICKY NOTE ON YOUR MONITOR (UNDER YOUR KEYBOARD, SEAT, ETC)
Now that the common sense ones are out of the way, on with the tips…
Use EV-SSL (Extended Validation SSL)
How: Mozilla Firefox address bar turns green on the left side. For IE, the whole address bar turns green.
Reason: Users who just click through warnings can actually be on a fake https site. EV-SSL makes it more difficult for phishers to fake a site. Also, the strongest passwords are useless if you’re already on a fake site.
Bookmark your favorite site, and use the keyword feature (for Firefox) or equivalent.
How: On your bookmark, right click on it and then left click on “Properties”. Type a few letters or a word in the “Keyword” category. For this example I used “fb” so that all I need type on the address bar are the letters “f” and “b” to access https://www.facebook.com.
Reason: This mitigates your risk of user error and saves you time. The 2nd reason stated for EV-SSL, also applies here.
Change some Browser Settings to not remember what are in forms, and not remember passwords for sites.
How: Mozilla Firefox: Go to Tools, Options, Privacy then uncheck, “Remember what I enter in forms and the search bar”; Go to Tools, Options, Security and uncheck, “Remember passwords for sites”. Additionally you might want to click on “Saved Passwords” in case there are already saved passwords in your browser that you may wish to delete.
Reason: Not showing your “Username” to any user on a particular computer is another layer of defense. There have also been some hacks in the past (though already mitigated) on how browsers store passwords.
Use Best Password Practice, which is typically composed of the following:
– Must be at least 8 characters.
– Must not be a dictionary word.
– Must be complex – (thank Microsoft for making this popular) at least 3 of 4 of the following: Uppercase character, lowercase character, number, special character)… my take is that use all 4.
– Change your password at least every 60 days.
– Do not re-use any of your passwords for at least a year.
– Do not have the same word or character/number order in your subsequent passwords.
– Use different passwords for different applications and different sites.
All of the above “Best Practices” can be a pain. Security Professionals are human and we also get annoyed by some or all of the above. So I’ll break this down on how this could be easier.
Must be at least 8 characters, Must not be a dictionary word*, Must be complex:
How: You can deliberately misspell words, or use a phrase then shortcut that phrase. For example, the sentence, “Jekyll is a big lying bastard with no integrity whatsoever” can become “jIaBlBwNiW”. Yes, I do realize that this is not complex, but bear with me. As you can see, uppercase and lowercase takes turns here so that it makes it easier for me to remember.
To include numbers, I will change “B” to “8” therefore making it, “jIa8l8wNiW”. You can also change numbers to letters (e.g. 06/19/2009 can be Og/Ip/Zoop) but of course you will have to come up with your own formula on what numbers and letters you can interchange.
And to put special characters in our shortened phrase, you can put a comma or a period somewhere there and you can make the big letter “I” to “!” to make it “j!a8l8,wNiW”. As with the above opinion on numbers and letters, you have to come up with your own formula for what special characters can be interchanged for letters and numbers (e.g. 06/19/2009 can be )^/!(/@))( which really looks nuts but that’s how it can look like).
I would personally not use the above examples since I don’t know a person named Jekyll, nor would I recommend leaving one finger pressed on the Shift key as one types what is essentially an all special character password that a shoulder surfer might easily be able to see — I have only given the above and below examples to show the thought process on how to make strong passwords.
Reasons: The unrelenting increases in processing power, also means it’s becoming faster and faster to break passwords. A PC Mag list from back in 2007 of the most common passwords are all woefully lacking in complexity. Aside from having a password that takes longer to break, being able to type complex passwords fast, with your fingers in the correct typing position and having to use the Shift key once every few characters, can actually mitigate the threat of shoulder surfing.
Change your password at least every 60 days, Do not re-use any of your passwords for at least a year, Do not have the same word or character/number order in your subsequent passwords:
How: Now this is definitely a bone-of-contention. To mitigate risk some Security Professionals would rather use long passphrases instead of passwords, than have to change their passwords every 60 days. I however, would rather change it. This totally depends on you because this is a much bigger pain that the one above. I would actually suggest writing down your password then putting it in a secure physical space, or if not, put a part of it in your phone or in your wallet. Emphasize on “a part” since if someone steals your phone or wallet, and knows your username, then bye bye to privacy in your account.
Use different passwords for different applications and different sites:
How: What some InfoSec people do, is use something site specific built into their password. For example one can use a complex iteration of their birthday (I’ll use Jose Rizal’s) “June 19, 1861” to “dYun!9,eS1”; and then append it to what one may change the word “Facebook” to, “p@c3sbuks” — to have the really long password of “dYun!9,eS1p@c3sbuks”. You could also of course put “p@c3sbuks” in the middle or in front of your password.
Reason: I included this because a Sophos report states that about 33 percent of people in their survey use one password for everything they have. A Gartner survey done in September 2008 says that 2/3 (66%) of their survey respondents use only 1 or 2 passwords for all the websites they use.
Other things NOT TO DO:
– Don’t use your name or part of your username in your password.
– Don’t use multiple spaces, multiple repeating characters or numbers that are beside each other
– Don’t use any information that is readily identifiable (i.e. name of kids, spouse, girlfriend, etc)
– Don’t use letters or numbers beside or near each other on the keyboard
So that does it for Passwords.
A note on Security Questions:
Deliberately give something false that you can always remember. One wouldn’t want to be the victim of a Sarah Palin like attack wherein the attacker just searched for publicly available information about her to answer the security question that enabled him to access her e-mail. An example would be, “What is your Mother’s Maiden Name?” Your answer could be, “Sorry but I don’t talk to strangers” or some other phrase or sentence that doesn’t make sense but you won’t easily forget.
So those are my tips. I’ll be the first to admit that I don’t know everything, so if you would happen to know any great password tips that I have failed to mention, please do share in the comments section or write me an e-mail if you would like to remain anonymous. Thanks in advance.
* Most Filipinos know at least two different languages/dialects (English-Tagalog, English-Bisaya, English-Waray, etc) so I won’t even tackle that here, just put a (your other language here)-English word together or if you’re Conyo, go put your complex iteration of the the word, “Pare” or “Tol” before, in the middle or after your English word, or put your iteration of “Dude” or “Bro” before, in the middle or after your Tagalog word. Peace to the Conyos out there 🙂
** Many many thanks to a Security Mentor of mine (who may wish to remain anonymous) for sending this link on passwords.
InfoSec Philippines 