
Jackie, a newly hired HR database administrator (DBA) at a major state university, has several years’ professional experience working with big data. In her first week Jackie is “on-boarded” into the position. She is immediately granted full access to a large number of university systems and databases, which have disparate password and access requirements. Because of an absence of coherence across departments and university subunits (which is typical of large organizations), Jackie has to learn several new logon procedures for these assets. Some of the more sensitive systems at the university depend on “two-factor” authentication, requiring Jackie to use a physical identity (sometimes called an authentication or cryptographic) token in combination with a password.

In order to keep all of these passwords and protocols straight as she learns the ins and outs of her new position, Jackie writes them down under the desk blotter at her workstation. Jackie’s physical work space is an open cubicle. Because cubicles keep no secrets, one of her coworkers notices this practice. She warns Jackie that, in addition to being extremely dangerous practice, writing down passwords in an unsecured location is actually grounds for termination from the university. She shows Jackie how to use a password app on her smartphone, protected with a master password. This app can be used to secure the passwords and logon procedures required for Jackie’s job. If the phone is secured with a personal identification number (PIN), and the app is secured with a master password, this password management scheme is approved by her university.

Where Did Passwords Come From?

The first computer passwords were likely used in the mid-1960s on the mainframe system at the Massachusetts Institute of Technology (MIT).[1] In the earliest days of personal computing, protective gates like passwords were essentially irrelevant because of the small numbers of sophisticated users actually involved in this emerging technology. Early broadly publicly available computers purchased by civilian end users, such as the Apple II series, the first Macintosh, and the IBM PC and PCjr didn’t even incorporate a logon password option. End users simply turned on the computer and the machine automatically loaded the desktop, no questions asked. Everything on the machine was immediately available to anyone who could push the “on” button.

Microsoft Windows versions 95, 98, and Me allowed for the adoption of a security password, but didn’t actually require users to enter the password to log on to the machine! These operating systems simply allowed users to press Esc at the login window, which then granted immediate access to files, software, and data (see Figure 2-1)—literally at the push of a button. Functionally, passwords became a much more critical operational finger-in-the-dike with the emergence of early online services (AOL, CompuServe) and the increased, broad-scale usage of e-mail and other on-line services through the Internet.

Figure 2-1. The logon box for Microsoft Windows 95, 98, and Me allowed the user to simply press Cancel (or the Esc key) at this dialog, and full access to the operating system was granted, without a password.

Passwords became increasingly necessary to protect end users’ identity as Internet communications became more common. Passwords are, in part, intended to ensure the integrity of online identity. Early password protection offered some assurance that if an incoming e-mail was identified as having come from “Jackie” that the recipient could have confidence it was coming from Jackie. As the nature of the ways we use our computers has continued to evolve, and the transmission and storage of more—and more critical—information is increasingly taken for granted, passwords have become more important to us.

Their importance is matched by our dependence on the data and information they protect. As technology and computing tools have become integral to modern work performance and broad-spectrum social activity in society, passwords have become much more essential, and as a consequence they’ve also become more vulnerable to attack. As a fact of modern information exchange we use e-mail for everything. If the password to an e-mail account is compromised, a criminal can potentially gain access to checking accounts, credit card information, and other vital personal and customer-related data. Because of an inflated sense of personal privacy, the ease of use inherent in the interface, and a general complacency about personal security, e-mail has become a favored point of entry for hackers to essentially limitless access to private information.

Password Threats and New Solutions

Hackers have a wide range of tools and points of leverage with which to gain illicit access to e-mail accounts. However, there are several common attacks criminals use to crack security precautions. The “brute force attack” leverages a dedicated computer, or series of integrated computers, to apply a mathematical algorithm that essentially guesses and tries all possible passwords within a system. This approach tends to work very well against shorter passwords but is much too time-consuming for longer passwords. This is one of the reasons that IT administrators are increasingly requiring 12-character (or longer) codes. The entry hurdle increases as password complexity and system security are heightened.

In contrast with the brute force attack, which requires substantial computing power (and time), with a “dictionary attack” an algorithm is employed to guess all of the most common passwords that can be found in a dictionary. This approach is very efficient. Because all possible combinations of letters aren’t being tried—only dictionary words—it can be executed much more quickly. The English language is estimated to encompass just over a million words. Deployed correctly, a “modern” computer can enter 1 million words into a security portal’s password checker in less than 24 hours. Daisy, rainforest, and butterfly (all common passwords) don’t stand a chance against a concerted attack.

There are substantial financial and reputational costs associated with the loss of critical customer data (i.e., social security numbers, credit card numbers, checking account information, home addresses, etc.). In early 2014, the online auction giant eBay suffered an alarming data breach when criminals stole the login credentials of several employees. This enabled access to eBay’s corporate databases where the thieves misappropriated the personal data (login names, passwords, addresses, and phone numbers) of as many as 200 million eBay customers.

Alternatives to the “Simple” Password: Biometrics and Two-Factor Authentication

Some cutting-edge systems are beginning to incorporate biometrics (most frequently fingerprint readers, but at higher levels of security in corporate or government contexts retinal scanners also are seeing increased use) as an alternative to conventional passwords. In the retail sector, for example, the Apple iPhone, as of September 2013’s “5S” model, leverages an integrated fingerprint reader that can actually be used in lieu of a pass-code. Phone manufacturers Samsung and HTC also have added this feature to their newest devices. Consistent with the broadening trend toward more sophisticated (or more convenient?) entry hurdles, many laptops now also incorporate fingerprint scanners as a security gate. These come with various packages of features, depending on the model and manufacturer, attached in conjunction with the scanner itself.

Credential-based attacks (i.e., a stolen password) have recently been waged against Adobe, Twitter, Kickstarter, and Apple. The “Data Breach Investigation Report” released by Verizon in April 2014 found that two of three data breaches in 2013 involved criminals using compromised or misused credentials. In light of these recent attacks (which depended on the compromise of a simple username/password), more and more organizations have begun to institute what is called “two-factor authentication” or TFA. TFA increases the information hurdle necessary for access to secured internal systems, requiring users to provide two of three (or more) system “factors.”

Users have to know something, typically a password or a pass-code, which represents an entry hurdle similar to that of a conventional password portal. Users also must have something. This could be a token of some kind, or a mobile app that provides a randomly assigned code at login, or a text message that includes login-specific information. Alternately, some TFAs incorporate something that end users are. This could be something physical or biometric and might be captured through fingerprint or retinal scan. In the future, this biometric factor might also even encompass DNA matching.

Because the TFA requires that two of these three factors be available for system access, the odds of random or unauthorized entry, or entry through a concerted illicit attack, decrease dramatically. If a criminal captures a password, via phishing attack or other means, the system is compromised for only one of these system elements. Thus, the system remains protected because access within TFA is precluded without two factors in place at login. If eBay had had two-factor authentication in place in February 2014, a stolen password alone would not have allowed attackers to access millions of users’ personal and financial data. However, as with “Jackie” at the beginning of the chapter, writing down passwords in an obvious location entirely negates one of the components of two-factor authentication! Two-factor authentication can function effectively only as a supplement to—not as a replacement for—a strong password policy.

Google introduced a retail-focused, optional, two-factor authentication system in 2012. Each time users who request this additional security protocol attempt to log in to Gmail (or any Google service) with their standard password, Google’s servers send them a random code via text message, voice message, or the Google app. If the random code isn’t entered correctly, system access is denied. Users also have the option of telling Google, essentially, “Don’t make me enter a code again when I log in from this device,” i.e., the user’s home or work computer. The “stand-down” option offers the convenience of logging on with fewer security steps from more frequently accessed computers while still protecting users against criminals who acquire their passwords and try to log on from their own (i.e., the criminal’s) computer.
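As an added illustration (not code from the book, and not Google’s own implementation), here is the server side of the “have something” factor described above. It assumes the app-generated code is a time-based one-time password in the style of RFC 6238 (the scheme Google Authenticator implements); the demo secret is constructed and is not a real credential.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # lifetime of each code
DIGITS = 6          # length of the code the user types


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at_time=None, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // step)


def verify_second_factor(secret, submitted, at_time=None, window=1, step=STEP_SECONDS):
    """Server-side check of the typed code; accepts +/- `window` steps of clock drift."""
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, c), submitted)
               for c in range(counter - window, counter + window + 1))


def login(password_ok, secret, submitted_code, at_time=None):
    """Both factors must pass: a phished password without the device's code is refused."""
    return password_ok and verify_second_factor(secret, submitted_code, at_time)


if __name__ == "__main__":
    # Constructed demo secret; a real one is generated at enrollment and shared with the app once.
    demo_secret = b"constructed-demo-secret"
    now = time.time()
    code = totp(demo_secret, now)
    print("code the app would show:", code)
    print("password + correct code:", login(True, demo_secret, code, now))
    print("stolen password, no code:", login(True, demo_secret, "000000", now))
```

The window of one step on each side is what lets a code typed just after it rolled over still be accepted; a code from several minutes ago is refused, which is what makes a captured code worthless to reuse later.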

Here, readers are likely to recognize that secondary backup security procedures can be somewhat…inconvenient. When different devices are used to check e-mail (for example, during travel or commuting), substantial time can be consumed serially surpassing secondary backup security protocols. This highlights a basic modern operational truth of the open-systems framework into which our devices and our data are integrated. Security and convenience operate in a constant balance. As systems become more secure, they also become more cumbersome. As systems become more convenient, they become more vulnerable. This is a reality.

Bigger Can Be Better. . .

In light of the inherent give and take in the security-convenience trade-off, most IT experts and professionals recommend that end users think in terms of what are being called “passphrases” rather than “passwords.” Longer passwords are mathematically much harder to crack due to the exponentially increasing number of potential combinations of password elements (see Table 2-1).

Table 2-1. The total number of possible permutations increases exponentially with password length

Note: This table assumes the use of the 83 possible characters on a standard English-language keyboard.

For example, “IoncevisitedSt.Louis,Missouri” is a much stronger password than a simple “missouri123.” These kinds of security phrases are harder for criminals to guess, or automated programs to crack, yet are still relatively easy for end users to remember. They also offer a coherent mnemonic for remembering longer key strings that would be exceptionally difficult if the string were composed of randomly chosen characters.
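As an added worked example (not from the book), the arithmetic behind Table 2-1 computed for the chapter’s 83-character keyboard alphabet, turned into brute-force time with an assumed rate of one billion guesses per second, alongside a constructed mini word list that shows why a dictionary word plus digits such as “missouri123” sits in a tiny search space compared with a passphrase.

```python
import math

ALPHABET_SIZE = 83              # characters on a standard English keyboard (Table 2-1 note)
GUESSES_PER_SECOND = 10 ** 9    # assumed attacker rate, constructed for illustration
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct strings of exactly `length` characters (alphabet ** length)."""
    return alphabet ** length


def entropy_bits(length, alphabet=ALPHABET_SIZE):
    """Equivalent strength in bits of a uniformly random string of this length."""
    return length * math.log2(alphabet)


def years_to_exhaust(length, alphabet=ALPHABET_SIZE, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every string of this length at the assumed rate."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_YEAR


def permutation_table(lengths=(4, 6, 8, 10, 12, 16, 20)):
    """Rows of (length, keyspace, bits, years), in the spirit of Table 2-1."""
    return [(n, keyspace(n), round(entropy_bits(n), 1), years_to_exhaust(n))
            for n in lengths]


# Constructed stand-in for the roughly one-million-word English dictionary the chapter cites.
COMMON_WORDS = {"daisy", "rainforest", "butterfly", "missouri", "password", "sunshine"}


def dictionary_guessable(password, words=COMMON_WORDS):
    """True when the password is a listed word, optionally followed by digits ('missouri123')."""
    core = password.lower().rstrip("0123456789")
    return core in words


def dictionary_seconds(word_count=10 ** 6, rate=GUESSES_PER_SECOND):
    """Time to try every word in a dictionary of the given size: tiny next to keyspace()."""
    return word_count / rate


if __name__ == "__main__":
    print(f"{'len':>4} {'keyspace':>30} {'bits':>6} {'years @1e9/s':>14}")
    for n, space, bits, years in permutation_table():
        print(f"{n:>4} {space:>30,} {bits:>6} {years:>14.3g}")
    print("whole dictionary tried in", dictionary_seconds(), "seconds")
    for pw in ("missouri123", "IoncevisitedSt.Louis,Missouri"):
        print(pw, "-> dictionary-guessable:", dictionary_guessable(pw))
```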

Mix It Up

Whenever possible, different passwords should be used for different sites, particularly sites that store credit card or other financial data. “Work” passwords should be kept distinct from “personal” / social media / photo-sharing / online shopping passwords to segregate spheres of vulnerability.

When hackers steal credentials from a particular web site, these data often are sold to another thief. The buyer may try the stolen credentials on other sites (unrelated to the original), because many people use the same username/password for most (or all!) of their online activities. When most users hear about a breach at eBay, they will change their eBay password. But what if they use those same credentials and log-on key for Amazon, Google, Zappos, etc.? Do they change all of those logins? Unfortunately, most probably don’t.

In 2012 Best Buy customers reported unauthorized use of their online accounts to purchase Best Buy gift cards and other merchandise. These users had their credit card information stored on BestBuy.com, but there had been no indication that the retail giant’s own servers had been compromised. Hackers were using credentials stolen from other sites, correctly assuming that many users had the same credentials for their BestBuy.com account.

We believe a secondary party gleaned user information and passwords from other online sites and then they’re tapping into us and other retailers to see if people are using their same password across multiple sites.

—Susan Busch, Best Buy’s senior PR director

Although end users are typically bombarded by frantic-seeming system administrators with requests for disciplined password protocol adherence, ongoing discussion within the IT security community has left open the question of what is the most effective enforcement approach for password expiration and reuse. It is debatable whether it is a good idea to force users to change passwords on a regular basis, or to prevent them from reusing their last several passwords (which many users would prefer to do).

On the one hand, advocates argue that forcing frequent password changes limits the potential damage that a criminal can inflict once in possession of a user’s password. Restricting users’ ability to reuse old passwords also prevents criminals from using these recycled passwords to gain access to key accounts and data (or personal financial information). On the other hand, overly restrictive expiration/reuse policies increase the probability that users will forget their password.

Forgotten passwords can lead to productivity losses, as users are forced to go through a password reset process each time the password is forgotten (more information on this issue follows below). This approach also can more easily lead to security breaches, as users who can’t remember their passwords are more likely to write them down or store them in other insecure places (like the underside of a desk blotter…!).

Security consultant Bruce Schneier offers a discussion of this situation on his virtual security blog focused on the issue of password policy.[2] Schneier makes the excellent point (unlikely to be found in most corporate or other on-boarding materials), that it’s always a good idea to change e-mail, social media, banking, etc. passwords when a romantic relationship ends. Romantic partners often know each other’s passwords. This substantially increases the potential collateral damage of failed love. Criminals aren’t the only parties interested in your data, and a jilted lover has just the right (or wrong…) motivation to make a difficult-to-clean-up virtual mess of your on-line accounts.

Protecting Passwords

When users forget their password(s), as they invariably will, the password reset procedure also is a point of potential system vulnerability. The reset procedure has to be secure but is subject to the same kinds of security limitations as other data transmission processes. How is a new password provided to users? If the password is sent via e-mail, this procedure opens up a host of questions revolving around issues of e-mail vulnerability. Is the e-mail address verified and secure? What gates are up to protect the e-mail against unofficial or illicit appropriation?

What about if the password is sent via phone or text? What kinds of proof of identity are users required to provide within this transaction? Is the new password provided in person? Is the user required to provide some kind of identification? What role does the in-person inconvenience factor play within this approach? There is an inherent trade-off between password transmission security and convenience in this process that limits the range of options that administrators (and users) are likely to accept on a regular basis. If the new password is provided in person, is it handed to each user on a physical slip of paper? If it is, what’s to prevent users, like “Jackie,” from simply keeping that slip of paper in plain sight on their desk or, even worse, up on their dry-erase board?

Likewise, if a physical identity token is provided, what steps are taken to ensure users’ identity? How does the administrator verify that the person is who he says he is? What about remote users who need an identity token but are unable to conveniently make an in-person visit? Is this feasible? What if it’s the e-mail account of a sales rep in another state, or the account is attached to an office in another country? What steps are taken to ensure that the token is being given to a genuine user rather than an enterprising thief with counterfeit credentials involved in advanced persistent threat (APT) reconnaissance and infiltration? Although a techno-thrilleresque prospect, it is not at all a far-fetched scenario today. As we discuss in Chapter 9, brazen on-site impersonation of legitimate company personnel and physical plant penetration are becoming more and more common today.

Is it sent through the mail? This can lead to a great deal of lost productivity as individual users wait for their physical token to arrive. It can be extremely difficult balancing security and productivity needs. As a point of definition, these considerations are often at odds. Individual users will inevitably be inconvenienced by stiffened security protocols.

But, individual users within a larger organization don’t operate in a vacuum. Their decisions and actions directly affect that collective. Here, the needs of the many may outweigh the needs of the few. Individual users’ productivity can be hampered by heightened security protocols, but one user’s security failure has the potential to impact substantially the productivity of the entire organization. If servers go down, a core network is compromised, or clients’ personal and financial data are lost, collective productivity can be catastrophically—even fatally—damaged, with eBay being a recent graphic example.

It’s important for users to remain cognizant of security threats like these. Although typical users don’t administer (or even have access to) frequently used servers, it is essential to pay attention to instructions or warnings disseminated by administrators. As a case in point, in April 2014 a vulnerability called “Heartbleed” garnered wide media attention. Heartbleed is an exploitable weakness in the OpenSSL software used on an estimated two-thirds of the world’s public web servers.

This was an entirely “back-end” issue; from the “front end,” the typical user’s interface point, there was nothing users could do to protect themselves from passwords being stolen. The vulnerability had to be resolved from the back end (by system administrators). Yet, when the vulnerability was repaired, users were instructed to change their passwords, as previous passwords could have been stolen. In the wake of Heartbleed, many organizations and popular consumer sites like Tumblr, Reddit, and Pinterest strongly recommended that users change their passwords immediately.

Twenty-first century end users have to be sophisticated enough to recognize this type of legitimate password advice and to differentiate it from the faux requests / phishing attacks discussed in Chapter 1. In the case of Heartbleed, the probability that any particular user’s password on a specific site was compromised was extremely low. But in aggregate, a site like Reddit, which has nearly 3 million regular users, almost certainly had some compromised accounts.

What Should You Do?

Data security and use of password protection simply cannot be an issue that users only casually flirt with. Once it was popularly recognized that vulnerability to sexually transmitted diseases had potentially lethal consequences, condom use was no longer seen as an inconvenience or a choice—it came to be viewed as a requisite ticket to ride. It is critical to adopt an almost life-and-death appreciation of the use of virtual protection today.

Systematically consider your various passwords and very carefully contemplate how you use them. Choose different passwords for each of the services that you use. Or, in light of inherently limited cognitive space and mental resources, choose as many passwords as you can reasonably remember. Avoid the inclination to use a dictionary word of any kind. A pet’s name, or any other overly simplistic password can be easily guessed at or harvested through an illicit systematic virtual hunt. Adopt passphrases rather than passwords because they are more difficult to crack. If you can’t remember them all, adopt a 21st-century approach and consider taking advantage of a biometric system or leveraging password-management software, as suggested to Jackie at the beginning of the chapter (see Figures 2-2 and 2-3), rather than writing them down somewhere where they can easily be found by others.

Figure 2-2. When using a password manager application such as KeePass, the first step is to set a strong master password, ideally one that the user will never forget. Many applications will give a visual indicator as to the strength of the selected master password.

Figure 2-3. Password managers like KeePass can store various passwords for the user, separated into categories. Noteworthy is that these applications can often choose a random password for the user; the user needs to recall only the self-selected master password. (Screenshots from KeePass used under the terms of the software's General Public License [GPL])

It also is critical to recognize that your mobile device is exceptionally vulnerable both virtually and physically. Add a PIN or password to all of your mobile devices. If you think or even suspect that a computer or mobile device of yours has been compromised, immediately change all of the passwords that were used on that computer. (We discuss mobile security specifics in greater detail in Chapter 7 and physical security threats in Chapter 10).

Additional Reading

For more on how to be smart with your passwords, see the following links and visit our web site at www.10donts.com/passwords.