Friday 20 February 2015

Password

Ah, I see it's yet another day in the world of social media: a day when the PM gets himself pranked by a spoof phone caller, while the rest of us wrestle with IT systems that require us to change our passwords periodically. I don't know about you, but passwords, and remembering a different one for each system, are a pain in the bum.

I have tried several systems of password security over the years. The trouble was that I usually forgot the password for the password security system itself, which I suppose must make the passwords much more secure if even I can't remember how to get at them.

There is a website called 'SplashData' that compiles a list of the top passwords, the ones that password-guessing programs have been found to hit most often. It seems the top ten easy-peasy passwords are: 123456, password, 12345, 12345678, qwerty, 123456789, 1234, baseball, dragon and football.

Now, I have always thought that the login and password, as a pair, should be reasonably secure if carefully chosen. For me, there is also a third step of personal security: having nothing of any worth stored online.

Years ago, when I worked on large UNIX-based systems, I put in place software that would disable user accounts outside of agreed times. Let's suppose that you work in a 9-to-5 office where weekends are not required. Such a system adds a whole extra level of security just by disabling and re-enabling the login process around those hours.

The problem was that quite often the login code bore some resemblance to the user's name. When accounts were being created, we would convert Joe Blogs into jblogs, and if we had two Joe Blogs we would create a jblogs2. However, that was a long time ago; much more is now stored online, and security of access has gone to a whole new level of complexity.

I started to monitor login usage, which gave me data on when each account had last been used. A list of dormant user accounts soon appeared; a quick check with personnel showed that the accounts belonged to people who had been on short contracts, had changed employment or had even retired. I then noticed that some of the ex-employees' accounts still showed infrequent use. It turned out that some of them liked to get at their old email accounts and hosted workspace.
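As an added illustration (not code from the original post), here is the kind of last-login review described above, run over a constructed login log and a constructed personnel list; the account names, the dates and the 90-day dormancy threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample login log (not real data): "account,ISO timestamp", one login per line.
LOGIN_LOG = """\
jblogs,2015-02-18T08:55
jblogs,2015-02-19T09:02
asmith,2014-11-03T17:40
rjones,2014-06-12T10:15
tbrown,2015-01-30T22:10
tbrown,2015-02-14T23:05
"""

# Constructed personnel list: accounts that belong to current staff.
CURRENT_STAFF = {"jblogs", "asmith"}


def last_logins(log_text):
    """Reduce the log to {account: datetime of the most recent login}."""
    last = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        account, stamp = line.split(",", 1)
        when = datetime.strptime(stamp.strip(), "%Y-%m-%dT%H:%M")
        if account not in last or when > last[account]:
            last[account] = when
    return last


def review_accounts(log_text, staff, today, dormant_days=90):
    """Flag accounts unused for dormant_days, and accounts that are not on the
    personnel list yet are still being used (the ex-employee case from the post)."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=dormant_days)
    dormant, leaver_active = [], []
    for account, when in sorted(last_logins(log_text).items()):
        if when < cutoff:
            dormant.append(account)          # nobody has used it lately
        elif account not in staff:
            leaver_active.append(account)    # recent use by someone who has left
    return {"dormant": dormant, "leaver_still_active": leaver_active}
```

The second list is the interesting one: a dormant account is a clean-up item, but a leaver's account that is still being used needs the access removed and the sessions reviewed.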

I needed a more secure system. I remember setting up logins that were tied to specific MAC addresses, so not only did you have a login/password pair, but the pair was also tied to a specific machine. The machine had to be inside the firewall, and with few exceptions no remote logins were allowed. Today, spoofing a MAC address is quite a trivial thing to do. In reality, the problem at that time was the user.

When we set up the MAC address login/password pair security, users in a shared office space took sharing to the next level by sharing their login codes and passwords to make things easier. The problem will always be the user. So we set up accounts that would time out: if the session remained quiescent, we would log the user out. The troops did not like this, as it was set to a quarter-hour timeout. We agreed to change it to one hour and, over the following year, gradually shortened the waiting time back down to a quarter of an hour. No one noticed!

One day, I was installing a bit of specialist software on a user's machine, and his desk drawer was open. Pinned on the front edge of the drawer was a list of login codes and passwords for various systems. Security was that he sometimes locked his drawers. Over the next few weeks I did a little check of drawers and users' Rolodexes. There were dozens of similar stashes. So we introduced the notional once-a-year forced password change. As we had done previously, we shortened the period, and at the same time introduced a system that would not allow a password to be reused.

I downloaded a brute-force password checker and ran it against our systems. The vast majority of passwords were easy to crack. So we introduced a seeded system that enforced a level of complexity on the users: passwords needed a minimum length and had to contain at least one upper-case and one lower-case letter. We also introduced a screen that advised the user on the strength of their password. It said that the more complex a password was, the longer the period would be between enforced password changes. It was a bit of social engineering: you could choose any password you wanted that met the minimum length and the upper- and lower-case requirement, but you could never achieve the fabled one-year password period.

I ran the brute-force password checker again and the number of hits was greatly reduced. Then we introduced the slow login regime. The first login attempt was instantaneous, but if you entered a wrong password a delay was introduced before you got back to the login screen. After five wrong passwords the account was disabled.
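The slow login regime above, as an added example that is not the post's own code: each wrong password delays the return to the login prompt, and the fifth disables the account. The doubling delay and the two-second base are my assumptions; the post only says that a delay was introduced.

```python
import time

MAX_FAILURES = 5      # the post: after five wrong passwords the account is disabled
BASE_DELAY = 2.0      # assumed: seconds of delay after the first wrong password


class LoginThrottle:
    """Per-account failed-login counter with a growing delay and a hard lock."""

    def __init__(self, sleep=time.sleep):
        self.failures = {}
        self.disabled = set()
        self._sleep = sleep   # injectable so the behaviour can be tested without waiting

    def delay_for(self, n):
        """Delay after the n-th consecutive wrong password (assumed: doubles each time)."""
        return BASE_DELAY * (2 ** (n - 1))

    def attempt(self, account, password_ok):
        """Return 'ok', 'retry' (after sleeping) or 'disabled'."""
        if account in self.disabled:
            return "disabled"                 # a correct password no longer helps
        if password_ok:
            self.failures[account] = 0        # a good login clears the counter
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= MAX_FAILURES:
            self.disabled.add(account)        # an administrator has to re-enable it
            return "disabled"
        self._sleep(self.delay_for(n))        # the slow return to the login screen
        return "retry"
```

A hard lock after five failures also lets anyone who knows a login name lock that user out, so the disable event should be logged and reviewed rather than applied silently.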

So what can you do about choosing a password? First of all, choose two words that can be made memorable, let's say Piston and Tractor. Now swap the first letters of the two words: Tiston Practor, which gives two non-dictionary words. Join the two words together: TistonPractor. Now add a number and a letter as a spacer between the two non-dictionary words, say the number 4 and a lower-case letter, say a, so the password becomes Tiston4aPractor. The memorable phrase for you to remember or write down would be 'Piston for a Tractor'. The above is what I used to give staff as an example when they were sat trying to think of their next new password.
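An added example, not from the original post, that puts the complexity rules from the brute-force paragraph and the Piston/Tractor recipe above into working code, and checks the SplashData top ten against them; the minimum length of 8, the expiry scoring and the 364-day cap are assumptions, since the post gives the rules but no figures.

```python
import re

# Assumed policy figures: the post states the rules but not the numbers.
MIN_LENGTH = 8
MAX_EXPIRY_DAYS = 364      # the "fabled one year" is never quite reached

# The SplashData top ten quoted in the post, rejected outright.
EASY_LIST = {"123456", "password", "12345", "12345678", "qwerty",
             "123456789", "1234", "baseball", "dragon", "football"}


def meets_policy(pw):
    """Minimum length and at least one upper- and one lower-case letter."""
    return (pw not in EASY_LIST
            and len(pw) >= MIN_LENGTH
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None)


def character_classes(pw):
    """Count how many of upper, lower, digit and other are present."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def expiry_days(pw):
    """Days until the next forced change: length and variety earn more days,
    but the period is capped just short of a year, as the post describes."""
    if not meets_policy(pw):
        return 0
    earned = 10 * len(pw) + 30 * character_classes(pw)   # assumed scoring
    return min(MAX_EXPIRY_DAYS, earned)


def mnemonic_password(first, second, digit, letter):
    """The post's recipe: swap the initial letters of two memorable words
    and join the results with a digit and a lower-case letter as a spacer."""
    swapped_first = second[0] + first[1:]
    swapped_second = first[0] + second[1:]
    return swapped_first + digit + letter + swapped_second
```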

The security of any system is always compromised by the user!
