Let’s start with the obvious. We all hate passwords.
Users hate passwords because they are hard to remember and they slow you down, getting in the way of the computing experience.
IT staff hate passwords because they’re just one more critical thing that needs to be managed, taking valuable time away from keeping computer systems running and users happy.
And the information security community hates passwords because they’re too often a source of conflict with users who don’t want to use strong passwords. And, truth be told, they are completely ineffective once a cybercriminal has installed a keylogger on the victim’s computer. Online bank fraud tools like Zeus and SpyEye install a keylogger to capture user login credentials and the answers to secret questions. Your money is no longer safe once the cybercriminal has your online bank account password and this other information.
According to Microsoft research, back in 2007 the average user had 6.5 passwords, each of which was shared across 3.9 sites. Each user had about 25 accounts that required passwords and typed an average of 8 passwords a day. Demonstrating the challenge users have remembering passwords, the research showed that 1.5% of Yahoo users forget their password each month.
Users are notorious for using weak passwords. SplashData’s 2012 annual list of the most common passwords names ‘password’, ‘123456’, ‘12345678’, ‘abc123’ and ‘qwerty’ as the 5 most frequently used. A 2011 study by KoreLogic presented at the Austin OWASP meeting suggests that fewer than 10% of users have passwords that are complex enough and long enough to resist basic cybercriminal attacks.
Hated or not, passwords are often the only credible line of defense protecting sensitive information.
Which takes us to another obvious: Passwords — at least for the short term — are here to stay.
Therefore, it only makes sense that we learn to live with them … happily ever after.
Why Do You Use a Password: You use a password to authenticate yourself, to establish that you are who you say you are.
A password is the cyber-equivalent of a driver’s license or a passport; it says you’re you. Once the computer system or web page ‘knows’ that it is interacting with you, it gives you access to those files and services that you are ‘authorized’ to use.
Three Rules for Password Sanity
Rule 1: Keep your password private.
Since your password is used to authenticate you, anyone with your password can pose as you.
With your passwords [and either your easy-to-get name or email address], a cyber criminal can spend your money at Amazon, send an abusive message to your friends on LinkedIn and move money from your bank account.
If a cyber criminal has your work password, the computers and programs you use will give him the same rights to do things that you get. He can read your files, send email from your account and conduct the same transactions you do.
Putting a password under your keyboard or on a post-it note slapped on your monitor is an invitation to information theft. If you must write your passwords down, store them with the same care that you store your money, your wallet and your passport.
Rule 2: A password used to access sensitive information needs to be long, complex and unique.
Passwords need to be long and complex because cybercriminals have several software tools that let them quickly crack passwords that are too short or inadequately complex. A password like ‘1234567’ offers little or no protection. Length without complexity is not adequate; the KoreLogic study cracked long non-complex passwords like ‘Januarybaby2010!’ and ‘Abcdefghijklmnopqrstuvwxyz’.
To see why passwords need to be unique, recall the theft of 6,000,000 passwords from LinkedIn last June. Users whose bank account passwords were the same as their LinkedIn passwords found their bank accounts at risk.
Citadel recommends a minimum password length of 12 characters, using a mixture of lower-case letters, upper-case letters, numbers and special characters. They don’t need to be totally random but, as the examples above show, they do need to be complex. Examples include ‘kla45Young##’, ‘Plokr/*u1234’ and ‘54175rat-Tar’. One characteristic of all 3 of the examples is that the letter sequences are pronounceable.
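To make Rule 2 concrete, here is an added checker (my own example, not a tool of Citadel’s, KoreLogic’s or SplashData’s) that tests a candidate password for the three properties the rule asks for: long, complex and unique. It goes a step beyond a plain character-class count by also catching the two failure modes the article quotes, simple sequences like ‘1234567’ and dictionary-word passwords like ‘Januarybaby2010!’ that look complex but fall to a word list. The 12-character minimum and the five SplashData entries come from the article; the mini word list, the sample passwords and the function names are constructed for the example.

```python
"""Added example (not the author's or KoreLogic's tooling): a checker for the
three properties Rule 2 asks of a password: long, complex and unique.
The thresholds, the mini word list and the sample passwords are constructed
for illustration."""
import re
import string

MIN_LENGTH = 12  # the minimum length recommended in the article

# Constructed sample: the five entries quoted from SplashData's 2012 list
COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty"}

# Constructed mini word list standing in for the dictionaries crackers use;
# a real checker would load a large list.
DICTIONARY_WORDS = {"january", "baby", "password", "welcome", "summer",
                    "abcdefghijklmnopqrstuvwxyz"}


def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    checks = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(checks)


def is_simple_sequence(pw):
    """True for runs like '1234567' or 'abcdef...' where every character is
    the next code point after the previous one."""
    s = pw.lower()
    return len(s) >= 3 and all(ord(s[i + 1]) - ord(s[i]) == 1 for i in range(len(s) - 1))


def is_dictionary_pattern(pw):
    """True when the letters of the password, taken together, split cleanly
    into dictionary words. 'Januarybaby2010!' passes a naive class count but
    is 'january' + 'baby' + a year, which is why word lists crack it."""
    letters = re.sub(r"[^A-Za-z]", "", pw).lower()
    if not letters:
        return False
    # Dynamic programming over prefixes: can letters[:i] be segmented into words?
    segmentable = [True] + [False] * len(letters)
    for i in range(1, len(letters) + 1):
        for j in range(i):
            if segmentable[j] and letters[j:i] in DICTIONARY_WORDS:
                segmentable[i] = True
                break
    return segmentable[len(letters)]


def check_password(pw, previously_used=()):
    """Return the list of policy violations; an empty list means the password
    satisfies the long / complex / unique requirements of Rule 2."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < 3:
        problems.append("uses fewer than three character classes")
    if is_simple_sequence(pw):
        problems.append("is a simple character sequence")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if is_dictionary_pattern(pw):
        problems.append("letters are dictionary words")
    if pw in previously_used:  # "unique": never shared with another account
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for sample in ("kla45Young##", "Januarybaby2010!",
                   "Abcdefghijklmnopqrstuvwxyz", "1234567"):
        print(sample, "->", check_password(sample) or "ok")
```

Run against the article’s own samples, the three recommended passwords come back clean, ‘Januarybaby2010!’ is flagged only for its dictionary letters (it has all four character classes, which is exactly why a class count alone is not enough), and ‘Abcdefghijklmnopqrstuvwxyz’ is flagged for both its two-class makeup and for being a plain sequence.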
Rule 3: Consider the careful use of a password manager
Imagine only needing to remember one password!!! You can do this with a modern password manager … provided you’re very very careful.
Password managers store all your passwords for you so you don’t have to remember them. All you have to remember is the one master password that gives you (and your programs) access to all the passwords stored in the password manager. Modern password managers integrate right into web browsers: visit a website, click a toolbar button and the program logs you in automatically.
Password managers, though, are like dynamite. Dynamite is great when it’s knocking down a hill so we can put in a new road. It’s not so good, though, when the hill falls on the workers.
The Open Directory Project has compiled a large list of password management programs. Citadel has experience with two of them, KeePass and RoboForm. There is no denying the convenience of a good password manager.
There are three key questions to consider in using a password manager.
1: How sensitive is the information being protected?
All software — even password managers — has vulnerabilities that expose it to cyber attack. This means that using a password manager necessitates a trade-off between convenience and security. Making this trade-off requires balancing the loss that could be incurred from using a password manager against the gain in convenience achieved from using the manager.
That’s why the NSA, for example, wouldn’t authorize the use of a password manager without extensive security testing and certification.
The situation is analogous in any organizational environment (businesses, not-for-profits, government agencies, etc.). Before authorizing the use of a password manager in such an environment, management must consider the risk to sensitive information and operations. This is a cyber security management function. Users should not be free to install their own password managers but must follow their organization’s security policies and standards before using a password manager.
Consumers at home often have less sensitive information than at work. Credit card and banking regulations, supportive of consumers, lower the risk to consumers from using a password manager.
2: How well does the password manager protect your information?
An Excel spreadsheet makes a basic password manager; just not a very secure one. A password manager is the key to all the keys in your kingdom. It had better do its job, and do it well. A password manager’s most important job is security. It is not convenience. It is not a pretty interface, or anything else.
Of particular concern are password managers that store passwords in the cloud. Even though the passwords may be encrypted, they may still be at unnecessary risk. This is particularly true if the master password is also stored in the cloud.
Testing the security of password managers can pose difficult challenges, making it hard for consumers to evaluate the security of password managers. I recommend reading several reviews from different sources, homing in on the security testing that was done. Keep in mind that security testing is different from merely listing security ‘features.’
3: How well do you protect the keys?
No matter how well designed a password manager is, it is worthless if the user doesn’t protect it with a strong master password. Citadel recommends users protect their password manager with a complex password that’s at least 15 characters long.
We also recommend setting the password manager to self-destruct after 5 – 10 invalid attempts to enter the master password. This is particularly true when the password manager is installed on a laptop, tablet or smartphone as these devices are prone to being lost.
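As an added illustration of what Rule 3 and question 3 ask of a password manager, here is a toy vault of my own. It is not the design of KeePass, RoboForm or any real product, and it is not from the article. It shows three things in code: the master password is the one secret the user remembers (Rule 3) and is never stored, only a salted PBKDF2 verifier of it; the 15-character minimum for that master password; and the self-destruct after a fixed number of invalid unlock attempts that the article recommends for laptops, tablets and phones. The 15-character and 5-attempt thresholds are the article’s numbers; the PBKDF2 work factor, the class and method names and the sample entries are assumptions for the example. Entries are held in memory as plain strings to keep the example short; a real manager encrypts them with the derived key.

```python
"""Added example, not the design of KeePass, RoboForm or any real product: a
toy vault showing how a password manager protects the keys to the kingdom.
The master password is never stored; only a salted PBKDF2 verifier is kept,
and after MAX_FAILED_ATTEMPTS bad unlock attempts the vault wipes itself.
The work factor and the names below are assumptions for the example."""
import hashlib
import hmac
import os

MASTER_MIN_LENGTH = 15       # article: master password of at least 15 characters
MAX_FAILED_ATTEMPTS = 5      # article: self-destruct after 5 to 10 invalid attempts
PBKDF2_ITERATIONS = 100_000  # assumption: deliberately slow to resist offline guessing


class Vault:
    def __init__(self, master_password, max_failed=MAX_FAILED_ATTEMPTS):
        if len(master_password) < MASTER_MIN_LENGTH:
            raise ValueError(f"master password must be at least {MASTER_MIN_LENGTH} characters")
        self._salt = os.urandom(16)                     # fresh random salt per vault
        self._verifier = self._derive(master_password, self._salt)
        self._entries = {}       # toy: a real vault encrypts these with the derived key
        self._max_failed = max_failed
        self.failed_attempts = 0
        self.unlocked = False
        self.destroyed = False

    @staticmethod
    def _derive(password, salt):
        """Slow key derivation so each guess costs the attacker real work."""
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def unlock(self, attempt):
        """Open the vault on the right master password; every wrong attempt
        counts toward the wipe threshold."""
        if self.destroyed:
            raise RuntimeError("vault contents have been wiped")
        candidate = self._derive(attempt, self._salt)
        if hmac.compare_digest(candidate, self._verifier):   # constant-time compare
            self.failed_attempts = 0
            self.unlocked = True
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self._max_failed:
            self._wipe()
        return False

    def lock(self):
        self.unlocked = False

    def store(self, site, password):
        self._require_unlocked()
        self._entries[site] = password

    def get(self, site):
        self._require_unlocked()
        return self._entries[site]

    def _require_unlocked(self):
        if not self.unlocked:
            raise PermissionError("vault is locked")

    def _wipe(self):
        """Self-destruct: drop every entry and the verifier so that no master
        password, right or wrong, can open this vault again."""
        self._entries.clear()
        self._verifier = bytes(len(self._verifier))
        self.unlocked = False
        self.destroyed = True


if __name__ == "__main__":
    vault = Vault("correct-horse-battery-staple")      # constructed sample master password
    vault.unlock("correct-horse-battery-staple")
    vault.store("bank.example", "54175rat-Tar")        # one of the article's sample passwords
    vault.lock()
    for _ in range(MAX_FAILED_ATTEMPTS):
        vault.unlock("wrong guess")
    print("destroyed after repeated bad attempts:", vault.destroyed)
```

The two design points worth noticing are the constant-time comparison of the verifier, so that a wrong guess does not leak how close it was, and the fact that a wipe is irreversible by construction: once the verifier is zeroed there is nothing left for the correct master password to match against, which is the whole point of self-destruct on a device that may be lost.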
Defense-in-Depth: Passwords are a necessary element in defending access to sensitive information and services. But, as we discussed above, passwords offer no protection against the cyber criminal able to install a keylogger on a user’s computer. Additional defenses — like spam filters and employee awareness training — are also required as a part of any thorough cyber security management program.