Thursday 27 June 2013

"Invalid User Name or Password"

Time was when passwords were something you read about in spy novels but never actually needed to use. As far as I recall it wasn’t until the early to mid 1990s that I needed a password at work to access a particular system, but as the decade progressed more and more work migrated from paper to PC, there was a proliferation of new systems and applications, and each of them needed a password.

By the time I left work at the end of last year I had access to twenty-odd systems that required passwords; a fairly modest number compared with some people, but still enough to make remembering them all quite exacting. IT policy in most organisations tends to require users not to share passwords, not to record them anywhere and to have a unique password for each system. Add to this last recommendation the fact that each system has different requirements vis-à-vis password construction (fixed length, variable length, upper and lower case letters, numbers, special characters) and it is little wonder that most people record at least some of their passwords somewhere, somehow. My favoured method, and one which even IT security would grudgingly agree was just about acceptable, was to keep two spreadsheets on my personal drive: one listing systems or applications and user names, and another with the corresponding list of passwords. These spreadsheets should have innocuous names that don’t make it obvious they are password lists and, of course, they need to be password protected themselves! There are proprietary apps like Dashlane or Password Caddy that can be downloaded to a smartphone to store passwords, although I imagine that many companies would have IT policies that would not approve their use. Some of these apps are free, but some do charge, and personally I would be somewhat wary of trusting my passwords to a third-party app, regardless of how secure it appears to be.

The fact that passwords in most business systems expire regularly (I had some that expired every ninety days, some that expired monthly and one that had to be changed daily) makes remembering them all without some sort of prompt difficult in the extreme, especially the ones not used every day. Inevitably this means that your typical IT helpdesk spends a disproportionate amount of time resetting passwords for frustrated users who cannot remember them.

The need for multiple passwords is avoided by adopting something like Active Directory, which provides single sign-on (SSO): once the user has logged on to the domain they are given access to the sub-systems without logging on again. The obvious weakness of this is that a would-be hacker needs only to get through one password instead of many, so single sign-on types of access control really need two-factor authentication, supplementing the user’s password with a one-time password (OTP). This type of authentication is now fairly commonplace in internet banking.
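To show what "supplementing the password with a one-time password" means in practice, here is an added example (not part of the original post, and not any particular product's code) of a counter-based OTP as specified in RFC 4226 (HOTP), verified on a toy server that also checks a salted password hash. The user name, password and the look-ahead window are constructed for the example; the OTP secret is the RFC 4226 test-vector secret, used so the generated codes can be checked against the published values.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA-1 over the 8-byte
    big-endian counter, then 'dynamic truncation' to a short decimal code.
    The secret is shared between the user's token and the server; each login
    consumes one counter value, so a captured code is useless afterwards."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class TwoFactorLogin:
    """Toy server-side user store (constructed for this example): a salted
    PBKDF2 password hash plus the HOTP secret and the next expected counter."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, look_ahead: int = 3) -> None:
        self._users: dict = {}
        self._look_ahead = look_ahead  # tolerate a few token presses that never reached the server

    def enroll(self, user: str, password: str, otp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS),
            "secret": otp_secret,
            "counter": 0,
        }

    def _password_ok(self, rec: dict, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], self.PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, rec["pw_hash"])

    def _otp_ok(self, rec: dict, code: str) -> bool:
        # Accept the expected counter or a few values ahead of it. A match moves
        # the counter past the value used, so the same code cannot be replayed.
        for step in range(self._look_ahead + 1):
            expected = hotp(rec["secret"], rec["counter"] + step)
            if hmac.compare_digest(expected, code):
                rec["counter"] += step + 1
                return True
        return False

    def login(self, user: str, password: str, code: str) -> bool:
        """Both factors must pass. The password is checked first so that a
        wrong password never consumes an OTP counter value."""
        rec = self._users.get(user)
        if rec is None or not self._password_ok(rec, password):
            return False
        return self._otp_ok(rec, code)


if __name__ == "__main__":
    # RFC 4226 test-vector secret; a real deployment generates a random one per user.
    secret = b"12345678901234567890"
    auth = TwoFactorLogin()
    auth.enroll("alice", "correct horse", secret)
    first_code = hotp(secret, 0)            # what the user's token would display
    print("first code:", first_code)        # 755224 for the RFC test secret
    print("login:", auth.login("alice", "correct horse", first_code))   # True
    print("replay:", auth.login("alice", "correct horse", first_code))  # False
```

Knowing the password alone is not enough: the second `login` call with the same code fails because the server's counter has already moved past it, which is the property that makes a phished or shoulder-surfed OTP worth far less than a phished static password.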

On top of our work passwords we now all have innumerable passwords for our private transactions. Internet banking, various shopping sites and social networks all require passwords, and again these may all be in different formats. Often these do not have expiry dates, but Clifford Stoll, an astronomer and author, says “Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.” Hmm, not sure how many people follow that advice, and if they do how often they have to click the “Forgotten Password?” link, unless of course they recorded their new password somewhere. This becomes even more pertinent now that so many applications on your tablet or smartphone automatically log you in without needing your password, and most web browsers offer to remember your passwords for you. When you do eventually need your password, say because you’ve had to log out of the site, can you remember it anyway?

A further problem I find is that, depending on the website or application, my log-on name may be my email address or something else entirely. While I have no problem remembering my email address, the other log-on names are rather more tricky as they vary wildly, and I have lost count of the times when I can remember my password but not what creation I came up with as my user name and have to ask for it to be resent to me.

When nearly half a million Yahoo! users had their accounts compromised last year, research of the passwords that were revealed showed that the top ten most commonly used included gems like “Password1”, “welcome” and “123456”. Interestingly, “Incorrect” is not among the top ten; the joke doing the rounds says, “I set my password to "incorrect" so that Windows reminds me every time I get it wrong.”

While Yahoo!’s list contains some obviously guessable passwords, it appears that even apparently “strong” passwords are actually easily hackable. Well, easily hackable if you employ the sort of talent that Ars Technica did when they cracked over 15,000 passwords this year, including the memorable 16 character string, “qeadzcwrsfxv1331.” Actually, if you test that password in a site like Password Meter (http://www.passwordmeter.com) it only scores 65% (rating, Strong). A password such as “Password38” rates 66% on the same site!

Following other advice that IT security experts give, you should not use family or pet names, car registration numbers or the like as passwords. Some recommendations for password construction include the idea of making up a phrase, such as “My friend, Dorothy, was 35 last year!”, which is in itself easier to remember than an apparently random character string. Taking the initial letters from this sentence gives a password of Mf,D,w35ly! which Password Meter rates as 100% (Very Strong), although I reckon that Ars Technica would have broken it.
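The two preceding paragraphs make two points that are easy to check in code: a meter that only counts length and character classes cannot tell that "Password38" is a dictionary word with digits tacked on, and the passphrase-initials method is a mechanical rule that can be applied to any sentence. The following is an added example, not code from the original post and not Password Meter's algorithm: a small strength estimator that combines a brute-force entropy estimate with a blocklist, plus the initials rule. The blocklist is constructed from the Yahoo! examples quoted above, the entropy thresholds are arbitrary choices for the example, and (like the post's meter) it does not detect keyboard-walk patterns such as the cracked "qeadzcwrsfxv1331", so its "strong" verdict there is exactly the over-estimate the post warns about.

```python
import math
import string

# Constructed blocklist: the post's Yahoo! top-ten examples and the joke entry.
# A real deployment would use a list of millions of leaked passwords.
COMMON_PASSWORDS = {"password1", "welcome", "123456", "password", "incorrect"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search if they know only which
    character classes the password uses (the basis of most simple meters)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    known = string.ascii_letters + string.digits + string.punctuation
    if any(c not in known for c in password):
        size += 32  # rough allowance for space and non-ASCII characters
    return size


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size).
    This is an upper bound; it says nothing about dictionary words or patterns."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def assess(password: str) -> dict:
    """Entropy estimate plus a blocklist check. The blocklist is consulted both
    for the whole password and for its 'stem' with trailing digits and symbols
    removed, so 'Password38' is caught just like 'Password1'."""
    bits = entropy_bits(password)
    lowered = password.lower()
    stem = lowered.rstrip(string.digits + string.punctuation)
    blocked = lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS
    if blocked:
        verdict = "blocked"
    elif bits < 40:          # thresholds are arbitrary choices for this example
        verdict = "weak"
    elif bits < 64:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "blocked": blocked, "verdict": verdict}


def passphrase_initials(phrase: str) -> str:
    """The post's construction rule: first letter of each word, whole numbers
    kept as-is, and any punctuation attached to a word carried along."""
    out = []
    for token in phrase.split():
        core = token.rstrip(string.punctuation)
        trailing = token[len(core):]
        if core.isdigit():
            out.append(core)
        elif core:
            out.append(core[0])
        out.append(trailing)
    return "".join(out)


if __name__ == "__main__":
    for pw in ["Password1", "123456", "Password38", "qeadzcwrsfxv1331",
               passphrase_initials("My friend, Dorothy, was 35 last year!")]:
        print(f"{pw!r:22} {assess(pw)}")
```

Run as a script it shows "Password38" blocked despite roughly the same entropy estimate a class-counting meter would give it, and "qeadzcwrsfxv1331" rated strong on entropy alone, which is the gap between what a meter measures and what a cracker with a good pattern list actually tries.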

No matter how secure we believe our passwords to be, they will be broken by someone with sufficient incentive or opportunity. In the workplace this will probably be the internal fraudster, but they won’t try to guess a password; rather they will wait for their prey to leave their PC unattended and unlocked, and/or will “shoulder surf” to acquire their victim’s password. Similarly at home it may be that some unscrupulous visitor, friend or even family member with nefarious intentions will obtain a password in the same way.

The ways in which our passwords become compromised are normally due to negligence or forgetfulness, either ours or that of the owners of the application or website we are using. The easiest ways to have your access to a system, application or website compromised appear to me to be falling victim to a phishing attack, or a data protection breach such as the theft by hackers of over six million LinkedIn user passwords in June 2012. Keeping a list of your passwords on a Post-it note stuck to your PC monitor is another good way, and apparently more people do this than you would imagine!

Identity theft is now sadly a fact of life and if someone wants to break your password badly enough they will probably do so; I guess the trick is to make their life sufficiently difficult that they move on in search of someone who hasn’t been quite as rigorous in protecting themselves.

Oh, and by the way, my password is...
