Password Security | Jason Palmer, CPA, CITP

Share Dessert, Not your Password

August 17, 2012 By Jason Palmer Leave a Comment

In many offices, people think nothing of giving their computer login User Name and Password to a co-worker. In general, this is a bad idea. Once a co-worker has the Password associated with your Login, the co-worker can masquerade as you. There is no technical way to differentiate actions taken by you vs. your co-worker should something inappropriate transpire.

For example, perhaps your co-worker is targeting your job and acts maliciously by sending out a sensitive document to a competitor using your email account. It would be extremely difficult to prove that you did not send it. Whoever did send it had your User Name and Password and gained access as you. Management will ask who else could have sent it but you? As an IT Auditor, I can assure you that most companies do not have the forensic skill to perform a proper investigation to save your job. The facts will appear to be self-evident and Management will take the path of least resistance and fire you.

It is extremely common for an Assistant to an Executive to have the Executive’s User Name and Password. This too is still a bad idea. The mitigating factor is that in most cases, the Assistant’s have the explicit trust of the Executive especially if they have been together for many years. I fully understand that the entire purpose of an Executive Assistant is to “assist” and act on matters that the Executive may not be able to attend to directly. However there are alternatives that do not compromise the Executive’s personal privacy, allow the Assistant access to selected functions, and still maintain an audit trail of access.

The problem with providing an Assistant your User Name and Login Password to your computer, corporate network or any other account is that this is an “All or Nothing” proposition. There is no ability for you as the Executive to keep anything “private” from your Assistant. This means that every single email, document you receive or draft, message from a family member to your work email (and possibly your personal email) – you entire life – potentially – is completely exposed to your Assistant.

On a practical level, this may not seem like an issue to you. You might say, “My Assistant only uses my Computer when I ask him or her to check something for me.” And I would say, “Are you absolutely sure that is the ONLY time he or she has ever sat down at your computer and looked around?” Giving your Assistant your Password exposes you as the Executive to the same kind of risk as any other Staff member. Information that was to be private and remain within the Company or that was for your “Eyes Only” is now potentially shared with your Assistant and whomever he or she sees fit to share it with.

Here is a better solution: Depending on your specific environment, if on a Corporate Network, your Assistant can use his or her own login to access your Computer and Files provided that you give (or more likely your IT Person gives) the appropriate permissions to the directories that contain your personal files that are either stored on the local computer hard drive or on the Corporate Network. In this manner, there is an “Audit Trail” of who accessed what file and when.

The best solution is to take advantage of the fact that you have Corporate Network environment and create “Shared Folders” that only you and your Assistant can access. This allows your Assistant access to files you deem unclassified in the Shared Folder while still allowing you to store sensitive information privately that only you can access in your own personal folders.

Both of the above options work regardless of if you have a Corporate Network and a File Server where files are stored centrally or if you have a Single stand-alone PC. Even on a Stand-Alone PC (or Mac) you can have individual user accounts, each with their own 100% private storage area that can only be accessed while that specific user is logged in under their user name and a common storage area that all users can access regardless of which specific user is logged in.

The most popular excuse (reason) for the sharing of the Executive User Name and Password is for the co-worker or Executive Assistant to check and respond to email. Most Corporate Email Servers, specifically Microsoft Exchange, support the ability for you to give Proxy Permissions to a co-worker or Assistant. This enables someone other than yourself to read, reply, create, and send mail as you depending on what permissions you allow. The subtle difference is that there is an Audit Trail that shows that the correspondence, even if appearing to have been sent by you to the outside party, was actually sent by your Proxy – the co-worker or Assistant acting on your behalf. The other key advantage is that if a message is marked as “private”, a function of some Corporate Mail Servers, the co-worker or Assistant cannot see it. Only you can only open the message with your specific User Name and Password.

User Names and Password are personal and should remain specific to you. As you can see, there are a number of ways to share files and enable access to email with co-workers and Executive Assistant’s that do not compromise your personal privacy.

There is one exception to sharing your Password with someone and that is usually the IT Administrator. Having your specific User Name and Password makes it easier to diagnose problems with your account and enables the IT Administrator to see exactly what you are seeing and the problem you are experiencing. Understand that your IT Administrator has a “Super User” (Administrator) account that would allow him or her to see, in most cases, absolutely every file, email, and piece of data on the Corporate Network regardless of if he or she had your specific User Name and Password or not. (The few cases where this is not true are when a separate encryption program is used to securely encrypt specific files and directories or a specific password is set on a file. In those situations, only the person who set the encryption or the password on the file or directory knows the password to decrypt (access) it. Neither the IT Administrator, nor anyone else for that matter, can access or read the file.)

In general, do not share your user name and Password with co-workers or your Assistant if you can possibly avoid it.

Share Dessert instead. Much tastier and the only risk is a few extra calories.

Securing your Digital World with Passwords

August 15, 2012 By Jason Palmer Leave a Comment

This is a test: Grab your nearest digital device that has your personal information on it. That would be your cell or Smartphone, iPad or Android Tablet, notebook or desktop computer or iPod/mp3 player. Touch the screen or tap the keyboard to wake it up.

Does it ask you for a Password to proceed before you can access it?

If “Yes”, congratulations, you passed and understand the importance of taking as many precautions as possible to keep prying eyes out of your personal data and digital world.

If “No”, then the next question to you is “Why does your digital device not have a Password set?” Would you leave your car unlocked on the Street? Would you leave the front door of your house or apartment open so that anyone could just walk in and look around? Well, would you?

If you secure every aspect of your physical world with locks, keys, and combinations, why would you not think to do the same for your digital world?

Password security is not just for your online web accounts. Password security should be engaged and used everywhere it is supported.

I am sure that some of you have lost your cell or Smartphone. Without a Password set on the device, whoever found it immediately had access to your entire address book: every name, every phone number, perhaps full addresses, possibly birthdates. In this address book list there are probably sensitive contacts like your Doctor’s, Financial Advisors, and Attorney’s. If you are like many people, in the NOTES section, some contacts may have Account Number and (hopefully not) Password and access information to these accounts. But we are just getting started as we are only considering the wealth of information in the Address Book/Contact List. In the wrong hands, this is an identity thief’s dream.

If you have a Smartphone, every text message sent and received and every email for approximately the past two weeks is fully visible. If the person who just found your phone is a criminal or identity thief, he or she might send an email or text message that appears to come from you fraudulently asking for “assistance” to one or more of your contacts. (A popular scam is to claim that “you” are in a bad cell zone and can only text, have lost your wallet, and can “your friend” please send $100 via a wire service or mobile payment service.)

Your Smartphone most likely connects to an App Store – either the iTunes store or the Google Play store. This person may now be able to obtain additional personal information about you from Apple or Google and possibly credit card information which can then be used to break in to other accounts at other web sites discovered from your Contact/Address Book list.

The above scenarios hold true for most iPads, Android Tablets, iPods, and mp3 Players that have a contact list, email capability, and connect to any kind of App Store.

With a Notebook Computer it only gets worse: Your portable computer has all of the above and plenty of bonus content for the person who finds it. The computer will most likely contain sensitive documents. If you only have a notebook computer and no desktop computer, then it will contain your entire body of digital knowledge: Every letter, proposal, memo, spreadsheet (i.e. Expense Report, Income Information), Business Plan, poem – just about every piece of digital content you have every created will be on this one device. But wait, there’s more: Every picture you have ever downloaded from your phone or camera: you, your family members, places you have been, all of your friends, and pets. This may seem innocuous but for professional thieves, the photos may reveal additional physical targets for burglaries. (Fluffy might become pet-napped and held for ransom.)

If you are a person who accesses a corporate network, which probably does use and require a Password, and that Password is stored in the access application, DING, DING, DING – it is the Mother of all Pay Days for the unscrupulous individual who is now in possession of your notebook. That person potentially has full, unrestricted access to all of your company’s sensitive information. This time it includes not only documents but may include corporate financial information and detailed personal information about clients of the company.

Finally for the Lightening round: I am virtually positive that many of you have your Apps set for “auto-login” where your User Name along with your Password are stored in the App. (If a web site, the user name and password are stored in the Web Browser.) You have just given the person in possession of your digital device the “Keys to the Kingdom” of your Digital World. He or she is now capable of viewing (and manipulating) your Social Media, WebMail, eCommerce accounts and any other web site that has stored access information.

As you can see, for lack of taking a few extra seconds to enter a Password every time you pick up one of your digital devices, you could be needlessly exposing your entire digital world and putting yourself and those around you at extreme risk.

You lock your physical world. Lock your digital world too.

Set a Password on every device that supports the use of a Password.

For some guidelines on setting strong passwords, read my articles, “Strengthening Common Passwords” and “A Complex Password may not be a Strong Password.”

Technical Tip: If your device supports the use of a Swipe Pattern instead of entering a combination of numbers and letters as a Password, definitely use a Swipe Pattern. (A Swipe Pattern allows you to use your finger to draw a series of lines across the screen in a specific order to unlock the device.) Hackers can use automated programs to guess at the number and letter combinations which make up a Password. As of this writing, similar programs do not yet exist to crack a Swipe Pattern on a digital device. Although if a program did exist, most phones would still lock out all further attempts after a certain number of failures. It was reported in March of 2012 that even the FBI could not get in to a phone that used a Swipe Pattern to lock it. See more on that story here.

Strengthening Common Passwords

August 13, 2012 By Jason Palmer 1 Comment

Raise your hands. How many of you are still using one of the following as your Password:

First Name Birth Date
Kids Name
Dogs Name
First Name Date of Hire
Password
123456
Yankees
Mets

You get the idea. A Password so incredibly obvious that you really don’t even need to write it down and stick it to the underside of your keyboard for a co-worker or family member to find it. (What? You think you’re the only person in the world who would think to hide their password under their keyboard?)

Since you refuse to make a genuinely strong password as discussed in my article, “Have YOU changed your Password recently?” let’s see if we can take your existing, incredibly obvious password and make it stronger.

Let’s start with the ever popular First Name and Birth Date. WALT1901 Yes, you do get partial credit for using both Letters and Numbers but fail because these are two pieces of information that many people who might want to get in to your digital accounts already know. I understand that it is very easy to remember. We can make is stronger with just a few minor improvements.

Let us combine the First Name with the Birth Date so that we take one letter from the first name then one number from the birth date: WALT1901 becomes W1A9L0T1 .

We can make this a little stronger still by changing the Letter “L” to a Number “1” so the new password would be W1A910T1 . Changing a letter to a number in this particular manner is a form of simple letter/number substitution called LEET. (Read more about LEET at Wikipedia here.)

A determined hacker who knows your name and birth date would figure this out fairly quickly as one of the few dozen combinations and possibilities. However, the simple modification above will keep out most nosey co-workers and family members who try the incredibly obvious first. (A brute force computer program could figure this password out in a matter of minutes because it is just letters and numbers.)

Almost any Password can immediately be strengthened by using LEET – substituting numbers or special characters for letters. LEET works well as a starting point.

Password becomes P@ssw0rd or P@55w0rd
Yankees becomes Y@nk335
Mets becomes M3t5

Unfortunately, these passwords are still very easy for anyone who knows what Sports Teams you follow to figure out. LEET substitution patterns are fairly well known. (I am ignoring for the moment if you are one of the tens of thousands who still use the word “password” as your actual “password” – LEET or not, you deserve to be hacked.)

In order to throw off those who might know that you like Baseball and may use Sports Team names as your password series, we need to add a special character and mix things up a bit.

If we take our LEET version of Yankees – Y@nk335 – and add an Exclamation point – Y@nk!335 – this makes the password extremely strong from a human attack and reasonably strong from an automated attack.

Going one step further: If we move the numbers to the front: Y@nk!335 becomes 335Y@nk! – this password is even stronger and again could most likely only be broken by a brute force automated attack. (A brute force automated attack is where the computer will keep trying every letter, number, special character combination until it is successful.)

I have demonstrated that you can hang on to your common, weak Password, so you can remember it, and apply a few simple techniques to make it significantly stronger. At the bare minimum, it is will certainly keep out noisy co-workers and family members. At best, it will make the brute force hacker’s work extremely hard to break in to your digital accounts.

A few thoughts on the selection of a Password and Strength:

Understand that every password, given enough time, will be found.

As discussed, someone trying to gain entry in to your digital account is going to try the easy, common passwords first. For example, “123456” is the most common password and “Password’ is the fourth most common password. A hacker is not going to have to use any fancy brute force attack to break in to an account with either of these two passwords. In fact, they will be the first and fourth passwords that the hacker tries to use to gain entry in to your account.

The point is that any hacker will have a list of well know common passwords that include Sports Teams, Movies, Celebrities, Comic Book Characters, Seasons, Fictional Characters, Playwrights, Composers, etc. All of these well know possible passwords will be tried first and in too many cases, will be successful.

Once you start to use Passwords that are not common and have the above techniques applied to them, you will force the hacker to use a “brute force” method of attack which can take an incredible amount of time to succeed.

Thieves like to take the cars with the doors left unlocked and the keys in the ignition.

Make sure to lock your digital accounts with a good quality password.

With a few simple modifications to your Password, you can put up enough of a challenge that most hackers will give up and move on (unless you are a specific target of an attack.)

The sites below have a combination of Password Quality Meters and the theoretical amount of time it would take for a brute force, automated attack to succeed.

NOTE: There are significant differences in the assumptions used to determine the difficulty level in cracking your Password.

DO NOT RELY SOLELY ON THESE TOOLS FOR GUIDANCE WITHOUT UNDERSTANDING THEIR METHODOLOGIES!

The three sites below take entirely different approaches to determining the quality of a Password.

Password Quality Test Tools

The Password Meter – Traditional Analysis based on Traditional Policy Theory
http://www.passwordmeter.com/

Pass Fault – Patterns Make Passwords Easy to Crack
http://www.passfault.com
Pass Fault – Analysis based on Pattern Theory
https://passfault.appspot.com/password_strength.html

Needle in a Hay Stack Theory by Steve Gibson and Test
https://www.grc.com/haystack.htm

Have YOU changed your Password recently?

August 12, 2012 By Jason Palmer Leave a Comment

Account Security is not like the Weather. You can do something about it. Almost weekly, someone reports that a Social Media Site, Content Provider, or Financial Institution has had a breach and that customer account information “may” have been compromised.

The absolute best defense against this insane level of carelessness is a good offense.

CHANGE YOUR PASSWORDS EARLY AND OFTEN.

This is an aspect of digital account security that is completely within your control.

The sites that care most about the security of your data force you to change your password on a periodic basis of no less than ninety days. If they do not force a periodic password change, take it upon yourself to change your password at least monthly. If they really care, they force you to use a “strong” password which generally means it is more than eight alphanumeric characters, must include at least one letter, one number, one special character, and is case sensitive.

Unfortunately, most sites feel that forcing you to change your password, even if for your own protection, is too invasive and not very customer service friendly.

Be honest. How many of you have NEVER changed your password on your email account? Facebook? Gmail? AOL? AIM? AppleID? Your bank account? Seriously? Never? Need I go on?

Stop reading this right now and GO CHANGE YOUR PASSWORDS. I will wait… Hmmm… still reading? Well then the least I can do is to give you some advice on creating a strong password.

As amazing as it seems, some Banks do not allow special characters as part of the password. (Special characters are punctuation marks like # @ $ ! % * . – anything that is not a letter or number.) Even without special characters, you can still make a strong password that will be difficult to guess and withstand a good number of basic hacking techniques.

Let us start by creating a password not from a word but from a phrase. Take the first letter from each word in the title of this article as a starting point. “Have You Changed Your Password Recently” would translate to HYCYPR. This is absolutely not a word in any dictionary which eliminates the possibility of a dictionary based hacking attempt. To anyone who is not you, the password looks like complete gibberish. (A dictionary attack uses an English Dictionary or a list of common words and tries thousands of them until it succeeds.)

Now, let us make it even stronger. We are going to substitute the some of the letters with their numeric position in the Alphabet. HYCYPR is going to become 8Y3YPR. H is the eighth letter and C is the third letter of the Alphabet. To keep with my own statement that a strong password should be at least eight characters, I will pad this with some extra numbers. The final password will be “ 8Y3YPR42 ” (Ignore the quote marks.) This password is now virtually impossible to guess and it is definitely impervious to a dictionary attack. By the way, I chose 42 as that is the answer to “Life, the Universe, and Everything” from “Hitch Hikers Guide to the Universe.”

Which bring up another point: Try to use a sentence, phrase or quote that is not common or attributable to your personality, likes, or habits. If someone knows you like Douglas Adams (Author of the Hitch Hikers Series) and has figured out how you assemble your passwords, this gives that person a starting point if you are being specifically targeted.

Now that you know how to make strong passwords, GO DO IT NOW for all of your accounts.

Take this opportunity to get one giant step ahead of the hackers.