Friday, July 23, 2010

Securing Passwords with Secure Practice

“Passwords are often the first (and possibly only) defense against intrusion.” MacGregor (2002)

When the average person thinks of network security within a school, they often think of a student trying to hack into the system to change their grade, to see if they can take over a friend’s computer, or to put a prank up on the school website. In light of the current network dangers, these may be among the least of a school system’s worries.

Breached Passwords

There are many ways for people to get passwords, and what they do once they have them can be devastating. The important first step in data security is for everyone to take password security seriously. Choosing good passwords, not posting them on your computer, and making sure no one is watching when you type them in are all simple steps in password security.

Analysis of 32 million breached passwords

A recent study analysed 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way users select passwords and an opportunity to evaluate their true strength as a security mechanism.

Key findings of the study include:

• The shortness and simplicity of passwords mean many users select credentials that leave them susceptible to a basic form of cyber attack known as a “brute force attack.”

• Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.

• Recommendations for users and administrators on choosing strong passwords.

Everyone needs to understand what poor passwords mean in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second, or 1000 accounts every 17 minutes.

The report identifies the most commonly used passwords:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

In a corporate environment, password insecurity can have serious consequences. Employees who use the same passwords on Facebook that they use in the workplace risk compromising enterprise systems, especially if those passwords are easy to crack, like “Country123”.

Securing Passwords with Secure Practice

Some secure password practices are built on common sense, while others follow a more systematic framework.

• Change passwords frequently.
• Do not reuse old passwords.
• Always keep passwords secret. Trust no one with a username/password combination.
• Do not use passwords that consist of dictionary words, birthdays, or common series such as sequential numbers or repeated characters.
• Do not log into an account via a link in an email, in case it is phishing. Type the site’s normal URL (Uniform Resource Locator) into the web browser instead, so you can be sure of the identity of the party asking for information.
• Never disclose passwords to any other party by email, phone, or face-to-face interaction.
• Never write down a password, on paper or digitally. Commit it to memory. If one must write something down to remember a password, write a hint to the password, and not the password itself.
• Do not let anyone watch or stand behind you when typing a password.
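The weakness categories the RockYou analysis reports (top-10 passwords, names and dictionary words, sequential digits, adjacent keyboard keys, repeated characters, very short passwords) and the “do not use” rules above can be turned into a checker. The code below is an added example written for this post; it is not the study’s tooling or any product’s policy engine. The top-10 strings come from the list above; the small word list and the remaining sample passwords are constructed stand-ins (a real checker would load a full dictionary and a large breached-password list).

```python
"""Classify passwords against the weakness categories described in the
RockYou breach analysis and report what share of a sample is weak."""

import re

# The ten most common RockYou passwords, as listed in the post.
TOP_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Constructed stand-in for a dictionary / name list (assumption: a deployed
# checker would load a full word list such as /usr/share/dict/words).
DICTIONARY = {
    "password", "princess", "rockyou", "iloveyou", "country",
    "monkey", "dragon", "letmein",
}

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8   # anything shorter is trivially brute-forceable
RUN = 4          # length of a run that counts as a sequence / walk / repeat


def has_sequence(s, run=RUN):
    """Ascending or descending run of `run` consecutive code points, e.g. '3456' or 'dcba'."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(s, run=RUN):
    """`run` characters that sit next to each other on one keyboard row, in either direction."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in s or frag[::-1] in s:
                return True
    return False


def has_repeat(s, run=RUN):
    """The same character `run` or more times in a row, e.g. 'aaaa' or '1111'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def classify(password):
    """Return the weakness categories that apply; an empty list means none were found."""
    p = password.lower()
    reasons = []
    if len(p) < MIN_LENGTH:
        reasons.append("short")
    if p in TOP_PASSWORDS:
        reasons.append("top10")
    # "Country123" style: a dictionary word with digits bolted on is still a dictionary word.
    core = re.sub(r"^\d+|\d+$", "", p)
    if core in DICTIONARY:
        reasons.append("dictionary")
    if has_sequence(p):
        reasons.append("sequence")
    if has_keyboard_walk(p):
        reasons.append("keyboard")
    if has_repeat(p):
        reasons.append("repeat")
    return reasons


def is_weak(password):
    return bool(classify(password))


def weak_share(passwords):
    """Fraction of the list hitting at least one category (the study's 'nearly 50%' figure)."""
    return sum(1 for pw in passwords if is_weak(pw)) / len(passwords)


def category_counts(passwords):
    """How many passwords fall into each category; one password can count in several."""
    counts = {}
    for pw in passwords:
        for reason in classify(pw):
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample: the post's top 10 plus five invented passwords covering
# word+digits, a keyboard walk, repeats, and two that should pass.
SAMPLE = [
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
    "Country123", "qwertyuiop", "aaaa1111",
    "correct horse battery staple", "T7#kq9!vRz2m",
]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:32} {classify(pw) or 'ok'}")
    print(f"weak share: {weak_share(SAMPLE):.0%}")
    print(category_counts(SAMPLE))
```

Run against real data, the top-10 set should be replaced with the full breached list and the dictionary with a proper word list; the structure stays the same. Note that the check is deliberately applied to the lower-cased password, so “Password” and “Country123” are caught just like their lower-case forms.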
