What’s your password?
Published 8:21 pm Thursday, April 26, 2018
“How do you hack into a system,” is a question that I commonly hear. As with many things, a straightforward answer is often elusive – and somewhat surprising.
Recently, I wrote about the idea of users being the “weakest link” in the information security landscape. So I offer that one attack methodology is to exploit the point where the user interacts with the technology: the sacred password.
“Whitehat” hacking is the notion of attacking systems (with permission) in order to document concerns and improve security. We always begin such engagements by seeking users within the target environment. Visit a website, look for published email addresses, scour social media for email addresses and names, review published documents or visit the physical entity and collect business cards. Even, perhaps, if you’re ‘old school’, just call and ask. Gather information about the users and you have the seeds of opportunity.
Password management is notoriously poor among most users. We use the same password for every solution: social media, banking, email, work, every system that presents a login challenge. Recycle passwords. Employ simple passwords. Write passwords on sticky notes and attach them to the monitor or the bottom of the keyboard. You get the idea; a surprising number of people do not manage their credentials adequately. That’s how the would-be hacker often “breaks in”.
So what do we do? How do we avoid the pitfalls associated with bad passwords? Below, I offer some suggestions for creation of complex passwords.
Use complex passwords, at a minimum. Unique passwords contain a combination of words, numbers, special characters, and mixed case (upper- and lower-case letters).
Don’t use common words. Don’t use “password” or some clever variation of “password”. We try all of these during attempts to gain access. Furthermore, a common attacker technique is the dictionary attack. Badly designed systems will allow unlimited failed login attempts for a user. With a known username, the attacker will simply try to log in again and again, drawing candidate passwords from common-word dictionaries.
Also, don’t use personal attributes as passwords. People often post a wide array of information to public sources, such as social networks, and are then surprised when someone guesses that a password is the name of a family pet.
Uniqueness is what we want in passwords. Length is key as well; additional characters make guessing more challenging. I often suggest passphrases rather than a password. With a passphrase, you assemble a series of words that are known to you. For example, take the first few words of your favorite poem and add a number at the end.
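The rules above, turned into a password-policy check that an enrollment form could run before accepting a new credential. This is an added example, not code from the column; the wordlist is a constructed stand-in for a real dictionary, and the length, word-count and character-class thresholds are assumptions of my own.

```python
import re

# Constructed miniature wordlist standing in for the common-word dictionaries an
# attacker feeds to a login form; a real check would load a full wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin",
                "football", "monkey", "dragon", "summer", "winter"}
# Undo the usual "clever variations" of a word (p@ssw0rd, pa$$word, Passw0rd!).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH, PASSPHRASE_WORDS, PASSPHRASE_LENGTH = 12, 4, 20  # assumed thresholds


def normalize(candidate: str) -> str:
    """Reduce a candidate to the dictionary word an attacker would guess it from."""
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())  # drop "2018", "!!" at the ends
    base = base.translate(LEET_MAP)                              # p@ssw0rd -> password
    return re.sub(r"[^a-z]", "", base)                           # pass-word -> password


def check_password(candidate: str, personal: tuple = ()) -> list:
    """Return the policy problems found; an empty list means the candidate passes.

    `personal` holds attributes an attacker could harvest from public sources
    (a pet's name, a birth year) that must not appear anywhere in the password.
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(candidate)
    if norm in COMMON_WORDS:
        problems.append(f"variation of the common word '{norm}'")
    for item in personal:
        if item.lower() in lowered:
            problems.append(f"contains personal attribute '{item}'")
    # A multi-word passphrase draws its strength from length, so it is exempt
    # from the mixed-case/digit/symbol requirement that a single word needs.
    words = re.findall(r"[a-z]+", lowered)
    is_passphrase = len(words) >= PASSPHRASE_WORDS and len(candidate) >= PASSPHRASE_LENGTH
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3 and not is_passphrase:
        problems.append("needs three of: lower case, upper case, digits, symbols")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd123", "Fluffy2012!!", "whose woods these are i think i know"):
        print(pw, "->", check_password(pw, personal=("Fluffy", "2012")) or "OK")
```

The sample inputs in the main block are constructed: a leetspeak variation of “password”, a pet name plus year, and a lower-case passphrase that passes on length alone.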
Don’t store passwords in plain text, such as a Microsoft Word document or a phone’s note app. A variety of tools are available to assist with password management and creation. Two of my favorites are KeePass and LastPass. These tools store your passwords securely and assist with suggestions for complex, unique passwords.
While I’m not fond of writing passwords down, if you keep the list stored securely and out of plain sight, you’re in better shape than using simple passwords for multiple sites.
Many web browsers will offer to store passwords automatically. I suggest avoiding this practice entirely. Anyone with access to your phone or computer will be able to visit those secure areas easily.
And don’t share your passwords. Credible organizations do not call and ask for passwords, nor do they send email messages asking for them.
Help keep the bad actors at a distance by complicating the most common of all access mechanisms: the password.
William Greg Price is the Chief Technology and Security Officer for Troy University and the Director of the Alabama Computer Forensics Institute. He founded the first regional digital forensics lab in the nation with the U.S. Department of Justice and developed the Cyberkids Awareness Program for the Alabama Attorney General’s Office. He currently represents District 2 on the Pike County Board of Education.