[LINK] Guidance re Passwords

Roger Clarke Roger.Clarke at xamax.com.au
Sat Jul 23 10:40:50 AEST 2011


A correspondent on BrowserID issues has asked me a question about the 
use of 'password managers'.

It prompted me to think about what guidance we give consumers (and 
employees, students, etc.) in relation to passwords and their 
protection.

Surprisingly, a quick web-trawl found little of much use - although 
there are plenty of 'how to select a good password' pages, some of 
them daft (i.e. of the form 'make sure your passwords are so 
complicated that you can't possibly remember them').

It's good to see that this is better than most:
http://www.staysmartonline.gov.au/factsheets/factsheet_15
(I like this bit: 'To make a password easy to remember, think of a 
pass phrase and then change some of the characters to make it a 
strong password';  although the examples are unrealistic).

Can linkers point to other useful guidance pages?

A 20-minute tap at the keyboard produced the below.  Feedback appreciated.

_________________________________________________________________________


              What Everyone Ought to Know About Passwords

            Very Tentative, One-Pass Draft of 23 July 2011

Passwords are widely used as a means for authenticating a person's 
authority to use an account.  The logic underlying a password is that 
it's something that only the (or an) authorised person should know.

A password alone offers only a low level of security, because it's so 
easily compromised, i.e. discovered by someone else.

Alternative 'single-factor authenticators' include:
-   what you have, such as a hoozit that generates a one-time password
     each time the user needs to authenticate themselves, or a digital
     signing key.  (By hoozit I mean some kind of device.  We used to
     call such things a widget, but that word's come into common usage)
-   what you are, i.e. a biometric
-   where you are, e.g. your IP-address or device-ID
-   what you do, e.g. the time-signature of the key-strikes when
     you're typing your password

Digital signature technologies have theoretical appeal, but also 
multiple vulnerabilities.  (Among other things, the use of the 
signing key may be protected by a password, which represents a weak 
link in the security chain).

Biometrics, contrary to the nonsense put about by marketers, are 
highly vulnerable as well, in particular because a biometric is not a 
secret, can be easily captured and replayed, and in some cases is 
easily spoofable.

The most effective approach is multi-factor authentication, 
particularly including a one-time password - which may be generated 
by a hoozit, or sent to the user when it's needed, but via a 
different channel.

Authentication security needs to be traded off against practicality. 
Because all of the alternatives are awkward, and none are foolproof 
or attacker-proof anyway, passwords are here for the long haul.

Remembering even one password is bad enough, but remembering a lot of 
passwords is even more challenging, especially for the accounts that 
you use infrequently.  It's therefore common for people to take risks 
such as:
-   using the same password for multiple accounts;  and/or
-   recording their passwords in one or more locations, which
     -   may be local to them or remote from them
     -   may or may not be hidden and
     -   may or may not be protected, e.g. by another, 'master' password

Below are some security risks with passwords, and approaches to 
reducing the likelihood that you will suffer from them.

How seriously you should take this advice depends on how much harm 
you could suffer if someone else acquires your password and operates 
on your account.


         Password Vulnerabilities and Threats, and Safeguards

1.  Guessing of the Password
Do not use obvious words, or obvious data associated with you 
(e.g. your birthdate, your name, a close relative's name).
If the account is issued with a default password, only use that 
password once, to gain access the first time, then immediately change 
it.
(Remember Murdoch's once-successful paper 'The News of the World').

2.  'Brute Force' Guessing of the password
(Programs have been written that test large numbers of combinations 
of characters.  They are typically based on a 'dictionary attack').
Do not use simple words.  At least mis-spell them, and preferably use 
unlikely (but memorable) combinations of letters, digits and 
punctuation marks, e.g. (it's published, so don't use this one!) 
pass?w0rd

3.  Visual Observation of the Password
(Someone sees what you keyed in, or which keys you hit).
Don't key your password into a field that displays in clear on the screen.
Don't key your password when someone is watching your hands.  (This 
applies *especially* to your flatmates, family-members and workmates).
Obscure the keys you strike by putting your hands or body in the way.
Change your password very shortly after it may have been observed,
e.g. when you've used it in an Internet cafe or airport lounge.

4.  Electronic Observation of the Password
(The term 'key-logger' refers to malware that can detect what you key in).
Install, maintain and run 'brand-name' anti-malware software.  You 
need to be confident in that software, so don't accept dodgy-looking 
offers.
When in a relatively secure environment (hopefully this includes at 
home), prefer a mouse-based user-interface (where you click on the 
relevant characters on the screen, rather than typing them on the 
keyboard).
But this is insecure in a public space like an Internet cafe.

5.  Interception of the Password
(Someone or something in the network sees the password as it goes by).
Do not provide a password unless you're on an encrypted link
(e.g. one that uses SSL/TLS, which displays 'https' in your web-browser).
Do not send your password in an unencrypted email-message.

6.  Phishing of the Password
(Someone tricks you into sending your password to them).
Do not click on a hotlink in an email and then enter your password.
Only ever enter your password when you are confident you are 
communicating with the right server, e.g. you've typed the URL from a 
reliable source, or you're using a bookmark that you previously typed 
in.

7.  Compromise of One Account's Password Compromises Other Accounts
Do not use the same password for more than one account.
OR
Do not use the same password for more than one *important* account.
It's less risky to use one password for the myriad accounts you're 
forced to have but where the harm would be minimal even if it's 
compromised (e.g. commentators' accounts, e-mailing list admin 
accounts, subscriptions to paid content, reviewers' accounts).

8.  Discovery of Passwords in Storage
Do not record your passwords.  (But that's difficult advice to follow!).
Record not the passwords, but reminders of what the passwords are.
Do not record all of your passwords or reminders in one place.
Obscure the fact that they are passwords or password reminders.
Obscure your password records by encrypting them (whether manually, 
or using crypto software together with a crypto-key and/or 'master' 
password).
Prevent other people accessing the record, e.g. carry it on you, 
whether on paper or in a device that isn't network-connected.
Do not store your password-related records remotely over a network; 
or, if you do, then make sure that it's crypto-protected against the 
organisation that stores it for you, and against others.

9.  Compromise of the Password-Reset Process
(It's normal for there to be a way to override the password on an 
account, and generate a new one.  It then has to be re-issued, 
usually to the email-account that you nominated when you opened the 
account).
Record the email-address that you used when you opened each account.
Make sure that you have access to that account, and that no-one else has.

10. Continued Use of a Compromised Password
If you have any reason to suspect that someone may have discovered 
your password, get into a relatively secure environment and then 
change it.
If you have used any password for a long time (and protection of the 
account is important), assume that it's been compromised, and change 
it.
How long is 'a long time'?  It's inversely proportional to the damage 
that someone can do to you if they get into your account, i.e. the 
more important the account, the more often you should change the 
password.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
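An added example, not part of Roger's post or of the draft it quotes, to make item 2 of the draft ('Brute Force' guessing) concrete: password-cracking tools do not try every string, they take a wordlist and apply mangling rules (leet substitutions, joining two words with a separator, changing case, appending a suffix). The wordlist, the rule set and the sample passwords below are all constructed for the example and are far smaller than what a real tool such as John the Ripper or hashcat would use; the point is that a candidate like 'pass?w0rd' is inside the rule-generated space, whereas a multi-word phrase that is not built from listed words is not.

```python
"""Rule-based dictionary guessing, the kind of attack the draft's item 2 describes.

Added example, not code from the original post.  WORDLIST, LEET, SEPARATORS and
SUFFIXES are constructed here; real tools use wordlists of millions of entries
and hundreds of rules, so everything below understates the attacker.
"""
import itertools

# Constructed mini wordlist (real attacks use leaked-password lists).
WORDLIST = ["password", "pass", "word", "letmein", "welcome", "monkey", "dragon"]

# Constructed mangling rules: a small subset of what cracking tools apply.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SEPARATORS = ["", "?", "!", ".", "-", "_"]
SUFFIXES = ["", "1", "123", "!", "2011"]


def leet_variants(word):
    """Yield every combination of leet substitutions of 'word'.

    With k substitutable characters this yields 2**k strings, the original
    (no substitutions) first.
    """
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(wordlist=WORDLIST):
    """Generate guesses in attack order.

    Bases are single words, then every two-word join with a separator.  Each
    base is expanded by leet substitution, three case forms and a suffix.
    """
    bases = list(wordlist)
    for w1, w2 in itertools.product(wordlist, repeat=2):
        for sep in SEPARATORS:
            bases.append(w1 + sep + w2)
    for base in bases:
        for variant in leet_variants(base):
            for cased in (variant, variant.capitalize(), variant.upper()):
                for suffix in SUFFIXES:
                    yield cased + suffix


def candidate_count(wordlist=WORDLIST):
    """Size of the whole rule-generated guess space for this wordlist."""
    return sum(1 for _ in candidates(wordlist))


def guesses_needed(password, wordlist=WORDLIST):
    """Number of guesses until 'password' is produced, or None if the rules never produce it.

    Any integer result means the password falls to a dictionary attack at the
    cost of that many hash computations, which is trivial even for a slow hash.
    """
    for n, guess in enumerate(candidates(wordlist), start=1):
        if guess == password:
            return n
    return None


if __name__ == "__main__":
    # Constructed sample passwords; the first two are built from listed words.
    for pw in ("password", "pass?w0rd", "Letmein123", "correct horse battery staple"):
        n = guesses_needed(pw)
        status = "found at guess %d" % n if n else "not produced by these rules"
        print("%-30s %s" % (pw, status))
    print("rule-generated space:", candidate_count(), "candidates")
```

The final line of output puts the whole rule-generated space in the tens of thousands of candidates, which a cracking tool exhausts in well under a second against an unsalted or fast hash; adding a digit or a punctuation mark to a dictionary word moves the password within that space, not outside it.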
