[LINK] Guidance re Passwords
Roger Clarke
Roger.Clarke at xamax.com.au
Sat Jul 23 10:40:50 AEST 2011
A correspondent on BrowserID issues has asked me a question about the
use of 'password managers'.
It prompted me to think about what guidance we give consumers (and
employees, students, etc.) in relation to passwords and their
protection.
Surprisingly, a quick web-trawl found little of much use - although
there are plenty of 'how to select a good password' pages, some of
them daft (i.e. of the form 'make sure your passwords are so
complicated that you can't possibly remember them').
It's good to see that this is better than most:
http://www.staysmartonline.gov.au/factsheets/factsheet_15
(I like this bit: 'To make a password easy to remember, think of a
pass phrase and then change some of the characters to make it a
strong password'; although the examples are unrealistic).
Can linkers point to other useful guidance pages?
A 20-minute tap at the keyboard produced the below. Feedback appreciated.
_________________________________________________________________________
What Everyone Ought to Know About Passwords
Very Tentative, One-Pass Draft of 23 July 2011
Passwords are widely used as a means for authenticating a person's
authority to use an account. The logic underlying a password is that
it's something that only the (or an) authorised person should know.
A password alone offers only a low level of security, because it's so
easily compromised, i.e. discovered by someone else.
Alternative 'single-factor authenticators' include:
- what you have, such as a hoozit that generates a one-time password
each time the user needs to authenticate themselves, or a digital
signing key. (By hoozit I mean some kind of device. We used to
call such things a widget, but that word's come into common usage)
- what you are, i.e. a biometric
- where you are, e.g. your IP-address or device-ID
- what you do, e.g. the time-signature of the key-strikes when
you're typing your password
Digital signature technologies have theoretical appeal, but also
multiple vulnerabilities. (Among other things, the use of the
signing key may be protected by a password, which represents a weak
link in the security chain).
Biometrics, contrary to the nonsense put about by marketers, are
highly vulnerable as well, in particular because a biometric is not a
secret, can be easily captured and replayed, and in some cases is
easily spoofable.
The most effective approach is multi-factor authentication,
particularly including a one-time password - which may be generated
by a hoozit, or sent to the user when it's needed, but via a
different channel.
Authentication security needs to be traded off against practicality.
Because all of the alternatives are awkward, and none are foolproof
or attacker-proof anyway, passwords are here for the long haul.
Remembering even one password is bad enough, but remembering a lot of
passwords is even more challenging, especially for the accounts that
you use infrequently. It's therefore common for people to take risks
such as:
- using the same password for multiple accounts; and/or
- recording their passwords in one or more locations, which
- may be local to them or remote from them
- may or may not be hidden and
- may or may not be protected, e.g. by another, 'master' password
Below are some security risks with passwords, and approaches to
reducing the likelihood that you will suffer from them.
How seriously you should take this advice depends on how much harm
you could suffer if someone else acquires your password and operates
on your account.
Password Vulnerabilities and Threats, and Safeguards
1. Guessing of the Password
Do not use obvious words, or obvious data associated with you
(e.g. your birthdate, your name, a close relative's name).
If the account is issued with a default password, only use that
password once, to gain access the first time, then immediately change
it.
(Remember how Murdoch's once-successful paper 'The News of the World'
got into people's voicemail: many of those accounts were still on the
default PIN.)
2. 'Brute Force' Guessing of the Password
(Programs have been written that test large numbers of combinations
of characters. Trying every possible combination is slow, so in
practice they start with a 'dictionary attack': every word in a large
word-list, plus the common variations of each word - capitalisation,
digits and punctuation tacked on the end, and letters swapped for
look-alike digits and symbols).
Do not use simple words. Mis-spelling them helps only a little, because
the common mis-spellings are in the attacker's rule-set. Preferably use
unlikely (but memorable) combinations of letters, digits and
punctuation marks, e.g. (it's published, so don't use this one!)
pass?w0rd
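To make the 'dictionary attack' concrete, here is an added example (not from the original note) of the candidate-generation step of such an attack, run against the note's own throw-away example. The word-list, the substitution table and the rule order are constructed for the example; real cracking tools ship with word-lists of many millions of entries and far larger rule-sets, so the point is only the shape of the attack. A real attacker compares each guess against a stolen password hash rather than the plain text, but plain comparison keeps the example self-contained.

```python
import itertools
import string

# Constructed mini word-list standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "welcome", "qwerty", "monkey", "dragon"]

# Common letter-for-symbol swaps that cracking rule-sets apply to every word.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
PUNCT = "!?.,-_$#@*"
SUFFIXES = ["", "1", "12", "123", "!", "?", "2011"]


def leet_variants(word):
    """Every combination of plain or swapped spelling, letter by letter."""
    options = [c + LEET.get(c.lower(), "") for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(wordlist=WORDLIST):
    """Yield guesses in the order a rule-based attack would try them:
    case variants, then swapped letters, then suffixes and inserted punctuation."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    yield variant + suffix
                for pos in range(len(variant) + 1):
                    for p in PUNCT:
                        yield variant[:pos] + p + variant[pos:]


def dictionary_attack(target, wordlist=WORDLIST):
    """Return how many guesses the rule-set needs to hit `target`,
    or None if the rule-set never produces it."""
    for n, guess in enumerate(candidates(wordlist), start=1):
        if guess == target:
            return n
    return None


def exhaustive_guesses(length, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Size of the search space a pure brute-force attack would face."""
    return len(alphabet) ** length


if __name__ == "__main__":
    for pw in ["pass?w0rd", "Welcome123", "P4$$w0rd!", "Tr0ub4dor&3"]:
        n = dictionary_attack(pw)
        if n is None:
            print("%-12s not produced by this rule-set" % pw)
        else:
            print("%-12s found after %d guesses (brute force: %d)"
                  % (pw, n, exhaustive_guesses(len(pw))))
```

Running it shows the note's example falling in the first couple of hundred guesses, while a nine-character password that a pure brute-force attacker had to search exhaustively would sit somewhere in a space of 94^9 (about 5.7 x 10^17) combinations. The gap is the whole argument for choosing something that is not a word with decorations.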
3. Visual Observation of the Password
(Someone sees what you keyed in, or which keys you hit).
Don't key your password into a field that displays in clear on the screen.
Don't key your password when someone is watching your hands. (This
applies *especially* to your flatmates, family-members and workmates).
Obscure the keys you strike by putting your hands or body in the way.
Change your password very shortly after it may have been observed,
e.g. when you've used it in an Internet cafe or airport lounge.
4. Electronic Observation of the Password
(The term 'key-logger' refers to malware that can detect what you key in).
Install, maintain and run 'brand-name' anti-malware software. You
need to be confident in that software, so don't accept dodgy-looking
offers.
When in a relatively secure environment (hopefully this includes at
home), prefer a mouse-based user-interface (where you click on the
relevant characters on the screen, rather than typing them on the
keyboard). This defeats a keystroke-logger, though not malware that
also captures the screen or the mouse-clicks.
But this is insecure in a public space like an Internet cafe, because
the characters you click on are visible to anyone nearby.
5. Interception of the Password
(Someone or something in the network sees the password as it goes by).
Do not provide a password unless you're on an encrypted link
(e.g. uses SSL/TLS, which displays 'https' in your web-browser, and
the browser has not warned you about the site's certificate).
Do not send your password in an unencrypted email-message.
6. Phishing of the Password
(Someone tricks you into sending your password to them).
Do not click on a hotlink in an email and then enter your password.
Only ever enter your password when you are confident you are
communicating with the right server, e.g. you've typed the URL from a
reliable source, or you're using a bookmark that you previously typed
in.
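The checks in points 5 and 6 can be expressed as a small routine, added here as an example (not part of the original note), that takes a link and the host-name you expect (the one from a bookmark you typed yourself) and lists the reasons not to type a password into it. The host-names are made up; the tricks it looks for are the usual ones: a plain 'http' link, the real host hidden behind the expected name as a prefix or as a 'user@' part, and a look-alike international domain name.

```python
from urllib.parse import urlsplit


def login_url_problems(url: str, expected_host: str) -> list:
    """Return the reasons NOT to enter a password at `url`, given the
    host you expect to be talking to. An empty list means no problem found."""
    problems = []
    parts = urlsplit(url)

    # Point 5: the password would travel in clear on anything but https.
    if parts.scheme != "https":
        problems.append("not https: the password would travel in clear")

    host = (parts.hostname or "").rstrip(".")
    if not host:
        problems.append("no host name in the URL")
        return problems

    # 'https://bank.example.com@evil.net/' - the browser talks to evil.net.
    if parts.username is not None:
        problems.append("URL has a 'user@' part: the real host is %r" % host)

    # Non-ASCII or punycode host names can look like the expected one.
    if not host.isascii() or "xn--" in host:
        problems.append("internationalised host name: possible look-alike of %r"
                        % expected_host)

    # Exact match only: 'bank.example.com.evil.net' is not bank.example.com.
    if host != expected_host.lower():
        problems.append("host is %r, not %r" % (host, expected_host))
    return problems


if __name__ == "__main__":
    # Constructed sample links; the bank host is hypothetical.
    expected = "bank.example.com"
    for link in [
        "https://bank.example.com/login",
        "http://bank.example.com/login",
        "https://bank.example.com.evil.net/login",
        "https://bank.example.com@evil.net/login",
        "https://b\u0430nk.example.com/login",   # Cyrillic 'a'
    ]:
        print(link, "->", login_url_problems(link, expected) or "OK")
```

The routine is deliberately strict: it accepts only the exact host you bookmarked, so a mail-out pointing at a 'new secure portal' on a different host-name fails the check even if it belongs to the same organisation, which is the intended behaviour for the phishing case.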
7. Compromise of One Account's Password Compromises Other Accounts
Do not use the same password for more than one account.
OR
Do not use the same password for more than one *important* account.
It's less risky to use one password for the myriad accounts you're
forced to have but where the harm would be minimal even if it's
compromised (e.g. commentators' accounts, e-mailing list admin
accounts, subscriptions to paid content, reviewers' accounts).
8. Discovery of Passwords in Storage
Do not record your passwords. (But that's difficult advice to follow!).
Record not the passwords, but reminders of what the passwords are.
Do not record all of your passwords or reminders in one place.
Obscure the fact that they are passwords or password reminders.
Obscure your password records by encrypting them (whether manually,
or using crypto software together with a crypto-key and/or 'master'
password).
Prevent other people accessing the record, e.g. carry it on you,
whether on paper or in a device that isn't network-connected.
Do not store your password-related records remotely over a network;
or, if you do, then make sure that it's crypto-protected against the
organisation that stores it for you, and against others.
9. Compromise of the Password-Reset Process
(It's normal for there to be a way to override the password on an
account, and generate a new one. It then has to be re-issued,
usually to the email-account that you nominated when you opened the
account).
Record the email-address that you used when you opened each account.
Make sure that you have access to that account, and that no-one else has.
10. Continued Use of a Compromised Password
If you have any reason to suspect that someone may have discovered
your password, get into a relatively secure environment and then
change it.
If you have used any password for a long time (and protection of the
account is important), assume that it's been compromised, and change
it.
How long is 'a long time'? It's inversely proportional to the damage
that someone can do to you if they get into your account, i.e. the
more important the account, the more often you should change the
password.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University