Integrated security specialists, Websense ,have written a new blog that discusses the fundamental rules of password security, the common errors and the results of a password phishing exercise. It looked like sound advice -- so we reproduce the blog, by Carl Leonard Threat Research Manager, Websense as well as the advice from the well known security specialist Bruce Schneier, to which the blog refers.
Bruce Schneier, over the years, has posted quite a number of blogs on password security. There are things we all know are common sense, yet we still break most of the fundamental rules. In his blog today he listed various DOs and DON'Ts . ( reproduced below) While I was reading the list, one rule reminded me of a recent conference I spoke at:
"DON'T use passwords comprised of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don't use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password."
Seems obvious enough, right? Maybe not. At AusCert 2009, I attended a talk given by Peter Gutmann, a researcher in the department of Computer Science at the University of Auckland. His talk focused on various assumptions within security. He displayed samples of phishing data that had been collected. Many of the phished passwords demonstrated exactly what the rule above explicitly says not to do. It seems, at least from the phishing data that was collected, many users are still using passwords basic enough to guess or discover by brute force in a reasonable amount of time. With the recent cracking of all of Dan Kaminsky's passwords, we're reminded that most of us probably use the same password everywhere, over-simplify it in order to remember it easily, and use it in insecure locations.
Lately we've seen quite a few mass injection attacks occur on Web sites by attackers coming in through the front door with passwords in hand.
You might wonder: How attackers gained the passwords of these ftp/scp/ssh accounts? There are a number of possibilities, but I'll mention a few:
Providing the answer to a secret question has always been thought to be the ultimate test in order to prove your identity and change your password. But, as even Sarah Palin learned the hard way, this is not the case.
Hotmail, for example, has various secret questions from which the user chooses:
· Mother's birthplace
· Best childhood friend
· Name of first pet
· Favorite teacher
· Favorite historical person
· Grandfather's occupation
Google, Bing, Yahoo, and other search engines have allowed attackers to find information about individuals like never before. The more public a profile you keep on Facebook, MySpace, hi5, or any of the other various social networking sites, the easier it is to obtain answers to most, if not all, questions above. As we all know, an attacker with enough time, patience, and resources will eventually find a way into a target.
Much like Bruce says in his post, we all break the rules he outlines. But that doesn't mean we shouldn't attempt as users and administrators to abide by them and enforce them if possible. Never forget that guessing a secret question and gaining access to a public Web account can lead to massive amounts of potential data leakage if information has been stored in locations it's not supposed to be.
Link to the Websense blog: http://securitylabs.websense.com/content/Blogs/3458.aspx
Schneier on Security
http://www.schneier.com/blog/archives/2009/08/password_advice.html
A blog covering security and security technology.
Password Advice
Here's some complicated advice on securing passwords that -- I'll bet -- no one follows.
· DO use a password manager such as those reviewed by Scott Dunn in his Sept. 18, 2008, Insider Tips column. Although Scott focused on free programs, I really like CallPod's Keeper, a $15 utility that comes in Windows, Mac, and iPhone versions and allows you to keep all your passwords in sync. Find more information about the program and a download link for the 15-day free-trial version on the vendor's site.
· DO change passwords frequently. I change mine every six months or whenever I sign in to a site I haven't visited in long time. Don't reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire.
· DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward.
No matter how much you may trust your friends or colleagues, you can't trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use.
· DON'T use passwords comprised of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don't use repeat characters such as 111 or sequences like abc, qwerty, or123 in any part of your password.
· DON'T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account.
· DON'T allow your computer to automatically sign in on boot-up and thus use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.
· DON'T use the "remember me" or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.
· DON'T enter passwords on a computer you don't control — such as a friend's computer — because you don't know what spyware or keyloggers might be on that machine.
· DON'T access password-protected accounts over open Wi-Fi networks — or any other network you don't trust — unless the site is secured viahttps. Use a VPN if you travel a lot. (See Ian "Gizmo" Richards' Dec. 11, 2008, Best Software column, "Connect safely over open Wi-Fi networks," for Wi-Fi security tips.)
· DON'T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.
I regularly break seven of those rules. How about you? (Here's my advice on choosing secure passwords.)