Ending the era of the computer password

Has the humble computer password reached the end of the line?

Earlier this year, Wired Magazine writer Mat Honan had his entire digital identity stolen from him when hackers cracked his email password and then systematically took over all of his cloud and social media accounts.

Mat writes of his experience on Wired and proposes it’s time to kill the password.

The problem with Mat’s proposal is that he doesn’t suggest an alternative.

The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place.

Every alternative authentication method to passwords has flaws just as serious, if not worse. Many are plainly impractical.

All of them, including passwords, have the common weakness that those holding the information can’t be trusted either – one of the greatest ways for passwords to get into the wild is when incompetents like Sony give them away.

Security is evolving; in the meantime we need to keep in mind some basic rules.

  • Use different passwords for different accounts
  • Only access accounts from trusted and up-to-date computers
  • Create strong passwords for accounts that matter, like online banking and email
  • Strong passwords are multiword phrases
  • Use two-factor authentication if it’s available
  • Don’t link unnecessary social media and cloud accounts together
  • Be very careful

We should also remember that a skilled, motivated hacker will probably break into your account regardless of your computer security. In this respect it’s no different to the physical world where a determined criminal will get you regardless of the locks and alarms on your house.

It’s also important to remember that security is more than just evil hackers; data can be damaged or given away by a whole range of means and people breaking into systems is only one risk of many.

Computer security is an evolving field and while it might be premature to declare the password dead, we’re going to see big changes as we try to lock down our valuable digital assets.

Similar posts:

Securing your online passwords

On ABC Sydney we look at how you can make your passwords more secure

Every Internet user has to struggle with the burden of passwords as we’re expected to remember dozens of login details for various websites and computer networks.

As we’re seeing though, passwords aren’t that effective with universities and private companies being hacked on a regular basis. The problem is so bad banks are considering moving to fingerprints to replace PIN and password logins.

Even if passwords are going to become irrelevant as we move to biometric logins like fingerprints and iris scans, they aren’t going away quickly, so how do we protect our important online accounts?

Use different passwords

One of the key ways to protect yourself is not to use the same passwords for every site. Some critical sites, like your online banking and email, need protecting with strong passwords while others like social media sites don’t require such tough security.

As we’ve seen with various security breaches, most notably the continual Sony hacks of 2011 and the deeply embarrassing Stratfor leaks, even the strongest passwords are useless if some dill leaves them on an unprotected server.

Use strong passwords

For the sites that matter, make sure the passwords are strong. You’ll find how to make memorable, easy to use and strong passwords on the Netsmarts site.

You don’t need to use strong passwords on every site; for some websites that require registration simply to access their content, you might want to fall back on the much maligned ‘password’ or ‘12345’ for those publications.

Change default passwords

Most of the hacks on university and corporate networks happen because the default passwords on servers aren’t changed. This was also how News International workers broke into British mobile phone message banks. When you get a new phone or tablet computer, make sure you change the basic passwords that have come with the device and any associated service.

Update your systems

One of the biggest vulnerabilities for home and business computer systems is unpatched systems. Malicious websites, viruses and various tricks use known weaknesses in computer systems to bypass security measures. This applies to Apple Mac users as well.

Consider two factor authentication

Two factor authentication involves having a second layer of security: this could be a password linked to an SMS code or a special one-off code. Services like Gmail offer this, as do many corporate networks and banks.

Be careful linking social media services

A bigger risk than hackers is phishing where someone tricks you into giving away your password. This has become very common in hijacking social media accounts.

If you’ve linked various social media services together then one being compromised can mean bad guys have access to all of your accounts, so be cautious about what applications you allow to connect with your Facebook page or Twitter account.

For businesses

Cyber security is critical for business; it’s been estimated that one in six companies that have been compromised will fail as a result of the breach, and a credit card lapse can be expensive as well as embarrassing.

The Australian government’s Defence Signals Directorate has an excellent guide to securing computer networks. The DSD’s research shows that just following four basic rules will prevent 85% of attacks.

We should also keep in mind that no security system is perfect. Just as your car doors or home can be broken into by a determined thief, the same is true of computer networks: a skilled operator with enough time and resources can beat even the toughest cyber security regime.

Similar posts:

Strategic lessons from a security breach

What businesses can learn from Stratfor’s data lapse

2011 has been the year of the IT security breach. Big and small organisations around the world ranging from major corporations like Sony through to smaller businesses such as security analysts Stratfor found their customer data released onto the web.

The frustrating thing is that most of these breaches are avoidable, and “hacking” often gives too much credit to the security used by the targeted companies.

While the ‘hackers’ themselves may be skilled, the compromised organisations are often easy targets as they don’t follow the basic rules of protecting their data.

Standards matter

Customer payment account details are covered by the Payment Card Industry Data Security Standard (PCI-DSS) operated by the PCI Security Standards Council.

The PCI Security Standards Council helpfully has a range of information sheets for merchants of all sizes and if you are taking payments off the web you should make yourself aware of the basic requirements.

For most businesses, the cardinal rule is not to save customers’ card details. Once the payment is approved, you have no business retaining the client’s credit card or bank account numbers.

In Stratfor’s case, they were almost certainly processing payments manually and credit card details were being saved on customers’ records in case of errors or to make renewals easier.

Call in the professionals

There’s no shortage of payment companies, ranging from PayPal through specialist services like eWay to your own bank’s services. Choose the one that works best for you. If you have no idea, call in someone who does.

One of the arguments for using outsourced services, particularly cloud computing, is that data security is a complex field that requires professional and qualified expertise. The internal systems of Sony, Telstra and Stratfor were not up to the demands placed upon them. A professional service is better equipped to deal with these issues.

Size doesn’t matter

A major lesson from the last year’s security breaches is that it’s not just the local shop or garage e-commerce business that is careless with data. Some of the world’s biggest companies and government agencies have been compromised.

If anything, Sony’s experience has shown the double standards at work in the application of security rules; there’s no doubt that had a local computer shop been as thoroughly compromised as Sony were, they would have been shut down on the second breach and the management would have been carted off to jail well before the twelfth.

For the management of Sony, there seems to have been little in the way of sanctions against the people nominally responsible for this incompetence. This has to change both within organisations and among those charged with enforcing the rules.

The lesson for customers is you can’t trust anyone with your data; don’t assume the big corporation is any more secure than the serving staff at your local sandwich shop.

Passwords matter

Every time one of these breaches happens we hear about password security, with “experts” pointing out that some of the subscribers were using passwords like ‘statfor’ or ‘password’.

For customers, this actually makes sense: if you can’t trust third parties with your details, specific, disposable passwords for each site should be used. There’s little point in having a complex password if some script kiddie is going to post your login details onto 4Chan.

Naturally your passwords for banking and other critical websites should be very different and far more secure than those you use for sites like Stratfor and the Sony Playstation Network.

Will 2012 be any different?

Given the data embarrassments of 2012 for businesses and government agencies, can we expect lessons to be learned in 2012?

While many businesses are going to learn specific lessons from these breaches, there’s a management cultural problem where any spending on information systems is seen as a cost that has to be minimised.

This cost cutting mentality lies at the core of many organisations’ failure to secure their systems properly, and until a more responsible culture develops we’ll continue to see these lapses.

Good managers and business owners who understand the importance of guarding their organisation’s and customers’ data are those who are ahead of their competition. Over time, these are the folk who will have the competitive advantage.

For customers, the sad lesson is we can’t trust anyone and a layered approach to security along with keeping a close eye on our bank accounts and credit card statements is necessary.
