
Passwords: why use them?

posted Apr 29, 2013, 7:53 AM by Jason Tozer   [ updated Apr 18, 2017, 6:30 AM by Bob Bradford ]
In this installment, I want to discuss passwords and password protection.  In previous discussions, we have looked at the C-I-A triad, phishing, spyware, your PII, and protecting the PII of students.  Now, what do we do to secure that information and prevent compromise?  Passwords are the keys to information access and function like the keys to your home, office, or vehicle: having the correct key gives access to your home, office, or vehicle.  If you use an ATM or debit card, pay bills online, or use online banking, you are already familiar with passwords or PINs.  Passwords, PINs, and keys all have a common thread: they allow authenticated access. 

Information security utilizes three concepts to control access to computer and network systems.  These are designed to restrict user access based on needs and authorization.  In information security, we refer to this concept as AAA:  Access Control, Authentication, and Auditing.  Passwords fall under the Authentication category of AAA.  Password protecting computer systems and data prevents unauthorized access.  Password protection ensures C-I-A is maintained and protects assets and information.  Weak passwords or the sharing of passwords puts those assets or information at risk for compromise.  Your password identifies you to the computer or network.  However, information systems are not smart enough to realize that it may not be you that is actually typing in the password.  Weak passwords, passwords that are written down, or passwords that have been shared cannot be considered valid authentication.  Once someone has your password, they can become you as far as a computer or network is concerned.  Do you loan out the keys to your vehicle to anyone you meet on the street?

I suggest creating a password of at least 8 characters using letters (upper and lower case), numbers, and special characters.  Using 8 characters drawn from upper case, lower case, numbers, and special characters provides 7.2 quadrillion possible combinations and would take 83.5 days to crack using today's supercomputers.  Use a phrase or an event that occurred in your life and make it into a passphrase.  Passphrases are easy to remember.  For example, "I went canoeing on Lake Superior in June 1981," could be the root phrase and serve as the mnemonic.  Taking just the first letter of each word, before the date, creates IwcoLSi.  Adding ^81 or 81#6 or @681 adds complexity and brings the length over eight characters.   Make the passphrase identifier unique to you, but not easily identifiable.

Ensure you have different passwords for your various accounts.  Can't remember that many passwords?  Use the same strong passphrase as a base and add an identifier.  For example, you sign up for a Facebook account this month and need a password.  Based on our example it might be IwcoLSi^81#6FB0511.  Breaking this apart, the passphrase is the same (IwcoLSi^81#6) with FB (Facebook), 05 (May), and 11 (2011) added to the end.  You could also add the FB0511 in the middle or at the beginning.  Running IwcoLSi^81#6 through Kaspersky Labs' password checker results in a strong password; try running your password through Microsoft's password checker.  Be wary of running your password through any other online password tester, as you cannot rely on the integrity of the website: that site might be collecting passwords to add to password-cracking dictionaries.
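The passphrase-to-password steps above (initials of the phrase, a complexity suffix, an account tag) and the "at least 8 characters from all four classes" rule can be checked offline, so you never have to paste a password into an unknown website. The following is an added example, not code from the original post; the 1e9 guesses-per-second rate and the 32-symbol special-character set are assumptions chosen for illustration.

```python
import string

# Month names mark the start of the date, matching the post's example where
# "June 1981" is dropped from the mnemonic initials (assumption: a phrase
# containing a bare month name as an ordinary word would be cut short).
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}

def passphrase_root(phrase: str) -> str:
    """First letter of each word up to the date:
    'I went canoeing on Lake Superior in June 1981,' -> 'IwcoLSi'."""
    initials = []
    for word in phrase.replace(",", " ").split():
        if word.lower() in MONTHS or word.isdigit():
            break
        initials.append(word[0])
    return "".join(initials)

def character_classes(password: str) -> dict:
    """Which of the four classes from the post's 'Do' list are present."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }

def meets_policy(password: str) -> bool:
    """At least 8 characters, drawing on all four character classes."""
    return len(password) >= 8 and all(character_classes(password).values())

# Alphabet size each class contributes when present (ASCII; 32 specials).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "special": len(string.punctuation)}

def keyspace(password: str) -> int:
    """Brute-force search space: alphabet ** length, where the alphabet is
    the union of the classes the password actually uses."""
    used = character_classes(password)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if used[name])
    return alphabet ** len(password)

def days_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case days to try every combination at an assumed guess rate
    (1e9/s is a constructed figure, not a measurement)."""
    return keyspace(password) / guesses_per_second / 86400

if __name__ == "__main__":
    root = passphrase_root("I went canoeing on Lake Superior in June 1981,")
    for candidate in (root, root + "^81#6", root + "^81#6" + "FB0511"):
        print(f"{candidate:20} policy={meets_policy(candidate)} "
              f"keyspace~2^{keyspace(candidate).bit_length() - 1} "
              f"days={days_to_exhaust(candidate):.1f}")
```

The seven-letter root alone fails the policy and has a far smaller search space than the same root with the ^81#6 suffix, which is the point of the added characters.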

Do's and Don'ts

Don'ts:
1. Don't use passwords that are easy to guess.  Birthdays, pet names, and family member names are considered weak passwords.
2. Don't write down your password.  If you must write down a password, protect that information.  Don't write it on the top case of your laptop.  Don't write it on a sticky note and place it on your monitor or under your keyboard.
3. Don't share your password.  
4. Don't use the same password for everything.

Do's:
1. Do create a strong password using a passphrase.  Use at least 8 characters with uppercase, lowercase, numbers, and special characters.
2. Do protect your password as you would your keys.
3. Do change your password at least 4 times a year.
4. Do change the default password you are given.
5. Do use multiple passwords.  

Resources:
(Neither site tests the strength of a password).

http://www.lockdown.co.uk/?pg=combi - How long to crack a password.
http://blogs.sans.org/windows-security/2009/06/12/how-long-to-crack-a-password-spreadsheet/ - How long to crack a password. Heavy on the geek speak, though.