Tuesday, September 23, 2014

Passwords: Not Too Short, Not Too Long

I used to work with a guy who had a password that was over 32 characters long.  I know this because he ranted to me that our enterprise policy only allowed a 32-character password and he didn't feel he should have to shorten his password due to a bad policy.  Is a long password actually more secure?  I don't think so, especially for the average employee.

My experience as a computer support technician is that the average employee will write down any password that he or she thinks is too complex.  The Open Web Application Security Project recommends a maximum password length, stating "The longer the password, the more likely people are to enter them incorrectly for your system."  So a longer password can end up being the greater security threat: it gets written down, or it interrupts work because it has to be reset.

So is a "short" password insecure?  Brien Posey in a recent blog post first tested a dictionary-based crack, then a brute-force approach to cracking an 8-character password on a zip file on his personal computer.  He used the standard rules of a mix of upper and lower case letters, special characters and numbers.  While he was waiting for the software running on multiple servers to recover his password, he did the math on the total number of possible combinations - 669 quadrillion possible combinations.  At that point he abandoned the quest to break the password.

Creating a secure password doesn't have to be difficult.  The process I recommend is to use a line from a song or poem or favorite saying.  Take the first letter of each word and mix it up with a special character or number in place of some of the letters.  For example:

"I need to get into this file and edit something" becomes In2gitf&es

It's easy to remember, complex, not guessable and not a dictionary word, and it's easy to come up with a new one when this one expires in 90 days or so.

"Oh say can you see by the dawn's early light" becomes 0scysbtde1
(the O becomes a zero and the l switches to a one)

This will work as long as you don't whistle the tune every time you log in!
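The process above can be written down as a small program, which makes it easy to check that a phrase really produces the password you expect and to see how large the brute-force search space of the result is.  This is an added example, not code from the original post.  The word-level table ("to" becomes 2, "and" becomes &) and the character-level table (O becomes 0, l becomes 1) are constructed from the two examples in the post; the alphabet sizes used to estimate the search space (26 lower, 26 upper, 10 digits, 32 symbols) are the conventional assumption behind the kind of calculation Posey did, not figures from the post.

```python
import math
import string

# Substitution tables constructed from the post's two examples.
# Whole words that have a symbol or digit stand-in:
WORD_SUBS = {"to": "2", "and": "&"}
# Individual letters swapped for look-alike digits:
CHAR_SUBS = {"O": "0", "l": "1"}


def mnemonic(phrase, word_subs=WORD_SUBS, char_subs=CHAR_SUBS):
    """Build a password from a memorable phrase the way the post describes:
    take the first letter of each word, replace whole words that have a
    symbol/digit stand-in, then swap individual letters for look-alikes."""
    pieces = []
    for word in phrase.split():
        key = word.strip(string.punctuation)   # ignore commas, quotes, etc.
        if not key:
            continue
        if key.lower() in word_subs:
            pieces.append(word_subs[key.lower()])
        else:
            pieces.append(key[0])
    raw = "".join(pieces)
    return "".join(char_subs.get(c, c) for c in raw)


def charset_size(password):
    """Size of the smallest standard alphabet (lower, upper, digits, symbols)
    that covers every character in the password.  An attacker who knows only
    which character classes are in use must search this whole alphabet.
    The class sizes are an assumption, not figures from the post."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)        # 32 printable ASCII symbols
    return size


def brute_force_space(password):
    """Worst-case number of candidates a brute-force attacker must try:
    alphabet size raised to the password length."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """The same search space expressed in bits, which is how password
    strength is usually compared."""
    return math.log2(brute_force_space(password))


def within_policy(password, min_len=8, max_len=32):
    """The 'not too short, not too long' check: the post's 8-character
    lower bound and 32-character enterprise maximum (constructed defaults)."""
    return min_len <= len(password) <= max_len


if __name__ == "__main__":
    for phrase in ("I need to get into this file and edit something",
                   "Oh say can you see by the dawn's early light"):
        pw = mnemonic(phrase)
        print(f"{phrase!r} -> {pw}")
        print(f"  alphabet {charset_size(pw)}, "
              f"{brute_force_space(pw):,} candidates, "
              f"{entropy_bits(pw):.1f} bits, "
              f"policy ok: {within_policy(pw)}")
```

Running it reproduces both passwords from the post.  The anthem line yields a 10-character password over lowercase letters and digits (an alphabet of 36, roughly 51.7 bits), while the first phrase mixes all four classes (an alphabet of 94, roughly 65.5 bits), which is why the post's advice is to work a symbol or a capital into the result rather than rely on length alone.  Both figures are worst cases for an attacker who knows nothing about how the password was built; they are the same kind of calculation Posey used to decide the brute-force run was not worth finishing.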



Posey, B. (2013, August 14). How important is Password Complexity? [Web log post]. Retrieved from Redmond Magazine website: http://redmondmag.com/articles/2013/08/14/password-complexity.aspx

Open Web Application Security Project (OWASP) (2014, September 23). Password Length and Complexity. Retrieved from OWASP Website: https://owasp.org/index.php/Password_length_%26_complexity

Wednesday, September 17, 2014

I'm Solidly on the Side of Security on This One...


WikiLeaks, the organization that has published classified information in the interest of openness, has gone too far this time.  On September 15th, WikiLeaks founder Julian Assange posted "weaponized malware" on his website, including the password, because "Better scrutiny leads to reduced corruption and stronger democracies in all society’s institutions, including government, corporations and other organisations".  This software is designed for spying and hides itself from antivirus software.  There are versions that work on every major operating system, including all common mobile versions.  His specific reason for releasing the software is so that security and privacy researchers can develop better detection techniques.  Is this guy serious?

David Gewirtz, a blogger for ZDNet, says this is the equivalent of handing out vials of the Ebola virus at the local mall so an antidote can be developed by biotech companies.  I agree with Gewirtz.  The world became less safe today.

Assange, Edward Snowden and others like them see themselves as heroes, protecting the world by disclosing secrets.  While there is value in doing so, it should be done responsibly.  Assange could've given the software to security companies and publicized that he had done so, and achieved his goal of helping to develop better detection.  Now he's made it available to every script kiddie, mobster and corrupt government in the world.  Many will use it before there's a fix for it.  They may see themselves as making the world a better place, but in reality they took more of our freedom away and gave it to cybercriminals worldwide.



WikiLeaks. (2014). About. https://wikileaks.org/About.html

Gewirtz, D. (2014, September 16). WikiLeaks posts 'weaponized malware' for all to download. [Web log post]. Retrieved from ZDNet website: http://www.zdnet.com/astonishingly-irresponsible-wikileaks-posts-weaponized-malware-for-all-to-download-7000033716.


Monday, September 8, 2014

Balancing Privacy and National Security

Hillary Clinton recently spoke at a tech meeting in San Francisco.  When I read the blog post summarizing her speech, she expressed some opinions about the tension between the NSA's attempts to protect us from terrorist threats and the right to privacy.  Should our government collect data on everyone in order to potentially track down terrorist threats?  How much is too much?

I wish I could say I've formed strong opinions about how much data the government (and private companies like Google and Amazon) should be allowed to keep.  We live in a world where technology has developed faster than our ability to understand the underlying implications of many conveniences.  Just owning a cell phone means giving up a significant amount of privacy. Enabling all the cool functionality takes all of it away.  Google keeps the history of your movements if you have an Android phone and turn the GPS on.  While that's kinda creepy, it sure is cool to have a personal GPS device with you at all times.  Mine has gotten me "unlost" too many times to count.

So I choose to keep my Android phone.  I keep my GPS and other widgets turned off most of the time.  I'm not a terrorist and I doubt the government will ever think I am.  I choose not to engage in illegal activities, so I don't worry about surveillance cameras watching me when I'm in public places.  I keep stuff in the cloud, but I do so carefully.  I'm careful what I post on Facebook.

I get a sense of security knowing the government has facial recognition software.  I don't mind them logging my cell phone calls.  I save time by not getting lost as often as I used to and I appreciate Amazon's suggestions for cool stuff I should buy.  I'll take the good with the bad.



King, R. (2014, August 8). Hillary Clinton talks NSA and privacy, data security, tech jobs in San Francisco [Web log post]. Retrieved from ZDNet website: http://www.zdnet.com/hillary-clinton-talks-nsa-and-privacy-data-security-tech-jobs-in-san-francisco-7000033094/

Leonhard, W. (2014, September 4). Why the U.S. needs better privacy laws, now! Windows Secrets, 447. Retrieved from http://windowssecrets.com/newsletter/why-the-u-s-needs-better-privacy-laws-now/

Monday, September 1, 2014

Do Ethical Hackers make for better security?

I was recently listening to my favorite news station on the radio, NPR's Morning Edition.  During the weekly All Tech Considered segment they had an article called "When Hackers Test For Flaws, They Might Earn Cash — Or Threats."  It caused me to wonder if people trained in hacking skills are better at security.  Obviously, they do find security weaknesses using the same techniques the "bad guys" use.  If they pass their findings on to the companies that sell the insecure products, they're providing a valuable service.  But, as the title suggests, they aren't always appreciated.

These hackers have training that allows them to find these exploits, and there's no question they're smart.  Finding and fixing these flaws makes all of us more secure.  Since I'm pursuing my MS in Cybersecurity, would it make sense to also learn how to "hack," or will my employer feel threatened if I do so?

I guess I would say it takes both kinds of security professionals.  Whether they work together or apart on the same problem, I expect the end result will be better security.