Post by Admin on Mar 5, 2015 8:55:32 GMT -9
WHAT'S YOUR PA$$WORD? SECURE YOUR ORGANIZATION BY SECURING YOUR ACCOUNTS
Posted by Lesley Carhart in Fresh Ideas in Public Safety on Aug 29, 2013 4:47:26 PM
There was a time in the not-so-distant past when personal and work lives were two separate things. A person worked at the office, went home, and usually had little to do with his or her employer until the next day. Since the advent of the home computer, the mobile phone, then telecommuting and social media, these lines have blurred. For better or for worse, our personal lives creep into our work, and we're often working during our "off" hours. What many people don't consider is the unprecedented security risk this poses to our employers. Our personal choices can impact the security of our organizations, and making the right choices can help deter attempts at theft and damage. With this series of blogs, we dig into current threats to cybersecurity for everyone — and for organizations.
The topic of password security has been spoken about continually for the past two decades. However, passwords continue to be a problem for almost every organization, and "password" and "qwerty" are still among the most common passwords in the world. Let's go through seven basic facts about authentication and see if your accounts are as secure as they should be.
Everybody should know the basics of how passwords are cracked. For your security, most passwords are not stored or transmitted as-is but as a hash: a one-way transformation that cannot simply be reversed to get the password back. There are two ways a hacker can recover, or "crack", your password from its hash. The first is "brute force". This requires generating every possible combination of letters, numbers, and symbols, hashing each one the same way, and checking whether the result matches your stored hash. For longer passwords, this can be very time consuming. The faster option is a "dictionary" attack, which means checking the stored hash against the hashes of a large dictionary of known words or names. So, passwords that are words are generally significantly easier to crack than random strings or phrases.
We've all been trained to think about password creation wrong. Years of password instructions have made us think of passwords in a faulty way. We've been brainwashed into creating one- or two-word passwords containing a number and some punctuation, like ‘P@55w0rd!'. Oddly, in most cases there is no longer anything that limits us to a single word. Most modern software allows for very long passwords, and it's more secure to use a passphrase, or a short sentence. A sentence is easy to remember, contains spaces and some punctuation, and can easily contain a number if required. I can't demonstrate this more succinctly than xkcd.com:
Hackers know all of your password tricks. Password-cracking software has evolved to the point where it can automatically check for words in which letters have been replaced by numbers or symbols. Numbers and punctuation at the end can be stripped or appended automatically as well (forget adding the month or year). Checking all these possibilities may take longer, but today the difference is seconds or minutes, not hours or days. See if you can find any of your ‘tricks' in the built-in options in the password cracking software Cain:
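To make the two preceding points concrete, here is a small added example (written for this page, not code from the original post or from any cracking tool) of a dictionary attack with the kind of mangling rules described above: capitalisation, letter-to-symbol swaps, and common suffixes. The wordlist, the three accounts and their hashes are constructed for the demonstration; the "database" stores unsalted SHA-256 digests, which is still common in weak systems. Note that ‘P@55w0rd!' looks like a 9-character mixed password with a brute-force space of 95^9, yet it falls in well under two thousand rule-based guesses, while the four-word passphrase survives.

```python
import hashlib
import itertools

# Constructed wordlist: a real attacker uses millions of leaked passwords.
WORDLIST = ["letmein", "password", "qwerty", "summer", "dragon", "welcome"]

# Common letter -> symbol swaps ("leet") that cracking rules try automatically.
SUBS = {"a": ["@", "4"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "s": ["5", "$"]}

# Suffixes people bolt on to satisfy complexity rules; a year is just another suffix.
SUFFIXES = ["", "1", "123", "!", "!1", "2013"]


def sha256_hex(text: str) -> str:
    """Hash a candidate the same way the (constructed) system stores passwords."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word: str):
    """Yield the word with every combination of the swaps in SUBS applied."""
    options = [[c] + SUBS.get(c.lower(), []) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word: str):
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(wordlist):
    """Dictionary attack with mangling rules: case, leet swaps, then suffixes."""
    for word in wordlist:
        for cased in case_variants(word):
            for leet in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield leet + suffix


def crack(stored_hashes, wordlist):
    """Return ({hash: plaintext} for every hash matched, number of guesses made)."""
    targets = set(stored_hashes)
    found = {}
    tried = 0
    for cand in candidates(wordlist):
        tried += 1
        digest = sha256_hex(cand)
        if digest in targets:
            found[digest] = cand
            targets.discard(digest)
            if not targets:
                break
    return found, tried


def brute_force_guesses(charset_size: int, max_length: int) -> int:
    """Size of the search space for exhaustive search up to max_length characters."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


# Constructed sample accounts: username -> stored hash of the password.
ACCOUNTS = {
    "alice": sha256_hex("P@55w0rd!"),                    # "password" + leet + "!"
    "bob": sha256_hex("Qwerty123"),                      # capitalised word + "123"
    "carol": sha256_hex("correct horse battery staple"),  # random four-word passphrase
}


def crack_accounts(accounts, wordlist):
    """Map cracked usernames to their recovered passwords."""
    by_hash = {h: user for user, h in accounts.items()}
    found, tried = crack(by_hash.keys(), wordlist)
    return {by_hash[h]: pw for h, pw in found.items()}, tried


if __name__ == "__main__":
    cracked, tried = crack_accounts(ACCOUNTS, WORDLIST)
    print(f"{tried} rule-based guesses cracked: {cracked}")
    print(f"brute force up to 9 printable chars: {brute_force_guesses(95, 9):.2e} guesses")
```

Running it shows alice and bob cracked after a few hundred guesses each and carol untouched: the passphrase is not in the wordlist and no rule turns a dictionary word into four words, so the attacker is pushed back to brute force over a space far larger than 95^9. The point is not the hash function but the shape of the password: rules make "clever" single words cheap to guess, and a salted, slow hash (bcrypt, scrypt, Argon2) on the server side only multiplies the cost per guess, it does not rescue a word-based password.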
Hackers love it when you reuse your passwords. Nothing will make Jane Hacker happier than cracking the password to your home PC, then finding it opens your Twitter account and your work email, too. I'm not naïve enough to expect everyone to memorize long, complicated passwords. If you're having trouble, use a reputable password manager, like KeePass or LastPass, which can generate strong passwords and store them securely for your use.
Hackers also love it when you don't change your passwords. There are endless ways that your passwords could be stolen, both within and outside of your control. Presume that at some point, your passwords will be intercepted or stolen from a third party. It does take time for thieves to crack large numbers of passwords when they are stolen in bulk, or to sell them on the black market. The bottom line is: changing your passwords on a regular basis is a really simple thing that you can do to help protect yourself.
The password really is dead. Michael Barrett of PayPal stated fittingly this year, "Passwords, when used ubiquitously everywhere at Internet scale, are starting to fail us." More powerful computers, easy-to-use hacking tools, and shared resources have made it a trivial effort for anybody to crack passwords. Organizations and developers need to find new ways to authenticate users. Which leads us to…
Everybody should be using two-factor authentication. Most large social networking, financial, and email websites now support two-factor authentication. This means using a combination of something you know (such as your password or PIN) with something you have (a token, mobile phone, or smart card) or something you are (a fingerprint) to authenticate you. Checking a text message on your mobile phone to log into Gmail provides a drastic increase in your security in exchange for a small inconvenience.
Over the next decade, it is very likely we will see more methods of authenticating users without passwords. Organizations are moving in the right direction. The Bank of Utah is monitoring the way users type, while Motorola Mobility has gone so far as to imagine a world where we take pills or use tattoos to log into computers. Unfortunately, it is also likely we will still see passwords in use at work and at home for many years to come. Good password practices and awareness can help decrease the risk associated with them.