Passwords

by Liam McNaughton

Yes, they’re a pain aren’t they? Everyone hates them. Use them once, forget them, and when you need them again – an hour of pain and frustration getting it sorted out.

I’ve got into the habit over the years of adding my various accounts and passwords to a database in an application called Roboform; this works with all the major browsers (Internet Explorer, Firefox, Chrome) and also desktop applications. It synchronises the accounts across all your browsers, and even across all your devices – so whether I am on my PC at work, a laptop, a Mac at home, or even my phone, I can access my various home and work suppliers and online accounts without too much trouble. There is one master password to remember which you supply each session, so it’s pretty safe, and Roboform claim that the database is so secure even they can’t access it. But I assume GCHQ and the CIA can. So a big-up to Roboform, and thanks to one of my customers, Alan Matchett at IPSL UK, for introducing me to it.

Passwords, they’re a pain. But until there’s some kind of bio-recognition built into website and application forms (which seems some way off) they are a necessary evil. For dental practices, and other businesses, various regulations and standards apply here: not least, the Data Protection Act, which requires that you make reasonable efforts to keep data safe, and for dental practices in particular the various myriad IG (Information Governance) stipulations and references.

(Image: password strength meter)

Each person on the IT network should have their own username and password. Generic usernames (like “office”, “reception”) should be avoided if at all possible. I understand that this may be more convenient, but this is not proper security and there is no audit trail. Let’s have proper IT disciplines please, this isn’t a home setup. The only exception to this would be a machine (such as an x-ray acquisition PC) that is absolutely only used for one function and will never store different configurations/data for different users – in this case one logon makes sense.

Passwords should be reasonably strong, and they should be changed from time to time. Most networks enforce some kind of “password complexity” requirements that specify, for example, that there must be at least one number or symbol, that the password must be of a certain minimum length, that it must not include a common word, and the like. This is because password-cracking tools (of which there are many) take far longer to break or guess a password that mixes upper and lower case and symbols than one without them, simply because there are many more combinations to try.

I am mindful, however, that you should not make your password policies too harsh – for the simple reason that, the harder you make them, paradoxically you may end up making the network less secure. This is because if people really struggle to remember the latest password, they will end up writing them down, or leaving them on post-it notes, which may leave the network more exposed than before.

Another consideration is whether the business owner/manager should know what the passwords for each member of staff are. This is difficult and complex to manage, and most businesses do not operate like this, although I can understand the motives of managers who prefer this setup; they may want to access the account of that member of staff, and indeed as the employer/business owner they are quite entitled (in my view) to do so if they need to. Passwords could always be reset by the network administrator, however. Personally I wouldn’t operate like this, for various management reasons, but each to their own.

So if we have to live with passwords, how can we live with them in peace without too much frustration?

In the absence of a password manager tool (like Roboform mentioned above) a good strategy for creating passwords that are both memorable AND secure is to use the first letters of a phrase that means something to you, but is also a bit random. For example: “This year my radishes were the best!” creating password: Tymrwtb! (Yes, with the exclamation mark). This is a very strong password, is probably compliant with password complexity requirements, and should be pretty easy to remember.
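As an added example (not code from the article), the snippet below builds an acrostic password from a phrase in exactly the way described, checks it against a typical complexity policy of the kind mentioned earlier, and estimates the brute-force search space a cracking tool would face, which is what the point about mixed case and symbols comes down to. The policy rules and the small list of common words are assumptions for illustration.

```python
import math
import re
import string

# Added example: acrostic passwords, a simple complexity policy and a
# search-space estimate. Policy thresholds and COMMON_WORDS are assumed.

CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}
COMMON_WORDS = {"password", "dental", "practice", "welcome", "letmein", "qwerty"}


def acrostic(phrase: str) -> str:
    """First letter of each word, keeping punctuation glued to the word's end."""
    letters = []
    for word in phrase.split():
        m = re.match(r"(\w)\w*(\W*)$", word)  # "best!" -> "b" + "!"
        letters.append(m.group(1) + m.group(2) if m else word[0])
    return "".join(letters)


def present_classes(pw: str) -> set:
    """Which character classes appear in the password."""
    return {name for name, (chars, _) in CLASSES.items() if any(c in chars for c in pw)}


def check_policy(pw: str, min_len: int = 8) -> list:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    classes = present_classes(pw)
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if "lower" not in classes or "upper" not in classes:
        failures.append("needs both upper and lower case")
    if not classes & {"digit", "symbol"}:
        failures.append("needs at least one number or symbol")
    if any(w in pw.lower() for w in COMMON_WORDS):
        failures.append("contains a common word")
    return failures


def search_space_bits(pw: str) -> float:
    """log2 of the combinations an attacker must try knowing only length and classes."""
    alphabet = sum(CLASSES[name][1] for name in present_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    pw = acrostic("This year my radishes were the best!")
    print(pw, check_policy(pw) or "passes policy", f"{search_space_bits(pw):.1f} bits")
    print("radishes", check_policy("radishes"), f"{search_space_bits('radishes'):.1f} bits")
```

The same eight characters in lower case only give roughly 38 bits of search space against about 51 for Tymrwtb!, which is why the policy insists on mixed classes.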

Having a strong password is absolutely essential for security. Having a weak password is akin to those locks on bags and suitcases with the tiny flimsy keys with next to no pattern on them. You know they are for casual deterrence only, and that they wouldn’t stop anyone armed with even a small screwdriver for longer than a few seconds. So it is with weak passwords.

We all know we shouldn’t have the same passwords for everything, although if your password is fairly strong it won’t be guessed, and it would be fairly safe to have similar passwords (with subtle changes to the theme) for different accounts. You will, for example, want to have a separate password for your bank, but perhaps the same or similar passwords for your Amazon and Hotmail accounts is not a big deal, if those passwords are secure. The reason for this is that, assuming the back-end systems are not really insecure and badly designed (as they won’t be at Amazon and Hotmail), the password will not be stored anywhere in plain text form; it will be stored as a hash (often loosely called “encrypted”), which is the result of a one-way algorithm applied to the plain text password you supply. In other words, Amazon or Hotmail (or more importantly anyone attempting to access your account) also don’t have a clue what your password is and wouldn’t be able to determine what it was even with access to the hashed password.
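To show what “one-way” storage means in practice, here is an added example (not the article’s code, and not how Amazon or Hotmail actually do it): a site keeps a salted PBKDF2 hash of the password and can verify a login by re-deriving it, yet the stored record never contains the password itself. The iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os

# Added example: storing and verifying a password as a salted one-way hash.
# PBKDF2-HMAC-SHA256 stands in for a real site's scheme; ITERATIONS is assumed.

ITERATIONS = 200_000


def store_password(password: str) -> str:
    """Return the record a site keeps: algorithm, iterations, per-user salt, digest."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the supplied password and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_different_sites(password: str) -> bool:
    """Two independent sites storing the same password keep unrelated records,
    so a record leaked from one says nothing directly about the other."""
    a, b = store_password(password), store_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    record = store_password("Tymrwtb!")
    print(record)
    print("login ok:", verify_password("Tymrwtb!", record))
    print("wrong password:", verify_password("tymrwtb!", record))
```

The one-way property only protects a password that is hard to guess: anyone holding the record can test candidate passwords against it offline, which is why the strength advice above matters even on a well-run site.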

The worst possible scenario is to use the same weak, guessable password for multiple accounts – if someone hacked your Hotmail account, you may have references in your email to your other online accounts, and your whole online presence and accounts could be seriously and dangerously compromised very quickly. I would also recommend not using the same, or similar, passwords for accounts with smaller companies or less well known websites; not only do you not know how well they will be handling your password security, you don’t know how secure their website and systems are.

Finally, a word of warning. Please don’t assume that if your online accounts, or your work network have not been compromised so far, that they are not under attack – in fact they probably are. I hear regularly of online accounts that have been hacked, and we see the logs on firewalls that show that networks are being probed and attacked on a daily basis. Whilst you may not consider yourself much of a target, and indeed your Yahoo email may not be of much interest to anyone but you – hackers will still want to gain access to it, in order to spam all your contacts and to use your email address as the source of the spam. And you may think no-one would want to get onto your relatively small network, but they do: if you have a modern IP or hybrid phone system, they could use your network and phones to call premium rate numbers, or they can use your network/server as a platform from which to launch other attacks.

Hackers like to accumulate many small, compromised sites, so that, when they are ready, they can launch one large attack from many sources (called a DDoS – a distributed denial of service).

In summary, a decent username and password combination is by far your best defence against even the most determined hackers.
