The Lowdown

17th January '18

cybersecurity passwords security

Effective Password Management – How Should It Be Done?

If there’s one thing that I’m sure most people would say is a necessary inconvenience, it would be password management.

Since the dawn of computing, people have been using passwords to restrict access to their important systems. But as time passes by this basic security mechanism has become increasingly long in the tooth, and several recent high-profile exposés of its weaknesses have done it no favours. They’re so entrenched in everything that we do on our computers, they’re unlikely to go away.

So, what can be done?

Before we can go into that, we need to understand what’s wrong with them – or, more accurately, what is wrong with the way that passwords are used by most people:

Password re-use

We’d be willing to wager that anyone reading this article is, or has been, guilty of re-using the same password. We’ve certainly been guilty of this in the past. Many people have a “system” whereby they use a different password based on the perceived “value” of the resource to them. They may use a good, strong password for their banking services, but a weaker, easier to remember password for social media.

However, the truth is, that re-using the same password even once means that you may as well be handing out access to all of the accounts to a determined hacker. That password may have already been compromised, even if you’ve not been hacked. If any website with that password combination has been breached, those credentials are available to anyone who knows where to look. Sophisticated “botnets” continually crawl other websites attempting to login with stolen details, which is a worrying thought.

You can check if your email address or login username has been compromised in any public data breaches at Troy Hunt’s excellent website. Most people will almost certainly be listed in this database at least once!

Weak passwords

There are a lot of misconceptions surrounding password strength. Often you’ll see advice saying that you should use uppercase letters, lowercase letters, symbols and numbers all in the same password. There is some truth to this, but the key element to a strong password is simple – length.

The longer a password is, the harder it is for computers to crack it. Even a simple phrase made up of a few unrelated words can be a strong password (the classic example used everywhere for this is “correct horse battery staple”). If you are going to use a passphrase like this, it is best to change things up a little with uppercase letters, symbols and numbers, as this can help prevent “dictionary attacks”, where hackers try millions of combinations of dictionary words to find a match.

We always recommend to our clients that a password should be at least 12 characters long. We use 16 characters as a base. That said, if your chosen password appears on this list of the top 1,000 passwords (and, according to that page, 91% of passwords found in data breaches do!) then you definitely need to pick another one.

I’m sure you’re now asking, “how am I supposed to remember a 16 character password?” – well, read on…

Poor password management

One of the reasons people re-use passwords so often is that no-one wants to remember a million different passwords for each of their accounts and services – and nor should you. Having to remember that many passwords is difficult for the vast majority, and leads to situations like that seen in the Operations Room at Hawaii’s Emergency Management Agency just yesterday. Hot on the heels of mistakenly sending an emergency broadcast to millions of Hawaii residents warning them of an impending nuclear strike, they were interviewed on TV. You can clearly see that they write their passwords on post-it notes and attach them to monitors in their office – something any IT professional is likely familiar with, and something that should absolutely not be allowed under any circumstances!

The answer to password management is to take the hassle away from you and use a dedicated password management tool.

Proper Password Management

The principle behind password managers is that you have one single password (called your Master Password) that you can remember. This should be very strong, as it is basically the key to your electronic front door. Gareth’s master password for his password management tool is nearly 30 characters long.

You then store all of your other passwords in the password manager. You use the tools it provides to automatically fill in login prompts on websites with the password that it has saved.

In an ideal scenario, all of the passwords in your password manager would then be completely random strings of characters. All password managers give you tools to generate secure passwords like this. It is a great way to ensure that none of your passwords are re-used. So, if one of them gets compromised, the damage is limited to just that account.
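The two points above – that length, not character mixing, is what makes a password expensive to guess, and that a password manager should fill every account with a random string – can be shown in a few lines. This is an added example, not code from the original post or from any of the password managers it names. The common-password denylist and the eight-word list are constructed stand-ins for the real “top 1,000” list and for a full passphrase word list; the 12- and 16-character limits are the ones the post recommends.

```python
import math
import secrets
import string

# Constructed denylist standing in for the published "top 1,000 passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "football", "iloveyou"}

# Constructed mini word list. A real passphrase generator would draw from a
# large published list (a diceware list has 7,776 words).
WORDLIST = ["correct", "horse", "battery", "staple", "ocean", "pillow", "granite", "velvet"]

MIN_LENGTH = 12    # the post's minimum
BASE_LENGTH = 16   # the post's recommended base length

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: every extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of words chosen at random from a list of the given size.

    Each extra word adds log2(list size) bits; substituting '@' for 'a' in an
    existing word adds at most one bit, which is why length beats symbol-mixing."""
    return word_count * math.log2(wordlist_size)


def guess_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time for an attacker to hit the password by brute force.

    An attacker needs, on average, half the keyspace; 1e10 guesses/s is an
    assumed figure for an offline attack on a fast hash, not a measured one."""
    return (2 ** bits) / guesses_per_second / 2


def check_policy(password: str, denylist=COMMON_PASSWORDS) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in denylist:
        problems.append("appears on the common-password list")
    return problems


def generate_password(length: int = BASE_LENGTH, alphabet: str = FULL_ALPHABET) -> str:
    """A random-string password of the kind a password manager stores for each site.

    `secrets` draws from the OS cryptographic RNG; `random` would not be suitable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int = 5, wordlist=WORDLIST, separator: str = "-") -> str:
    """A memorable passphrase for the one password you do have to remember (the master password)."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple", generate_password()]:
        verdict = check_policy(pw) or ["ok"]
        print(f"{pw!r:40} {', '.join(verdict)}")
    print("16 random chars from 94 symbols:", round(entropy_bits(94, 16), 1), "bits")
    print("5 diceware words:", round(passphrase_entropy_bits(5, 7776), 1), "bits")
    print("master passphrase:", generate_passphrase())
```

The entropy figures are the useful part: a 16-character random string from the full printable alphabet is about 105 bits, while five words from a 7,776-word list is about 64 bits and is far easier to remember, which is the trade-off behind keeping one strong memorable master passphrase and letting the manager generate everything else.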

There are many different password managers available – 1Password, LastPass and Dashlane are three popular online password managers, while KeePass is an open-source tool that lets you store your passwords on your own storage, e.g. in Dropbox.

What else can you do?

There are a number of other elements to account security that can help you keep your accounts safe. Probably the most commonly known is two-step authentication: after entering your password, you must also confirm the login with something you hold, such as a link sent to your email address or a code sent by text message to your phone.

Enabling two-step authentication on your accounts is a great option. It doesn’t protect against the service itself being breached, but should someone manage to log in to your account with the correct password, they can go no further unless they also have access to your email or phone. We always recommend enabling two-step authentication wherever possible.
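The “code that you must enter” step is worth seeing from the service’s side, because the details (a short validity window, constant-time comparison, and refusing a code that has already been used) are what make the second step worth having. This is an added example, not code from the original post; it goes beyond the email and SMS delivery the post describes and implements the time-based one-time password standard (RFC 6238) that authenticator apps use. The secret, the 8-digit length and the 30-second step are the RFC’s own test-vector parameters, so the output can be checked against the published values.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test-vector key (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, used_counters: set,
                step: int = 30, digits: int = 8, window: int = 1) -> bool:
    """Server-side check of a submitted code.

    - `window` allows one step of clock drift either side of the current time.
    - hmac.compare_digest avoids leaking which digits matched through timing.
    - `used_counters` (per user, persisted in a real system) rejects a replayed
      code that an attacker captured within its validity window."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    now_counter = int(at_time // step)
    for drift in range(-window, window + 1):
        counter = now_counter + drift
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            if counter in used_counters:
                return False
            used_counters.add(counter)
            return True
    return False


def replay_check(secret: bytes, at_time: float):
    """Submit the same valid code twice: the first is accepted, the second refused."""
    used = set()
    code = totp(secret, at_time)
    return verify_totp(secret, code, at_time, used), verify_totp(secret, code, at_time, used)


if __name__ == "__main__":
    # RFC 6238 test vector: T = 59 seconds -> 94287082 with SHA-1 and 8 digits.
    print("code at T=59:", totp(RFC_TEST_SECRET, 59))
    print("replay (first, second):", replay_check(RFC_TEST_SECRET, 59))
    print("code right now:", totp(RFC_TEST_SECRET, time.time()))
```

The same verification shape applies to an emailed or texted code: store the code (or its counter) with an expiry, compare in constant time, and mark it used on first success. Reusing `random` instead of HMAC over a shared secret, or comparing with `==`, are the two mistakes most often found in home-grown implementations.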

What does the future hold?

Passwords have been around for a long time. As much as we’d like to see them go the way of the dinosaurs, it seems unlikely to happen soon. In an ideal world, passwordless authentication would be the default method. For example, you would log in with an email address and the service provider would send an email to you. Technically speaking, this is arguably less secure than using passwords. But until the vast majority of users stop using (and re-using!) weak passwords, it’s a better option.

Biometric security systems such as fingerprint scanners, face scanners and retinal scans are becoming popular. These have their own drawbacks. Apple’s FaceID system (found on the new iPhone X) has come under intense scrutiny since its release, with a number of shortcomings already being found. But, it is a good place to start when looking at alternatives to passwords.

Need any advice?

If you have any questions about effective password management, feel free to drop us a line.


1st August '17

internet law security

Digital Economy Act: 2017 Updates

We are half way through 2017, yet this year has already proven a rambunctious time for digital lawmakers!

In the UK, discussion has been rife over recent changes in Internet law. The Investigatory Powers Act, which controversially allows our secret services to snoop on and record Internet habits, came into being earlier in the year. Against the advice of… well, almost everyone.

The US is hardly quiet on this front either. They are busily attempting to change net neutrality laws. The principle of net neutrality is that ISPs and the authorities must treat everything on the Internet the same, regardless of what it is. As an example, without net neutrality, if you used Sky as your ISP, they could block you from watching BBC or ITV. They could then effectively force you to pay for Sky content. More alarmingly, the government could censor websites that they don’t agree with!

What’s next for the Internet in the UK?

There will be further changes, which may affect Internet users more directly. Starting in April 2018, any website that publishes pornographic content will require that users prove their age by some form of identification, for example a passport, driving licence or credit card details.

This seems a sensible precaution – after all, businesses check for ID when people visit bars, go to the cinema or buy tools. However, supplying a permanent copy of your identification digitally, over the Internet, is different and comes with its own set of problems, the most prominent being identity theft. Also, imagine if the website suffers a data breach.

If your website is deemed by the Act to require an age gate, your business must implement the new robust check (simply asking for a visitor’s age without evidence will not suffice.)

It is obvious that children need to be protected from some online content; no-one could disagree with that. However, placing that responsibility on ordinary businesses, many of whom will not be well versed in digital security, seems crazy.

Should the responsibility for policing Internet access stand where it always has? Ensuring that parents and guardians are involved, to parent and guard their dependents? Or should personal use of the web be policed by businesses and governments, all of whom have their own agendas?

The debate will no doubt continue over the coming months and years. Watch this space!
