Monday, January 2, 2012

Good Passwords Are the First Line of Defense

Let's talk about passwords. The subject came up among some friends in the infosec community recently, and it makes a good first blog post: it is arguably the security practice that touches the most people and also one of the most misapplied. Even in the largest corporate environments it is often poorly implemented, and getting it right goes a long way towards improving overall security posture, for home users as much as for enterprises. A password is usually the first line of defense against unauthorized people accessing things they shouldn't, and for that reason alone it is a good basic first post.
It has been written that the most common password in use in the world is '123456' and the fourth most common password is 'password'. It is unreal to me that someone would choose something like that for a password, but again, stupidity among people seems to know no bounds. In fact, it is stupidity that is generally accepted among my cynical gaggle of friends in infosec that keeps us all employed and guarantees our job security for years or decades to come.
So, what can the average end user do to avoid becoming the next addition to a botnet herder's arsenal? Mostly, be smarter about how they use passwords. Step one is to use better passwords. Step two is to NOT use the same password for more than one service or application. Step three is to have some kind of regimen for changing passwords on a regular basis.
So what makes a good password? It is generally accepted that longer is better, and that using more character classes helps: a mixture of upper and lower case letters, numbers, and some symbols or punctuation. Better still is to use not a password but a passphrase. It might not seem obvious, but something like 'Apassphraseissomethingeveryoneshoulduse' is a better password than 'Ah3$s_@kX'. Both are relatively strong, but (without going into all the math or a discussion of entropy) the length of the passphrase makes it MUCH harder to crack than even the complex password: an attacker trying every combination of characters has to cover a search space that grows exponentially with length, and even an attacker who knows the phrase is built from ordinary words has to guess each of those words. One caveat: the words should be your own choice, not a famous quote, song lyric or proverb, because attackers keep lists of those and a well-known sentence is effectively a single dictionary entry. So when asked to choose a password for a service (whether it's for an online game website or your online banking password, more on that in a second), consider using a phrase instead of a single word or random string of characters. It decreases the likelihood of being guessed by orders of magnitude.
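To put rough numbers on the passphrase-versus-complex-password comparison, here is a small calculator written for this post (it is an added example, not code from the original article). It estimates the size of the search space two different attackers face: one that brute-forces characters from whatever classes appear in the password, and one that knows a passphrase is made of ordinary words and guesses whole words. The 32-symbol set, the 10,000-word vocabulary and the assumed offline rate of ten billion guesses per second are illustrative assumptions, not figures from the post.

```python
import math
import string

# Assumed symbol set an attacker includes in a full brute-force alphabet
SYMBOLS = set(string.punctuation)  # 32 printable ASCII symbols
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must cover, inferred from the
    character classes that actually appear in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the number of candidates needed to exhaust every string of
    this length over this alphabet (the 'character by character' attack)."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(word_count: int, vocabulary_size: int) -> float:
    """Search-space bits when the attacker knows the passphrase is built from
    word_count words drawn from a vocabulary of vocabulary_size words."""
    return word_count * math.log2(vocabulary_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right candidate, assuming on average half of
    the search space has to be covered."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def compare(complex_pw: str, passphrase: str, passphrase_words: int,
            vocabulary_size: int = 10_000,
            guesses_per_second: float = 1e10) -> dict:
    """Strength estimates for a short complex password versus a passphrase.
    passphrase_words is supplied by the caller because the post's example
    passphrase has no spaces to split on."""
    complex_bits = brute_force_bits(complex_pw)
    phrase_char_bits = brute_force_bits(passphrase)
    phrase_word_bits = wordlist_bits(passphrase_words, vocabulary_size)
    return {
        "complex_bits": complex_bits,
        "complex_years": years_to_crack(complex_bits, guesses_per_second),
        "passphrase_char_bits": phrase_char_bits,
        "passphrase_word_bits": phrase_word_bits,
        "passphrase_years_word_attack": years_to_crack(phrase_word_bits,
                                                       guesses_per_second),
    }


if __name__ == "__main__":
    # The two examples from the post; the phrase is seven English words.
    result = compare("Ah3$s_@kX", "Apassphraseissomethingeveryoneshoulduse", 7)
    for key, value in result.items():
        print(f"{key:30s} {value:,.1f}")
```

The word-based figure is the honest one for the passphrase: the character-based number (over 200 bits) is what a naive brute forcer faces, but an attacker who assumes common words gets it down to roughly 93 bits for seven words from a 10,000-word vocabulary. That is still far above the roughly 59 bits of the nine-character complex password, which at ten billion guesses per second against a fast hash falls in about a year. A famous sentence does not get even the word-based credit, since it is one entry in a phrase list.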
The second step is to choose different passwords for different services. If I can somehow guess, crack, keyboard-sniff or otherwise get hold of your password, it lessens the damage done if you aren't using that same password for multiple services. At the very least, recognize that different services have different levels of sensitivity. From the earlier example, if you use the same password for (say) an online gaming website as you do for your online banking, you are asking for trouble. It is not unheard of for even huge corporations to get hacked and lose their customer information, including their customers' usernames and passwords. This is made worse by the fact that many companies want you to use your email address as your username. So imagine you used the same password there as you do for your Gmail account, and then that company gets compromised because it didn't keep its software patched and up to date. Now the attackers have your email address and the password that opens it, and they will try that pair against every other popular service too. Two hacks in one. It's all about making it harder for the bad guys. So again, use different passwords for different services and you lessen the impact if one of those services gets compromised.
Finally, it is just good practice to change your passwords (at least the most important ones) regularly. How often is regularly? This is one thing that larger corporate environments generally do a better job at, mostly because in a large corporate infrastructure, group policy can force users to change their login password on a schedule. Usually that time frame is every 90 days or less. This is not bad, and it is something end users are simply required to do. Contrast that with most home users, who choose a password when they first get their computer and then continue to use that same password for years. The longer you use the same password, the more chance there is of it being compromised in some way, and the longer you keep using it after that, the longer the bad guys get to use your resources (your CPU time, your network bandwidth, or worst case, the funds in your bank account). Two caveats: change a password immediately, not at the next scheduled date, when a service you use announces a breach or you suspect a compromise, and when you do change it, pick a genuinely new one rather than incrementing a number on the end, which attackers try first. So it's a good idea to set up reminders for yourself, at least every few months, to change your most important passwords.
So for those who complain that doing all these things is too much work, there are tools to help you. Password management software can help immensely. There are a number of choices, but a couple of the best that have been around for years are KeePass and Password Safe. A quick Google search for either of those will point you to where you can get them. They are both free to use and have a number of features that help you choose good passwords (or passphrases), use them easily, and remind yourself to change them on some kind of schedule. These are the simplest and most effective things a typical home user can do to instantly improve their security posture, and I highly recommend it. (I am not affiliated with either of these pieces of software in any way, just so you know.)
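Once your passwords live in a manager, the second and third steps above (no reuse, regular rotation) become something you can check mechanically rather than remember. The script below is an added example written for this post, not a feature of KeePass or Password Safe; it reads a generic CSV export in the shape both tools can produce (Title, URL, Username, Password, Modified) and reports reused passwords, entries older than a cutoff, and passwords that are short or on a tiny stand-in list of the common ones the post mentions. The export and the dates in it are constructed sample data, and the 90-day and 12-character thresholds are assumptions you can tune.

```python
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export: fake entries, not real credentials.
# The Modified column is an ISO date, as a typical CSV export writes it.
SAMPLE_EXPORT = """Title,URL,Username,Password,Modified
Bank,https://bank.example,alice@example.com,S3cure!Pass#2011,2011-11-15
Game forum,https://game.example,alice@example.com,S3cure!Pass#2011,2010-03-02
Webmail,https://mail.example,alice@example.com,Apassphraseissomethingeveryoneshoulduse,2011-12-20
Shopping,https://shop.example,alice,password,2009-06-01
"""

# Stand-in for a real common-password list; the post names these two.
COMMON_PASSWORDS = {"123456", "password"}


def load_entries(csv_text: str) -> list:
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def fingerprint(secret: str) -> str:
    """Short hash so the report can group by password without printing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def find_reuse(entries: list) -> dict:
    """Map fingerprint -> titles for every password used by more than one entry."""
    groups = defaultdict(list)
    for entry in entries:
        groups[fingerprint(entry["Password"])].append(entry["Title"])
    return {fp: titles for fp, titles in groups.items() if len(titles) > 1}


def find_stale(entries: list, today: date, max_age_days: int) -> list:
    """Titles whose password was last changed more than max_age_days ago."""
    cutoff = today - timedelta(days=max_age_days)
    return [e["Title"] for e in entries
            if date.fromisoformat(e["Modified"]) < cutoff]


def find_weak(entries: list, min_length: int) -> list:
    """Titles whose password is too short or on the common-password list."""
    return [e["Title"] for e in entries
            if len(e["Password"]) < min_length
            or e["Password"].lower() in COMMON_PASSWORDS]


def audit(csv_text: str, today_iso: str,
          max_age_days: int = 90, min_length: int = 12) -> dict:
    """Run all three checks; today_iso fixes the reference date so the
    result is reproducible."""
    entries = load_entries(csv_text)
    today = date.fromisoformat(today_iso)
    return {
        "reused": find_reuse(entries),
        "stale": find_stale(entries, today, max_age_days),
        "weak": find_weak(entries, min_length),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, "2012-01-02")
    for fp, titles in report["reused"].items():
        print(f"password {fp} reused by: {', '.join(titles)}")
    print("older than 90 days:", ", ".join(report["stale"]))
    print("short or common:", ", ".join(report["weak"]))
```

Grouping by a hash rather than the plaintext keeps the passwords out of the report, which matters if you save or mail the output. On the sample data the reuse check catches exactly the gaming-site-and-bank pairing the post warns about.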
Many people (especially the average home user) think they are not important enough to be the target of a hack, but for a number of reasons this is not true at all. It is a form of "security through obscurity", which is considered among the worst ways to keep something safe. (This might be the subject of a future blog post.) The fact is, even if you are just a typical home user, you DO have things the bad guys want. Even if you don't use online banking, at the very least you have a computer (with its CPU, memory and storage) and a connection to the internet, possibly even a fast broadband connection. Those two things alone make you a desirable target for the botnet herders out there, and attacks on them are automated, so nobody has to decide you are worth the effort. They would love nothing better than for you to use 'password' to secure those things.
So, in summary: 1) Use better passwords, and better still, consider using passphrases to secure your resources; 2) Don't use the same password or passphrase for more than one service (or at the very least, not across services of different sensitivity); and 3) Set up reminders for yourself to change your passwords/passphrases on a regular basis, and change one right away if the service it protects is breached. I guarantee that if you follow those three simple steps, you will be orders of magnitude more secure than probably 90% of the rest of the people out there.
