Tag Archives: password strength

Blog Post Shout Out: Creating Passwords and Internet Privacy

This blog post shout out will focus on both security and privacy related issues.

While there has recently been a renewed focus to phase out passwords, until that happens we need to continue to manage them.

The following article discusses (among other topics) managing passwords. It focuses on providing security while making it easier for users to remember them. It also raises doubts about the need for changing passwords so often and provides evidence to back this up.

All of this advice may be useful if you are trying to create or update your corporate password policy to make it more user friendly while still maintaining security.

How to hack the hackers: The human side of cybercrime by M. Mitchell Waldrop (Nature Journal)

================================
In an effort to preserve your privacy you may be using a VPN connection when browsing the internet using your computer or mobile devices.

However, as noted by F-Secure in this FAQ article, this may not be enough to fully protect your identity since some information (namely your real IP address) can still be leaked via WebRTC traffic: when a browser gathers connection candidates for WebRTC (ICE/STUN), it can expose your real public and local IP addresses to a web page even while the VPN tunnel is up. Within that FAQ article they provide advice on how to prevent this leak for the most common web browsers.
================================
Related to the above topic of VPNs, using public Wi-Fi hotspots isn’t a good idea if you want to preserve your privacy as this Kaspersky article demonstrates.

While a VPN can assist with preserving that privacy when using a public Wi-Fi, it isn’t a perfect solution. For example, apps installed on mobile devices can still leak data as discussed in this article.

However, it is possible to better control such data leakage on Android and Apple iPhones. A guide to do this for Android is available here.

For an iPhone, open Settings -> Mobile Data and restrict the apps you want to limit. Note that these settings only govern cellular data: once you connect to a public Wi-Fi hotspot, every app will open new connections or resume existing ones over that hotspot.

To minimise the amount of data leaked you should use a VPN on your mobile device (as discussed above). In addition, you can enable Low Power Mode from Settings -> Battery. This halts background activity such as background app refresh, mail fetch and automatic downloads, so fewer apps talk to the network while you are on the hotspot. More information on this setting is available from here.

Next, turn on your VPN (Settings -> General -> VPN). A list of popular VPN providers is available here.

Using the above steps will help to minimise the amount of data leaked if you are privacy conscious and use an Android powered device or an iPhone. Full disclosure: as you know I use an Android phone so I haven’t intentionally provided more information/discussion on the iPhone.

I hope that you find the above references useful in maintaining your security and privacy. Many thanks to a colleague (you know who you are) for contributing the advice on using VPNs with mobile devices.

Thank you.

Taking The Effort Out Of Password Management (Updated)

In today’s connected world the management of passwords can be a time consuming chore that is unfortunately a necessary evil. Creating and using strong passwords is a recommended best practice to protect any online account from falling into the wrong hands. With the many data breaches of 2013 and 2014, e.g. Target, Home Depot and eBay (among others), protecting your online identity remains very important.

In order to assist with managing your passwords and online accounts, I would recommend using a password manager, e.g. LastPass or Roboform among others, to reduce the number of passwords that you need to remember to only one master password. That master password should be extremely strong, since it protects your entire online identity.

But how do you create strong passwords before you place them in the password manager? Use a random password generator (one that draws from a cryptographic random number generator rather than a plain pseudo-random one) and then check the strength of the result. How strong should a password be? That depends on what the password protects: the more sensitive or important the account, the stronger the password should be. Bear in mind that the realistic threat is an offline attack on a stolen database of hashed passwords, where an attacker can make billions of guesses per second against a fast hash such as MD5 or NTLM. A randomly generated password of 16 or more characters drawn from the full printable alphabet is far beyond reach even if the site used a weak hash, whereas a short or human-chosen password will fall quickly. Aim for passwords that would take far longer to crack than the account will exist, not merely longer than the other passwords in the same breach.

Popular and effective password generators are the following:

LastPass

Norton Password Generator

While password strength meters can be weak and can provide a false sense of security, I have found this password strength tester to work incredibly well.
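As an added illustration (my own code, not from the original post or from any of the generators or testers linked above), the following Python generates a password from the OS cryptographic random source, computes its entropy and turns that into an expected offline crack time under two assumed guess rates. It also shows the failure mode of a meter that only counts character classes, which is why such meters can give a false sense of security. The guess rates, the small blocklist and the sample passwords are constructed for this example.

```python
import math
import secrets
import string

# Constructed guess-rate assumptions for illustration only (not figures from the post):
# an attacker who has stolen the hash database and runs it on GPU hardware.
GUESS_RATES = {
    "fast unsalted hash (e.g. NTLM/MD5 on GPUs)": 1e11,   # ~100 billion guesses/s
    "slow adaptive hash (e.g. bcrypt, high cost)": 1e4,   # ~10 thousand guesses/s
}

# The full printable ASCII set minus space: 26 + 26 + 10 + 32 = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=FULL_ALPHABET):
    """Build a password from the OS CSPRNG via `secrets` (never the `random` module)."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet) bits per position."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def crack_time_report(length, alphabet_size=len(FULL_ALPHABET)):
    """Expected crack time in seconds for each assumed guess rate."""
    bits = entropy_bits(length, alphabet_size)
    return {name: expected_crack_seconds(bits, rate) for name, rate in GUESS_RATES.items()}


def human_time(seconds):
    """Rough human-readable duration (a year is taken as 365 days)."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:.1f} seconds"


def charclass_meter(password):
    """A naive meter of the kind the post warns about: it scores 0-4 purely on
    which character classes appear, so the predictable 'P@ssw0rd!' earns 4/4."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(ch in cls for ch in password) for cls in classes)


# Constructed stand-in for the breach-derived wordlists that real cracking tools load.
KNOWN_WEAK = {"password", "p@ssw0rd!", "letmein", "qwerty123", "123456"}


def is_known_weak(password):
    """True when the password (case-insensitively) is on the blocklist; a cracker
    tries these first, whatever a character-class meter says about them."""
    return password.lower() in KNOWN_WEAK


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw)
    for name, secs in crack_time_report(len(pw)).items():
        print(f"  {name}: ~{human_time(secs)}")
    for sample in ("P@ssw0rd!", pw):
        print(f"{sample!r}: meter={charclass_meter(sample)}/4 known_weak={is_known_weak(sample)}")
```

The crack-time figures are only as good as the assumed guess rate and assume the password is genuinely random; for a human-chosen password the entropy formula overstates the strength badly, which is the second reason meters mislead. A generator backed by `secrets` (or the operating system's equivalent) sidesteps that problem entirely.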

=======================
Update: 6th May 2015:
I have found that the above mentioned password strength tester is now limited to testing passwords of 50 characters (or shorter) in length.

Further advice on generating strong passwords without using a password generator and best practice advice on password management is discussed in the following two short YouTube videos from Sophos:

How to pick a proper password
https://www.youtube.com/watch?v=pMPhBEoVulQ

How to choose a strong password – simple tips for better security
https://www.youtube.com/watch?v=VYzguTdOmmU

Aside: While I realize that I often mention Sophos blog posts and videos in general, this is simply because I have found their posts or videos very informative yet concise. I try to link to various sources and I do not endorse Sophos’ products or advice over any other source/company.

For Microsoft Active Directory (Domain Joined systems):
For corporate systems/Microsoft Active Directory joined PCs, Microsoft has updated its Local Administrator Password Solution (LAPS) tool in order to make domain joined systems more secure by randomizing the local Administrator password used for each system (rather than having them all set to the same value or managed manually by your IT staff).

More information on the tool is available here. In addition, a short deployment guide is available here. The password for each computer is set by a client-side Group Policy extension and written to an attribute of the computer object in Active Directory; that LDAP write is protected by Kerberos encryption (AES), so the password does not cross the network in plaintext or as a hash. Note that the stored value is kept in cleartext in Active Directory, so read access to the attribute must be restricted with the permissions LAPS provides to the administrators who genuinely need it. Because every system ends up with a different local Administrator password, an attacker who obtains one machine's local admin hash can no longer replay it against the rest of the domain, which is how the tool helps to mitigate Pass-the-Hash (PtH) attacks.

=======================

Going Further Than A Password
Whenever possible you should also use 2 factor authentication. However with 2 factor authentication you should ensure that the online account that supports this type of authentication has the appropriate means of recovering access to your account should you lose your second factor of authentication e.g. your cell phone.

Apple, Google and WordPress are examples of such accounts that offer recovery codes that you can print or save in a secure location to use to access your account should you lose your second factor of authentication. I find such recovery codes ideal since they offer the extra protection of using a second authentication factor while significantly reducing the possibility of locking yourself out of your account should you lose your cell phone. An excellent article detailing the advantages and disadvantages of 2 factor authentication is this Sophos blog post.
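To make the recovery-code idea concrete, here is an added Python example (my own code, not how Apple, Google or WordPress implement it) of how a service can issue a set of single-use recovery codes and later redeem them. The alphabet, code length, attempt limit and the in-memory store are assumptions for illustration; a real service would persist the hashes per user.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O/1/l/i so that printed codes survive being read back by eye.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10          # 31^10 is about 2^49.5, far beyond online guessing
MAX_ATTEMPTS = 10         # lock out after this many consecutive failed redemptions


def generate_recovery_codes(count=10, length=CODE_LENGTH):
    """Fresh codes from the OS CSPRNG, formatted as xxxxx-xxxxx for printing."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return codes


def normalize(code):
    """Strip the hyphen, whitespace and capitalisation a user may add when typing."""
    return "".join(code.split()).replace("-", "").lower()


def hash_code(code):
    """Codes are random and high-entropy, so a plain SHA-256 suffices here; a slow
    hash (bcrypt/Argon2) is needed only for low-entropy, user-chosen passwords."""
    return hashlib.sha256(normalize(code).encode("utf-8")).hexdigest()


class RecoveryCodeStore:
    """Server-side record for one user: only hashes are kept, each usable once."""

    def __init__(self, codes):
        self._unused = [hash_code(c) for c in codes]
        self.failed_attempts = 0

    def remaining(self):
        return len(self._unused)

    def redeem(self, candidate):
        """Return True and burn the code on a match, False otherwise."""
        if self.failed_attempts >= MAX_ATTEMPTS:
            return False                     # locked out; needs a separate reset path
        digest = hash_code(candidate)
        match = None
        for stored in self._unused:          # scan every entry; no early exit on a hit
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            self.failed_attempts += 1
            return False
        self._unused.remove(match)           # single use: the code is gone after this
        self.failed_attempts = 0
        return True


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("give these to the user once, then never again:", *codes, sep="\n  ")
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0].upper()))
    print("reuse of the same code:", store.redeem(codes[0]))
    print("codes remaining:", store.remaining())
```

The two properties that make recovery codes safe to print and file away are visible in the store: the service keeps only hashes, so a database leak does not hand out working codes, and each code is removed on first use, so a code that was copied from the paper cannot be replayed once you have used it.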

As time progresses we may finally obtain some relief from the constant maintenance of our passwords (namely changing the more frequently used or important passwords more often). This should come in the form of the introduction of new and more widely standardized authentication tokens, e.g. the USB FIDO (U2F) security keys that can be used to log into your Google account.

The announcement earlier this year that Microsoft intends to support such tokens for logging into the forthcoming Windows 10 offers a lot of promise for an easier and more standardized means of using a second factor of authentication. In addition, Windows Hello will add biometric authentication (face recognition and fingerprint identification) to Windows 10, which will ease the logon process by removing the need to type a password. Biometrics are convenient and, because the biometric data stays on the device, they are not exposed to the phishing and reuse attacks that passwords suffer from; they are not secrets, however, and cannot be changed if compromised, so they are best treated as a local unlock factor rather than a replacement for every credential.

With the wider adoption of such technologies and as they become more developed/refined perhaps within the next 5 years we might be able to finally say goodbye to the dreaded practice/topic of password management.

Thank you.