Password
Security
Introduction
A user’s password is the first line of defence in the prevention of misuse or theft of client personal or confidential information. Here are the essentials of maintaining the security of your password and some useful tools which will help make your use of cloud-based applications and tools more secure.
With enough time, a hacker can break any password: the objective for the legal practitioner is to create a password which will take longer to break.
The following discussion is designed to provide information about creating a more secure password that will take a longer time to hack.
A Strong Password
Your password should be a strong password. What does this mean?
Simple passwords that are short can more easily be deciphered. Most experts advise that a strong password is longer than 14 characters and should use upper and lower case letters, numerals, punctuation marks and symbols that are not part of a pattern. An exercise conducted by Ars Technica showed how easily even long passwords, which appear completely random, such as "qeadzcwrsfxv1331" could be cracked. The only way to reduce the risk of being hacked is to use a password manager to randomly generate a complex password.
The first rule is to avoid passwords that contain:
- Dictionary words
- Patterns such as consecutive or repeating letters or numbers eg “abc” or “123”
- The user name
- Family names, nicknames or pet names
- Celebrity names or names of sporting personalities.
Creating Meaningful Passwords
Here are some suggestions for creating and remembering memorable and meaningful passwords:
- Use the first characters of a sentence you can easily remember. "I go on holidays on 15 November" could be "IgoH15N" or my daughter was born on 30 June 2010 would be shortened to “Mdwb30/Jun!”.
- Substitute numbers for letters in a word that is included in your password string: "LawSociety" would be represented as “L1wSo3i5ty”.
- Remember to add symbols and punctuation – using the entire keyboard in the password increases the level of security.
Passwords should:
- Be changed frequently;
- Contain alphanumeric and mixed case;
- Include special characters;
- Contain lengthy random keys.
Separate Passwords for Each Applications
A separate password should be used for each application. If your account is hacked, it may contain your details or your client’s business or personal information allowing hackers to access other applications used by you or your client. Those applications may contain details which will assist in fraudulent activity.
Most of us have numerous accounts for varied activities, all with their own username and password. It is tempting to recycle passwords between different applications, but there are good reasons not to do so. The incidence of hacking large databases is increasing, and if your login details are stolen, all other accounts will be compromised. Even re-using part of a password between applications increases the risk.
Safe Storage of Passwords - Why You shouldn't Store Passwords in Your Browser
Passwords should be committed to memory or retained in an encrypted file. They should never be written down and should not be stored in a text file on your laptop or device.
Most browsers will offer to store your login, password and other key information and automatically fill relevant forms. Passwords are stored in encrypted databases locally on the user's device. If the browser is able to "sync" data between a user's device and third party devices, then the information is saved in the encrypted format: eg it is saved to Google for use on Chrome.
The security risk associated with this method is that anyone who can access the computer can also access the passwords saved on it.
How do they do this? With Chrome, it is a simple matter of going to the browser settings and clicking on "manage saved passwords" under "passwords and forms". Passwords will be visible under "manage saved passwords". While Internet Explorer does not let a user view saved passwords and does not sync data across devices, it is still vulnerable to third party password recovery tools that can be used to reveal passwords.
Using a Password Management System
Consideration should be given to using a password management system. A password manager helps users:
- Access all data (eg credit card information, secure websites and documents) using a single password, the Master Password;
- Create complicated and lengthy passwords for each application.;
- Use the browser to automatically complete user names and passwords from stored (encrypted) information.
So, instead of typing a different password into each site visited, the user only has to remember a single password and the password management system will automatically log into registered applications.
Encryption is at the heart of the security offered by password management systems. Most password management systems cause the user’s computer or device to encrypt passwords and personal data before uploading a copy to a cloud server. Thus, a user’s password [and other data] is encrypted and saved to the cloud through a secure connection, but the user will still have access to a synchronized, local copy of the password database on every computer and mobile device, regardless of the operating system, browser or mobile platform used. Which provides the user with access to the user's passwords if the cloud is unavailable or the vendor ceases business.
The Master Password
While passwords to various applications are randomly generated by the password manager, it is preferable to choose a sentence or phrase for the master password that is easy to remember but which is in a format that is difficult for a person to guess and will take longer to hack.
The master password is not known to the password manager.
Password Management System - Risks and Security
While a Password Management System is safer than not using one, it is not foolproof - providers themselves are not immune to attack: LastPass password manager was hacked in 2011 and some data may have been accessed. However, other breaches of password managers have not been reported since the LastPass hack and certainly there have been no reported successful compromises of encrypted password hashes since the LastPass hack.
However, a number of encryption vulnerabilities were highlighted in leading password management systems in 2012 and which are detailed in a paper “Secure Password Managers and Military-Grade Encryption on Smartphones: Oh, Really?” by A Belenko and Dmitry Sklyarov. Many of those vulnerabilities appear to have been addressed by the providers.
Local encrypted backup?
If a user forgets the master password, they will be unable to access data. As the password manager will not have retained the master password it will be necessary to reset all individual applications passwords
However, if the encrypted database of passwords is stored on a local device, the user will always have access to their password database via that device. Given that if the device is lost or corrupted in some way, and the user will not be access their encrypted local backup. So many technicians recommend storing an off-site encrypted backup of the user’s password database.
Popular Password Management Applications
Some popular applications are listed below. The list is not in any particular order and is not a recommendation for any application:
- 1Password
- Symantec Norton Password Manager – Windows
- AgileBits
- Dashlane
- Kaspersky Password Manager – Windows
- LastPass – Android, iOS and PC
- eWallet – for Windows, Mac and Android devices
- KeePass – Windows, mobile device GNU Open Source Software Free that runs on Linux, Mac or Windows http://keepass.info/compare
- MiniKeePass – iOS
- RoboForm
- Sticky Password
- Password Tracker Deluxe