Tag: password

NIST updating password recommendations

The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!

(Full story is behind the Wall Street Journal’s pay wall.)

You’ve used P@ssw0rds like this for years. It’s what NIST recommended for the Federal Government in 2003, and major corporations and universities picked up the guidance and set their password requirements to match.

Mr. Burr, who once programmed Army mainframe computers during the Vietnam War, had wanted to base his advice on real-world password data. But back in 2003, there just wasn’t much to find, and he said he was under pressure to publish guidance quickly.

He looked for some real-world data to see what people were doing.

He asked the computer administrators at NIST if they would let him have a look at the actual passwords on their network. They refused to share them, he said, citing privacy concerns.

Given there wasn’t much research into the field of password security and no real-world password stockpiles to pull from, he did the best he could.

With no empirical data on computer-password security to be found, Mr. Burr leaned heavily on a white paper written in the mid-1980s—long before consumers bought DVDs and cat food online.

Now there is better password data available. Have I Been Pwned currently lists 3,999,249,352 accounts from 228 websites. My own data has been breached over a dozen times, including by our own government.

The truth about passwords is we’re bad at passwords. I am terrible at passwords. That’s why I’ve used 1Password to keep my passwords secure. I don’t know most of my passwords because they are nonsense and very long. I know a single master password.

Given this new data, NIST is updating its recommendations, which will slowly be adopted by the government and companies, just as the 2003 guidance was.

Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.

Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.

This XKCD comic explains the math behind cracking these types of passwords. I look forward to leaving the P@ssw0rd days behind and welcome the correct horse battery staple.
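The arithmetic behind the comic's comparison, as an added example in Python (not code from the original post or the WSJ story). It assumes the comic's own figures: a 2048-word list, roughly 1000 guesses per second for an online attack, and the comic's component-by-component bit counts for a Tr0ub4dor&3-style password; the function names are mine. It also goes one step beyond the comic by comparing against truly random characters, which makes the real point visible: four words only beat a short character salad because people do not pick characters at random, and a passphrase needs about five words to match eight genuinely random printable characters.

```python
import math

# Added example, not from the original post. Reproduces the rough guess-space
# arithmetic from the XKCD "password strength" comic. The 2048-word list,
# 1000 guesses/s and the per-component bit counts are the comic's assumptions
# (estimates, not measurements).

GUESSES_PER_SECOND = 1000                 # assumed online guessing rate, as in the comic
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(num_words, wordlist_size=2048):
    """Entropy of num_words words drawn uniformly at random from a word list."""
    return num_words * math.log2(wordlist_size)


def random_chars_bits(length, alphabet_size=95):
    """Entropy of `length` characters drawn uniformly from an alphabet
    (95 = printable ASCII). Only valid when every character is truly random."""
    return length * math.log2(alphabet_size)


def mangled_word_bits():
    """The comic's accounting for an 'uncommon word + mangling' password such
    as Tr0ub4dor&3. The attacker only has to search roughly:
    base word 16 bits + capitalisation 1 + common substitutions 3
    + punctuation 4 + numeral 3 + order of the last two 1 = 28 bits."""
    return 16 + 1 + 3 + 4 + 3 + 1


def words_needed(target_bits, wordlist_size=2048):
    """Smallest number of random words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate in a keyspace of 2**bits at `rate` guesses/s."""
    return 2 ** bits / rate


def describe(bits):
    """Human-readable summary of a keyspace at the assumed guessing rate."""
    seconds = seconds_to_exhaust(bits)
    if seconds < SECONDS_PER_YEAR:
        return f"{bits:.1f} bits, about {seconds / 86400:.1f} days at {GUESSES_PER_SECOND} guesses/s"
    return f"{bits:.1f} bits, about {seconds / SECONDS_PER_YEAR:.0f} years at {GUESSES_PER_SECOND} guesses/s"


if __name__ == "__main__":
    print("Tr0ub4dor&3 pattern        :", describe(mangled_word_bits()))
    print("4 random words (2048 list) :", describe(passphrase_bits(4)))
    print("8 random printable chars   :", describe(random_chars_bits(8)))
    print("words to match 8 random printable chars:", words_needed(random_chars_bits(8)))
```

At the comic's 1000 guesses per second the 28-bit pattern falls in about three days and the 44-bit four-word phrase takes roughly 550 years, which matches the comic's captions. Note that the rate is the whole story: an attacker who has stolen a password hash and runs an offline cracker makes billions of guesses per second, so the same arithmetic gives far smaller numbers, and the only lever left is more words.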

Password requirement comic from XKCD.

My Simple Password System

Much has been written about passwords. How to manage them? Is it worth buying an app? How do you keep them all straight?

When people fret about passwords, their anxiety starts when it comes time to change the password. What will I change it to? How will I ever remember when I have so many?

Let me give you a hint about changing passwords I bet no one has ever told you.

You only need to change one character.

You know what? If your password is Password1!, you can change it to Password2! and it will still work. That’s all. Just change 1 to 2 and move on with your life.

Let me share with you my method for creating passwords for work. At work, since I can’t rely on an app to input my login password to my computer, I need a password I can remember.

I used to work in a place that required two passwords. One for my everyday user account and another password for my administrator account.

The user account had the normal requirement: at least 8 characters, with capital letters, lowercase letters, numbers and a special character.

My administrator account had to be at least 16 characters with the same requirements.

Now how was I ever going to keep my passwords in mind when I had to change the first every 90 days and the latter every 60 days?

My Password System

Let me give you my password system that works perfectly for the working world.

  1. Choose a food. Pick one with a few characters in it. I like pizza.
  2. Choose a special character. I always like to start with a ! It gives some pop! to! my! password!
  3. Choose a number. Start with 1. It will make your life easier.
  4. When it comes time to change your password, add 1 to the number.

Now, create your first password by putting them all together.

Enter your food with a leading capital letter.
Pizzas
Now, add your number, starting with 1.
Pizzas1
Finally, add your special character.
Pizzas1!
When it comes time to change your password, just add 1.
Pizzas2!

If that sounds funny, make it 1Pizza!!

Pizza was too short so I added an S to get my 8 characters. You could always use more numbers or special characters.

1Pizza1!
2Pizzas!!
3Pizza?!

Now you have passwords for as many years as you need. Keep adding 1 to your current password and if you don’t remember it, just try the last 3 numbers you remember using. It will be one of them.

And if you need to reset your password because you’ve forgotten what number you were on, add a couple of numbers to it. Instead of 23Pizzas! make it 27Pizzas!

Get tired of pizza? Use another food. Foods are easy because they’re easy to spell and hard to guess. Common passwords are names of children, spouses, parents or pets. Foods are much harder to guess.

And by changing a single number every time, you can reuse the same password forever without running out of options.

No more stressing when it comes time to change passwords. No more frustrating bouts of trial-and-error.

Click here and enter your password

Why will your local IT Department never ask for your username and password?

XKCD Comic

Username

Your local IT department set up your account. They know your username. They can look it up if they don’t. It’s often a combination of first and last names. Perhaps there’s a number thrown in. Or perhaps it’s a series of numbers.

No matter what it is, your IT department knows it.

Password

Never Give Anyone Your Password Over Email

Your IT department doesn’t know your password. They have no way to look up your password. But you know what they can do? Reset your password.

IT will never ask you for your username and password. If they really need it, they can look up one and reset the other. And resetting a customer’s password without their permission or knowledge is a huge breach of security and trust and will lead to that person getting fired or possibly worse.

What is Phishing?

According to Dictionary.com, Phishing is…

to try to obtain financial or other confidential information from Internet users, typically by sending an e-mail that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake Web site that replicates the real one.

Basically, it is someone trying to gain information from you by pretending to be something else. The attackers will spoof your bank web site, your employer, local IT department or an email from a friend or loved one.

Examples of phishing emails

Over the past few weeks, we’ve seen a larger than usual amount of phishing emails. I have included a couple of samples below with the links removed. After each message, I’ll make a note of why this is a fake message and what to look out for.

From: “Hogan, Judith”
Date: February 11, 2013, 11:14:15 AM EST
Subject: Security Update
There has been an automatic security update on your [email address](LINK REMOVED). To complete update, you are to click here.
Please note that you have within 24 hours to complete this update because you might lose access to your Email Box

First, check who the sender is. Does this person work in your company? Do they have the same Company.com email address? Have you heard of them before, or of the company they work for?

In this case, poor Judith Hogan at Rochester.edu is our sender. She does not work for the organization this email was sent to. She has most likely had her account compromised, and it is being used by the attackers. Judith is not trying to get access to your account. She is another victim of phishing or of some other attack that compromised her account. She is not after your information. She is merely the victim.

Second, the link for “email address” went to a page at hpage.com. Hpage.com is not your local IT department.

From: National Institute of Health <2254576378@qq.com>
Date: Sat, 2 Feb 2013 04:27:06 -0500
Subject: Important Notification

Dear Subscriber, All NIHMAIL users must upgrade their account on or
before 4th February 2013 . For easy upgrade, Click
http://[REMOVED].my3gb.com and fill out your correct account details.
Webmail Administrator

First, the From line actually shows the correct organization name. However, a quick check of the email address shows it goes to qq.com. NIH is a government entity and uses an NIH.gov domain. They would never direct customers to qq.com for any reason.

Second, Dear Subscriber is a giveaway. If this really were your employer emailing you, they know who you are. They would address you by first or last name. It would not be something so generic as Subscriber.

Third, the IT department plans and executes upgrades. Your IT department would never ask you to click anything to upgrade your account. That is part of the job of your IT techs: to manage, upgrade and control the email servers and email accounts. If there is an upgrade happening, they will tell you about it.

Finally, IT will never, ever, ever ask for your credentials. The IT department set up your email account. They already know what your username is. And while they don’t know your password, they do have the power to reset it. If you’ve ever forgotten your password and called your Help Desk, they reset your password for you, so they’ll never need to ask you for it. Your IT Department will never ask for your username and password.

Often times, attackers will threaten a customer with their data or email being deleted to scare them into compliance.

From: “Warren, Frank”
Date: Mon, 26 Nov 2012 07:19:27 -0500
Subject: Security Update

There has been an automatic security update on your email address. Click here to complete update
Please note that you have within 24 hours to complete this update because you might lose access to your Email Box.

First, Frank Warren @ BP.com doesn’t work for your company most likely.

Second, IT would never conduct an automatic update without first announcing it. And if there was an update performed, no one would need to click a link. They are the IT department. When they perform an upgrade, your account is upgraded. Done. There is no step 2.

Third, sporadic capitalization such as Email Box and missing periods in sentences are key indicators of phishing. Professional emails sent from your IT department will use proper grammar and punctuation.

From: NIH EMAIL WEB ACCESS
Subject: TERMINATION OF ACCOUNT

Dear NIH Account User,

Due to the congestion in all NIH users
accounts you needs toupdate your account with
our released F-Secure Internet Security 2013.
Newversion of a better resource spam and viruses.

If you have not upgraded your account, click reply
and fill in the columnsbelow to send it back so we can
update our database account immediately.
Failure to update will process your NIH
account beingtemporarily blocked or suspended
from our network and may not be able to
receive or send e-mail due to the update.

First, your company knows who you are and would address you by name.
Second, the missing spaces between words and poor grammar such as better resource spam and viruses means phishing. That last line doesn’t even make sense when you read it.
Third, the IT department upgrades your email. It doesn’t tell you to click a link *or else*. IT doesn’t threaten customers.

From: NIH User
Subject: Blank

Due to recent suspicious activities in your web-mail account and high amount of Spam mails we receive daily. you account have been blocked and made inactive to protect you, so to activate and unblock your account before routine deletion by our servers, To upgradeyour webmail please click (link withheld)

please fill all details to unblock your account instantly Thank you.

First, the subject line would not be blank.
Second, if your account has been blocked, you would not be receiving this email because your account has been blocked.
Third, poor grammar, lack of capitalization and asking to click a link is a sure sign of phishing.
Fourth, filling information into a web site will not unblock your account. A call to your help desk will.

I hope these examples and explanations have been helpful to better understand phishing and the ways attackers try to gain access to your email. Often times, customers will say, “I have nothing in my email that is important or sensitive.”

However, when a customer’s email account is compromised so is access to anything else they have. Any network drives are also vulnerable. VPN access or remote access are now vulnerable.

If the customer works with sensitive data such as HR or financial information, access to those accounts is now vulnerable too. Think of all the things that use a password reset sent to an email address to change a password.

If an attacker has access to your email account, they potentially have access to anything that email address connects to. Do you use it for Facebook, Twitter, your own web site, Amazon, Paypal, or your bank?

All of those things could be compromised because the attacker is able to reset those accounts’ passwords using your email address. For a worst-case scenario, see the story of Mat Honan, whose computer and phone were remotely wiped because an attacker was able to gain access to his account.

This is a worst case scenario. However, the same security threats exist if an attacker gains access to your email account. Attackers aren’t just after your work email accounts either.

Take a look through your Gmail, Hotmail, or Yahoo email account. What social media sites do you use that email for? Does your bank send email there? How about credit cards? If an attacker gains access to that account, they have anything you use that email address for, in addition to being able to email your friends, family and colleagues from your account in an attempt to gain access to their accounts too.

The best weapon against phishing and other attacks is to use common sense. If you have a question about something you’ve received, email the sender back and ask them about it. If you receive a suspicious email at work, call your help desk and ask about it.

The best defense is to use common sense and think about what you’ve received and if it makes sense. How can you easily detect a phishing attack?

  1. Check the sender. Do they work for your company? Is the email address the same as the sender name?
  2. Are there weird misspellings, poor grammar and a lack of basic punctuation? Does your local IT department send you emails like this? Does your brother, mother or colleague?
  3. Is there a link in the email? Don’t click it. If you move your mouse over it and wait a couple of seconds, it will show where the link is going to take you. If it’s a weird-looking link, don’t click it.
  4. If you’re suspicious, delete the email. If it was something important, the sender will contact you again or in another way.
  5. Remember, the IT department manages your email account. They will never ask for your credentials or to click a link for any reason. They have the power to do whatever they need to do to upgrade, manage or migrate your email. That’s their job.
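The checklist above can be turned into a first-pass filter. What follows is an added example, not code from the original post: it encodes the checks (sender domain, generic greeting, pressure and deadlines, requests for credentials, and where links actually point) and runs them over three constructed messages modelled on the samples quoted earlier. ORG_DOMAIN, every address and every link host are made-up placeholders. The patterns are heuristics and will miss things, so treat the result as a triage hint, not as a replacement for calling the help desk.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Added example, not the original post's code. All domains, addresses and
# messages below are constructed placeholders for illustration.
ORG_DOMAIN = "example-org.gov"   # assumption: your own organisation's mail domain

# "Dear Subscriber", "Dear NIH Account User" and the like: IT knows your name.
GREETING_RE = re.compile(
    r"^\s*dear\s+(?:\w+\s+)?(?:subscriber|user|customer|member|account user)\b", re.I | re.M)
# Deadlines and threats used to pressure the reader (line breaks allowed inside phrases).
URGENCY_PATTERNS = [re.compile(p, re.I) for p in (
    r"within\s+\d+\s+hours", r"on\s+or\s+before", r"failure\s+to", r"lose\s+access",
    r"blocked", r"suspended", r"terminat", r"immediately")]
# Phrases that ask the reader to hand over or type in credentials.
CREDENTIAL_PHRASES = ("password", "account details", "username",
                      "fill in", "fill out", "fill all details", "log in")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def _is_internal(host):
    host = host.lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def phishing_indicators(raw_message):
    """Return the checklist items a raw RFC 822 message trips, in check order."""
    msg = message_from_string(raw_message)
    _display_name, address = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    if not isinstance(body, str):          # multipart: use the first part only
        body = msg.get_payload(0).get_payload()
    text = body.lower()
    found = []

    # 1. Check the sender: is the address really from your organisation?
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if not sender_domain:
        found.append("no-sender-address")
    elif not _is_internal(sender_domain):
        found.append("external-sender")

    # A blank or missing subject line (the "Subject: Blank" sample).
    subject = msg.get("Subject", "").strip()
    if not subject or subject.lower() == "blank":
        found.append("blank-subject")

    # 2. Generic greeting instead of your name.
    if GREETING_RE.search(text):
        found.append("generic-greeting")

    # Deadlines and threats: "within 24 hours", "blocked", "suspended" ...
    if any(p.search(text) for p in URGENCY_PATTERNS):
        found.append("urgency-or-threat")

    # 5. IT never asks for credentials or for a form to be filled in.
    if any(phrase in text for phrase in CREDENTIAL_PHRASES):
        found.append("asks-for-credentials")

    # 3. Links: where does each one actually point?
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not _is_internal(host):
            found.append("external-link:" + host)
    return found


def classify(raw_message, threshold=2):
    """Verdict plus the indicators behind it; two or more indicators is 'suspicious'."""
    indicators = phishing_indicators(raw_message)
    verdict = "suspicious" if len(indicators) >= threshold else "no obvious indicators"
    return verdict, indicators


# Constructed samples modelled on the messages quoted in the post.
SAMPLES = {
    "scheduled-maintenance": """From: IT Help Desk <helpdesk@example-org.gov>
Subject: Scheduled mail server maintenance

Hi Jane,

The mail servers will be upgraded this Saturday between 2am and 4am.
No action is needed on your part. Notes: https://intranet.example-org.gov/maintenance
IT Help Desk, ext. 1234
""",
    "fake-upgrade": """From: National Institute of Health <2254576378@mail-provider.example>
Subject: Important Notification

Dear Subscriber, All NIHMAIL users must upgrade their account on or
before 4th February 2013. For easy upgrade, Click
http://phish-host.example/upgrade and fill out your correct account details.
Webmail Administrator
""",
    "compromised-colleague": """From: "Hogan, Judith" <jhogan@other-university.example>
Subject: Security Update

There has been an automatic security update on your email address. To
complete update, you are to click here: http://update-page.example/mailbox
Please note that you have within 24 hours to complete this update because
you might lose access to your Email Box
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, hits = classify(raw)
        print(f"{name:24s} {verdict:22s} {hits}")
```

The maintenance notice trips nothing: internal sender, the reader's name, no deadline, no request for credentials, and a link that stays inside the organisation. The two look-alikes of the quoted phishing messages trip three to five checks each. The "compromised colleague" case is worth noting: the checks flag the message, not the person, which matches the post's point that the named sender is usually a victim too.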

Some thoughts on Internet Security

Author’s Note: This article is part of a Tech Topics column I write for a small print publication focused on helping small business owners become more comfortable with technical topics.

It’s not a glamorous topic. When you hear the words Internet Security, the first thing that pops into your head is probably viruses, spyware, phishing and other tribulations of the Internet.
However, there is another type of internet security you should be aware of, and that’s security for your web site. We have recent reports of two sites that were defaced or hacked in some way. Unlike the image you see on the news, of the elite hacker sitting for days engineering a secret way into web sites, both of these problems could have been easily prevented with a few minutes of time and a little attention.

First, create a good password. This goes for passwords to your server (FTP or File-editing access), passwords to your email, and passwords to your web software, like an online ordering system. I’m not saying you have to make the password look like “Th1SizAg0OdP@s$w0Rd” but also don’t make them “password” or “CopyShop” or your company, spouse, pet, or child’s name. Birthdays are also a very common source of passwords. The idea is not to make the password so difficult you will never remember it, but also to make it hard enough that no one would be able to guess it with a few minutes of trying.

Second, keep your software up to date. If you are running a content management system (CMS), online ordering system, or shopping cart of any type, make sure it is up to date. New releases of these applications often contain security fixes to help keep out would-be intruders. While this may sound daunting, many modern web applications like these have simple update links to click and they will update automatically. Similarly, many web hosts provide a “1-Click” update functionality. Of course, if you’re working with a company to provide your web site then they should already be taking care of this for you.

Third, keep a critical eye. This is not so much a tip as a warning to remain vigilant. Often, intruders gain access to systems not by guessing passwords or exploiting flaws in software, but by “social engineering”. Social engineering is a fancy word for trickery. One of the more common forms is a fake email pretending to be from a trusted source such as a friend or colleague, a paper or supply vendor, a large retailer like Amazon, or even your bank. The purpose of these fake emails is to direct you to a web page that mimics the look of the real one and get you to enter your username and password, so the attackers can then turn around and access your accounts without your knowledge.

A good rule of thumb is that if something looks suspicious, it probably is. If you get an email about a recent order from amazon.com that you never placed, or a note from your bank about a large purchase you don’t remember making, don’t click the link in the email, as it is most likely going to redirect you to a fake site. Go to your browser and type in amazon.com or YourBanksName.com. If you have any question, a call to customer service is a surefire way to verify the authenticity of the message.

All of these are simple things you can do to save yourself hours of headaches and repair work should your website or server become compromised. The moral of Internet Security really is that an ounce of prevention is worth a pound of cure.