I have just finished reading ‘The Art of Intrusion’ by Kevin Mitnick and William M. Simon. Some may remember the name Mitnick; he is probably one of the most famous hackers of all time. In this book Mitnick and Simon present real-life cases of computer hacking. Whilst it is now ten years old, many of the stories told in the book are, sadly, still relevant today. What caught my attention was the statement at the very end of the book, pages 258 & 259 to be precise, which I hope Mr Mitnick and Mr Simon don’t mind me reproducing here:
“And that seems like a powerful message to end with. If every computer user were to improve his or her passwords tonight — and not leave new passwords in some easy-to-find place — then tomorrow morning, we would suddenly find ourselves living in a much more secure world.
We hope that will be an action message for every reader of this book.”
I’m sure the book has had success, but how many people have taken note of that last paragraph and acted on it? The message about passwords is forever being talked about. Every year SplashData produces a list of the top passwords used worldwide. In 2015 the number 1 position was held by the password ‘123456’, closely followed in second position by ‘password’ and then ‘12345678’. One of the first things hackers want is to get hold of a password. Once they have one, their task is much easier, and it looks like computer users are not making this too difficult for them.
Passwords are a pain though. I think I have over 70 now, and trying to dream up new passwords for every site/system and then changing them regularly is even harder. It is recommended that passwords are complex, between 8 and 12 characters long, and also contain special characters such as #^&? etc. So personally, I am expected to remember:
- 840 characters;
- the associations of those characters to sites/systems;
- the reminders that will help me remember my password!
And change them all regularly. If I follow the security recommendation of changing passwords every 90 days, that means annually I am having to remember 3,360 characters just in connection with my computer activity. That’s hard, and it is probably the reason people reuse passwords, write them down or choose ridiculously simple ones. But until something more reliable comes along we are stuck with the dreaded things and we have to make the best of them.
When reading Mitnick’s final paragraph, I remembered the work that had recently been published by CESG in cooperation with CPNI, ‘Password Guidance: Simplifying Your Approach’. In what seems to be a very well written and straightforward document they recommend, amongst other things, lightening the burden on users. Specifically they state:
- Users have a whole suite of passwords to manage, not just yours.
- Only use passwords where they are really needed.
- Use technical solutions to reduce the burden on users.
- Allow users to securely record and store their passwords.
- Only ask users to change their passwords on indication or suspicion of compromise.
- Allow users to reset passwords easily, quickly and cheaply.
- Do not allow password sharing.
- Password management software can help users, but carries risks.
This seems sound, practical advice. So I would recommend that if, tomorrow, every business looked at its password policy and revised it in line with the CESG advice, then we could find ourselves living in a much more secure world.
Reducing the risk of this:
Featured image by: Eric Schumuttenmaer