Saturday, January 24, 2009

Conficker and Password Advice

I was just reading an article in The Age today about the Conficker worm, and the article was pretty straightforward: bad worm, infected lots of machines, brute-forces weak passwords (it carries a short list of common passwords and tries them against shared folders on the network). Some of the advice given was obvious: use stronger passwords, make sure your OS is up to date, and keep any anti-virus software you use up to date as well. However, the last sentence really bothered me.

From the article :

"Go get a notebook, keep it next to your computer and record your password in it. No hacker in the world can hack the written page locked away in your office."

This is a quote from David Perry, a “Software Security Specialist” at Trend Micro.

I have not heard worse advice regarding password security in many, many years. Sure, a worm cannot leap out of the computer, leaf through your notebook and try everything written in it, but what about anyone else who uses your office: your cleaner, your spouse, your kids, their friends and so on? It is the same basic principle as your bank card PIN. If you write it down, another person can potentially see it and use it, and if you follow the article's other advice about using numbers and special characters (which you should), a password stands out immediately from the rest of the scribbling on a desk-side notepad. You may well say that only your spouse and your kids use your office, and you trust them. I have never seen this as an issue of trust; I see it as an issue of protection. I trust my spouse implicitly, but I will never tell her my password. If there is ever a security violation using my account and my company asks who else may have been able to find out my password, I can honestly and confidently say no one, not even my spouse, thereby protecting her from any suspicion.

So what's the solution? We know for a fact that a username and password alone is a weak security model. The username is just an identifier, so this is really single-factor authentication (something you know), and we often talk about two-factor authentication, adding something you have such as a smartcard or hardware token, as being more desirable. The reality, however, is that the vast majority of systems are still protected by the humble username and password, so how do you choose a password that will protect your computer without the dreaded fear of forgetting it?

My tips are as follows. Pick something from your life that is obscure enough that other people would not be able to guess it. As an example, you may be into 80's pop music, and in particular you may love the WHAM album “Make it Big”. That's pretty obscure (not to say quite sad). Or you may have just finished reading Dostoyevsky's “The Brothers Karamazov”, which is in itself an achievement worth remembering long after. Pick a phrase or a name from this part of your life: in the first case you might pick the line “Guilty feet have got no rhythm”, in the second one of the characters' names, “Dimitry Fyodorovich” (a minor character may work even better, since the brothers themselves are the first names anyone who knows the book would try). Now adapt this into a password. Leave out some words, leave out the spaces (if you want), then replace certain letters with numbers, capitalize others, and replace others with special characters, like this: “gui1tY#eeTn0rhythM”. In the second case something like “d!m!trYfY0d0r0v!ch” would work. Make sure the password is longer than, say, twelve characters and satisfies any other constraints your Systems Administrators put on the corporate network. One caveat: the obvious substitutions (i to !, o to 0, l to 1) are well known and password-cracking tools apply them automatically, so they add far less strength than they appear to. What actually protects you is that the phrase is long and obscure; the substitutions mainly serve to satisfy the complexity rules. Now you have a password that is, for you, fairly easy to remember without writing it down, extremely hard for a brute-force attack to guess, and (this is where the obscurity comes in) one that no one who knows you will be able to guess either.
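To make the scheme concrete, here is an added example in Python (my own code, not from the original post) that applies the steps above, checks the usual complexity rules, and compares two attacker models: one who knows nothing and must brute-force every string of that length, and one who already knows the phrase and only has to try the case and letter-swap variants. The function names, the `DEFAULT_SUBS` swap table and the index-based `caps` argument are my assumptions; the post gives no fixed list of substitutions.

```python
import math
import string

# Letter swaps of the kind the post uses. This table is an assumption for the
# example; the post does not give a fixed list.
DEFAULT_SUBS = {"l": "1", "i": "!", "o": "0", "f": "#", "s": "$"}


def join_phrase(phrase, drop_words=()):
    """Lower-case the phrase, drop the chosen words and remove the spaces."""
    drop = {w.lower() for w in drop_words}
    return "".join(w for w in phrase.lower().split() if w not in drop)


def mangle(phrase, drop_words=(), subs=None, caps=()):
    """Build a password the way the post describes: drop some words, join the
    rest, swap selected letters for digits/symbols and capitalise selected
    positions. `caps` holds 0-based indexes into the joined lower-case text;
    a substitution takes priority over a capital at the same index."""
    subs = DEFAULT_SUBS if subs is None else subs
    text = join_phrase(phrase, drop_words)
    out = []
    for idx, ch in enumerate(text):
        if ch in subs:
            out.append(subs[ch])
        elif idx in caps:
            out.append(ch.upper())
        else:
            out.append(ch)
    return "".join(out)


def check_policy(pw, min_len=12):
    """Return the list of complexity rules `pw` fails (empty list means it passes)."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"too short ({len(pw)} < {min_len})")
    if not any(c.islower() for c in pw):
        failures.append("no lower")
    if not any(c.isupper() for c in pw):
        failures.append("no upper")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special")
    return failures


def naive_bits(pw, alphabet=95):
    """Work for an attacker who knows nothing and tries every string of this
    length over the 95 printable ASCII characters: log2(alphabet ** len)."""
    return len(pw) * math.log2(alphabet)


def known_phrase_bits(phrase, drop_words=(), subs=None):
    """Work for an attacker who already knows the phrase and which words were
    dropped, and simply enumerates every case/substitution variant of it.
    Each letter has 2 options (lower/upper) plus 1 more if it has a swap."""
    subs = DEFAULT_SUBS if subs is None else subs
    bits = 0.0
    for ch in join_phrase(phrase, drop_words):
        options = 2 if ch.isalpha() else 1
        if ch in subs:
            options += 1
        bits += math.log2(options)
    return bits


if __name__ == "__main__":
    # The two passwords from the post, reproduced by the scheme above.
    wham_subs = {"l": "1", "f": "#", "o": "0"}
    kar_subs = {"i": "!", "o": "0"}
    wham = mangle("Guilty feet have got no rhythm", drop_words=("have", "got"),
                  subs=wham_subs, caps={5, 9, 17})
    karamazov = mangle("Dimitry Fyodorovich", subs=kar_subs, caps={6, 8})
    for pw, phrase, drop, subs in (
        (wham, "Guilty feet have got no rhythm", ("have", "got"), wham_subs),
        (karamazov, "Dimitry Fyodorovich", (), kar_subs),
    ):
        print(pw, "policy failures:", check_policy(pw) or "none")
        print("  blind brute force: %.1f bits" % naive_bits(pw))
        print("  attacker knows the phrase: %.1f bits" % known_phrase_bits(phrase, drop, subs))
```

Running it reproduces both passwords from the post and passes the length and character-class checks. The second number is the point to take in: once the phrase is known, the case and swap choices are worth only about 20 bits for these 18-character passwords, which a rule-based cracker works through quickly. The obscurity of the phrase, not the decoration, is what makes the password strong.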

The other good thing is that you now have a scheme for creating really interesting passwords, which means you can change the password regularly, and each time it is a game to see just how creative you can be in picking the new one. The more creative you get, the harder it will be for anyone or anything to break it, and the easier it will be for you to remember.


1 comment:

  1. It is with some annoyance that I am disabling comments on this post because of some idiot spammer who insists on periodically posting a comment every so often advertising password hacking websites.

    If you have anything to add to this post, please send me an email.