Password Management: Best Practices for General User

by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
   
 
 
Authentication is the process of verifying that a user is who they claim to be. It is commonly accomplished with a combination of a login ID (identification) and a password (authentication). People nowadays struggle with their login IDs and passwords because they need to access more and more systems. Setting and remembering login credentials has become a painful experience because different systems enforce different security requirements. For example, a user can choose any preferred ID for Gmail as long as it has not already been registered, while a university ID might be assigned randomly by the campus IT administrator; the Asia Miles web portal requires the password to consist of digits only, while an Internet banking system enforces password complexity with uppercase letters, lowercase letters, non-alphanumeric characters and digits. 
 
Login ID & Password Challenges
 
Password policies often require a complex, random combination of letters, digits and symbols. Users are also required to change their passwords regularly before expiry and are prevented from reusing recent passwords. Although this sounds secure in theory, it is difficult for ordinary users to memorize a different strong password for each system. Eventually users fall back to setting the same password on as many systems as possible. But if the password of one system is compromised, the same password can be used to access every other system where it was reused, which poses a great risk. 
 
Besides choosing strong passwords, memorizing and managing them is another challenge. Some people simply write down login IDs and passwords on a memo and stick it in a conspicuous place. Others record the credentials in phone notes or Excel spreadsheets for easy retrieval. Such handling methods are weaknesses in password protection, because memos and spreadsheets can be read by others and a phone can be stolen or compromised. 

Password Leakage Cases
 
On 11th September 2014, a list of nearly 5 million Gmail addresses paired with passwords was posted online [1]. This amounted to only about 2% of the total number of Google accounts. Some of these accounts were found to be inactive, and some of the passwords had previously been used on other online systems. If you were one of the victims, change your passwords immediately. Gmail now provides two-factor authentication: it can be enabled in the account settings so that an additional PIN code is sent via SMS or to an alternative email address whenever you log in. 
 
On 4th December 2014, it was reported that Sony had leaked thousands of passwords stored in a folder called “Password” [2]. The salary figures of the top management were also published as a result of this incident, and the FBI is investigating the case. This shows that improper storage of passwords can lead to irreparable damage to corporate reputation. 
 
The Dropbox security incident of 15th October 2014 [3] is a living example showing that adopting the same password for several systems leads to unauthorized access to all of them once the password is obtained by attackers.
 
 
Password Login Functions
 
People normally come across login functions in the following situations during their daily life: 
  • University login 
  • Personal computer login 
  • Security guard lock at school and office 
  • Smartphone screen lock (iOS, Android, Windows, etc.) 
  • Internet Banking 
  • ATM debit card 
  • Social media login (Skype, Facebook, Twitter, etc.) 
  • Personal Email (Gmail, Yahoo, Hotmail, etc.) 
  • Online shopping (Taobao, eBay, etc.) 
  • Online payment (PPS) 
  • Cloud Service (Dropbox, iCloud, Google Drive, etc.)
  
Guidelines & Circulars [4]
 
Strengthening Security Controls for Internet Banking Services 
 
…Although the use of OTP for two factor authentication is still recognised as an effective security measure for Internet banking services, adequate protection of the OTP is essential for ensuring continuing effectiveness of two factor authentication. In this connection, AIs are required to implement, where applicable, the security measures set out in the Annex if these measures have not yet been put in place…
 
 
  
University data and you [7]:

 
Research into data breaches in HE institutions indicates that the majority of incidents are due to: 
 
- Unauthorized access by insiders (accidental and malicious) 
- Accidental exposure of data online 
- Laptop theft 
 
The majority of data leakage is down to human fallibility. For example, people routinely give passwords over the phone or in response to emails without verifying whether the request is genuine and many of the government's high-profile leaks have been down to laptops left on trains and CDs posted without thinking through the consequences of loss and disclosure of the data within. Also, data is often routinely shared with colleagues that do not have a right or need to have access to that data, or data is needlessly copied, creating further opportunities for loss or theft.

Password Grouping
 
Instead of choosing a different password for every system, which is impracticable to remember (and should not be written down on sticky notes), users can consider adopting the same password for a group of systems facing similar risk. For example, you can use the same password for social media sites and e-Card login. 
 
If the password of one system is compromised and leaked because of poor security protection by that system's provider, systems belonging to other groups are not directly affected because their passwords are different. This also limits the hassle of resetting passwords to the systems within the affected group rather than all systems. 
 
To achieve this, systems should first be classified according to their perceived risk and the severity of a compromise. Some examples are listed below: 
 
 
High risk:
  • Internet Banking 
  • ATM debit card 
  • University / Personal Email 
  • University / Personal Computer Login 
  • Cloud Service 
  • Phone / Online Payment 
  • Security Guard Lock 

Medium risk:
  • Smartphone Screen Lock 
  • Online Group Purchase 

Low risk:
  • Social Media 
  • e-Card Login 
 
Some people may disagree with the above grouping; it really depends on how the user handles sensitive information on these systems. Users can adjust the grouping in this example to plan their own password management. 
 
Nowadays, online banking systems commonly use a security token as a second layer of the authentication process. However, the One-time Password (OTP) layer is still important. The official guidelines and circulars from the Hong Kong Monetary Authority [4] remind banks to implement second-factor authentication for end users to enhance protection from unauthorized online access. A random number is generated each time the token button is pressed and is used as a dynamic key for authentication. Hence the protection and safe storage of the hardware token requires special care by its owner. If the token is lost or stolen, it must be reported to the token issuer immediately.
 
Choosing Strong Passwords 

Since many systems require strong passwords that can be difficult to choose under the system's password policy (e.g. mixing letters with digits and special characters), several practical tips for choosing strong passwords are provided below for consideration.
 
Pattern 1 – Keyboard Sharping 
 
Users can choose a password based on the physical layout of the keyboard. It follows no logic but is easy to remember, for example “QzEcTbYn” or “2x4v6n8I”. However, runs of adjacent keys should be avoided, for example “qawsedrf”, “1q2w3e4r”, etc. 
 
Keeping the keyboard in good condition is also necessary, since frequently used keys become blurred, which reveals which characters your password contains and makes a brute-force attack on it easier. If blurred keys cannot be cleaned, replace the keyboard.
 
Pattern 2 – Numeric & Alphabet Mix 
 
It is common practice to choose a password mixing letters and digits. However, it is not suggested to use a meaningful word such as “Car2001”, “America1980”, etc. To avoid the password being easily guessed, a random interleaving of digits and letters, such as “C2a0r01” or “A1m9e8r0ica”, is highly recommended. Since there is no familiar pattern to follow, it may be harder to remember. 
 
Pattern 3 – 1st Letter in a Sentence 
 
Generally speaking, familiar terms such as a birth date, phone number or street name are commonly used as passwords. However, this violates the secure password principle: personal particulars can be leaked without notice, so such a password is trivial for a malicious user to recover. A password that is both secure and easy to memorize seems contradictory. The compromise alternatives below are offered as examples: 
 
I like to take coffee in my breakfast every day. 
 
A password can be created by taking the first letter of each word: ilttcimbed 
 
Some may prefer another combination from this example, replacing some letters with digits and changing the case of others: Il2tcimBeD 
 
In addition, the password can be enriched by adding some digits before OR after it. Using the same example: 
 
19Il2tcimBeD90 
 
Here 1990 is split into two parts, placed at the beginning and the end of the password. 
 
Pattern 4 – Double Password 
 
Doubling the existing password is another practical pattern for strengthening it. For example, use “A1p3p5l7e9A1p3p5l7e9” instead of “Apple13579”. Users should note that this makes the password longer and hence increases the chance of typing it incorrectly.
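As an added example (not part of the newsletter), a small Python checker that flags the weak habits the four patterns above warn against (adjacent-key runs, meaningful words with digits, embedded years, a single character class) while accepting the recommended forms; the QWERTY grid and the tiny word list are assumptions constructed for the demo:

```python
import re

# Assumed US QWERTY layout treated as a plain (row, column) grid; the real
# key stagger is ignored, which is close enough to catch "walked" keys.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}
# Constructed stand-in for a real dictionary word list.
_WORDS = {"car", "america", "apple", "password", "coffee"}
# Character classes the newsletter asks users to mix.
_CLASSES = (str.islower, str.isupper, str.isdigit, lambda ch: not ch.isalnum())


def _neighbours(a, b):
    """True when keys a and b sit within one position of each other."""
    pa, pb = _POS.get(a.lower()), _POS.get(b.lower())
    if pa is None or pb is None:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def has_adjacent_run(pw, window=4):
    """True if any `window` consecutive characters are all keyboard neighbours
    (catches "qawsedrf" and "1q2w3e4r" but not the scattered "QzEcTbYn")."""
    for i in range(len(pw) - window + 1):
        seg = pw[i:i + window]
        if all(_neighbours(x, y) for x, y in zip(seg, seg[1:])):
            return True
    return False


def weak_patterns(pw):
    """Return the weak patterns from the newsletter found in pw (empty = none)."""
    found = []
    if has_adjacent_run(pw):
        found.append("keyboard-adjacent run")
    if any(w in _WORDS for w in re.findall(r"[a-z]{3,}", pw.lower())):
        found.append("dictionary word")          # "Car2001", "Apple13579"
    if re.search(r"(?:19|20)\d{2}", pw):
        found.append("contains a year")          # "America1980"; split "19...90" passes
    if sum(any(f(ch) for ch in pw) for f in _CLASSES) < 2:
        found.append("single character class")  # plain "ilttcimbed"
    return found


if __name__ == "__main__":
    for candidate in ["qawsedrf", "Car2001", "ilttcimbed", "19Il2tcimBeD90"]:
        print(f"{candidate!r}: {weak_patterns(candidate) or 'no weak pattern found'}")
```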
 
Best and Worst Practices
 
While best practices for password management are evolving, the following table compares best versus weak practices for managing passwords:
 
  
 
Other Best Practice
 
The following practices should be further considered when handling passwords in addition to choosing strong passwords: 
  1. Secured Password Storage

    A Password Manager is software that eases the difficulty of remembering all passwords and mapping them to user IDs. Many password manager products support various operating systems, including smartphones. Some are free of charge but with limited functions and features (e.g. LastPass, Intuitive Password and PasswordBox). Users should check the software's capabilities against their needs carefully before upgrading to commercial versions. For more information about the tools mentioned, please refer to PC Magazine [6].

    On the other hand, some people simply keep their passwords in a file such as a Microsoft Excel worksheet. Users should make sure such sensitive files are stored securely. 
     
  2. Password Safety Awareness

    Most password leakage incidents are related to human mistakes. Universities are advised to remind users about the importance of password safety. For example, users can be reminded about phishing, in which attackers attach suspicious links or files to emails so that valuable information such as a password is captured when the user types it in or transmits it. 
     
  3. Secured Endpoints

    Another recommendation for password management is endpoint protection. Users are discouraged from using public computers to process or transmit sensitive information, such as accessing online banking or retrieving university emails, because it is difficult to ascertain whether a public computer is secure or already compromised with viruses and other malicious software such as Trojan horse programs or keystroke loggers. 
     
  4. Multi-factor Authentication

    Last but not least, multi-factor authentication is highly recommended for sensitive transactions. Internet banking is a good example of using multi-factor authentication to protect customers from easily compromised passwords. With a dynamically generated passcode, identity theft becomes far more difficult.  
 
 
Conclusion
 
Users are responsible for their own password protection and management. With the fast pace of technology innovation and the rise in cyber threats, users should adopt best practices to manage their “access key” (password) in the cyber world.
 
References 
  1. “Google Says Not To Worry About 5 Million 'Gmail Passwords' Leaked”, 11th September 2014. Web. 15 December 2014. 
  2. “Thousands Of Leaked Sony Passwords Were Reportedly Kept In A Folder Marked 'Password'”, 4th December 2014. Web. 15 December 2014. 
  3. “Alleged Dropbox hack underlines danger of reusing passwords”, 15th October 2014. Web. 9 December 2014. 
  4. “Guidelines & Circulars – Hong Kong Monetary Authority”, 13th July 2009. Web. 13 January 2015. 
  5. “Top 10 Password Manager”, 17th September 2014. Web. 13 January 2015. 
  6. “The Best Password Managers”, 22nd August 2014. Web. 13 January 2015. 
  7. “Information Security from University of BRISTOL”. Web. 6 August 2015.