Mind Games

Remembering passwords can be a challenge for any user. According to an October 2011 survey of 300 IT pros by Lieberman Software, 51 percent of respondents had at least 10 passwords to remember for use in their work, and 42 percent said that in their organizations IT staffers are sharing passwords to access systems or applications.

When it comes to passwords, longer is better. Eight characters do not always do the trick—in fact, many recommend using 12- to 14-character passwords if permitted. The main thing to remember when creating a password policy, argues Pierluigi Stella, CTO of Network Box USA, is that you are dealing with humans. “My advice is make up some long statement that makes sense to you, then remove the spaces by using either _ or – or some other filler; then change only a few and ‘easy to remember’ letters into something else,” he said. “Basically use some kind of mental process that will allow you to ‘reconstruct’ your password mentally if you forget it; and make sure the password is very long—I would say 20 characters or more.”

An examination of the passwords exposed in the Yahoo incident underscored the fact that people use passwords for multiple sites and or services. Sometimes this may be insignificant; for example, if a hacker figures out a password used by someone on multiple sites that don’t have any sensitive information about that person, the impact is negligible. However, if a hacker guesses a user’s email password and it is the same one the person uses on an e-commerce site, problems could ensure. For that reason, password reuse should be avoided.

Passwords should make use of different kinds of characters, such as numbers or punctuation marks, when possible. This makes them more difficult to guess than regular words. In fact, using real words can leave an account vulnerable to dictionary attacks that target common passwords. Also, avoid using personally identifiable information in your passwords, such as birthdays, etc.

While some organizations require users to change passwords every few months, this policy can backfire if people have to change their passwords too often. The end result could be that users resort to weaker passwords that are easier to remember. Before setting a time limit, organizations should consider how likely it is that a current password will be guessed or compromised versus the likelihood of it being stolen if it is not changed. It may be smarter to require a stronger password at the outset as opposed to mandating users regularly change them.

Another reason why the Yahoo breach is more severe than others is that the passwords were not encrypted. They were contained in an older file with log-in information for Associated Content, which became Yahoo Voices when it was acquired by Yahoo. If the customers’ log-in credentials had been hashed and salted, cyber-criminals couldn’t have used them without finding a way to decrypt them, a major hurdle for them to scale.

Use of accounts with super user privileges need to be tightly controlled. In its 2011 database security survey, the Independent Oracle Users Group (IOUG) found that 65 percent of respondents either didn’t know or weren’t sure if they could track abuse of super user accounts. Keeping track of who has access to these accounts and how they are being used can be a big problem for enterprises. “The key is to monitor [privileged user accounts] not just for dormant use or when they turn over, but also for aberrant data/IP access that indicates infection,” said Rob Rachwald, director of security strategy at Imperva. “Since evading malware is as easy as pie, enterprises need to do a better job keeping cameras on the vault to stop exfiltration.”

Sometimes passwords alone might not provide enough security. Many organizations have taken to using two-factor authentication, such as sending SMS messages to a customer’s cell phone to authenticate an online banking transaction. In some circumstances, it may make sense for a business to take that approach to provide an extra layer of security.