P@ssw0rdS


Passwords: we all have them, but we can't all remember them. A satirical observation on the complexity of passwords.

There is so much pressure on choosing the “right” (or “R!6ht”) password. It has to exceed six characters, so even though we really wanted to use our dog's name, “Spot,” that won't work since it's only four characters. So we are left to think of some other variation, which we then may or may not remember. Then it becomes an ordeal just to recall it: is it spot12, Spot123, or SPOT10, since he was ten when you created the password? And was that in human or dog years?

Passwords just aren't fun anymore; they are stressful. Some people put too much pressure on themselves when creating a password. We promise it's not like the pressure of trying to win a gold medal at the Olympics. On the other end of the spectrum, some people don't put enough pressure on creating a strong password (cough) 123456.

Faith Salie once said, “It sometimes feels like the only person from whom your passwords are keeping you safe is YOU.” [1]

After forgetting your password, you feel like you need therapy, having been asked enough questions about your childhood to make your head spin. Maybe you don't have the greatest childhood memories, and you are still recovering from being called “Chunky Monkey” for the first 13 years of your life. But sure enough, you are prompted to enter your childhood nickname.

“It may all lead to a profound existential crisis which leaves you yelling at your computer, ‘IT’S REALLY ME, I JUST FORGOT WHO I AM!!!’” [1]

Some people would argue that passwords are something we have just for the sake of making us feel safe rather than actually keeping us safe. We don't agree: an attacker acquiring one or two of your passwords could bring your whole world crashing down. Your bank account could be drained, and even worse, they could potentially acquire your Social Security number and really do some damage.

So adopt password habits that you will remember, and maybe, if you are lucky, the organization you work for will implement single sign-on, if it hasn't already.

Resource:

[1] http://www.cbsnews.com/news/a-word-for-the-password-weary/

Food for thought… On Passwords

Let's talk about forgetting your password; it has happened to all of us at one time or another.

Forgetting your password is a real pain in the you-know-where. You type in what you think is your password, then you try another one, then one with caps and a special character. Before you know it, your account has been locked out and you need to contact the systems administrator. You dial the help desk, wait on hold for a few minutes, and then finally, success!

This always seems to happen when you are in a time crunch: during a meeting or presentation, or when you need to check your email quickly before heading out for the night. Whatever the case, it is a real pain point and a huge inconvenience.

PCWorld cited a study by Ian Robertson that “illustrates the growing amount of alphanumeric clutter in our heads: the average person now has to remember five passwords, five PIN numbers, two number plates, three security ID numbers and three bank account numbers just to get through everyday life. Not surprisingly, Robertson’s research found that nearly 60 percent of those studied felt like they couldn’t possibly remember all of these numbers and letters that they were supposed to.” The number of passwords the average person is required to remember only continues to grow.

Today, more companies are shying away from “traditional” password management toward a self-service model. Self-service password reset is a simple service that can help avoid the anxiety of locking yourself out: the user is prompted to answer preselected questions, or to enter a one-time code sent to their phone, to unlock their account or set a new password. Of the two, the one-time code is the stronger check; answers to personal questions (the childhood nickname above) are often guessable or discoverable, so they should not be the only gate to a reset.

Companies like PortalGuard offer a simple and effective solution that will not only eliminate the stress of a lockout but also save money and time at a higher level.


Resources:

http://www.pcworld.com/article/150874/password_brain_power.html

Google's Controversial Chrome Security

A lot of people are suddenly up in arms over a security policy that Google Chrome has had in place since its inception. Why the dismay now? In a blog post by U.K. software developer Elliot Kember, picked up by Hacker News yesterday, he explains why he believes Chrome's password security strategy is “insane”, and it seems to have garnered much attention.

The issue lies in the way the browser stores web passwords, and in how it allows anyone with access to your computer to see those passwords very easily. It's not a hack or a bug; it's the intended design. As described in Kember's blog post, there is no master password or other control preventing stored passwords from being revealed in plain text within the browser. His closing point is not so much that the lack of a master password is outrageous, given that password management is a complicated issue one can imagine Google has thought through thoroughly, as that less technical users are unaware this sort of easy access exists at all.

Google Chrome's security tech lead, Justin Schuh, was quick to respond, explaining the company's side in the comments of the same Hacker News thread, where an argument between him and Kember continued for a few replies. The thick of Schuh's response is quoted below:

I’m the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install a malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.

The two are coming from very different perspectives, each with valid points about how the password management system should work and what its users should know about it. Is this something that concerns you as a user? Or do you believe Google, having researched the topic for literally years, has done what's best?

Optimizing Passwords Could be Enough

With all of this discussion around two-factor authentication there are definitely mixed opinions, as discussed in one of our previous blog posts, “Are You For or Against Two-factor Authentication?”. Organizations that require two-factor authentication typically have either been attacked or are being forced to implement stronger authentication by compliance standards. For the majority of organizations this is not the case, and many take an “it is not going to happen to us” attitude. Those who are against this form of stronger security usually object that it is too difficult to implement and to get widespread user adoption. With that said, I'd like to pose the question: could optimizing passwords be enough?

One IT security consultant said that two-factor authentication is like a really fancy lock on the gate of a waist-high fence if your passwords are not optimized. Although passwords are low on usability, they are still the foundation of the way we implement IT security today. So how can passwords be enough? How can you optimize them?

Really, it is with best practices that you can enhance the authentication you already have in place. For example, you can start by enforcing stronger password quality rules. I know, this usually hurts usability, but the fix is to deploy a password strength meter at the same time, so users can see when they have met the policy requirements. Then what? Setting a strikeout limit on accounts deters online brute-force and dictionary attacks: if a user fails to log in too many times, the account is locked and they must wait before trying again. Note that lockout only slows guessing against the live login; once a hash database leaks, as in the LinkedIn incident covered later on this page, attackers guess offline against the hashes, and only password strength and properly salted hashing help there. Even further, you can apply a password expiration policy. Too often organizations have passwords that never expire, which lets an attacker who obtains one keep access indefinitely, or until the user manually changes it. The trade-off is that very frequent expiration pushes users toward predictable increments (Spot12, Spot123), so pair expiration with the quality rules above rather than relying on it alone. And so on…
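As an added example (not PortalGuard's code, and not taken from this post), here is a small Python sketch of the controls the paragraph lists: rule-based quality checks backed by a 0-100 strength meter, a strikeout limit that locks the account for a waiting period, and an expiration check. The thresholds, the tiny common-password list and the salted PBKDF2 storage are assumptions chosen for the example; a real deployment would tune all three and use a much larger banned-password list.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Illustrative policy values (assumptions for this example, not any product's defaults).
MIN_LENGTH = 10
STRIKEOUT_LIMIT = 5          # failed logins before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long the user must wait after a strikeout
MAX_AGE_DAYS = 90            # expiration policy
COMMON_PASSWORDS = {"123456", "password", "qwerty", "spot123", "letmein"}
PBKDF2_ITERATIONS = 10_000   # kept modest so the example runs fast


def password_checks(pw: str) -> dict:
    """Each policy rule, mapped to whether the candidate satisfies it."""
    has = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }
    return {
        "min_length": len(pw) >= MIN_LENGTH,
        "three_char_classes": sum(has.values()) >= 3,
        "not_common": pw.lower() not in COMMON_PASSWORDS,
        "no_run_of_three": not any(pw[i] == pw[i + 1] == pw[i + 2]
                                   for i in range(len(pw) - 2)),
    }


def strength_meter(pw: str) -> int:
    """0-100 score shown to the user as they type: the share of rules satisfied."""
    checks = password_checks(pw)
    return 100 * sum(checks.values()) // len(checks)


def meets_policy(pw: str) -> bool:
    return all(password_checks(pw).values())


def hash_password(pw: str, salt: bytes) -> bytes:
    # Per-user salt plus an iterated hash, so a leaked table cannot be attacked
    # with one precomputed dictionary for every account at once.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: float           # unix time the password was last changed
    failed_attempts: int = 0
    locked_until: float = 0.0  # unix time; 0 means not locked


def create_account(username: str, pw: str, now: float) -> Account:
    if not meets_policy(pw):
        raise ValueError(f"password rejected: {password_checks(pw)}")
    salt = os.urandom(16)
    return Account(username, salt, hash_password(pw, salt), now)


def password_expired(acct: Account, now: float) -> bool:
    return now - acct.pw_set_at > MAX_AGE_DAYS * 86400


def attempt_login(acct: Account, pw: str, now: float) -> str:
    """Returns 'ok', 'bad_password', 'locked' or 'expired'."""
    if now < acct.locked_until:
        return "locked"          # refuse without checking the password while locked
    if hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0
        return "expired" if password_expired(acct, now) else "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= STRIKEOUT_LIMIT:
        acct.failed_attempts = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "bad_password"


if __name__ == "__main__":
    import time
    now = time.time()
    print("meter for 123456:", strength_meter("123456"))
    acct = create_account("alice", "Correct-Horse-7", now)
    for _ in range(STRIKEOUT_LIMIT):
        print(attempt_login(acct, "Spot123", now))
    print(attempt_login(acct, "Correct-Horse-7", now))                  # locked
    print(attempt_login(acct, "Correct-Horse-7", now + LOCKOUT_SECONDS))  # ok
```

The meter only reports how many of the configured rules a candidate satisfies; it says nothing about whether the password appears in a breach list, which is why the banned-password set belongs in the rules. The lockout path returns before the hash is computed, so an attacker hammering a locked account learns nothing and costs the server nothing.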

Of course, you are probably thinking at this point that the password is now completely unusable for your end users. However, there are features you can put in place, such as self-service password reset, recovery and account unlock, to recover usability. The final step would be the “holy grail” of usability, single sign-on. With a stronger password, the user logs in once and gains access to all of their applications, so they only have to remember one strong password instead of many. People are more likely to follow best practices if there is only one password to remember.

So, as some experts say, focusing on your “one factor” of authentication may be enough to protect your organization and its sensitive data. What do you think? Is it enough for your organization?

###

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication,  self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.

http://www.PortalGuard.com

Subscribe to our newsletter: http://portalguard.com/contact_us.php

https://twitter.com/portalguard

http://pinterest.com/pistolstar/portalguard

http://www.facebook.com/pistolstar.authentication

http://www.facebook.com/pages/PortalGuard/240761992635169

PortalGuard SSPM Awarded – Download Available

Just a quick announcement before the holiday: PortalGuard's Self-service Password Management (SSPM) has been getting recognized on various download sites. Two of them have awarded the download 5-star and “safe” ratings. Below is a link to our previous blog post with the description and the download, so you can try SSPM, which is supported on both the web and the desktop.

Award badges: “Safe Self-service Password Management file” and “PortalGuard Self-service Password Management: 5 Star” by FreshShare.

http://blog.pistolstar.us/blog/new-download-self-service-password-management/ 

LinkedIn Password Breach Outcomes

Following the attack on LinkedIn's password database, the company has adopted higher security standards, including “hashing and salting of our current password databases,” wrote Vicente Silveira, a LinkedIn director, on LinkedIn's blog. The company locked down the accounts associated with the decoded passwords, which were at the greatest risk, and invalidated those passwords. Affected members are being contacted by LinkedIn with instructions on how to reset their passwords.

Affected members will receive an email with instructions on how to reset their passwords; their current passwords will no longer work. They will also receive a second email with more information on what happened. The company did not confirm how many passwords were involved; the breach reportedly affected about 6 million of LinkedIn's 161 million users. LinkedIn has “a broad cross-functional team” working on resolving the breach and the associated security concerns. The company is also in contact with the FBI.

###

PortalGuard is a context based authentication platform focused on enhancing usability, while maintaining a balance between security, auditing and compliance.

http://www.PortalGuard.com

PortalGuard: Tutorial: Password Management

PortalGuard's Password Management increases the security of passwords by adding features such as more granular password quality rules, history, expiration, and lockout after repeated incorrect logins. This is especially beneficial for applications that fail to meet compliance requirements on their own, such as home-grown web applications or custom SQL user repositories. Administrators can easily manage multiple password policies, while users get usability features such as password meters and password expiration reminders synced with their email client's calendar.

We hope you enjoy a video we made:

###


Advice from LinkedIn

Here is a list directly from LinkedIn’s blog about how to best protect yourselves:

1. “Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.

2. Do not use the same password for multiple sites or accounts.

3. Create a strong password for your account, one that includes letters, numbers, and other characters.

4. Watch out for phishing emails and spam emails requesting personal or sensitive information.

5. Our efforts to protect LinkedIn members impacted by this incident are ongoing and we will continue to keep you posted here.”

###


LinkedIn Passwords Potentially Leaked

Many sources are reporting today that LinkedIn passwords have potentially leaked online for about 5% of users (6.5 million out of 150 million LinkedIn users worldwide). A hacker posted a 118 MB file of the hashed passwords to a Russian forum, and other forum members have begun cracking the hashes; the forum is currently offline. It looks as though some 300,000 of the weaker passwords may have been cracked already. LinkedIn has so far found no evidence of the leak. The passwords were hashed (not encrypted) with SHA-1, a cryptographic hash function also used in SSL and TLS, and reportedly without a salt, which is why one precomputed dictionary can be matched against every hash in the file at once. Here is LinkedIn's advice:

To be safe, change your LinkedIn password ASAP. As always, it's better to be safe about these things. It's also unclear whether the hackers got hold of LinkedIn usernames.

1. To change your LinkedIn password, log onto your account.

2. Click on your name in the upper right corner and then click on the link for Settings.

3. In the Settings section, click on the Change link next to Password.
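The two LinkedIn posts on this page describe a dump of unsalted SHA-1 hashes being cracked on a forum, and the company's fix of “hashing and salting”. The following Python block is an added example (not LinkedIn's or PortalGuard's code) that shows what the salt changes for an attacker: the sample users, passwords and wordlist are constructed here and are not from the real dump, and the iterated PBKDF2 step on top of the salt is an assumption, since the LinkedIn post mentions only salting.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # kept low so the example runs quickly; production uses far more

# Constructed sample data: weak passwords hashed exactly as an unsalted SHA-1 store
# would hash them. Nothing here comes from the real LinkedIn file.
WEAK_PASSWORDS = {"alice": "linkedin", "bob": "123456", "carol": "password1"}
LEAKED_UNSALTED = {user: hashlib.sha1(pw.encode()).hexdigest()
                   for user, pw in WEAK_PASSWORDS.items()}

# A tiny constructed wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["letmein", "123456", "linkedin", "qwerty", "password1", "welcome", "sunshine"]


def crack_unsalted_sha1(leaked: dict, wordlist: list) -> tuple:
    """Build one SHA-1 lookup table from the wordlist and match every leaked hash against it.

    Without a salt, equal passwords give equal hashes, so the cost is one hash
    per word no matter how many users are in the file.
    Returns (recovered {user: password}, number of hash computations).
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def store_salted(password: str) -> tuple:
    """Per-user random salt plus an iterated hash (PBKDF2 over SHA-1 here)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records: dict, wordlist: list) -> tuple:
    """The same wordlist attack against salted records.

    The shared lookup table no longer works: each (user, word) pair needs its
    own computation, and each computation costs ITERATIONS hash calls.
    Returns (recovered {user: password}, number of hash computations).
    """
    recovered, work = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            work += ITERATIONS
            if verify_salted(word, salt, digest):
                recovered[user] = word
                break
    return recovered, work


def demo() -> dict:
    """Compare attacker cost for the same three weak passwords under both schemes."""
    unsalted_found, unsalted_work = crack_unsalted_sha1(LEAKED_UNSALTED, WORDLIST)
    salted_store = {user: store_salted(pw) for user, pw in WEAK_PASSWORDS.items()}
    salted_found, salted_work = crack_salted(salted_store, WORDLIST)
    return {
        "unsalted_recovered": unsalted_found,
        "unsalted_hash_ops": unsalted_work,
        "salted_recovered": salted_found,
        "salted_hash_ops": salted_work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note what the salt does and does not buy: all three weak passwords are still recovered, because they are in the wordlist either way. What changes is the attacker's bill, from seven SHA-1 calls for the whole file to a per-user cost that grows with the number of accounts and with the iteration count. That is why the advice LinkedIn gives (a strong, unique password per site) still matters even after a site fixes its hashing.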

In other news, LinkedIn's iOS app potentially violates user privacy by sending detailed calendar entries to its servers. According to Joff Redfern, head of LinkedIn's mobile apps:

In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information.

In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes.

The company has already promised that it will no longer pick up meeting notes from your calendar, and that it will add a “learn more” link explaining how your calendar data is used.

###


Password Study across Various Demographics

Joseph Bonneau of the University of Cambridge analyzed the password strength of 70 million Yahoo users. The data was protected using hashing, which ensured that he did not have access to the individuals' accounts, while still letting him measure the relative strength of passwords across demographics. Password strength is measured in bits: one bit corresponds to the odds of correctly calling a fair coin toss, and each additional bit doubles the number of guesses an attacker needs. These are interesting (if not entirely unexpected) results.

* People over the age of 55 pick passwords of double the strength of those chosen by people under 25. German and Korean speakers choose the strongest passwords; Indonesians pick the weakest.

* People who change their password from time to time tend to select the strongest ones.

* People with a credit card stored on their account do little to increase their security beyond avoiding very weak passwords such as 123456; storing a card otherwise had no measurable effect on password strength.

* The average password would take only about 1,000 guesses before it was found. For comparison, a randomly chosen six-character password made of digits and upper- and lower-case letters has 62^6, about 5.7 × 10^10, possibilities, roughly 35.7 bits of security. People pick passwords far weaker than the space theoretically allows.

* Those with the strongest passwords are largely the same people who change their passwords occasionally.

How can businesses use this information?

One pointer from Bonneau's research was that businesses should make users pick tougher passcodes, for instance by assigning people randomly chosen nine-digit numbers (the length of a phone number). Each character of that 9-digit “telephone” password has 10 possible values, so there are only 10^9 = 1,000,000,000 (0.001 trillion) possible passwords, about 30 bits. This would also create WAY too many forgotten passwords, which cause help desk calls and productivity losses.

We, here at PortalGuard, think a much better approach is to encourage “pass phrases.” “my dog has fleas” is MUCH easier to remember, and constraining the example to only spaces and lower-case ASCII letters gives a purely random* password space of:

27^16 = 79,766,443,076,872,509,863,361 ~= 79,000,000,000 trillion ~= 79 billion trillion (about 76 bits)

for a 16-character phrase (26 letters + space = 27 symbols). Obviously, this passphrase is also MUCH more difficult to brute-force.

* We used “purely random” to simplify the math, since some letters occur more frequently than others and, more importantly, an attacker guesses whole words rather than letters. The “actual” space of a four-word English phrase is therefore far smaller than 27^16: the xkcd comic cited below puts four words drawn at random from a common-word list at about 44 bits. That is still multiple orders of magnitude greater than the 30-bit phone-number example, and much easier to remember.
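To carry the arithmetic above through consistently, here is an added Python example (not from the post, and not Bonneau's analysis code) that computes the bit strength of each case on this page: the 9-digit number, the 6-character alphanumeric password, the 16-character lower-case-plus-space phrase, and a 4-word phrase drawn from a 2048-word list as in xkcd 936. The guess rate used for the time estimates is an assumption for illustration.

```python
import math

# Assumption for illustration only: roughly what one GPU manages against an
# unsalted fast hash such as SHA-1; a slow, salted hash cuts this by orders of magnitude.
GUESSES_PER_SECOND = 1e9


def bits_random(alphabet_size: int, length: int) -> float:
    """Strength in bits of a string drawn uniformly at random: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def bits_wordlist(n_words: int, dictionary_size: int) -> float:
    """Strength in bits of a phrase of n_words, each drawn uniformly from a dictionary.

    This is the realistic figure for a passphrase: the attacker guesses whole
    words, not letters, so the 27**16 letter space overstates it.
    """
    return n_words * math.log2(dictionary_size)


def expected_guesses(bits: float) -> float:
    """On average a uniformly random secret is found after searching half the space."""
    return 2 ** bits / 2


def seconds_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    return expected_guesses(bits) / guesses_per_second


def compare_cases() -> dict:
    """The page's three examples plus a 4-word phrase from a 2048-word list (xkcd 936)."""
    cases = {
        "9 random digits (phone number)": bits_random(10, 9),
        "6 random chars from 62 (A-Z, a-z, 0-9)": bits_random(62, 6),
        "16 random chars from 27 (a-z + space)": bits_random(27, 16),
        "4 words from a 2048-word dictionary": bits_wordlist(4, 2048),
    }
    return {name: {"bits": round(b, 1), "seconds": seconds_to_crack(b)}
            for name, b in cases.items()}


if __name__ == "__main__":
    for name, r in compare_cases().items():
        print(f"{name:42s} {r['bits']:6.1f} bits  {r['seconds']:10.3g} s")
```

At the assumed rate the 9-digit number falls in about half a second and the 6-character alphanumeric password in under a minute, while the 4-word phrase takes a few hours and the 76-bit letter space of the 16-character phrase is out of reach. Only the last two figures depend on the phrase being chosen at random; “my dog has fleas” picked because it is a familiar sentence is weaker than either.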

Bonneau presented the findings at the IEEE Symposium on Security and Privacy in San Francisco, California, on 23 May 2012 (http://www.ieee-security.org/TC/SP2012/). For more on Joseph Bonneau and his work, see http://www.cl.cam.ac.uk/~jcb82/.

The image was taken from http://xkcd.com/936/

###
