Password safety: why it’s time to get tough
Dr John Chapman, Security Operations Centre Manager at Jisc, highlights the risk of choosing poor passwords
A report published in March 2018 on behalf of the Government’s Cyber Aware campaign describes “the worryingly large misconceptions the public has about cybercrime compared to the reality of the threat” and identifies three key myths:
- that cybercrime isn’t ‘real crime’
- that it ‘won’t happen to me’; and
- that there’s ‘nothing I can do about it’.
The minister for security and economic crime, BenWallace, warns in the report that such misconceptions lead to “dangerous inertia”. He goes on: “As a result of the perception gap, millions of people are leaving themselves, UK businesses and UK infrastructure vulnerable by failing to follow even the most basic secure online behaviours. Criminals frequently exploit the weak cyber security of individuals to facilitate their attacks.”
Let’s put the risk into context: in the year to September 2017, the Crime Survey for England and Wales recorded 1.2 million victims of computer misuse offences, meaning the average person is roughly 11 times more likely to fall victim to computer misuse than a robbery.
How can we protect ourselves?
In February 2018 we published a blog from Cyber Aware that highlighted the importance of having a separate, strong password for your email account. The point is that, if you use the same old password for everything, hackers who get into your emails will be able to help themselves to all sorts of other goodies.
But what does a strong password look like, and how do we convince people that having separate, complex passwords for each online account is not a nightmare for all but those with super-human memories?
There is a simple, two-step solution: use a password management application in tandem with multi-factor authentication (MFA).
Using a password manager (and there are many opensource/ freeware variations, such as Dashlane and LastPass) will allow you to create unique passwords for all your accounts, store them, and have them automatically entered online when you log in.
This is far from a complicated procedure and requires remembering only one master password. When combined with MFA, each user will have greatly increased the strength of their credential security.
MFA gives the user three lines of defence that are required to access accounts: something you know, something you have, and something you are.
- Something you know: your master password, which you remember.
- Something you have: your mobile phone or hardware crypto logical key generator (such as a Yubico), or virtual MFA (such as AWS Virtual MFA).
- Something you are: iris scans are not far away, but this currently refers to a fingerprint, which can be used to unlock your smart phone.
Password management applications allow you to generate passwords that are up to 100 random characters long, although something of 30 characters is the current “unbreakable” standard.
There is no easy way to force the use of true password complexity without employing software, other than to generate random passwords and hand them out to users, which is bound to be unpopular. It also leads to a greater concern that users will write down their passwords, which makes them – and their organisations – even more vulnerable. Using the secure password generators included in most of the password management applications mostly voids this issue.
We advise our members that educating staff and students in good security practice is an essential part of cyber protection because, not only are they the first line of defence against attack, but also the biggest weakness: the most common method of infiltration by cyber criminals is through phishing emails, which trick people into revealing confidential information such as their username and passwords. As you can imagine, if users pick the same password for multiple accounts, the risk of multiple attacks increases.
A survey we conducted among members in 2017 showed 83% of universities provide training for staff, which is compulsory in 46% of cases, but only 40% train students and a disappointing 8% insist that students take a course. We’d like to see mandatory security training for all users, which includes advice on how to spot phishing emails, iffy websites, dodgy links and, of course, good password health.We’d also like to see blanket use of password management applications.
When creating, storing, and using personal credentials, a heightened security awareness is as important to organisations as it is to individuals. So clearly it makes little sense to leave individual students and staff to carry on using authentication practices that put both themselves and their college or university at such risk. Both password management and MFA offer a cost-effective solution that is easy to use and gives a clearly defined advantage over maintaining the status quo.