Thou shalt protect your data.
Passwords are the most versatile and effective way to protect your data, but most people break these simple rules.
Using a weak or ineffective password strategy in an always-connected world means that your money, data, and identity are at risk.
Thou shalt follow these commandments in order to protect yourself, both online and offline.
I – Thou Shalt Not Use Biometrics for Security
Biometrics sounds really cool and high-tech, but the reality is that every single biometric authentication system in existence today, and every single biometric authentication system that will ever be invented can easily be hacked.
The concept behind biometric authentication is that “you” are your password. Since “you” are the “only you”, then “only you” can authenticate and gain access to biometrically-protected resources.
In reality, everything about you, from your face to your fingerprint, and even your DNA can be copied.
What is biometric authentication?
- Retinal eye scan
- Finger print
- Palm print
- Facial recognition
- Gait recognition (how you walk)
- Ear profile
- Voice print
- DNA scan (theoretical)
Every single one of these security measures can be easily subverted, and in most cases, using common household items:
- Retinal scans can be bypassed using the original eyeball or a high-resolution print of the original eyeball
- Finger print and palm scans can be bypassed using the original finger, or by using a combination of glue or silicone gel with a high-resolution print of the original fingerprint
- Facial recognition is the least secure, and can be bypassed using a photograph of the original face
- Gait recognition isn’t commonly used, and is considered “perfectly secure” at this point. It analyzes an individual’s walk, and how they carry themselves. However, as robotics become cheaper and more accessible, it’s easy to envision programming a cheap, portable robot to mimic someone’s walk, in order to bypass gait recognition.
- Everyone’s ears are unique. But you can take a picture of anyone’s ear, and then print that picture out in order to bypass an ear scan.
- Voice prints can be easily bypassed using a voice recorder
- Although DNA-based security is theoretical at this point, it’s easy to imagine the bad guy obtaining a DNA sample by one of several means
- Most biometric locks have a backup key or PIN. So if you use fingerprint locking or facial recognition, an attacker can simply bypass it, and attack the backup key or PIN instead.
Infamous biometric security failures:
- A man in Singapore, in 2004, was car-jacked for his Mercedes. When the thieves found out that his car used fingerprint authentication, they cut off his finger! So instead of an insurance claim, he had an insurance claim, a hospital bill, and a finger that he will miss for the rest of his life.
- In 2006, the Mythbusters, Adam and Jamie, beat a (at the time) state-of-the-art fingerprint scanner by using a photographic etching process. Low-end fingerprint scanners can be defeated using a printed copy of a fingerprint.
- In 2017, the brand-new iPhone X introduced facial recognition. Shortly after its debut, a Youtube video surfaced, demonstrating that two different Asian women could unlock the same cell phone, and numerous hacks have subsequently been demonstrated.
- In most states, photo-radar and red-light cameras are illegal. To get around this, they are administered by an “independent agency” (read: private corporation) that pays a sworn officer to review the tapes and issue a “fine” (in the form of a bill) to the vehicle’s registered owner, and the government gets a kick-back. As so-called proof, they include a high-resolution photo of the driver, taken through the windshield. You want to run red lights on the way to work? Wear a Nic Cage mask, and tell them to send the bill to Nic Cage, to whom you “swear” you lent your car that morning.
- Every movie that depicts a retinal scanner also depicts the victim having their eye removed, most often post-mortem, so that the bad guy can gain access to the secure area. Demolition Man, for instance.
- Most heist movies depict the protagonist surreptitiously obtaining the target’s fingerprint or voice password, and then using it to gain access to a vault or other secure area.
Despite its current popularity, biometric security is not secure.
Best Practices
- Use a PIN or password instead of biometric security. Disable fingerprint locks and facial recognition.
- Use PhoneFactor (sends text to your cell phone) or USB key in conjunction with certificate PKI as a second authentication factor, in place of biometrics as a second factor.
II – Thou Shalt Log In to Your Computer
Eventually, the popularity of Windows operating system will decline in favor of more secure operating systems such as Linux and ChromeOS.
Until then, you probably run some version of Windows.
The biggest security hole in Windows is that most computer vendors configure the operating system to log you in, without the need for a password.
THIS IS BAD.
All security starts with physical security, and that means, making sure someone who has physical access to your computer can’t get to your stuff, or pretend to be you online.
Windows has the ability to create separate profiles for each user, and to enforce passwords.
In Windows, Linux, and many other operating systems, the purpose of a profile is to allow each individual user to have their own settings, and to prevent other users of the same computer from accessing each others’ data. Profiles also allow personalization so that each user sees their own customized desktop, their own bookmarks, and the like.
Without a password, anyone who uses your computer “is you”, and has instant access to YOUR documents, YOUR internet history, and maybe even YOUR online accounts. Every time you click “keep me logged in”, that’s an opportunity for someone who IS NOT YOU to get access to YOUR STUFF, or to PRETEND TO BE YOU.
If someone logs in as you, they potentially have access to:
- Your e-mail (see “Thou Shalt Protect Your E-Mail”, below)
- Your identity (see “Thou Shalt Protect Your Identity”, below), including date of birth, social security, and driver’s license number
- Your bank account, financial information, and tax records
- Ability to purchase using your online accounts
- Pictures of you, your family, and your friends, including potentially embarrassing pictures
- Medical information
- Access to your social media (reputation)
- Your browser history, including any dirty little secrets. If you’re in to fetish porn, now is the time to panic!
- History of what you watch online, from such sources as Youtube, Netflix, Hulu, and Amazon Prime. Been watching skin flicks lately? I’m sure your girlfriend or wife will be interested.
- Search history. At first this doesn’t sound that bad, but what if you searched for something sensitive and private?
- Any illegal activity, such as downloading movies and games or dealing in contraband
- The ability to install software, including malware, viruses, and spyware, that could damage your computer, steal or erase your data, or give the attacker remote access later down the road.
- WiFi networks, including “secure” networks to which you might have connected.
So, basically, anyone who logs in as you could steal your identity, steal your money, destroy your reputation, blackmail you, get you fired, and maybe even get you arrested.
Best Practices
- Create a separate profile for each person (“user”). Even your wife, kids and friends. This ensures that your personal and private information remains personal and private.
- Turn on password enforcement. Make sure that every profile has a password, so that everyone who uses the computer is protected.
- Set a secure password for your profile. (See “Thou Shalt Create Secure Passwords” below).
- Set a screen lock timeout. Whether you use a screensaver or not, make sure that your profile is configured to lock after 60 minutes of inactivity, and requires a password to unlock.
- Enable or create a “guest” profile. If someone asks to use your computer, click “switch users”, and they can log in as guest. You’re not being a jerk, you’re simply setting boundaries. The guest profile should have limited permissions, so that it can’t access shared documents, can’t reconfigure the system, and can’t install software. Windows has a “guest” account defined by default, but it usually must be manually enabled.
- Don’t make exceptions. If someone gives you crap about it, “Oh, I see how you are! You don’t trust me!”, respond with “This is my PERSONAL computer, and there are PERSONAL things that I don’t want to share with anyone, including you. No offense.” Your true friends will respect your boundaries, and, well, anyone else doesn’t really matter, do they?
- Make sure there are no sensitive files in “Public Documents”, “Public Pictures”, “Shared Documents”, “Shared Pictures”, or similar. Anything you don’t want your kids to see should NOT be “public” nor “shared”.
- Smart TVs and other Media Player devices can access your computer, if they are on the same WiFi network, and can display both PUBLIC and PERSONAL pictures and videos, sometimes without logging in! Again, if you have anything in your “Pictures” or “Videos” folders that you wouldn’t want your kids to see, move it to a new folder under “Documents” called “Private”.
Configure individual user profiles, and use passwords to keep other users out of your stuff, and away from your online accounts.
III – Thou Shalt Secure Your Smart Phone
Your smart phone is the most personal device you own, and you take it everywhere you go. If it gets lost or stolen, you don’t want a stranger to be able to get to your stuff.
As with your computer profile, someone who gains access to your smart phone could steal your identity, steal your money, destroy your reputation, blackmail you, get you fired, and maybe even get you arrested.
Best Practices
- Do not use biometrics for security. This includes facial recognition, fingerprints, and anything else having to do with your body. Although this flies in the face of popularity, and at first, seems counter-intuitive, see “Thou Shalt Not Use Biometrics for Security” above.
- Use a secure PIN or Password (see “Thou Shalt Construct Secure PINs and Passwords” below)
- Use Android’s “Draw Pattern” lock feature. This is easy to use, intuitive, and very secure. Don’t use a simple / stupid or easily-guessed pattern.
- Use Android’s “Guest Mode” (5.0 and up) when someone asks to use your phone. Guest mode allows the user to make phone calls and browse the internet, without access to install or remove applications, view pictures, or pair a device via BlueTooth.
- If your phone doesn’t support “guest mode”, install a “guest mode” or “parental control” app, that prevents unauthorized users from accessing your photos, contacts, and applications.
- Both Android and iPhone support “remote wipe” and device deactivation capabilities. Make sure you have this configured, along with the “find my phone” feature, so that if your phone is lost or stolen, you can log in to Google Play or iTunes (respectively), and delete your personal data or even better, deactivate (brick) your phone.
- Configure your screen to lock automatically. Set the timeout to something tolerable, like 3-5 minutes.
Your smart phone is the nexus of your personal life, and a gateway to all of your online accounts. Make sure it’s protected.
IV – Thou Shalt Construct Secure PINs and Passwords
Follow these guidelines in order to construct a GOOD password.
Hard to Guess, Easy to Remember
PINs and Passwords can be easy to guess (that’s bad) or hard to guess (that’s good).
They can also be easy to remember (that’s good) or hard to remember (that’s bad).
| | Easy to Guess | Hard to Guess |
| --- | --- | --- |
| Easy to Remember | BAD | GOOD |
| Hard to Remember | ? WHY BOTHER ? | BAD |
Obviously, the best PIN or Password is HARD TO GUESS, but EASY TO REMEMBER.
Avoid Dictionary Words in Passwords
Attackers use long lists of words, called “dictionaries”, when performing a brute-force attack, known as “cracking”. As you may guess, dictionaries consist of common words, but also include sports team names, names of places, and even celebrity names.
When you construct a password, don’t use common words like “football”, or celebrity names like “Trump”.
Here are some common methods to avoid cracking dictionaries:
- Use a non-common misspelling. Instead of “football”, use “looftabb”. The caveat, of course, is that it must be easy to remember. If you forget your password, it does you no good. In this case, we are rearranging the sounds, and taking the analogous spelling.
- Use Pig Latin. In Pig Latin, you take the first consonant sound, put it at the end of the word, and add “ay” to the end. Words starting with a vowel, simply get “ay” at the end. “football” becomes “ootballfay”.
- Use “y” (or some other letter) for every vowel. “football” becomes “fytbyll”. Once again, make sure your substitution is consistent, and that you can remember that you used “fytbyll” and not “fyytbyll”.
Avoid Dictionary Words in PINs
When constructing a PIN, many people will use touch-tone spelling.
| Key | Letters |
| --- | --- |
| 1 | (none) |
| 2 | ABC |
| 3 | DEF |
| 4 | GHI |
| 5 | JKL |
| 6 | MNO |
| 7 | PQRS |
| 8 | TUV |
| 9 | WXYZ |
| 0 | (none) |
Originally, this was introduced in order to allow the user to convert a mnemonic to a number. For example, in the 50’s, “Houston 5678” would be converted to touch tone as HOU-5678, or 468-5678.
In the late 90’s, people used this same scheme for “T9” texting – the ability to spell words using numbers, with intelligent prediction.
Today, people tend to construct a PIN using this same scheme, which can be problematic. Although it’s easy to remember (which is good), it may also be easy to guess (which is bad).
If my name is “Bill”, and I choose the PIN “2455”, an attacker could easily guess this based on my name, or by using a dictionary attack. The same holds true for any 4, 6, or 8-digit word or name that I turn into a PIN using touch-tone spelling.
Here are some common methods to avoid PINs that are easy to guess using a cracking dictionary:
- When you select a PIN, use a site like www.aer.org/, which converts keypad number sequences into words, and check to make sure that your PIN doesn’t correspond to a simple word.
- To make sure that your PIN doesn’t spell a word, always use a 1 or a 0 somewhere within your PIN. Neither 1 nor 0 correspond to a letter.
- Intentionally misspell your word. For example, if your name is “Bill”, your PIN could be 2955, 2155, or 2055 instead. Try to be consistent, so that you don’t forget your PIN.
Avoid Too Much 733T 5P34K
(“Avoid Too Much LEET SPEAK”)
“Leet Speak” is where you substitute numbers and other symbols for letters in a word. For example, the letter “I” might become “1”, “!”, or “|”.
While using a little bit of “Leet Speak” substitution can make your password harder to guess, using too much can make it really hard to remember.
For example, did you use “|<” for “K”, or “&”?
Remember that attackers use password cracking tools that employ a list of common words and names, called a dictionary… these password cracking tools can be configured to automatically perform “Leet Speak” substitutions, so even going to the extreme with Leet Speak doesn’t make your password that much more secure.
Here are some Leet Speak best practices:
- Most websites and applications require “complexity”, which is another way of saying that they have rules about requiring a number, a symbol, and / or an upper-case letter. Leet Speak is a great way to incorporate a number or symbol into your password, in a way that’s easy to remember. For example, use “!” for “I” or 0 for “O”, or flip one of the “E”s in your password to a “3”. Just make sure you have a scheme, so that the substitutions are easy to remember.
- Multi-symbol substitutions are stronger than single-symbol substitutions. For example, use “1<” for “K”, “[)” for “D”, or “\/” for “U” or “V”.
- Unlike keypad substitutions, Leet Speak is a great way to pick a PIN. For example, if you use the word “LIAR” as your PIN, it would be 5427, and because “liar” is a dictionary word, it would be quite simple to guess. Instead, if you use Leet substitutions, “LIAR” = “7147”. We keep the R=7 keypad substitution, since there isn’t an easy numeric substitution for “R”. Because our Leet PIN has a 1 in it, there is zero chance that it corresponds to a dictionary word.
Longer Passwords are More Secure Than Complex Ones
We briefly touched on complexity above, and we’re all familiar with “pick your password” hell:
Your password must contain a number, a symbol, an upper-case letter, a hieroglyph, a gang sign, some alien writing, at least one species of flying insect, and a blood oath.
The purpose of requiring complexity is to increase the number of possible symbols in each position:
| Symbol Set | Number of Symbols |
| --- | --- |
| a-z | 26 |
| a-z; A-Z | 52 |
| a-z; A-Z; 0-9 | 62 |
| a-z; A-Z; 0-9; !@#$%^&*()-=_+[]{};':",.<>/?\| | 92 |
The thought process is that, by enforcing complexity, even a short password is fairly secure:
| Password Length | Combinations | Time to crack |
| --- | --- | --- |
| 4 | 92^4 = 71.6 mil | 2 hours |
| 5 | 92^5 = 6.6 bil | 7.6 days |
| 6 | 92^6 = 606 bil | 1.9 years |
| 7 | 92^7 = 55 E12 | 176 years |
| 8 | 92^8 = 5 E15 | 16,274 years |
(Assumes 10,000 attacks per second. Hash attacks can be performed much faster, but actual authentication attempts are much slower)
However, even if we use just upper and lower-case letters, we can get almost the same level of security:
| Password Length | Combinations | Time to Crack |
| --- | --- | --- |
| 8 | 52^8 = 53 E12 | 169 years |
| 9 | 52^9 = 2.7 E15 | 8,815 years |
| 10 | 52^10 = 144 E15 | 458,381 years |
At 8 positions, using only upper and lower-case letters, we have almost the same level of security as 7 positions using letters, numbers, and symbols.
By increasing your password to 10 positions, and using ONLY upper and lower-case letters, you can far exceed the security of a highly-complex, 8-position password.
Longer passwords are always stronger, with or without high complexity.
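As an added example (my own code, not from the original post), the following Python reproduces the two tables above from the post’s own assumptions (10,000 attempts per second, a 365-day year, the whole keyspace searched in the worst case) and adds a bits-of-entropy view that makes the “almost the same” comparison between 7 positions of 92 symbols and 8 positions of 52 symbols exact. The symbol-set sizes are the post’s; the function names and the hours/days/years formatting are mine.

```python
import math

# Symbol-set sizes taken from the post's table.
SYMBOL_SETS = {
    "a-z": 26,
    "a-z; A-Z": 52,
    "a-z; A-Z; 0-9": 62,
    "a-z; A-Z; 0-9; symbols": 92,
}

GUESSES_PER_SECOND = 10_000        # the post's assumption for online attempts
SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year, which is what the post's numbers use


def combinations(symbols: int, length: int) -> int:
    """Size of the keyspace: every position can hold any of `symbols`."""
    return symbols ** length


def bits_of_entropy(symbols: int, length: int) -> float:
    """The same keyspace expressed in bits; each extra bit doubles the attacker's work."""
    return length * math.log2(symbols)


def seconds_to_crack(symbols: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: the attacker walks the entire keyspace at `rate` guesses per second."""
    return combinations(symbols, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration the way the post's tables do (hours, days, or years)."""
    if seconds < 48 * 3600:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 60 * 86400:
        return f"{seconds / 86400:.1f} days"
    years = seconds / SECONDS_PER_YEAR
    return f"{years:.1f} years" if years < 10 else f"{int(years):,} years"


def crack_table(symbols: int, lengths) -> list:
    """Rows of (length, combinations, time to crack) for one symbol set."""
    return [(n, combinations(symbols, n), human_time(seconds_to_crack(symbols, n)))
            for n in lengths]


def length_for_equivalent_strength(symbols: int, target_bits: float) -> int:
    """Shortest password in this symbol set that meets or beats `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(symbols))


if __name__ == "__main__":
    for name, size in SYMBOL_SETS.items():
        print(f"{name} ({size} symbols)")
        for n, combos, t in crack_table(size, range(4, 11)):
            print(f"  {n:2d} positions: {combos:.3g} combinations, {t}")
    # Letters-only length needed to match a 7-position, 92-symbol password:
    print(length_for_equivalent_strength(52, bits_of_entropy(92, 7)))
```

Run as a script it prints both tables for every symbol set. Note that 7 positions of 92 symbols is about 45.7 bits and 8 positions of 52 symbols about 45.6 bits, so “almost the same” is right, and a letters-only password needs 9 positions to strictly exceed the complex 7-position one; at 10 positions it clearly beats the complex 8-position one (57 bits against 52).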
Use Text Icon Substitution
I know I just said that complexity doesn’t matter. It makes your password hard to guess, but too much complexity also makes it really hard to remember.
However, you can use a “text icon” as a simple substitution for a letter within your password, which makes your password complex, yet much easier to remember.
For example, let’s say that your password is “ilikekittens”. You might substitute a smiley “:-)” for the letter “e”, resulting in “ilik:-)kitt:-)ns”
Because we are substituting one symbol for three, this has the effect of adding complexity, increasing the password length, and it’s also virtually guaranteed to defeat dictionary attacks.
If you do use a text icon, just make sure you can type it quickly, and correctly, or you risk being locked out!
Don’t be afraid to use your imagination. Here are some examples:
| Icon | Meaning | Example |
| --- | --- | --- |
| [-o-] | Tie Fighter | t[-o-]ef[-o-]ghter |
| \o-o\ | Glasses | gl\o-o\sses |
| \=/ | Glass of water | gl\=/ssofw\=/ter |
| +– | Ninja Sword | ninjas+–ord |
| ~v~ | Eagle | m~v~agl~v~ (See “Make it Hard to Crack” for an explanation of the “m”) |
Make it Hard to Crack
After performing a dictionary attack, an attacker will typically revert to a brute-force attack, where the cracking program attempts to try every possible combination of letters, numbers, and symbols in each position.
First, it tries every 1-digit password, so it tries “A”, then “B”, etc… to “Z”, then it starts with lower-case “a” through lower-case “z”, then it tries each digit “0” through “9”, and finally, it tries each symbol, such as “$” or “%”.
Once it tries every 1-digit password, it moves on to every 2-digit password, starting with “AA” and ending with “%%” (perhaps).
And so on.
A clever attacker can set limits based on what they know about the environment, and customize the execution of the cracking program. For example, if the attacker knows that the system in question requires a minimum password length of 6 positions, or that the system in question won’t allow “<” or “>” (common for web applications to filter these out), then (s)he can set those limits within the cracking program, in order to reduce the amount of work to be performed, and hopefully reduce the time it takes to crack one or more passwords.
Although any password should be equally secure, as you can see, if your password starts with the letter “A”, the cracking program will find it LONG before someone else’s password that starts with the letter “Z”.
Since the cracking program can be customized, you don’t know whether the attacker will start with numbers first (0-9), or symbols, or letters, nor can you tell which symbols the attacker will choose to include. (Example, “<” and “>” are typically excluded because this mechanism is used as an attack vector to attempt to bypass web application security).
Therefore, your best bet is to start your password with a letter. In fact, many web applications require the first symbol to be a letter. Most often, the cracking tool is configured by default to check numbers, then upper-case letters, then lower-case letters, then symbols, because this is the order that they appear in the computer’s ASCII symbol table, but you can’t guarantee that the attacker hasn’t customized the sequence. So your best bet is to start with a LOWER-CASE letter.
If you could guarantee that the attacker always starts with “a” and progresses through every password combination until the cracking program hits “z%%%%%” (or whatever), then you would always start your password with “z”, but guess what? The attacker could run the attack in reverse. As a matter of fact, a smart attacker will run TWO cracking sessions – one forward, and the other on a second computer, running in reverse – which halves the time it takes to reach the correct password.
So your best bet is to pick a password that starts with a lower-case letter that occurs in the middle of the alphabet – somewhere in the range of “i” to “r”.
Likewise, when selecting a PIN, pick something that starts with “3” through “7”.
How to Construct a Good Password
- String some words together, to make your password LONG
- Use a few random capital letters
- Make a couple of “Leet Speak” substitutions
- Put symbols between words
- Substitute one or more letters for a text icon
Example:
- Start with “hockeyiscool”
- Make some random capital letters and leet speak substitutions: “h0ck3yiSCooL”
- Add some symbols: “h0ck3y$iS%CooL”
- Throw in a text icon substitution, “\_” = a hockey stick, and we will substitute for “o”: “h0ck3y$iS%C\_\_L”
Depending on what the password protects, this might be way overkill. You have to judge for yourself, based on the risk that someone might gain access to the system, and the value of the information it protects.
How to Derive a Password
IDEALLY, YOU SHOULDN’T
However, sometimes it’s expedient or convenient to have a set of passwords that are similar, for related applications.
The easiest way to do this is to pick a few positions, and alter them in a predictable way.
For example, let’s say that our base password is “h0ck3y$iS%C\_\_L” (from above), but our application doesn’t allow “%” symbol. The easiest thing to do is to substitute another $: “h0ck3y$iS$C\_\_L”.
The trick is to do this in such a way that you won’t forget it in a month, the next time you go to use it.
How to Construct a Good PIN
- Use as many digits as is feasible (not too long to remember easily).
- Pick a word that’s as long as your PIN, or longer
- FIRST, use “Leet Speak” to convert as many letters to numbers as possible
- THEN, use keypad alpha codes to convert the remaining letters
- If you have more digits than you need, discard 1 or more of the initial digits
- Make sure your PIN does not start with 1 or 9.
- Make sure your PIN includes at least a “1” or “0” (or both), so that it definitely does not spell a dictionary word
- If you can manage to remember it, transpose two of the digits
Example:
- We need a 6-digit PIN, so we start with “crocodile”
- We convert as many digits as possible using leet: “cr0c0d1l3”
- We convert the remaining digits using keypad alpha: “270203153”
- We discard the weak 2, and take the next 6 digits: 702031 = “rocodi”
- We have two zeros and a one, which is actually too many ones and zeros, so we change the first zero into a 4: 742031
- My final PIN is: c + r4c031 + le (I can either look at the keypad, or remember that r = 7 and c=3)
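The following Python is an added example (my own code, not from the original post) covering two things this section describes: the check recommended under “Avoid Dictionary Words in PINs” (does a PIN spell a word on the keypad?) and the “Leet first, then keypad” construction walked through above. The keypad table is the post’s; the word list is a small constructed stand-in for a cracking dictionary, and the Leet table is passed in explicitly because the post’s two examples use different substitutions (“L” becomes 7 in “LIAR”, but stays a keypad 5 in “crocodile”).

```python
# Touch-tone keypad letters, as in the post's table (1 and 0 carry no letters).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_KEY = {ch: key for key, letters in KEYPAD.items() for ch in letters}

# Constructed stand-in for a cracking dictionary; a real one is far larger.
WORDLIST = ["bill", "liar", "love", "cool", "door", "home", "pass", "crocodile"]


def word_to_keypad(word: str) -> str:
    """Spell a word on the keypad; characters that are already digits pass through."""
    return "".join(LETTER_TO_KEY.get(ch, ch) for ch in word.lower())


def words_spelled_by(pin: str, wordlist=WORDLIST) -> list:
    """Dictionary words whose keypad spelling is exactly this PIN."""
    return [w for w in wordlist if word_to_keypad(w) == pin]


def word_to_pin(word: str, leet: dict) -> str:
    """The post's method: apply Leet substitutions FIRST, then keypad codes for what is left."""
    leeted = "".join(leet.get(ch, ch) for ch in word.lower())
    return word_to_keypad(leeted)


def take_digits(digits: str, length: int, drop: int = 1) -> str:
    """Discard `drop` leading digits, then keep the next `length` (the post's step 5)."""
    return digits[drop:drop + length]


def pin_issues(pin: str, wordlist=WORDLIST) -> list:
    """Which of the post's PIN rules this candidate breaks; an empty list means it passes."""
    issues = []
    if not pin.isdigit():
        issues.append("not all digits")
    if pin[:1] in ("1", "9"):
        issues.append("starts with 1 or 9")
    if not any(d in pin for d in "01"):
        issues.append("contains no 0 or 1")
    if words_spelled_by(pin, wordlist):
        issues.append("spells a dictionary word")
    return issues


if __name__ == "__main__":
    # The post's "crocodile" walkthrough, step by step.
    digits = word_to_pin("crocodile", {"o": "0", "i": "1", "e": "3"})
    print(digits)                       # 270203153
    six = take_digits(digits, 6)        # 702031
    print(six, pin_issues(six))
    print(pin_issues("2455"))           # "bill" on the keypad: fails two rules
```

`pin_issues` is the defensive half: run any candidate through it before adopting it, and it reports the post’s rules that the candidate violates rather than just a yes/no. The manual “change the first zero into a 4” step is deliberately not automated, since the post presents it as a judgement call.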
Deriving a Shorter PIN
Let’s say that we have our PIN, 742031, and we want to match this across several systems, but some of the systems only accept a 4-digit PIN
Although it’s a bad idea to reuse a PIN, there may be a legitimate reason, or maybe convenience outweighs the need for absolute security.
- Do not use the first 4 digits. If your standard PIN becomes compromised, they will check “7420” first
- Do not use the first digit at all.
- Take the remaining digits, and have some kind of scheme, such as 4203 (center 4) or 1302 (last 4, backwards), 2430 (center digits, rearranged)
Again, DO NOT SHARE PINs BETWEEN SYSTEMS, unless the need for security is trivial.
Deriving a Longer PIN
Let’s say we normally use a 4-digit PIN, 7420, and for some reason, we need a few extra digits.
Anecdote: We have two cipher locks that take a 4-digit PIN, and 3 vehicles that use a 5-digit PIN. I won’t go into detail, but one is a subset of the other, because there is absolutely zero risk of someone compromising my car, my garage, and my shed, all for the same reason.
If we delve into this a little, all three cars use ONE keyless entry code, which is TERRIBLE. At the very least, each vehicle should differ by 1 digit. However, I live with other human beings who aren’t so good at remembering several different PIN codes, so we tend to reuse some of them. We don’t store any valuables in the vehicles, so even if someone did guess my keyless entry code, and managed to open all three of my vehicles, there’s very little that they could accomplish with this information.
Sometimes, making a system perfectly secure, also makes it a perfect pain in the ass. You have to weigh ultimate security against convenience. If a system is so complicated that someone has to write down their PIN, then the PIN is PHYSICALLY there for someone to steal, and you’ve defeated the purpose.
For example, your normal pin is used in conjunction with your badge to enter the server room, but there is a cipher lock at the offsite storage location which requires 6 digits (and no badge)
- DO NOT just add digits to the end
- Throw in some 1’s, 0’s, or 9’s: 741209
V – Thou Shalt Protect Your Identity
When you sign up for a new account, sometimes they ask you for your first dog’s name, or the street address where your Mom lived when you were growing up.
Personal information should NEVER be disclosed no matter what!
You can’t just assume that your favorite website is using all of that information for the forces of good!
Never give out:
- Your date of birth
- Your year of birth
- Your zip code (add or subtract 1, unless you are buying online)
- Social Security
- Driver’s License number
- Mother’s maiden name
- Personal details about your life
If I wanted to, I could randomly throw in a personal question every 2-3 times you log in, and slowly build a psychological profile of you, that I could then manipulate for the purposes of marketing. I could ask you questions about your dad, to figure out who you will vote for in the next election, or questions about your mom, to figure out how much you’re willing to spend on my website, and run an algorithm to bump my prices up or down, accordingly.
Don’t think that this isn’t out there in the wild today – because it is.
- When a website asks you the name of your first pet, answer “yellow”.
- When they ask you your favorite color, answer “yellow”.
- If they complain that you can’t have the same answer for two questions, answer “orange”
- What year were you born? 1990 (whether you were born in 1990 or not)
- What’s your birthday? June 1
- What’s the street address of the house in which you grew up? 111 mainstreet USA
LIE, LIE, LIE.
Your personal information is the MOST IMPORTANT COMMODITY on the internet.
Make sure everything you give out is fake, but make sure you have your answers written down somewhere in case you need them.
VI – Thou Shalt Protect Your E-Mail
Most of everything you do online ties back to your e-mail.
From online banking to buying online, either you use your e-mail address as part of your credentials, or you supply your e-mail address for the purpose of resetting your password.
If someone gains access to your e-mail, it would take only a few minutes to figure out where you shop online, who you bank with, determine all of your social media accounts, and potentially gain access to all of these.
Protecting your e-mail is so important, it gets its own set of commandments…
i – Thou Shalt Use a Unique Password for E-mail
We hear about data breaches every day, and often, the data that’s disclosed includes passwords.
Ideally, no website should store any passwords, as the best way to handle authentication is to store a secure hash of the password, and discard the password itself. For more information, see The Importance of Hashing Passwords.
Unfortunately, inexperienced developers simply store the password in cleartext, in the database, so that it’s right there for a hacker to steal!
This means that if you use the same password for your e-mail and for your account on XYZ.com, then when XYZ.com is breached, the attackers have your e-mail address and your e-mail password.
Make sure your e-mail password is unique. Don’t reuse your e-mail password, nor a variant, for any other system or website.
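To make the hashing point above concrete, here is an added example (my own code, not from the original post or any linked article) showing the cleartext storage the post warns against next to the salted, iterated hash it recommends. It uses only the Python standard library; the record format and the PBKDF2 iteration count are my assumptions.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. An assumption for this example: tune it so one
# verification costs a noticeable fraction of a second on your own hardware.
ITERATIONS = 600_000


def store_cleartext(password: str) -> str:
    """What the post warns against: the stored record IS the password, so a
    database breach hands the attacker every user's password directly."""
    return password


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted, iterated hash and discard the password itself.
    Record format (my own): algorithm$iterations$salt_hex$digest_hex."""
    if not salt:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users who picked the same password get different records because the
    # salts differ; a leaked table therefore cannot be cracked once for everyone.
    a = hash_password("correct horse battery")
    b = hash_password("correct horse battery")
    print(a != b, verify_password("correct horse battery", a), verify_password("wrong", b))
    print("cleartext record:", store_cleartext("correct horse battery"))
```

The iteration count and the salt travel with the record, so the cost can be raised later for new records without breaking verification of old ones. `hmac.compare_digest` is used instead of `==` so that a mismatch does not leak how many leading bytes were correct through timing.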
ii – Thou Shalt Use a Strong Password for E-mail
Even though it goes without saying, it’s important enough to mention twice.
Your e-mail password should be the most secure password you use.
iii – Thou Shalt use a Secure E-mail Platform
Unless you’re Hillary Clinton, your e-mail should remain as secure as possible.
Once upon a time, e-mail was something you downloaded from your ISP. You would fire up a copy of Eudora or Outlook Express, enter some arcane settings to configure your e-mail server settings, and click “download”. You might read your e-mail offline, and maybe even reply, and then “sync up” your e-mail the next time you connected.
Then came “Hotmail”, and everything changed. Hotmail was the first mainstream, online, fully-functional web client – you could go to a website from any internet-connected computer in the world, and read your e-mail. And, if you changed ISPs, you didn’t need to change your e-mail address, nor pay your old ISP for forwarding.
Soon, Yahoo arose as a major competitor, and every ISP soon adopted their own flavor of web-based e-mail. Later, Google got into the act, with GMail, and finally, Microsoft bought Hotmail.
So the top 3 “cloud” e-mail platforms today are Outlook Live (formerly Hotmail), Yahoo Mail, and Google GMail.
Although there are still some small, dark corners of the internet which offer anonymous e-mail, if you go with any of the big-3, be prepared to sacrifice your real identity, and supply a phone number for validation and password recovery. Just like Facebook, they want as much personal information as they can siphon off of you, so that they can use it for marketing.
- Yahoo had a major account / data breach in 2014
- Google has stated that they have bots that read your e-mail, scanning for keywords
- Outlook Live has stability and reliability issues, and suffers from feature-bloat. And in light of Windows 10 privacy issues, don’t expect a Microsoft-hosted application to place its first priority on privacy.
- All three of them respond to thousands of FISA warrants per day
So what does all of this mean?
- The Yahoo breach was pretty serious, but they did require all of their subscribers to change e-mail passwords, and made security changes and improvements to ensure that the attackers responsible for the 2014 breach did not have continued access to compromised data or e-mail accounts. (Again: SHAME ON YOU, YAHOO, FOR STORING PASSWORDS RATHER THAN PASSWORD HASHES)
- Regardless of who you use, the government probably has ready access to your e-mail. There’s no way around it, unless you host your own.
- Regardless of who you use, your provider will be scanning your e-mail, looking for relevant content and building a marketing profile on you.
The good news is that all three have draconian password policies, require authentication in order to make account changes, require a 2nd factor (phone or recovery e-mail account) in order to reset your password, and they send you an e-mail or text message if your e-mail is accessed from an unknown computer or device.
Side Quest: Secure Messaging Through Encryption
As we’ve seen, even though access to your e-mail is fairly secure, you obviously can’t guarantee that the government or some marketing corporation isn’t snarfing up your e-mail messages in order to determine whether you’re a criminal, or want to buy shoes (respectively).
So how do you send something super-secret or super-sensitive through e-mail?
The answer is encryption.
1. Use a text editor or word processor to type up your e-mail
2. Use a program such as PGP or WinRAR to encrypt it
3. Attach the PGP or RAR file as an attachment to a normal e-mail that simply says, “here’s that file you wanted”.
4. Assuming that the recipient knows how to decrypt the file, and has the decryption password, they decrypt the file and then read your “real” message – like maybe the secret plans to the Death Star.
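The four steps above, as an added example that is not part of the original post: the message is encrypted with GnuPG’s symmetric (passphrase) mode in place of PGP or WinRAR, the resulting .gpg file is what gets attached, and the recipient decrypts it with the shared passphrase. It assumes a `gpg` binary (2.1 or later) on PATH, and that the passphrase reaches the recipient by some channel other than the e-mail itself.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a message file before
# attaching it, using GnuPG symmetric mode. Assumes gpg 2.1+ on PATH.

# Sender side. Usage: encrypt_for_mail <passphrase> <plaintext> <output.gpg>
encrypt_for_mail() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase "$1" --symmetric --cipher-algo AES256 \
        --output "$3" "$2"
}

# Recipient side. Usage: decrypt_mail <passphrase> <input.gpg> <output.txt>
# Exits non-zero on a wrong passphrase or a tampered attachment, so the
# caller can check the result instead of trusting whatever came out.
decrypt_mail() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase "$1" --output "$3" --decrypt "$2"
}

# Round trip on a constructed message. Returns 0 only if the attachment is
# unreadable as text, a wrong passphrase is rejected, and the right one
# recovers the original message byte for byte.
demo_roundtrip() {
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"      # throwaway keyring; leaves the user's alone
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    printf 'Secret plans to the Death Star: exhaust port, 2 metres.\n' > "$work/plan.txt"

    encrypt_for_mail 'correct horse battery staple' \
        "$work/plan.txt" "$work/plan.txt.gpg" || return 1
    # The attachment itself must not contain the message in the clear.
    grep -q 'Death Star' "$work/plan.txt.gpg" && return 1

    # Wrong passphrase first, so a cached passphrase cannot mask the failure.
    if decrypt_mail 'wrong passphrase' "$work/plan.txt.gpg" "$work/bad.txt" 2>/dev/null; then
        return 1
    fi
    decrypt_mail 'correct horse battery staple' \
        "$work/plan.txt.gpg" "$work/plan.out.txt" || return 1
    cmp -s "$work/plan.txt" "$work/plan.out.txt"
}
```

The cover e-mail carries only `plan.txt.gpg` and a line such as “here’s that file you wanted”; the passphrase never travels with it.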
If you are interested in encryption, and want to know more about it, check out Public Key Infrastructure (PKI) and Encryption, Simplified.
iv – Thou Shalt Not Use Your ISP for E-mail
Although we covered this above, it bears mentioning again.
If you use your ISP for e-mail, and then use that e-mail address for password recovery for other accounts, then if you change your ISP, you won’t be able to recover your other accounts (duh).
v – Thou Shalt Change Your E-mail Password
(Often)
Let’s face it: password changes are a complete PITA. When I see that prompt, “you have 10 days to change your password”, I just absolutely know that I’ll wait until day 9, JUST because I don’t want to deal with it.
When it comes time to change your password, you need something easy to remember, but then you run afoul of “password hell” – the rules requiring complexity practically turn it into a scavenger hunt:
Your password needs to include a species of omnivorous jungle cat, two scrabble tiles, an imaginary number, and a blind warrior-poet, preferably from the middle ages.
BUT, your e-mail password is the MOST IMPORTANT password you have.
SO CHANGE IT.
I say “often”, but the corporate definition of “often” is to change it every 2-3 months.
In the “real” world, if you change your e-mail password every 6 months, you’ll be just fine. BUT CHANGE IT (often).
vi – Thou Shalt Not Stay Signed In To E-mail
Most e-mail services offer a “keep me signed in” check box.
DO NOT CHECK “KEEP ME SIGNED IN” FOR YOUR E-MAIL
Even with this feature disabled, the timeout is usually long enough that you only get prompted 2-3 times per day.
Getting prompted means that someone who has access to your browser session doesn’t have automatic access to your e-mail.
vii – Thou Shalt Maintain a Working Password Recovery E-mail and Phone Number
The “big 3” e-mail providers are able to help you reset your password using a “recovery code” that they send, either to your “recovery e-mail address”, which is a second e-mail account to which you have told them you have access, or via text to a “recovery phone number” (your cell phone).
Make sure these are kept up to date.
You should set up a 2nd e-mail account, either with the same provider or another. Once you have a “verified” e-mail account, it’s very simple to set up a 2nd account, so DO IT!!
If you change cell phone numbers for some reason, MAKE SURE you update your recovery phone number.
VII – Thou Shalt Use Unique User Names
Your password is HALF of your login credentials.
The other half is your user name.
The problem is that most people use the same user name for every website, and even worse, many websites use your e-mail address as your user name.
Although this is easy to remember, it also makes an attacker’s job that much easier.
If I know your e-mail address, I probably already have half of what I need to break in to any of your online accounts.
User Name best practices:
- Only use a user name ONCE. Never use a user name for more than one website.
- Keep a spreadsheet or notepad, listing your user names and corresponding websites. In case the file is compromised, either make sure it’s encrypted, or make sure you DO NOT list your passwords.
- Make sure your e-mail password is NOT LISTED in your file. Suck it up. Memorize it.
- Use random letters and numbers as your user name for every website. Most websites require that your user name starts with a letter.
- Many websites, unfortunately, use your e-mail address as your username. I say “unfortunately”, because this is not secure. Consider using a service, such as SneakEmail, that gives you disposable e-mail addresses. This has the added benefit that if you start getting spam from a specific website, you can turn off the corresponding e-mail address.
VIII – Thou Shalt Protect Your Finances
Make sure you use a separate password and user name for:
- Each banking website
- Stock trading
- Each Credit Card website
- Paypal (or similar)
Using a unique user name makes your bank account TWICE as hard to break into.
If you have an account that is linked to your money, you should have a unique username and password for that account, and make sure that the username + password combination is used NOWHERE ELSE, even on another banking website.
If your bank offers additional authentication, USE IT.
Some banks offer PhoneFactor authentication, which sends a text message to your cell phone as part of the login process.
Other banks have proprietary authentication factors, where you respond to a question or pick out a picture. Remember to NEVER give out personal information, but definitely take advantage of the added security.
i – Thou Shalt Use Separate Bank Accounts for Receivables and Payables
(Sorry for the mini-commandment)
Simplified: Thou shalt put your money-coming-in, in a separate bank account from your money-going-out.
Why?
If some company accidentally overdrafts your account, you don’t want all of your money to disappear!
Also, make sure “overdraft protection” is TURNED OFF!!!
If some asshole clerk mistypes your bill as $3000 instead of $30, or some computer programmer can’t calculate where a decimal place sits, then you might get SAVAGELY OVERCHARGED.
If you have overdraft protection enabled, your bank will simply pay the bill! No questions asked! And then charge you A LOT OF MONEY.
With overdraft protection disabled, and by having a separate account, should an overdraft occur due to some company’s error, you don’t have to worry about your REAL money (held in a separate account), nor repaying a debt that you don’t owe. It’s much easier to have the bank reverse any overdraft fees once the mistake is identified, versus going around for weeks without any cash.
Always keep just enough in your “outgoing” account to pay your bills, and leave the rest in “incoming” or move it to “savings”.
IX – Thou Shalt Not Stay Signed In
Sites such as Amazon and other reputable online retailers prompt for your credentials before allowing you to make a purchase.
However, if you “stay signed in” to Facebook, anyone can post anything as you, and read everything you’ve ever posted.
It takes just a few seconds to enter your password, but the damage someone can do with your account could cost you money, reputation, or income.
Do not stay signed in.
X – Thou Shalt Follow a Risk-Based Approach for Passwords
Every time you create a password, you’re creating a key, but you’re also creating a lock – it protects something that has to stay locked up and secure when you’re NOT using it.
When you create a password, ask yourself:
If someone who hates me got access to this information or service, what could they do with it, and how bad could this hurt me?
For example, if someone hacks your Amazon account, yes, that’s bad, but ultimately either Amazon or your credit card company will reimburse the charges once you prove that they’re fraudulent.
However, if someone hacks your e-mail, they could bankrupt you by resetting all of your passwords, send a “screw you, I quit” e-mail to your boss, and a “dear john/jane” letter to your significant other.
So obviously, e-mail is more sensitive (higher risk) than Amazon, and must be protected accordingly.
Conversely, if someone hacks your password on “ILikeCats.com”, I’m sure your reputation won’t suffer too badly, and thus, using a convenient password (possibly less-secure) is appropriate.
When you create a password, make sure the LOCK that your password represents, is strong enough to protect against the worst thing that could happen to you, if someone who hates you gains access to what the lock protects.
Conclusion
Thou shalt follow these commandments in order to create and maintain a secure password strategy
I – Thou Shalt Not Use Biometric Security
(Beware false prophets)
Biometrics are not secure. Every biometric security measure in existence today, or that will ever be devised, can be easily bypassed.
Use a PIN or password instead, and consider multifactor authentication such as PhoneFactor or a PKI certificate.
II – Thou Shalt Log In to Your Computer
Good security extends from end to end, and the starting point for any security strategy begins when you log in to your computer.
Create profiles for each user, enable passwords, and enable a screen lock timeout for your profile.
III – Thou Shalt Secure Your Smart Phone
Your Smart Phone is incredibly personal, and has ready access to all of your online accounts.
Make sure you use a PIN or password to secure your phone, use Guest Mode if your phone supports it (or download a parental control app), and configure a screen lock timeout.
If your device supports it, go online and configure “find my phone”, remote wipe, and / or remote device deactivation, so that if your phone is lost or stolen, no one can access your stuff.
IV – Thou Shalt Construct Secure PINs and Passwords
- Hard to Guess, Easy to Remember
- Avoid words and names that might appear in a cracking dictionary
- Avoid too much Leet Speak
- Longer is more secure than complex
- Get creative with text icon substitution
- Make it hard to crack by breaking up words or misspelling words, and make sure your password starts with a letter toward the middle of the alphabet
V – Thou Shalt Protect Your Identity
A determined and persistent attacker could build a database of your personal information by carefully mining password recovery questions.
Always LIE LIE LIE, but make sure you either write it down, or have a scheme for the answers.
VI – Thou Shalt Protect Your E-Mail
Virtually everything you do online ties back to your e-mail.
i – Thou Shalt Use a Unique Password for E-mail
ii – Thou Shalt Use a Strong Password for E-mail
iii – Thou Shalt use a Secure E-mail Platform
iv – Thou Shalt Not Use Your ISP for E-mail
v – Thou Shalt Change Your E-mail Password (often)
vi – Thou Shalt Not Stay Signed In To E-mail
vii – Thou Shalt Maintain a Working Password Recovery E-mail and Phone Number
VII – Thou Shalt Use Unique User Names
If an attacker knows that you use the same user name or your real e-mail address for every website, then half of their work is done!
Always use a unique username. Keep a list of user names and websites in an encrypted file.
Consider using a service such as SneakEmail for disposable e-mail addresses.
VIII – Thou Shalt Protect Your Finances
Use a unique username + password pair for each website that has access to your money – banks, credit cards, stock trading, paypal, etc.
Use multifactor authentication, such as PhoneFactor, if your bank offers it.
Also, Thou Shalt use a separate bank account for direct debit, so that a computer error doesn’t take all of your money and overdraft your bank account.
IX – Thou Shalt Not Stay Signed In
If you stay signed in, and someone gains access to your browser session, they ARE YOU.
It takes just a few seconds to log in to a website, and most websites have a 2 hour timer (or longer) so that you don’t have to constantly re-authenticate.
If a website presents you with a check box that says “keep me signed in”, don’t use it!
X – Thou Shalt Follow a Risk-Based Approach for Passwords
Your password is more than just a key – it’s also a lock that protects something.
If something is important or sensitive, make sure your password is strong enough to protect it.
Whenever you create a new password, ask yourself, what could someone who hates me do, if they gained access to what this password protects?