All posts by Chun Wong

Passwords – Not fit-for-purpose, misused and Ugly

It’s a perennial subject, but one worth reiterating, as old habits die hard. From the numerous losses and publications of unencrypted password lists, a league table of “Popular Passwords” has been created. The data is from 2014, but I very much doubt much has changed, so the message goes out again. Please avoid using regular names, sports teams and standard mis-spellings of dictionary words, such as P455word1; it’s better than 12354567 or qwertyuiop, but it is in no way secure.

Is your password below?

[Image: popular passwords chart]

Source : www.informationisbeautiful.net

There are password guessers which substitute 5, $ etc. for S. The dictionary used covers the main languages of commerce: English, French, Spanish, German and, more commonly now, Korean, Japanese and Chinese.

The safest password is one which is randomly generated, or at least not a dictionary word. Using a password manager is one strategy that people and organisations use, but that means putting your trust in that product and relying on you remembering the password that unlocks it; still, it is a better solution than many others.

Guidelines

  • Use 10 characters or more
  • Avoid dictionary words
  • Don’t reuse passwords across different services (for sensitive or high value services)
  • Don’t just rely on common substitutions
  • Write them down (keep the book/paper safe)

I know the last one is contentious. Better to write it down than to forget it or rely on another piece of software or technology that can be compromised. Your smartphone can be hacked from anywhere in the world; your paper notebook is much, much harder to access.
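As an added example (not code from the original post), here is a small Python checker that applies the guidelines above and undoes the same substitutions the password guessers rely on, together with a generator that uses the operating system's CSPRNG for the "randomly generated" option. The common-password set is the 25 entries from the SplashData table below plus qwertyuiop from the text; DICTIONARY_WORDS is a tiny constructed stand-in for the multi-language word lists, and LEET_MAP is an assumed substitution table, not one from any particular cracking tool.

```python
import re
import secrets
import string

# Common passwords: the 25 SplashData entries from the post plus qwertyuiop,
# which the text calls out. A real deployment would load a breached-password
# list of millions of entries instead of this constructed sample.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow",
    "master", "michael", "superman", "696969", "123123", "batman",
    "trustno1", "qwertyuiop",
}

# Constructed stand-in for the English/French/Spanish/German/... word lists.
DICTIONARY_WORDS = {"password", "dragon", "monkey", "football", "secret", "welcome"}

# Assumed substitution table: the character-for-letter swaps a guesser's
# rule set tries (5 or $ for s, 0 for o, and so on).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
})

MIN_LENGTH = 10  # guideline: 10 characters or more
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(password: str) -> str:
    """Lowercase and undo common substitutions, e.g. 'P455w0rd' -> 'password'."""
    return password.lower().translate(LEET_MAP)


def strip_decoration(word: str) -> str:
    """Drop leading/trailing digits and punctuation, e.g. 'password1!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word)


def core_candidates(lowered: str) -> set:
    """Possible 'base words' hidden in the password.

    Both orders are tried because stripping first handles a trailing '1'
    ('p455word1' -> 'password') while normalising first handles a leading
    '$' that is really an 's' ('$ecret!!' -> 'secret').
    """
    cands = {normalise(strip_decoration(lowered)), strip_decoration(normalise(lowered))}
    cands.discard("")
    return cands


def check_password(password: str) -> list:
    """Return the guideline failures as short codes; an empty list means it passed.

    Codes: 'too_short', 'common' (in the popular list, even after undoing
    substitutions) and 'dictionary' (a plain dictionary word once decorated).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    lowered = password.lower()
    cores = core_candidates(lowered)
    if (lowered in COMMON_PASSWORDS or normalise(lowered) in COMMON_PASSWORDS
            or cores & COMMON_PASSWORDS):
        problems.append("common")
    if cores & DICTIONARY_WORDS:
        problems.append("dictionary")
    return problems


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG (secrets), never the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["P455word1", "Welcome2024!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    fresh = generate_password()
    print(f"{fresh!r}: {check_password(fresh) or 'ok'}")
```

The point of core_candidates is that a checker which only compares the literal string would accept P455word1, yet a guesser applies exactly these substitution rules before comparing, so the checker has to apply them too.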


Rank  Password   Change from 2013
   1  123456     No Change
   2  password   No Change
   3  12345      Up 17
   4  12345678   Down 1
   5  qwerty     Down 1
   6  123456789  No Change
   7  1234       Up 9
   8  baseball   New
   9  dragon     New
  10  football   New
  11  1234567    Down 4
  12  monkey     Up 5
  13  letmein    Up 1
  14  abc123     Down 9
  15  111111     Down 8
  16  mustang    New
  17  access     New
  18  shadow     Unchanged
  19  master     New
  20  michael    New
  21  superman   New
  22  696969     New
  23  123123     Down 12
  24  batman     New
  25  trustno1   Down 1


Source : splashdata.com

My predictions for security/breaches/data loss in 2015 (and beyond)

Top of the list is existing vulnerabilities: the ones that have been published, the ones with patches issued 6 months ago. Coming joint first will be ingress aided by social engineering, the “click here for the latest on Brad Pitt and Angelina Jolie” link or pop-up boxes with “Please enter your credentials to access xyz”.

The first bot on a kitchen appliance has already been reported. As more devices are connected to the ‘net, the more will be compromised and conscripted into the bot armies directed by techno-bandits. Baby monitors, home heating controls, solar panel generators and cars are part of IoT (internet of things).

Much more serious is nation-critical infrastructure being online; even if it is supposed to be off-net, you can bet that someone has connected it up via 3G, wireless, a forgotten ISDN line or even a dial-up modem. All for the sake of convenience, and as convenience always trumps security, it will be a heady cocktail for someone to exploit. The technology is there, the momentum is increasing, but has the security kept up? From past experience, I’d say not.

ATMs (cash machines) will continue to be targeted, whether by skimming, wire-tapping or re-programming by insiders or malware. Crime and criminals will always follow the money.

On the subject of corporate security failings, they’ll keep happening until the board embraces corporate responsibility for security and instils the necessary cultural changes throughout the company, from the top down.