Back to basics: password security
Another widespread, high-profile security breach — this one at Virginia’s largest health insurance provider, Anthem — serves as a reminder that our business and customer information is targeted in a very real way on a regular basis. Securing sensitive information can no longer be deferred to the back-office information technology staff. It has become the responsibility of all employees. And one of the most effective ways to protect information is by using strong passwords.
Passwords serve the same purpose as the keys on your key ring. Would you install a lock on your home, car, or safe with a generic key used by lots of other people? Probably not. Consider a password a key that you can create yourself. With a little forethought and planning, your passwords can be strong enough to protect your business’s information, easy to remember, and even a way to learn new things. Here are some tips to make passwords manageable.
Protecting really important information
Some information is so important that it needs a unique and very strong password. Your email, online bank account, and investment accounts are probably the highest-risk data you access online. Each of these accounts should have a long, complex, unique password. Here are my suggestions for creating a strong, unique password.
• Select a song, movie or book — for example, the Beatles song “While My Guitar Gently Weeps,” released in 1968. Take the first letter of each word, and add some special characters and/or more information to the beginning or end:
• Use a pass phrase. Long passwords are the strongest. If a password is long enough, it can include dictionary words without reducing its strength:
Protecting kind-of important information
All data are not created equal. Therefore, all passwords do not have to be created equally. For less-sensitive information, I suggest using what I call a Consistent Dynamic Password (CDP). This password has two parts. The first part is a strong default password. The second part is applicable to the data it is securing.
1. The first half of the CDP (the consistent part) is a strong default password with letters, numbers, a special character, no dictionary words, and at least 8 characters. You can use the suggestions above to create the first half. Continuing with the Beatles example, let’s use “WmGGW1968!” as the default password.
2. The second half of the CDP (the dynamic part) is to add a component applicable to the data being protected. For example, let’s say you are creating a password for your online Wall Street Journal subscription. The information protected by the password is not sensitive, but you still need a strong password. So, add something to the end of the default password like WallSt.
3. Combine the two components of the CDP to make a strong, easy-to-remember password: WmGGW1968!WallSt.
There are a few benefits to using the CDP for less sensitive accounts. First, although the data is less sensitive, the password is strong but easy to remember. Second, if the login credentials are compromised, they would not impact your other accounts because all of your passwords are different.
Using passwords to learn something new
Some passwords must be changed frequently, so you can use them to drill new information into your brain by finding something you want to learn and creating a password using that information. For example, I wanted to learn the military alphabet, so for about 18 months, my passwords included some derivative of Alpha, Bravo, Charlie, Delta, Echo, etc. You could consider historical events ([email protected]!c*) or phone numbers (867-5309#forJenny). A word of caution — most password cracking tools and rainbow tables account for the substitution of numbers or special characters for letters, so replacing A with @ and I with 1 does not help the cause.
Steve Gibson of Gibson Research Corp. suggests “password padding” as another method to craft easy-to-remember but difficult-to-crack passwords. Padding is the practice of adding a combination of characters to increase password length. For example, adding a character combination like ^--^ to the beginning or end of a password makes it far less likely to be cracked. The password “password” would take 0.00217 seconds to crack. But padding it to create the password “password^--^” increases that time to 6.9 months! Another word of caution — using password as your password is a really bad idea.
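As an added illustration of the two cautions above (example code, not from the original article or from Gibson Research): a Python policy check that undoes the usual symbol-for-letter swaps before a dictionary lookup, and scores length the way a haystack-style search-space calculation does. It assumes a guess rate of 1e14 per second (the rate at which the page's 0.00217 seconds and 6.9 months both come out), a five-word stand-in wordlist, and a one-year acceptance bar; the CDP password from earlier is included as a passing case.

```python
import string

# Constructed stand-in for a cracking wordlist (assumption: a real check would
# load a large breached-password list instead).
COMMON_WORDS = {"password", "letmein", "qwerty", "beatles", "titanic"}

# Symbol-for-letter swaps that cracking rule sets already try; undoing them
# before the dictionary check models attacker effort honestly.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "1": "i", "!": "i", "0": "o",
                          "3": "e", "$": "s", "5": "s", "7": "t"})

# Assumed offline guess rate (assumption): the page's 0.00217 s and 6.9 months
# both come out at this rate, so it is used here for comparability.
GUESSES_PER_SECOND = 1e14

def normalize_leet(pw: str) -> str:
    """Undo common substitutions so 'P@ssw0rd' is compared as 'password'."""
    return pw.translate(LEET_MAP).lower()

def contains_dictionary_word(pw: str) -> bool:
    normalized = normalize_leet(pw)
    return any(word in normalized for word in COMMON_WORDS)

def search_space(pw: str) -> int:
    """Haystack-style search space: alphabet size from the character classes
    present, summed over every length up to len(pw) (exhaustive guessing)."""
    alphabet = 0
    alphabet += 26 if any(c.islower() for c in pw) else 0
    alphabet += 26 if any(c.isupper() for c in pw) else 0
    alphabet += 10 if any(c.isdigit() for c in pw) else 0
    alphabet += 33 if any(c in string.punctuation + " " for c in pw) else 0
    return sum(alphabet ** n for n in range(1, len(pw) + 1))

def crack_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the whole search space at the assumed rate."""
    return search_space(pw) / rate

def assess(pw: str) -> str:
    """Policy verdict: a dictionary-based password fails regardless of padding
    or substitutions; the rest are judged by exhaustive-search time against
    an assumed one-year bar."""
    if contains_dictionary_word(pw):
        return "reject: dictionary word (substitutions do not help)"
    days = crack_seconds(pw) / 86400
    return "accept" if days >= 365 else f"weak: exhaustible in {days:.1f} days"

if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd", "password^--^", "WmGGW1968!WallSt"]:
        print(f"{pw!r}: {assess(pw)} ({crack_seconds(pw):.3g} s)")
```

Note that the padded “password^--^” is still rejected by the dictionary check even though its exhaustive-search time is months, which is the page's own point about padding a bad base word.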
Until all sensitive information includes some form of multi-factor authentication, passwords are sticking around. It’s best to accept this truism and make the best of it. Your data will continue to be targeted, and strong passwords will be the best first line of defense.
Bryan Newlin is an IT Audit Manager with Yount, Hyde & Barbour’s Risk Advisory Services Team in Winchester and a member of the Virginia Society of Certified Public Accountants (VSCPA). For more information contact Bryan at (540) 662-3417, [email protected], or by visiting http://yhbcpa.com.