NCSAM post 2 – passwords

National Cyber Security Awareness Month is October, and after a brief interruption, I’m continuing my series of posts that dump out some of the basic parts of security that make all the advanced stuff worthwhile.

Passwords are quite a challenge for many people, because they embody a number of things that people are bad at.

  1. Uniqueness
    A password should be unique, or at the very least sufficiently unusual as to be unguessable. It should also be different from passwords you use at other sites or applications.
  2. Randomness
    We know that a good password is not predictable, and is generally best when it is chosen at random, rather than using any kind of pattern that might be guessed.
  3. Unpredictability
    We’re all predictable by those that know us best. So a password has to be something that we made up ourselves, but that no one can imagine that we would make up.
  4. Length
    The longer you can make a password, the better – but then you have to type it. Practice typing your password quickly. Resist the temptation to use a password made of letters close to one another on the keyboard, because those are words that are guessable. Strange as it may sound, it’s easier to make a password more secure by making it longer than it is to do so by adding funky characters.
  5. Secrecy
    You shouldn’t share your password with anyone else. You should strongly question anyone who tells you that they need your password. In general, they don’t need it. If they are sufficiently powerful technical support folks, they won’t need your password, and if they aren’t sufficiently powerful, why are you asking them for help?
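As an added illustration, not code from the original post, here is a small Python check that puts numbers on points 2 and 4 above: the entropy of a password chosen uniformly at random from a given alphabet and length, and a detector for runs of neighbouring keys on a QWERTY row. The keyboard rows and the 94-character printable alphabet are assumptions of the example.

```python
import math
import string

# US QWERTY rows (an assumption of this example); a run of characters that sit
# next to each other on one row is exactly the kind of pattern a guesser tries.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols each drawn uniformly at random
    from an alphabet of `alphabet_size` symbols (length * log2(alphabet))."""
    return length * math.log2(alphabet_size)


def keyboard_walk_len(password: str) -> int:
    """Length of the longest run of characters that are adjacent on a QWERTY
    row, in either direction. A run of four or more is a red flag."""
    if len(password) < 2:
        return len(password)
    lowered = password.lower()
    longest = run = 1
    for a, b in zip(lowered, lowered[1:]):
        adjacent = any(
            a in row and b in row and abs(row.index(a) - row.index(b)) == 1
            for row in QWERTY_ROWS
        )
        run = run + 1 if adjacent else 1
        longest = max(longest, run)
    return longest


def compare_length_vs_charset() -> dict:
    """The post's point 4 in numbers: a longer lowercase-only password beats a
    shorter one that uses every printable character."""
    lower = len(string.ascii_lowercase)      # 26 symbols
    full = len(string.printable.strip())     # 94 printable non-space symbols
    return {
        "8 chars, full printable set": round(entropy_bits(8, full), 1),
        "12 chars, lowercase only": round(entropy_bits(12, lower), 1),
        "16 chars, lowercase only": round(entropy_bits(16, lower), 1),
    }


if __name__ == "__main__":
    for label, bits in compare_length_vs_charset().items():
        print(f"{label}: {bits} bits")
    for pw in ("qwerty12", "correcthorse"):   # constructed sample inputs
        print(f"{pw!r}: longest keyboard run = {keyboard_walk_len(pw)}")
```

Twelve random lowercase letters (about 56 bits) already beat eight characters from the full printable set (about 52 bits), and the run detector flags "qwerty12" at six adjacent keys.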

What is a password?

A password is a proof of identity. It confirms, or validates, who you have already claimed to be. It’s a secret quantity, and the operating system and applications you use spend significant effort to keep that password secret.

What isn’t a password?

Your username, by contrast, is a claim of identity – it’s who you are claiming to be. Your username is not a secret part of your security, just as your name isn’t a secret. It’s all over the place, in public places, and even if you spend the effort to go “off grid”, or to hide your name from the phone books, nobody else is geared up to help you with that process. Similarly, the operating system and applications will not try to hide your username.

This is why renaming the Administrator account, or generating usernames from random sequences of letters and numbers, will not increase security as significantly as the simple act of extending the minimum length of passwords.

What’s like a password?

There are many other concepts that are like a password, such as private keys on a certificate, or the combination to a safe, the key to a drawer or a door.

What’s not like a password?

Other things that you’d think are like a password, but aren’t, include:

  • Social Security Number
    This is an identifier. You share it with every organisation that collects taxes or reports on your taxes. Although many companies may behave as if this is a secret like a password, it’s not randomly selected, it’s not unpredictable, it’s short, and it’s shared with a large number of people and organisations. It’s certainly something that companies should keep private, but that’s largely because enough organisations treat it as a secret proof of identity that the exposure of an SSN is enough to allow for ‘identity theft’.
  • Credit Card Number
    Again, although everyone, including the credit card companies, treat this as a secret, it’s a secret that you give out to everyone with whom you do business. Some credit card companies provide the ability to generate temporary or single-use card numbers, which allows you to reduce how many people have your true card number.

How should I protect my password?

There are numerous password protection and storage programs, for users and for enterprises. The words used to describe these programs are generally things like “safe” or “vault”. Using these programs will allow you to have large numbers of different passwords, which is only a good thing.

Imagine that one of your web sites gets a vulnerability, or has an administrator go bad. They could steal your password – but only for that site. Do you use that password for any other site? It’s very tempting now that most sites use email addresses as identifiers to use the same password as you use for your email account itself, but then that would mean that anyone who stole your password from one web site would be able to have access to all your other web sites, and your email as well.

Next, and I know this goes against what many people will tell you, you need to write some passwords down on a piece of paper.

First, we all carry around a device whose job is to protect small pieces of paper from falling into other people’s hands – it’s called a wallet, or a purse, and we’re all well-used to protecting those small pieces of paper in this fashion. Put a value on each of your passwords, and use this to decide whether to carry it in your wallet, or leave it in the safe, or put it in a safe deposit box.

Second, there will come a time when you have forgotten a password. In a work situation, there are generally easy ways to get your password reset, and you probably won’t lose a whole lot of data as a result. But for your home life, there’s rarely a good recovery store or process, and it will save you time if there’s a lock-box you can go to in order to recover your precious secret.

True story – a friend of mine had an accident that gave him a fractured skull and left him in a dubious state of consciousness for many weeks. He never remembered the passwords he had before the accident, and as a result, had to wipe out several machines rather than log on to them and recover them. He hadn’t written the passwords down or stored them in a safe deposit box, so his family and friends could not maintain his systems for him while he was ‘out’. He even lost his domain name to some domain squatters (though his friends very nicely bought it back for him).

Think about what access you would lose in a similar situation – or what access your family would lose.

Don’t share your passwords, or at the very least, make sure that there’s no easy way for someone to have your passwords and access to use them.

A safe-deposit box, or some other device that can only be retrieved if you are killed, or incapacitated in some way, is really the only place to make your high-value passwords accessible to others.

If you share your passwords with other people, you immediately move any investigation into your computing behaviour from the realms of “innocent until proven guilty” (it couldn’t be you, because your account wasn’t being used) to “guilty until proven innocent” (not only were you disobeying rules by sharing your password, but the activity was traced to your account, making it incredibly difficult for you to prove it wasn’t you that controlled the account at the time).

Finally, and this is especially true if you are writing down passwords, you need to have a plan for changing your passwords in an emergency, and you need to exercise this plan regularly. This means you need to know how to change passwords, write down details of how to change passwords (except in the most obvious cases), and you need to make sure that your understanding of how to change passwords is still accurate.

I personally think that this is the biggest reason that you need to change your passwords regularly – although, if you are the sort of person who wantonly shares passwords, the fact of sharing passwords with another person is reason enough to frequently change them.

How broken is the banking system?

Jeremy Clarkson – we should all have his simple naivete and faith in the system

My kid and I love watching Top Gear – me, because it’s nice to see him interested in a very traditional British TV programme (in the US, you can find it on BBC America), and him, because he just loves cars – particularly high-performance ones.

So I have to admit to having a little chuckle as I find what’s been going on in the life of its host, Jeremy Clarkson.

Well, in the wake of the recent loss of 25 million child benefit case records by the UK Government’s HMRC (tax and customs) department… what, you didn’t hear about it?

Okay, I’ll admit, I didn’t report on it, because I figured the world and his wife had already heard all there was to hear on the story. Cut to the chase – someone at the HMRC received a call from someone at the NAO (National Audit Office), asking for some records. Rather than asking if they were supposed to be handing those records over, or if the NAO actually had any rights to receive the records, the “junior official” involved sent a couple of disks … in internal mail (which turned out not to be so internal, having been contracted out to a courier) to the NAO.

The NAO called back after a few days, asking where their data was.

The junior official sent another copy!

At this point, somebody told someone, and a big stink got raised that there was all this data out there – 25 million records, 7.5 million families, containing names, addresses, bank account numbers, national insurance numbers (NI numbers – that’s our equivalent of Social Security Numbers or SSNs).

Okay, so in the wake of all this, lad Jeremy decides he’s fed up of all the press coverage of the waste of time investigation into the whole loss of two miserable little CDs.

He declares, in one of the UK national newspapers (the one with semi-naked women on one of its inside pages), that it’s all a load of fuss over nothing – even goes so far as to call it a “palaver” (which is not, apparently, a knitted garment – that would be either a pullover, or a balaclava).

Mr C even goes so far as to publish his own bank account number. With sort code (aka bank routing number, to those of us in the USA).

“All you’ll be able to do with them is put money into my account. Not take it out. Honestly, I’ve never known such a palaver about nothing,”

See – I told you he called it a palaver.

Sadly, as the BBC (don’t they broadcast Top Gear, or something?) reports, “Clarkson stung after bank prank”. I guess we couldn’t predict that.

“I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account,”

After explaining to some disbelieving friends how this could have happened, I realised that not everyone has had the chance to run their own business, and see what a mess the banking system is. We all assume that the banks have our best interests at heart, and operate securely in ways that ensure we can’t lose a penny.

Not really, no. They work (mostly) on the basis that it’s cheaper to refund your money if you notice a problem and complain, than it would be to fix the problem in the first place.

Here’s a simple explanation of how “direct debit” (in the US, “automated payment”) works:

Most commonly you would complete a written Direct Debit Instruction, obtained from the organisation you wish to pay and return it to them for onward transmission to your bank. Some direct debits may be set up over the phone or via the Internet. In these cases the organisation must subsequently write to you confirming what has been agreed.

So, the receiving organisation claims to the bank that someone claiming to be the account holder requested them to withdraw money from the account.

Note “claims”, because there’s no proof at that stage.

It’s not even as workable as “you write to the bank requesting they allow a direct debit from your account” – the bank has no opportunity to interact with the customer except by sending them their next bank statement!

That’s broken – but then again, I’ve written before about how broken the credit card system for web purchases is. Again, the actual issuing bank, the one with whom you have a relationship, and who could validate your identity, is kept out of the transaction until it’s already finished.

What would be super is if a celebrity like Jeremy Clarkson would start a campaign to have the banks be required to all team up and do a properly secure set of protocols for credit card and payment authorisations. Then merchants like me wouldn’t whine about repeated charge-backs that we can’t actually refute, and people like him, ignorant about the truth of the banking industry’s inability to secure the very money they are entrusted with, wouldn’t go handing out money willy-nilly to random charities just to prove that their trust is woefully misplaced.

I just don’t think it’ll happen.

I hope there was only £500 in the account, and that Mr Clarkson has already closed that account, and opened one whose number he will keep secret, sharing only with the bank, the company that prints his cheques, everyone he ever pays by cheque… now there’s another broken system.

Finally, credit cards done right… maybe

For the longest time, I’ve been mystified at the way in which we as an information-based society conduct online transactions.

Here’s how it goes right now:

  1. Customer sends secret information (card number and maybe CVV2) to vendor.

  2. Vendor promises not to disclose information to anyone but the bank.

  3. Vendor accidentally or deliberately discloses secret information to thieves.

  4. Thieves run up huge credit card bills with other vendors (call them “suckers”).

  5. Customer reports unapproved use of credit card.

  6. Bank takes money out of sucker vendors’ accounts in the amount of the theft plus a fine. Oh, and charges a percentage of the transaction cost in both directions.

  7. Rinse, lather, repeat.

Obviously, those vendors that are accepting credit cards are complete suckers, because they get fined for accepting credit card numbers from the thieves, when of course the bank has provided them with no means of confirming the identity of the person placing the order.

It’s really obvious that the way this should proceed in an Internet-connected society is as follows:

  1. Customer identifies herself to the bank (through secret information or public key infrastructure, doesn’t much matter, because there are only two parties concerned – bank and customer)

  2. Customer tells bank what vendor they want to pay, and how much.

  3. Bank provides customer with a difficult-to-forge, non-repeatable, time-sensitive code tied to this one purchase.

  4. Customer sends code to vendor.

  5. Vendor can post code on billboards, for all anyone cares, because that code is only usable by that vendor, for this transaction, for this amount, over the next couple of days (hey, vendors are slow to cash credit card transactions).

  6. Vendor sends code to bank.

  7. Bank pays vendor from customer’s account.

  8. Vendor can post code on billboards, for all anyone cares, because that code is now not usable by any vendor, for any transaction.

Obviously, there’s still opportunity for fraud – if the customer or the bank share their shared secret with someone else. But then, that’s two parties who have engaged in a contract to trust one another for monetary exchange, and who have adequate reason to keep that information secret – plus, if the secret is exposed, there’s already an approved method to re-assign new secrets.
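A toy model of the eight-step flow above, added here as an example and not code from the post or from any bank or payment provider: the bank issues a code that is an HMAC over (vendor, amount, expiry, nonce) under a key only the bank holds, so it is difficult to forge; it is bound to one vendor and one amount, it expires, and a nonce table makes it usable exactly once, which is why the vendor could post it on a billboard. Account names, amounts and the clock values are constructed for the example.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Bank side of the scheme: step 3 issues a one-purchase code, steps 6-7
    redeem it once. Time is an integer passed by the caller (deterministic)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # MAC key known only to the bank
        self.accounts = {}                  # name -> balance (constructed)
        self.pending = {}                   # nonce -> customer who asked for it
        self.spent = set()                  # nonces already redeemed

    def open_account(self, name, balance=0):
        self.accounts[name] = balance

    def _tag(self, vendor, amount, expiry, nonce):
        msg = f"{vendor}|{amount}|{expiry}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def issue_code(self, customer, vendor, amount, now, ttl=2 * 24 * 3600):
        """Step 3: an already-authenticated customer names vendor and amount;
        the code carries the binding openly plus a tag only the bank can make."""
        expiry = now + ttl
        nonce = secrets.token_hex(8)
        self.pending[nonce] = customer          # customer identity stays at the bank
        tag = self._tag(vendor, amount, expiry, nonce)
        return f"{vendor}:{amount}:{expiry}:{nonce}:{tag}"

    def redeem(self, code, vendor, amount, now):
        """Steps 6-7: vendor presents the code; bank checks tag, binding,
        expiry and single use before moving money."""
        try:
            c_vendor, c_amount, c_expiry, nonce, tag = code.split(":")
            c_amount, c_expiry = int(c_amount), int(c_expiry)
        except ValueError:
            return "rejected: malformed code"
        if not hmac.compare_digest(tag, self._tag(c_vendor, c_amount, c_expiry, nonce)):
            return "rejected: forged code"
        if (c_vendor, c_amount) != (vendor, amount):
            return "rejected: code bound to a different vendor or amount"
        if now > c_expiry:
            return "rejected: expired"
        customer = self.pending.get(nonce)
        if nonce in self.spent or customer is None:
            return "rejected: already used"
        if self.accounts[customer] < amount:
            return "rejected: insufficient funds"
        self.accounts[customer] -= amount
        self.accounts[vendor] = self.accounts.get(vendor, 0) + amount
        self.spent.add(nonce)
        del self.pending[nonce]
        return "paid"
```

Once a code has been redeemed it fails as "already used", and a code presented by a different vendor or for a different amount is refused even though its tag is genuine, which is step 5 and step 8 of the flow in working form.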

Sadly, there’s no incentive for the system to change this way – neither the customer nor the banks have any incentive to change, because they don’t lose money when credit cards are used fraudulently – it’s only the sucker vendor who loses money, and the sucker vendor has to accept credit cards, because there’s no other way to take money over the Internet.

All that is about to change, I hope.

PayPal, a division of eBay, is one of the biggest sucker vendors there can be. Clearly, they’ve gotten tired of having to pay the fees, fines, and cost of lost goods, when credit cards are fraudulently used. Because they’ve finally come up with the right way to do things!

Okay, so it’s not quite as I outlined, because of course PayPal decided to do it in such a way that a vendor doesn’t even have to know that they’re dealing with PayPal’s new scheme – the secret code is exactly a MasterCard number.

Apart from this significant problem – that vendors still have no way to ensure that they are dealing with a more secure payment means, and therefore can’t offer faster service, less chance of fraud checking triggering an alert, etc – this is a good scheme, and I want to see it proceed to fruition.

It’ll be even better if someone at PayPal wises up to the idea of providing a simple means to check that the MasterCard number provided is from the secured payment program (PayPal calls it “Virtual Debit Card” or “VDC” for the present).

This scheme, or something similar, has been operated previously by other banks and in other countries, but the fact that PayPal, a large provider, is going to adopt it means that we should be on the road to a more secure future, where vendors aren’t dunned by banks and thieves alike for credit card fraud that is beyond the vendors’ control.