Passwords That Defend
When used properly, system passwords can be a powerful defense; or, as in the recent DDoS attack that used IoT devices, they can serve as a weak entry point for attackers. When an educated IT professional has the opportunity to control the passwords, or at least the requirements for them, we find that organizations are less vulnerable, because in most cases this professional is following sound guidance on secure passwords. But what happens when a less aware end user is setting up a system and has not been trained in proper password practices? Let’s explore some ideas. For this blog I will focus on IoT in the home. This is relevant to business because most knowledge workers today work from home, coffee shops or other places that could be compromised and thus impact our business. Spreading awareness helps the entire ecosystem.
This past weekend I had the opportunity to finally watch The Imitation Game, a movie about breaking the then-impenetrable Enigma machine that Hitler’s team used to send encrypted messages. The key to unlock these messages had 159 million possibilities, and the best cryptanalyst of the time had no idea how to crack this code. Along comes a child prodigy with the unthinkable idea of using a machine to defeat a machine, rather than human intellect alone. That machine is the precursor to many modern-day computers and cryptology advances. Once the key was cracked, the Allies were able to put plans together to defeat Hitler. I enjoyed the movie; more importantly, however, I enjoyed the “techie” component even more.
For the systems we want to protect, our key is the password. The more complex the key, the harder it is for anyone to gain access. Almost any key can be discovered; the question is how long it will take and how many resources are required. Our goal is to make our passwords strong enough that most attackers will not bother putting forth the resources and time to try. Hackers are looking for easy targets to exploit. Avoid being the weak, easy target.
NIST recently released SP800-160, which discusses at length steps end users and industry can take to improve IoT security. To no one’s surprise, changing the default password is recommended. This should always be done with any new system going online. For the layman, however, this is often not done, and that is exactly what the hackers exploit.
For those laymen astute enough to change the password, a simple, easy-to-remember password is often chosen. Hackers love this as well, because not much time or resources are necessary to gain access. Another common challenge is reusing passwords, even complex ones, so that they are easier to remember. The obvious problem with reuse is that a compromise of one system leads to a compromise of multiple systems. I talk to many people who have 100 or more systems that they access on a regular basis (think Facebook, email, bank account, Xbox, etc.; these add up quickly), and managing the passwords to all these systems can be a daunting task. So what should the layman do?
The SANS Institute offers guidance on password protection and password construction. Below are a few guidelines that laymen can implement at home before putting systems online, and definitely before attaching corporate resources to the home environment.
Implement “Strong Passwords”: 12+ characters using numbers, letters and special symbols.
Avoid “Weak Passwords”: Easy to guess words or phrases, slang, personal info etc. (see SANS guidance for more)
Consider a “Passphrase”: a long construction of multiple words, symbols, and numbers
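As an added illustration of the three guidelines above (this is not code from the post, from SANS or from NIST), here is a small Python checker that applies them and estimates the brute-force search space the key-strength discussion earlier refers to; the weak-word list, the symbol count and the guess rate are constructed assumptions.

```python
import math
import re

# Constructed stand-in for the SANS "weak password" examples (easy-to-guess words,
# slang); a real deployment would load a large breached-password list instead.
WEAK_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "football"}

def search_space_bits(password: str) -> float:
    """Brute-force search space, in bits, from the character classes actually used.
    An upper bound on the attacker's work; dictionary guessing is far cheaper."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII symbols (assumed count)
    return len(password) * math.log2(pool) if pool else 0.0

def worst_case_guess_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Seconds to exhaust the search space at an assumed guess rate (the 1e10/s
    default is a constructed figure). Illustrates the post's point that the
    question is how long a key takes to find, not whether it can be found."""
    return 2 ** search_space_bits(password) / guesses_per_second

def check_password(password: str, personal_info=()) -> list:
    """Return guideline violations; an empty list means the password meets the
    guidelines quoted above (12+ chars, mixed classes, no easy-to-guess words or
    personal info). A passphrase like 'Correct-Horse-Battery-7Staple' passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("does not mix letters, numbers and special symbols")
    lowered = password.lower()
    if any(word in lowered for word in WEAK_WORDS):
        problems.append("contains an easy-to-guess word")
    # Only compare personal details long enough to be meaningful (3+ characters).
    if any(len(info) >= 3 and info.lower() in lowered for info in personal_info):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    for pw in ("password1", "Correct-Horse-Battery-7Staple"):
        print(pw, check_password(pw) or "OK", f"{search_space_bits(pw):.1f} bits")
```

Pass the pet names, birth years and similar details a user is likely to reuse as `personal_info` so the checker can flag them.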
Organizations spend more time on the policies and guidelines as complexity rises with more people, but for the layman these guidelines should help.
Remember, the goal is not to produce the next Enigma-type challenge for the hackers. You just want them to bypass your system and move on to the next target.
Thomas Addison has more than 20 years of experience in the technology industry where he has spent time as an engineer, consultant and sales leader.