Knocked into a cocked (Panama) hat

11 04 2016

Unless you’ve been living under a rock for the past week you can’t have failed to be aware of the ‘Panama Papers’. 2.6Tb of data, 11.5m documents, 30,000 lorries worth if you printed them out, and so on and so forth.

Information relating to offshore companies, tax avoidance and (possibly) tax evasion, dodgy art deals, alleged money laundering activities, corrupt country leaders and multi millionaires.

So what has this to do with my reader base? Well unless you’ve been keeping something from me and you’re actually an international bad guy, up there with Scaramanga and Blofeld, not a lot on the face of it.

But, let’s just take a step back and look at this from a slightly different angle.

Here we have a law firm, Mossack Fonseca, who prided themselves on guaranteeing confidentiality, indeed on their web site under data security they say “Your information has never been safer than with Mossack Fonseca’s secure Client Portal”. The people they dealt with chose them because they didn’t want their activities to be under public scrutiny, they designed company structures to be obscure and obtuse, everything was geared towards secrecy.

And yet, based on reviews carried out by various security firms, they were running software that was not only out of date, but which had well publicised (and exploited) vulnerabilities. Their servers were not protected by firewalls, the secret data was unencrypted, and it appears their monitoring was so poor (or maybe non-existent) that they failed to notice the exfiltration of vast amounts of data over many months.

So, just to repeat, this company existed in a world where secrecy and confidentiality were everything, where their customers made the fundamental assumption that their activities would remain hidden from public gaze and that they could trust their lawyers to protect their interests at all times.

Despite all of that, this organisation appears to have disregarded pretty much every rule of information security.

So if a firm operating in that environment could be so bad at looking after their customers’ data, what about the thousands of other companies with an internet presence who are holding YOUR data? The small (and not so small) organisations you share your details with on a daily basis, the ones you order from online, send emails to with personal details included, upload files of photos, documents or whatever. How confident can you be that they are any better prepared than Mossack Fonseca?

And that’s why this story is relevant to my readers. Poor information security practices are endemic across all industries and all sizes of organisation. We put up with it because we are not big enough to make the difference on our own, and not rich enough to organise the campaigns necessary to force changes through.

Mossack Fonseca is the 4th biggest player in this field; you can bet the clients of numbers 1, 2 and 3 have been asking some very pointed questions over the past few days.

Maybe, just maybe, the exposure of the personal details of the richest, most powerful (and let’s be honest, most scary) people on the planet might be the trigger that pushes achieving real information security to the forefront of the thinking of governments and other influential bodies. Could this incident be the tipping point that’s always eluded us? Because, as sure as eggs are eggs, the hundreds of millions of personal records of ‘ordinary’ people that have been leaked over the past year were not seen as important enough.

Fingers crossed.

David


Stand and deliver – your money or your (computer) life

28 03 2016

Ransomware. It’s been around for a few years now but in the last 6 months or so it’s really hit the mainstream press, and therefore entered the consciousness of the ‘ordinary person’. Recent high profile cases include a couple of hospitals in the US, a police station and a local authority in the UK.

Before I go into the details and explore what you can, or more likely can’t, do to protect yourself, I think it’s worth taking a step back and looking at the so called ‘underground economy’ of cyber crime.

Back in the day, the bad guys in the computer world were generally loners who did what they did for kicks and credibility amongst their peers. Very irritating, occasionally brilliant and generally disorganised.

That changed once it became clear that there was money to be made from what has come to be known as cybercrime. The professionals moved in as organised crime saw it as another lucrative string to their bow, promising low risk and high returns. Along with the increased organisation and the massive amounts of money, came demands for structure, specialists, quality control and co-ordination as well as the incessant demand for more and better products.

Nowadays a complete ecosystem is in place that is at least as organised as the mainstream legitimate economy. There are market places for the sale and exchange of everything from software to stolen credit cards. Code comes with money back guarantees, free trials, help manuals and even help desks. Every aspect of the economy has specialists who only focus on what they do best and hand on to the next person in the chain when their part is complete.

Into this mix comes ransomware.

Ransomware is, to put it in simple terms, a piece of computer code that you inadvertently download to your PC. It might infect your PC via an email attachment, a website or even from an advert you click on. However it gets in, it has one purpose: to encrypt your files, and once those files are encrypted they will stay encrypted unless you can obtain the decryption key. And here’s the clever bit: in exchange for a fee, usually in bitcoin, the bad guys will send you the decryption key.

The first you will probably know about it is a screen that pops up on your computer looking something like the one below, which is from CryptoLocker,

[Image: CryptoLocker ransom screen]

but they are all pretty much the same. At that point you have three choices:

  1. Restore your files from the backup (you do have backups don’t you?)
  2. Pay the fee
  3. Accept you have lost the files for ever and just move on.

Option 1 is fine as long as the backups are not accessible from the PC and the ransomware has not already found them and encrypted them as well. Assuming they are OK you simply need to disinfect your PC by running up to date antivirus software (the av software usually runs a day or so behind new ransomware so it might not work immediately – check online), delete the encrypted files and restore from your backups.

Option 2 is not ideal for a couple of reasons. Firstly, the current fee is around 4 bitcoin, which at the time of writing is about $700. For a company that might be a small price to pay; for the audience of this blog it’s a not inconsiderable amount. Secondly, whilst it’s in the interest of the bad guys to make the process work, there are a number of reasons why it could fail. There might be an error in their code, there might be a problem with their use of encryption, or law enforcement may have found them and taken down the website that’s hosting the decryption key. But as I said previously, this is a business and they are keen to maintain their reputation, and anecdotal evidence suggests that paying the fee will result in you receiving the decryption key.

Option 3 depends on you knowing what’s on your PC and whether you care about it. You still need to disinfect your PC but that’s about it.

So what can you do to protect yourself from ransomware? To be honest, beyond the normal good practice of regularly applying security updates and running up to date antivirus software, not a lot. The age old advice of avoiding ‘dodgy’ websites, whilst still valid, is not sufficient as many mainstream websites are infected these days (often via their advertisers’ sites). Not clicking on unexpected email attachments or following unknown links in emails is also fundamental good practice, but is no guarantee that you’ll be safe.

One thing you might want to consider is to remove the admin rights from your normal account and create a separate account that you only use for admin type things (such as installing software). Some ransomware relies on being the Administrator on the box, so if you are logged in as a ‘normal’ user then it won’t work, or at least will only work on those files you control. Not perfect, but something.

The bottom line is that you are in the same position as the rest of us in the Commercial world. You have to expect the attack and then plan your response and try and mitigate the impact.

What stuff on your PC do you care about? Unless you are running a business, it probably boils down to photos and music, with a few personal letters thrown in.

You should make sure that you have backup copies of these important things. My previous blog about the Cloud gives some suggestions, but you could also consider offline backups on USB drives, SD cards or whatever. The main thing is to have them somewhere that is not immediately accessible from your PC, so that if bad stuff happens you’ve still got those photos of great aunt Daisy’s 100th birthday.

So that’s it I’m afraid. Ransomware is here to stay and will get more effective and more prevalent as time passes. Using the Internet gets more like Russian roulette every day, bad stuff is out there and it’s likely to get you at some point. All you can do is do the basics right (many of which I’ve covered in previous blog entries), and know what you are going to do when it’s your turn to get hit.

Depressing? Probably, but like everything else, until the general public really cares about something, governments and business won’t pay attention and get the problems fixed. Internet security is bubbling to the surface but at the moment there is more lip service than customer service being paid to solving the problem. Whilst software companies can get away with writing poor code, ISPs can get away with not caring about what they are hosting and Joe Public continues to do stupid things, Internet crime will continue on an upward tick that shows no sign of flattening out anytime soon.

Safe surfing

David

Cloudy security

24 02 2016

“Cloud computing”: two words guaranteed to generate a multitude of reactions, from confusion to fear and much in between. Most have heard of it, many talk about it and some even understand it, but what has it got to do with Joe or Jane Public, and should you care?

In this post I’m going to try to blow away some of the fog about Cloud, but as it’s only a blog entry and not a book I’m not going to have the space to address all of the issues, opportunities and plain BS that the topic encompasses.

This is not written for the expert, although I welcome your feedback and comments; it’s written for the man or woman in the street who is wittingly or unwittingly putting their personal information and precious photos out there in Cloud Land. Why write a blog post on something that has been around for years? Well, I’m finding that the more adept people become at using technology, the less they understand it. This is for those people.

So first things first, what (or even where) is the Cloud?

As is so often the case there is no simple answer, or even total agreement on what the answer is. One thing you can be sure about is that it’s not a cloud, or even ‘the internet’.

The Cloud can best be thought of as computing infrastructure that is run by other people where you can store your electronic files or do computing stuff.

Cloud breaks down into three main types: public (anyone can use it), private (only you can use it) or hybrid (a bit of both), and the services offered break down into PaaS (Platform as a Service), SaaS (Software as a Service) or IaaS (Infrastructure as a Service). There is also FOaaS but I’ll let you Google that one.

Most of us could not care less if it’s a P, an I or an S, or even if it’s public or private (but trust me, it will usually be public). All we care about is that we have somewhere to store our pictures or music or whatever, that we can access them from our phone, tablet or desktop from anywhere in the world, and that we can share them with anyone we want to at any time, ideally with the minimum of fuss.

I’m not going to touch on Office 365 or Dropbox, or how those of you running your own businesses might want to make use of the Cloud (maybe that’s a topic for another blog), just the ‘in your face’ ones that almost everyone is using by default.

iCloud (Apple), OneDrive (Microsoft) and Google Drive (Google), to name but a few, all give you free storage ranging from 5Gb to 25Gb with the option to buy more if you want it, and they are all linked to your vendor account (Apple ID, Outlook or Google etc.) so are (theoretically) secure. These are all public clouds in that it’s a ‘one size fits all’ model – no tailoring of the service allowed – with access available to anyone who wants it, albeit with access to your bit restricted to you and (hopefully) blocked to everyone else, apart from those people listed below and those you’ve chosen to share it with.

So far so hunky dory. Loads of storage, easily accessible and free, what’s not to love?

Well, to be honest, if you don’t care where your stuff is stored (Europe, America, Asia, under the Atlantic (well, maybe not yet, but watch this space)), and you don’t care how many employees, contractors, third parties or other relations of your chosen supplier can access your stuff in the spirit of ‘system management’, and you don’t know or care who they can share it with, then not much. But therein lies the rub: with most of the free cloud storage, and quite a bit of the not so free, you have no control over any of this. When you sign up for your cloud storage you agree to all manner of things in the Terms and Conditions (Apple’s runs to over 20,000 words), and unless you hit “I Agree” you can’t use the service. No discussion, no negotiation, just a simple “accept or go elsewhere”.

When you put your music collection, precious photos or critical documents “into the Cloud”, what are you actually expecting to happen? How long do you think they will be there, are they backed up, can you transfer them somewhere else (such as if you decide to move from Apple to Android)? The bottom line is you don’t know because you never asked. You just blindly went with the flow because it was there and it was free.

Will Apple stop offering iCloud, or Microsoft OneDrive? Will they change the T&Cs and start to charge you for the storage? Will they decide that as part of the free deal they can use your stuff for their own purposes (as Instagram tried to do when they suddenly announced they were going to sell YOUR photos for THEIR benefit – and only backed down after they started to lose market share)? The bottom line is you don’t know, and you can’t know, because you don’t have any say in the infrastructure. You’ve given everything to someone else to store in their datacentres and you aren’t even paying them for the privilege.

I’m not saying don’t use the Cloud; what I am saying is use it with your eyes open and consider spreading the risk. Think about what you are uploading and how much it matters to you. If it’s your photo collection then upload them to more than one Cloud provider; after all, they’re free and it would be rude not to take advantage (I have mine in both Google and OneDrive, just in case one of them has a problem, and there’s always the copy on my own devices).

The same goes for documents that are not sensitive. But if they are sensitive (for whatever reason), just remember that whilst your strong password (see a previous blog) will stop miscreants cracking into your account and reading your stuff, the Cloud provider’s staff will have access for perfectly valid reasons such as keeping the systems running, and unless the data is encrypted (which is unlikely) they will be able to read it. Now, are they going to target your files out of the petabytes of data they are holding? Well, it depends on who you are, but the fact is they could, and if that bothers you, maybe the Cloud is not the right place for you and your data.

So in summary. The Cloud is the perfect Martini solution (Google it if you’re under 35) for your electronic information. But in exchange for the ease of use and free storage you are giving control over the security of your stuff to someone else. If you don’t care, then fill your boots as they say. If you do then maybe you need to be more selective.

As Mr Wordsworth said, “I wandered lonely as a cloud, That floats on high o’er vales and hills”; it’s just that you have no idea where those vales and hills may be.

Happy surfing

David





Encryption and back doors

21 02 2016

A lot has been written over the past few months about demands that the providers of encryption software provide ‘backdoors’ so that law enforcement can decrypt information that the ‘bad guys’ want to hide. So I thought I’d add my h’app’enth worth into the debate.

As is so often the case in technical matters, much of what has been written is biased or just plain wrong, with vested interests (on both sides of the debate) trying to promote their angle through misinformation and the spread of FUD (fear, uncertainty and doubt).

The current FBI vs Apple law suit is just another thread in this saga, and whilst it is not explicitly about the encryption on the device, the ‘backdoor’ argument is the same.

So let’s strip this debate back to its bare bones, by posing a few very simple questions.

  1. Is encryption a fundamental necessity for the way we use computing in the 21st Century?
  2. Do we believe that, in the age of ubiquitous social media and the proliferation of computing devices and technologies across the globe, a secret (such as the backdoor key) can be kept out of the hands of those not meant to know it?
  3. Do we trust those in possession of the secret to only use it for the intended purpose, and that all of the checks and balances introduced to manage the use of the secret will be adhered to by all parties?

Starting with the first question, I believe the answer is “absolutely”. Trillions of £’s worth of transactions occur every day across the globe, ranging from international finance down to buying a book off Amazon. Personal details (medical, political, sexual orientation etc) of individuals are stored and shared by and between companies and the wider population to make our services function. Trade secrets are stored to provide long term security to companies and their employees, and so the list goes on. All of these require the information to be secure and trusted, and encryption is the only way we can go any way towards achieving this in the computer age.

The second one is even easier to answer. Edward Snowden, Chelsea Manning and a host of other less well known whistleblowers have shown that Governments cannot keep their secrets safe, however hard they try. Companies lose hundreds of millions of customer records every year from within their boundaries, and people (who are what everything comes down to in the end) continue to do stupid things, sharing their passwords, downloading viruses and falling for social engineering scams. To my mind this proves that secrets cannot be kept. People will always make mistakes or leak information that they believe should be in the public domain. And that does not even begin to cover the likelihood of threats of violence or extortion to make people reveal information against their will.

The final one is slightly harder to answer. Conspiracy theorists and libertarians will answer with a resounding “No!”. Government spokespeople will offer all sorts of assurances, and the truth lies somewhere in between. To my mind the important point is that ‘governments’, ‘law enforcement’ and ‘secret services’ are not things. They are made up from the people who work there, the same people who do stupid or bad things, often for what they consider to be the right reasons. So in my view there will always be those who can find a justification for bypassing the rules which makes this control unreliable.

So, in summary.

In my opinion, the encryption that we rely on must be secure and effective; we can’t expect the secrets to remain secret; and we can’t reasonably expect all of those in possession of the secret to only use it when legally permitted. That means the argument for mandatory backdoors is fundamentally flawed, even before you consider the technical challenges of trying to create one.

Everything else just becomes noise around the edges. Yes, of course bad guys will use encryption, but as the totally failed attempt of the USA to ban the export of encryption tools a few years back demonstrated, they will always find a tool where the government does not have the backdoor key.

At the end of the day an old security truism comes to the fore. “The wall is not there to keep you out, it’s there to see how badly you want to come in”. We know that when law enforcement REALLY want to get something they will, and the absence of a backdoor won’t stop them, but that’s a discussion for another day.

Happy surfing, and remember, just because you’re paranoid it does not mean the bad guys are not out to get you.

If you agree with me or think I’m totally missing the point please feel free to share your thoughts in the comments section.

David


Of Passwords and PINS (3)

8 02 2013

In the final part of this series I’ll look at PINs and what you can do to make them easier to remember.

PIN numbers, generally 4 digits, and used to validate debit and credit cards, lock your iPhone, access buildings, secure safes and all manner of other things, have become one of those things we all have to remember. The 4 digit card PIN only offers 10,000 possible combinations, so it’s not really that secure, which is why so many systems operate the ‘3 strikes and you’re out’ control. But why only 4 digits? For the answer you have to ask John Shepherd-Barron, the inventor of the ATM. It seems that Mr Shepherd-Barron favoured using 6 digits, but his wife preferred 4!

In the same way as there are commonly used passwords (see the previous post for more details), there are some PINs which appear on an all too frequent basis. A recent analysis by Data Genetics revealed how unimaginative people are. Over 10% of the PIN codes analysed were 1234, and 6% were 1111. The least common PIN was 8068, but it’s probably best not to use that now as the bad guys can also read the reports.

Maybe you need a different approach. In the same way as you can have a memorable password, why not have memorable PINs? No! Not your birthday, or your partner’s birthday, or your house number; too many people already know them. But why not use the letters A through J to represent the numbers 1 to 0, and create a combination that is meaningful to you? The first four words of a favourite tune, the initials of four family members, the first four letters of your home town.

Most organisations which require you to have a PIN allow you to change them, usually on-line or at the ATM, so that’s not much of a chore, BUT, don’t change them all to the same value. Like passwords, it makes sense to have a variety of PINs, and to be honest you’re unlikely to have as many PINs as you have passwords (unless you collect credit cards as a hobby).

The standard instruction (as with passwords) is not to write them down, but again, as with passwords, there are variations on a theme. Clearly no-one would write in their diary: Barclaycard 1234; Amex 3456; M&S 4567 would they (pause whilst some readers tear page out of diary), but it is possible to be more discreet and still record those which you use less often in the same way as you can record passwords.

The frequently used ones you will remember because you use them every day, especially if you have made them memorable in the first place.

Anyway, that’s enough on Passwords and PINs, next time I’m going to start on Social Engineering and how the bad guys WILL obtain those carefully protected pieces of information you have created.

Until then, keep safe and keep aware

David





Of Passwords and PINS (2)

6 10 2012

In the last posting I briefly referred to ‘strong’ passwords and said I’d come back to them a bit later on. So, what is a ‘strong’ password? As I said last time, the holy grail of password creation is to have something which is easy to remember AND hard to guess. Individually these are simple to achieve, putting them together is a much harder task.
Before getting into the mechanics of password creation, let’s take a couple of seconds to think about how the ‘bad guys’ (and gals) will try and misuse them. At the most basic, they sit at a computer, enter your account name and then just try and guess your password by hitting characters on the keyboard. If the system allows infinite attempts then they can continue until they get bored or strike lucky. The more sophisticated attacks will use technology, i.e. software, which will perform the same activity but automatically. So called ‘dictionary’ attacks do just that. The software has millions of words in its database and it just trawls through them until it gets a match or runs out of words. The more sophisticated also include character replacement checks as well (more on that in a moment), which provide millions of additional permutations. The final way is to obtain the password file from the system itself, which is hopefully encrypted. If it’s not then it doesn’t matter how good your password is, they’ve got it! If it is, then the complexity you use will make it that much harder for ‘them’ to decode it.

So let’s look at our two objectives separately to see how we can solve the problem.
Picking something really obvious would be daft of course and no-one would do that would they? Think again, surveys of the most common passwords are produced every other week such as this report in the Daily Mail, with ‘Password’ and ‘123456’ always being in the top 10, (quick pause here whilst you go off and change yours?).
It is generally easier to remember something which is personal to you rather than a completely abstract item, but make it too personal (pet’s name, your birthday, mother’s maiden name(!)) and far too many other people will already know it. Quick aside here: just because you are asked to provide your mother’s maiden name at registration does not mean you actually have to provide the exact name. It’s a security control, not a test. Just make sure you remember what you tell them!
But there are things which are personal to you that you can use as long you mix it up a bit. Favourite places, favourite songs, recent events are all good sources for passwords, you can have those little triggers in the back of your mind to help you remember them BUT, as I’ve already said you need to mix it up a bit, which is where we apply the ‘hard to guess’ angle.
Let’s start with the basics. Say you wanted to use the name of a city where you had a great weekend, such as Norwich. It’s quite hard to guess, unless people knew you liked it, seven characters long so it’s not bad from that perspective, but it’s in every dictionary so would be a soft target from that angle. Simple character replacement and changing the case of the letters will immediately make it even harder to guess (e.g. N0rw1cH), and placing the first and last characters in the middle will defeat any dictionary attack however sophisticated (e.g. 0rwNH1c), simples (as the Meerkat says). But the root (Norwich) is still a valid word and potentially guessable, so another approach is to use a phrase as the root. Pick the first 8 words from a song and use the first letter from each word (e.g. gsogqllo – “God save our gracious queen…”), mix up the cases and do a bit of character replacement (G50gQll0), and bob is your mother’s brother as they say. You can try the same thing with first words from a favourite book, or just a favourite saying. Easy to remember and hard to guess, just don’t hum the tune as you type it in!
Now for the really clever bit. Best practice says have a different password for each account; common sense says you’re never going to remember all of those passwords. So how can you get the best of both worlds? If you take your common password, say G50gQll0, and then add two letters to signify the application you are using it for, e.g. FB for Facebook, HM for Hotmail, NW for your Nat West bank account etc., you have something you will always remember and something that will be extremely hard to guess.
So there you have it, strong passwords with minimal effort.
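
The password recipe from this post, together with the A-to-J PIN trick from ‘Of Passwords and PINS (3)’ above, as an added Python example that is not part of the original posts: it builds the candidates the post walks through (Norwich -> N0rw1cH -> 0rwNH1c, gsogqllo -> G50gQll0 -> G50gQll0FB) and runs each through the leet-aware dictionary check the post describes. The substitution table and the tiny wordlist are constructed for the example; a real attack wordlist runs to millions of entries.

```python
import itertools

# Constructed substitution table in the post's style (letter -> look-alike digit).
LEET = {"o": "0", "i": "1", "s": "5", "a": "4", "e": "3"}
# Reverse table for the leet-aware dictionary check; a "1" could have been i or l.
UNLEET = {"0": "o", "1": "il", "5": "s", "4": "a", "3": "e"}
# Tiny constructed wordlist standing in for the millions of words a real attack uses.
DICTIONARY = {"norwich", "london", "password", "god", "save", "queen", "gracious"}


def phrase_root(phrase: str, words: int = 8) -> str:
    """First letter of each of the first `words` words: 'God save our...' -> 'gsogqllo'."""
    return "".join(w[0].lower() for w in phrase.split()[:words])


def mix(root: str, upper_at: tuple, replace: str) -> str:
    """The post's 'change the case and do a bit of character replacement' step.

    upper_at: positions to upper-case; replace: letters to swap using LEET.
    mix('norwich', (0, 6), 'oi') -> 'N0rw1cH'; mix('gsogqllo', (0, 4), 'so') -> 'G50gQll0'.
    """
    out = []
    for pos, ch in enumerate(root):
        if pos in upper_at:
            out.append(ch.upper())
        elif ch in replace and ch in LEET:
            out.append(LEET[ch])
        else:
            out.append(ch)
    return "".join(out)


def shuffle_ends(word: str) -> str:
    """Move the first and last characters into the middle: 'N0rw1cH' -> '0rwNH1c'."""
    inner = word[1:-1]
    half = (len(inner) + 1) // 2
    return inner[:half] + word[0] + word[-1] + inner[half:]


def site_password(base: str, tag: str) -> str:
    """Per-account variant: the common base plus a two-letter application tag (FB, HM, NW)."""
    return base + tag


def pin_from_letters(letters: str) -> str:
    """PIN post's trick: A..I -> 1..9 and J -> 0, so 'jade' -> '0145'.

    Letters after J have no digit in that scheme, which is the trick's main limit.
    """
    scheme = "abcdefghij"
    digits = "1234567890"
    out = ""
    for ch in letters.lower():
        if ch not in scheme:
            raise ValueError(f"letter {ch!r} has no digit in the A-J scheme")
        out += digits[scheme.index(ch)]
    return out


def leet_expansions(candidate: str) -> set:
    """Every reading of a candidate with its digits turned back into letters."""
    choices = [UNLEET.get(ch, ch) for ch in candidate.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def caught_by_dictionary(candidate: str, wordlist=DICTIONARY) -> bool:
    """The leet-aware dictionary attack the post describes, run as a defender's check."""
    return any(word in wordlist for word in leet_expansions(candidate))


if __name__ == "__main__":
    norwich = mix("norwich", (0, 6), "oi")
    anthem = mix(phrase_root("God save our gracious queen, long live our noble queen"), (0, 4), "so")
    for cand in ("Norwich", norwich, shuffle_ends(norwich), anthem, site_password(anthem, "FB")):
        print(f"{cand:12} caught by dictionary: {caught_by_dictionary(cand)}")
    print("PIN for 'jade':", pin_from_letters("jade"))
```

A hit from `caught_by_dictionary` means the candidate is within reach of the attacks the post describes; passing the check is necessary rather than sufficient, since a real wordlist and rule set is far larger than this toy.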

Till next time

d4v1D





Of Passwords and PINS (1)

25 08 2012

In the world of Information Security, few things generate more debate and argument than how to authenticate a user.
Authentication is one of the two pillars of access, the other being authorisation. One to prove who you are, the other to control what you are allowed to do. You can have authorisation without authentication (for example anyone can use Google to search for something on the web) and you can have authentication without authorisation (“you may well be David, but you aren’t getting in here my son!”).
The most common authentication mechanism around is the good old userid/password combination. The biggest problem with this is that the userid is often easy to guess (or may even be made public intentionally), so it really falls back to the password on its own and for a password to be acceptable the party who owns what is to be accessed has to trust that the person who presents the password is actually the person who is meant to know it. We’ve all seen the films where the bad guys find out the secret password for entry to the castle and then massacre everyone inside. If you rely on a password as the authentication method then you have to rely on the person who knows it keeping it secret, and that it is pretty hard to guess!
Therein lies the problem. If you only have to remember one userid/password combination then it’s not beyond the wit of man to make it complex and keep it safe in your head, however a very quick count will show that you have lots of accounts which require you to authenticate yourself before you are granted access. Actually, let’s just take a few minutes to do just that. Count up all of the different computer accounts you have; at work, at home, with your bank(s?), e-mail accounts, Facebook, Twitter, don’t forget your phone, laptop, car(?) etc. etc. Passed 20 yet? Thirty, Forty, One Hundred? OK, now think how many DIFFERENT passwords you use across those accounts, is it one for all of them or a different one for each?
This is where the real world and ‘best practice’ collide, and where I will disagree with many of my colleagues. ‘Best practice’ for account management will offer you the following rules: 1. Have a different password for each account; 2. Never write your password down; 3. Change your password frequently; 4. Make your password hard to guess but easy to remember; 5. Never share your password with anyone.
4 and 5 I’ll go along with, and there are lots of places you can go to help you with the first part of 4, however the challenge can be achieving the second part at the same time. R&h(0kl.!B may well be a very strong password, but you’ll be hard pressed to remember it. I’ll come back to how to achieve both parts of (4) in the next post. To my mind 5 is a no brainer, but (and there is always a but), I’m sure you can think of situations where you want to share because it’s easier, and that is where Corporate rules and Personal choice can collide. Your employer may make it a disciplinary offence to share the password to your company account with a colleague, but you may choose to share your personal e-mail password with your partner (only you can decide if that is a good idea!!).
So let’s have a look at 1, 2 and 3.
1. Have a different password for each account. Are you serious?? It’s hard enough to remember the separate accounts without having to remember all those passwords.
2. Never write your password down. You’ve just told me to have 50 different passwords, and now you expect me to remember them all? Dream on!
3. Change your password frequently. So, not only do I have to remember 50 separate, complex passwords, without writing them down, I’ve now got to change them every month or so.
And we wonder why users get upset with us.
So what can you do? This may not work for you, but it’s my solution and it seems to have kept me safe for a few years.
First step is to separate your accounts into their relative importance (perform a risk assessment if you will). Ask yourself how much pain you will suffer if someone else can use the account that you are protecting. If it’s your online bank account, then you want it pretty secure, other things you may care less about. For the ones I really care about, as there are not many of them and it’s not a massive overhead, I apply rules 1-5 in full. I then temper the rules as the risk decreases, to the point where I have a couple of passwords that I use for all of the unimportant accounts (insurance quotes, or brochure sites which feel obliged to force you to log in for some reason). Rules 4 and 5 still apply to these though.
So let’s look at Rule 1. You may also decide to have one password to cover a particular group of accounts (e.g. your e-mail accounts, or your social media accounts); this has the advantage that you only have to remember one password, and when it comes to changing it you only have to think up one new value. It does of course have the disadvantage that if it is compromised then all of those accounts could be at risk, so as soon as you think someone knows your password CHANGE IT! Hence the risk assessment.
On to Rule 2. If you are going to write your passwords down, then don’t write the password next to the account name it belongs to. As I said in an earlier posting, Information Security is basically common sense, and that would be plain stupid. Think of a clever way of making the relationship obvious to you, but impossible to guess for someone else. If you don’t need to carry them with you (and let’s be honest you probably don’t), then store them in a file on your computer (and don’t name it ‘my passwords’), which you could always protect with another password!
Finally Rule 3. When it comes to changing passwords, other than your Corporate accounts, I’m pretty sure that none will ever remind you, and most will never expire. Two tips here: one – if you hear about a company you have an account with being ‘hacked’ (such as the recent stories about Sony, LinkedIn and World of Warcraft), then change your passwords immediately, and two – never change your password in a hurry or when your mind is on something else. You WILL have forgotten it the next time you log in!

So, that’s a first toe-dip into the world of authentication. Lots more to cover in later postings, but in the meantime, as always, keep safe online, and remember –
Just because you’re paranoid it doesn’t mean they’re not out to get you!

David
