In the first two articles of this series, we have been looking at the how and why of creating secure passwords, and at cutting down the number of data storage media so that there are fewer potential causes for worry. Following on in that security theme, this week it is appropriate to look at how to keep the security itself secure. That may sound like an oxymoron, but it is surprisingly easy to overlook this aspect of making sure the data with which we are entrusted is kept safe from prying eyes, identity thieves, malware distributors, spammers, hackers and casual observers.
When it comes to remembering passwords, there is nothing more secure than keeping them in your head. This way, there is no physical or electronic record for others to obtain by fair means or foul. However, with the growing number of passwords each of us must manage, and their necessarily increasingly arcane nature, this may not be possible. Many of us write them down, often in a book kept specially for the purpose. How often does that book find itself in the case with the laptop? How about on the desk next to the office computer? If written down they must be, then there are steps all of us can take to keep them safe. The first of these is to deny access by using a book small enough to fit in a pocket or in luggage other than a laptop case. That way only a violent assault will separate the record from you. Or, of course, the loss of the luggage containing the book…
- How do you remember the passwords that you have carefully set up?
- What are the consequences of a number of failed login attempts?
- Are the measures as strong for every device through which data could be accessed?
- How many people need access to data?
- How many people actually have the potential to access data?
Here's a simple method of masking passwords written in a book or contained in an electronic document, which can help keep your passwords to yourself even if the document is in somebody else's hands. Let's use a hypothetical password of Ko9QLp£T. It is not very long but reasonably secure. Note the use of the pound sign (£), which may make it harder for foreign hackers who don't have that symbol readily available on their keyboards.
Now let's take an encryption key that is known only to you or those very close to you. I will take my own birthdate as an example, 10/02/1954, but you could use the date you passed your driving test, or graduated from college, or anything private to you. Only the day and the month count. The day gives you the position in a text string at which you start counting, so I generate nine random characters, Gf8&v3Po2, and the password starts at the tenth character. Then, as the second number is 02, every second character from that point is part of the password; we know the password is 8 characters long, so the 8 real characters are interleaved with 7 random filler characters to give Kuo797Q^L!p$£+T. In the original layout the password characters (K, o, 9, Q, L, p, £, T, at every second position) are shown in bold; naturally, the bold is purely for the purpose of this illustration and would not be used in practice.
Finally, to complete the masking, add a random string of characters, as many or as few as you like. Let's say 'AuntieDoris99', just to get them thinking. That way, the representation of our password would look like this: Gf8&v3Po2Kuo797Q^L!p$£+TAuntieDoris99. Even if you lose your document or book, that should make guessing your password at least difficult enough to put the miscreant off trying to rob you and send them along to the next, easier target.
So, let's assume that your passwords are all being generated from random characters including upper case, lower case, numbers and symbols/punctuation, and are being stored in a way that protects them. What if someone does try to guess? How many chances do they have before the system takes action? Depending on where your main data storage is, this can vary. For example, failed attempts to log in to any of our web servers are limited to three before the IP address of the computer attempting to log in is blocked permanently. Where the information concerned is held on a local computer, laptop or mobile device, the consequence of failed logins should at least be that the system goes into lockdown mode, so that only the rightful owner can wake it. For example, Apple mobile devices have several stages of lockout: a lock of a few minutes after three failed attempts, an hour after five, and complete lockout or data erasure after ten. Once this stage is reached, only synchronising with the owner's iTunes account can revive the device. That's just one example; all operating systems for computers, phones and tablets offer similar options that can be set to suit individual needs. Check with your hardware manufacturer or OS provider for details. The vital thing to remember is that, with all these options available, nobody should get unlimited attempts to log in.
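To make the staged lockout concrete, here is an added example (not from the article or any vendor) of a small login guard that applies the tiered policy described above: a short lock after three failures, an hour after five, and a permanent lock after ten, with the counter reset by a successful login. The class and function names, the default stage durations and the per-account state layout are assumptions of this example; real systems should also log every failure so that repeated lockouts are visible to whoever monitors them.

```python
# Added example, not code from the article: a staged failed-login lockout
# modelled on the tiered policy described in the text.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Each stage is (number of consecutive failures, lock duration in seconds).
# A duration of None means the account is locked permanently (the article's
# "complete lockout or data erasure" stage). Values are illustrative.
DEFAULT_STAGES: Tuple[Tuple[int, Optional[int]], ...] = (
    (3, 5 * 60),      # three failures  -> locked for a few minutes
    (5, 60 * 60),     # five failures   -> locked for an hour
    (10, None),       # ten failures    -> permanent lock
)


@dataclass
class AccountState:
    failures: int = 0                      # consecutive failed attempts
    locked_until: Optional[float] = None   # unix time the temporary lock ends
    disabled: bool = False                 # permanent lock reached


@dataclass
class LoginGuard:
    stages: Tuple[Tuple[int, Optional[int]], ...] = DEFAULT_STAGES
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return its outcome.

        Returns one of: "ok", "denied", "locked", "disabled".
        `now` is passed in explicitly so the policy is testable without
        sleeping through real lock periods.
        """
        st = self.accounts.setdefault(user, AccountState())
        if st.disabled:
            return "disabled"
        if st.locked_until is not None and now < st.locked_until:
            # Attempts during a lock are refused outright and are not counted:
            # the correct password does not unlock the account early.
            return "locked"
        if password_ok:
            st.failures = 0            # success resets the counter
            st.locked_until = None
            return "ok"

        st.failures += 1
        for threshold, seconds in self.stages:
            if st.failures == threshold:
                if seconds is None:
                    st.disabled = True
                    return "disabled"
                st.locked_until = now + seconds
                return "locked"
        return "denied"

    def status(self, user: str, now: float) -> str:
        """Report the account's current state without counting an attempt."""
        st = self.accounts.get(user, AccountState())
        if st.disabled:
            return "disabled"
        if st.locked_until is not None and now < st.locked_until:
            return "locked"
        return "open"


if __name__ == "__main__":
    guard = LoginGuard()
    for t in (0, 1, 2, 3):
        print(t, guard.attempt("alice", password_ok=False, now=t))
    # 0 denied / 1 denied / 2 locked / 3 locked
```

The same structure serves the article's web-server rule (three failures, then a permanent block) by keying the state on the client IP address instead of the user name and using a single stage `(3, None)`.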
So, who else knows your passwords? Friends? Family members? Colleagues? Ex-colleagues (that one is always a worry)? The key here is that if anyone knows your passwords without a cast-iron reason to need them, the passwords must be changed immediately. But what if you get run over by a bus tomorrow and your business needs to continue, even though you are gone? With a master repository for passwords that has its own security, preferably a password plus multi-factor authentication, the access details can be lodged with your solicitor along with your last will and testament, so that in the event of your unexpected demise your business can be carried on by those left behind. There are services available online, including a function in your web site admin pages, that will do just this for you. Business continuity is vital, and security measures need to facilitate it, not prevent it.
Lastly, how many people have access to your information? This is not just about the people who have access to the passwords, either. How often have you seen a laptop left unattended on a train with a screen full of information just inviting the curious or the dishonest? Potentially thousands of people can see what is on that screen. It's a long shot that anyone will make use of such a moment, but it only takes one complaint relating to personal data being potentially visible to get an investigation under way from the Information Commissioner's Office, which could result in hefty fines and even personal actions for distress (a precedent in a British court recently valued this at £2840 per person) over data leakage. If your device is left unattended for even a moment, please remember to put it to sleep with a password required to wake it, if only for your own peace of mind. Even people who should be more security conscious get slack sometimes: I recently heard of a Navy Admiral who lost his laptop, containing the personal details of over 400 men in his command, by leaving it vulnerable for a moment.
That, however, is another story. Next week, we will take a look at physical security and how to keep what is private really private. I hope you find this useful. As always, if you have any questions relating to password security, please don't hesitate to call, or click in the header of any page to send me an email.