A
uthentication is the process of identifying the authenticity of a user. It can be accomplished by means of a combination of login ID (identification) and password (authentication). People nowadays are struggling with their login IDs and passwords because of the need to access more and more systems.
Setting and remembering login credentials is becoming a painful experience because different systems enforce different security requirements. For example, people can choose preferred ID name for Gmail as long as there is no duplication with previously registered users while university ID might be assigned randomly by the campus IT administrator; Asia miles web portal requires the password to be composed of numeric numbers only but Internet banking system enforces password complexity consisting of uppercase, lowercase, non-alphanumeric characters and digits.
Login ID & Password ChallengingPassword policy often suggests choosing a complex and random combination of characters and numeric. Usersare also required to change password regularly before expiration and prevent repeated usage of recent passwords. Though theoretically this sounds secure, it is difficult for normal users to memorize different strong passwords for different systems. Eventually users will fall back to set the same password for different systems as much as possible.But if the password of a system is hacked, using the same compromised password to access other systems will pose great risks.
Besides choosing strong passwords, memorizing and managing passwords isalso another challenge. Some peoplemay simply write down login IDs and passwords on a memo and stick on conspicuous area. Some may mark the credentials on their phone notes or excel spreadsheets for easy retrieval. Such handling methods are considered as weaknesses in terms of password protection, because the memos and spreadsheetscan be read by others and the phone can be stolen or compromised.
Password Leakage CasesOn 11th September 2014, a list of nearly 5 million Gmail addresses paired with passwords was posted online1. This just occupied 2% of the total number of Google accounts. Some of these accounts were found inactive and some of these passwords were used previously at another online system. If you were one of the victims, please bear in mind to changing the passwords immediately.Nowadays, Gmail is now providingtwo-factor authentication by configuring the account settingsand setting the additional PIN code to be sent via SMS or email (an alternative email address) whenever you login.
On 4th December 2014, it was reported that Sony has leaked thousands of passwords stored in a folder called “Password”2.The salary figures of the top management hence were published due to this incident. FBI is now investigating the case. We can see that improper storage of passwords will lead to irreparable damage to corporate reputation.
The security incident of Dropbox3happened on 15th October 2014 is a living example to tell that people adopting the same password for several systems would lead to unauthorized access of all the systems once the password is obtained by hackers.
Page 1
Password Login FunctionsPeople normally come across login functions in the following situations during their daily life:
- University login
- Personal computer login
- Security guard lock at school and office
- Smartphone screen lock (iOS, Android, Windows, etc.)
- Internet Banking
- ATM debit card
- Social media login (Skype, Facebook, Twitter, etc.)
- Personal Email (Gmail, Yahoo, Hotmail, etc.)
- Online shopping (Taobao, eBay, etc.)
- Online payment (PPS)
- Cloud Service (Dropbox, iCloud, Google Drive, etc.)
Password Grouping
Instead of choosing a different password for different system which is impracticable to remember all (and not writing down on sticky notes), users can consider adoptingthe same password for a group of systems facing similar risk. For example, you can use the same password for social media sites and e-Card login.
Guidelines & Circulars4Strengthening Security Controls for Internet Banking Services
…Although the use of OTP for two factor authentication is still recognised as an effective security measure for Internet banking services, adequate protection of the OTP is essential for ensuring continuing effectiveness of two factor authentication. In this connection, AIs are required to implement, where applicable, the security measures set out in the Annex if these measures have not yet been put in place…
If the password of a system is compromised and leaked out due to poor security protection by a system provider, systems belonging to another group will not be directly affected because the passwords are different. Also, this saves the hassles of resetting passwords for too many systems but only those within the same group.
To achieve this, the systems should be first classified according to its perceived risk and severity. Some examples are listed below:
Risk / SystemHigh / Internet Banking
ATM debit card
University / Personal Email
University / Personal Computer Login
Cloud Service
Phone / Online Payment
Security Guard Lock
Medium / Smartphone Screen Lock
Online Group Purchase
Low / Social Media
e-Card Login
Some people may disagree above grouping, it actually depends on user practice for using any sensitive information over these systems. People can adjust their grouping detaillike this example to plan for their own password management.
Nowadays, online banking system are commonly used with security token as second layer for the authentication process. However, the first layer One-time Password (OTP) is still important. The official guidelines and circulars from Hong Kong Monetary Authority reminds banks to implement second authentication for end users4 to enhance the protection from unauthorized access online. Random number is generated each time when pressing the token button and used as dynamic key for authentication. Hence protection and safe storage of the hardware token requires special care by the key owners. If the token is lost or stolen by accident, immediate report to the token issuer is a must.
Choosing Strong PasswordSince many systems require people to choose strong passwords which can be difficult to select according to the system password policy (e.g. mixing alphabets with digits and special characters), several practical tips of choosing strong passwords are provided below for considerations.
Pattern 1 – Keyboard Sharping
Userscan choose password based on the character layout of the keyboard. It has no logic to follow but is easy to remember. For example, “QzEcTbYn”, “2x4v6n8I”. However, using characters nearby should be avoided. For example, “qawsedrf”, “1q2w3e4r”, etc.
Keepingthe keyboard in a good state is necessarysincecharacter often used will becomeblurred and make brute-force attack on your password easier.If blurred keys cannot be cleaned, replace the hardware keyboard.
Pattern 2 – Numeric & Alphabet Mix
It is common practice for choosing the password with characters and digits mix. However, it is not suggested to use a meaningful vocabulary such as “Car2001”, “America1980”, etc. To avoid the password phrase to be easily guessed, random combination of numeric and alphabetic characters, such as “C2a0r01”, “A1m9e8r0ica”, are highly recommended. Since there is no familiar pattern to follow, it may be difficult to remember.
Pattern 3 – 1st Letter in a Sentence
Generally speaking, using familiar terms as passwords, like birth date, phone number and street name, are commonly seen. However, it violates the secure password principle. Personal particulars might be leaked without notice; hence this password is trivial for malicious users to retrieve. Yet secure and easy-for-memorization password contradicts each other. The compromised alternatives for your consideration are listed below as examples:
I like to take coffee in my breakfast every day.
Password can be created by choosing the first letter of each word here: ilttcimbed
Some may prefer another combination from this example by exchanging alphabetic with digits and vice versa: Il2tcimBeD
In addition, password can be enriched by adding some digits before OR after it. Take the same example to illustrate:
19Il2tcimBeD90
1990 is separated into two parts and placed at the beginning and last position of the password.
Pattern 4 – Double Password
Double the existing password is another practical pattern for user to secure the password. For example, use “A1p3p5l7e9A1p3p5l7e9” instead of “Apple13579”. Users should take note that it will make password length longer and hence possibility of mistakenly typing will increase.
Best and Worst PracticesWhile the best practices for password management is evolving, the following table compares best versus weak practices of managing password:
Best Practices / Weak PracticesStrong Password:
Refer to Password Pattern 1 to 4 / Weak Password:
12345678
Regular Password Renewal:
Change Periodically / Permanent Password:
Password Never Expired
Using Password Securely:
Computer with antivirus latest signature updated / Using Password Insecurely:
Computer at Starbucks
Best Practices / Weak Practices
Different Password Sets:
By severity / Same Password Sets:
Online Banking Facebook
Password Storage:
Password Manager / Password Storage:
Memo paper stick near the computer
Other Best Practice
The following practices should be further considered when handling passwords in addition to choosing strong passwords:
1 – Secured Password Storage
Password Manager is a software which can ease user difficulties to remember all the passwords and map against user IDs. Many of the Password Managersoftware support various operating systemsincludingsmart phones. Some of them are free of charge but with limited functions and features(e.g. LastPass, Intuitive Password and PasswordBox). Usersshould check carefully the software capability and their usage needsbefore upgrading to commercial versions. For more information about mentioned tools, please refer to the PC Magazine6.
On the other hand, some people will simply keep the passwordsin a file such as Microsoft Excel worksheet. Users should make sure these sensitive files are kept securely.
2 – Password Safety Awareness
Most of the password leakage incidents are related to human mistakes. Universities are advised to remind users about the importance of password safety. For example, users can be reminded about phishing attack which is a method to attach suspicious linksor filesto email allowing malicious attackers to gain valuable information such as stealing passwordwhen users type transmit passwords.
3 – Secured Endpoints
Anotherrecommendation for password management is endpoint protection. Users are discouraged to use public computersto process and transmit sensitive informationsuch as accessing online banking, or retrieving university emails. This is because it is difficult to ascertain whether the public computers are secure or already compromised with computer viruses and other malicious software such as Trojan horse program or keystroke logger.
4 – Multi-factor Authentication
Last but not least, multi-factor authentication is highly recommended for sensitive transactions. Internet banking is a good example using multi-factors authentication to protect its customers from easily compromising passwords. With the dynamically generated passcode, identity theft will be extremely difficult.
ConclusionUsers should be responsible for their own password protection and management. With the fast pace of technology innovation and the increase of cyber threats, users should adopt best practices to manage “access key” (password) in the cyber world.
Page 1