Information Security Tips from Westfield Insurance

These days, keeping all your passwords straight can be an almost impossible task. Every website and application needs a password. Do you pick the same password and use it everywhere or do you write them down? If you use the same password, you'll lose them all as soon as any one of those systems gets compromised. But if you write them down, you lose them all when your sticky-note gets lost or stolen.

Here's a trick for making semi-customized passwords that will be easy to memorize but still unique to each site.

Pick a "static" password. (For this example, I'll use "Bluebird" but a passphrase is much better.) Now look at the website or application that you're signing onto. Make up a personal rule about the website name such as:

1. The first digit of my password will always be the second letter of the website's name.
2. The second digit of my password will always be the number of characters in the website's name.
3. The third digit will be a dash.

The password at Amazon would be "m6-Bluebird" and at eBay would be "b4-Bluebird". The password on your home Dell computer might be "e4-Bluebird". A password in this pattern is reasonably strong because it has all four character classes (uppercase, lowercase, number, punctuation) and because it doesn't follow the predictable tendency for English speakers to capitalize the first letter and put the number(s) at the end. Best of all, every password is different but you only have the one phrase to memorize and one rule.

There are a couple of limitations to this technique.

• You must be the only person who knows your exact rules. Do not use the exact rules above. Make your own choices about which letter, punctuation, etc.
• Some systems won't allow special characters (like the dash) or may have size limits on the password. Unfortunately, there's no easy way around those problems. Make the best choice you can given the limits of the system and write down only enough to remind yourself what's different (such as "401k - no dash"). If it's an important system (like your online bank), lobby the company to allow stronger passphrases.

As a user, you should never share your password with anyone. It is used to track who had access and made changes to specific information. You are responsible for everything done on the system using your ID and password.

As a manager, you must set up the processes and procedures so that your staff and customers do not need to share their passwords. They need a simple rule that anyone asking for their password is running a con.

• The user's co-workers should never have access to each others' passwords. If work needs to be shared, use shared folders or other collaboration tools that maintain tracabilty in the logs about who did what. If a co-worker needs temporary access to the user's files (for example, if covering for someone on vacation or emergency medical leave), have IT use their administrative tools to grant the access rights under their own ID, not by compromising the ID of the person who is out of the office.
• Not even your own IT staff should ask for a user's password. If IT needs the password to complete a repair, the IT person should insist that the user type in the password.
• You don't need their password either. If you need to access their files, you should have IT set up your rights so that you can monitor their work under your own ID and password. No one ever wants to be in the middle of an investigation but, if you are, you really don't want to have counter-accusations that the chain of evidence was compromised.

Too many people are running phishing and other cons that try to trick people into sharing their passwords. Make it possible to say with confidence that no one at your organization will ever ask you for your password.

According to a non-scientific survey I just conducted, the most common question this time of year is "How were your holidays?" The second most common question is "Have you broken your New Year's resolutions yet?"

Here's a trick to help keep at least a few of those resolutions by choosing stronger passwords. As we've talked about before, passwords are fairly easy to break because most of us pick an English word, capitalize the first character and add a number at the end. That's a statistically common trend among English-speakers. It meets the minimum complexity rules but will fail to a password cracking tool in 30 seconds or less.

If your New Year's resolution is your passphrase, you'll get a strong password that is hard for an outsider to break. (Microsoft's password rules allow up to 127 characters and permit any character on the keyboard, including the spacebar. You can pick a whole sentence including spaces and punctuation for your password.) And by typing it several times a day, well, maybe repetition will help me actually live up to the resolution. For example, I need to eat less and exercise more. If my password for the month is "Take the Stairs.", I'm reminding myself several times a day that I shouldn't be lazy – that those extra steps are good for me.

A couple of thoughts, though. First, don't make your password obvious to others. If your password is "Spend more time with your Kids!", don't make a poster with the same phrase and hang it in your office. Second, add unusual capitalization or swap a letter for a number in the middle of the phrase. For example, "Give more time 2 Charity." Even if someone does guess your resolution, they won't know what little change you've made to the way you type it. Put together, you'll have a strong password that's easy to remember and might actually help you keep that resolution a little longer.

Passwords are only useful if they are kept secret. That sounds obvious but we are still finding users who tape their passwords to the computer or "hide" them in an unlocked desk drawer.

Laptop and desktop computers represent the single greatest risk to the computer systems and customer private information of most organizations. A stolen or lost laptop is a gold mine for an identity thief. Laptops and desktops hold all kinds of private information (often including the access rights and certificates necessary for a hack to get onto the rest of the network).

In order to mitigate the risk, many organizations have encrypted their computers – scrambled the content so that, in theory, if a computer is stolen, the thief gets away with a $2000 doorstop. Unfortunately, that encryption is often completely dependent on the password. If the thief also gets away with the password, they have access to everything and all the organization's defenses are for naught.

Make it very clear to your staff that leaving a password unprotected is a very serious violation of your security policies. If they see an unsecured password, have them report it immediately to their manager or supervisor.

If you have a home network or wireless router, it can add a layer of security to your computer. But if you haven't changed the default password on your home router, that can be worse than doing nothing. Hackers have recently developed some new tricks to automatically attack your computer's router just because you were at an infected site. It might not even be the primary site you were visiting – it could be the site hosting one of the ads on the page.

In this attack, hackers use small bits of code that automatically try to log in to the router using the default password. The default password is the one that came on the router when you got it from the manufacturer. It's usually something like "admin", "password", "1234" or sometimes blank. Default passwords are printed in the user manual (which is also available online). An online search for "default password list" turned up over 60,000 sites sharing this information, most of them hacker sites.

In a variation, some local hackers will try the same default password against your wireless router as they drive through your neighborhood.

Once the bit of code has successfully logged into the router, it opens a port. The hacker will later come back to your computer and attack it through that port. One common attack is to send false directions to the computer so that when you attempt to log in to your bank's website, the compromised router instead sends your request to a fraudulent site designed to look and feel like your bank's website. Read this CSOonline article for more.

If you haven't changed the default password, do it today! Follow the router manufacturer's instructions to change the password. Make sure you pick a strong password when you change it.

Resolve to pick stronger passwords for the New Year.

A surprising number of people still think that January07 is a good password. Admittedly, it does pass the Microsoft password-complexity rules. It has an upper-case letter, several lower-case letters and two numbers. The problem is that it's an English word with the capital letter at the front and the numbers at the end. English-speakers have a natural tendency to follow this pattern. We know it – and the hackers know it too. That password can be cracked in under 30 seconds.

Pick whole sentences for your password. A whole sentence (including spaces and punctuation) makes a very strong password that is easy to remember and to type. Windows accepts any key on the keyboard in your password (and some that aren't on your keyboard) and allows it to be up to 127 characters long. You only need a 4 or 5 word sentence to make a very strong passphrase. I particularly like sentences from children's counting books.

For systems with limits on password length or allowable characters (like mainframe accounts), you can keep your passwords in synch by using rules to transform your sentence into a shorter code. For example, you could start with the number of words in the sentence, then take the second and last letters of each word in the sentence, capitalizing each third letter. As long as you follow the same rules each time, you can consistently convert your easy-to-remember passphrase into a strong random-looking password.

Remember – your password is the key to all of your electronic defenses. Keep it safe, never share it and pick them strong enough that they can not be easily cracked.

If you have your internet browser set to store your usernames and passwords, disable it immediately.

A vulnerability was just discovered in the both Microsoft's Internet Explorer and Mozilla's Firefox browsers which allows a hacker to create a fake login page. When your browser auto-fills the username and password into the form, the data is passed off to the hacker.

This vulnerability has been named a "reverse cross-site request" vulnerability by its discoverer, Robert Chapin. It has been found on at least one MySpace.com page and is a risk to any user who goes to forum or blog websites.

So far, there is no known fix except to disable the password fill-in feature.

• In Microsoft Internet Explorer, use the menu to go to Tools/Internet Options. On the Content tab, select AutoComplete and make sure that "Usernames and passwords on forms" is not checked. (If the entire line is grayed out or "ghosted", you are okay.) You might want to click the "Clear Passwords" button while you're here just in case there were some in history.
• In Firefox, use the menu to go to Tools/Options. On the Security tab, make sure that "Remember passwords for sites" is not checked. Click on the "Show Passwords" button to remove any that have been saved previously.

For years, security professionals said "Never write down your password." In many situations, that's still good advice. Anything you write down can be lost or stolen. But when you have dozens of passwords, PINs and other security codes - some work-related, many personal, some static, some changing regularly, some simple, some complex, some used daily, others that go weeks between uses - it's hard not to. If you cannot memorize your passwords and must write them down, here are the ways for doing it at reduced risk.

• Don't store your passwords on your computer. It doesn't matter how well you hide the file, hackers know how to search the contents of your computer to find likely password files.
• Don't record the complete password. Write down just enough to remind yourself of the rest of it.
• Keep the password hints with you at all times. Your wallet is a good place. Don't leave the list in your desk or under your keyboard. Hackers and thieves know where to look.
• If you have a PDA or Blackberry, use a secure, approved password vault on the device. These applications use strong encryption to protect your password list.
• If the list is out of your control even briefly, quickly change your passwords to maintain their security.