Wednesday, May 7, 2014

Password - The weakest factor online

Passwords have been a proven way to protect your accounts and keep your information secure and private.
Passwords are common and we use them every day: accessing email, your computer, Facebook, unlocking your phone, online banking, and many more. According to reports, an average individual (like you) uses about 10 passwords every day.

With the internet and the number of things you can do online, passwords have become common practice. To play a game or post a review, you need an account and thus a password. The concept of an account is strongly developed on the internet so that you can log back in at any time and continue from where you left off. An account maps your work and activity on that website, which can be saved and referred back to later. Now that there is data associated with your account, websites want to protect users' data, and the password is the easiest way to authenticate a user.

Hackers and malware are at their peak and are looking for access to your account more than ever before. The password has thus become the weakest factor online. Your privacy, your work, your money, your data and your friends are all protected by a password.

Password statistics:
  • 90% of passwords are vulnerable to hacking.
  • With the top 10,000 most common passwords, 98% of accounts could be accessed.
  • 70% of people do NOT use a unique password for different websites.
  • Around 82% of people have forgotten a password they used on a website.
  • 80% of people do not change their bank card PIN.

Here are the top 500 passwords, which make up 80% of all passwords. The bigger the size, the more frequently they are used.




Why are usernames and passwords required everywhere?

Why does a website where you just need to provide a review/rating of a hotel/movie/restaurant need you to create a new user account? There are many such scenarios where account creation is simply not required, yet users are forced to do it.

In most cases a password does make sense; in many others, however, a password is overkill. Websites have commercial reasons for forcing users to create an account or sign in with their Facebook/Google+ profiles. Every company wants to grow its user base, and that maps directly to profits and business. No wonder a site that just asks you for a review/rating also needs you to register as a user.

Looking at the web trend, more websites are going to ask for passwords, and you are going to either create new accounts or use your Facebook/Google+ profile to register. Either of these puts you in trouble: you have to maintain a good password for the new website, or keep an eye on how this website uses your Facebook/Google+ profile.

Everyone wants your email ID. Almost all websites now use the email ID as the username. You activate website functionality by validating your email address, and thus the website gains your email address to send you more stuff or remind you to revisit the site. Account creation thus becomes the primary requirement on such websites, and this is a common trend with big and small players on the web.


Same passwords for multiple sites?
It is hard to remember strong passwords, and that leads to using the same password again and again on different websites. It is a very common trend that needs to change. With the right tools and practice, it is doable. Below are some techniques to help you generate strong passwords and either remember them or maintain them securely.

Email ID as username:
Using the email address as the username is a common trend. Your email ID is known to the world in different ways, and thus half of your credentials are already exposed. The other half is your password. It then becomes mandatory for your password to be strong enough to withstand hackers around the world, since they already know your email ID.

Many of us use 1 or 2 primary email IDs. We share these IDs with people to communicate and use the same ones as usernames. Thus your email ID has become part of your identity on the internet, and you share it freely with friends and on many offline registration forms. Anyone who now has your name and email ID can try to break into your accounts with the most common passwords available online.


Strong passwords difficult to remember?

Here are some techniques to create strong passwords and remember them:
  • Create a passphrase rather than just a password. It can be your favorite line from a book or song. There are plenty of songs that you love and sing.
  • Be creative and imaginative: invent unique words that don’t exist.
  • Use a book title, serial name or food dish.
  • A combination of multiple cities/places.
  • A combination of company names, car models or sportspersons.
  • A combination of a name, place or year.

Avoid using these for passwords:
  • Names of your wife, girlfriend, mom, kids or pets
  • The place where you live
  • Dates of birth of your favorite people
  • Common passwords
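As an added illustration of the two lists above (this is not code from the original post), here is a small Python script that generates passphrases and random passwords with the operating system's cryptographically secure generator and flags the weaknesses the post warns about: appearing in a common-password list, being short, containing a personal term such as a pet's name, and containing a year. The word list and the common-password list are constructed stand-ins; a real checker would load a full list such as the top 10,000 passwords mentioned earlier.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a real "most common passwords" list (a real tool loads thousands).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "letmein", "iloveyou", "monkey", "dragon", "football",
}

# Constructed stand-in for a diceware-style word list (real lists have about 7,776 words).
WORD_LIST = [
    "orbit", "copper", "lantern", "velvet", "harbor", "cactus",
    "meadow", "pixel", "saddle", "thunder", "walnut", "glacier",
]

# Matches a four-digit year from 1900 to 2099 anywhere in the password.
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def generate_passphrase(n_words=4, separator="-"):
    """Join n_words words picked uniformly from WORD_LIST with the OS CSPRNG (secrets)."""
    return separator.join(secrets.choice(WORD_LIST) for _ in range(n_words))


def generate_password(length=16):
    """Random password over letters, digits and punctuation, as a password manager would generate."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Guessing entropy of a passphrase when each word is picked uniformly: n * log2(size)."""
    return n_words * math.log2(wordlist_size)


def check_password(password, personal_terms=(), min_length=12):
    """Return the list of weaknesses found; an empty list means none of these checks fired."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for term in personal_terms:
        # Case-insensitive substring match, so "Fluffy2009" is caught by the pet name "fluffy".
        if term and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    if YEAR_RE.search(password):
        problems.append("contains a four-digit year")
    return problems


if __name__ == "__main__":
    print("passphrase:  ", generate_passphrase())
    print("password:    ", generate_password())
    print("entropy bits of 4 words from 7776:", round(passphrase_entropy_bits(4, 7776), 1))
    print("weak example:", check_password("Fluffy2009", personal_terms=["Fluffy"]))
```

The entropy figure is why a passphrase of a few random dictionary words compares well with a shorter character-salad password: four words from a 7,776-word list give about 51.7 bits, and the words are far easier to remember.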

Listed below are tools to help you generate strong passwords and maintain them. These tools are proven industry standards that you should leverage to make creating strong passwords, and then remembering them, easier.

Google and Facebook as a common method to log in:

Social networks have provided a new and unique way of logging in that is leveraged by many websites. You don’t need to create an account on every website; instead you use the Google+ or Facebook login method provided on third-party websites. These websites integrate with the social network’s authentication mechanism to validate a user and then give you access to their functionality.

It is an easy and quick way to gain access to website content/functionality without creating a new account. However, you have to be careful here, as you are exposing a lot more data to these websites than you should: your email ID, name, where you live, your friend list, your workplace, and also an option to post on your wall whenever they want. That is too much information for too little. To be secure, you may be better off creating a new account rather than giving access to all of the above.

One advantage of social authentication is that you can go back to Facebook/Google+ and revoke the access of third-party apps/websites at any time. Those apps will then no longer be able to get your updated info or friend list, or post on your wall. But they still have your old info, which you cannot take back.


Better ways to solve the password problem:  


Two-factor authentication -
In simple terms, you can think of two-factor authentication as "two locks" on your account. You need to open both locks before you get into your account, and to open two locks you of course need two separate keys.

Two-factor authentication is a security process in which you use your user ID + password and a physical token. It is "something you know" and "something you have". E.g. if you wish to log in to your email account, your email ID & password are what "you know", and an additional short numeric code (verification code) available on your phone acts as what "you have".

Two-factor authentication has become an industry standard for protecting your account and is now provided by many websites. Here is my detailed blog post on two-factor authentication - http://softwaresecurityforyou.blogspot.com/2014/04/securing-your-account-with-password.html
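To make the "something you have" concrete, here is an added Python example (not from the original post or from any provider's code) of the time-based one-time password (TOTP, RFC 6238) that authenticator apps display. Both sides share a secret; the phone computes a 6-digit code from the current 30-second time step, and the server recomputes it and accepts a small window of neighbouring steps to absorb clock skew. The secret in the usage lines is the RFC 6238 test secret, not a real one, and the Base32 string is its standard encoding as an app would scan it from a QR code.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (this is what the phone shows)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, submitted, for_time=None, step=30, window=1, digits=6):
    """Server side: recompute the code for the current step and +/- window steps.

    hmac.compare_digest avoids leaking which digits matched through timing.
    """
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + offset, digits), submitted):
            return True
    return False


def secret_from_base32(b32):
    """Authenticator apps receive the shared secret as Base32; tolerate spaces and missing padding."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); constructed usage, not a real key.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)                      # what the phone would show right now
    print("current code:", code, "valid:", verify_totp(RFC_SECRET, code, now))
    print("RFC vector T=59 ->", totp(RFC_SECRET, 59, digits=8))   # 94287082 per RFC 6238
```

A production server additionally records the last counter it accepted for each user and refuses a code at or below it, so a one-time code that an attacker observes cannot be replayed inside the skew window.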


LastPass and KeePass - password managers you need

LastPass is a browser plugin that manages (stores) your passwords and provides a strong security model around itself to avoid exposing your passwords to others. It lets you create strong passwords by auto-generating complex ones and then maintaining them for you. Any time later, when you revisit that site and navigate to the login page, it populates your username/password once you enter the master password. www.lastpass.com

After that you just have to remember one password: that of LastPass itself. LastPass provides good integration with websites and browsers. Also, all your data is encrypted and maintained online, so your password store is available to you at any time. They provide web and mobile apps for ease of use.

Make sure you use two-factor authentication with LastPass to make it as secure as possible and give you peace of mind, even though all your passwords are stored online.

Here is a short video on what LastPass is:



KeePass & KeePassX password manager -

KeePass is a free, open-source and easy-to-use password manager. It maintains data locally in encrypted form and also has a master password to access all your passwords. KeePassX is the Linux version of it.
KeePass provides a strong password generator and maintains the passwords for you. It creates a file that you can take with you and use on another computer. KeePass is a purely local installation and does not talk to a server or send your passwords to one.

The security model used by KeePass and its functionality have won a high number of awards and are very well known by professionals. http://keepass.info/index.html




Common sense about passwords:

  • Create unique passwords for every website 
  • Don’t write down your password 
  • Don’t share your password with anyone 
  • Don’t store passwords on a public computer
  • Change your password every 6 months 
  • Use two-factor authentication for your important web accounts 
  • Change your password immediately, if you think it is compromised 
  • Don’t use common passwords; create strong ones
  • Use password managers  

Conclusion:
With the internet, your accounts can be accessed globally, and that's great. However, hackers around the globe can also try to break into your account and steal your info, and you will never notice. With more accounts required online, you need a long-term strategy for maintaining passwords and following good practices around them. The article above lists the ground rules that everyone on the internet should follow to maintain a high level of privacy & security.
