For my first blog post of 2012, I was going to focus on New Year's resolutions that every network administrator should consider. This was to include things like making sure you have a map of your network and having a log of what users are doing on your network. However, as I put my list together, I realized the most important one on it was that we all need to review how we use passwords both personally and at work.
Recent analysis of the Stratfor password list shows that people are continuing to use very weak passwords. It also shows that complex passwords are being cracked in less and less time with easy-to-use tools. Over on the Security Is Sexy blog, Darlene Storm also has an interesting post on this topic which looks at how brute force tools can also be used to crack Wi-Fi security.
Password theft is becoming more and more of a problem. It is estimated that the Ramnit worm, which first appeared in April 2010, has captured at least 45,000 Facebook logins and passwords. It operates by infecting Windows executables, Microsoft Office and HTML files. Once on a system it will attempt to gather user names, passwords and browser cookies.
When a Facebook account has been hacked, it can then be used for phishing attacks. Lucas Mearian recently published an article on this subject and he also includes some good advice on how to prevent your Facebook account from being hacked. The key advice that I took away from this article is to be always suspicious of anyone who asks for money over the Internet and choose a strong unique passphrase for each service that you subscribe to.
Unique passphrases are crucial but they are not enough in my opinion. I am a big fan of Google's two step authentication system. It prevents hackers from gaining access to your accounts if your passwords have been cracked. Recently a number of applications were released which allow devices to be unlocked once their owner appears in front of them. In the case of a mobile phone the applications use the forward facing camera and face recognition software. Apple filed a patent for similar face recognition technology back in 2010. However, some of this technology has already been defeated by placing photos in front of the cameras and, therefore, is not recommended as a primary method to secure devices. Personally I think this technology needs to move to been able to read expressions. A nod, a wink or something that is hard for someone else to copy.
If you are responsible for managing users on a network, password management can be a right pain. It is vital that users are required to log onto the network in order to gain access to resources. I still come across networks where users log on to locally to their own systems. It is almost impossible to find out what users are doing on your network if you don't have some centralized system that logs where users log on and what they are doing.
So as you head into 2012, make sure you adopt a strict policy when it comes to password management. Here are a few specific things you can do to make your online presence more secure:
- Stop using passwords and start using passphrases
- Make sure you have a unique passphrase for each service you access
- Look at implementing 2 factor authentication if its available. You don't need expensive token generating systems. Most software markets have free apps which will run on your smartphone.
- Never write down passwords. There are some great online password managers for keeping track of your logins.
- Remember that vulnerabilities are no longer required for network breaches.
Darragh Delaney is head of technical services at NetFort Technologies. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service. Follow Darragh on Twitter @darraghdelaney