Lately, I've been thinking a lot about passwords. Several of my friends and colleagues have had personal passwords stolen somehow, and their email accounts were broken into. For some reason I can't understand, the password thieves have used the stolen email accounts only to send links to malicious websites to various people on the victims' contact lists. Seems to me they could do a lot more damage. After all, isn't it kind of obvious that a friend's email account has been hacked when you receive a message from his address that contains nothing more than a seemingly random URL?
In any case, these account takeovers have led me to wonder how the passwords are getting stolen. At first, I assumed the victims chose easy-to-guess passwords (like a variation of their account name, or the word "password," or something simple like "letmein"). But as these account takeovers have occurred more frequently, I've questioned my acquaintances about their passwords. Most have assured me that they chose complex passwords. So what else could be happening? I suppose keyloggers are not out of the question, but the people I asked told me they run current antivirus software and keep their applications up to date. Perhaps the attackers are going after the password databases directly. But we're talking about major email service providers, along with other well-known places like Facebook. Could all of those providers have been breached and their password databases stolen? Or maybe the attacks are against the password reset mechanisms. Who knows?
The only thing I know for sure is that passwords are being stolen, somehow. And the victims come to me for advice, regardless of whether they are friends and family or professional colleagues. What can I tell them?
The best advice I can come up with is to choose longer passwords. The longer, the better. I tell people to pick two or more words and string them together, preferably with a number or punctuation mark in between. This is commonly referred to as a passphrase, rather than a password (to distinguish the technique by its length). Time will tell how well this technique foils the attackers.
Frustratingly, I've found that my own webmail provider won't take a password longer than 15 characters, and my in-home network equipment (made by a major manufacturer) can't take more than 12. That seems like a foolish limitation, and it constrains my ability to mandate longer passwords in the workplace. I'd like to make a security policy statement about making the minimum password length more than the age-old eight characters, but first I'll need to find out what each technology will support. I'd like to require passphrases of at least, say, 16 characters at my company, but I can't do it if the limitations of the authentication systems we use will make my policy unsupportable and unenforceable.
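As an added illustration (not part of the original column), this Python example builds a passphrase the way described above and checks a proposed minimum length against each system's maximum. The word list, separator set, function names and the "directory" entry are assumptions constructed for the example; the 15- and 12-character limits are the ones mentioned in the text.

```python
import math
import secrets

# Constructed sample list; a real generator needs thousands of words.
WORDS = ["anchor", "biscuit", "copper", "drizzle", "ember", "fathom",
         "glacier", "harbor", "ivory", "juniper", "kettle", "lantern",
         "meadow", "nutmeg", "orchard", "pebble"]
SEPARATORS = "0123456789!#%+=-."

# Maximum accepted password length per system. The first two figures come
# from the text; the third entry is constructed for contrast.
SYSTEM_MAX_LEN = {"webmail": 15, "home-network-gear": 12, "directory": 64}


def make_passphrase(min_len=16):
    """Two or more random words joined by a random digit or punctuation mark."""
    phrase, count = secrets.choice(WORDS), 1
    while count < 2 or len(phrase) < min_len:
        phrase += secrets.choice(SEPARATORS) + secrets.choice(WORDS)
        count += 1
    return phrase


def entropy_bits(n_words, list_size=len(WORDS), n_seps=len(SEPARATORS)):
    """Bits of entropy when every word and separator is chosen uniformly."""
    return n_words * math.log2(list_size) + (n_words - 1) * math.log2(n_seps)


def unsupported_systems(min_len, limits=SYSTEM_MAX_LEN):
    """Systems that cannot accept a password of the proposed minimum length."""
    return sorted(name for name, cap in limits.items() if cap < min_len)


def highest_enforceable_minimum(limits=SYSTEM_MAX_LEN):
    """Largest minimum length that every listed system can still accept."""
    return min(limits.values())


if __name__ == "__main__":
    print("sample passphrase:", make_passphrase())
    print("3 words from this list: %.1f bits" % entropy_bits(3))
    print("blocks a 16-character minimum:", unsupported_systems(16))
    print("highest enforceable minimum:", highest_enforceable_minimum())
```

With only 16 sample words the entropy figure is low; it grows with the size of the word list and the number of words chosen.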
Like most people, I have dozens of passwords to keep track of. With all the thinking I've been doing lately about passwords, I've decided to change mine more frequently, use a different password for every service, and make them longer and more complex. I've started using a password manager to do this. It's the only way. The trade-off is that I have a single master password with access to all my accounts, but the benefit is "password agility" -- the ability to quickly change my passwords, and limit the damage caused by a single password theft (unless of course it's my master password that's stolen).
Replacing passwords entirely would be a better solution, but as far as I can tell, the practicality of alternative authentication methods is still off on the horizon. Smart cards, tokens, code generators, out-of-band authentication via smartphone, and biometrics all seem like good alternatives. I'm wondering how much longer it will be before the major technology vendors and service providers will support those and we can all look back on passwords as a bad memory from a distant past.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.