Sidewinder on why exploding trousers beat traditional pa55w0rd5

Davey Winder is shocked at just how ignorant most users are when it comes to password security. Worse still, some IT admins are just as bad. So what can be done about it?
With the Information Commissioner's Office (ICO) logging more than 140 security breaches since January, the National Health Service has been named and shamed as the number one public sector security black hole.
The simple fact is that the NHS has lost more personal data so far this year than the combined ranks of local and central government. The figures have been described by the ICO as evidence of a "complete disconnect" between management security procedures and what actually happens on the ground.
Meanwhile, Salford Healthcare NHS Foundation Trust has become the latest NHS organisation to be asked by the ICO to sign a formal declaration that it will abide by the Data Protection Act, following the loss of a computer with patient information that was not properly password protected – or encrypted. Part of that declaration requires data to be protected by strong passwords, which is quite right and proper.
Secure passwords: the basics
But do you know what a strong password actually is? Let’s start with what it’s not. A survey researched the most popular insecure passwords in common usage, and discovered that the top two were '123456' and 'password'.
Can you believe it? Other stunningly bad examples included 'qwerty' and, proving that geeks are perfectly capable of dropping the ball, that IT admin favourite 'root'.
But did you know that it takes just 65,780 guesses to be sure of cracking any lower-case five character password? Up the ante to an eight-character mixed alpha-numeric and special/symbol password and the number of combinations an attacker has to work through grows to upwards of 6 trillion.
Perhaps we need to follow the Australian lead where, as part of a National eSecurity Awareness Week, there was a national Change Your Password day. The purpose was to encourage everyone to change to more secure passwords.
Lose the sticky notes
Then there’s the single biggest piece of password bad practice: 'sticky note syndrome'. Just recently a memory stick went missing containing the medical details of thousands of prisoners. The data itself was encrypted, which is good. The encryption password was taped onto the side of the storage device, which is not.
Implementing a password creation policy is not a bad idea if you want to ensure that users are security compliant. A good starting point is to insist on passwords being no less than eight characters in length but no more than 20, and for them to contain a mixture of English upper and lower case letters, numbers and special characters (pound signs and so forth).
In addition, insist that dictionary words are strictly verboten. Yes, even foreign dictionary words, as computers are pretty darn clever at speaking different languages. A secure password policy should also require passwords to be changed every 28 days, while remembering the previous 13 passwords, thus effectively ensuring a 12 month rotation for all users.
Phraseology
The problem is that all these password changes are complicated for users. One way to increase strength and complexity without sacrificing the all-important ability to keep passwords memorable would be to replace passwords with passphrases.
Passphrase construction is best explained by way of example. Take the phrase ‘my trousers have exploded again’. It’s nonsensical but memorable.
For password purposes, we can make it stronger by replacing the last character of each word with a special character such as '£' to give ‘m£ trouser£ hav£ explode£ agai£’.
To add more strength, let’s replace the second character of each word with the next digit in sequence to give ‘m1 t2ouser£ h3v£ e4plode£ a5ai£’. This has now become very complex but remains extremely simple to remember, for you and you alone.
Exploding trousers may raise a laugh, but they’re far more effective than exploding media coverage – which will continue until we can nail the issue of data security in the NHS once and for all.
Password tips
Strength not size is the key. An eight character password that follows the mixed alpha-numeric and special characters rule will be stronger than a 12 character dictionary word password.
Substituting numbers for letters may seem like a clever idea (for example ‘ho5p1tal’ instead of ‘hospital’), but the hackers and crackers are on to that trick already, and hybrid attack software is already on the market to mechanically weed out this technique. Number substitutes are therefore no more secure than traditional dictionary words.
Using a UK-specific keyboard can actually strengthen passwords, as US character sets are more commonly found in password cracking applications. ‘£’ and ‘€’ characters are not available on US keyboards, so exploit that fact. And above all, bad passwords are ones that are never changed and often shared.
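The passphrase construction above and the creation policy and number-substitution tip from earlier in the column, as an added example that is not part of the original article: a small Python checker that builds a passphrase the article's way and then scores a candidate against the policy's rules (8 to 20 characters, mixed case, a digit, a special character, no dictionary words even after undoing 'ho5p1tal'-style substitutions, and no reuse of the last 13 passwords). The word list is a constructed stand-in; a real deployment would load full English and foreign-language dictionaries.

```python
import re

# Constructed stand-in for the English and foreign-language word lists the
# policy bans; a real deployment would load full dictionaries (assumption).
DICTIONARY = {"password", "hospital", "trousers", "exploded", "again",
              "qwerty", "root", "krankenhaus"}

# Look-alike substitutions that hybrid cracking tools undo mechanically, so
# the dictionary check has to undo them too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def passphrase(phrase, special="£"):
    """Apply the article's two steps to a memorable phrase: the last character
    of every word becomes `special`, then the second character of the n-th
    word becomes the digit n."""
    words = []
    for n, word in enumerate(phrase.split(), start=1):
        word = word[:-1] + special
        if len(word) >= 2:
            word = word[0] + str(n) + word[2:]
        words.append(word)
    return " ".join(words)


def dictionary_hits(pw):
    """Dictionary words (four letters or more) hidden in pw, found even when
    letters were swapped for look-alike digits, as in 'ho5p1tal'."""
    normalised = pw.lower().translate(LEET)
    return sorted(w for w in DICTIONARY if len(w) >= 4 and w in normalised)


def policy_violations(pw, history=(), remembered=13):
    """Return the rules of the article's creation policy that pw breaks."""
    rules = [
        (8 <= len(pw) <= 20, "length must be 8 to 20 characters"),
        (re.search(r"[A-Z]", pw), "needs an upper-case letter"),
        (re.search(r"[a-z]", pw), "needs a lower-case letter"),
        (re.search(r"[0-9]", pw), "needs a digit"),
        (re.search(r"[^A-Za-z0-9]", pw), "needs a special character"),
        (not dictionary_hits(pw), "contains dictionary word(s)"),
        (pw not in history[-remembered:], "reuses a remembered password"),
    ]
    return [msg for ok, msg in rules if not ok]
```

Run against the column's own passphrase, the checker flags only the 20-character ceiling and the missing upper-case letter, so a policy that wants to admit passphrases has to relax those two rules.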
About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years. In June, he won the Security Journalist of the Year 2008 award: the second time he has been given this honour in three years.