Password Hashword

This week’s news has been dominated by talk of the humble password, with three big stories.

The first was World Password Day on May 5th. Failing to jump on the May the fourth (be with you) bandwagon isn’t the first thing this crew has got wrong. The official website is amongst the most patronising and excruciating sites on the internet, with an elderly American lady dispensing password advice from the comfort of her armchair. If you fancy losing the will to live, have a look, but hide the knives and service revolver first.

The World Password Day massive do, however, offer a fairly reasonable summary of password best practice, which regular readers of this and just about every other security blog in the universe also recommend:

• Create strong passwords
• Use different passwords for each account
• Get a password manager and use it properly
• Turn on multi-factor authentication wherever you can (most places these days)

Hot on the heels of this story came the announcement, via Reuters no less, that some Russian (SURPRISE) hacker was selling the credentials of 272.3 MEELION STOLEN ACCOUNTS for about 75 pence. Paying 75 pence would be unethical for the security outfit that obtained the data, so presumably the credentials were obtained by sweet-talking Ivan or telling him a bedtime story. We are talking, of course, of Hold Security, which loves a massive headline as much as Rupert Murdoch. You can read the self-congratulatory, back-slapping and slightly odious announcement here.

Since the news broke, pretty much everyone, including us, has called the credibility of the announcement and the data into question. Much of the data claims to be passwords recovered from mail providers, which on the whole do a better job than Ashley Madison, so this data must be from keystroke loggers, and the numbers do not fit that MO particularly well. We think there is little cause for alarm. It has also not escaped our attention that the breach was announced on, err, World Password Day...

So with all of this nonsense flooding the newswires, you may or may not have noticed a little announcement about password management from no less than GCHQ. You can read it here.

What they are saying, in a much more balanced and readable tone, is that forcing users to frequently reset passwords does more harm than good, leading to passwords being written down, having numerical sequences and so on, and that it is better to use flags to inform users of where and when they last logged in, along with a number of other best practices. The paper above is well worth a read.

We stand by the password management recommendations above, adding that administrative passwords MUST use two-factor authentication and that unusual privilege escalation activity should be monitored, logged and alerted on. All of this is possible using ITC’s NetSure360° Managed Security Service.

If you would like to talk to us about passwords, two-factor authentication, NetSure360° or anything else interesting, please contact us on: 020 7517 3900 or email [email protected]