8 Thoughts on Passwords and Password Management

In light of the recent disclosures (within 24 hours of each other) of the stealing of passwords (or password hashes) from LinkedIn, last.fm, and eHarmony, I thought I’d share a few thoughts and tips on passwords and password management.

For users:

  1. As Ed Amoroso said in this video, use different passwords for different accounts. If the bad guys manage to compromise one account, they don’t get access to everything you have everywhere.
  2. Use a password manager or encrypted notepad app to keep track of them.  If you are going to use different passwords, you probably won’t be able to remember them, so use one of the applications out there that help you manage them.  The advice for years has been not to write them down, but to some extent we no longer have any choice.  At the very least, there are “notepad” apps for mobile devices that use strong encryption and allow you to encrypt individual notes.  Use a VERY STRONG password to encrypt these other passwords.
  3. A longer, (moderately) less complex password is better than a short complex one. On the AT&T ThreatTraq webcast immediately after the disclosure of these breaches, we discussed a little of how modern password attacks work. If the hashes are stolen, they can be cracked offline using lots and lots of computing power for both brute-force and dictionary attacks. For this reason, longer passwords (still using the standard complexity rules of requiring upper and lower case, digits, and special characters) are what help when the bad guys can generate billions of guesses per second with modern GPUs.
  4. Don’t help the bad guys by typing them into sites to “see if they were on the list.”  This one may seem a little odd, but in the aftermath of these breaches, some websites sprung up offering to tell you if your password was on the list.  While some of them may have been legitimate, if the bad guys set something up like this, you just helped them crack passwords they may not have already cracked. Just assume yours was cracked and change it.
  5. As soon as you are aware of the breach, change your passwords, but be ready to change them again, because you can’t be sure they aren’t still in there stealing the new one. Be ready to change passwords in the initial aftermath and again relatively soon afterward.

For those managing passwords in their applications/databases:

  1. Salt them. With a unique salt per user, two users with the same password get different hashes, so if the bad guys get the hashes they have to crack every one instead of getting off easy by cracking a single hash and matching it against every user who chose that password.
  2. Consider using something slower than MD5/SHA for the hashing. This one is related to #3 for users and was explained well in a post on the security company F-Secure’s blog and one by security researcher Thierry Zoller. Most operating systems (and many applications) have a built-in limit on the number of login attempts in a given amount of time (and then lock out future attempts for some period), but that limit does nothing once the hashes are stolen and the bad guys are cracking offline; there, the only brake is the cost of the hashing algorithm itself. The algorithm should only allow them to guess on the order of 10,000-100,000 per second rather than a billion per second. Speed is good for many hashing algorithms, but here it is not.
  3. Allow longer passwords and special characters. Nothing frustrates me more than setting up an account on a banking site only to discover that the password cannot be longer than 8 characters and can only consist of letters and digits. This is 2012. Let your users create long passphrases that include !@#$%^&&*()_-+=/?.>,<;:’”

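The following is an added example, not code from the original post or from AT&T: it puts items 1 and 2 of the list above (per-user salt, deliberately slow hashing) and item 3 of the user list (length beats complexity) into working Python. PBKDF2-HMAC-SHA256 with a 200,000-iteration count and a 16-byte random salt is my choice of "something slower than MD5/SHA"; the iteration count, the record format and the guess rates fed to the estimator are assumptions for illustration, not values from the post.

```python
"""Salted, slow password hashing next to the weak scheme, plus a crack-time estimate.

Added example; PBKDF2 parameters and the record layout are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: tune PBKDF2_ITERATIONS so one hash costs tens of
# milliseconds on your hardware, which is what pushes an offline attacker
# from ~1e9 guesses/s (MD5) toward the 1e4-1e5 guesses/s the post asks for.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is drawn per call, so the same password stored for two
    users yields two different records and must be cracked twice.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_md5(password: str) -> str:
    """The weak scheme the post warns about: fast, and equal passwords collide."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every password of `length` over an alphabet of `charset_size`."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    # Two users picked the same (constructed) password.
    rec_a = hash_password("correct horse battery")
    rec_b = hash_password("correct horse battery")
    print("salted records differ:", rec_a != rec_b)
    print("md5 records collide:  ", unsalted_md5("password") == unsalted_md5("password"))
    print("verify ok:", verify_password("correct horse battery", rec_a))

    # Length vs. complexity at an assumed 1e9 guesses/s (fast hash) and 1e4 guesses/s (slow hash).
    for label, charset, length in [("8 chars, full keyboard", 95, 8),
                                   ("14 chars, lowercase only", 26, 14)]:
        fast = seconds_to_exhaust(charset, length, 1e9) / 86400
        slow = seconds_to_exhaust(charset, length, 1e4) / 86400
        print(f"{label:26s} fast hash: {fast:12.1f} days   slow hash: {slow:16.1f} days")
```

Run it as a script to see the comparison; the point of the last loop is that a 14-character lower-case passphrase has a larger search space than an 8-character password drawn from every printable key, and that switching the server to a slow hash multiplies every row by the same factor (here 1e5) without the user changing anything.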
So, what do you think?  Have I forgotten any useful tips or tricks for handling passwords?

More Stories By Steve Caniano

Steve Caniano is VP, Hosting, Application & Cloud Services at AT&T Business Solutions. As leader of AT&T's global Hosting, Application and Cloud infrastructure business, he is instrumental in forging key partner alliances and scaling AT&T's cloud services globally. He regularly collaborates with customers and represents AT&T at key industry events like Cloud Expo.
