Choosing a secure password

IT Services will soon be deploying a new system for changing and resetting passwords which will be accompanied by updated guidelines for choosing secure passwords. This post outlines some of the thinking behind these new password guidelines and we welcome feedback.

Three steps to better passwords

  1. Size Matters – four random words is much better than 8 random characters
  2. Don’t use your Edge Hill password anywhere else
  3. Never share your password with anyone else or on a non-Edge Hill website

Let’s look at these recommendations in more detail.

Size Matters

When it comes to making passwords secure and hard to guess, the most important thing is that they are long. Historically, many websites and organisations have insisted on choosing a password containing a mixture of upper and lowercase letters, numbers and special characters, but this just makes passwords that are hard to remember and hard to type.

It is much better to choose a longer password of four or more random words that someone wouldn’t be able to guess, even if they know you. This is better because there are more combinations of words to pick from in the English language (and you could choose a foreign or made up word!) than there are shorter passwords made up of letters, numbers and special characters.

This difference was summed up by the web comic xkcd several years ago:

There are many ways to pick some random words but one idea is to picture yourself sitting somewhere you know well – like your kitchen – and choose things you can visualise as you “look” from left to right… “toaster espresso saucepan stool”. Even if someone knew you’d based your password on things in your kitchen they’d still need to guess your combination of how you see things.

Don’t reuse passwords

After choosing really basic passwords like “password” or “letmein”, the most common cause of an account being broken into is reusing the same password in different places. This is because when a company is hacked and their list of passwords stolen, those passwords will be used to break into other accounts, either other accounts belonging to the same person or simply by trying them against any username.

For this reason you must never reuse your Edge Hill password for any other website or service. When you change your password you should also never reuse an old password, either directly or by changing it just a bit (don’t just add “1” to the end of the password!).

You can test your choice of password against lists of compromised passwords on the Have I Been Pwned website – this shows that “everton1!” has been seen over 30 times in breached websites.
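The Have I Been Pwned check mentioned above is worth understanding because of how it is done: the site never needs to see the password itself. The client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every breached hash suffix sharing that prefix, so the match is made locally. The following is an added illustration, not code from this post or from Have I Been Pwned; it simulates the range response from a constructed, made-up breach corpus so that it runs offline (the counts, including the 30 for “everton1!”, are constructed for the example).

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# These are made-up sample values for the example, not real breach data.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_000_000,
    "letmein": 250_000,
    "everton1!": 30,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the hash used by the range scheme)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str) -> str:
    """Simulate the server side of a range lookup for a 5-hex-character prefix.

    Returns one 'SUFFIX:COUNT' line per breached hash sharing the prefix,
    which is the shape the real range service answers with.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def times_seen(password: str) -> int:
    """Client side of the k-anonymity check.

    Only the 5-character prefix leaves the machine; the remaining 35
    characters of the hash are compared locally against the returned suffixes.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_response(prefix).splitlines():
        if not line:
            continue
        hash_suffix, count = line.split(":", 1)
        if hash_suffix == suffix:
            return int(count)
    return 0  # not present in the (constructed) corpus


if __name__ == "__main__":
    for candidate in ("everton1!", "toaster espresso saucepan stool"):
        print(f"{candidate!r}: seen {times_seen(candidate)} times")
```

Against the real service the `range_response` call would be replaced by an HTTPS GET of the prefix; the local matching logic stays the same, and a non-zero count is the signal to choose a different password.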

Remembering a different (secure!) password for every website is very hard so you could make use of a password manager. This is a piece of software running on your computer and phone, or a web service, that will securely store all your passwords. You’ll only be able to access them after you’ve entered a master password.

Read more about password managers on the Which? website.

Never share your password

You are responsible for any actions taken while logged in with your account, so never share your password with anyone else.

It is against the University IT Acceptable Use Policy to share your password with anyone else. If you suspect someone else knows your password or you are issued with a temporary password by IT Services, you must change it straight away.

Staff in IT Services will never ask you for your current password, so don’t tell anyone purporting to need it. If you need assistance, IT Services can either take remote control of your Edge Hill computer, where you can enter passwords yourself, or they will reset your password and issue a new temporary one once they have finished.

You should only enter your username and password into websites you trust to belong to Edge Hill. Look in the address bar to ensure it’s a secure connection on an edgehill.ac.uk site. Be on the lookout for disguised phishing websites, for example:

https://login.edgehill.ac.uk.secure.phising-website.university/

Note the missing slash after edgehill.ac.uk which means it’s not our website. If you come across a phishing website or email do not enter your password and inform the IT Service Desk.
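The “missing slash” rule above comes down to which part of the address the browser actually treats as the hostname. The following is an added example (not code from this post) that parses a URL the way a browser does and accepts it only if the host is edgehill.ac.uk or a subdomain of it over HTTPS; the phishing address from the post and a few other constructed look-alikes are used as sample input.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "edgehill.ac.uk"


def effective_host(url: str) -> str:
    """The hostname a browser would connect to for this URL (lower-cased, no trailing dot)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_login_url(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only for an https URL whose host is the trusted domain or a subdomain of it.

    Comparing the parsed host (not the raw string) is what defeats addresses that merely
    contain 'edgehill.ac.uk' somewhere in the text.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = effective_host(url)
    return host == trusted_domain or host.endswith("." + trusted_domain)


# Constructed sample addresses: the first is the example from the post,
# the rest are made-up look-alikes of the same kind.
SAMPLE_URLS = [
    "https://login.edgehill.ac.uk.secure.phising-website.university/",
    "https://login.edgehill.ac.uk/",
    "http://login.edgehill.ac.uk/",
    "https://example.invalid/login.edgehill.ac.uk/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = "trusted" if is_trusted_login_url(url) else "NOT trusted"
        print(f"{verdict:12} host={effective_host(url)!r}  {url}")
```

The first sample parses to the host `login.edgehill.ac.uk.secure.phising-website.university`, which does not end in `.edgehill.ac.uk`, which is exactly the point the post makes about where the slash falls.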


This is still very much work in progress so please leave any comments below.

[If this sounds familiar, it’s because this is basically what I’ve recommended for the last 7 years]

The Cookie Monster is here

Cookie Monster

The UK’s implementation of the EU Cookie regulations comes into force this Saturday and the web design world is frantically trying to work out what to do! Firstly, a bit of background into cookies and why we are where we are!

Cookies make the web go round – they’re how a website remembers who you are so you don’t have to remind it every time you load a page; they allow websites to personalise what you see; they make online shopping possible by remembering what’s in your shopping basket and they allow website owners to track the performance of sites to determine what’s working and what isn’t. Suffice to say without cookies the web would be a sorry place.

But they also have the potential to be abused. They can reduce your privacy on the web by tracking what you do on the web. By linking information together it could be possible for sites to build up a detailed profile of your online behaviour and the EU decided to act to better protect users’ privacy.

The UK’s implementation of the EU regulations is being enforced by the ICO, who have issued guidance, but things are never that simple! There isn’t – so far – an accepted “right” solution to compliance. The ICO themselves have taken quite a hardline approach – a bar across the top of every page asking for permission to set cookies. When this launched it had a devastating effect on their ability to analyse site usage, which is vital if you’re going to build good websites.

BT and the BBC take a bit more of an opt-out approach by telling site visitors they will receive cookies unless they say otherwise.

These show the first time a visitor comes to the site and in BT’s case disappears after 10 seconds – much less off-putting and probably clearer than a simple “Do you want cookies?” prompt, but is it enough to satisfy the ICO? Only time will tell!

While the status of implied consent may still be unknown, one thing that is generally agreed is that providing the user with more information in a form that they can understand is a Good Thing™, so that’s where we’ve started.

[I should note much of what we’ve implemented so far is based on a very pragmatic post by James Cridland of Media UK]

  1. We’ve added notices to key login pages like GO to say that you’re going to have to accept cookies if you want to log in. We’ll expand this to other services like the online shop and Rose Theatre ticket office in due course.
  2. We’ve added a Cookies page to the site listing how we use cookies and what for. I’m sure this isn’t 100% complete so if anyone would like to let me know of gaps then please shout!
  3. We make a distinction between cookies which link to personal information and those that don’t.
  4. We link to instructions on how to manage cookie settings and mention “private browsing” modes in modern browsers as an easy alternative.

As James says in his post #3 is the most contentious:

ICO is primarily concerned with personal information and personal data – and I’m registered under the Data Protection Act and take personal data very seriously. However, Google Analytics and AdSense cookies, etc, are anonymous, and will only ever contain personal information if you deliberately log in to Google services (and even then Google claims not to link Analytics or AdSense with your Google account anyway). The same goes for Twitter and Facebook too. And the ICO go out of their way to say, in their advice: Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

What does this look like? The cookie page is linked to from the header and footer of every page:

The Learning Edge landing page is a bit more explicit about how it makes use of cookies:

Depending on feedback from our users and others in the sector we may roll out some form of non-interrupting information box along the same lines as the BBC’s approach. We have also done some work on a cookie level chooser like BT have but the technical implementation across multiple in-house and third party systems is non-trivial.

If you have any feedback or questions about Edge Hill’s approach to cookie legislation compliance please leave a comment or get in touch and I’m sure there will be more changes to come!

How to choose a password

Password security is very important to protect users and computer systems from malicious activity. Often complexity is encouraged by suggesting use of numbers and punctuation in an attempt to make passwords harder to break. This logic is to a large degree flawed as they’re not harder to crack and they are less memorable leading people to write them down (which, as I hope you know, is very bad practice).

But it is possible to have easy-to-remember and secure passwords by choosing a short phrase. Although it might look easy to crack, it’s not, and the brain is very good at memorising phrases.

Of course xkcd has a comic to demonstrate this perfectly:
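The comparison behind the comic, and behind the “Size Matters” section of the newer post above, is a counting argument: entropy grows with the number of positions times the log of the choices per position. The following is an added example, not code from either post, that works the arithmetic through and generates a random passphrase. It assumes a 95-character printable ASCII alphabet for character passwords, and it tries several word-list sizes because the answer depends on how large a list the words are drawn from (7776 is the size of the well-known Diceware list; the larger figures are assumed sizes for illustration). The miniature word list in the code is constructed for the demo only.

```python
import math
import secrets

PRINTABLE_ASCII = 95  # assumption: printable ASCII characters available per position

# Constructed miniature word list for the generator (kitchen items, as in the post).
# A real generator would draw from a list of thousands of words.
SAMPLE_WORDS = [
    "toaster", "espresso", "saucepan", "stool", "kettle", "spatula",
    "colander", "whisk", "ladle", "teapot", "grater", "trivet",
]


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy for `positions` independent, uniform picks from `choices_per_position`."""
    return positions * math.log2(choices_per_position)


def compare(dictionary_size: int, num_words: int = 4,
            num_chars: int = 8, alphabet: int = PRINTABLE_ASCII) -> dict:
    """Entropy of num_words random words versus num_chars random characters."""
    return {
        "words": entropy_bits(dictionary_size, num_words),
        "chars": entropy_bits(alphabet, num_chars),
    }


def expected_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password by brute force: on average half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def make_passphrase(words, count: int = 4) -> str:
    """Uniformly random passphrase using the OS CSPRNG (secrets), not random.choice."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # Assumed word-list sizes for illustration; only 7776 corresponds to a named list.
    for size in (7776, 20_000, 100_000):
        e = compare(size)
        print(f"list of {size:>7} words: 4 words = {e['words']:5.1f} bits, "
              f"8 chars = {e['chars']:5.1f} bits")
    print("example passphrase:", make_passphrase(SAMPLE_WORDS))
```

Two points the numbers make: with a 7776-word list, four words and eight printable characters land within a bit of each other, so the real advantage of words is that adding a fifth or sixth word stays memorable where adding characters does not; and the figures are upper bounds that hold only for uniformly random picks, so words chosen by “looking round the kitchen” are less random than the generator’s draw and should be treated as weaker than the arithmetic suggests.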

Facebook Privacy

There’s been quite a lot in the news lately about a backlash against Facebook’s privacy settings with many people believing their attitude to personal information security is too lax. This isn’t a new issue – nearly three years ago I blogged about it – but now that Facebook is so huge across the board and not just amongst university and college students the debate has started to reach further.

Facebook have responded by trying to be more open about what configuration options are available and explaining how to control what you share. They provide shortcuts to restrict the level of information shared to “everyone”, “friends of friends” or just “friends”, along with a comforting-sounding set of “recommended” settings. I imagine most people will choose this, which is pretty scary. Take a look at what that means you will be publishing:

Recommended Sharing Settings

Choosing the recommended settings means everyone – not just Facebook members but the general public – will be able to see status updates like the ones you post when you’re mad with your boss, or photos you took at the end of a night out, or biographical details like where you work. Information available to “friends of friends” opens the door to the 1200 “friends” your 17-year-old cousin has, and do you really want them all seeing photos of you?

We shouldn’t be too critical of Facebook – they have a business to run and shareholders who expect them to maximise profit from advertising which means persuading you to be as open as possible with the information you share. The onus is on individuals to carefully consider the information they share and the implications it might have on their life. More importantly this isn’t a one off job – you should be reviewing privacy settings on a regular basis.

What do I do? I have a set of custom settings which generally means only friends can see what I publish except the groups “Limited Profile” and “Colleagues”:

Sharing on Facebook

On the other hand I use Twitter, Flickr, foursquare, delicious and many other services where information I publish is completely public but I understand the risks involved and am constantly aware that everything I write online could come back to bite me.

JANET CSIRT

Today I was at the JANET CSIRT Conference, held at the International Coffee Organisation facility in London (I booked on before I knew where it was being held… honest!).

The conference covered a variety of security related issues and I’ll cover a brief summary below.

A shared approach to Information Security – Matthew Cook, Loughborough University

The EMMAN Shared Information Security Service (ESISS) can provide a complete portfolio of services to your organisation. These services are designed to reduce the risk of significant information security breaches and reduce the associated costs of prevention, management, remediation and audit activities.

Matthew Cook gave an overview of some of the services offered by a new shared service from EMMAN. Much of it was what you’d expect – consultancy, penetration testing, network health checks and so on but I was surprised by one of their new services.

Currently in development/testing and to launch in the new year, they’ll be offering reputation management to monitor the interwebs and send a weekly report to technical and PR/marketing teams to alert them of any problems with your site.  It will check social networks like Twitter, blogs as well as more technical problems like spam comments on blogs linking to dodgy websites.

There are a number of companies that offer this type of service already and it will be interesting to see how they differentiate themselves.  I’ve not looked at many other services but ESISS’ pricing doesn’t seem outlandish… as long as it’s of benefit!

The issue I have with it is the weekly nature of the email reporting.  A week is a long time in Twitter. Recent examples of #janmoir and #carterruck have exploded in a matter of hours so waiting seven days before detecting and responding to criticisms online isn’t an option.

I do hope ESISS are successful with this service – there are far too many snake oil merchants in the reputation monitoring game and so an organisation without the commercial pressures would be welcome but whether they’re able to keep pace with the fast changing social media landscape – as well as provide their more traditional consultancy services – remains to be seen.

The Value of Security Testing – Rory McCune, NCC Group

A great Security Testing 101 session which really helped bring me up to speed with some of the terminology involved.  It showed the different levels of testing that can be undertaken.

The big thing I took away from this session is not to trust third party vendors.  They usually have no interest in security so either test software yourself, or as part of a consortium.  Get security written into contracts to ensure that it’s the vendor’s responsibility to fix any problems.

Traffic monitoring and basic anomaly detection with Netflow – Nick Reynolds, ULCC

Using the NetFlow protocol built into Cisco and some other network kit, Nick showed how they are monitoring traffic at student residences and FE colleges in London. Building on basic MRTG charts they provide more advanced reporting for staff within colleges who may not have the time or skills to undertake regular monitoring.  From there they have built pattern analysis software which can look for unusual traffic patterns passing through routers as a sign of breaches in security or usage policies.  Still a little rough looking but it shows what’s possible using a few open source tools and a little development time.
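The kind of pattern analysis described here is, at its simplest, a per-host baseline plus a couple of rules. The following is an added example, not ULCC’s software or anything from the talk, that scores each host’s daily volume against its own recent history (a z-score) and separately flags any host opening SMTP connections to an unusual number of distinct destinations, a common sign of a compromised machine sending spam. All flow records and byte counts are constructed sample data; the thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-host daily totals in MB: the past week, then today.
HISTORY_MB = {
    "10.1.0.21": [410, 395, 430, 405, 420, 415, 400],
    "10.1.0.37": [120, 135, 110, 125, 130, 115, 128],
    "10.1.0.52": [800, 780, 820, 810, 790, 805, 795],
}
TODAY_MB = {"10.1.0.21": 425, "10.1.0.37": 1900, "10.1.0.52": 810}

# Constructed flow records (src, dst, dst_port): ordinary web traffic for most
# hosts, plus one host talking SMTP to twelve different destinations.
FLOWS = (
    [("10.1.0.21", "198.51.100.10", 443), ("10.1.0.52", "198.51.100.11", 80),
     ("10.1.0.21", "198.51.100.12", 443), ("10.1.0.52", "198.51.100.10", 443)]
    + [("10.1.0.37", f"203.0.113.{i}", 25) for i in range(1, 13)]
)


def volume_anomalies(history: dict, today: dict, z_threshold: float = 3.0) -> dict:
    """Hosts whose traffic today is z_threshold standard deviations above their own baseline.

    Returns {host: z_score}. Hosts without a baseline are skipped rather than scored.
    """
    flagged = {}
    for host, mb in today.items():
        hist = history.get(host)
        if not hist:
            continue
        mu = mean(hist)
        sigma = max(pstdev(hist), 1.0)  # floor avoids divide-by-zero on a perfectly flat history
        z = (mb - mu) / sigma
        if z > z_threshold:
            flagged[host] = round(z, 1)
    return flagged


def smtp_fan_out(flows, port: int = 25, threshold: int = 10) -> dict:
    """Hosts that contacted at least `threshold` distinct destinations on `port`.

    Returns {host: distinct_destination_count}. A legitimate mail relay would be
    whitelisted before this rule is applied.
    """
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print("volume anomalies:", volume_anomalies(HISTORY_MB, TODAY_MB))
    print("SMTP fan-out:    ", smtp_fan_out(FLOWS))
```

In the sample data the same host trips both rules, which is the useful property of running several independent checks over the same flow export: one noisy rule on its own produces alerts nobody reads, but two agreeing is worth a look.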

SQL Injectors – Simon Baker, SEC-1

How to scare a web manager in 35 minutes…!  Using Microsoft SQL Server and ASPX as examples – not tools we develop in directly, but we do have third party SQL Server/IIS systems – Simon demonstrated a few SQL injection attack vectors which seem alarmingly easy.  Different attacks accomplish different things but with certain versions of SQL Server it’s even possible to execute commands!

If ever there was an argument for using an ORM to ensure all database interaction is correctly escaped then a session like this will prove it!  Prize goes to this session for best use of an xkcd comic strip in a presentation:
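What an ORM buys you is parameterised queries: the user’s input travels to the database as a value, never as part of the SQL text. The following is an added example (not from the talk or from any product mentioned) showing the vulnerable string-building lookup next to the parameterised one, against a constructed in-memory SQLite table, so the difference can be observed directly.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the password_hash values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-1"), ("bob", "hash-2"), ("carol", "hash-3")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the input is pasted into the SQL text, so quotes in it change the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username + "'"
           " ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """SAFE: a bound parameter is always a value, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_db()
    ordinary = "alice"
    hostile = "' OR '1'='1"   # the textbook injection string
    print("vulnerable, ordinary input:", find_user_vulnerable(conn, ordinary))
    print("vulnerable, hostile input: ", find_user_vulnerable(conn, hostile))
    print("safe, hostile input:       ", find_user_safe(conn, hostile))
```

The vulnerable version returns every row for the hostile input because the WHERE clause has been rewritten; the parameterised version returns nothing, since no user is literally named `' OR '1'='1`. This is the mechanism an ORM relies on underneath, and it is available from the raw database driver too, so the audit question is simply whether any query anywhere is still built by concatenation.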

Web Application Security, OWASP – Dinis Cruz, OWASP

Somehow Dinis managed to get through three presentations each with dozens of slides in his 40 minute slot!  I must admit it was a little bit too much to take in, but the general gist was that OWASP (Open Web Application Security Project) is great and that we should all get involved.  It certainly seems to have a lot to offer.  Their best known project is their Top Ten website vulnerabilities:

  1. Cross Site Scripting
  2. Injection Flaws
  3. Malicious File Execution
  4. Insecure Direct Object Reference
  5. Cross Site Request Forgery
  6. Information Leakage and Improper Error Handling
  7. Broken Authentication and Session Management
  8. Insecure Cryptographic Storage
  9. Insecure Communications
  10. Failure to Restrict URL Access

The use of a mature web framework helps avoid many of these problems but it’s probably time for us to do a full audit.

OWASP also offer a huge amount of other material from books to approval processes and tools.  One of their project strands concentrates on Education to get students trained up with the correct skills.  Dinis said something along the lines of:

The majority of IT Security professionals are screwed because they don’t know how to code.

Computing students and developers alike are well placed to get the skills required to create intrinsically secure websites – so-called “security experts” will struggle to match them on the details.

P2P File-Sharing and Copyright Infringement – Morgan Doyle, NetFort Technologies

Final session of the day was an interesting review of some research undertaken at NetFort into use of peer-to-peer file sharing – specifically BitTorrent – in a university environment and how it can be detected, tracked and reported on.  The reasons for wanting to do this were twofold – to be able to account for excessive bandwidth usage and to respond to DMCA notices.

I must stress that I Am Not A Lawyer, but I thought that DMCA was an American law so I’m not sure how it applies to UK file sharers, and that in most cases illegal filesharing was a civil offence.  I’m not condoning breaking the law, but I do question whether it’s the job of universities to do the dirty work of rights holders.

Wrap Up

ICO translation booths

So on the whole a very interesting day.  Not necessarily what I expected but very useful and it’s given me lots to think about.  The International Coffee Organization is a great venue – where else can you find translation booths and flags on the wall?!  I must admit I was slightly disappointed in the quality of the coffee.  It was okay filter coffee but I would have expected something a bit more… gourmet?

Finally, it was interesting to note how little backchannel activity there was on The Twitter. A single post from someone saying they were at the conference with the rest posted by me with a few comments from my followers. What – if anything – does this say about networking or security professionals in Higher Education? 😉

Internet Explorer Security Alert

So the BBC have finally picked up the news and jumped on the bandwagon. Mass media are now telling you to switch to a more secure web browser (you know, the thing you’re using to view this web page with).

From the BBC:

The flaw in Microsoft’s Internet Explorer could allow criminals to take control of people’s computers and steal their passwords, internet experts say.

As many as 10,000 websites have been compromised since last week to take advantage of the security flaw, said antivirus software maker Trend Micro.

Are you ready to make the switch? I certainly don’t want my passwords or bank account details stolen and my bank account emptied, do you?

For your home computers and laptops: Get Firefox now!

Steve Daniels

Browser security

My web browser of choice is Firefox. One of the appeals is the pile of add-ons that you can use to personalise the way you view the web. If I were recommending a browser, that’s the one I’d go for.

Opera Stay Secure

As a web developer, I also need to test how pages look in other browsers so I tend to have the most up-to-date versions of the common ones, IE, Safari, Chrome and Opera.

Yesterday I was looking at Opera’s widgets and noticed “Stay Secure”. Useful for very quickly displaying the current vulnerabilities of Internet Explorer, Firefox, Opera, Safari and Konqueror in an unobtrusive graphic on your desktop.

The information is provided by Secunia, and by clicking on any of the browser icons on the graphic the detailed report from Secunia is accessed.

So now, if you were to ask me to recommend a browser, I’d say Firefox, but use Opera (and the Stay Secure widget) for your secure transactions (if the site works in Opera).
