October is National Cyber Security Awareness Month (NCSAM), and I thought it would be a neat idea to offer some ideas about best practices for good passwords. Since I have written about this before, I figured it would be the easiest thing ever, especially with all the advances in password management technology, and the new NIST Guidelines. I could talk about the usual things, like:
- Use a password manager;
- Use a passphrase instead of a password;
- Don’t re-use passwords;
- YAWN;
- Etc.
All these tips seem so “common”, tired, and repetitive. We have heard this all before from some of the giants of the InfoSec community. There are hundreds of articles from every known source that offer the same tips on best practices for passwords, dating back many years. Clearly, the problem is not a lack of information. The problem is not with the message, as that is clearly splashed all over the internet.
Some of us, myself included, have previously followed the misguided approach that we should treat the patient, rather than the disease. However, the disease is outpacing the cures.
As Bruce Schneier has stated, the problem is not with the patient.
Technology has created a world of easy access, and it keeps getting easier. Everything is available at the click of a link, yet we security folks, the messengers of online safety, spend much of our time like a bad piano teacher with a ruler, ready to slap the fingers of the person who clicks that link without first thinking of the consequences.
There have been so many advances in the technology that can unobtrusively improve the security experience for everyone. All the tools exist to create a silent security wall that protects the online experience. For example:
- Multi-Factor authentication has been a major leap towards protecting identities, preventing many credential-theft scams. I have posited in the past that this needs to mandatory for all online systems.
- URL obfuscation, which masks a hyperlink and checks it against known exploits before loading the destination page, can protect against clicking a link that is not what it purports to be. With everything based in the cloud, this is an easy redirection scheme to silently protect online browsing.
- Browser plug-ins, such as IDN-Safe, which protects you against malicious sites that use hidden Unicode characters in URL names.
- Safe Wi-Fi – Products, such as LookOut Mobile, offer a feature that will detect SSL stripping to protect consumers against connecting to rogue Wi-Fi hotspots.
The main hurdle to overcome with some of these tools is that their best features are unavailable at the consumer level. While that may make good business sense, it leaves us with the same problem of the crutch of “user awareness” as our primary tool towards security.
This all leads me back to my “password best practices” advice for NCSAM. Yes, all of the standard password rules still apply, but only because that is the current state of affairs.
What can we do to change this approach? Is it possible to demand better built-in security for our protection? Can we shift the burden to those who want us to use their systems, rather than the current model of making us responsible for our own online safety?
Moreover, how can we achieve such advances towards personal safety without the need for regulations and litigation? Or, with the emergence of the many cybersecurity protection regulations and GDPR, has this wave of shifted responsibility already begun?
With all the advances in our midst, will we eventually be able to celebrate Cyber Security Awareness Month as a fond memory?
I have been faulted before for saying so, but, the future looks bright!
