13: Unlucky for some? …or how to test your WLAN passwords to make sure that it’s the hacker who is “unlucky”

Ian Hughes, Wireless Security Consultant, ian.c.hughes@bt

Uploaded by francis-conley on 01-Jan-2016 (PowerPoint PPT presentation)

DESCRIPTION

The world around us is changing. The threats presented by “insecure” Wireless LAN (WLAN) systems change with time.

TRANSCRIPT

Page 1: Ian Hughes  Wireless Security Consultant ian.c.hughes@bt

13: Unlucky for some? …or how to test your WLAN passwords to make sure that it’s the hacker who is “unlucky”

Ian Hughes

Wireless Security Consultant

ian.c.hughes@bt

Page 2

The world around us is changing

The threats presented by “insecure” Wireless LAN (WLAN) systems change with time.

How good are your WLAN passwords?

As computers become more powerful and the tools they use become faster, we must review the way in which we implement effective security.

The use of “simple” passwords is no longer acceptable, since these can be obtained or broken by brute force tools.

Page 3

Test your passwords

Answer the following 13 questions.

At the end of the test you can review your answers and see where you could make improvements to your organisation’s Wireless LAN security.

Page 4

Test your passwords

1. How long is your password?

• Less than 8 characters

• Between 8 and 15 characters

• Between 15 and 30 characters

• More than 31 characters

Page 5

Test your passwords

2. What characters do you use in your password?

• All letters, all upper or all lower case, or all numbers only

• A mix of mostly letters - mixed case - and some numbers

• A mix of mostly letters, some numbers and punctuation

• A mix of totally random characters (including !”£$%^&* etc.)

Page 6

Test your passwords

3. Do you use a password reminder?

• No – I don’t need to

• Yes, it asks a question and the answer is my password

• Yes, it asks a question, to remind me of my password, but the answer is not my password

• Yes, the “question” is my password

Page 7

Test your passwords

4. Does your password contain personal information?

• Yes

• Yes, but only known to my colleagues & friends

• Yes, but only known to my close family members

• No

Page 8

Test your passwords

5. If you entered your password in a Web search engine, how many results would you get?

• Zero

• Less than 10

• Less than 1000

• 1000 or more

Page 9

Test your passwords

6. Can you remember your password without having to look it up?

• Yes, always

• Mostly, sometimes I forget it after a holiday or soon after changing it

• Sometimes, I need to remind myself a few times each week

• No, I’m always forgetting it

Page 10

Test your passwords

7. Where do you keep a record of your password?

• Nowhere – I don’t need to

• In the company fire safe

• In a sealed envelope in my locked desk drawer

• In a sealed envelope in my manager’s locked desk drawer

Page 11

Test your passwords

8. How many pieces of random information does your password contain?

• Just the one

• Two

• Three

• More than three

Page 12

Test your passwords

9. When did you last change your password?

• More than six months ago

• Less than six months ago

• Less than three months ago

• Less than one month ago

Page 13

Test your passwords

10. Can you type your password without making mistakes?

• Yes

• Mostly

• Occasionally

• No

Page 14

Test your passwords

11. Who else knows your password?

• My manager

• A work colleague

• The system administrator

• No one

Page 15

Test your passwords

12. Where else do you use your password?

• On other work related systems

• On other non-company systems (personal email etc.)

• On my eBanking account

• Nowhere else – all of my passwords are unique

Page 16

Test your passwords

13. How long does it take you to produce a new password when asked?

• Less than 30 seconds

• Between 30 seconds and one minute

• Between one and five minutes

• More than five minutes

Page 17

So how well did you do?

Page 18

Test your passwords - Answers

1. How long is your password?

Passwords that are less than 8 characters long, especially if they are a dictionary word, are poor, as they can easily be determined using brute force tools and techniques. SCORE = 0

Passwords between 8 and 15 characters are better, but should still not be a single dictionary word. A pass-phrase should always be used where possible. SCORE = 1

Passwords between 15 and 30 characters tend to be pass-phrases due to their length and can offer a good level of security – but see the later questions to ensure this is the case. SCORE = 3

Passwords in excess of 30 characters can be very secure, but their complexity makes them harder to remember and this may compromise them in other ways. SCORE = 1

Page 19

Test your passwords - Answers

2. What characters do you use in your password?

Passwords containing only letters, or worse only numbers, are much more easily recovered using brute force techniques – especially if they are dictionary words and contain only upper or only lower case characters. SCORE = 0

Passwords containing a mixture of mixed case letters with some numbers are better, but avoid commonly known “number for letter” substitutions (e.g. I = 1, S = 5, O = 0, E = 3, A = 4 etc.) or upper case letters only at the beginning of a word. SCORE = 2

Passwords containing a mixture of mixed case letters with some numbers and other characters (@£$%& etc.) are much stronger and are much more resistant to currently available brute force tools and techniques. SCORE = 3

Passwords containing totally random characters are very strong, but far more difficult to remember. SCORE = 1
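The two criteria scored on this slide and the previous one, length and character mix, are exactly what decides how large a search space a brute force tool has to cover, and the “number for letter” trick is why a mixed-character password can still be a dictionary word in disguise. The following Python is an added example, not part of Ian Hughes’s deck: it estimates the search space for a candidate password, undoes the listed substitutions before a word-list check, and returns a verdict in line with the deck’s guidance. The character-class sets, the tiny word list, the guess rate, and the helper names (assess, is_disguised_word, years_to_exhaust) are all assumptions made here.

```python
# Added example (not from the slide deck): score a candidate WLAN password
# against the deck's first two criteria, length and character mix, and
# flag the "number for letter" substitutions it warns about.
import math
import string

# Character classes assumed for the keyspace estimate. The deck names
# letters, numbers and punctuation (including £) without fixing the sets.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation) | {"£"},
    "space": {" "},  # pass-phrases usually contain spaces
}

# The substitutions the deck lists (I=1, S=5, O=0, E=3, A=4) plus two
# common ones assumed here (@=a, $=s); undone before the word-list check.
LEET = str.maketrans({"1": "i", "5": "s", "0": "o", "3": "e", "4": "a",
                      "@": "a", "$": "s"})

# Constructed stand-in for a real cracking word list.
WORDS = {"password", "wireless", "summer", "welcome", "office", "letmein"}

# Assumed attacker capability in guesses per second; vary it and note
# that the conclusions about length barely move.
GUESSES_PER_SECOND = 1e9


def char_classes(pw):
    """Names of the character classes actually present in pw."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in pw)]


def charset_size(pw):
    """Size of the alphabet a brute force tool must search for pw."""
    return sum(len(CLASSES[name]) for name in char_classes(pw))


def entropy_bits(pw):
    """Naive keyspace entropy, len * log2(alphabet). This is an upper
    bound: human-chosen passwords are far from uniformly random."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def is_disguised_word(pw):
    """True if pw is one word-list entry whose only disguise is case,
    trailing digits or punctuation, and number-for-letter substitutions."""
    core = pw.rstrip(string.digits + string.punctuation)
    return core.translate(LEET).lower() in WORDS


def years_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Time to try the whole keyspace at `rate` guesses per second."""
    return 2 ** entropy_bits(pw) / rate / (365 * 24 * 3600)


def assess(pw):
    """Verdict following the deck's guidance: under 8 characters, a single
    character class or a disguised dictionary word is rejected; 8 to 14
    characters with a mix is acceptable; 15 or more with a mix is good."""
    classes = char_classes(pw)
    disguised = is_disguised_word(pw)
    if len(pw) < 8 or len(classes) < 2 or disguised:
        verdict = "reject"
    elif len(pw) < 15:
        verdict = "acceptable"
    else:
        verdict = "good"
    return {"length": len(pw), "classes": classes,
            "bits": round(entropy_bits(pw), 1),
            "disguised_word": disguised, "verdict": verdict}


if __name__ == "__main__":
    # Constructed candidates, from the deck's worst case to a pass-phrase.
    for candidate in ["summer", "P4ssw0rd", "Blue7Kettle!",
                      "Kettle whistles at 7 sharp!"]:
        r = assess(candidate)
        print(f"{candidate!r:32} {r['bits']:6.1f} bits  "
              f"{years_to_exhaust(candidate):10.2e} years  {r['verdict']}")
```

Running it prints one line per constructed candidate. The keyspace figure treats every character as independently random, which is why the word-list check matters more in practice: “P4ssw0rd” uses three character classes yet is rejected, because after undoing the substitutions it is just “password”. One caveat specific to WLANs: WPA/WPA2 personal pass-phrases must be 8 to 63 printable ASCII characters, so a £ sign cannot actually appear in a WLAN key; it is counted here only because the slide mentions it.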

Page 20

Test your passwords - Answers

3. Do you use a password reminder?

Not using a password reminder, where other secure methods are available, is acceptable but being unable to recover your password may be a greater problem. SCORE = 1

Take care – is the question and answer pairing obvious, either to a stranger or someone who knows something about you? Try to avoid personal information or anything relating to your job function or organisation. What does a Web search bring up in answer to your “question”? SCORE = 1

If the reminder works for you, but does not directly relate to the password itself, then well done! SCORE = 3

Not so much a reminder, more a major security flaw. SCORE = 0

Page 21

Test your passwords - Answers

4. Does your password contain personal information?

Personal information (favourite football team, pet names, children’s names, nick names etc.) is a bad choice and can be easily predicted – not so much brute force as a good guess based on widely available knowledge. SCORE = 0

Your colleagues and friends may pass this information on to others - would you give them your bank card & PIN? SCORE = 0

You may think that only close family members know this information – how sure are you? SCORE = 1

A good password contains no clues or references to you as an individual, so is much harder to predict or guess. SCORE = 3

Page 22

Test your passwords - Answers

5. If you entered your password in a Web search engine, how many results would you get?

Zero results shows that this information is probably a good password, with a good degree of randomness (or maybe you need a better Web search engine?). SCORE = 3

A result of less than 10 shows a fair degree of randomness and/or unpredictability, but be careful that it is not something related to you, or your company’s interests, that may be guessed. SCORE = 2

A result of less than 1000 shows that randomness and unpredictability are reducing. Try making some simple changes to reduce the number of results found. SCORE = 1

More than 1000? Not a good choice. SCORE = 0

Page 23

Test your passwords - Answers

6. Can you remember your password without having to look it up?

If you can always remember your password you may have an excellent memory, so challenge it a little more and make your password slightly more complicated. SCORE = 2

Your ability to remember your password most of the time shows that it is reasonably complex – or at least offers the best mix of security and memorability for you the user. SCORE = 3

If you need to remind yourself several times a week, the password recovery process (paper or online) may become a potential weakness. SCORE = 1

Always forgetting? Try to generate strong but more memorable passwords. SCORE = 0

Page 24

Test your passwords - Answers

7. Where do you keep a record of your password?

Not keeping a password record, if suitable secure methods are available, risks you being unable to recover your password if forgotten. Whilst secure, this method has other risks. SCORE = 1

Keeping a record in the company fire safe leaves all credentials in a common location - and security will depend on the physical access controls to the fire safe. SCORE = 0

Keeping a sealed envelope in your own locked desk drawer distributes the risk, provided access to your drawer is restricted, and allows you to periodically check on the integrity of the envelope – any problems or evidence of tampering should require an immediate password change. SCORE = 3

A sealed envelope in your manager’s drawer may be an issue if they have many staff – will they notice if yours is opened or goes missing? It is also a problem because many credentials can be compromised at once – as with the fire safe. SCORE = 1

Page 25

Test your passwords - Answers

8. How many pieces of random information does your password contain?

Just one, or a common theme, can make the password much easier to break. SCORE = 1

Using two or more separate elements greatly improves security – so long as they are unrelated. SCORE = 2

Using three unrelated elements adds a high level of security, and should not be overly complex for the password owner to remember. SCORE = 3

Using more than three unrelated random elements continues to increase the security of your password, but memorability may become an issue – both for normal use and for any password recovery process. SCORE = 1

Page 26

Test your passwords - Answers

9. When did you last change your password?

Time is the enemy – if you have not changed your password for at least six months the probability of it being broken by brute force methods is much greater. SCORE = 0

A password that has been in use for between three and six months must be considered weaker. Even for low risk systems, such as personal email or chat rooms, six months would be the absolute maximum period for any password before renewal. SCORE = 1

Three months is a sensible limit for any “user” level passwords. Admin or “superuser” passwords should be changed more often to maintain adequate security. SCORE = 2

Monthly changes to your passwords add considerably to the security of your systems and should be considered mandatory for Admin and “superuser” accounts. SCORE = 3

Page 27

Test your passwords - Answers

10. Can you type your password without making mistakes?

Your ability to quickly type your password makes it less likely that someone will be able to observe, or “shoulder surf”, your password as you type it. SCORE = 3

Your poor typing skills may cause you to occasionally mistype your password – take care not to slow down too much or people may observe you when typing your password. SCORE = 2

Your password may be overly complex, and for all but the most sensitive systems a balance needs to be made between usability and security. Repeated typing makes it easier for someone observing you to see your password. SCORE = 1

Maybe you need to learn to type, or get a better password? It may be too complex, too long, or just not practical. SCORE = 0

Page 28

Test your passwords - Answers

11. Who else knows your password?

Your manager may need to access any systems you use, but should have their own log-on credentials to do so. SCORE = 0

Never share your passwords with colleagues – they should have their own unique account and password if they need access to a system. Even if you have a job share, you should never share passwords. SCORE = 0

The system administrator should be able to reset your password, but you should change this to something only you know if possible. Avoid common “system” passwords if possible and administer systems at an individual user level. SCORE = 1

If you are the only person who knows your password, and it is held in a secure and encrypted format on the system to which it provides access – well done! SCORE = 3

Page 29

Test your passwords - Answers

12. Where else do you use your password?

Using your password across multiple separate systems, where each system requires authentication to access it, can lead to a risk of exposure if using a common password. SCORE = 1

Using a work related password on non-work related systems should be avoided at all costs – especially if you also supply a work email address as your identity! SCORE = 0

Sensitive accounts, such as eBanking, should always have their own unique and strong passwords. Never share passwords between systems with different security requirements. SCORE = 0

Well done. By using unique passwords you limit the exposure between the various systems you use. Should one be compromised only that system is at risk, and you only have to change the password on that one system. SCORE = 3

Page 30

Test your passwords - Answers

13. How long does it take you to produce a new password when asked?

Less than 30 seconds – you probably used the first thing that came into your head, or tried modifying your old password somehow. How easily could this be guessed, or brute force techniques be used to recover it? SCORE = 0

30 seconds to a minute. Maybe you are a slow thinker, or maybe you did spend a little more time and effort and did not use the first thing that came into your head? SCORE = 2

Between one and five minutes – probably an excellent idea if you are changing an Admin or “superuser” password. Spend a few minutes looking at some basic techniques to make your passwords stronger before choosing a new one. SCORE = 3

More than five minutes may be excessive – especially if you have multiple passwords to change regularly. SCORE = 1

Page 31

Test your passwords - Scores

What was your overall score?

• 30+: Well done. Review your answers to see if there are any further simple improvements that you can make.

• 24 - 29: A good result, but some key elements may need to be reassessed.

• 18 - 23: Some areas addressed, but others leave some exposure that leads to greater risk in the longer term.

• 10 - 17: A poor result – needs immediate attention to mitigate considerable risk exposure.

• 9 or less: A formal review of security techniques and methods is required urgently.