Password Management Security Update - Best Practices for General User

Page 1

Login ID & Password Challenging

Authentication is the process of verifying the identity of a user. It is commonly accomplished with a combination of a login ID (identification) and a password (authentication). People nowadays struggle with their login IDs and passwords because they need to access more and more systems. Setting and remembering login credentials has become a painful experience because different systems enforce different security requirements. For example, users can choose their preferred ID for Gmail as long as it does not duplicate one already registered, while a university ID might be assigned randomly by the campus IT administrator; the Asia Miles web portal requires a password composed of digits only, whereas an Internet banking system enforces password complexity consisting of uppercase letters, lowercase letters, non-alphanumeric characters and digits.

Password policies often suggest choosing a complex, random combination of letters and digits. Users are also required to change their passwords regularly before expiration and are prevented from reusing recent passwords. Though this sounds secure in theory, it is difficult for normal users to memorize different strong passwords for different systems. Eventually users fall back to setting the same password for as many systems as possible. But if the password of one system is compromised, the same password can then be used to access the other systems, which poses a great risk. Besides choosing strong passwords, memorizing and managing them is another challenge. Some people simply write login IDs and passwords on a memo and stick it in a conspicuous place. Some record the credentials in their phone notes or in Excel spreadsheets for easy retrieval. Such handling methods are weaknesses in terms of password protection, because the memos and spreadsheets can be read by others and the phone can be stolen or compromised.

Password Leakage Cases

On 11th September 2014, a list of nearly 5 million Gmail addresses paired with passwords was posted online [1]. This represented just 2% of the total number of Google accounts. Some of these accounts were found to be inactive and some of the passwords had previously been used at other online systems. If you were one of the victims, please change your passwords immediately. Gmail now provides two-factor authentication: by configuring the account settings, an additional PIN code is sent via SMS or email (to an alternative email address) whenever you log in.

On 4th December 2014, it was reported that Sony had leaked thousands of passwords stored in a folder called “Password” [2]. The salary figures of the top management were published as a result of this incident. The FBI is now investigating the case. We can see that improper storage of passwords leads to irreparable damage to corporate reputation.

The security incident at Dropbox [3] on 15th October 2014 is a living example showing that when people adopt the same password for several systems, all of those systems become open to unauthorized access once the password is obtained by hackers.

Page 2

Password Login Functions

People normally come across login functions in the following situations during their daily life:

- University login
- Personal computer login
- Security guard lock at school and office
- Smartphone screen lock (iOS, Android, Windows, etc.)
- Internet Banking
- ATM debit card
- Social media login (Skype, Facebook, Twitter, etc.)
- Personal Email (Gmail, Yahoo, Hotmail, etc.)
- Online shopping (Taobao, eBay, etc.)
- Online payment (PPS)
- Cloud Service (Dropbox, iCloud, Google Drive, etc.)

Password Grouping

Instead of choosing a different password for every system, which is impracticable because nobody can remember them all (and writing them on sticky notes is not an option), users can consider adopting the same password for a group of systems facing similar risk. For example, you can use the same password for social media sites and e-Card login. If the password of one system is compromised and leaked because of poor security protection by that system's provider, systems belonging to another group are not directly affected because their passwords are different. This also saves the hassle of resetting passwords for too many systems: only those within the same group need to be changed.

To achieve this, the systems should first be classified according to their perceived risk and severity. Some examples are listed below:

Risk | System
High | Internet Banking; ATM debit card; University / Personal Email; University / Personal Computer Login; Cloud Service; Phone / Online Payment; Security Guard Lock
Medium | Smartphone Screen Lock; Online Group Purchase
Low | Social Media; e-Card Login

Some people may disagree with the above grouping; it actually depends on how the user handles sensitive information over these systems. People can adjust the grouping, using this example as a starting point, to plan their own password management.

Nowadays, online banking systems commonly use a security token as the second layer of the authentication process. However, the first layer, the One-time Password (OTP), is still important. The official guidelines and circulars from the Hong Kong Monetary Authority remind banks to implement second-factor authentication for end users [4] to enhance protection against unauthorized online access. A random number is generated each time the token button is pressed and is used as a dynamic key for authentication. Hence the protection and safe storage of the hardware token require special care by its owner. If the token is lost or stolen, it must be reported to the token issuer immediately.

Guidelines & Circulars [4]
Strengthening Security Controls for Internet Banking Services

“…Although the use of OTP for two factor authentication is still recognised as an effective security measure for Internet banking services, adequate protection of the OTP is essential for ensuring continuing effectiveness of two factor authentication. In this connection, AIs are required to implement, where applicable, the security measures set out in the Annex if these measures have not yet been put in place…”
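The token behaviour described above, as an added example that is not part of the original newsletter: a counter-based one-time password in the style of RFC 4226 (HOTP), which the page does not name but which is the standard algorithm for press-the-button tokens. The secret is the RFC's published test key, and the verifier's look-ahead window is an assumption of this example, not a bank's real setting.

```python
import hashlib
import hmac
import struct

# Event-based one-time password (HOTP, RFC 4226): each button press on a
# hardware token advances a counter and derives a fresh 6-digit code from a
# secret shared with the bank. The code is a "dynamic key": it is useless once
# used, but anyone holding the token can produce the next one, which is why a
# lost token must be reported immediately.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenVerifier:
    """Server side: accept a code only if it matches the expected counter or a
    few values ahead (the token may have been pressed without logging in), then
    move the counter past it so the same code can never be replayed."""
    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0                 # next counter value expected from the token
        self.look_ahead = look_ahead     # assumed window, not a real bank setting

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1     # resynchronise and burn the used value
                return True
        return False

# Constructed demo using the RFC 4226 reference secret, not a real bank key.
DEMO_SECRET = b"12345678901234567890"

def demo():
    presses = [hotp(DEMO_SECRET, c) for c in range(4)]   # user presses the button 4 times
    server = TokenVerifier(DEMO_SECRET)
    first_ok = server.verify(presses[0])   # normal login with the first code
    replay = server.verify(presses[0])     # same code again: rejected
    skipped = server.verify(presses[2])    # press 1 was wasted; press 2 still accepted
    return first_ok, replay, skipped

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```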

Page 3

Choosing Strong Password

Since many systems require people to choose strong passwords, which can be difficult to do within the system's password policy (e.g. mixing letters with digits and special characters), several practical tips for choosing strong passwords are provided below for consideration.

Pattern 1 – Keyboard Shaping

Users can choose a password based on the layout of the keys on the keyboard. It follows no logic but is easy to remember, for example “QzEcTbYn” or “2x4v6n8I”. However, runs of neighbouring keys should be avoided, for example “qawsedrf”, “1q2w3e4r”, etc. Keeping the keyboard in good condition is also necessary: frequently used keys become blurred, which makes a brute-force attack on your password easier. If blurred keys cannot be cleaned, replace the hardware keyboard.

Pattern 2 – Numeric & Alphabet Mix

Mixing letters and digits in a password is common practice. However, it is not advisable to use a meaningful word such as “Car2001”, “America1980”, etc. To prevent the password from being easily guessed, random combinations of digits and letters such as “C2a0r01” or “A1m9e8r0ica” are highly recommended. Since there is no familiar pattern to follow, such passwords may be difficult to remember.

Pattern 3 – 1st Letter in a Sentence

Generally speaking, familiar terms such as birth date, phone number and street name are commonly used as passwords. However, this violates the secure password principle: personal particulars might be leaked without notice, so such a password is trivial for malicious users to recover. Yet a secure password and an easy-to-memorize password contradict each other. Compromise alternatives for your consideration are listed below as examples:

I like to take coffee in my breakfast every day.

A password can be created by taking the first letter of each word: ilttcimbed

Some may prefer another combination derived from this example by exchanging letters for digits and vice versa: Il2tcimBeD

In addition, the password can be enriched by adding some digits before OR after it. Using the same example:

19Il2tcimBeD90

Here 1990 is separated into two parts and placed at the beginning and the end of the password.

Pattern 4 – Double Password

Doubling the existing password is another practical pattern for securing a password. For example, use “A1p3p5l7e9A1p3p5l7e9” instead of “Apple13579”. Users should note that this makes the password longer and hence increases the chance of mistyping.
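As an added example that is not part of the original newsletter, the Python below turns the advice of Patterns 1 to 4 into a checker that flags the weak forms named above (digits only, runs of neighbouring keys, a word followed by a year) and builds the plain Pattern 3 password from a sentence. The US QWERTY row layout and the choice of checks are assumptions of this example; the letter-for-digit swaps of the “Il2tcimBeD” variant are left to the user.

```python
import re

# Rows of a US QWERTY keyboard (assumed layout), used to spot the "nearby keys"
# sequences the page warns against ("qawsedrf", "1q2w3e4r") while accepting the
# zig-zag shapes it recommends ("QzEcTbYn", "2x4v6n8I").
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _key_pos(ch):
    for row, keys in enumerate(KEYBOARD_ROWS):
        if ch in keys:
            return row, keys.index(ch)
    return None                       # symbols and anything outside the rows

def has_adjacent_key_run(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters are all physically neighbouring keys."""
    pos = [_key_pos(c) for c in password.lower()]
    for i in range(len(pos) - run + 1):
        window = pos[i:i + run]
        if all(p is not None for p in window) and all(
                abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1
                for a, b in zip(window, window[1:])):
            return True
    return False

def assess(password: str) -> list:
    """Return the weak patterns from the page that a candidate password matches."""
    findings = []
    if password.isdigit():
        findings.append("digits only (e.g. 12345678)")
    if has_adjacent_key_run(password):
        findings.append("run of adjacent keyboard keys (e.g. qawsedrf, 1q2w3e4r)")
    if re.fullmatch(r"[A-Za-z]+\d{2,4}", password):
        findings.append("word followed by a year or number (e.g. Car2001)")
    return findings

def sentence_password(sentence: str, year: str = "") -> str:
    """Pattern 3: first letter of every word, with an optional year split in
    half and placed before and after the result (1990 -> '19' + core + '90')."""
    core = "".join(w[0] for w in re.findall(r"[A-Za-z']+", sentence)).lower()
    half = len(year) // 2
    return year[:half] + core + year[half:]

if __name__ == "__main__":
    for p in ["12345678", "qawsedrf", "Car2001", "QzEcTbYn", "C2a0r01"]:
        print(p, assess(p) or "no weak pattern found")
    print(sentence_password("I like to take coffee in my breakfast every day.", "1990"))
```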

Best and Worst Practices

While the best practices for password management are still evolving, the following table compares best versus weak practices of managing passwords:

Best Practices | Weak Practices
Strong Password: Refer to Password Pattern 1 to 4 | Weak Password: 12345678
Regular Password Renewal: Change Periodically | Permanent Password: Password Never Expired
Using Password Securely: Computer with the latest antivirus signature updated | Using Password Insecurely: Computer at Starbucks

Page 4

Best Practices | Weak Practices (continued)
Different Password Sets: By severity | Same Password Sets: Online Banking & Facebook
Password Storage: Password Manager | Password Storage: Memo paper stuck near the computer

Other Best Practice

The following practices should be further considered when handling passwords, in addition to choosing strong passwords:

1 – Secured Password Storage

A Password Manager is software that eases the difficulty of remembering all the passwords and mapping them to user IDs. Many Password Manager products support various operating systems, including smartphones. Some are free of charge but with limited functions and features (e.g. LastPass, Intuitive Password and PasswordBox). Users should check the software's capabilities carefully against their usage needs before upgrading to commercial versions. For more information about the tools mentioned, please refer to PC Magazine [6].

On the other hand, some people simply keep their passwords in a file such as a Microsoft Excel worksheet. Users should make sure such sensitive files are kept securely.

2 – Password Safety Awareness

Most password leakage incidents are related to human mistakes. Universities are advised to remind users about the importance of password safety. For example, users can be reminded about phishing attacks, in which suspicious links or files are attached to emails so that malicious attackers can gain valuable information, such as stealing the password when the user types or transmits it.

3 – Secured Endpoints

Another recommendation for password management is endpoint protection. Users are discouraged from using public computers to process and transmit sensitive information, such as accessing online banking or retrieving university emails. This is because it is difficult to ascertain whether public computers are secure or already compromised with computer viruses and other malicious software such as Trojan horse programs or keystroke loggers.

4 – Multi-factor Authentication

Last but not least, multi-factor authentication is highly recommended for sensitive transactions. Internet banking is a good example of using multi-factor authentication to protect customers from easily compromised passwords. With a dynamically generated passcode, identity theft becomes extremely difficult.

Conclusion

Users should be responsible for their own password protection and management. With the fast pace of technology innovation and the increase in cyber threats, users should adopt best practices to manage the “access key” (password) of the cyber world.

Top 10 Password Manager in 2011 [5]

Page 5

References

1. “Google Says Not To Worry About 5 Million 'Gmail Passwords' Leaked”. 11th September 2014. Web. 15 December 2014.
2. “Thousands Of Leaked Sony Passwords Were Reportedly Kept In A Folder Marked 'Password'”. 4th December 2014. Web. 15 December 2014.
3. “Alleged Dropbox hack underlines danger of reusing passwords”. 15th October 2014. Web. 9 December 2014.
4. “Guidelines & Circulars – Hong Kong Monetary Authority”. 13th July 2009. Web. 13 January 2015.
5. “Top 10 Password Manager”. 17th September 2014. Web. 13 January 2015.
6. “The Best Password Managers”. 22nd August 2014. Web. 13 January 2015.
7. “Information Security from University of BRISTOL”.

Copyright Statement

All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below:

[email protected]
Joint Universities Computer Centre Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong

University data and you [7]

Research into data breaches in HE institutions indicates that the majority of incidents are due to:

- Unauthorized access by insiders (accidental and malicious)
- Accidental exposure of data online
- Laptop theft

The majority of data leakage is down to human fallibility. For example, people routinely give passwords over the phone or in response to emails without verifying whether the request is genuine, and many of the government's high-profile leaks have been down to laptops left on trains and CDs posted without thinking through the consequences of loss and disclosure of the data within. Also, data is often routinely shared with colleagues who do not have a right or need to access that data, or data is needlessly copied, creating further opportunities for loss or theft.