This is part two of two in a blog series regarding passwords. To read part one (Online Passwords), please follow this link.
In the world of IT security, passwords are the core of life. The reality is there’s very little standing in the way of gaining access to your computer or your online accounts. Passwords remain the most common defensive line of the technological world, and defensive lines aren’t always that great.
The makings of good habits when choosing machine passwords are approached differently than making online passwords.
First Things First
As a tech company, Crossroads IT sees plenty of computers. From time to time we see machines that turn on and drop us right at the desktop. This happens when the computer has a user, but that user has declined to use any sort of password. If this is you, I’m taking the time to beg you… literally beg you to fix this. I’ll even walk you through how to do it.
- Hold down the CTRL + ALT + DELETE keys on your keyboard (Delete might be “DEL”). The screen will turn blue and you’ll see a menu.
- Select Change a Password.
- Type your old password (leave blank if you don’t have one).
- Type your new, super-memorable password.
- Confirm the new, super-memorable password.
- Press Enter – you’re now lightyears more secure than you just were.
Easy enough? Yes… yes is your answer because yes is the only answer. 🙂
Protection Goes Beyond You
Crossroads IT, and every other competent IT entity everywhere, will tell you that your computer houses way more personal information than you want released into the wild. Creating even a basic password to act as a deterrent is more effective than you’d think.
Think of it as a security system for your house. If you live in a neighborhood where everyone has a sign saying “Protected by…” and you lack anything, it stands out. In a community of signs, your house is the path of least resistance. Even if your security system goes unmarked, your house has earned a second glance. It’s worth not inviting the double-take.
With that in mind, if I have access to an office of 5 machines, and only four of them have passwords, I’ve found my target. Most computers are hooked into some sort of network, so the lack of security spreads amongst all the connected devices. Getting into one computer means I probably have some sort of access to all five. Even a basic password is very helpful in giving someone pause. I don’t want to waste time guessing what it is; I’ll just move on to the next machine until I hit the lottery.
Convinced yet? Good. No excuses… remember this is me begging.
What Makes a Good _physical_ Password?
While we would advocate for any sort of password in lieu of nothing, if you’re going to put one on your device, why not make it as effective as possible?
What makes the best type of password? That’s the million-dollar question. Fact is, there’s a wide range of thoughts and opinions on the subject. I’d love to tell you the answer is something simple and easy, but to understand what a secure password looks like, you have to ask where the password is being used.
Remember, our scope is tangible machines: laptops, desktops, routers, tablets, etc. Standards can change for different companies and different applications, but the US government has weighed in on what it feels is reasonably secure by setting HIPAA standards.
The Health Insurance Portability and Accountability Act talks a great deal about electronic data and the storage and transmission thereof. We have experience being HIPAA Compliance Officers, and the security is well regarded in and outside of healthcare.
HIPAA considers a secure password to be at least 8 characters. Those 8 must include at least 1 each of a symbol, capital letter, and number. HIPAA, while a great security baseline, strikes an infernal bargain between security and feasibility for password requirements. There’s the understanding that because you should never record your password, you need to remember it.
Research has shown that humans can reliably remember about 7 digits at a time (read: Phone Numbers, SSN, License Plates). Around seven, our working memory gets wonky. Eight characters is a fair compromise, but only because there has to be that meeting between effectiveness and plausibility. The HIPAA password standards are generally OK, but far from ideal.
Computers and Mobile Devices Login
My suggestion for laptops, desktops, tablets, etc. would be to use a long phrase in addition to the HIPAA requirements. While not bulletproof, length provides a great barrier to common types of attack.
Consider making up a phrase, or using one from a movie. To clarify, an _obscure_ phrase from a movie. If you have a desk full of Star Wars stuff and choose “usetheforce”, you’ve failed. If you can’t live without having a themed password (don’t have a themed password), then maybe “Y0ur destiny lies with me, Skywalker.”. We have a comma, a period, a couple of capitals, the o is a zero, and it’s not an oft-quoted line. It’s memorable enough to keep in your head, but way down the list of guessable lines. It’s also unlikely to make it onto any common password lists. Overall, that password is very, very good.
Whatever You Do, There Are Definitely Some Don’ts.
- No kids’ names, no pet names. Low-hanging fruit, even combined with numbers (which are usually a birthday).
- “… but I like birthdays.” Me too. Fact remains they make terrible passwords.
- Avoid the actual word “Password” or any progression of numbers, “123456” for example. This type of password made up 40% of the Top-25 Most Common Password lists for years.
- Sports teams, fictional characters, hobbies, and things of that ilk are ok, but not ideal. You likely have something in your office advertising your lifelong fan-hood.
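As an added illustration (this is example code, not anything from Crossroads IT or the post itself), here is a small checker that turns the rules above into code: the 8-character/symbol/capital/number baseline the post attributes to HIPAA, the “long phrase” advice, and each of the don’ts. The common-password list and the personal words are constructed stand-ins, and the 16-character threshold for “long” is an assumption, since the post only says “long”.

```python
import re
import string

# Constructed stand-in for the "Top-25 most common passwords" lists the post
# mentions; a real check would load a published list instead.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "welcome"}

# Constructed examples of the "low-hanging fruit" the post names (a kid's name,
# a pet's name, a team). In practice these come from the user's own context.
PERSONAL_WORDS = {"emma", "fluffy", "packers"}

MIN_BASELINE_LENGTH = 8     # the baseline the post attributes to HIPAA
RECOMMENDED_LENGTH = 16     # assumed threshold for the post's "long phrase" advice

# Undo the usual substitutions (0->o, 1->i, 4->a, 3->e, @->a, $->s) so that
# "P@ssw0rd" is still recognised as "password".
DELEET = str.maketrans("0143@$", "oiaeas")

# A plausible birthday: a 4-digit year, or an isolated 6- or 8-digit run such as
# 070485 or 07041985.
DATE_RE = re.compile(r"(?:19|20)\d{2}|(?<!\d)\d{6}(?!\d)|(?<!\d)\d{8}(?!\d)")


def meets_baseline(password: str) -> bool:
    """At least 8 characters with at least one symbol, one capital and one number."""
    return (
        len(password) >= MIN_BASELINE_LENGTH
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def has_digit_progression(password: str, run: int = 3) -> bool:
    """True if `run` or more consecutive digits step by +1 or -1 (123456, 9876)."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        if not window.isdigit():
            continue
        steps = {ord(window[j + 1]) - ord(window[j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def policy_findings(password: str, personal_words=PERSONAL_WORDS) -> list:
    """Return the list of problems with a password; an empty list means it clears
    the baseline, the length recommendation and every don't on the post's list."""
    findings = []
    lowered = password.lower()
    plain = lowered.translate(DELEET)
    if not meets_baseline(password):
        findings.append("fails the 8-character/symbol/capital/number baseline")
    if len(password) < RECOMMENDED_LENGTH:
        findings.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or "password" in plain:
        findings.append("is, or contains, a top-25 common password")
    if has_digit_progression(password):
        findings.append("contains a number progression like 123456")
    if DATE_RE.search(password):
        findings.append("contains what looks like a birthday or a year")
    if any(word in plain for word in personal_words):
        findings.append("contains a name or team anyone in your office would guess")
    return findings


if __name__ == "__main__":
    # Constructed candidates, including the post's own bad and good examples.
    for candidate in ("usetheforce", "Fluffy123!", "Emma07041985!",
                      "P@ssw0rd1!", "Y0ur destiny lies with me, Skywalker."):
        problems = policy_findings(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

The post’s Star Wars line comes back clean, while “Fluffy123!” trips three rules at once (too short, a digit progression, and a pet name), which is exactly the “low-hanging fruit” point: one pattern on its own rarely sinks a password, but they tend to travel together.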
BitLocker – Microsoft’s Embedded Answer **
Windows 10 Professional version comes with a handy little application called BitLocker. BitLocker is a hard drive encryption program that plays an important security role should your computer get stolen or someone attempts unauthorized access. Beware though, BitLocker should be considered more of an anti-theft measure. This encryption is _not_ a substitution for a login password. It controls access to the hard drive, but should never be a substitute for a user or domain login.
When your computer starts to boot up, the logic board runs preliminary commands (BIOS) directing the computer to read the hard drive, normally launching Windows. BitLocker can be configured to stand between the BIOS and the hard drive, asking the user for a security key before loading Windows.
Configured properly, BitLocker is considered to be very secure, albeit irritating. The key is 25 random characters, configured when BitLocker is enabled. If you forget or lose the password, recovering the key is not the most pleasant process. Alternatively, you can skip that initial key check, but so will everyone else trying to access the drive.
BitLocker, as with nearly all things, has potential exploits. However, these exploits are fairly specific and take some initial investment in hardware that only a sliver of the population possesses, let alone understands. Despite this, on the least secure setting, BitLocker is a very good deterrent. If you leave your laptop in a Starbucks, BitLocker generally keeps most random clowns from getting into it. In most reasonable situations, that’s all you need to keep data secure.
External Hard Drives and USB Drives
As I’m writing this, I have five thumb drives on my desk. Right next to me are six external hard drives. I have two internal hard drives next to them, and a small SSD in my desk waiting for a home. Ask me if any of them are password protected and I’ll tell you no, but four of them should have been. The four that I’m refurbishing after they were left for anyone to take***.
Since Crossroads IT’s inception, we’ve seen too many external hard drives with sensitive information in recycling bins or abandoned in public places****. HIPAA requires that any external device used with any HIPAA-compliant computer be encrypted. This rule is both an important requirement and an IT admin’s nightmare. It’s also a good idea in non-HIPAA scenarios where malpractice or libel problems might arise if the wrong information gets into the wrong places.
Short of disabling USB ports, it’s really difficult to enforce portable drive security. A nice feature of BitLocker is that it can encrypt any attached hard drives and USB thumb drives. Thankfully, it does allow you to choose your password for external devices. That helps to ease the burden of password retention. More importantly, if you trash or lose your drive, the world doesn’t have access.
Remember Your Goal
Basically, having physical access to a machine is a hacker’s dream. It’s difficult to keep someone out of your things if they’re in front of your computer with the right knowledge, resources, and time. That doesn’t absolve you from trying however. The overwhelming majority of people have no idea how to circumvent a password-protected machine; especially one where the hard drive is encrypted.
Realistically, you should always be a house with a sign. Be a more difficult target and get passed over in favor of an easier mark. Even HIPAA concedes that breaches are likely when the wrong people have physical access to a computer. They’re usually happy seeing a reasonable effort to deter and protect information from 80%-90% of the population’s curious eyes.
Where We Come In
Of course, Crossroads IT can discuss HIPAA compliance, and can consult on your security situation in the office. We can help set up BitLocker and configure secure domains. As with most everything IT, we can take it further than it needs to go.
One thing we did not discuss was network passwords. Your Wi-Fi password and your router’s admin access should always be password protected, even the guest networks. Keep an eye out for an upcoming blog series regarding general office IT security. We’ll highlight some best practices and give you some easy tips to make your business more secure and less of an enticing target.
Want to know more now? Contact us and we’ll be happy to discuss your situation.
* – I spoke a bit about Brute Force attacks previously in my Online Password blog. This laborious exercise guesses every combination of characters until it gets it right. 8 alpha-numeric characters would take a computer about 22 minutes to crack. 16 alpha-numeric with symbols? About 204 million years. An 8-character HIPAA-compliant password: 9 hours. My Star Wars password: 3*10^51 years. Cue the “Long Time Ago” and “Far, Far Away” references.
** – There are other encryption tools out there. I’m a fan of keeping things as copacetic as possible, and Windows has integrated BitLocker really well. It is also available on Macintosh, but you need a separate program since it’s not built in: M3 BitLocker Loader.
*** – Please never assume that just because you put things into the electronics recycling, the data is sanitized. Unless this is a specifically-noted service, you can never assume that the data is gone. Crossroads IT will provide you certifiable hard drive sanitization for any storage devices you want to erase completely. Don’t underestimate the usefulness of this. Deleting a file off a hard drive is not erasing it.
**** – If you ever find a USB or external hard drive, you have to fight the urge to plug it into your machine. It is the single easiest way to open yourself up to some sort of virus or malware. The only times we’ve ever done it were in isolated, offline environments where we planned on rebuilding the machines afterwards. I cannot stress this enough: don’t plug anything into your USB ports without knowing _exactly_ what is on it.
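The arithmetic behind the first footnote (why length beats complexity against brute force) is easy to carry through yourself. The following is an added example, not Crossroads IT’s code and not the calculator behind the footnote’s figures: it sizes the alphabet from the character classes a password uses, raises it to the password’s length, and converts that to years at an assumed guess rate. The 10 billion guesses per second is a constructed round number for illustration; the real rate depends on how the machine hashes the password and on the hardware doing the guessing, so the years column will not match the footnote.

```python
import math
import string

# Character classes and their sizes. "symbol" is punctuation plus the space
# character, so all four classes together are the 95 printable ASCII characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Assumed guess rate for the illustration. The real rate depends on the hash the
# machine stores and on the hardware doing the guessing; this is a constructed
# round number, not the rate behind the footnote's own estimates.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover, judged from the
    character classes actually present in the password. Characters outside the
    four ASCII classes (accented letters, emoji) are ignored here."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidate strings of exactly `length` characters over `alphabet`."""
    return alphabet ** length


def strength_bits(length: int, alphabet: int) -> float:
    """Equivalent key length in bits: log2 of the keyspace."""
    return length * math.log2(alphabet)


def years_to_exhaust(length: int, alphabet: int,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of this length and alphabet at `rate`
    guesses per second (a guesser expects to succeed after about half of that)."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_YEAR


def describe(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Summarise a password's resistance to exhaustive search as a dict."""
    n, a = len(password), alphabet_size(password)
    return {
        "length": n,
        "alphabet": a,
        "bits": round(strength_bits(n, a), 1),
        "years": years_to_exhaust(n, a, rate),
    }


if __name__ == "__main__":
    # Constructed samples: the post's bad and good Star Wars passwords, plus an
    # 8-character alpha-numeric and an 8-character baseline-style password.
    for pw in ("usetheforce", "Abcdef12", "Abcdef1!",
               "Y0ur destiny lies with me, Skywalker."):
        d = describe(pw)
        print(f"{pw!r}: {d['length']} chars over {d['alphabet']} symbols = "
              f"{d['bits']} bits, {d['years']:.3g} years to exhaust")
    print("Going from 8 to 16 characters over all 95 printable characters "
          f"multiplies the work by {keyspace(16, 95) // keyspace(8, 95):,}")
```

The takeaway matches the footnote: adding a symbol to an 8-character password multiplies the work by a modest factor, while doubling the length multiplies it by the alphabet size raised to the eighth power, which is why a long, punctuated phrase lands so far beyond the 8-character baseline.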
Copyright © 2018-2019 - Crossroads IT, L.L.C.