Information Technology HELPDESK
Password Security
Why passwords are important
We all have information that we don’t want to share with other people, whether it’s our
bank account details, personal diaries, etc. Businesses often hold personal details about
us (name, address, phone number, etc.) which we would not want them to pass on to other
people, which is why we have a Data Protection Act in this country. Similarly, at UEL
there will be information that we do not want to share with other people: students may not
want other people copying their assignments, and lecturers will not want other people seeing
exam papers before the exam.
There are three main levels of protection for data stored on computers:
- Prevent access to the computer holding the data. This is achieved by using firewall
software to control which computers are allowed to talk to which. (Think of it as a locked
gate: you can’t get access to any buildings on a site if you can’t even get through the gate!)
- Require everyone accessing a computer to identify themselves by supplying a username,
and to prove that they are who they claim to be by providing a password that only they
know. (This gets you into the building.)
- Set access rights on folders and files on the computer so that only those accounts which have
been specifically authorised to do so can access that data. (This gets you into the right room
and filing cabinet.)
A potential hacker must overcome all three of the above obstacles before they can make off
with your life savings, read your personal diary, steal your assignment, etc.
Firewall(s)
To bypass a firewall is technically difficult, but may not be necessary if physical access
to computers inside the firewall can be gained. All computers physically on UEL premises
are effectively inside the UEL firewall. This is obviously necessary as all staff and
students are entitled to use the network, and that includes storage space on shared
computers (i.e. servers), printers and other resources. However, this means that all UEL
computers are potentially accessible to 12,000 people!
Username and password
We are therefore dependent on the second level of security – usernames and passwords.
Usernames could be quite cryptic (e.g. u0123456) or simple, easily guessable names
(e.g. mark). Since it is often necessary for other people to know these identifying
names in order to share data, send email messages, etc., it does not really matter
whether they are easy to guess, since the information must be made available to other
people. (However, this information should not be generally available outside the UEL
environment.)
We are therefore mainly dependent on passwords for our security. These not only protect
your own data, but also any shared data which you have access to.
Hacking and Cracking
Most security breaches occur because a password has been found out (i.e. cracked). Hacking
is much rarer and is when someone exploits a technical weakness in a system to bypass the
usual security systems.
Password Cracking
There are only three methods of discovering a password: guessing, social engineering and
finding it written down.
Obviously, writing passwords down means that your security is only as good as the security
of the physical access to wherever you wrote it down. Ask yourself how many other people
have access to your office. Does this include other members of your department, cleaners
and maintenance staff, casual visitors, student tutorials...?
Social engineering involves you giving away the password. This could be as blatant as a
telephone call (“Hi, I’m your network supervisor. I need to check your account, can you
let me have your username and password?”). There should NEVER be any need to give out your
password to anyone. If someone does need to work on your account, wait while they do the
work and type the password yourself when it is needed. Less blatant methods might consist
of simply watching you type the password. Don’t be afraid to ask someone to look away while
you type your password. Avoid conversations like “Oh, I always use my car registration.
How do you decide what to use for a password?”
Guessing could involve someone simply typing in likely words or phrases (e.g. car registration,
telephone numbers, partners’, children’s or pets’ names), or it could be an automated program
that tries thousands of possible passwords.
What makes a good password?
- The longer a password, the harder it is to guess.
- Passwords should not be proper words. Most automated programs will try every word in
the dictionary! Substituting digits for letters is no defence since they will also try the
obvious substitutions. They will also try common misspellings of words and words spelt backwards.
- A combination of letters and digits can make a good password. Choose a word and number
that you can easily remember and interweave them as your password (e.g. help and 2468
becomes h2e4l6p8).
- Acronyms can also make good passwords, but beware of falling into the social engineering
trap (bgrps might seem like a good password but if people know that you are a member of the
Becton Gasworks Railway Preservation Society…)
- Punctuation characters are also accepted by most password systems and can make passwords
much more difficult to guess.
- Passwords must be easy to remember. Bk64bgh&%vggEW%$kSj2i would be almost impossible
to guess but very difficult to remember so it would probably get written down somewhere… oops!
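The checks in the list above, as an added example (not UEL’s own helpdesk code): a small password checker that builds the interleaved word-and-number style shown (help + 2468 = h2e4l6p8), rejects dictionary words including the obvious digit substitutions and reversed spellings that cracking programs try, and applies the minimum length and “previous 10 passwords” figures from the UEL policy. The word list is a constructed stand-in for a real dictionary; common misspellings are not covered.

```python
import itertools

# Constructed sample dictionary; a real checker would load a full wordlist.
DICTIONARY = {"help", "password", "welcome", "mark", "secret", "summer"}

# The "obvious substitutions" a cracking program will try, undone here so that
# p4ssw0rd is recognised as the word password.
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
            "@": "a", "$": "s"}

MIN_LENGTH = 5        # UEL policy: at least 5 characters
HISTORY_DEPTH = 10    # UEL policy: previous 10 passwords cannot be reused

TOO_SHORT = "shorter than %d characters" % MIN_LENGTH
DICT_WORD = "based on a dictionary word (including substitutions or reversal)"
REUSED = "matches one of the previous %d passwords" % HISTORY_DEPTH


def interleave(word: str, digits: str) -> str:
    """Build the page's 'help' + '2468' -> 'h2e4l6p8' style password."""
    pairs = itertools.zip_longest(word, digits, fillvalue="")
    return "".join(a + b for a, b in pairs)


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits (password1), undo leet substitutions."""
    stripped = pw.lower().rstrip("0123456789")
    return "".join(LEET_MAP.get(c, c) for c in stripped)


def is_dictionary_based(pw: str) -> bool:
    """True if the password is a dictionary word, a substituted variant of
    one, or either of those spelt backwards."""
    base = normalise(pw)
    return base in DICTIONARY or base[::-1] in DICTIONARY


def check_password(pw: str, history: list) -> list:
    """Return the reasons a proposed password is rejected (empty list = OK).
    `history` holds the user's earlier passwords, oldest first."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if is_dictionary_based(pw):
        problems.append(DICT_WORD)
    if pw in history[-HISTORY_DEPTH:]:
        problems.append(REUSED)
    return problems
```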
Password changing
No matter how good a password is, the longer it is used the more chance there is of people
discovering it. Passwords should therefore be changed at regular intervals and old passwords
should not be reused.
UEL password policies
- Passwords must be at least 5 characters long.
- Password changes are required every 60 days and the previous 10 passwords cannot be reused.
- Accounts are locked out after 20 incorrect attempts and will remain locked for 5 minutes.
(This will defeat automated password guessing programs as access to the account will still be
denied even if the correct password is input during the lockout period.)
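The lockout rule above, as an added example (not UEL’s own code): a minimal account state machine using the page’s figures (20 incorrect attempts, 5-minute lockout) that shows why an automated guesser is defeated: during the lockout period even the correct password is refused. The clock is passed in as a parameter so the behaviour can be exercised without waiting; the stored password is a constructed stand-in for a real password hash.

```python
import hmac

LOCKOUT_THRESHOLD = 20      # incorrect attempts before the account locks
LOCKOUT_SECONDS = 5 * 60    # lockout lasts 5 minutes


class Account:
    def __init__(self, password: str):
        # Constructed example: a real system stores a salted hash, not the password.
        self._password = password
        self.failed = 0
        self.locked_until = 0.0     # time (seconds) at which the lockout ends

    def attempt(self, password: str, now: float) -> str:
        """Process one login attempt at time `now` and return
        'locked' (refused regardless of password), 'denied' or 'ok'."""
        if now < self.locked_until:
            return "locked"         # correct or not, access is still denied
        if not hmac.compare_digest(password, self._password):
            self.failed += 1
            if self.failed >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failed = 0     # fresh count once the lockout expires
            return "denied"
        self.failed = 0             # a successful login resets the counter
        return "ok"


def run_guesser(account: Account, guesses: list, start: float = 0.0) -> list:
    """Feed a list of guesses one second apart and return the outcomes, the
    way an automated guessing program would experience them."""
    return [account.attempt(g, start + i) for i, g in enumerate(guesses)]
```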