A user’s guide to passwords

November 20, 2013

Carla Browning

By Nathan Zierfuss-Hubbard, Chief Information Security Officer
Consensus in the security world is that passwords are a necessary but problematic way to secure computers and online accounts. However, by managing your passwords rather than letting them manage you, it is much simpler to keep up with all of your digital assets, including personal accounts such as bank accounts and social media.

UA has come a long way. Several years ago we had dozens of systems with dozens of separate usernames and passwords. We have consolidated, and continue to consolidate, to a single credential: the UAUsername and password. It's important to remember that ELMO (https://elmo.alaska.edu) is the only place to reset or manage this UA account. Emails urging you to reset or verify it anywhere else are phishing attempts and should be ignored and deleted.

Begin with strong passwords
There are two things to consider regarding strong passwords: complexity and uniqueness. These two things are also why we have so much trouble with passwords: strong passwords are hard to remember, and the number of places we need them has exploded. Strength comes from length and from the number of different character types used, and of the two, length matters more: every added character multiplies the work a guessing attacker must do, while adding a character class only widens the alphabet. At UA we have an eight-character minimum length and require that three of the four character classes (upper case alpha, lower case alpha, numeric and special {!@#$%^&*()}) be used. Meeting that policy is a floor, not a guarantee: a dictionary word with one capital and one digit passes it and is still among the first guesses an attacker tries. By developing a system for making your passwords unique, you can make them strong, memorable and different for every service.

Use a tool like Password Meter to test the strength of your passwords. Test a password of the same pattern rather than the one you actually use, since anything typed into a third-party page leaves your control.

Develop a password schema
A core password that is strong but made specific for each service or computer it's used with can help your memory. For example, ILo^3snow or R3dl!ght might be your core password; adding the first character of the place you use it to the front or back then makes it unique and easy to remember. If you use it on Facebook, you might have “fILo^3snow” for Facebook or “uILo^3snow” for UA. The trade-off is that anyone who obtains one of these passwords (for example, from a breached site) can read off the core and guess the rest, so treat a leak of any one of them as a leak of all and change them together.
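The following is an added example, not code from the article or from UA. It checks a password against the eight-character, three-of-four-classes policy described in the "Begin with strong passwords" section, builds per-service passwords the way the schema above does, shows what an attacker recovers from a single leaked schema password, and, going beyond the article, derives per-service passwords with an HMAC keyed by a master secret so that one leak does not expose the rest. All names (meets_ua_policy, schema_password, derived_password, the sample passwords) are this example's own choices.

```python
# Added example (not from the UA article): password policy check, the
# "core + service initial" schema, what a leak of one schema password reveals,
# and a keyed (HMAC) derivation as a leak-resistant alternative.
import hashlib
import hmac
import math
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()"  # the special-character set quoted in the article


def character_classes(password: str) -> set:
    """Return the set of character classes (of four) present in a password."""
    classes = set()
    for ch in password:
        if ch in UPPER:
            classes.add("upper")
        elif ch in LOWER:
            classes.add("lower")
        elif ch in DIGITS:
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def meets_ua_policy(password: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """Eight-character minimum and three of the four classes, as the article states."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Attacker's work for a random password, in bits (log2 of the keyspace).
    16 lowercase letters (~75 bits) beat 8 characters from all four classes (~49 bits)."""
    return length * math.log2(alphabet_size)


# --- The article's schema: prefix the core with the first letter of the service.
def schema_password(core: str, service: str) -> str:
    return service[0].lower() + core


def core_from_leak(leaked: str) -> str:
    """What an attacker learns from one leaked schema password: strip the
    service letter and the core for every other service falls out."""
    return leaked[1:]


# --- Keyed alternative (added here, not in the article): HMAC-SHA256 of the
# service name under a master secret.  Each service gets an unrelated-looking
# password, and a leak of one reveals nothing about the master short of
# brute-forcing it.
def derived_password(master_secret: str, service: str, length: int = 16) -> str:
    digest = hmac.new(master_secret.encode(), service.lower().encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    classes = [UPPER, LOWER, DIGITS, SPECIAL]
    out = []
    for i in range(length):
        # The first four positions take one character from each class so the
        # result always satisfies the three-of-four rule; the rest draw from the
        # full alphabet.  Repeated divmod on a 256-bit integer keeps bias negligible.
        alphabet = classes[i] if i < 4 else UPPER + LOWER + DIGITS + SPECIAL
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


if __name__ == "__main__":
    core = "ILo^3snow"
    for service in ("Facebook", "UA"):
        print(service, schema_password(core, service), derived_password("master secret", service))
    print("core recovered from leak:", core_from_leak(schema_password(core, "Facebook")))
```

Note that "Passw0rd" satisfies meets_ua_policy, which is the point made above about the policy being a floor. The keyed derivation is the mechanism password-manager "generators" and tools such as password-hashing schemes rely on; in practice you would also have to store which services you derived passwords for and any per-service length or character-set quirks.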

Secure tools can help
1Password and LastPass are two commonly used tools for managing passwords securely. One keeps the encrypted vault in local storage (1Password) and the other keeps the encrypted vault in the cloud (LastPass). Local storage on a computer or device is more secure but less convenient for the way many of us work today. Cloud-based storage and retrieval offers more flexibility, but we must place more trust in the encryption, because once the vault leaves our physical custody its security rests entirely on that encryption and on the master password that unlocks it.

The key to storing all your passwords in one place securely is encryption. Any tool or method you use to manage several passwords should include strong encryption and a master password you will NEVER forget. Make that master password long, because anyone who obtains a copy of the vault can guess at it offline, at their leisure. Writing it down and storing the note in a secure (locked) place is a good idea.
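The following is an added example and is not code from the article, from 1Password or from LastPass. It shows the step both kinds of manager share: the master password is stretched with a key-derivation function (here PBKDF2-HMAC-SHA256 from the standard library) into the key that encrypts the vault, only a salt, iteration count and key-check value are stored alongside the ciphertext, and an attacker holding a stolen vault can only guess the master password offline. The iteration count, header layout and the wordlist are this example's own assumptions; real products use their own formats and far higher work factors.

```python
# Added example (not from the article or either product): turning a master
# password into a vault key, storing only what is needed to check it, and
# the offline guessing attack a stolen vault invites.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 100_000   # demo value; real vaults use far more or a memory-hard KDF
KEY_LEN = 32           # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into the vault key.  Same inputs, same key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def _key_check(key: bytes) -> bytes:
    # A MAC of a fixed label lets us tell "wrong master password" from
    # "corrupted vault" without storing the key or the password itself.
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def make_vault_header(master_password: str) -> dict:
    """What is written next to the ciphertext when a vault is created (constructed layout)."""
    salt = os.urandom(16)                      # fresh per vault: same master, different keys
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "iterations": ITERATIONS, "check": _key_check(key)}


def unlock(master_password: str, header: dict) -> Optional[bytes]:
    """Re-derive the key from the stored salt; return it only if the check value matches."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    return key if hmac.compare_digest(_key_check(key), header["check"]) else None


def dictionary_attack(header: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """What an attacker with a copy of the vault does: run the same KDF per guess.
    Returns (recovered master password or None, KDF runs spent).  Each run costs
    the full iteration count, which is the only thing slowing the attacker down."""
    for n, guess in enumerate(wordlist, 1):
        if unlock(guess, header) is not None:
            return guess, n
    return None, len(wordlist)


# Constructed sample wordlist standing in for the top of a real leaked-password list.
COMMON_GUESSES = ["123456", "password", "letmein", "Password1", "qwerty"]


if __name__ == "__main__":
    weak = make_vault_header("Password1")
    strong = make_vault_header("correct horse battery staple")
    print("weak master :", dictionary_attack(weak, COMMON_GUESSES))
    print("long master :", dictionary_attack(strong, COMMON_GUESSES))
```

The vault contents themselves would then be encrypted with an authenticated cipher under the derived key; that part is left out because the standard library has none, and the point of the passage is that whatever the cipher, a cloud-hosted vault is exactly as strong as the master password fed into this derivation.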

New technologies for security
The next wave of technologies helping us deal with passwords and secure computers and online accounts is multi-factor authentication. The password is your first authentication factor. The second is something you have: a physical component such as a phone, a keyfob or a smartcard that is associated with your account. This takes part of the authentication process out of the virtual world and adds a physical aspect to it, so a password stolen by phishing or in a breach is no longer enough on its own to log in. Facebook, Google and many other cloud services offer multi-factor authentication to secure accounts.

UA is currently testing a multi-factor solution with a variety of second factor options.
