Passwords: cracking the code

18 October, 2012

Interesting post by Willard Foxton on password security, describing how the 2009 hacking of the RockYou gaming website started a cascade of website cracking – all too easy in an era where “cryptographic feats that were the stuff of legend in the Second World War” can now “be done on your iPhone”.

Foxton summarises “current best advice” on password security as follows:

 

The current best advice is to have passwords composed of 20 characters, with no real words, and your gobbledegook has to include upper and lower case letters, symbols, numbers and punctuation, all randomly scattered through the word. On top of that, you need to have a different password for every site you use and change your password for all of them every three months.

 

I think it’s safe to say that a system whose “best practice” amounts to that is a system that is irretrievably broken.

Are there any legal implications to this? Well, the Data Protection Act requires organisations holding personal data to take:

 

Appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Act does not prescribe any specific security measures, but the Information Commissioner’s current advice to organisations on passwords recommends:

use a strong password – these are long (at least seven characters) and have a combination of upper and lower case letters, numbers and the special keyboard characters like the asterisk or currency symbols.

This is some way short of the “best advice” set out by Foxton, though how much actual practical difference it makes to security may be a different matter – for now. “Appropriate” measures include striking a balance between theoretical security and practical workability, depending on the risks involved. But it would seem likely that, over time, the gap between what is “appropriate” and Foxton’s counsel of perfection will close.

Rather than tightening up password policies beyond the ICO’s recommendations, there may be a stronger case for looking at measures such as two-factor authentication. I adopted this for my personal email account after reading this chilling account of how a hacked Gmail account enabled Mat Honan’s entire digital life to be wiped out earlier this year. Google offer two-step verification for their accounts, which is relatively simple to set up and use, at least if you own a smartphone.

I’m not aware of any guidance from the ICO as yet on the use of two-factor authentication. What the ICO does insist upon, however, is the use of encryption for any mobile devices holding personal data (laptops, memory sticks, tablets). If your organisation is using such devices without encryption, you should correct this straight away – or risk joining Greater Manchester Police in the dock with a £120,000 (or more) penalty.