Has the need to safeguard our personal information online created an insecurity?
As the vice president of security strategy at a top-ranked cybersecurity consulting firm, Clyde Hewitt is accustomed to the evolution of cybersecurity best practices and to the need to stay ahead of the privacy curve. But even he was a bit taken aback when he set his family up with Windows 10 on their personal laptops.
“The first thing it wants to do is look at you, it’s looking for your face,” said Hewitt, referring to the program’s facial recognition feature as part of its security settings for registered users. “And trying to use a photograph of yourself won’t work, because you have to turn your face to the left and to the right to show the program that it’s looking at a 3-D image. Facial recognition has become one of the default ways into your laptop.”
Captured by a laptop's built-in camera, facial recognition (along with the option to enroll a fingerprint as an identifier) is promoted by Microsoft as a way to log into Windows devices three times faster than with a standard screen name and password. Recognition is near-instant, with a PIN as the fallback. Add multifactor authentication, most often a one-time code entered into a website or mobile app after the password, and by 2019 most people had already met the new shape of online security. It is now hard to reach any website or app that holds our personal or business information without first entering a unique password. From health insurance profiles and bank statements to shopping sites and music libraries, the entryway to almost anything we want is guarded by a password, one that grows ever harder both to create and to remember.
Does Password Hygiene Need Cleansing?
Think about it.
Can you recall the last time you created (or renewed) a password that did not require you to follow an arbitrary set of rules before it was accepted? Perhaps it had to be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one number, and one special character (!@#$%^&*). Or perhaps you had to pick a handful of images from a random assortment (dogs, cats, cars, money, and so on) that you must select every time you log into that site or app. It is also likely that after 30 or 90 days you will be prompted to change the password, and that you will not be allowed to reuse one from the previous year (or, say, your six most recent). According to Hewitt, a member of the management team at CynergisTek Inc., Austin, TX, these hygiene rules, multiplied by the sheer number of passwords needed to get through a day, have produced a kind of password lethargy: we put less thought into our passwords because they are temporary and because we are running out of options we can easily remember. The result is weaker protection of our private, sensitive data, and an easier job for anyone trying to steal our passwords.
“People have started to get sloppy [with their passwords] because they’re running out of things to remember,” Hewitt said. “If you have a 90-day reset for 20 years and you’re not allowed to reuse a password that you’ve already used, it becomes a question of how many permutations can you come up with for something that’s stuck in your head. And then, for example, you may start going into [social media] accounts for ideas. And a hacker greatly reduces their target surface by just looking at social media. They look at the car, the street address, the house, the kids’ names, the pets’ names, the schools for them to use as a way to attack.”
The good news is that professionals like Hewitt are in the business of trying to help society remain as secure as possible by adapting and adopting digital security and privacy protocols. ADVANCE recently spoke with high-level executives in the field to help lay the groundwork for what is already becoming the future of online identification and protection.
From Passwords to Passphrases
Long gone are the days when the basic password rules were “Do not use your screen name,” “Do not use ‘12345,’” and “Do not use ‘QWERTY’” (pronounced “kwerty,” the first six letters of the standard keyboard). The methods thieves now use are simply too sophisticated for that basic hygiene to be adequate guidance.
“I think we are experiencing a case where technology has caught up with practice,” Hewitt said. “[Many] years ago, we had six-character passwords, and they were probably good enough because computers couldn’t guess them easily. And if they did guess them, people would change them and the clock would reset. But then the hackers got smarter.”
As Hewitt explains, password attacks were once carried out by hand, working through likely passwords until one succeeded. Today they are automated: a dictionary attack feeds a wordlist of common words and names, plus rule-based variations of each (case changes, appended digits and symbols), to a cracking program, and the time to a successful guess has shrunk accordingly. “You can run a dictionary attack using a Pentium laptop processor in a couple of days,” Hewitt said. “Hackers will start with a name such as ‘admin’ and start to reverse engineer things because they take all the possible combinations of words — and use uppercase and lowercase letters and special characters.” A “rainbow table” is a precomputed table, specific to one hashing algorithm, that maps hashed passwords back to their plaintext; with a stolen database of hashes, an attacker looks each hash up instead of guessing one password at a time. The technique only works where hashes are stored without a per-user salt, which is one reason salted, deliberately slow password hashing is the modern standard. “And hackers have begun to decide that they aren’t going to randomly guess passwords – they are going to look on social media, for example, for clues to people’s passwords.”
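The guessing process described above, as an added example (not code from the article, from CynergisTek, or from any real cracking tool): a small rule-based wordlist attack in Python against a constructed store of leaked SHA-256 hashes. Against the unsalted table, one precomputed hash-to-plaintext lookup (the idea a rainbow table compresses into chains) cracks every user at once; against the salted table the same lookup is useless and every guess has to be recomputed per user. The wordlist, suffix rules, usernames, passwords and salts are all made up for this example.

```python
"""Rule-based wordlist guessing against leaked hashes, unsalted vs. salted.
Everything below (wordlist, rules, users, salts) is constructed sample data."""
import hashlib

# A real cracker uses millions of words and hundreds of mangling rules;
# this is the same shape at toy scale.
WORDLIST = ["admin", "password", "maple", "summer", "welcome", "tiger"]
SUFFIXES = ["", "1", "123", "!", "2019", "$"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def candidates(wordlist):
    """Yield guesses the way a rule engine does: three case variants of each
    base word, each combined with every common suffix."""
    for word in wordlist:
        for variant in dict.fromkeys((word, word.capitalize(), word.upper())):
            for suffix in SUFFIXES:
                yield variant + suffix


def guesses_per_user(wordlist) -> int:
    return sum(1 for _ in candidates(wordlist))


def build_lookup(wordlist) -> dict:
    """Precompute hash -> plaintext once. This only pays off when the target
    stores bare hashes: the same password always yields the same digest."""
    return {sha256_hex(c.encode()): c for c in candidates(wordlist)}


# Constructed "leaked" store 1: username -> sha256(password), no salt.
# (Real systems should use a salted, slow KDF such as bcrypt, scrypt or Argon2;
# plain SHA-256 is used here only to show why that advice exists.)
UNSALTED_LEAK = {
    "alice": sha256_hex(b"Maple123"),
    "bob": sha256_hex(b"admin!"),
    "carol": sha256_hex(b"NailMaple$125Tire"),  # passphrase, not in any wordlist
}


def salted_entry(salt_hex: str, password: str):
    return salt_hex, sha256_hex(bytes.fromhex(salt_hex) + password.encode())


# Constructed "leaked" store 2: username -> (salt, sha256(salt || password)).
SALTED_LEAK = {
    "alice": salted_entry("a1b2c3d4e5f60718", "Maple123"),
    "bob": salted_entry("00ff00ff00ff00ff", "admin!"),
}


def crack_unsalted(leaked: dict, table: dict) -> dict:
    """One dictionary lookup per leaked hash; cost of the table is paid once
    and reused for every user and every future leak with the same algorithm."""
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def crack_salted(leaked: dict, wordlist):
    """No shortcut: each user's salt forces the full candidate set to be
    re-hashed for that user alone. Returns (found, hashes_computed)."""
    found, hashes_computed = {}, 0
    for user, (salt_hex, digest) in leaked.items():
        salt = bytes.fromhex(salt_hex)
        for guess in candidates(wordlist):
            hashes_computed += 1
            if sha256_hex(salt + guess.encode()) == digest:
                found[user] = guess
                break
    return found, hashes_computed


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted:", crack_unsalted(UNSALTED_LEAK, table), "using", len(table), "precomputed hashes")
    found, n = crack_salted(SALTED_LEAK, WORDLIST)
    print("salted:  ", found, "after", n, "per-user hash computations")
```

The passphrase user is never recovered because the phrase is outside the wordlist-plus-rules space, which is the whole argument for passphrases below; the salted store is still cracked for the two weak passwords, because salting removes the precomputation shortcut but does nothing about a guessable password.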
The result has been a great deal of identity theft, and studies show it is still rising. According to Javelin Strategy & Research, a research-based advisory firm located in Pleasanton, CA, there were 16.7 million victims of identity fraud in 2017, a record high that followed a previous record set in 2016. There are many reasons for this, starting with the obvious one that some people are intent on stealing information, money, and other items of value from others, but it is also becoming evident that passwords themselves can foster a false sense of security. The sheer volume of passwords we accumulate is in itself a weakness, Hewitt said, because we become less likely to create truly unique ones. We are also more likely to reuse passwords across multiple platforms in order to keep track of our sign-in information, and those of us thoroughly inundated may resort to writing down a list of current and past passwords on a cheat sheet, or storing it in a phone's notepad (which itself requires a password to open). A list on a single sheet of paper or in a note-taking app only raises the odds that our information is compromised should that list end up in a criminal's hands. Passwords today require some combination of uppercase and lowercase letters, numbers, and special characters, but that no longer appears to be enough to protect our digital privacy.
“We went from six characters, to seven characters, to eight characters, which seems to be the standard today,” Hewitt said. “It’s always going to be a game of cat and mouse. [The password problem] has been a combination of us allowing technology, and that’s not a bad thing, to actually get in front of our practice. And that’s the reason that passwords are probably going to be dead.”
The eventual death of the password will make way for the “passphrase,” a sequence of words or other text that is used like a password but is generally longer, for added security. The idea is to build a phrase from specifics that nobody else could reasonably know. As an example, Hewitt offers “NailMaple$125Tire,” a passphrase that could stand for “I ran over a nail on Maple Street and it cost me $125 to get my flat tire replaced.” “Those four unique but seemingly unrelated words would take millions of years to reverse engineer, even with today’s technology.” Passphrases will likely be combined with facial recognition, fingerprint readers, other biometrics, or some combination of these as standard forms of multifactor authentication for getting into computers going forward. Hewitt estimates that he has been using passphrases for at least 10 years.
Roger Shindell, CHPS, CISA, CIPM, founder, president, and chief executive officer of Carosh Compliance Solutions, an organization that specializes in providing HIPAA privacy and security consulting services, said that he prefers generating a passphrase by selecting two random words from a dictionary and tying them together with a special character. “For years, I used ‘Hokey&Scroll,’ a difficult guess that’s easy to remember,” he said. “I also like to use famous places or dates from history with special characters interspersed, for example, ‘Box!3!948,’ which stands for the box (13) of votes that mysteriously appeared so that Lyndon B. Johnson could win his first Senate race in 1948, or ‘National!28,’ meaning that John Wilkes Booth stayed in Room 128 of the National Hotel the night before he shot Abraham Lincoln. You just need to be sure you don’t use personal dates or places, given those are easy to guess.”
While substituting passphrases for passwords may on its face seem to make it harder to remember how to get into sites and apps, both Hewitt and Shindell insist that this is not the case. However, the people who set the password criteria will have to do their part to make that a safe reality.
“The first thing that we have to do is get to the security officers and compliance officers and educate them that they can get rid of that 30-day reset requirement if they mandate a passphrase requirement,” Hewitt said. “Because if you’re going to mandate that someone has to keep changing their passphrase, then you have just placed a strong de-motivator into the process. What’s the point of using a complex, 20-character passphrase that you can remember for life if you’re not going to be allowed to remember it for more than 30 days? By using two generally unrelated words, we defeat the processing power. With three unrelated words, the complexity goes to 2.7 times 10^27 possible combinations.”

Shindell also suggests the “password vault” as a solution, which he describes as an encrypted database of one’s passwords that saves every login, a particular advantage for HIPAA covered entities. “So you only need to remember one password, and they have the added advantage of being able to be administered centrally, so if you need to remove an employee from software packages and cloud-based applications, it can be accomplished in one fell swoop,” he said.

Hewitt believes that continued use of multifactor authentication will help protect passphrases and blunt phishing emails, because the one-time code delivered by text message or email should be in the possession of only the account holder. “But even that is not totally foolproof, because just as soon as you think you are smart enough to implement multifactor authentication, someone is getting smarter to break it,” he said. “If criminals got ahold of what’s called the SAM file — the security accounts manager file — they can look at that rainbow table and translate a 250-character string.”
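The “possible combinations” arithmetic behind the argument for multi-word passphrases, worked through as an added example rather than figures from the article or from either consultant. The Python below turns a keyspace into bits of entropy and into years to exhaust at an assumed guessing rate, for random character passwords, for word-based passphrases drawn from a dictionary of an assumed size, and for the case a practitioner most needs to see: a "complex" password that is really one dictionary word with a capital and a suffix, whose effective keyspace is the attacker's rule model, not the 95-symbol alphabet. Dictionary sizes (7776 words, the size of a Diceware list, and 100,000) and guess rates are assumptions stated in the code.

```python
"""Keyspace, entropy and time-to-exhaust for passwords vs. passphrases.
Added example; dictionary sizes and guess rates are assumptions, not measurements."""
import math

# Assumed guessing rates (order-of-magnitude only, for comparison).
GUESSES_PER_SECOND = {
    "online, rate-limited login form": 10.0,
    "offline, fast unsalted hash (GPU rig)": 1e10,
    "offline, slow salted KDF (bcrypt/Argon2)": 1e4,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_keyspace(alphabet: int, length: int) -> int:
    """Every position drawn uniformly from `alphabet` symbols."""
    return alphabet ** length


def passphrase_keyspace(dictionary: int, words: int, separators: int = 1) -> int:
    """`words` words drawn uniformly from a `dictionary`, with one of
    `separators` possible separator characters between each pair."""
    return dictionary ** words * separators ** (words - 1)


def bits(keyspace: int) -> float:
    """Entropy in bits, assuming uniform choice over the keyspace."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case for the attacker (whole space); expected case is half."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def words_needed(dictionary: int, target_bits: float) -> int:
    """How many uniformly chosen words reach a target entropy."""
    return math.ceil(target_bits / math.log2(dictionary))


def compare(rate_label: str = "offline, fast unsalted hash (GPU rig)"):
    """Return (label, bits, years) rows for a set of policies at one rate."""
    rate = GUESSES_PER_SECOND[rate_label]
    cases = {
        "8 random printable ASCII chars": char_keyspace(95, 8),
        # A rule-compliant 'Maple123'-style password as an attacker models it:
        # 100k-word list x 3 case variants x 100 two-digit suffixes.
        "1 word + case variant + 2-digit suffix (attacker's rule model)": 100_000 * 3 * 100,
        "3 words, 7776-word list": passphrase_keyspace(7776, 3),
        "4 words, 7776-word list": passphrase_keyspace(7776, 4),
        "6 words, 7776-word list": passphrase_keyspace(7776, 6),
        "3 words, 100k-word list, any of 32 separators": passphrase_keyspace(100_000, 3, 32),
    }
    return [(label, round(bits(k), 1), years_to_exhaust(k, rate)) for label, k in cases.items()]


if __name__ == "__main__":
    for rate_label in GUESSES_PER_SECOND:
        print(f"\n{rate_label}")
        for label, b, years in compare(rate_label):
            print(f"  {b:6.1f} bits  {years:12.3g} years  {label}")
    print("\nwords for 80 bits:", words_needed(7776, 80), "(7776-word list),",
          words_needed(100_000, 80), "(100k-word list)")
```

Two things the table makes visible that the composition rules hide: a word-plus-suffix password that satisfies every character-class rule sits in a space of a few tens of millions of guesses, and the rate at which that space is searched is set by how the verifier stores the hash, which is why the slow-KDF row is six orders of magnitude slower than the fast-hash row for the same password. The estimate only holds for words chosen at random from the list; a phrase built from personal facts (street, pet, car) is exactly what the social-media reconnaissance above is meant to shortcut.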
How Far We’ve Come
As Hewitt remembers it, the first electronic health records used a three-letter username, generally the physician’s initials, and passwords two or three characters long, because the “physicians didn’t want to be bothered to slow down.” The National Institute of Standards and Technology (NIST) has since updated its digital identity guidelines [1], revising the password complexity and expiration requirements: verifiers are told to rely on length (a minimum of 8 characters, with at least 64 allowed) rather than character-class composition rules, to screen new passwords against lists of known-compromised and commonly used values, and to drop routine periodic changes unless there is evidence of compromise. The new standard has no added impact on HIPAA, however. The U.S. Department of Health & Human Services instructs covered entities and business associates to ask themselves whether there are policies in place that prevent workforce members from sharing passwords with others, whether the workforce is advised to commit their passwords to memory, and whether common-sense precautions are taken, such as not writing passwords down and leaving them where they are visible or accessible to others. Hewitt also suggests that multifactor authentication be mandatory for all admin and system accounts.
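What the revised NIST guidance looks like when written into a verifier, as an added example (not a NIST or HHS artifact, and not code from anyone quoted in the article): a memorized-secret check in Python that enforces length rather than character classes, sets no expiry clock, and rejects values that appear on a blocklist, that are repetitive or sequential, or that contain context-specific words such as the username or service name. The blocklist here is a constructed stand-in for a breached-password corpus; a deployment would load millions of entries. The thresholds (8 and 64 characters) are the ones in SP 800-63B section 5.1.1.2.

```python
"""Memorized-secret acceptance check in the spirit of NIST SP 800-63B 5.1.1.2.
Added example. BLOCKLIST is constructed sample data, not a real breach corpus."""

MIN_LEN = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 64   # 800-63B: verifiers must permit at least 64 characters

# Constructed stand-in for a list of breached / commonly used passwords.
BLOCKLIST = {"password", "12345678", "qwerty123", "letmein1", "welcome1", "hokey&scroll"}


def _is_repetitive(secret: str) -> bool:
    """'aaaaaaaa' or 'abababab' style values."""
    if len(set(secret)) == 1:
        return True
    return len(secret) % 2 == 0 and secret == secret[:2] * (len(secret) // 2)


def _is_sequential(secret: str) -> bool:
    """'12345678', 'abcdefgh', 'hgfedcba': every step is +1 or -1 in code points."""
    codes = [ord(c) for c in secret.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(steps) == 1 and steps <= {1, -1}


def check_secret(secret: str, context=()) -> list:
    """Return the reasons a candidate secret is rejected; [] means accepted.

    Deliberately absent: any upper/lower/digit/symbol composition rule and any
    'change every N days' rule, both of which 800-63B tells verifiers to drop.
    Spaces and all Unicode are allowed; length is counted in code points.
    `context` holds values specific to this account or service (username,
    service name, the user's real name) that must not appear in the secret.
    """
    reasons = []
    if len(secret) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    normalized = secret.lower()
    if normalized in BLOCKLIST:
        reasons.append("appears in the breached/common password list")
    if _is_repetitive(secret):
        reasons.append("repetitive characters")
    if _is_sequential(secret):
        reasons.append("sequential characters")
    for word in context:
        if len(word) >= 3 and word.lower() in normalized:
            reasons.append(f"contains context-specific value {word!r}")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, checked for a hypothetical user 'hewitt'
    # on a hypothetical service 'advance'.
    for candidate in ["NailMaple$125Tire", "correct horse battery staple",
                      "Tr0ub4d", "Password", "12345678", "abababab", "hewitt2019x"]:
        verdict = check_secret(candidate, context=("hewitt", "advance"))
        print(f"{candidate!r:34} -> {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that the user-chosen passphrase and the four-word lowercase phrase with spaces both pass, while “Password” fails despite satisfying a typical mixed-case rule, because the blocklist is consulted after case-folding. Which values belong on the blocklist, and how large it should be, is a deployment decision; the structure of the check is what the guideline prescribes.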
- [1] Digital Identity Guidelines: Now Available. NIST, 2017. https://pages.nist.gov/800-63-3