Some time ago, Bill Gates (yes, that Bill Gates) was speaking at an RSA Security Conference, and he stated that the way most people set up and use passwords doesn’t stand up to the challenge of actually providing security. His reasoning was that asking people to remember complex passwords is logistically a burden and cumbersome in daily practice. And did you see the recent article on passwords in the New York Times that pointed out that back at the dawn of the Web, the most popular account password was “12345”? Today, it’s one digit longer but hardly any safer: “123456.”
So it comes as no surprise to find that most people are using basic, easy-to-remember passwords that are easily broken by the most common hacking tools. This practice poses security risks down the road for those homeowners who are integrating complex home network systems and multiple IP-addressable products throughout the house.
As the changes in today’s digital landscape require consumers to better address the security of their log-in credentials, the problem grows exponentially for system integrators, who have to set usernames/passwords for each of their clients’ IP-addressable products. The sheer volume of products that an integrator has to manage in order to provide ongoing service for their clients leads to a common practice of resorting to a password scheme (for example: the client’s last name followed by the last 4 digits of the dealer’s phone number), which can be easily hacked and provides little long-term security if ex-employees or third-party IT companies gain knowledge of the client’s IP addresses and log-in credentials. Let’s look at a few things you can do to get better control of password management.
What is a good password?
To understand what makes a strong password, you need to understand how a weak password is broken. First, before we go into password cracking: if a device or website offers you a security question so you can reset your password on the fly, be very careful with the questions and answers you choose. Sarah Palin’s e-mail (yes, that Sarah Palin) was broken into because she used the security question “When is your birthday?” for her Yahoo email account, which the attacker was able to look up on her Wikipedia page in under 15 seconds! It does not matter how strong your password is if someone can reset it easily.
Second, how would someone even attempt to get into your client’s router or computers that have been set up with a good username and password? There are several automated tools freely available for download that use some form of brute-force dictionary attack or rainbow-table attack. These tools keep entering combinations of words and numbers until they guess the password correctly. They can make thousands of guesses in a very short period of time and require little to no interaction from the user. If the devices you are installing support account lock-outs after a certain number of failed attempts, I suggest you enable this valuable feature.
Bottom line: you should set usernames/passwords that contain a combination of letters, numbers and other characters (#, %, &, etc.) that do not make up words found in a dictionary and are a minimum of 13 total characters.
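The two paragraphs above describe how guessing tools work and what a password has to look like to resist them. The script below is an added example (not from the original article or from any vendor) that turns that policy into a check an integrator can run before committing a credential: minimum 13 characters, all four character classes, no well-known password, and no dictionary word even when disguised with digit-for-letter substitutions. The word list and the guess rate of one billion per second are constructed stand-ins; real cracking word lists hold millions of entries.

```python
import math
import string

# Constructed stand-in for the word lists that cracking tools ship with; a real
# list has millions of entries, which is why dictionary words never belong in a password.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "admin", "smith", "jones"}
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "abc123", "letmein"}

MIN_LENGTH = 13  # the minimum the article recommends

# Substitutions cracking tools try automatically, so "Sm1th" is no safer than "Smith".
LEET = str.maketrans("@0134$", "aoieas")


def contains_dictionary_word(password: str, words=COMMON_WORDS) -> bool:
    """True if any listed word of four or more letters appears inside the password,
    ignoring case and undoing common digit/symbol-for-letter substitutions."""
    normalized = password.lower().translate(LEET)
    return any(word in normalized for word in words if len(word) >= 4)


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [
        ("lowercase letter", string.ascii_lowercase),
        ("uppercase letter", string.ascii_uppercase),
        ("digit", string.digits),
        ("symbol", string.punctuation),
    ]
    missing = [name for name, chars in classes if not any(c in chars for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a well-known password")
    elif contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return problems


def brute_force_bits(password: str) -> float:
    """Upper bound, in bits, on the search space a pure brute-force tool faces:
    log2(alphabet_size ** length). It assumes the attacker knows nothing about the
    password's structure; a dictionary attack on "Smith1234" needs far fewer guesses."""
    alphabet = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation):
        if any(c in chars for c in password):
            alphabet += len(chars)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time for an offline brute force at the given rate (default is a constructed 1e9/s)."""
    return 2 ** brute_force_bits(password) / guesses_per_second


if __name__ == "__main__":
    # Constructed candidates: the NYT favourite, a dealer-scheme password, its leet variant, and a random one.
    for candidate in ("123456", "Smith1234", "Sm1th1234!!!!", "tR7#vK2!pQ9@xL"):
        verdict = check_password(candidate) or ["ok"]
        print("%-16s %6.1f bits  %s" % (candidate, brute_force_bits(candidate), "; ".join(verdict)))
```

The bit count is the number that the account lock-out feature is defending: a dictionary-based password like "Sm1th1234!!!!" passes the length and character-class rules yet still falls to a word list, which is why the dictionary check is the one that matters most. Rainbow tables, mentioned above, work against captured password hashes rather than a live log-in prompt, so they are another reason to pick passwords from outside any dictionary rather than a reason to skip lock-outs.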
How are you communicating passwords to the devices?
Having strong usernames/passwords is just half the battle. Another key security issue for today’s residential integrator, who has to routinely and remotely access client devices, is the actual method used to transfer the username and password from your computer to the devices you are connecting to. From a high level, there are really only a couple of methods for devices to support usernames and passwords being passed to them. This is an extremely important topic to understand, so let’s break it down.
Devices that support “basic authentication,” which is the vast majority of them, will send your username and password in CLEAR TEXT from your computer to the device. This means that anyone who can get in the middle of that message can easily read your log-in credentials. This is what is known as a man-in-the-middle attack, and it is very common.
Thankfully, many devices support what is called SSL (Secure Sockets Layer). SSL, for example, is what makes your bank website secure: the password is encrypted between your machine and the device you are talking to. If any of the devices you are installing into your clients’ homes support SSL, you should be using it. If any devices do not support SSL, it is time to talk to the manufacturer and ask them to deliver better Internet security protocols for their equipment, or begin looking for another piece of gear that does.
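To make the clear-text point concrete, here is an added example (not code from the article or from any device vendor) that builds the Authorization header HTTP basic authentication actually sends, shows that anyone on the path can reverse it with no key, and then guards a hypothetical remote-access script so that it refuses to send the header anywhere but an https:// URL. The device address and the installer credentials are constructed.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value that HTTP Basic authentication sends."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_auth_header(header: str) -> tuple:
    """What anyone between your laptop and the device sees: Base64 is an encoding,
    not encryption, so it reverses without any key. The first colon separates the
    user name from the password, so a password may itself contain colons."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authentication header")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def credentials_exposed(url: str) -> bool:
    """True if sending Basic credentials to this URL would put them on the wire in the clear."""
    return urlsplit(url).scheme.lower() != "https"


def authorization_for(url: str, username: str, password: str) -> str:
    """Header value to attach to a request, refusing outright when the URL is not HTTPS.
    Hypothetical guard for a dealer's remote-access script."""
    if credentials_exposed(url):
        raise ValueError("refusing to send credentials over plain HTTP: %s" % url)
    return basic_auth_header(username, password)


if __name__ == "__main__":
    header = basic_auth_header("installer", "Smith1234")  # constructed sample credentials
    print("on the wire:                ", header)
    print("recovered by an eavesdropper:", decode_basic_auth_header(header))
    # 192.0.2.0/24 is a documentation address range; this is a constructed device URL.
    for url in ("http://192.0.2.10/login", "https://192.0.2.10/login"):
        try:
            print(url, "->", authorization_for(url, "installer", "Smith1234")[:12] + "...")
        except ValueError as exc:
            print(url, "->", exc)
```

One caveat that belongs with the SSL recommendation: the encryption only protects you if your client also verifies the device’s certificate. A script told to ignore certificate errors on a device’s self-signed factory certificate hands an attacker in the middle the same view of the exchange they had with plain HTTP.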
Who has access to your list of unique passwords?
Finally, after you’ve taken the time to set up robust usernames/passwords and begun using SSL encryption when you need remote access into your clients’ home networks, the next big challenge is keeping access to those strong passwords to a minimum. As I mentioned earlier, due to the difficulty in managing such a wide range of unique passwords, I know from talking to many of you that you have to print them out on spreadsheets (a potential security risk). But those dealers who have their clients’ best interests in mind go to great lengths to restrict access to those spreadsheets. Best practices will ensure that your clients have an added layer of security, while also protecting against unauthorized third parties gaining access to your clients’ home networks and computers.
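Restricting access to a credential spreadsheet has to be enforced somewhere, and on a shared dealer file server the simplest enforceable control is the file’s own permissions. The script below is an added example (not from the article) that writes a credential file so only its owner can read it, with the permission set at creation time rather than afterwards, and then audits a folder for credential-looking files that any other account on the machine can read. The sample contents, file names and temporary folder are all constructed; it assumes a POSIX file system.

```python
import os
import stat
import tempfile

PRIVATE_MODE = 0o600  # owner read/write only


def write_private_file(path: str, contents: str) -> None:
    """Create or overwrite a file so that only its owner can read it. The mode is
    applied at creation (os.open), so there is no moment when it is world-readable;
    the chmod afterwards handles a file that already existed with looser permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PRIVATE_MODE)
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    os.chmod(path, PRIVATE_MODE)


def exposed_to_others(path: str) -> bool:
    """True if group or other users hold any permission bit on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit_directory(directory: str, suffixes=(".csv", ".xlsx", ".txt")) -> list:
    """Return the credential-looking files under directory that other accounts can read."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(root, name)
                if exposed_to_others(path):
                    hits.append(path)
    return sorted(hits)


def demo() -> tuple:
    """Run the scenario in a throwaway folder; return the audit findings before and after fixing."""
    # Constructed sample rows; no real client data.
    sample = "client,device,username\nconstructed-client,router,installer\n"
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "clients-private.csv")
        loose = os.path.join(tmp, "clients-shared.csv")
        write_private_file(private, sample)
        with open(loose, "w") as fh:  # the way a spreadsheet export usually lands on disk
            fh.write(sample)
        os.chmod(loose, 0o644)  # make the loose case deterministic regardless of umask
        before = [os.path.basename(p) for p in audit_directory(tmp)]
        os.chmod(loose, PRIVATE_MODE)
        after = [os.path.basename(p) for p in audit_directory(tmp)]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("readable by other accounts before fix:", before)
    print("readable by other accounts after fix: ", after)
```

Running the audit on a schedule against the folder where the spreadsheets live turns “restrict access” from an intention into something that is checked; the file-name suffixes are the part to adjust for how your own exports are named.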
If you have any questions about setting unique and secure usernames/passwords or need information on how to efficiently manage passwords, feel free to contact me at CalebY@CertifiedCyberSolutions.com.