<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Lithik Systems &#187; password</title>
	<atom:link href="http://www.lithik.com/tag/password/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lithik.com</link>
	<description>Transforming businesses by bending technology to the will of our clients</description>
	<lastBuildDate>Thu, 26 Jan 2012 15:28:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Creating Good Passwords</title>
		<link>http://www.lithik.com/2009/08/04/creating-good-passwords/</link>
		<comments>http://www.lithik.com/2009/08/04/creating-good-passwords/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 16:35:37 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[good password]]></category>
		<category><![CDATA[good passwords]]></category>
		<category><![CDATA[guess]]></category>
		<category><![CDATA[length]]></category>
		<category><![CDATA[memorable]]></category>
		<category><![CDATA[pass phrase]]></category>
		<category><![CDATA[passphrase]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[rainbow tables]]></category>
		<category><![CDATA[scope]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sentence]]></category>

		<guid isPermaLink="false">http://www.lithik.com/?p=299</guid>
		<description><![CDATA[The keys to good password hygiene are: Making them hard to guess, Never writing them down, Limiting the scope of passwords, and Limiting the ability of an attacker to make repeated guesses. Password Complexity A recent study on password memorability and security uncovered two surprising results: The most important factor in the security of passwords [...]]]></description>
			<content:encoded><![CDATA[<p>The keys to good password hygiene are:</p>
<ul>
<li>Making them hard to guess,</li>
<li>Never writing them down,</li>
<li>Limiting the scope of passwords, and</li>
<li>Limiting the ability of an attacker to make repeated guesses.</li>
</ul>
<h2>Password Complexity</h2>
<p>A recent study on password memorability and security uncovered two surprising results:</p>
<ul>
<li>The most important factor in the security of passwords is consistency—implementing technical controls to enforce password quality.</li>
<li>So-called “passphrase” passwords are equal in quality to completely random passwords, yet are no more difficult to remember than any other user-chosen password.</li>
</ul>
<p>Good passwords (those that are least vulnerable to password cracking attacks) utilize the full spectrum of allowable characters (Capital and lower case letters, numbers and symbols) and are long enough to force password crackers to use their slowest “brute force” technique.</p>
<h2>Memorable Passwords</h2>
<p>“Passphrase” passwords meet both of these requirements. To create one, just choose a memorable sentence and make it your password. Windows considers the space character to be a special character, so setting your password to &#8220;I love the Buckeyes!&#8221; meets the Windows password complexity requirement, gives you a password 20 characters long, and declares your allegiance just as well as &#8220;goBUCKS!&#8221; without falling to a password cracker in the first two seconds.</p>
<p>If your computer system limits you to relatively short passwords (say, 8 or 10 characters), or if you are a two-finger typist, take a simple sentence, assemble the first letters from each word in the sentence (as with an acronym), including appropriate capitalization and punctuation, then modify the new password slightly using numbers or special characters. For example, the phrase, “Obama declares nuclear war; details at 11” might be entered as “Odnw;d@11” which looks like a random password, yet is easy to remember. Similarly, the phrase, “It’s noon and I am hungry” could be typed in as “It’s12&amp;Iah.” Unlike random passwords, passwords of this style are not any harder to memorize than shorter ones.</p>
<h2>Length is Key</h2>
<p>The power tools used by the bad guys can make quick work of password hash files these days, but choosing a password at least 15 or 16 characters long can move the advantage back to your side.</p>
<p><a href="http://en.wikipedia.org/wiki/Rainbow_table">Rainbow tables</a> can crack any password hash up to the length limit of the table in a very short time.  Since these tables grow exponentially large with the password length, there are probably few or no existing rainbow tables (yet!) for passwords longer than 15 or 16 characters.</p>
<p>Additionally, traditional Windows password crackers such as <a href="http://en.wikipedia.org/wiki/John_the_Ripper">John the Ripper</a> typically only crack the <a href="http://en.wikipedia.org/wiki/LM_hash">LAN Manager hash</a>, a relatively insecure password storage method that can only handle passwords 14 characters long or shorter.  Choosing a 15-character password forces the hacker to resort to the more esoteric and less computationally efficient NTLM (MD4) password hash algorithm.  Knowing this, you can make the bad guy&#8217;s job a whole lot harder by <a href="http://support.microsoft.com/?kbid=299656">not storing the LAN manager hash of your password</a> in the first place.</p>
<h2>Password Scope and Availability</h2>
<p>Even with an excellent password, however, an attacker can still break in if he has the opportunity (and patience) to make a hundred billion guesses at your password. It is also critically important to:</p>
<ol>
<li>Limit the number of failed password attempts, or at least limit the rate, and</li>
<li>Log repeated failures so that action can be taken.</li>
</ol>
<p>Similarly, choosing excellent passwords has little value if you use the same password for your business VPN and your Facebook or Amazon account. A hacker who manages to gain access to all of Amazon’s account holders is very quickly going to see if the user foxk@lithik.com with the password H@rd2gess has VPN access to lithik.com with username foxk and the same password. This type of attack is easily automated across thousands of stolen passwords.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2009/08/04/creating-good-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Traveling Safely With a Laptop</title>
		<link>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/</link>
		<comments>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/#comments</comments>
		<pubDate>Fri, 10 Apr 2009 03:11:07 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[autorun]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[FDE]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[notebook]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[privilege]]></category>
		<category><![CDATA[secure]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[USB drive]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www3.lithik.com/?p=142</guid>
		<description><![CDATA[Carrying a laptop has always meant a bit of risk. If you&#8217;re like me, you watch your bag like a hawk when you&#8217;re in a restaurant or in an airport. Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars [...]]]></description>
			<content:encoded><![CDATA[<p>Carrying a laptop has always meant a bit of risk.  If you&#8217;re like me, you watch your bag like a hawk when you&#8217;re in a restaurant or in an airport.  Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars to recover from a single information theft incident, the danger is at an all-time high.</p>
<p>It doesn&#8217;t have to be that way.</p>
<p>There are some tried-and-true, basic steps you can take to dramatically reduce the cost to your organization of data loss due to laptop theft or malicious penetration when using your computer in a public place.  Implement them all and you can come close to eliminating the possibility of a data breach.  The following steps are organized by the threat they mitigate.</p>
<h2>Theft</h2>
<p>The best way to deal with the risk of laptop theft is to ensure that the thief cannot possibly get any of your information off of the computer.  If you work for a real business, the cost of having private information (proprietary data, HIPAA Protected Health Information, PCI records, etc.) fall into the hands of the bad guys is immeasurably greater than the value of the physical laptop.  Insurance will probably pay for new equipment anyway.  Fortunately, good technology is available to protect your information at a reasonable price.  My favorite price is free.</p>
<p><a href="http://www.truecrypt.org">TrueCrypt</a> is a free, open-source, high-quality Full Disk Encryption (FDE) product.  It supports a wide variety of modern encryption algorithms that are sure to foil any information thief.  But remember that once somebody has possession of your computer, it would be a very simple thing to boot it from a CD-ROM containing an FDE password cracker, a tool that would make short work of a simple boot-time encryption password like &#8220;<a href="http://modernl.com/article/top-10-most-common-passwords">letmein</a>&#8221;.  So <a href="http://www.lithik.com/2009/08/04/creating-good-passwords">choose a really good password</a>, where really good means really long.  Something like &#8220;till the end of time&#8221; (20 characters) will keep any current password cracker hunting for a few hundred years, or until someone adds phrases from popular songs or the Bible to the word lists employed by these hacker tools. You can mix it up with strange capitalization or a misspelling (say, &#8220;@ the end of Time&#8221;) to make it even harder, but the best way to make it better is to make it longer.</p>
<h2>Packet Sniffing</h2>
<p>You may have confidence in your WPA2 wireless G network at work, but what about when you&#8217;re on the unencrypted wireless network at Starbucks or plugged into the Ethernet at your hotel?  This is where the Virtual Private Network (VPN) shines, and there&#8217;s a really nice one out there at my favorite price.</p>
<p><a href="http://openvpn.net">OpenVPN</a> is a free, open-source VPN tool that runs on Windows, Linux, and even wireless access points.  When using <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer">TLS</a> (the successor to SSL) to negotiate 256-bit AES encryption authenticated with 1024-bit RSA certificates, this is a solid protocol with excellent credentials.  When carried over UDP, it has none of the difficulty traversing <a href="http://en.wikipedia.org/wiki/Network_address_translation">NAT</a> routers or firewalls that bedevils <a href="http://en.wikipedia.org/wiki/IPsec">IPSec</a> users.  We set it up so that it&#8217;s always on, staying out of the way when no network is attached or when accessing public web sites, but connecting automatically when possible to allow secure access to corporate internal systems.  It&#8217;s especially secure if <em>all</em> your traffic goes through the VPN, even when performing such mundane tasks as browsing public web sites.  Setting up OpenVPN, however, is not for the faint of heart, so hire a professional to do it for you.</p>
<h2>Network Attacks</h2>
<p>Being sniffed is not the only threat you face on public networks.  You are also open to direct attack from other network dwellers, so don&#8217;t make it easy on them by leaving your file shares open to the world.  The best configuration is termed &#8220;stealth&#8221;, where your computer refuses to respond to any incoming traffic at all.  No file sharing, no iTunes sharing, no remote desktop and no ping.  Only <a href="http://en.wikipedia.org/wiki/Address_Resolution_Protocol">ARP</a> remains operational, and it must, because other devices need it in order to answer your outbound web and other requests.</p>
<p>Fortunately, you can probably have your cake and eat it too.  Windows XP has two separate sets of firewall configuration rules, one for when you&#8217;re attached to a corporate Active Directory domain and one for when you&#8217;re not.  If you use Active Directory at work, you can set up the &#8220;domain profile&#8221; to allow management by your IT staff and configure the &#8220;standard profile&#8221; to be stealth when you&#8217;re on the road.</p>
<p>If you use Vista, you have even more choices.  There are three different firewall profiles: domain, public and private.  With Vista, you can have one set of rules for work, one for your home, and one for Starbucks and other dangerous places.</p>
<p>But what if you work at a small place that doesn&#8217;t use Active Directory?  You still have options.  On Vista, you can use your private firewall profile for work and the public one for everywhere else.  If you&#8217;re running XP, though, it&#8217;s a little tougher.  Have your IT folks set up rules in your standard firewall profile that are very tightly fitted to their setup.  Perhaps allow Remote Desktop and remote administration only from the corporate server&#8217;s IP address.  It&#8217;s not perfect, but an attacker will never know the difference unless you just happen to be on a public network with the same IP network number as your office <em>and</em> he happens to have the same IP address as your corporate server.  Not perfect, but pretty darn good.</p>
<h2>Passive Attacks</h2>
<p>Nearly all successful penetrations of home or corporate desktops occur through passive attacks such as visiting an infected web site or opening an infected e-mail attachment.  We&#8217;re so familiar with this kind of attack that it should come as no surprise that the mitigation is also familiar.  Keep your computer up-to-date with all the latest Windows and other patches, and use a good antivirus system.  Set your computer to update automatically with Windows as well as other applications: Adobe Reader, Flash, Apple QuickTime, etc.  Not all antivirus systems are created equal, either.  Check out <a href="http://www.av-comparatives.org">AV-Comparatives.org</a> to find out which are the best.</p>
<h2>&#8220;Drive-by&#8221; Attacks</h2>
<p>Someone plugs a hacked USB drive into your computer.  Or they load a CD-ROM while you&#8217;re in the bathroom.  Or you leave it unattended and someone reads your e-mail or steals a file by e-mailing it to himself.  These scenarios tend to be more paranoid than the ones above because you typically leave your computer unattended only in environments where the people are trustworthy.  Or so you think.</p>
<p>We keep hearing the statistic that 80% of all data breaches are perpetrated by insiders, but we can&#8217;t think of anyone where we work who would ever do that.  But they must exist, and, of course, any such person would keep such evil thoughts very, very private.  So let&#8217;s make a few changes that keep easy access to your computer just out of reach.</p>
<p>The first and easiest step is setting up a locking screensaver.  On nearly every screensaver, there is an option to have it prompt for a password before returning to normal operation.  Some computers also allow you to set up a quick and easy way to engage the screensaver, such as moving the mouse pointer to one of the corners of the screen.  Or you can press the Windows logo key (if you have one) plus the L key to immediately engage the screensaver.</p>
<p>Sometimes the Windows autorun feature is handy, but just as often I find it annoying.  But it can be positively dangerous if inserting a USB drive or CD-ROM automatically runs software from the device, especially if you think your computer is safe because the screen is locked.  Get rid of this behavior by <a href="http://www.lithik.com/2009/10/22/disabling-the-windows-autorun-feature">disabling autorun</a> (not autoplay&mdash;that&#8217;s different and not dangerous).  Just google for the phrase &#8220;disable autorun&#8221; and you&#8217;ll find dozens of step-by-step recipes.</p>
<p>Finally, any malicious person or software will find it much more difficult to infect your computer if you log in under an account that does not have administrative powers.  You need to be an administrator to do things like install new software, but that&#8217;s best done in a separate account.  Go to Control Panel -> User Accounts and create a new login with account type set to Computer administrator, then change the type of your regular account to Limited.  This is what Apple recommends its users do on OS X, and it plays a significant role in making Macs more secure than Windows computers.</p>
<h2>Summary</h2>
<p>You <em>can</em> carry a secure laptop, and it doesn&#8217;t have to be painful or expensive.  Here&#8217;s the list again:</p>
<ul>
<li>Use Full Disk Encryption (FDE)</li>
<li>Choose a <em>long</em> FDE password</li>
<li>Use a VPN to connect to your company&#8217;s systems</li>
<li>Set Windows firewall to <em>stealth</em></li>
<li>Configure Automatic Updates</li>
<li>Install a good antivirus system</li>
<li>Use a locking screensaver</li>
<li>Disable autorun</li>
<li>Use a non-privileged account for normal computer uses</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

