For those in the infosec world, (or indeed anyone that values their own data, bank balance and privacy), password security is a black and white matter – you either practice it or risk losing some or all of the above.
My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green's desk was accessed and therefore it was Green is utterly preposterous!!— Nadine Dorries (@NadineDorries) December 2, 2017
At the weekend, the Conservative politician, Nadine Dorries, made several surprising statements on Twitter regarding sharing passwords with colleagues and allowing others access to her work computer. This Tweet was in response to the allegations that MP Damian Green had viewed legal pornography on his government computer, which he denies.
But among those responding to condemn Nadine Dorries, quickly there began a growing number of Tweets being published in her defence – indeed, many claiming that they too disclose passwords to their parliamentary staff to allow them to ‘do their jobs’ and that it was ‘commonplace’.
I seem to have started a hare running. As an MP I employ 4 people to deal with the emails and letters constituents send me. They need access to these communications to do their jobs. No one else has access. Passwords are regularly changed.— Nick Boles MP (@NickBoles) December 3, 2017
Less login sharing and more that I leave my machine unlocked so they can use it if needs be. My office manager does know my login though. Ultimately I trust my team.— Will Quince MP (@willquince) December 3, 2017
Now, while this is shocking to hear, as MPs have access to a great deal of data at a personal, national and international level, we know that this practice of password sharing goes on in organisations of all sizes. And as many of the responding Tweets demonstrated, the buck is often passed to the IT department for not managing the issue, or for not providing ‘adequate’ systems, leaving staff with no option but to compromise data.
Are our MPs above the data protection law?
The short answer is no. In fact, the House of Commons published a document relating to the Data Protection Act 1998, ‘Personal information about constituents and others’, for its members and their staff to adhere to.
Chapter 23, Information Security Responsibilities, states that members and staff should ‘not share passwords’ and that their PC passwords should be ‘secure’. In other words, a password should not be given to anyone else or written down; staff have their own passwords to remember, presumably.
What is considered password best practice?
Back in 2003, security guru Bill Burr published a guide in the Wall Street Journal, with instructions that included changing your passwords every 90 days and replacing letters with numbers and symbols. He now acknowledges that this was not the best advice and that the guide did not work in practice, particularly against increasingly sophisticated attackers and malware.
The idea that passwords should be changed frequently can take its toll on users: they start to reuse their passwords and make them easier to remember (and weaker) each time, eg fluffy1, fluffy2, and so on.
The National Cyber Security Centre recommends a simpler approach to password security.
Make it easy on yourself
The NCSC suggests the first place to start is to change any default passwords, such as those on mobile phones, routers and other connected devices. They also recommend the use of a software password manager, but warn that this software can also be compromised.
Plain text passwords
Passwords should never be stored as plain text and instead should be protected using hashing.
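To make the point concrete, here is an added example (not from the original article or the NCSC) showing a plain-text user table beside the hashed form. The user names and the password ‘redchickentray’ are constructed sample values; the iteration count is an assumption chosen to make guessing slow, and the storage format string is invented for this example.

```python
import hashlib
import hmac
import os

# Constructed sample data. This is the pattern the text warns against: a leaked
# copy of this table hands every password straight to the attacker.
USERS_PLAIN_TEXT = {"alice": "redchickentray"}

# Assumption: iteration count for PBKDF2-HMAC-SHA256; higher means slower guessing.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables are useless against the dump.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never fall back to a plain comparison
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations)
    )
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def build_hashed_table(plain_table: dict) -> dict:
    """What the user table should look like: only salted hashes are kept."""
    return {user: hash_password(pw) for user, pw in plain_table.items()}


if __name__ == "__main__":
    users_hashed = build_hashed_table(USERS_PLAIN_TEXT)
    print(users_hashed["alice"])  # no password visible, only salt and hash
    print(verify_password("redchickentray", users_hashed["alice"]))  # True
    print(verify_password("fluffy1", users_hashed["alice"]))  # False
```

The stored record carries its own algorithm and iteration count, so the cost can be raised later and old records re-hashed on next login without a database migration. Hashing the same password twice yields two different records because each call draws its own salt.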
2 Factor Authentication
2FA is an additional layer of security which prevents data being accessed by someone pretending to be you. This can take the form of a text message containing a code that must be entered into the computer, along with the password, before it will allow entry.
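The server side of that text-message step, as an added example that is not part of the original article: a code is issued for a user, handed to whatever delivers the text, and then accepted only once, only within a time limit and only for a few attempts. The time limit, attempt limit and the injectable clock are assumptions made for this example; the user names are constructed.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumption: three wrong guesses burn the code


class SecondFactor:
    """Issues and checks one-time codes delivered out of band (e.g. by text).

    A six-digit code has only a million possible values, so what actually
    protects it is the short lifetime, the attempt limit and single use,
    not secrecy of the code in memory.
    """

    def __init__(self, now=time.time):
        self._now = now          # clock is injectable so expiry can be tested
        self._pending = {}       # username -> (code, expires_at, attempts_left)

    def issue(self, username: str) -> str:
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[username] = (code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code  # the caller sends this to the user's phone; it is never logged

    def check(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False  # nothing issued, or already used
        code, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[username]  # expired or exhausted: force re-issue
            return False
        ok = hmac.compare_digest(code, submitted)
        if ok:
            del self._pending[username]  # single use
        else:
            self._pending[username] = (code, expires_at, attempts_left - 1)
        return ok


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")  # in real use this goes to the user's phone
    print(sf.check("alice", code))  # True the first time
    print(sf.check("alice", code))  # False: a code cannot be replayed
```

The password check and this second step are independent: a correct code for a user whose password was wrong should never let them in, and the code should only be issued after the password has been verified, so that the text message itself is not a way to probe which accounts exist.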
- Use 3 random words, adding numbers or special characters if required, eg ‘redchickentray’
- 8 characters or more in length
- Above all, use a password!
- Don’t use names of family members, pets or your favourite football team
- Don’t use your email address or name
- Don’t use the word ‘password’ or ‘123456’
Surely in the current climate, when we’re hearing reports of large-scale data breaches almost every day, should individuals not be taking responsibility for their own information security standards?
If the events of the weekend have reminded us of anything at all, it’s that information security needs to be lived and breathed. Infosec needs to be a culture that is second nature and a shared responsibility, not a hindrance to day-to-day life to be blamed on another department if it all goes wrong.