Pa55w0rd to Paradise - Who are your virtual key holders?

By Geoff Meads, Managing Director of Presto (CEDIA Member)

Slave to the password

It seems like every minute of the day we’re being asked to input a password. For online banking, social accounts, or to check a utility bill. An endless list of services now involves generating and using a password just for basic functionality. We’ve also seen the format of the passwords we choose grow from an ‘open season’ approach with any old string of text being adequate to more complex requirements including capitol and lowercase letters, numbers, special characters, and punctuation.

A recent survey suggested over 25% of corporate employees use the same password for every company system they use. That figure only represents those who admitted it, so the real number is likely to be higher!

So how do we, as human beings keep track of all these passwords and share them safely when other people need access to the same accounts? Do we need to take more care when creating, remembering and using passwords?

But first, how does a password work…

Making A Hash Of It

Generating a ‘safe’ password is a relatively simple affair. Start a word you’ll remember, change some characters to numbers (‘o’ to ‘0’, ‘s’ to ‘5’, see the title of this article as an example), change a letter or two to a capital, and add a couple of numbers from your birthday to the end. Job done. But what happens to the password once you’ve created it? If it's being stored in a database or filing system can’t just be read by a hacker?

In a word, no.

We’re all used to Wi-Fi networks that use encryption to hide the contents of our browsing from prying eyes. However, while Wi-Fi and other transmission protocols use two-way encryption, password encryption use something a little different — one-way encryption.

Two-way encryption encrypts the message at transmission using an agreed ‘key’ string and the recipient decrypts the message using the same key. Without the key the message is just garbage.

One-way encryption has no decrypt option. As the password is entered at the point of account creation it is immediately encrypted using a one-way ‘hashing’ algorithm. This takes the password and encrypts it to a jumbled fixed length piece of data that is unrecognisable from the password. As an example, the popular SHA-2 algorithm outputs a 256 piece of binary data. Each hash is unique and cannot be ‘reverse engineered’ back to the original string. In fact, the quickest mathematical way to get back to the original text is often to keep hashing possible input strings until the output matches the hash you’re trying to decode. Even a very powerful computer might take years to figure out the right password.

So, let’s imagine you’ve signed up for an account on a new website. The password you’ve chosen will be hashed and stored in a database with your other user information. When you come to login again, the password you enter at login will be hashed and the output compared to the one in the database. If there’s a match you’re logged in. If not, you’re kept out. Meanwhile, anyone reading the database will just see hashed versions of your password with no way to decode it.

How Many?

So, how many passwords is the average integrator likely to have to store? Well, putting aside your personal accounts (e.g. your bank account), let’s start with internal company systems. Let’s imagine you use a company-wide Dropbox account, Google Drive, and file server. Often these passwords are shared across employees. Next, you’ll have a work email account, maybe a Windows user group password, and company social media accounts too. Add in your credentials for websites form supplies, trade bodies, and professional awards bodies and the list is growing fast.

Now, what about client work? In a typical project, we might be required to store and use an ISP password, the router’s menu password, passwords for all the WAPs, layer 3 switches, NAS drives, PCs and MACs in the system, control devices, smart phones and tablets, media accounts (Netflix, Spotify, Tidal etc.), TV service, IP cameras, NVR, VPN… The list can seem endless but it’s certainly not unrealistic to image over 100 passwords per installation!

An Inconvenient Truth

So, let’s ask a difficult question… Who has control of the passwords being used within your company? Do you have a password storage solution in place?  Are only those employees working on a specific project allowed access to that project’s passwords? And finally, how many of the passwords in use within the company are common across employees or projects?

Let’s imagine a disaster scenario…

A previously trustworthy employee leaves under a cloud to join a competitor. How many internal systems can they still log into? How quickly can you shut them out from accessing your systems and data? How many other employees will now need a new password because you’ve changed it to prevent the rogue employee access?

Now, as a previously trustworthy employee, how many client systems did they have access to? How many of those systems use common passwords and how quickly can you get around to those systems and change all the passwords? And, how quickly can you update the passwords held by other employees, so they can still do their job?

And what if you’re a sole trader operating alone? If you were to die, are all your company passwords stored with a trusted third party like a lawyer or an accountant, so your family could wrap up your affairs now that you’re gone?

Feeling nervous yet? You are? Good.

Because Our Customers Have Better Lawyers Than We Do…

Hopefully, the above has at least started you thinking about how you store and use passwords both internally and for client projects. Here’s a couple of suggestions you might consider helping protect yourself and your clients from disaster:

  1. Register your top-level passwords with a trusted third party like an accountant or lawyer with instructions on what to do if you die. Think of it as a company will.
  2. Update those records as you change the passwords in the future!
  3. Ask your employees to sign a password control policy that prevents the storing, disclosing, or mis-using the passwords you’re entrusting to them. While suing a previous employee might be a painful process, asking them to sign an agreed policy can act as a strong deterrent.
  4. Investigate password vault services to store passwords securely and only allow access to users temporarily when needed.

And finally, remember that ‘12345’, ‘qwerty’ and ‘password’ are not secure passwords, even though they remain the most commonly used!