Monday, January 27, 2014

Password management for crime analysts

For law enforcement agencies, the threat of unauthorized access to records management systems, criminal intelligence databases and other systems containing sensitive information is very real. Law enforcement systems are an attractive target for attackers. One of the ways these systems are protected from unauthorized access is by requiring a password to log in.

With the growth of online services, we’ve all seen an increase in the number of passwords we need to keep up with. As a crime analyst, I have ended up with a staggering number of passwords to manage. Nearly every application or source of information I use is protected by a password. As if this weren’t enough, to maintain compliance with the FBI’s Criminal Justice Information Services (CJIS) rules most of these systems require that passwords be changed on a regular basis and meet certain complexity criteria. Because of this proliferation of password-protected systems it becomes nearly impossible to remember all of these complex passwords.

First, I want to discuss some password management practices that are critical to maintaining the security of these systems. These recommendations are based on a piece by computer security expert Bruce Schneier.

  • Don’t use simple or dictionary words for your password. Attackers have tools that run through word lists to guess passwords. Many of these tools use dictionaries in several languages as well as lists of passwords stolen from previously compromised sites, and they apply common variations to each word (capitalization, appended digits or years, letter-for-symbol substitutions). Some of these word lists contain millions of possible passwords. 
  • Don’t use passwords based on easily guessed personal information such as your children’s names, pet names, etc. 
  • Don’t reuse passwords. If your password is compromised on one site, the attacker will often try the same credentials on other sites you use. If you reuse passwords you’ve just handed over the keys to the kingdom. 
  • Make your passwords more complex by using more than just letters and numbers. Use special characters too and don’t repeat characters. Use the longest password the application will allow: every additional character multiplies the number of guesses an attacker has to make to crack it. 
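To make the first and last points concrete, here is an added example (not from the original post, and not any particular cracking tool's code) that does two things: it checks a candidate password against a constructed seven-word list using the kinds of mangling rules crackers apply, and it computes how much a brute-force keyspace grows with each extra character. The word list, the rule set, and the 10 billion guesses per second rate are all assumptions chosen for illustration.

```python
import math
import string

# Constructed sample word list standing in for the multi-million-entry
# dictionaries and leaked-password lists that cracking tools ship with.
WORDLIST = ["password", "welcome", "dragon", "police", "analyst", "summer", "letmein"]

# Letter-for-symbol substitutions a cracker's rule engine applies to every word.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Common suffixes people bolt on to satisfy a complexity rule (assumed set).
SUFFIXES = ["", "1", "!", "1!", "123", "2013", "2014"]


def mangle(word: str):
    """Yield the variants a rule-based cracker would try for one dictionary word."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = {word, word.capitalize(), word.upper(), word[::-1], leet, leet.capitalize()}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_base(candidate: str):
    """Return the dictionary word a candidate derives from, or None if no rule hits."""
    for word in WORDLIST:
        if candidate in set(mangle(word)):
            return word
    return None


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume for this password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace: each extra character adds log2(charset) bits."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def crack_time_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guessing rate."""
    return 2 ** brute_force_bits(password) / guesses_per_second / (365 * 24 * 3600)


def assess(password: str) -> dict:
    """Combine the checks: a dictionary hit overrides the optimistic brute-force figure."""
    base = dictionary_base(password)
    return {
        "dictionary_base": base,
        "brute_force_bits": round(brute_force_bits(password), 1),
        "years_to_exhaust": 0.0 if base else crack_time_years(password),
    }


if __name__ == "__main__":
    for pw in ["P@$$w0rd2014", "Dragon!", "aaaaaaaa", "xK9#vq2Lm!"]:
        print(pw, assess(pw))
```

The point the numbers make: "P@$$w0rd2014" looks complex by charset and length but falls to a word list in a handful of rule applications, while ten random characters from the full keyboard sit in a keyspace that takes over a century to exhaust at the assumed rate. Length and randomness, not clever spelling, are what buy time.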

Probably the most important advice I can give you is to use a password manager to keep up with your passwords.

A password manager is an application used to securely create, store and manage a large number of logins and passwords. Many come with password generators that can create truly random passwords. Others have features that automatically enter these passwords into applications that use password logins. The real beauty of a password manager is that you only have to remember one password, the one that opens the password manager, in order to keep up with hundreds of passwords. (Yes, I really have several hundred passwords to keep up with.) That one master password now protects everything, so it needs to be long, unique and never reused anywhere else. The password manager’s database is encrypted and, if properly implemented, can keep nearly anyone short of the NSA from obtaining the data contained therein.
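To show what "properly implemented" has to cover, here is an added example (mine, not code from 1Password, KeePass or the original post) of the skeleton every password manager shares: the master password is stretched with a salted, slow key derivation function; the entries are encrypted and authenticated so a wrong master password or a tampered file is rejected before anything is decrypted; and new passwords come from the operating system's cryptographic random source. Because the Python standard library has no AEAD cipher, the encryption step uses HMAC-SHA256 in counter mode as a stand-in stream cipher with a separate HMAC tag; a real product would use AES-GCM or ChaCha20-Poly1305 instead. The iteration count, key layout and sample entries are assumptions for this demonstration.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Assumed parameters for this demonstration vault (not from any real product).
KDF_ITERATIONS = 200_000   # PBKDF2 rounds; each guess at the master password costs this much
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32               # HMAC-SHA256 output length


def derive_keys(master_password: str, salt: bytes):
    """Stretch the single master password into separate encryption and MAC keys.

    The random salt defeats precomputed guessing tables; the iteration count
    makes every guess at the master password slow for the attacker.
    """
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: dict) -> bytes:
    """Serialize the entries and return salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC over everything the decryptor will rely on.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag first; a wrong password or a modified file is rejected outright."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("wrong master password or vault has been tampered with")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random password from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entries standing in for a real vault.
    vault = {"rms.example": {"user": "analyst1", "password": generate_password()},
             "intel-db.example": {"user": "analyst1", "password": generate_password(24)}}
    blob = encrypt_vault("correct horse battery staple", vault)
    assert decrypt_vault("correct horse battery staple", blob) == vault
    try:
        decrypt_vault("wrong password", blob)
    except ValueError as err:
        print("rejected:", err)
```

Two details matter for a practitioner: the tag is checked with a constant-time comparison before any decryption happens, and the salt and nonce are stored with the ciphertext so each saved vault is unique even if the same master password and entries are used twice. The master password remains the weak point: the KDF slows guessing down, it does not make a short or reused master password safe.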

There are a number of password managers out there. Two of my favorites are 1Password, a paid commercial application, and KeePass, a free, open source application.

1Password got its start as a Mac OS X application. Not long after, they also created an iOS application for iPhone and iPad. They just recently launched a Windows version. The strong suit of 1Password is that if your devices are part of the Apple ecosystem, they work together seamlessly. For instance, 1Password on my MacBook syncs the database to my iPhone and iPad. If I make changes or add a password/login on one device, it is synced to the others. It also integrates with the OS X web browser Safari to save new logins/passwords as well as automatically offering to enter them on sites you visit.

Additionally, 1Password will store encrypted notes, credit card numbers, driver’s license info, software license keys and WiFi authentication information in its database as well. This makes it a great choice for storing all those sensitive bits of information you need to keep track of but need to keep private.

My other favorite is KeePass. KeePass got its start as an open source project for Windows. Lots of creative people volunteered their time and skills to create it. Since the source code is open for anyone to look at, security and programming experts can review it to verify that the encryption is implemented correctly and that it contains no “backdoors” that would let someone bypass the encryption.

Additionally, KeePass comes in both an installed version and a portable version that runs completely from a USB drive. The portable version is also helpful for those whose network security policy prevents them from installing software on their work machine. The best part is that it’s free. Since my work machines all run Windows, I use KeePass to keep up with passwords on those machines. There are also compatible versions for smartphones and Linux machines, as well as many other devices.

There are certainly other password managers out there. I’ve even known people to create an encrypted spreadsheet or other document to keep up with them. If you’re going to go that route, though, make sure you know what you’re doing: understand what encryption the application actually applies to the file and protect it with a strong passphrase.

Here are a couple of tips from my workflow that might help. One, back up your password database religiously. Also, keep it accessible on several devices; that way, if one device is unavailable, you can still get to your passwords. I keep a version on my workstation and a backup on a USB drive.

How do you manage your passwords?
