The hard disks you can "secure" with a single-digit password

26 Nov 2012

Jon Honeyball is shocked how poorly password protection is implemented on hard disks and online services

I’ve been looking at external hard disks recently, because some clients wanted to know what would be a good choice to give to their field salesmen for local backup and extra storage.

Their decision to try this out had overruled my loud wailing that it was entirely the wrong way of doing a backup, and that it was far better to ensure that everything was not only taken off the laptop’s hard disk but out of the hotel room, too. At the very least, give the salesmen a large USB key to keep on the keyring that holds their house and car keys; better still would be to use Dropbox or SkyDrive to move and secure the data into the cloud. Best of all would be to do both. But an external hard disk drive?


Some vendors do make external drives that have a numeric keypad, because they have hardware encryption built into the disk controller and a PIN needs to be entered via this keypad to unlock the drive. You can’t just take two of these devices and swap them over either, because the encryption key pairs are unique to each chassis and drive. But such devices don’t come cheap.

My clients wanted to look at some of the software encryption and lock/unlock facilities provided with these external drives, so I looked at one from a very well-known vendor. The setup program for this feature looked suspiciously simplistic: in the screen where you enter your encryption password there was no sign of "best practice" – that is, no visible instructions that your password needs to be ten characters long, mixed case and include some numbers.

I entered "bone" and pressed enter, and that was fine! I undid that password, reset the drive and tried again. This time I tried "b" – yep, just a single letter. That was fine too. Upon receiving this information, the clients decided that perhaps such a brain-dead and simplistic solution wasn’t appropriate for the data in their line of business.

You might be surprised to know that even the big boys can get this wrong. I signed up to the new Outlook.com, which uses the standard Microsoft login. Here, the minimum length of your case-sensitive password must be eight characters. So I went over to 1Password and got it to generate me a 24-character, randomised password, which is the length required to drive that security "fuel gauge" all the way to 100%.

Such a password looks like this: fNXmVnjAEBApZW3qjyvxB4PY. But no, this wasn’t acceptable to Microsoft, because it seems you can’t have a password longer than 16 characters. Now I accept that 16 is better than eight, and very much better than four, but maybe it’s about time that even Microsoft allowed for truly strong passwords in its authentication systems.
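
As an added illustration (not code from the drive vendor or from Microsoft), here is the kind of acceptance check the setup screens described above lacked. It rejects "b" and "bone", accepts the 24-character password, and stores only a fixed-size salted hash, so a long password costs no more to store than a short one. The thresholds, work factor and function names are assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

MIN_LENGTH = 10          # assumed floor, from the "ten characters" practice cited above
MAX_LENGTH = 128         # assumed ceiling, present only to bound hashing cost
PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def password_problems(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")
    return problems


def make_verifier(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Derive a salted verifier; its size is fixed whatever the password length."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the verifier and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # The three passwords tried in the article.
    for pw in ["b", "bone", "fNXmVnjAEBApZW3qjyvxB4PY"]:
        problems = password_problems(pw)
        if problems:
            print(f"{pw!r}: rejected ({'; '.join(problems)})")
            continue
        salt, digest = make_verifier(pw)
        print(f"{pw!r}: accepted, {len(pw)} characters stored as {len(digest)} bytes")
```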

Two-factor authentication

Which brings me on to the subject of two-factor authentication. Two-factor means that the system won’t accept just one password or authentication token, but needs something more. Some vendors have fitted fingerprint readers into their devices, especially laptops, and I must admit that I’m a fan.

I know there are all those ghoulish stories about how the more sophisticated fingerprint readers can detect whether the finger has a pulse or not, and reject anything that isn’t actually still alive. While I might be slightly impressed by such an ability, I’ll confess that I’d probably have handed over all my passwords to the robbers long before anyone actually cut my finger off...

Rumour has it that Apple might be fitting a fingerprint reader to the next version of the iPhone, and if so this would be an excellent move (one that Microsoft really should have made with the Windows Phone 7.x specification to differentiate it from the competition).

Other services are moving over to two-factor by using the mobile phone itself as an authentication tool. Personally, I’m reassured that a numerical code is sent to my phone via SMS when I try to make a payment through PayPal; Google has similar facilities, and it’s in final beta for Dropbox, too. The use of such techniques is to be applauded, and we should be encouraged to use combinations that work well for us, such as fingerprint and SMS, or face recognition and fingerprint, or strong password and fingerprint.

What’s perfectly clear, though, is that the good old days when we reused passwords with gay abandon are now gone, and it’s time to ensure that our information is kept safe. And that safety requires that a problem in one part of my digital life doesn’t become a firestorm that rages through all aspects of my digital life.