The hard disks you can "secure" with a single-digit password
Posted on 26 Nov 2012 at 09:22
Jon Honeyball is shocked how poorly password protection is implemented on hard disks and online services
I’ve been looking at external hard disks recently, because some clients wanted to know what would be a good choice to give to their field salesmen for local backup and extra storage.
Their decision to try this out had overruled my loud wailing that it was entirely the wrong way of doing a backup, and that it was far better to ensure that everything was not only taken off the laptop’s hard disk but out of the hotel room, too. At the very least, give the salesmen a large USB key to keep on the keyring that holds their house and car keys; better still would be to use Dropbox or SkyDrive to move and secure the data into the cloud. Best of all would be to do both. But an external hard disk drive?
It’s about time that even Microsoft allowed for truly strong passwords in its authentication systems
Some vendors do make external drives that have a numeric keypad, because they have hard encryption built into the disk controller and a pin number needs to be entered via this keypad to unlock the drive. You can’t just take two of these devices and swap them over either, because the encryption key pairs are unique to each chassis and drive. But such devices don’t come cheap.
My clients wanted to look at some of the software encryption and lock/unlock facilities provided with these external drives, so I looked at one from a very well-known vendor. The setup program for this feature looked suspiciously simplistic: in the screen where you enter your encryption password there was no sign of "best practice" – that is, no visible instructions that your password needs to be ten characters long, mixed case and include some numbers.
I entered "bone" and pressed enter, and that was fine! I undid that password, reset the drive and tried again. This time I tried "b" – yep, just a single letter. That was fine too. Upon receiving this information, the clients decided that perhaps such a brain-dead and simplistic solution wasn’t appropriate for the data in their line of business.
You might be surprised to know that even the big boys can get this wrong. I signed up to the new Outlook.com, which uses the standard Microsoft login. Here, the minimum length of your case-sensitive password must be eight characters. So I went over to 1Password and got it to generate me a 24-character, randomised password, which is the length required to drive that security "fuel gauge" all the way to 100%.
Such a password looks like this: fNXmVnjAEBApZW3qjyvxB4PY. But no, this wasn’t acceptable to Microsoft, because it seems you can’t have a password longer than 16 characters. Now I accept that 16 is better than eight, and very much better than four, but maybe it’s about time that even Microsoft allowed for truly strong passwords in its authentication systems.
Which brings me on to the subject of two-factor authentication. Two-factor means that the system won’t accept just one password or authentication token, but needs something more. Some vendors have fitted fingerprint readers into their devices, especially laptops, and I must admit that I’m a fan.
I know there are all those ghoulish stories about how the more sophisticated fingerprint readers can detect whether the finger has a pulse or not, and rejects anything that isn’t actually still alive. While I might be slightly impressed by such an ability, I’ll confess that I’d probably have handed over all my passwords to the robbers long before anyone actually cut my finger off...
Rumour has it that Apple might be fitting a fingerprint reader to the next version of the iPhone, and if so this would be an excellent move (one that Microsoft really should have made with the Windows Phone 7.x specification to differentiate it from the competition).
Other services are moving over to two-factor by using the mobile phone itself as an authentication tool. Personally, I’m reassured that a numerical code is sent to my phone via SMS when I try to make a payment through PayPal; Google has similar facilities, and it’s in final beta for Dropbox, too. The use of such techniques are to be applauded, and we should be encouraged to use combinations that work well for us, such as fingerprint and SMS, or face recognition and fingerprint, or strong password and fingerprint.
What’s perfectly clear, though, is that the good old days when we reused passwords with gay abandon are now gone, and it’s time to ensure that our information is kept safe. And that safety requires that a problem in one part of my digital life doesn’t become a firestorm that rages through all aspects of your digital life.
I'd watch out, last month the UPEK software for the fingerprint readers built into most laptops came under fire, because it stores all passwords in the open area of the Registry "almost in plain text, barely scrambled but not encrypted."
"All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk."
This also renders the EFS (encrypted file system) useless, because the password is stored on an unencrypted part of the disk!
Newer laptops (post 2010), using the AuthenTec software should not be affected.
Affected manufacturers include: Acer, Amoi, ASUS, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony and Toshiba
By big_D on 26 Nov 2012
Any thoughts on the picture passwords used in Windows 8 and why Apple didn't put a fingerprint reader into the recent iPhone 5, iPad 4, iPad Mini to differentiate it from the competition?
By stephen_d_morris on 26 Nov 2012
They wouldn't have to cut your finger off, finger prints are scarely easy to copy off a glass surface using cheap and commonly available materials.
By john_coller on 26 Nov 2012
Missing the point completely - online only systems don't benefit from very long passwords
With upper & lower case letters and digits, a 16-character password has 4e28 combinations. Or, to put it another way, assuming I can try a billion combination a second (which is, itself completely impossible against an internet-accessed service), it will take, on average, 50 times longer than the lifetime of the universe to brute-force a 16 character password.
I'd love to know why you think that's not good enough.
By ElectronShepherd on 5 Dec 2012
Apple with a fingerprint reader? Yeah right. I'm highly skeptical that the average mac user cares about security that much... Or do they?
By sergvolkov00 on 9 Dec 2012
- How to sell more ebooks on Amazon
- 10 ways to make your business more secure
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- How to turn off Google Location Tracking
- 20 years of PC Pro: our greatest review mistakes
- 20 years of PC Pro: our first A-List
- Wikipedia's "right to be forgotten" protest hits the wrong note
- 3D printing hits the high street for plastic selfies
- 20 years of PC Pro: What amazed us in our first issue
- How Google Glass ruined my lunch hour
- Smartphone battery packs: can a USB power pack beat the festival battery blues?
- Microsoft refuses to hand over customer emails
- Microsoft yanks Windows 8.1 update after crash reports
- Microsoft backtracks on blocking out-of-date Java
- Gartner: time to start planning your Windows 7 upgrade
- Still on IE8? You've got 18 months to upgrade
- Who's buying Chromebooks? American schools
- Microsoft targets Windows in next Patch Tuesday
- Microsoft to block old ActiveX controls in security push
- Samsung and Apple call off all legal disputes, except in the US
- Microsoft ordered to hand over European data