Real World Computing

The hard disks you can "secure" with a single-digit password

Posted on 26 Nov 2012 at 09:22

Jon Honeyball is shocked how poorly password protection is implemented on hard disks and online services

I’ve been looking at external hard disks recently, because some clients wanted to know what would be a good choice to give to their field salesmen for local backup and extra storage.

Their decision to try this out had overruled my loud wailing that it was entirely the wrong way of doing a backup, and that it was far better to ensure that everything was not only taken off the laptop’s hard disk but out of the hotel room, too. At the very least, give the salesmen a large USB key to keep on the keyring that holds their house and car keys; better still would be to use Dropbox or SkyDrive to move and secure the data into the cloud. Best of all would be to do both. But an external hard disk drive?


Some vendors do make external drives with a numeric keypad: the encryption is done in hardware by the disk controller, and a PIN entered on the keypad is what unlocks the drive. You can't take two such devices and swap the disks over, either, because the encryption keys are unique to each chassis-and-drive pairing. But such devices don't come cheap.

My clients wanted to look at the software encryption and lock/unlock facilities bundled with ordinary external drives, so I looked at one from a very well-known vendor. The setup program for this feature looked suspiciously simplistic: the screen where you enter your encryption password showed no sign of best practice, that is, no instruction that the password should be at least ten characters long, mixed case and include some numbers.

I entered "bone" and pressed Enter, and that was accepted. I removed that password, reset the drive and tried again, this time with "b", a single letter. That was accepted too. Upon receiving this information, the clients decided that perhaps such a brain-dead and simplistic solution wasn't appropriate for the data in their line of business.

You might be surprised to know that even the big boys can get this wrong. I signed up to the new Outlook.com, which uses the standard Microsoft login. Here, the minimum length of your case-sensitive password is eight characters. So I went over to 1Password and got it to generate me a 24-character randomised password, which is the length required to drive that security "fuel gauge" all the way to 100%.

Such a password looks like this: fNXmVnjAEBApZW3qjyvxB4PY. But no, this wasn't acceptable to Microsoft, because it seems you can't have a password longer than 16 characters. Now I accept that 16 is better than eight, and very much better than four, but a hard upper limit is a warning sign in itself: a properly salted and hashed password costs the server exactly the same to store at 24 characters as at eight, so a cap suggests the password is being treated as a fixed-size field somewhere. Maybe it's about time that even Microsoft allowed for truly strong passwords in its authentication systems.
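To make the contrast concrete, here is an added example in Python; it is my code, not the vendor's setup program or Microsoft's login. The three policy functions are hypothetical stand-ins for the behaviours described above (accept anything; minimum eight with a cap of 16; a minimum with no maximum, with twelve chosen as an assumed threshold). It also estimates the entropy of the 24-character password quoted in the column and shows that a key-derivation function produces a fixed-size digest whatever the input length, which is why a well-built login needs no cap.

```python
import hashlib
import math
import secrets
import string
from typing import Optional, Tuple

# Character classes used for the (upper-bound) entropy estimate.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation)


def entropy_bits(password: str) -> float:
    """Bits of entropy if the password were drawn uniformly from the classes it uses.

    This is an upper bound: a dictionary word is far weaker than the figure suggests,
    but it is the right measure for a generated password like the one in the column.
    """
    chars = set(password)
    pool = 0
    if chars & LOWER:
        pool += len(LOWER)
    if chars & UPPER:
        pool += len(UPPER)
    if chars & DIGITS:
        pool += len(DIGITS)
    if chars & SYMBOLS:
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, min_len: int = 1,
                   max_len: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The defaults reproduce a no-rules policy."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if max_len is not None and len(password) > max_len:
        return False, f"longer than {max_len} characters"
    return True, "ok"


# Hypothetical policies mirroring the behaviour described in the column.
def vendor_policy(password: str) -> Tuple[bool, str]:
    """The external-drive setup program: no minimum, so "b" is fine."""
    return check_password(password)


def outlook_2012_policy(password: str) -> Tuple[bool, str]:
    """Minimum eight characters, but anything over 16 is rejected."""
    return check_password(password, min_len=8, max_len=16)


def hardened_policy(password: str) -> Tuple[bool, str]:
    """Minimum twelve characters (assumed threshold) and no maximum."""
    return check_password(password, min_len=12)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The digest is 32 bytes whatever the input length,
    so the server gains nothing from capping password length."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


if __name__ == "__main__":
    policies = [("vendor", vendor_policy), ("outlook 2012", outlook_2012_policy),
                ("hardened", hardened_policy)]
    for name, policy in policies:
        for pw in ["b", "bone", "fNXmVnjAEBApZW3qjyvxB4PY"]:
            ok, why = policy(pw)
            verdict = "accept" if ok else "reject"
            print(f"{name:12} {pw!r:28} {verdict} ({why}, {entropy_bits(pw):.0f} bits)")
```

Run as-is, the table shows the vendor policy accepting "b" (under five bits of entropy), the capped policy rejecting the 24-character password (roughly 143 bits) while accepting a 16-character one (roughly 95 bits), and the hardened policy rejecting "bone" but accepting the long password.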

Two-factor authentication

Which brings me on to the subject of two-factor authentication. Two-factor means that the system won't accept a single password or token on its own, but needs a second, independent proof: something you know (a password) combined with something you have (a phone or hardware token) or something you are (a fingerprint). Some vendors have fitted fingerprint readers into their devices, especially laptops, and I must admit that I'm a fan.

I know there are all those ghoulish stories about how the more sophisticated fingerprint readers can detect whether the finger has a pulse or not, and rejects anything that isn’t actually still alive. While I might be slightly impressed by such an ability, I’ll confess that I’d probably have handed over all my passwords to the robbers long before anyone actually cut my finger off...

Rumour has it that Apple might be fitting a fingerprint reader to the next version of the iPhone, and if so this would be an excellent move (one that Microsoft really should have made with the Windows Phone 7.x specification to differentiate it from the competition).

Other services are moving over to two-factor by using the mobile phone itself as an authentication tool. Personally, I'm reassured that a numerical code is sent to my phone via SMS when I try to make a payment through PayPal; Google has similar facilities, and it's in final beta for Dropbox, too. The use of such techniques is to be applauded, and we should be encouraged to use combinations that work well for us, such as fingerprint and SMS, face recognition and fingerprint, or strong password and fingerprint (strictly, face and fingerprint are both "something you are", so pairing a biometric or a phone with a password is the stronger choice).
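The SMS-code step described above, as an added example in Python; this is my code, not PayPal's, Google's or Dropbox's, and the five-minute lifetime and five-attempt limit are assumed values. The point it makes is that a six-digit code has only a million possibilities, so it is only a second factor if it is short-lived, single-use and guess-limited, and compared in constant time.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List

CODE_LENGTH = 6          # SMS codes like those in the column are short numeric strings
CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: five wrong guesses burn the code


class OneTimeCodeStore:
    """Issues and verifies single-use numeric codes, the second factor sent by SMS.

    The stored value is an HMAC under a per-code random key rather than a plain hash,
    so a leaked store does not reveal live codes by trying all million possibilities.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # user -> [hmac_key, expected_digest, expires_at, attempts_left]
        self._pending: Dict[str, List] = {}

    def issue(self, user: str) -> str:
        """Generate a fresh code and return it for delivery (to the SMS gateway, not the browser)."""
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        key = secrets.token_bytes(32)
        self._pending[user] = [key, self._digest(key, code),
                               self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """True exactly once for the live code; False for wrong, expired, replayed or burned codes."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        key, expected, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return False
        if not hmac.compare_digest(expected, self._digest(key, submitted)):
            entry[3] -= 1                  # count the failed guess
            if entry[3] <= 0:
                del self._pending[user]    # too many guesses: the code is burned
            return False
        del self._pending[user]            # single use: a replayed code must fail
        return True

    @staticmethod
    def _digest(key: bytes, code: str) -> bytes:
        return hmac.new(key, code.encode("utf-8"), hashlib.sha256).digest()


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("sent to alice's phone:", code)
    print("wrong guess accepted?", store.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted?", store.verify("alice", code))
    print("same code again accepted?", store.verify("alice", code))
```

The clock is injected so that expiry can be tested without sleeping; in a real service the same store would sit behind the password check, never in front of it, and would rate-limit per user and per source address as well.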

What's perfectly clear, though, is that the good old days when we reused passwords with abandon are now gone, and it's time to ensure that our information is kept safe. And that safety requires that a problem in one part of your digital life doesn't become a firestorm that rages through all the rest of it.

User comments

Fingerprint...

I'd watch out, last month the UPEK software for the fingerprint readers built into most laptops came under fire, because it stores all passwords in the open area of the Registry "almost in plain text, barely scrambled but not encrypted."

"All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk."

This also renders the EFS (encrypted file system) useless, because the password is stored on an unencrypted part of the disk!

Newer laptops (post 2010), using the AuthenTec software should not be affected.

Affected manufacturers include: Acer, Amoi, ASUS, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony and Toshiba


http://twit.tv/show/security-now/373

http://www.networkworld.com/community/blog/laptop-fingerprint-reader-destroys-entire-security-model-windows-accounts

By big_D on 26 Nov 2012

Picture Passwords

Any thoughts on the picture passwords used in Windows 8 and why Apple didn't put a fingerprint reader into the recent iPhone 5, iPad 4, iPad Mini to differentiate it from the competition?

By stephen_d_morris on 26 Nov 2012

They wouldn't have to cut your finger off, finger prints are scarely easy to copy off a glass surface using cheap and commonly available materials.

By john_coller on 26 Nov 2012

Missing the point completely - online only systems don't benefit from very long passwords

With upper and lower case letters and digits, a 16-character password has 4e28 combinations. Or, to put it another way, assuming I can try a billion combinations a second (which is itself completely impossible against an internet-accessed service), it will take, on average, 50 times longer than the lifetime of the universe to brute-force a 16-character password.

I'd love to know why you think that's not good enough.

By ElectronShepherd on 5 Dec 2012

Apple with a fingerprint reader? Yeah right. I'm highly skeptical that the average mac user cares about security that much... Or do they?

By sergvolkov00 on 9 Dec 2012


Jon Honeyball

Jon is one of the UK's most respected IT journalists and a contributing editor to PC Pro since it launched in 1994. He specialises in Microsoft technologies, including client/server and office automation applications.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk