An Impromptu Lesson on Passwords ..

Published: 2012-04-30. Last Updated: 2012-04-30 01:10:21 UTC
by Rob VandenBrink (Version: 1)
6 comment(s)

I was reading the other night, which since I've migrated my library means that I was on my iPad.

My kid (he's 11) happened to be in the room, playing a game on one console or another.  I'm deep in my book, and he's deep in his game, when he pipes up with "Y'know Dad?"

"Yea?"

"You should enable complex passwords on your tablet"
(Really, he said exactly that!  I guess he was in Settings / Security and wasn't playing a game after all ! )

"Why is that?" I said - (I'm hoping he comes up with a good answer here)

"Because if somebody takes your tablet, it'll be harder for them to guess your password"  (good answer!)

"Good idea - is there anything else I should know?"

"If they guess your password wrong 10 times, your tablet will get wiped out, so they won't get your stuff"  (Oh - bonus points!)

So aside from me having a really proud parent moment, why is this on the ISC page?  It's really good advice, that's why !

It's surprising how many people use the last 4 digits of their phone number, their birthday, or worse yet, their bank card PIN (yes, really) for a password, or have no password at all.  And yet, we have all kinds of confidential information on our tablets and phones - mostly in the form of corporate emails and sometimes documents.

As is the case in so many things, when we in the security community discuss tablet security, it's usually about the more advanced and interesting topics like remote management, remote data wipe or forensics.  These are valuable discussions - but in a lot of cases, basic (and I mean REALLY BASIC) security 101 advice to our user community will go a lot further in enhancing our security position.  Advice like I got from my kid:

  • Set a password !
  • Make sure that it's reasonably complex (letters and numbers)
  • Make sure that it's not a family member name, phone number, birthday, bank PIN or something that might be found on your facebook page
  • Set a screen saver timeout
  • Set the device to lock when you close the cover
  • Delete any documents that you are finished with - remember, the doc on your tablet is just an out of date copy

This may seem like really basic advice, and that's because it is.  But in the current wave of BYOD (Bring Your Own Device) policies that we're seeing at many organizations, we're seeing almost zero attention put on the security of the organization's data.  BYOD seems to be about transferring costs to our users on one hand, and keeping them happy by letting them use their tablets and phones at work (or school).

Good resources for iPad security (as well as Android and other tablets also) can be found in the SANS Reading Room ( http://www.sans.org/reading_room/ )

Vendors also maintain security documentation - Apple has some good (but basic) guidance at ==> http://www.apple.com/ipad/business/docs/iPad_Security.pdf

NIST has guidance for Android and Apple (though both are  bit out of date):
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=403
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=398
 

Please, use our COMMENT FORM to pass along any tablet security tips or links you may have.

 

===============
Rob VandenBrink
Metafore

Keywords:
6 comment(s)

Comments

Config benchmark from CIS (up to 5.01) might be helpful as well:
https://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.iphone.140
If you use a stylus for your tablet, it becomes much harder for a thief to guess your PIN or dot pattern.
The flip side of this is that many companies now have "policies" that force people to change their passwords every so often. This together with password complexity rules effectively mean that people can't remember their passwords, and end up writing them down on a post-it and sticking it next to their monitor, and this defeats much of the purpose of the whole exercise.

Or another thing people do is change from FooBar1 to FooBar2, which the algorithms recognize as different, and yet isn't substantially different from the original password, and is easily guessable if one were to crack the original.

It seems that the rules about frequently changing passwords could really only help with the case where the password is inadvertently disclosed somehow. But I guess the question I have is whether the rules about frequently changing passwords is still good advice or not.

While this is a proud moment, how clever is your son? I've seen a few situations where kids tell their parents they should password lock device and set a 'Wipe on X Failures'. Which is normally a respectable moment in parenthood, there is a catch. The next time the child is upset, X attempts later, time to reinstall/reload device.

-Beau
Why is the post-it with the complex password such a bad thing ? It is the absolutely best protection against remote password guessing / remote attacks (compared to weak passwords).

If you do not protect your physical machine, you have no secuirty anyway (there are many ways to take over a computer when given physical access).

I consider the hidden Post-It the best solution for the unskilled low-tech employees.


http://howsecureismypassword.net/ this site and its sister site have been a help here with generating passwords for twitter/facebook etc.

Diary Archives