NCA questionable advice over password best practise
4 Jun 2014Best practice is to have a separate password for ‘every’ website you use says tech entrepreneur Kate Craig-Wood
The UK’s National Crime Agency (NCA) is using the two-week threat of a mass cyber attack to make the UK public aware that they are taking insufficient precautions to protect their sensitive information such as bank account details and passwords.
NCA’s Get Safe Online campaign is telling users to never store passwords on your computer.
However, UK Tech entrepreneur Kate Craig-Wood says this is very questionable advice, and strongly disagrees with their advice about not storing passwords on a computer. Best practice is to have a separate password for ‘every’ web site you use, and those passwords should be machine-generated.
You should then have a master password, also machine-generated, which you use to gain access to a password safe like KeePassX where you store all those passwords. KeePassX and similar tools all use on-disk encryption which make it difficult, if not impossible, for malware to access the stored passwords themselves.
Machine-generated passwords is protocol at Craig-Wood’s IT hosting company, Memset, in fact, she has developed the Memset password generator that anyone can freely use to generate their own passwords.
Assuming people are doing the common sense IT housekeeping steps of keeping their systems up to date and employing some anti-malware/virus, then three of the biggest cyber threats, according to Craig-Wood are:
1) Spearphishing attacks. This is where someone sends you an email that looks legitimate (eg. from your bank or social media site) which sends you to an also-legitimate-looking related Web page that asks you to log in. Both the email and Web site are spoofs and phishing attacks are becoming increasingly sophisticated, with the site and email being almost indistinguishable from the ones they emulate. This risk is mitigated by having a different password for every site (ie. they don't then have access to everything), but can only truly be defended against by being diligent in checking the URL.
2) Keyloggers. These are quiet bits of software that run in the background on your computer and collect all your keystrokes (passwords, credit card numbers, the works), periodically sending them off to the criminals for future use. Using the above approach for passwords can help protect your system since you are then not entering in your passwords manually, just copying-and-pasting.
3) Companies losing your data. There have recently been numerous high-profile breaches of consumer data from the Sony Playstation Network to the recent eBay security breach. This goes further to emphasis the importance of having different passwords for different websites.
-ends-