Andrew Gluck

Andrew Gluck is a veteran financial reporter and the founder and CEO of Advisor Products Inc., a marketing company serving 1,800 financial advisory firms.

If Anything Can Be Hacked, How Do You Protect Client Data? Here’s An Ingenious Technique For Making Strong Passwords More Memorable And Less Hackable
Monday, June 11, 2012 13:09

 

Computer programming professionals say anything can be hacked. It’s scary, but true. The best you can do is to make it difficult for hackers, so that they won’t bother you, or so that it will take so long to hack your system that you will detect an intrusion.
 

A One-Two Punch

While intrusion detection is a key part of online security, getting into the habit of creating strong passwords is more important to advisors in protecting clients’ personally identifiable information.
 
Advisors don’t directly purchase intrusion protection solutions because they cost thousands of dollars a month, but fiduciaries can ask vendors if they use an intrusion detection system, and which one. (Verify the information.)
 
Many vendors handle intrusion detection and prevention in-house. Because these apps are so specialized, however, outsourcing this solution is usually preferred — unless the host is Amazon or Microsoft or one of the other data giants. These apps put an independent, third-party vendor on the hook.
 
Intrusion protection alone is not enough, however. Strong passwords are also necessary. Used in tandem, intrusion detection and strong passwords strengthen security.
 
Advisors And Strong Passwords
Ironically, I’ve heard advisors complain about strong password policies. And when told why strong passwords are in their firm’s best interest, they don’t always agree, or they do so grudgingly.
 
As more consumers embrace apps like Box, Dropbox, and other systems with consumer-level password requirements, advisors have an opportunity to be proponents of strong passwords. The battle for security on the Internet is an opportunity for you to be a good guy and do the right thing: educate clients on the use of strong passwords.
 
While it may be tempting to accommodate clients and use apps with easy or no password requirements, in the long run this would not serve clients well. In the long run, advisors want clients posting sensitive data to know about password strength. The right thing for advisors to do is to teach clients. The right thing is not to compromise on security.
 
By promoting the use of strong passwords to clients, you lessen your risk exposure as well as theirs. By conducting seminars and webinars about best practices for consumers and posting suggestions about how investors can protect themselves, you engage clients and prospects in a timely topic that’s important to them.
 
Moreover, teaching clients and prospects about protecting their data online also provides a way to get more clients using your online systems, which may unleash new efficiencies in your business.
 
Here are some of the facts to help you make a compelling case.
 
The Problem
Scan this list of the 30 most popular passwords of LinkedIn users, 6.46 million of which were hacked last week. If you want to make your password “link,” “1234,” or everybody’s favorite, “god,” it’s not a problem on most consumer apps, as this LinkedIn list illustrates. Most document-sharing sites are not much better. Though some consumer apps do indeed enable an advisor to enforce strong passwords, you must correctly configure those features so that clients are required to use strong passwords to access their data on your systems.
 
Apps for storing personally identifiable information (PII) that don’t enforce strong password policies are engaging in a cheap trick. Easy passwords are good for the apps because they get more users, but it’s bad for you in the long run because you are obliged to protect your client data. As a society, we're all being encouraged to have sloppy security habits.
 

A Solution

“Every password you use can be thought of as a needle hiding in a haystack,” says Steve Gibson, a computer security expert, on Gibson Research’s website. “After all searches of common passwords and dictionaries have failed, an attacker must resort to a ‘brute force’ search — ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered. If every possible password is tried, sooner or later yours will be found.

“The question is: Will that be too soon . . . or enough later?” says Gibson.
 
Best Practice For RIA Security
A strong password policy requires users — including clients accessing financial data you provide them, as well as you and your staff — to make passwords that include at least one non-alphanumeric character, one number, and a capital letter, and that are at least eight characters long, preferably 10.
 
Obviously passwords like this are more complicated to create and remember. That’s why advisors complain about apps that impose such requirements.
 
Gibson argues convincingly for strong passwords that include at least one non-alphanumeric character, one number, and a capital letter. But what’s fascinating is a technique he calls “padding,” which makes passwords long but easy to remember. It’s brilliant.
 
Gibson uses this “trick question” to make his case:
 
Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

Gibson says the simpler password is stronger because it is one character longer than the far more complex randomly generated password.
 
How could the simpler password be strong? Because, Gibson says, a hacker doesn’t know how long your password is, or whether you used upper and lower case and non-alphanumeric characters. Consequently, a brute force attack, in which the attacker generates and tries one candidate password after another until yours is found, takes much, much longer against the simpler password.
 
By using a simple word (or phrase) like “dog” with the “o” presented as a zero, your word is not real, increasing its randomness. And, by following that word with a single character — a period repeated 21 times — the number of combinations a hacker must try increases hugely. Gibson’s analysis is brilliant because he is saying that complexity and randomness don’t matter as much as the length of a password. “Padding” passwords with a string of symbols or characters makes your password memorable as well as strong.
 
Gibson says substituting a symbol for a letter in a word increases the time it would take to hack that password. But his technique for padding is a great way to make passwords longer without making them more complex. Gibson’s post may be difficult to get through for non-geeks, which is why I’ve summarized it. But he deserves all the credit for coming up with the padding technique.
 
But do as he says: don’t use the exact same padding he used. Use your own padding pattern and your own memorable fake word at the beginning or end of the password.
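The following Python, added here and not taken from the post or from Gibson’s site, reproduces the search-space comparison above for the two passwords and checks them against the policy described under “Best Practice For RIA Security.” The alphabet sizes (26 lower, 26 upper, 10 digits, 33 symbols) follow Gibson’s haystack calculator; the guess rates and the “known pattern” attacker model are assumptions added for illustration.

```python
import string

# Character classes with the alphabet sizes Gibson's Password Haystacks page uses.
# string.punctuation has 32 characters; adding the space gives his 33 symbols.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

# The two passwords from Gibson's trick question, quoted in the post above.
PADDED = "D0g" + "." * 21            # 24 characters
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"   # 23 characters


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must cover once each class is known to be present."""
    return sum(size for chars, size in CLASSES.values() if any(c in chars for c in password))


def haystack_size(password: str) -> int:
    """Worst-case candidates: every string of length 1..len(password) over that alphabet.
    Length is the exponent, which is why one extra character outweighs extra complexity."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time at an assumed guess rate (e.g. 1e3/s online, 1e11/s offline)."""
    return haystack_size(password) / guesses_per_second


def known_pattern_haystack(password: str, max_word_len: int) -> int:
    """Assumed attacker model, not Gibson's: the attacker knows the 'short word, then one
    repeated symbol' shape, so only the word (1..max_word_len chars), the pad symbol and
    the pad length need guessing. This is why reusing Gibson's exact padding is unwise."""
    a, n = alphabet_size(password), len(password)
    words = sum(a ** k for k in range(1, max_word_len + 1))
    return words * CLASSES["symbol"][1] * n


def meets_policy(password: str, min_len: int = 8) -> bool:
    """The post's RIA policy: at least min_len chars, one symbol, one digit, one capital."""
    symbols = CLASSES["symbol"][0]
    return (len(password) >= min_len
            and any(c in symbols for c in password)
            and any(c.isdigit() for c in password)
            and any(c.isupper() for c in password))


if __name__ == "__main__":
    for pw in (PADDED, RANDOM):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, policy ok {meets_policy(pw)}, "
              f"haystack {haystack_size(pw):.3e}, offline {crack_time_seconds(pw, 1e11):.3e} s")
    print("padded password if the pattern is known:", f"{known_pattern_haystack(PADDED, 3):.3e}")
```

Running it shows the 24-character padded password has a haystack roughly 95 times larger than the 23-character random one, but shrinks to well under a billion candidates once the attacker assumes the word-plus-repeated-symbol shape.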
 
Comments (6)

Patricia
I like to use RoboForm to store my passwords so that I can make up really complex passwords. Perhaps this simpler but apparently less hack-able approach would work for the actual passwords, AND for RoboForm?
Patricia , June 11, 2012
mitchellkeil
I have been following other professionals on this issue of password strength and here is another trick I picked up. Make your password a phrase with the words containing numbers which can be substituted for letters.
An example:
Ihatecoolwine translated to 1hat3c001w1n3
mitchellkeil , June 11, 2012
Vestpointe
Roboform has saved my life! I literally have about 80 passwords that it has accumulated. All saved on the fly with very little work involved. Thanks for passing this on, Andrew.
Vestpointe , June 12, 2012
BrianEdelman
All great advice. The one thing I would add: use links to get to your more important websites rather than typing the URL. A keylogger can capture even complex passwords. If you used a link instead of typing the URL, the hacker would not know where to use the username and password they captured.
BrianEdelman , June 13, 2012
lisagray
Great article! Love the tip about password creation. The number and symbol substitution idea is brilliant.

And Brian, my computer guy said to always put the URL into my Google search box, then click on it when it comes up in the search. He said this is much better than typing it straight into the address box because you can make a typo and end up at some random site.
lisagray , June 14, 2012
Chris Winn
Good article and I agree with the comments. In addition, the requirement to update passwords regularly was omitted here and is critical.

Also, I agree swapping vowels for numbers is a good idea, but do think passwords like Chr1sW1nn1, to Chr1sW1nn2, to Chr1sW1nn3 are very secure in the long run. The post above has a nice complex example. I would suggest not only swapping vowels for numbers, but adding non-alphanumeric characters when possible. And the capital letter does not always need to be the first letter.

Lastly, resist the urge to use the same password for everything. We see this quite a bit out there during security audits and IT policy designs. A single breach could be even more devastating.
Chris Winn , June 18, 2012
