A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

September 10, 2007 • Issue 07:09:01

Power up your password protection

By Joel and Rachael Rydbeck
Nubrek Inc.

As ISOs and merchant level salespeople (MLSs), many of you are acutely aware of the need for password protection. But it never hurts to revisit the issue, especially since electronic theft is so prevalent.

The recent ATM hacking in Virginia Beach, Va., is one example. In that case, the owner of the store housing the ATM (which Tranax Technologies Inc. manufactured) had never changed the default master password.

He changed the administrative password, which is used for daily tasks (adding money, checking the balance and so forth). But he was unaware of the additional master password that controls the machine's configuration.

Thus, fraudsters were able to alter the ATM's settings and steal a tidy sum of money. For the skinny on the hackers' methods, visit www.wired.com/science/discoveries/news/2006/09/71832.

There are many safe and unsafe ways to store passwords. The problem is that we have a ridiculous number of them to store. It's risky to reuse the same password over and over.

However, coming up with a new password all the time means writing it down and making it easily accessible, which is even riskier.

Unless you have an extraordinary memory, a good solution is to invest in an application or software that will store your passwords for you for easy retrieval.

Apple Mac OS X users are in luck in this area; the Apple Keychain application has provided simple and integrated password protection for years. Apple Keychain will store passwords for you, but only Web passwords.

For other Mac password storage needs, use Apple's Keychain Access application. Visit www.apple.com/science/macosx.html for more information.

For Microsoft Windows users, a variety of applications, when combined, can provide a solution.

Microsoft Office file encryption might be suitable for you. Microsoft Office has offered file-level encryption for some time. This provides a free-form way to store account and credential information in a Word or Excel file.

Use 256-bit advanced encryption standard (AES) encryption or better. And tightly control who has access to the file.

Passwords Max (www.authord.com/PP) syncs with Palm and Pocket PC devices. It tracks passwords, Web logins, credit cards, bank account data, Social Security numbers and more.

Information is protected by six proven encryption methods: Blowfish, data encryption standard (DES), Triple DES, MDC/SHS, RC4 (also known as ARC4) and Safer. The software is easy to install and has a very simple interface. It is not accessible via the Web.

Firefox (www.getfirefox.com) provides a reasonably secure environment for storing passwords. It uses high-level encryption, which discourages other applications from cracking and obtaining them.

If a user gains access to your user account on your computer, the user has ready access to Web sites for which you have stored passwords. It's important to keep your user account on any such computers secure and private.

Internet Explorer historically has done a poor job of storing passwords. Many applications can easily access them, which is why we recommend against using it to store any passwords via Explorer.

ISafe (www.codefuzion.com/applications1.html) is available for a free download and has an easy-to-master interface.

Obviously, it's not a good idea to store your passwords on a piece of paper near your computer. If you have to write down a password, make sure you destroy the paper shortly after or file it in a locked drawer.

Likewise, storing all your passwords in an electronic file on a computer that is not both password protected and heavily encrypted is a bad idea.

Should someone with malicious intent gain access to your computer, the person would be able to access your passwords. Using a tightly secured file can be an ideal solution.

As strong as the weakest byte

The idea of storing passwords on the Internet is attractive because it is great to be able to access your passwords anytime. But be extra careful when using browser-based password programs.

Your passwords are only as secure as the server of the service you are paying for.

Also, shared passwords introduce a lot of complexity to password management. And a number of people need to know the proper protocol.

There are a variety of ways to approach this. One is to use controlled access to a list and change the passwords frequently.

It is sometimes important that two or more managers have access to the office router password or the company checking account. Security in these cases can be achieved by using a locked file cabinet, or a locked and encrypted file.

A University of Maryland study recently found the 10 most frequently used passwords:

  1. (username)
  2. (username)123
  3. 123456
  4. password
  5. 1234
  6. 12345
  7. passwd
  8. 123
  9. test
  10. 1

If you see your password here, it's time for a change.

Coming up with good passwords can be tricky. Some applications will auto generate a random password for you. However, these can often be so cryptic that you'll struggle to remember them. For frequently used passwords, an easier to remember password is often best.

One method is to create a mnemonic, which is a word comprised of the first letter of each word in a sentence; for example: "I love fresh coffee and donuts." Take the first letter from each of the words in the sentence and you end up with "Ilfcad."

You can capitalize different letters or add a number to help make this password more secure.

Many sites and programs now rate the strength of passwords, giving you an indication of how difficult a given password would be to crack. If you feel intimidated at the thought of creating a new password each time you open a new account, try a reduced system.

Create different passwords for different categories of accounts. For example, one password for travel accommodations, one password for company finances and so on. And make sure to rotate them.

To respond to our customers' increased security needs, we recently enhanced the password features in the lead tracking and residual application we license.

Administrators can specify how often user passwords expire and require that new passwords meet specific requirements, such as a specified number of characters and capitalizations.

  • Store all passwords in a secure location.

  • Rotate passwords with some frequency, such as every 90 days.

  • Don't use whole words.

  • Don't use a string of consecutive numbers.

  • Make sure you change default passwords for your electronic equipment, as well as know what the new passwords are and where they're stored.

In short, keep your passwords memorable, and figure out a management system that works for you. end of article

Joel Rydbeck, Chief Technology Officer of Nubrek Inc., brings his strong background in e-commerce and business process automation to the merchant services industry. Rachael Rydbeck, President of the company, has a background in product management and technical writing. Nubrek offers eISO, a Web application for ISOs that tracks leads and provides automated residual and commission reports. For more information on eISO or to view a free demo, visit www.nubrek.com/eiso.html. E-mail Joel at joel@nubrek.com or Rachael at rachael@nubrek.com. You have nothing to lose but your next sale.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing