The Future of Software Quality Assurance

Page - 253 - in The Future of Software Quality Assurance


Text of the Page - 253 -

Security: It’s Everyone’s Business! 253

doesn’t need to be complex, only long. The password dhr∗Qdfe is much less secure than dog . . ., let alone a much longer sausagedog . . .!

6 Use Passphrases Instead of Passwords

The comedian John Oliver interviewed Edward Snowden [8] and the topic of passwords came up. We should forget about passwords, and think passphrases. Rules we can follow are:

1. Still use the mix of characters (upper/lower/numbers/special characters)
2. Use a combination of unrelated words
3. Use words from different languages—a mix is best
4. Do not rely on leetspeak/133t5p3@k alone (where letters are replaced by similar shaped numbers/special characters)
5. Do not rely on one rule alone!

As an example, let’s base a passphrase on that favourite fermented curd—cheese. In using a combination of the rules above, my passphrase could be Ch3ese&Kase&Farmaajo. After all, who could forget cheese! At 20 characters, that would give the password crackers a run for their money.

Or, think song lyrics. Something like 4!We!Are!Young!And!Free [9]. Even harder to crack, at 23 characters. Each character exponentially increases the number of combinations, so longer is better. Although, MargretThatcherIs110%Sexy still takes the prize for sheer creativeness.

What we need is time. If a breach is detected, we need time to ensure word gets out to those affected by the breach. So timely notification is key from the organisations who become the victims of attack. The longer the passphrase is, the longer it takes to crack.

We could go even further, and use a password manager. These tools provide a secure container in which your credentials and passphrases can be stored. They are useful, in that they can allow secure passphrases to be auto-generated, stored, and most importantly made unique for every separate site or system accessed. Some also come with wallets to store payment information, and can work both in desktop and mobile environments. Both commercial and open source tools are available.

The downsides of these tools can be:

• What password/phrase do you have to access this tool? If it’s weak, it would reduce the usefulness of the tool.
• What security is built into this tool itself? Could the encryption it uses be an older, compromised version?

[8] https://www.youtube.com/watch?v=yzGzB-yYKcc—please watch this video—in 3 min you will know how simple passphrase security can be.
[9] The second line of the Australian national anthem.
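The passphrase rules and the length argument above can be checked mechanically. The following Python sketch is an added example, not code from the book: it estimates the exhaustive-search space of each sample secret on this page and flags a secret that is only one dictionary word in leetspeak (rule 4). The word list, the substitution table and the function names are assumptions made for illustration, and the ASCII `*` stands in for the `∗` printed in the text.

```python
import math
import re
import string

# Undo common leetspeak substitutions before the dictionary lookup (rule 4).
LEET = str.maketrans("013457@$", "oleastas")
# Constructed mini word list; a real check would load a large dictionary.
WORDS = {"cheese", "kase", "farmaajo", "leetspeak", "password",
         "we", "are", "young", "and", "free"}

def char_classes(pw):
    """Map each character class present to its pool size (rule 1)."""
    found = {}
    for c in pw:
        if c.isdigit():
            found["digit"] = 10
        elif c.isalpha():
            found["upper" if c.isupper() else "lower"] = 26
        else:
            found["special"] = len(string.punctuation)  # 32 ASCII symbols
    return found

def brute_force_bits(pw):
    """log2 of the candidates an exhaustive search must cover: length * log2(pool)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(sum(char_classes(pw).values()))

def dictionary_words(pw):
    """Words from WORDS that remain visible once leetspeak is undone (rule 2)."""
    plain = pw.translate(LEET).lower()
    return [w for w in re.split(r"[^a-z]+", plain) if w in WORDS]

def review(pw):
    plain = pw.translate(LEET).lower()
    return {
        "length": len(pw),
        "classes": len(char_classes(pw)),
        "bits": round(brute_force_bits(pw)),
        "words": len(dictionary_words(pw)),
        # Rule 4: the whole secret is a single dictionary word written in leetspeak.
        "leet_only": plain in WORDS and plain != pw.lower(),
    }

if __name__ == "__main__":
    for pw in ("dhr*Qdfe", "133t5p3@k", "Ch3ese&Kase&Farmaajo",
               "4!We!Are!Young!And!Free"):
        print(pw, review(pw))
```

The bit figure is an upper bound that assumes a character-by-character search. A secret flagged `leet_only` falls to a dictionary attack with substitution rules no matter how many bits it shows, which is why rule 5 says not to rely on one rule alone.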
Title: The Future of Software Quality Assurance
Author: Stephan Goericke
Publisher: Springer Nature Switzerland AG
Location: Cham
Date: 2020
Language: English
License: CC BY 4.0
ISBN: 978-3-030-29509-7
Size: 15.5 x 24.1 cm
Pages: 276
Category: Informatik