Generating Passwords

Image: “Hacking Password”, used under Creative Commons license from https://www.cafecredit.com/

Your password is a vital piece of defence in the digital age. Or, more likely, passwords, since you probably have several. And choosing a strong password for every login you have is therefore very important.

The Problem

But often password generators give you a long and hard-to-type (not to mention impossible to remember!) string of characters. And the conventional advice of picking a word and then swapping out random characters for similar-looking numbers or symbols isn’t much better.

And then you’re told you’re meant to change your passwords regularly, so just as you’ve gotten one string of gobbledegook down it’s no longer valid!

To make it worse, these passwords aren’t actually that strong against a dedicated attempt to crack your password. Thankfully, there is an easier and simpler system you can use to have fairly easy to remember and easy to type, yet strong passwords.

The System

Pick four random words which are 5-7 letters long. From a book, from this blog post, from your favourite quote of QF&P, it really doesn’t matter!

Make any two of them ALL CAPS.

Choose a random symbol from the following: -, +, :, or /, and put one between each word.

Pick four random numbers, and put two on each end.

Pick a random symbol from the following: !, ?, @, & and put it on each end.

You’re done! That’s your password. To demonstrate, I’ll make one right now.

An Example

My favourite Advices and Queries is 17. So, if I pick four random words, I might end up with “discern”, “listen”, “untrue”, and “hurtful”.

I’ll make the first and third caps. So, now I have “DISCERN listen UNTRUE hurtful”.

From the separators listed above, I’ll go with +. Now I have “DISCERN+listen+UNTRUE+hurtful”.

This is a quote from A&Q 17, which in my copy of QF&P is on page 19, so I’ll use 17 and 19. (These aren’t quite random numbers, but they’re obscure enough that some mindless bot trying to guess your password is never going to think of them. Just don’t use something like your birthday or address.) Now we have “17DISCERN+listen+UNTRUE+hurtful19”.

Finally, from the padding symbols listed above, I’ll go with !. That means my finished password is

!17DISCERN+listen+UNTRUE+hurtful19!

Sure, that’s a weird sentence, but it’s much easier to remember than something like “wK5Jj3$6”, and far, far stronger.

Have A Personal System

Here’s another tip – you can use the same caps pattern, separator and padding symbol for all your passwords. Just make sure you use different words and numbers for each one. Since everyone will (hopefully) pick a different combination, anyone who’s trying to crack your password won’t know what you went with.

So, having generated that password, it would then be even easier to make my next one. Let’s say I ended up with something like

!38INVOLVE+resist+DESIRE+seeming22!

See how, since I now have a system, I only have to remember which numbers and words are in my password? I know that the first and third words are the ones in caps, that the words are separated by +, and that the password is padded with !.

So, the only thing I have to remember is “involve resist desire seeming, from Advices and Queries 38, on page 22.” To make it even better, if I then wrote the above down and someone else found it – it wouldn’t tell them my password! They don’t know my system for padding out the password, only the unique parts of this one.

And because my system is consistent across my passwords, and is simple (“first and third, +, !.”) it’s very unlikely that I’ll forget it.

The examples I gave above won’t show up in any list of the most common passwords (like “123456” or “password”), and if you check their strength you’ll find they are extremely strong against brute-force attacks.
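To make the steps above concrete, here is an added Python example (not part of the original post) that generates passwords following the scheme, keeps the caps pattern, separator and padding symbol fixed as a “personal system” while drawing fresh words and digits each time, checks that a given password actually follows the structure, and estimates its guessing entropy. The word list is a constructed stand-in for “a book”; the secrets module replaces picking words by hand.

```python
import math
import re
import secrets

# Constructed mini word list of 5-7 letter words, standing in for "a book" or a
# larger list; in practice use a much longer source so the words are less guessable.
WORDS = [
    "discern", "listen", "untrue", "hurtful", "involve", "resist", "desire",
    "seeming", "candle", "silence", "garden", "window", "patient", "bridge",
    "quiet", "answer", "gather", "simple", "honest", "wander", "meeting",
]
SEPARATORS = "-+:/"  # one of these goes between each word
PADDING = "!?@&"     # one of these goes on each end


def choose_system():
    """Pick the reusable 'personal system' once: which two of the four words are
    capitalised, which separator, and which padding symbol."""
    caps = sorted(secrets.SystemRandom().sample(range(4), 2))
    return {
        "caps": tuple(caps),
        "separator": secrets.choice(SEPARATORS),
        "padding": secrets.choice(PADDING),
    }


def generate_password(system, words=WORDS):
    """Build one password: fresh random words and digits, fixed system."""
    chosen = [secrets.choice(words) for _ in range(4)]
    chosen = [w.upper() if i in system["caps"] else w.lower() for i, w in enumerate(chosen)]
    digits = "".join(secrets.choice("0123456789") for _ in range(4))
    pad = system["padding"]
    return f"{pad}{digits[:2]}{system['separator'].join(chosen)}{digits[2:]}{pad}"


# Structure: padding, two digits, four 5-7 letter words joined by one separator,
# two digits, the same padding symbol again.
SCHEME = re.compile(
    r"^([!?@&])(\d{2})([A-Za-z]{5,7})([-+:/])([A-Za-z]{5,7})\4([A-Za-z]{5,7})\4"
    r"([A-Za-z]{5,7})(\d{2})\1$"
)


def matches_scheme(password):
    """True if the password follows the scheme, with exactly two words in caps
    and the other two entirely in lower case."""
    m = SCHEME.match(password)
    if not m:
        return False
    words = [m.group(3), m.group(5), m.group(6), m.group(7)]
    return sum(w.isupper() for w in words) == 2 and all(w.isupper() or w.islower() for w in words)


def entropy_bits(wordlist_size, attacker_knows_system=True):
    """Guessing entropy in bits for one password drawn by this scheme.

    The per-password secrets are the four words (4 * log2(N)) and the four
    digits (log2(10^4)). Assume the attacker knows the system; if they do not,
    the caps pattern (6 ways), separator (4) and padding (4) add log2(96)."""
    bits = 4 * math.log2(wordlist_size) + math.log2(10 ** 4)
    if not attacker_knows_system:
        bits += math.log2(6 * 4 * 4)
    return bits


if __name__ == "__main__":
    system = choose_system()
    for _ in range(3):
        pw = generate_password(system)
        print(pw, matches_scheme(pw))
    print(f"{entropy_bits(len(WORDS)):.1f} bits with this tiny list, "
          f"{entropy_bits(7776):.1f} bits with a 7776-word list")
```

Treat `entropy_bits` with `attacker_knows_system=True` as the honest figure: a system reused across all your passwords is revealed as soon as one of them leaks, so the words and digits have to carry the strength on their own. With the 21-word list above that is only about 31 bits; with a 7776-word list it is about 65 bits, which is why the source of words should be large.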

Online Resources

If you don’t want to generate your passwords manually, you can use this online tool:

https://xkpasswd.net/s/

And if you want to check how strong a password is against brute force attacks, as well as read a more in-depth explanation of why this type of password is stronger than the ones that are normally recommended, check here:

https://www.grc.com/haystack.htm

Using this calculator, I can see that to be sure of guessing “wK5Jj3$6” someone would have to check 6,704,780,954,517,120 potential passwords, while to be sure of guessing “!17DISCERN+listen+UNTRUE+hurtful19!” they would have to check a whopping 1,678,502,284,981,138,890,416,014,999,354,759,820,605,904,877,122,660,028,807,660,366,626,495 potential passwords!

Which, even with a ridiculously fast system, would take 5.34 billion trillion trillion trillion centuries! Somehow, I don’t see anyone spending that long trying to get into my email account. (If you’re curious, cracking “wK5Jj3$6” with the same system would take only 1.12 minutes – that’s how much difference having a longer password makes!)
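The two counts above come from a simple model, which this added Python example (not from the post or from GRC) reproduces: the alphabet is the sum of the character classes the password uses (26 lower, 26 upper, 10 digits, 33 symbols), and the search space is every string over that alphabet up to the password’s length. The guessing rate of 10^14 per second is my assumption, chosen because it reproduces the post’s “1.12 minutes”; the century figure comes out close to the post’s, differing only in rounding.

```python
import string

# The four character classes and their sizes as the Haystack-style count uses
# them: 26 lower-case letters, 26 upper-case, 10 digits and 33 symbols
# (printable ASCII punctuation plus space).
SYMBOLS = string.punctuation + " "


def alphabet_size(password):
    """Alphabet implied by the character classes present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += 33
    return size


def search_space(password):
    """Number of strings over that alphabet with length 1 up to len(password):
    the count an exhaustive brute-force search would have to cover."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


# Assumed guessing rate (not from the post): 10^14 guesses per second, a large
# offline cracking array; this reproduces the post's "1.12 minutes" figure.
GUESSES_PER_SECOND = 10 ** 14


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Seconds needed to try the whole search space at the given rate."""
    return search_space(password) / rate


def describe(password):
    """Human-readable time to exhaust the search space."""
    seconds = seconds_to_exhaust(password)
    if seconds < 3600:
        return f"{seconds / 60:.2f} minutes"
    centuries = seconds / (100 * 365.25 * 24 * 3600)
    return f"{centuries:.2e} centuries"


if __name__ == "__main__":
    for pw in ("wK5Jj3$6", "!17DISCERN+listen+UNTRUE+hurtful19!"):
        print(f"{pw}: alphabet {alphabet_size(pw)}, length {len(pw)}, "
              f"search space {search_space(pw):,}, time {describe(pw)}")
```

The count is for exhaustive brute force over every possible string. An attacker who guesses whole dictionary words and a known layout rather than individual characters has far fewer combinations to try, so treat this figure as an upper bound and pick the words from a large source.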

General Data Protection Regulation or GDPR

Image: “Europe GDPR PD” from Flickr, used under Creative Commons license

GDPR – what is it?

The General Data Protection Regulation, or GDPR as it is commonly known, is an EU-wide regulation that came into law in 2016. You have until May 25th 2018 to be compliant.

It is a complete overhaul of the data protection regulations – and applies to charities as well as businesses.

From https://www.eugdpr.org/

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.

For Quakers, Friends House staff have just produced some Data Safety guidance: http://quaker.org.uk/our-organisation/support-for-meetings/data-safety

The ICO has also produced a helpful introductory overview, and self assessment documentation.

I’m certain this is the beginning of a learning curve! I’ve booked several training sessions and webinars, including one run by ACAT, who are planning to run several across the UK; find out more at: https://www.acat.uk.com/gdpr.html

  • Did you know about GDPR?
  • Have you done any preparations?

Setting Up Your Organisation’s Email Part II

Image: “Knowledge Sharing” by Ewa Rozkosz

Okay, in Part I we covered the concepts behind email, now it’s time for the…

Actions

Create an account for the organisation

This ensures that all the data that belongs to your organisation is under your control.

With the majority of communication taking place via email, the temptation will be to use the email addresses that the individuals involved already have.

Don’t do it!

It may be easier now, but when the role is handed over to someone else the data will almost certainly be lost. In addition, if the data is attached to an individual’s private account it legally belongs to them, not the organisation.

And if the relationship between the organisation and individual in question breaks down, you may as well kiss your data goodbye. Getting it back will almost certainly be very painful, and take more time, money, and lawyers than you have access to.

Services such as Google allow small organisations and charities to do this for free (Google for Non-Profits), so make use of them. We do not advocate for Google, and other services exist. Which suits you best will depend on your organisation and circumstances, but theirs is a good offering.

One reason is that they have a suite of integrated services included with the email, notably Google Drive, which lets you store all your data in an easier-to-use format than just having it in emails. This is something you should consider, and that I will be detailing in a later post.

Whether you use Google or not, sticking to a big-name provider reduces the risk of your service being lost without notice.

  • The administrator user name and password for the account should be available only to recognised office holders. An admin account lets you make whatever changes you want, so if someone who doesn’t know what they’re doing uses it they could do a lot of damage.
  • User names and passwords should be stored in such a way that they can be accessed by other office holders should the nominated person suddenly become unavailable. Shared cloud based password systems are useful for this and other reasons. A personal emergency should never leave your organisation unable to access its own account!
  • Name the account unambiguously. At this point you should seriously consider registering a domain name for your organisation, for the following reasons:
  1. It only costs a few pounds per year.
  2. Your email addresses are those of your organisation and not your service provider (yourorganisation.org.uk rather than yourorganisation.google.co.uk for example).
  3. If you choose to move your service provider you won’t have to change all your email addresses, avoiding the disruption that would entail.
  4. If you don’t do it people will assume that you’re too cheap, technically inept, or simply couldn’t be bothered, and that’s not a good look.
  • You can do this within Google as part of the sign-up process or with a separate domain registrar. Your preferred domain may already be taken, so be prepared to try a few variations until you get one that’s available. You will probably want a .org.uk domain as this signifies that you are a non-commercial organisation in the United Kingdom.

Create mailboxes for roles not individuals

  • For each role, create a mailbox and give the user name and password to the individual performing that role. For example, ‘Treasurer@domainname’ rather than ‘Bob_Example@domainname’. This means that when Bob moves on, you don’t have to create a whole new account or have their replacement constantly explain that they aren’t Bob.
  • Ensure that all electronic communication for a role is performed with that mailbox. Do not use personal accounts, and do not cross-contaminate roles (e.g., dealing with Clerk matters in the Treasurer account). This is especially important if you have someone with access to multiple accounts.
  • The first action performed by anyone taking over a mailbox should be to change the password, to ensure that only they can access it.
  • When setting up a mailbox for the first time, if individuals already have correspondence in their personal mailboxes (and you’re still on good terms) get them to forward the relevant email to the new mailbox.
  • If it becomes necessary to have an individual’s access removed from a mailbox, the account administrator can force a password reset. This should be done as soon as an individual ceases performing a role, as a routine matter of security.
  • On a regular basis (semi-annually or annually) who has access to each mailbox should be reviewed to ensure that it’s correct and up to date.


Setting Up Your Organisation’s Email Part I


Introduction

So, you need to hand off some of the jobs within your organisation to others, potentially to volunteers within it or people who are paid to perform those tasks. It looks rather complicated, but is realistically a couple of hours work to set up for any small to medium sized organisation.

If your organisation lacks the skills to set these systems up then you should engage the services of a third party to do it for you. A fairly small outlay here can save you a lot of time, stress, and expense later.

Here are some concepts to get comfortable with before you begin, and definitions for the Actions I’ll be suggesting in Part II.

Roles vs Individuals

The role is the task to be performed on behalf of the organisation (treasurer, clerk, etc), while the individual is the actual human being(s) performing that task.

Account vs Mailbox

The account is the container in which all the mailboxes are created. One account will have multiple mailboxes in it. Both the account and its contents belong to the organisation rather than to any individual.

The account also has technical roles associated with it. At a basic level those are mailbox administrators and mailbox users; the administrator (or ‘admin’) role creates and manages the mailboxes on behalf of the organisation, whereas mailbox users only have access to their own mailbox. Due to the security implications, only the most trusted individuals should be granted the administrator role.

It should be made clear to the role holders when they are appointed that the organisation owns the mailbox and all its contents, can and must be able to access it at any time, and that they cannot (and indeed should not) expect privacy. That’s what personal email accounts are for.

Domain vs Account

The domain is the label that is used for the account. Essentially it is the name that the internet uses to get your email to you – it’s the bit after the @ symbol for email and the www. for a website. So, our domain is mindfulbusinessservices.com. It can’t contain spaces or underscores. It’s common for the account and domain to have the same name, as this keeps things simpler, but they can be named differently.

You can choose not to have a domain, but then all your email addresses will end with the domain of your service provider (@gmail.com for instance). If you’re okay with that then you can skip setting up a domain. However, it’s generally worth doing as it’s not a lot of hassle, makes your organisation look more professional, and if you choose to move to another service provider later your email addresses won’t change.

That’s the concepts covered, the nitty gritty is in Part II.

Providing Guest WiFi At Your Premises


So you need to provide guest WiFi at your premises and don’t know where to start? Then you’re in the right place! I can’t give you chapter and verse, but these are the things that you’ll need to consider:

The Legalese

Your organisation is legally liable for the traffic that originates from your WiFi network – the good and the bad. To protect yourself from the bad you’ll need to have your users sign an Acceptable Use Policy (AUP). The AUP is your organisation’s way of absolving itself from any blame for bad traffic that users of your premises may generate and the easiest way to get them to sign it is to include it in the terms of the contract you have with them.

There are many use policy templates around the internet for you to copy (like here), but I’m no lawyer, so I can’t tell you how watertight they are. If you’ve got one in place you’ve at least shown willing, and in any legal proceeding that will probably go a long way to protecting your organisation.

If you charge for WiFi access you’re obliged to provide it, while if it’s complimentary a best endeavours approach will be acceptable (in other words, if it’s down you can get away with it for longer).

The Money

This will cost you to provide; it doesn’t come free. There will be an initial set-up cost for the provision of your line and the purchase of any necessary network equipment (and additional installation) and then a monthly running cost. Research the packages available to you, and decide how much you’re willing to pay and which extras you want enough to pay extra for (we give some suggestions of what to keep in mind further down the post).

The concept to keep in mind is Total Cost of Ownership (TCO). This is a standard business idea along the lines of ‘buying cheap three times costs more than buying expensive once, so lower cost is rarely better value’.

The Internet

The first step is to provide the connection from your premises to the internet. A large part of the pricing is how much data you can consume at a time – a lot of users simultaneously downloading videos will use more bandwidth than a few users browsing text, so the number of users and what they use your network for will dictate how much data you need.

The numbers to look for here are kilobits per second (kb/s) or megabits per second (Mb/s), depending on how fast the available services are.

Then there is the amount of data you can download over a given time frame, usually expressed as gigabytes per month. If you hit this limit within that time frame you either have to pay a top-up charge or wait until the next charging period – neither of these is good. If you can afford to go for an unlimited plan from the get-go then you avoid this hassle, so it’s generally worth a few pounds a month extra.

Next is the Service Level Agreement (SLA). This details (amongst other things) how quickly you’ll have your service back when it fails on the provider’s end; domestic connections generally have a longer time to repair than business connections.

If your users view having internet access as being critical, you may want to go for a business rated connection. While these cost more, they also tend to have better service agreements and will get back online faster.

The WiFi

The last step is to provision the wireless network within your premises. If it’s a small area then the router that supplies your internet bandwidth may already do this and you’re all set – lucky you!

For a larger building or one with thick brick, concrete or stone walls it’s a bit more complicated. You’ll need Access Points (APs) for the users’ devices to connect to, perhaps one per room, and these will need to connect back to the internet router, usually via cables which you’ll need to have installed.

In this instance your best bet is to go to a professional outfit. It’ll likely be the most expensive part of the installation, but is a one off cost and is worth doing properly to give as long and trouble free a service life as possible. Badly installed equipment costs more to keep working over its service life than properly installed equipment, so once again, cheaper isn’t always better.

For your users to access the WiFi you’ll need to give them two details, namely the SSID and password. The SSID is the network name which will show up on the device menu when your users go to connect. You’ll want something clear, like ‘(Meeting Name) WiFi’, so they know they’re connecting to you and not someone else by mistake.

The WiFi password should be:

  • Secure. You want a phrase of at least four words, preferably random – see this post for more in-depth advice on choosing a password.
  • Changed regularly – at least monthly. Once your password leaks beyond your user base (and it will) your neighbours WILL steal your bandwidth – I’ve watched it happen. The only way to stop this is to change it often enough that they can’t keep up.
  • Distributed to your users. Ensure that you have a consistent means of informing your users what the current password is. You can do this on site, such as on a notice board (try to make sure it’s somewhere only users will see, such as the kitchen), or distribute it via a mailing list or newsletter, either paper or digital.
  • Protected with WPA2 encryption to prevent it from being cracked; WEP and WPA are very weak and won’t offer you much protection.

The Maintenance

Provision of internet is seen more and more as an essential rather than optional feature, so it’s worth having systems in place to deal with any issues as quickly as possible. You don’t want your users to frequently struggle with the network being down – if coffee houses lose custom over it, so can you.

All the components listed above are complicated beasts and when they go wrong (note that’s when, not if) you’ll need access to someone who knows what they’re doing to get it working again.

If you engaged a company to install the network in the first place they may well offer this service, and would have the advantage of knowing your network already, so they won’t have to figure it out in the middle of a fault. Otherwise, you may have to engage a separate professional.

Either way, have things arranged ahead of time to minimise the delay between the issue being reported and resolved. You don’t want to have to be scrabbling around comparing quotes and reviews while you have an actual issue on your hands.

Consider the service level agreements here as well; shorter repair times may be worth paying extra for if you know that your users will be relying heavily on your network and it not being available for a week would cause problems.

Don’t sign up for terms longer than a year unless you’re very comfortable with the company or they offer a large discount. If they know you’ve got four years left before you can exit a contract you may not get as good a quality of service as you would with only six months left, for example.

Like all other technologies, wireless networking is continuously improving, so you can expect the access points to have a maximum service life of 3-5 years. Domestic grade access points will be cheaper to buy but not last anywhere near as long, and require more labour to manage, so will have a higher total cost.

Properly installed cabling, on the other hand, will have a life of at least 15-20 years and need very little maintenance.