Oct 08 2012

Passwords and Online Security Issues in Travel

I read a very sensible article by Oliver Burkeman in the Guardian today – Online passwords: Keep it complicated. Oliver voices some important issues about the passwords that we all have to set up, try to remember, and use every day to secure our online activities. I won’t reiterate all the good points he makes, other than to say that I agree that stupid rules about password formation, coupled with an inability to use long passwords, certainly make them more crackable. Everyone would do well to review their passwords and at least make them longer.

My purpose in writing this is to relate the general concerns over online security specifically to travel systems. If you hack a private consumer’s login details, then maybe you get all their personal info and credit card details – bad enough. If you hack a login into a travel system, then maybe you get access to hundreds of people’s names, addresses, credit card details and travel itineraries. The stakes are clearly much higher, and as a result the security that is in place had better be up to the job.

There is also a historical problem within the travel industry that logins, and therefore passwords, were often shared at an agency rather than individual user level, and the most obvious passwords you could possibly imagine were used. Historically, access to travel systems was in effect “locked down” by the necessity of connection to the private X.25 network infrastructure for Viewdata and GDS access, and so insecure passwords were really not a big deal. The X.25 network was also connection oriented, so a ‘call log’ was also inherently available at the network level. 

Despite the move to Internet-based services, I’m confident that this lax approach to security persists in travel. Users are still sharing logins, and using easy-to-guess and trivial-to-hack passwords. The problem is, they are now using web sites which can be accessed from Eastern Europe, China and who knows where.

The risk is reduced by at least having 2 security tokens, by which I mean a username that is not your email address, and a separate password. Companies like American Express mandate this as a minimum for all systems access. It’s also important to force individual, as opposed to agency-wide, logins, and passwords should certainly be of some sensible minimum length and contain some non-alphabetic characters. This at least stops “Wendy Smith” logging in as wsmith/wendy.

Passwords should never be stored in plain text (or in fact at all) by the web sites or systems you use. Passwords are ‘hashed’ (an algorithm that creates a new string of characters from the password), and the hash is then stored. When a user logs in, the password they give is hashed and compared with the stored hash. If it matches, you’re in. There is no algorithmic way to go back from the hash to the password itself, so stealing the hash becomes less useful. Problem solved? Well, not really. Given brute force and time, you can try every possible password combination, and see which ones create the hash you want. Say there are about 10 billion possible passwords, then that’ll take about 8 seconds using current technology. Ah, problem not so solved. But, if there are many more combinations, then it will take correspondingly longer. That’s why longer passwords are more secure, but only if the hash algorithm creates a long enough hash. The default Unix (or Linux) hash is only 8 characters, so it’s crackable by brute force in seconds.

By the way, assuming all uppercase and lowercase letters, numbers 0-9, and 31 special characters (like @^:;+!=] etc) are available, then a 5 character password has about 6.9 billion combinations, so not secure at all. Conversely, a 20 character password has about 2342 billion billion billion billion combinations (so my Excel formula tells me anyway). At a rate of 10 billion password tries in 8 seconds it would take 59421 billion billion years to try all combinations for a 20 character password. Things are not quite as great as that, as you would try all the combinations in order of likelihood, based on some other algorithms that try words or part words first, but you get the idea: A 5 character password is hopeless. A 20 character password is very robust against a brute force attack. If you want my calculations sheet, email me and I’ll send it to you. Back to the plot now …
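The calculation above, reproduced as an added example (not the author's spreadsheet). It uses the article's own assumptions, a 93-character alphabet and 10 billion tries per 8 seconds, and adds a hypothetical helper that finds the shortest length surviving a chosen number of years of exhaustive search.

```python
ALPHABET = 26 + 26 + 10 + 31          # upper, lower, digits, specials = 93
RATE_PER_SECOND = 10_000_000_000 / 8  # the article's 10 billion tries in 8 s
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of exactly this length."""
    return alphabet ** length


def seconds_to_exhaust(length, alphabet=ALPHABET, rate=RATE_PER_SECOND):
    """Worst case: time to try every combination (the average is half)."""
    return keyspace(length, alphabet) / rate


def years_to_exhaust(length, alphabet=ALPHABET, rate=RATE_PER_SECOND):
    return seconds_to_exhaust(length, alphabet, rate) / SECONDS_PER_YEAR


def min_length_for(years, alphabet=ALPHABET, rate=RATE_PER_SECOND):
    """Shortest length whose full keyspace takes at least `years` to try.

    Models pure brute force only; dictionary-ordered guessing, as the
    article notes, finds human-chosen passwords far sooner.
    """
    length = 1
    while years_to_exhaust(length, alphabet, rate) < years:
        length += 1
    return length


if __name__ == "__main__":
    for n in (5, 8, 12, 20):
        print(f"{n:>2} chars: {keyspace(n):.3e} combinations, "
              f"{years_to_exhaust(n):.3e} years to exhaust")
    print("shortest length lasting 100 years:", min_length_for(100))
    # Same question for lowercase letters only (26 symbols).
    print("lowercase only, 100 years:", min_length_for(100, alphabet=26))
```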

So, there is definitely a problem with security in travel, so what can be done? Well, what we’ve been doing for years is what the banks are now increasingly doing, especially with mobile banking. The connection to your secure service is secured not only with some kind of username and password, but also by tying the connection to a specific device. In the case of banking, your mobile banking app will be registered to and be verifying the device (phone or tablet) that it’s running on. If you install the app on another phone and try your password/passcode, it won’t work. In the case of our systems, we check that you have installed a ‘digital certificate’ onto your PC, and we validate this certificate as part of a secure tunnel between our systems and your desktop/laptop. You may not know if your password has been stolen, but you’ll certainly know if your mobile phone or laptop has been. Also, even if your device is stolen or lost, it’s vanishingly unlikely that the person who stole/found it also has your username/password combination.

So, we have now tied the connection not only to a person with knowledge of a secret (i.e. their username and password), but also to a set of pre-validated devices. The key thing here is that if either your password or your device is compromised, your security is still intact.

So, what are the key things that can be done today:

  • Make sure every user has a separate login, and that none are shared in the workplace.
  • Write a password policy and make sure your staff do not use work related passwords for personal use.
  • If you have the option to do so, use a username rather than just your email address.
  • Make all your passwords decently long (more than 8 characters), and include numbers and special characters.
  • For core systems, see if there is any option to tie down your access via some 2nd level security to a specific device, via a VPN or secure tunnel connection.
  • If any web site emails you your current password when you forget it, then they are not storing your personal information in an appropriate way (imho), and you should not be dealing with them. Passwords should always be stored in a one-way hash, meaning that they cannot be recovered, only changed.
  • Try to use different passwords for different types of things, e.g. don’t use your banking password for Facebook, Twitter, LinkedIn etc.

This is all just common sense, but maybe not so obvious to everyone. The threats of data loss, fraud, identity theft and worse are real threats, and the travel industry really needs to wake up and think carefully about these issues. Understanding how easily passwords can be hacked is a good place to start.

Rob Wortham

October 2012
