
Teague Hopkins

Mindful Product Management


Security

Sep 07 2011

Moving to the Cloud

For most organizations, maintaining servers is not a core competency, but there are concerns with moving hosting and other services to the cloud. One of the most common concerns we hear from small businesses is the reliability or security of cloud hosting services. Several high-profile outages have made it obvious that cloud services are not infallible.

However, it is a mistake to assess cloud services on an absolute scale. Small businesses should ask themselves whether cloud service providers can do a better job keeping the servers running than they can. Almost always, the answer is yes.

If it has ever taken you longer than 24 hours to recover from a server outage, it’s probably time to move to the cloud.

It is impossible for most small businesses to match the ability and experience in server management of providers like Amazon and Rackspace. Additionally, those providers have several advantages that come from the scale of their business. If hardware fails, they have a larger pool of backups to use as substitutes than do small businesses. They can make better use of resources by spreading the cost of features like diesel generator backup and redundant connectivity across many hosted solutions, enabling them to offer more resilient systems at a lower cost than their customers could achieve independently.

What are the telltale signs that an organization should move to the cloud?


Not all small organizations need to move to the cloud, and there are factors to consider other than reliability and cost. However, if it has ever taken you longer than 24 hours to recover from a server outage, it’s probably time to move to the cloud. If your server uptime is worse than 99.9%, it’s probably time to move to the cloud. If you don’t know what your uptime is, server hosting is probably not a high enough priority and should be outsourced, usually by moving to the cloud.

In addition to increasing reliability and lowering costs, there are some operational advantages from moving to a cloud-hosted solution. The potential to scale capacity quickly is one such advantage, and is of particular value to startups and other organizations expecting rapid growth. The process of spinning up an additional cloud server is significantly faster than installing a new physical server of your own, and does not incur the fixed costs of purchasing new hardware. As a bonus, if that increase in usage turns out to be a spike instead of sustained growth, spinning down that cloud server is just as easy.

Photo by Horia Varlan

Written by Teague Hopkins · Categorized: Main · Tagged: Business, Centralized computing, Cloud computing, Management, Security, Virtual private server, Web hosting, Web hosting service

Aug 11 2011

Secure Your Web App By Focusing on Users

Since reading Randall Munroe’s excellent commentary on password strength in modern web applications, I’ve noticed countless online services that limit the potential strength of a user’s password by limiting the length, while simultaneously increasing the difficulty of remembering that password by requiring that it include symbols, numbers, and mixed cases. Even a number of well-known financial institutions have fallen prey to this misconception. If your organization or company is thinking about how to structure password requirements, the comic provides a perfect illustration of how to reorient your approach to increasing security for your clients.

How to Pick a Secure Password

As the comic rightly points out, mixing different types of characters into a password based on a single uncommon root word doesn’t increase security as much as a passphrase of several common words does. Thus, a password like bananasandwichspringhula would take more than 66,000 times as long for a brute-force dictionary attack to guess than the seemingly more secure f1@tw0rm{5. That passphrase of 4 common English words is not only easier to remember, but is actually more secure. Even more secure (by a factor of about 1.66) is a truly random string of 8 characters – symbols, numbers, and letters – but that’s also much harder to remember.

The Business Case

Ensuring password strength is a common business problem. As a result, there are plenty of simple JavaScript fragments that will happily compute a password’s strength or let your application force users to pick a “secure” password. The problem? They’re doing it wrong. Each of these free algorithms perpetuates the misconceptions about what makes for a secure password. They mistake “hard for humans to remember” for “hard for computers to figure out.” The ideal solution would be a script that quickly calculates the entropy of a given password, enabling the user to select an easily remembered password that is also secure.

The Challenge

Quickly determining the difference between Oo9kX9^# and f1@tw0rm{5 might be easy for the human creating the password, but the fact that one is based on a root word is not as immediately clear to a computer. The computer must try common substitutions and subtle variations, and match the result against a dictionary list. Effectively, to determine the strength of the password, the computer must attempt to crack it in a more sophisticated way than simple brute force. Calculating a simple brute-force time-to-crack would yield the same result for each of these passwords. However, in an actual attack, the latter would fall much more quickly than the former. While a purely random password is easy for a computer to assess, the lack of randomness introduced by the user in trying to make the password memorable is what introduces vulnerabilities for savvy hackers.
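The two preceding sections argue that a strength meter should model the attacker rather than count character classes. The following script is an added example, not code from the original post, of such a meter in the JavaScript setting the post mentions. It scores a password under two models and reports the weaker one: plain brute force over the character classes used, and a dictionary attack that first reverses common “leet” substitutions and then segments the result into words. Everything about the attacker is an assumption, labelled in the code: the word list is a tiny constructed sample, the attacker’s list is assumed to hold 2048 words (about 11 bits per word), and each substitution the attacker has to guess is charged one bit.

```javascript
// Added example: a password-strength estimator that models the attack
// described in the post. Reports the weaker of two models:
//   1. brute force over the character classes the password uses;
//   2. a dictionary attack that undoes common "leet" substitutions and
//      then segments the result into dictionary words.
// Assumptions: WORDS is a constructed sample (a real meter loads a full
// word list); DICT_SIZE is an assumed attacker list size; one bit is
// charged per substitution the attacker must guess.

const WORDS = new Set([
  "banana", "sandwich", "spring", "hula", "flat", "worm", "flatworm",
  "sand", "which", "ring", "and", "correct", "horse", "battery", "staple",
]);
const DICT_SIZE = 2048;                   // assumed attacker word-list size
const WORD_BITS = Math.log2(DICT_SIZE);   // ~11 bits per dictionary word
const MAX_WORD_LEN = 12;

// Reverse substitutions an attacker would try (assumed, not exhaustive).
const UNLEET = {
  "1": ["l", "i"], "0": ["o"], "@": ["a"], "$": ["s"],
  "5": ["s"], "3": ["e"], "4": ["a"], "7": ["t"],
};

// Size of the alphabet an attacker must search for this password.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33;   // printable ASCII symbols
  return size;
}

// Model 1: naive brute force, bits = length * log2(alphabet size).
function bruteForceBits(pw) {
  return pw.length * Math.log2(charsetSize(pw));
}

// All de-leeted variants of pw as [text, substitutionCount] pairs.
function unleetVariants(pw, limit = 512) {
  let variants = [["", 0]];
  for (const ch of pw) {
    const options = [[ch, 0]];                    // keep the char as typed
    for (const rep of UNLEET[ch] || []) options.push([rep, 1]);
    const next = [];
    for (const [text, subs] of variants) {
      for (const [rep, cost] of options) next.push([text + rep, subs + cost]);
    }
    variants = next.slice(0, limit);              // cap growth on long inputs
  }
  return variants;
}

// Cheapest cover of `text` by dictionary words (WORD_BITS each) and loose
// characters (charBits each), via dynamic programming over prefixes.
function segmentBits(text, charBits) {
  const lower = text.toLowerCase();
  const best = new Array(lower.length + 1).fill(Infinity);
  best[0] = 0;
  for (let i = 1; i <= lower.length; i++) {
    best[i] = best[i - 1] + charBits;             // char i stands alone
    for (let len = 2; len <= MAX_WORD_LEN && len <= i; len++) {
      if (WORDS.has(lower.slice(i - len, i))) {
        best[i] = Math.min(best[i], best[i - len] + WORD_BITS);
      }
    }
  }
  return best[lower.length];
}

// Model 2: dictionary attack with substitution guessing.
function dictionaryBits(pw) {
  const charBits = Math.log2(charsetSize(pw));
  let best = Infinity;
  for (const [text, subs] of unleetVariants(pw)) {
    best = Math.min(best, segmentBits(text, charBits) + subs);
  }
  return best;
}

// Effective strength is whatever the cheaper attack achieves.
function effectiveBits(pw) {
  return Math.min(bruteForceBits(pw), dictionaryBits(pw));
}

// Report for the three passwords discussed in the post.
for (const pw of ["bananasandwichspringhula", "f1@tw0rm{5", "Oo9kX9^#"]) {
  console.log(pw.padEnd(26), "brute", bruteForceBits(pw).toFixed(1),
              "dict", dictionaryBits(pw).toFixed(1),
              "effective", effectiveBits(pw).toFixed(1));
}
```

Under these assumptions the four-word passphrase scores about 44 bits, the de-leeted root word only about 26, and the random eight-character string about 53; the brute-force column alone would have ranked f1@tw0rm{5 highest. Taking the minimum over attack models is the design point: a meter that only reports the brute-force number rewards exactly the substitutions the post warns against.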

The Solution

To achieve a balanced compromise, service providers should educate users about how to keep their information safe by creating a strong password that is also memorable. Don’t assume that simply requiring certain character types will make your users more secure. Many users will follow the letter of the law, not the spirit, in their attempt to create an easily memorable password. And please, please don’t limit the length of users’ passwords! Munroe’s compromise of a simple string of common words isn’t a perfect solution on security or memorability, but it is a realistic improvement that will help your users do what they want: protect their data online.

Photo by Marc Falardeau

Written by Teague Hopkins · Categorized: Main · Tagged: Password, Security, User


Copyright © 2023 Teague Hopkins