From one ‘hack’ about another…

Watercare may care about protecting our personal information but how ready are they to be in ‘sink’ with the world’s experts on cyber security?

It takes strength to swim against the tide of expert opinion. When a world-leading cyber security authority advised how to better protect our personal information on the World Wide Web, Watercare decided not to go with the flow.

A little like those who insist the world is flat, 6000 years old, and not warming up – in opposition to those madmen Pythagoras, Darwin and Hawking – this ratepayer-funded organisation won’t be dissuaded from its ‘current’ course. Since an ‘upgrade’ of its website last year, Watercare recommends:

“Long (say 12 plus characters) passwords/phrases that also include special characters,” a spokesperson advised me.

This is despite the suggestion from internet security expert Bill Burr (and America’s National Institute of Standards and Technology) that:

“People use long but easy-to-remember “passphrases”, a sequence of words that do not need to feature special characters or numbers. Using ‘horsecarrotsaddlestable’ would take one trillion years for a botnet cyber attack to crack, compared to one minute for ‘P@55w0rd’.”

Earlier last year, Mr Burr made waves when he announced advice he’d previously given to the US Government that people should use special characters, numbers and the like was, well, wrong! This is simply because, faced with having to remember numerous, complicated passwords, users tend to write them down or (even worse) save them to computers, making it much easier for those 21st Century boogiemen (aka hackers) to crack.

Now, I’m sure many of you (if you’ve bothered to read this far!) are wondering why this all matters. After all, who cares if some robot in cyber space knows how much water I flush down the pan? But remember that basic information can be keys to the kingdom when it comes to identity theft; a full name, phone number, email address and (obviously) a utility bill can be most useful in this respect.

With world cyber security experts now suggesting we use easy-to-remember (although long) passwords, Watercare appears (to me) to be swimming against the tide. However, said spokesperson firmly refuted my implication:

“Suggesting we are ‘going completely against the experts with regards to internet security’ is a considerable exaggeration… password complexity is only a small aspect of overall password security.”

She adds that the new requirement for special characters, numbers etcetera in its passwords is part of Watercare’s new web platform upgrade which should (in itself) be more secure.

Barry Brailey from NZITF (New Zealand Internet Task Force) confirms that Watercare is operating in line with current New Zealand Government recommendations.

“The advice [from Bill Burr] is relatively new, but rapidly gaining traction as best practice,” he says. “Conventional thinking on this only started to really shift last August. However, it should be noted that the NZ Information Security Manual (NZISM) currently recommends 10 characters with complexity or 16 characters without complexity.”

So, at least until Watercare (and the NZ Government for that matter) catch up with this shift in ‘conventional thinking’, I guess I’ll have to risk having my password saved to my hard drive. First world problems, huh? Well, either that or figure out a way to live without water, or remember the hundreds of passwords I require to live in this modern world. And, I just have to hope that no nasty robots read our magazine!

By Jon Rawlinson