The recent revelation from the website insecam has brought to the forefront the importance of password management and privacy control. For those who are not familiar with insecam and similar sites, it is essentially a database of camera feeds from around the world. These camera feeds are not public feeds such as one might find on a city or state website overlooking a freeway. Many of these are personal, cloud based surveillance systems with feeds ranging from businesses to homes.
The purpose of insecam is allegedly to shed light on the shortcomings of keeping a default password on your system. Most security cameras come pre-programmed with passwords like admin or 1234. While there are some out there who are comfortable leaving default passwords on their systems, whether for convenience or the idea that they’ve nothing to hide and don’t believe they are vulnerable, insecam is out to prove you wrong, and prove it they have.
A short perusal of their site shows that there are nearly 10,000 cameras active in the United States alone. Next up is Republic of Korea with a whopping 6248 feeds. Randomly clicking one of these feeds reveals everything from coffee shops to the interior of a child’s bedroom. Insecam also shows geotags of where these feeds are located. The fact that the location of the camera is tagged should give everyone pause, especially those with private in-home systems. Their intent may be to outline the shortcomings of laziness in network security, but they have inadvertently opened the door to plenty of nefarious characters.
The purpose of this post is not to scare people, although if you are one of the folks with an open feed to your living room or child’s play area you should be plenty concerned. The purpose is to reiterate the importance of password management in all IT functions, especially those that deal with privacy.
Basic password tips
First and foremost: change your default password. Depending on your security needs the password need not be too complicated. In general, passwords should be at least 10 characters long and include a variety of letters, numbers and symbols. Most access controlled sites recommend at least 8 characters, however the US government has been advocating for years that passwords should be at least 15 characters. Also, avoid using whole words as they are easily guessed. A good idea is to use an easy to remember phrase and use letters from that phrase as your password. For example: I like to go fishing on the third of the month can become Iltgfot3RDotm. Also, avoid easy to guess words and dates like kids’ names and birthdays.
A note about password storage and variety
Many people like to store their passwords in a digital file on another device, or in their cloud drive. This is not a good idea. If that device were lost or compromised, that password is now available to whomever hacked the system. If you must store your information electronically try to disguise it well by giving the file a subtle name that does not betray its sensitive nature and consider using basic encryption software.
Many people prefer to write their password on real media such as notebooks and sticky notes and leave them in plain sight. This is especially risky in office environments where someone may see it. Industrial espionage is a real risk and isn’t necessarily the guy in a neoprene jumpsuit rappelling down an air shaft to break into the mainframe. A seemingly benign interaction between co workers can lead to the inadvertent spread of sensitive information. Keep your passwords out of plain sight!
As for variety, do not use the same password for every application. It is tempting to streamline your passwords, especially when you’re constantly jumping between email, social media and work. The obvious risk is that once your password is compromised they will have access to all of your data.