Friday, February 11, 2011

Passwords - Public Service Announcement

Ah passwords... Everyone hates them. They are a necessary evil in the world of computing and these days the world of computing is the world at large.

Mobile devices have made the Internet accessible from everywhere. Mark Zuckerberg says privacy is dead, but we still don't want others accessing our digital identities. After all, as I just mentioned, the digital/computing world is our world now. Stealing access to someone's email or Facebook or Twitter is identity theft. It's not just about stealing credit card or social security numbers.

Stealing someone's online identity may not have the same long-term effects as stealing someone's bank account info, but the mental/emotional effects can be just as damaging, especially for the younger generations who live on the Internet. That is their way of life.

So strong passwords are a big deal. Yet they still suck. No one likes to use them. They don't want to have to remember them. So the passwords end up weak: too short, easy to crack. People don't change them often enough. They use the same password over and over again.

I'm not a hacker but what would I do to crack your password? First I'd try simple brute force. Many password cracking tools can break a weak password in seconds. Did you simply take a common word, found in any dictionary, and put a number on the end? Cracking programs can find that password very quickly.

The second thing I'd try is social engineering. I would email/call/text you and try to convince you I'm a legitimate person from whatever service I'm trying to break into (email, Facebook, bank, etc.). Some of you might be smart enough to avoid this, but there are a lot who are not. This is a pretty effective way to steal a password and many hackers do this all the time. It's also called phishing.

Oh and if you write down your passwords and keep them by your monitor I might call your coworker and try to social engineer them to find your password for me. Or if it's worth enough to me, pay off the cleaning person in your building to be looking/collecting passwords for me.

These first two give me your current password. If I'm lucky you use that same password on a lot of other sites too. That grants me greater access. I can collect data on you quickly, before you figure out what is going on and reset things. Really by the time you have figured it out, it'll be too late.

Third, I'd try to break the password reset system on one of the sites you use. If I know your email address, I can try to break into your email. Most email systems now have a series of questions that you answer to authenticate yourself when you tell them you forgot your password. I can use Facebook and many other public data sources to figure out what your elementary school was or your mom's maiden name.

This isn't as useful as having your password because I may not be able to get into your other systems, but if I can retain access to your email or maybe add a mail forwarder (when you get mail I can get a copy in my mailbox too) then I can use your account to collect additional info about you or use it to access other sites. Your email address is often used as your username in many systems.

So you are sitting there thinking one of three things:
  1. OMG! What do I do!?
  2. Yea right. You are just being paranoid.
  3. Yea, I know all this already and take steps to be careful.
Those of you in the #3 camp: if you have suggestions/corrections, please add them to the comments.

Those in the #2 camp: perhaps I am being a bit paranoid, but you are a perfect target. You don't think it'll happen to you, so your guard is down.

Ah my scared little bunnies in camp #1. Don't worry all is not lost. You don't have to cut yourself off from the Internet. There are a number of things you can do to protect yourself.

  1. Never ever give your password to anyone over the phone (or in person). The only person I give my passwords to is my wife and she only gets a couple weak ones. You've probably been told this many times but it still rings true. It's also applicable to other info that you should keep secure, especially if it has anything to do with your bank or credit cards. Those are prime targets of organized crime these days.
  2. Change all your passwords. Don't use the same password everywhere. If one of your passwords is compromised, the damage is isolated. The online media/blog site Gawker had many of their users' passwords compromised not long ago. Would you want to be one of the many who had to scramble and quickly change the passwords on all the other sites where they might have used that same password?
  3. Use long, complicated passwords. While some sites still have short maximum password lengths, take advantage of those that allow more characters. The more characters, the longer a brute-force attack takes. After a while the hackers will move on to a different, easier target.
  4. Get a password manager. There are a number of good password managers on the market now that can help you create and store all these complex passwords. The downside is that if it's compromised, all your passwords are compromised. So make sure you have at least one really strong password that you can use for it. Many can be installed on your mobile device or are online, making them usable when you're not at your primary computer. A couple of good ones are LastPass and KeePass.
  5. If you don't want to use a password manager use pass phrases instead of passwords. Use the spaces and punctuation. That'll make the password strong but easier for you to remember.
  6. Use a password card. These are a matrix of random characters that create passwords for you. The basic concept is rather than remembering the actual password you remember a simple one or two character/color combo. It can go in your wallet too so you always have your passwords available.
  7. Change your passwords often. Why you might ask? I change mine on a regular basis because if my password was compromised and I didn't know it, the hacker could be in my system for weeks/months and I'd have no idea.
  8. When setting up your password reset questions, put in fake information. If your first car was a Chevy Camaro, put in Ford Mustang. Something you can easily remember but someone with information about your past would not figure out. As long as it's a plausible answer, the password reset tools won't care. This works for credit cards and the like too, when you have to call in and give a passkey.
A few don'ts, just to re-stress:
  • DON'T use passwords with words that can be found in the dictionary. They can be cracked quickly, even if you have a number at the end. Most cracking tools have that factored in and it won't slow them down.
  • DON'T write down your passwords and especially don't leave them taped or Post-it noted to your monitor or leave them under your keyboard.
  • DON'T give your password(s) out to anyone but your most trusted.
  • DON'T think you are immune.
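To put numbers on points 3 and 5 above and the first "don't", here is a small strength estimator, added as an example and not part of the original post. It flags the dictionary-word-plus-digits pattern and compares the brute-force search space of a short password with that of a passphrase. The word list, the assumed dictionary size and the guess rate are constructed figures for illustration.

```python
import math

# Constructed sample standing in for a cracker's word list (assumption: a real
# checker would load a full dictionary file of hundreds of thousands of words).
COMMON_WORDS = {"password", "camaro", "mustang", "welcome", "dragon", "monkey", "letmein"}
ASSUMED_DICTIONARY_SIZE = 200_000   # assumed size of the attacker's full word list
SUFFIX_CHARS = "0123456789!@#$%"    # the "number on the end" crackers already try
GUESSES_PER_SECOND = 1e9            # assumed offline cracking rate, for illustration

def looks_like_word_plus_digits(password: str) -> bool:
    """True when the password is a dictionary word with a short digit/symbol tail."""
    core = password.lower().rstrip(SUFFIX_CHARS)
    return core in COMMON_WORDS

def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):   # spaces and punctuation
        size += 33
    return size

def bits_of_entropy(password: str) -> float:
    """Bits an attacker must search. A word+suffix password is charged only for
    the dictionary attack; anything else gets the full charset**length bound."""
    if not password:
        return 0.0
    if looks_like_word_plus_digits(password):
        suffix_len = len(password) - len(password.lower().rstrip(SUFFIX_CHARS))
        return math.log2(ASSUMED_DICTIONARY_SIZE * len(SUFFIX_CHARS) ** suffix_len)
    return len(password) * math.log2(charset_size(password))

def seconds_to_brute_force(password: str) -> float:
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return 2 ** bits_of_entropy(password) / GUESSES_PER_SECOND

if __name__ == "__main__":
    # Constructed samples: a word with a digit on the end versus a passphrase
    # that uses spaces and punctuation, as the post recommends.
    for pw in ["Camaro1", "my first car was a Camaro!"]:
        print(f"{pw!r}: {bits_of_entropy(pw):.1f} bits, "
              f"~{seconds_to_brute_force(pw):.3g} s to exhaust")
```

The passphrase comes out well over 100 bits while the word-plus-digit password is a few million guesses, which is why the extra length and the spaces matter more than the trailing number.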
I added that last don't because it's easy to believe, "Why would anyone want to hack my accounts?" Well, they may not be targeting you directly. You may be right that you aren't a prime target, and one-on-one attacks are unlikely unless someone is after you specifically. But with the Gawker leak I mentioned above, the site's username/password database was broken into. They didn't target you specifically, but if you are on that list then you'd be a target.

So go update your passwords! It's more important than ever that you have good strong passwords. Your whole life, not just your digital one, could depend on it.

Related articles: Passwords Revisited
