Rossander's Security Reader » Passwords

Password joke

Mike Rossander — Thu, 08 Mar 2012 14:20:23 +0000

During a recent password audit by a company, they found that one employee was using the following password:

“MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento”

When asked why she had such a long password, she rolled her eyes and said: “Hello! It has to be at least 8 characters long and include at least one capital.”

Sounds like a pretty good password to me.

Are passwords still viable?

Mike Rossander — Mon, 08 Feb 2010 14:19:40 +0000

How many different passwords do you have? Add up all the ones on your work computer, your bank account, 401(k), personal email account, amazon, google, ebay, twitter, facebook, linkedin, wikipedia, professional organizations, other shopping sites… The list goes on and on.

Each password has to be strong enough to protect the information behind it. Of course, knowing that we are all basically lazy (and that they will be held responsible if the account is hacked), the companies hosting these services require “strong” passwords – numbers, punctuation, no duplication, etc. And without universal standards, we end up with a hodge-podge of passwords that are impossible to keep straight.

One answer is a “password management” program, often built right into your web browser. These programs remember your logins and passwords for you and automatically fill them in as soon as you go to the page. There are several problems with them, though.

When your computer gets stolen, you lose all your passwords.
If the password manager gets hacked, you again lose everything all at once.
The passwords are only available while you’re working on that one computer. You’re out of luck if you need to check your account from your mother-in-law’s.
And, of course, these don’t do anything for the passwords you need to track that aren’t associated with web pages.

A perhaps-better answer is a single-signon service. In this model, you create one account with a widely accepted and trusted service who then authenticates you to the merchants. The Open ID Foundation is probably the best known, accepted by about 9 million websites including Google and Yahoo. This still leaves all your eggs in one basket but at least the basket is not in your easily-stealable laptop. On the other hand, if any one of those 9 million websites gets hacked, the thief might then be able to forge your credentials on the other sites. I’d trust their service for accounts I don’t care much about (google, email, shopping sites, etc) but not yet for my bank account.

Several academics are experimenting with using your cell phone as your password manager. It’s an interesting idea since we are so very attached to them. But we also lose them at an incredible rate. And if you think you get resistence about your computer passwords, try requiring a strong password on a phone.

Biometrics? There are some interesting new ideas about facial recognition using the builtin webcam of many modern laptops and others that track things like your typing patterns. None are ready for prime time yet.

All told, I think we’re still in a bad place. Passwords are the least unworkable answer we have today. Try to pick strong passwords, use a pattern that lets you modify a core password according to the site you’re visiting, change the important ones regularly and never, never, never share your password. If you must write them down, keep them in a dedicated and highly secure application like the old Blackberry password vault.

Resolve to make stronger passwords in 2010

Mike Rossander — Tue, 05 Jan 2010 20:59:54 +0000

Happy New Year, all. I hope you had a wonderful and safe holiday. It’s a brand new year – time to make resolutions to do better and be better people.

One resolution that we’ve talked about before is the need to make better, stronger passwords to keep your identity and your customers’ informations secure. Americans still have a nasty habit of picking passwords from the dictionary. When the system requires numbers or extra characters, we tend to add them to the end. Hackers know this and exploit the pattern when they build programs to break your password. Here are a few suggestions to make their lives harder (without making your passwords so impossible to remember that you write them down). None of these suggestions are new but hopefully this is a useful reminder.

Pick a pass phrase, not a password. A good hacker can test your password against every word in the dictionary in something under 30 sec. Testing every possible combination of 7 random characters takes not that much longer. A five word passphrase, on the other hand, can not be brute-forced using current computers in the time remaining in the life of the universe. And because of how our brains are wired, phrases are much easier to remember than strings of characters.
Make each password a unique variant using some personal rule about the site that you’re logging into. That way, you won’t lose everything just because the hacker cracks one site but you can still keep the number of things you must memorize to a minimum. Here is a link to one technique.
Never share your password. Not to your boss, your co-workers, your spouse, no one. Nobody should know your password except you. (The only exception I allow is that parents should insist on a copy of all passwords used by their underage children. Keep it safe, though.)
Make sure you’ve changed the default password on accessories like your router.

Anyone can get hacked

Mike Rossander — Tue, 10 Nov 2009 00:48:17 +0000

Sorry I haven’t posted in a while but it’s been an interesting few weeks. If you’d looked at this site on the morning of 6 October, you would have seen a very different page – black background, yellow arabic writing and some very disturbing pictures. The vandal replaced the front page of our local beekeepers’ website with very similar content. It was a rude surprise, especially so early in the day.

Some background – I maintain the beekeepers’ website for them and host both that site and this one through a third-party provider. And while I do all of the writing for the infosec blog, I have a couple of other beekeepers who were helping to maintain the beekeepers’ site. It’s all volunteer work and I’m so glad for any help I can get that it’s hard to impose a lot of strict standards or hurdles. Besides, who cares about hacking a beekeeper club’s website?

Apparently lots of people.

It’s unlikely that we will be able to prove exactly how the hacker got in but it was almost certainly a scripted attack – a robot run by a hacker against anything he/she could find vulnerable – not a targeted attack. (For example, the hacker vandalized only pages titled index.htm, the standard name for a site’s home page, and none of the pages which had human-created names. Any targeted attack would have overwritten the other pages as well. Not only would it be more pages hacked but the vandalism might go unnoticed longer.) Our best guess is that the hacker go in because we weren’t careful enough about passwords. One of my authors had a password the same as his username. Even a kiddy-script can test for passwords that easy.

Lessons Learned:

Any site is vulnerable even if you don’t think that anyone would bother with little old me.
Passwords are important, even when you think they aren’t.
Volunteer time is valuable but only if it’s the right volunteer. Even if his/her heart’s in the right place, sometimes that time is more expensive than it’s worth.
Internal segmentation would have limited the damage. Merged accounts makes it easier to manage the domains but separate accounts would have kept the hacker from “promoting” himself across to the other accounts so easily.
Monitoring is a good thing. In my case, it was dumb luck. My wife has the site as one of her home pages and noticed it as soon she logged on in the morning.
Good backups make repairing the damage easy. My backups are automatically managed through third-party host and they do an excellent job. Once we discovered the vandalism and collected the evidence, the act of repairing the vandalism took mere minutes. I wish I could take credit for it but I got lucky and picked a good vendor.

Anyone can get hacked. Do what you can to minimize your chances, discover it quickly and plan so the costs to repair are low. I can’t say that I’m proud of this post but I do hope that you can learn from my mistakes.

Adobe weakens passwords – sort of

Mike Rossander — Tue, 27 Jan 2009 03:37:46 +0000

There was a story last month that Adobe’s latest release (Acrobat 9) actually weakened the strength of the algorithm they use for passwords that protect PDF documents. If you’re using password-protected PDFs as a way to send confidential information to your customers or business partners, does this mean that you can no longer trust the protection?

There is a lot of confusion because at the same time, Adobe increased the encryption from 128-bit to 256-bit. More is better, right? All things being equal, that’s usually true. In this case though, they also changed the way the encryption works. The net result is that the password is now crackable about 100 times faster than with the older Adobe versions.

If you are using weak passwords, this change matters a lot. Passwords that used to take 3 months to crack will now be breakable in a little over a day. If you’re still using single english words for your password, your protection is weak at best. A brute-force attack (where the hacker tests every word in the dictionary against your document) will break a weak password in minutes. On the other hand, if you’re picking strong pass-phrases – whole sentences from a favorite book or song – and if your phrase includes upper case, lower case, numbers and special characters, your cracktime is probably still measured in millennia. I tend to like sentences from children’s counting books such as “On Monday, he ate thru 1 apple.” from The Very Hungry Caterpillar. Not only does it have all four character classes, but I’ve read that book far too many times – there’s no chance that I’ll ever forget that pass-phrase. Combine that phrase with the prefix trick for managing multiple passwords and your password will outlast a thousand hackers.

The one unambiguously good thing about this change is that Adobe got rid of the 32 character limit. You can now type as much as you want for your pass-phrase (up to 127 characters – and even I’ve never hit that limit). If you take advantage of that increase, the change to version 9 is a net security benefit even with the change to the algorithm. You can read more at PCWorld.com or on Adobe’s own security blog.

Stolen laptops

Mike Rossander — Mon, 03 Nov 2008 22:37:07 +0000

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It’s not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else but it is a disturbing trend.

Laptop computers represent one of most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don’t think you’ve ever saved a confidential document onto your computer, the computer will almost certainly have the access credentials needed to access information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee’s practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don’t give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet – out of sight, out of mind. Don’t assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don’t just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for english-speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You’d never be that careless at home. Don’t let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it’s time to ask for your free copy of your credit report from the next agency.

From westfieldinsurance.com

Managing multiple passwords

Mike Rossander — Mon, 18 Feb 2008 07:00:00 +0000

These days, keeping all your passwords straight can be an almost impossible task. Every website and application needs a password. Do you pick the same password and use it everywhere or do you write them down? If you use the same password, you’ll lose them all as soon as any one of those systems gets compromised. But if you write them down, you lose them all when your sticky-note gets lost or stolen.

Here’s a trick for making semi-customized passwords that will be easy to memorize but still unique to each site.

Pick a "static" password. (For this example, I’ll use "Bluebird" but a passphrase is much better.) Now look at the website or application that you’re signing onto. Make up a personal rule about the website name such as:

The first digit of my password will always be the second letter of the website’s name.
The second digit of my password will always be the number of characters in the website’s name.
The third digit will be a dash.

The password at Amazon would be "m6-Bluebird" and at eBay would be "b4-Bluebird". The password on your home Dell computer might be "e4-Bluebird". A password in this pattern is reasonably strong because it has all four character classes (uppercase, lowercase, number, punctuation) and because it doesn’t follow the predictable tendency for English speakers to capitalize the first letter and put the number(s) at the end. Best of all, every password is different but you only have the one phrase to memorize and one rule.

There are a couple of limitations to this technique.

You must be the only person who knows your exact rules. Do not use the exact rules above. Make your own choices about which letter, punctuation, etc.
Some systems won’t allow special characters (like the dash) or may have size limits on the password. Unfortunately, there’s no easy way around those problems. Make the best choice you can given the limits of the system and write down only enough to remind yourself what’s different (such as "401k – no dash"). If it’s an important system (like your online bank), lobby the company to allow stronger passphrases.

From westfieldinsurance.com

Never share your password

Mike Rossander — Mon, 28 Jan 2008 07:00:00 +0000

As a user, you should never share your password with anyone. It is used to track who had access and made changes to specific information. You are responsible for everything done on the system using your ID and password.

As a manager, you must set up the processes and procedures so that your staff and customers do not need to share their passwords. They need a simple rule that anyone asking for their password is running a con.

The user’s co-workers should never have access to each others’ passwords. If work needs to be shared, use shared folders or other collaboration tools that maintain tracabilty in the logs about who did what. If a co-worker needs temporary access to the user’s files (for example, if covering for someone on vacation or emergency medical leave), have IT use their administrative tools to grant the access rights under their own ID, not by compromising the ID of the person who is out of the office.
Not even your own IT staff should ask for a user’s password. If IT needs the password to complete a repair, the IT person should insist that the user type in the password.
You don’t need their password either. If you need to access their files, you should have IT set up your rights so that you can monitor their work under your own ID and password. No one ever wants to be in the middle of an investigation but, if you are, you really don’t want to have counter-accusations that the chain of evidence was compromised.

Too many people are running phishing and other cons that try to trick people into sharing their passwords. Make it possible to say with confidence that no one at your organization will ever ask you for your password.

From westfieldinsurance.com

Resolve to make stronger passwords in 2008

Mike Rossander — Mon, 07 Jan 2008 07:00:00 +0000

According to a non-scientific survey I just conducted, the most common question this time of year is “How were your holidays?” The second most common question is “Have you broken your New Year’s resolutions yet?”

Here’s a trick to help keep at least a few of those resolutions by choosing stronger passwords. As we’ve talked about before, passwords are fairly easy to break because most of us pick an English word, capitalize the first character and add a number at the end. That’s a statistically common trend among English-speakers. It meets the minimum complexity rules but will fail to a password cracking tool in 30 seconds or less.

If your New Year’s resolution is your passphrase, you’ll get a strong password that is hard for an outsider to break. (Microsoft’s password rules allow up to 127 characters and permit any character on the keyboard, including the spacebar. You can pick a whole sentence including spaces and punctuation for your password.) And by typing it several times a day, well, maybe repetition will help me actually live up to the resolution. For example, I need to eat less and exercise more. If my password for the month is “Take the Stairs.“, I’m reminding myself several times a day that I shouldn’t be lazy – that those extra steps are good for me.

A couple of thoughts, though. First, don’t make your password obvious to others. If your password is “Spend more time with your Kids!“, don’t make a poster with the same phrase and hang it in your office. Second, add unusual capitalization or swap a letter for a number in the middle of the phrase. For example, “Give more time 2 Charity.” Even if someone does guess your resolution, they won’t know what little change you’ve made to the way you type it. Put together, you’ll have a strong password that’s easy to remember and might actually help you keep that resolution a little longer.

From westfieldinsurance.com

Password security

Mike Rossander — Mon, 13 Aug 2007 07:00:00 +0000

Passwords are only useful if they are kept secret. That sounds obvious but we are still finding users who tape their passwords to the computer or "hide" them in an unlocked desk drawer.

Laptop and desktop computers represent the single greatest risk to the computer systems and customer private information of most organizations. A stolen or lost laptop is a gold mine for an identity thief. Laptops and desktops hold all kinds of private information (often including the access rights and certificates necessary for a hack to get onto the rest of the network).

In order to mitigate the risk, many organizations have encrypted their computers – scrambled the content so that, in theory, if a computer is stolen, the thief gets away with a $2000 doorstop. Unfortunately, that encryption is often completely dependent on the password. If the thief also gets away with the password, they have access to everything and all the organization’s defenses are for naught.

Make it very clear to your staff that leaving a password unprotected is a very serious violation of your security policies. If they see an unsecured password, have them report it immediately to their manager or supervisor.

From westfieldinsurance.com