Tuesday, July 8, 2008

Security Password

STRANGE BUT TRUE

Extract from Yahoo Tech

This may or may not come as a shocker, but according to a recent FTC survey on identity theft, 16 percent of the victims said their information was stolen by people they knew, which included friends, relatives, neighbors, and coworkers. This is very important because it serves as a reminder that we need to take extra precautions whether we're at home or at work. It's a good idea not to let your browser remember your logins (saved passwords and "keep me signed in" cookies), so that anyone who sits down at your computer can't simply walk into your accounts, and you should never keep sensitive information where thieves can easily find it.

I've gotten several emails from readers asking me how they can find out if someone has accessed their personal email account, so I thought I'd point you to an excellent post written by PCWorld's Erik Larkin on how to set a hacker alarm on your web mail box. This is a good way to find out if anyone besides you is logging into your email account.

Here's the gist:

  1. Open an account with www.onestatfree.com, and use a disposable e-mail address to complete the registration process.
  2. You'll receive an email from OneStat with an attached file. Save the file, note the account number, and then delete the email.
  3. Rename the file with a name that would catch a hacker's eye like "AccountPasswords." Save the .txt file as an .htm file so it opens up in a web browser.
  4. Send an email with the .htm file to the account you want to monitor. Use a subject title that is eye catching.
  5. Wait for the hacker to take the bait. If the attachment is opened by anyone else but you, the hit counter will record their IP address.
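The same alarm can be run without a third-party hit counter. The Python below is an added example, not PCWorld's or OneStat's code: it writes the bait .htm file, which contains nothing but a one-pixel image fetched from a server you run, and that server records the IP address and browser string of whoever opens the file. The hostname beacon.example.net, the port, the /t/<token>.gif path and the log layout are this example's own choices. One caveat: if the attachment is previewed inside a webmail client rather than opened in a browser, remote images may be blocked or fetched through the provider's proxy, so the IP you see can be the provider's rather than the intruder's.

```python
"""Self-hosted "hacker alarm": a bait HTML file that loads a one-pixel image
from a server you control, so anyone who opens it leaves an IP and browser
string in your log.  Added example; not OneStat's service or PCWorld's code.
The /t/<token>.gif URL scheme and the log layout are this example's choices."""
import http.server
import re
import secrets
from datetime import datetime, timezone

# Smallest valid 1x1 transparent GIF (43 bytes): what the beacon URL returns.
PIXEL_GIF = bytes.fromhex(
    "47494638396101000100800000000000ffffff"
    "21f90401000000002c00000000010001000002024401003b"
)

HITS = []  # in-memory log of beacon fetches; a real deployment would write to disk
TOKEN_RE = re.compile(r"^/t/([A-Za-z0-9_-]{16,})\.gif$")


def new_token():
    """Unguessable per-bait identifier, so a hit cannot be forged by guessing the URL."""
    return secrets.token_urlsafe(24)


def bait_html(token, beacon_base, title="AccountPasswords"):
    """The attachment: looks like a credential list, contains nothing but the beacon."""
    return (
        "<!doctype html>\n"
        f"<html><head><title>{title}</title></head><body>\n"
        "<p>Loading saved account list...</p>\n"
        f'<img src="{beacon_base}/t/{token}.gif" width="1" height="1" alt="">\n'
        "</body></html>\n"
    )


def token_from_path(path):
    """Return the token in a beacon request path, or None for anything else."""
    m = TOKEN_RE.match(path)
    return m.group(1) if m else None


def record_hit(token, ip, user_agent, when=None):
    """Append one fetch to the log and return the entry."""
    when = when or datetime.now(timezone.utc)
    entry = {"time": when.isoformat(), "token": token, "ip": ip, "ua": user_agent}
    HITS.append(entry)
    return entry


class BeaconHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        token = token_from_path(self.path)
        if token is None:
            self.send_error(404)
            return
        # client_address is the TCP peer; trust X-Forwarded-For only behind your own proxy.
        record_hit(token, self.client_address[0], self.headers.get("User-Agent", "-"))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.send_header("Cache-Control", "no-store")  # every open should reach the server
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, fmt, *args):
        print(f"[beacon] {self.address_string()} {fmt % args}")


if __name__ == "__main__":
    tok = new_token()
    # Assumed: this host is reachable from the Internet as beacon.example.net:8080.
    with open("AccountPasswords.htm", "w") as f:
        f.write(bait_html(tok, "http://beacon.example.net:8080"))
    print("bait written; watching for token", tok)
    http.server.HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

Mail the generated AccountPasswords.htm to the account you want to watch, then leave the server running; any entry in HITS whose IP and browser string are not yours is your alarm.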

Hackers are very clever, so you want to change your password frequently to something that's a little harder to crack.

MOST COMMON PASSWORDS

There are many articles on Yahoo! Tech regarding password security, but no matter what advice we receive, we're all most likely to choose a password we can remember. Unfortunately, cyberthieves know this weakness all too well, and try to hack into accounts by using the most common passwords online first.

PCMagazine says these are the most commonly used passwords, so if yours is on the list, I recommend you change it immediately.

  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. blink182
  10. (your first name)

I admit, I've used at least two of these passwords on my low-security accounts (news sites mainly), because as a rule of thumb, I don't ever give up important passwords even on these sites.

Becky Worley put together this password makeover post full of tips to help you choose a memorable password that will also keep the bad guys out of your accounts. She recommends sorting all your online accounts into three security levels (high, medium, low) then assigning appropriate passwords to each group. Obviously, the high-security password should be the hardest to crack since it gives you access to financial accounts. Remember to always avoid using your social security number or home address as a password. It may be easy to remember, but that also means it's easy for thieves to guess, since that information is often already in their hands.

Chris Null gives us more good advice on how to pick a genuinely secure password in this post, and has a link to a database of more common passwords. Again, if your password is on the list, it's time for a password makeover.

TIPS TO MAKE YOUR INBOX LESS VULNERABLE TO IDENTITY THEFT

Identity theft continues to be a big concern among Americans who engage in online transactions, and for good reason. Last year, an FTC survey found that 8.3 million American adults were victims of identity theft in 2005, and an alarming 85 percent reported that one or more of their existing accounts had been misused. Those accounts included email, credit card, banking, medical insurance, and other Internet payment accounts.

Now you may not give this much thought, but your email account is a prime target for hackers because it holds sensitive information about you that puts you at great risk of identity theft. Think about it. When you open an online account, you're likely to get an email that contains your username and password, and if you're like most Americans, then you probably keep those emails in a folder for future reference. Oftentimes, we forget to delete these emails, or get comfortable with our online filing system, so we just have to be careful with whatever method we choose.

Here are a few tips to help you keep your inbox clean, and your identity safe:

One problem many of us face is remembering multiple passwords and usernames. Instead of writing them down, or keeping those password emails in your inbox, you should create high, medium, and low security passwords you can remember. Becky Worley had some great advice on giving your accounts a password makeover in an earlier post.

Faxes, contracts, and other important documents are being sent through email as attachments. If these attachments contain sensitive information, I recommend you save them to an external hard drive or a location only you know about, and then delete them from your inbox.

Delete any sensitive emails in your inbox that contain passwords or financial information, especially if you receive banking alerts with account balances.

Remember, if you lose your iPhone or Blackberry, anyone who finds it gains access to your email too. Always delete emails you don't want anyone to ever read, and put a password on your phone for extra protection.

Never forward sensitive information to anyone. Remember, they are as vulnerable as you are.
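A quick way to find the messages these tips say to delete is to scan the mailbox for them. The Python below is an added example, not from the article; the four sample messages are constructed, and the patterns it looks for (a "Password:" style line, a 13 to 16 digit string that passes the Luhn check, a nnn-nn-nnnn string) are this example's own choices. The Luhn check is what keeps a 16-digit order number from being flagged as a card number.

```python
"""Scan a mailbox for the messages the tips above say to delete: password
lines, card numbers and SSN-shaped strings.  Added example, not from the
article; the sample messages below are constructed."""
import re
from email import message_from_string

# Constructed sample mailbox: four raw RFC 822 messages.
SAMPLE_MBOX = [
    "From: welcome@exampleshop.test\nSubject: Welcome to ExampleShop\n\n"
    "Thanks for registering.\nUsername: jdoe\nPassword: Summer2008!\n",
    "From: alerts@examplebank.test\nSubject: Account alert\n\n"
    "Your card 4111 1111 1111 1111 was charged $42.10. Balance: $1,203.55\n",
    "From: news@examplenews.test\nSubject: Weekly digest\n\n"
    "Top stories this week. Order #1234567890123456 shipped.\n",
    "From: hr@example.test\nSubject: Benefits enrollment\n\n"
    "Please confirm your SSN 123-45-6789 on the attached form.\n",
]

PASSWORD_RE = re.compile(r"\b(?:password|passcode|pin|pwd)\s*[:=]\s*\S+", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13 to 16 digits, spaces or dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Mod-10 check that every real card number passes; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def body_text(msg):
    """Concatenate the text/plain parts of a message (handles multipart too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message):
    """Return (subject, reasons); an empty reasons list means the message is clean."""
    msg = message_from_string(raw_message)
    text = body_text(msg)
    reasons = []
    if PASSWORD_RE.search(text):
        reasons.append("password")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            reasons.append("card")
            break
    if SSN_RE.search(text):
        reasons.append("ssn")
    return msg["Subject"], reasons


def scan(messages):
    """Subjects and reasons for every message worth deleting or moving offline."""
    return [(subject, reasons) for subject, reasons in map(classify, messages) if reasons]


if __name__ == "__main__":
    for subject, reasons in scan(SAMPLE_MBOX):
        print(f"{subject!r}: {', '.join(reasons)}")
```

On the sample mailbox three of the four messages are flagged; the weekly digest is not, because its 16-digit order number fails the Luhn check. To run it against a real mailbox, feed it the raw messages from your client's export (an mbox file can be read with Python's mailbox module) and review the flagged subjects before deleting anything.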

HOW DO THEY CRACK YOUR PASSWORD?

Reader Rich Brozenec writes: I read your story about passwords. I have a question. Almost all my internet accounts (banks, Amazon, credit cards, etc.) have a limit on the number of password tries they allow [before timing out additional attempts]. Your story implies an infinite number of attempts using various combinations of letters and numbers, but is that really the case, or is there a way around these limits?

A little backstory on how passwords are cracked is in order. As some emailers and commenters have noted, "brute force" password cracking is probably not the most popular method by which passwords are broken. Social engineering, phishing, and other nefarious methods are actually much easier: All of these involve you willingly giving up your password to a malicious hacker through some form of misdirection and deceit. You may get a call from "your bank" with a problem on your account. Or you may get an email from "eBay" with a question about your listing... which takes you to a phony website.

The most secure password in the world won't protect you against hacking attempts like these. If you actually tell someone your password, you're out of luck.

The kind of password attacks I'm talking about when I write stories about password security and strength involve brute force attacks of various sorts. These attacks typically involve the theft of password records by various means. You read about them every day: Hackers compromise networks and abscond with user data. Or, more commonly, someone steals a laptop loaded with user records for some company or another. (User IDs are usually not encrypted and are linked directly to the hashed password.)

Most of the time, though, just having this user data doesn't mean your password is now in the hands of hackers (though if you read that a company you deal with has been victimized, you should always change your password as a matter of precaution). That's because most companies don't store the passwords themselves but one-way digests of them, called hashes. A hash is created by taking your password, applying a mathematical function to it, then storing the result of that function in the database instead of the actual password. When you log in to a website, the site runs that same math function against your password, then checks the database to see if the hashes match. If they do, you're in.

The reason hashes are secure is that they are not reversible. Say your password is daisy123; its hash may be 1b3c2c45d0a977b508f637097a94cbfb. (And in fact, it really is in one of the most common hash systems.) It's easy to go from daisy123 to the hash. Not so easy to go the other way. Thus, it's much safer to store the hash. Make sense so far?

So, what happens if a hacker knows the hash of your password? He tries out likely passwords to see if he can get a match. Hashing is cheap: ordinary hardware can try millions of candidate passwords per second against a fast hash like MD5, so he'll reach daisy123 in no time, since it is, as noted in a prior article, a quite insecure password. But if your password is long and doesn't follow the patterns crackers try, he's unlikely to reach it in any useful amount of time: having the hash is then nearly as useless as having no information about your password.

There are copious other methods for cracking passwords (and there are even online databases of hashes that make looking up common passwords child's play), but this is the most common way, especially when cracking passwords in bulk (when you have thousands or millions of hashes to look through). It shakes out pretty much the same way every time: If a thief absconds with 100,000 user records, a relatively simple brute force attack against those hashes using common cracking software will probably net 20,000 passwords he can use.
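To make the mechanics concrete, the Python below is an added example, not code from the article or from any real breach. It builds a constructed four-user table stored the way the article describes (unsalted MD5), recovers three of the four passwords with a tiny word list, and then shows the two storage changes that raise the attacker's bill: a per-user random salt, which forces every guess to be rehashed for every victim instead of looked up once, and a deliberately slow hash (PBKDF2 here), which makes each of those guesses expensive. The user names, passwords and word list are constructed.

```python
"""How stolen password hashes are attacked in bulk, and how storage choices
change the attacker's cost.  Added example; the user table and word list are
constructed, not taken from any real breach."""
import hashlib
import hmac
import itertools
import os

# Constructed sample users.  Two chose the same weak password; "dave" chose a long random one.
SAMPLE_USERS = {
    "alice": "daisy123",
    "bob": "letmein1",
    "carol": "daisy123",
    "dave": "xQ7#vb29Lp!e",
}
# Toy cracking lists; real ones hold millions of words and thousands of appendages.
WORDLIST = ["password", "123456", "letmein", "daisy123", "monkey", "qwerty", "dragon", "baseball"]
APPENDAGES = ["", "1", "123", "!"]


def candidates():
    """Every word with every appendage, in a fixed order: 32 guesses here."""
    for word, app in itertools.product(WORDLIST, APPENDAGES):
        yield word + app


def md5_hex(password):
    """Unsalted fast hash: the storage the article describes, and what not to use."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Per-user random salt prepended to the password before hashing."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + hashlib.sha256(salt + password.encode()).hexdigest()


def verify_salted(password, record):
    salt_hex, digest = record.split("$")
    guess = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(guess, digest)  # constant-time compare


def store_slow(password, salt=None, iterations=100_000):
    """Salted and deliberately slow: each guess costs the attacker 100,000 HMACs."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password, record):
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# The two "stolen" tables, as the thief would see them.
LEAKED_UNSALTED = {user: md5_hex(pw) for user, pw in SAMPLE_USERS.items()}
LEAKED_SALTED = {user: store_salted(pw) for user, pw in SAMPLE_USERS.items()}


def crack_unsalted(table):
    """Unsalted hashes fall together: hash each candidate once, then join the lookup
    table against every stolen row.  Online hash databases work the same way."""
    lookup = {}
    for cand in candidates():
        lookup[md5_hex(cand)] = cand
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(lookup)


def crack_salted(table):
    """With per-user salts the lookup table is useless: every candidate must be
    rehashed for every user, so the cost grows with the number of victims."""
    found, hashes_computed = {}, 0
    for user, record in table.items():
        for cand in candidates():
            hashes_computed += 1
            if verify_salted(cand, record):
                found[user] = cand
                break
    return found, hashes_computed


if __name__ == "__main__":
    for name, fn, table in (("unsalted MD5", crack_unsalted, LEAKED_UNSALTED),
                            ("salted SHA-256", crack_salted, LEAKED_SALTED)):
        found, work = fn(table)
        print(f"{name}: cracked {found} with {work} hash computations")
```

Note that the unsalted attack costs 32 hash computations no matter how many users leaked, while the salted attack costs up to 32 per user, and the slow variant multiplies each of those guesses by the iteration count. The long random password is never recovered from either table with this list; the only defence against a bigger list is a password that is not on it.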

PASSWORD MAKEOVER

Passwords are a hassle to make and remember, but they keep us all safe. And it doesn't really have to be a hassle: a strategic password plan can keep the bad guys out and keep you from forgetting your passwords.

START YOUR 30 MINUTE PASSWORD MAKEOVER

Commit to writing down all the websites or networks where you use a password. Only write down the name of the site, and your user name, NOT your passwords. A master list of passwords is an open invitation for someone to access your accounts: roommate, co-worker, burglar, kids.

SECURITY LEVELS: HIGH, MEDIUM, AND LOW

Once that list is done, divide the sites into three categories: High-Security, Medium-Security & Low-Security.

High-security logons should include anything associated with money or sensitive personal information: financial brokerages, online banking, PayPal, travel sites that store your credit card numbers, any site that has your social security number (school site, medical insurance site, tax site), and your work network.

Medium-security logons should include anything of a personal nature: your email accounts, your ISP account at home, your alumni network, instant messaging logons.

Low-security logons can consist of email groups, news sites that require a logon, or random sites that require you provide a password.

ASSIGN A PASSWORD TO EACH GROUP

To cover the requirements for all logons, make your passwords eight characters long and a combination of numbers, letters (including at least one uppercase letter), and a symbol, like an *, %, or #. One tip for creating a memorable password is to script it like a vanity license plate: Pr3t3nd$ (Pretends), W8ing4U2 (waiting for you two).

CHANGE YOUR PASSWORDS

Now go through your list of high-, medium-, and low-security sites and networks and change the passwords of your accounts. On your master list of accounts and user names, instead of writing the password next to the account, just indicate which security class it's in: high, medium, or low. You know those three passwords by heart (this is the challenge here, you have to memorize those three passwords).

WHERE TO USE YOUR PASSWORDS

Access your high-security passwords only from home or on trusted computers, never on a public computer that might contain a key-logger. Key-loggers are software programs that record every stroke typed on the computer including every user name and password you enter.

Use your medium-security passwords based on your own judgment. In an Eastern European Internet café? Not a good idea. In your university's computer lab? That's a better gamble.

Low-security passwords can be used on any public account; if someone gets access to your New York Times log-in? That's not a big deal.

HOW TO PICK A GENUINELY SECURE PASSWORD

When it comes to security, Bruce Schneier is a god among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet.

So when Bruce says here's how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I'll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.

First question: How are passwords cracked, anyway? Primarily through brute force "dictionary" attacks, where software tries to guess a password by running through a series of common phrases or words in various combinations. Sure, we know that "password" and "qwerty" are easy to crack, but password crackers have gotten much more sophisticated these days. Now, they check hundreds of these common "root" passwords (here's a list)... in combination with various "appendages," including all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also sub in common characters like "3" for "E" and other typical hacker-speak substitutions.

What's that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you're sadly mistaken. Any modern password cracker will suss it out in a matter of minutes.

Before you begin to despair, Schneier offers simple rules on how to create a password that cannot be easily cracked by such methods. (Mind you, given enough time, any password can be cracked, though. But this will make it much harder.)

The trick is to use a "root" that is not in that list that I linked above, and to put your "appendage" (or two of them) in an unusual place: Either in the middle of the root or at both the beginning and the end.

Schneier's example is to use a word that you can pronounce but which is spelled "wrong": armwar or pitchsure or baysball are all examples. Then attach your appendage(s): arm9!9war or 1066pitchsure6601 or bay1776sball. It shouldn't take much effort to commit any of these to memory.

Think putting a "1" on the end of "daisy" is going to stymie crackers intent on breaking your password? Turns out that with a reasonably up-to-date computer, a dedicated hacker should be able to break it, by brute force, in about an hour and a half.

Lockdown.co.uk has a handy document that shows just how secure your password really is, based on its length and the type of characters you use in it (all numbers, letters and numbers, uppercase/lowercase, special symbols, etc.).

Think about your most common passwords, then visit the site. You'll be most interested in the results for a "Class D" attack, which represents someone with a single, very fast PC. (Class E and Class F represent multiple PC attacks and aren't as likely to be involved with someone trying to break into your eBay account.)

As an example, the site notes that a password like "darren" would take all of 30 seconds to break. "Land3rz" would take 4 days. And "B33r&Mug" would take 23 whopping years.

Key to great security isn't just length, but adding in non-traditional characters, too: A great password should be eight characters long (or more), and include at least one number, one uppercase letter, and one special character like an ampersand. To make it easy on yourself, try using the same button on the keyboard in both lower- and uppercase versions. For example: "JjKkIi*8" requires you only hit four different keys (plus Shift), and they're all clustered in a tight group.