Archive for November 29, 2014

Good Passwords and Bad: Should it Matter?

Posted: November 29, 2014 by uszik11 in Financial vulnerabilities, First Steps, Password need-to-knows, Security Breach, Tips
Tags: , , , , ,

You might know and follow the general rules for creating a good password. Apparently, no one else does.

The “25 Worst Passwords” is an annual press release from SplashData, which sells password management tools. They also tap into the resources provided by similar security reporting firms. Those reports from recent news stories illustrate that most people seem to be really bad at inventing new passwords. Writing about the Adobe website breach of 2013 PC World revealed that ‘adobe123’ and ‘photoshop’ were very common choices. An article from the BBC cited security researcher Per Thorsheim. He pointed out that the color schemes of Twitter, Facebook, and Google, all lead people to include the word “blue” in their passwords.

As a result, more websites require you to use a Mix of Upper and Lower Case, and also to include $pecial C#aracters and Numb3rs. The password photoshop becames !Ph0t0$hop* and that should be more secure.

However, what really makes that more secure is not the mix of characters but the two additional symbols. The ! and * at the beginning and end turn a string of 9 characters into a string of 11. The basic arithmetic of computing says that the longer something is, the harder it is to guess. Your bank transfers money with cipher strings of 200 digits. We call them “computationally difficult” to crack.

“Black hat hackers” build special computers to attack passwords. One of those homebrew boxes broke every Windows-standard 8-character password in under 6 hours. A lesser machine revealed 90% of the passwords on LinkedIn. However, if you have an 11-character password those powerful crackers would need 515 years to work through all the possible combinations. And yet, long as they are “AmericanTheBeautiful” and “ToBeOrNotToBe” are known phrases.

Those networks of multiple game processors also grind through huge databases of words and proper names in English and their many variations. . Passages from the Bible, quotations from Shakespeare, and other cultural artifacts add to the databases.  Black hat hackers have mammoth dictionaries of known passwords. Those are compiled from the revelations of each successful attack.

Password Cracking Machine

Jeremi Gosney’s High Performance Computer. The rapidly-moving graphics of games are computationally intensive. So, the central processor and parallel processors of the Xbox, PlayStation, and others rely on co-processors designed for rapid arithmetic. That makes them perfect for running billions of guesses per second.

It is also true that some websites prevent you from using special characters. You might be instructed to keep your passwords to Upper and Lower Case Letters and the numerals 0 through 9. Restricted like that, all of the possible 11-character passwords can be broken in just 4 years. Turn the computer on; let it run day and night; it churns out passwords.

The reason why you sometimes are restricted from special characters is that the Dollar $ign and <Greater-than Less-than> and @some others# are common to programming systems and languages such as SQL (pronounced “sequel”) and Java. So, in place of the password, a hacker inserts a line of computer code to open up the website to their commands. Such SQL attacks are common.

BBC Cat 2

“If you have a cat, or any other type of pet, do not use its name as part of a password.” – BBC

That brings us to the corporations and organizations that allow your data to be stolen. SQL attacks are an old, known problem. But everyone is busy. And businesses cut costs by releasing employees. So, successful attacks are inevitable. The key to security is not just to put up barriers. Victims must act quickly, decisively, and effectively when those firewalls are breached. And they will be breached. It is not a matter of “if” but of “when.” For over 20 years, even the FBI has suffered periodic intrusions.   Rather than requiring you to have a ridiculously difficult password, the system administrators should just do their jobs.

But this is the Information Age. We all have computers, phones, pads, notebooks, and networks. That puts the burden back on you.

We give out our usernames and passwords all too easily. Spam Nation is new book by Brian Krebs. Formerly a technology writer for the Washington Post, Krebs more recently investigated two Russian “businessmen” who apparently controlled the world’s largest floods of spam email. They sold fake Viagra and fake vicodin, fake Gucci and fake Rolex. Millions of people bought them. From all indications, the crooks really did deliver the goods. In doing that, they acquired millions of usernames and passwords. And people are lazy.

If you have the same log-in credentials for illegal drugs that you do for your bank account, you have only yourself to blame when a drug dealer steals your money.

Brian Krebs writes a very readable blog.

Brian Krebs writes a very readable blog.

But the same breach could come through the garden club, the library charity, your school, or work. How many log-in accounts have you had since the Worldwide Web was launched in 1991? According to Brian Krebs, it is your responsibility to keep yourself safe by keeping your identities separate.

Even Wonder Woman, Superman, Batman, and Batgirl manage only two lives each, not twenty. You may need a password manager. PC Magazine, PC World, MacWorld, and InfoWorld all review and evaluate password managers. It is a start. Of course, if your home Wi-Fi network is open to the public, then you have a different problem, entirely.

RESOURCES