How to choose a password according to Microsoft

Written by John P Mello Jr on July 30, 2010 – 3:24 pm


Passwords are a necessary evil for system security, but they need not be as evil as some organizations require them to be. Even “trivial” passwords can be secure, if their system-wide use is policed.

That’s the conclusion a pair of Microsoft researchers and a Harvard computer science professor reached in a paper expected to be presented at the Hot Topics in Security workshop to be held in Washington, D.C. next month. The trio–Stuart Schechter, Cormac Herley and Prof. Michael Mitzenmacher–maintain that users can be allowed to adopt simple passwords as long as too many of them aren’t allowed to adopt the same password.

“We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want–so long as it’s not already too popular with other users,” they write in Popularity Is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks.
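The policy described above, as an added example that is not code from the paper or from Microsoft: a site counts how many users currently hold each password and refuses a new choice once that count reaches a limit. The counter here is a count-min sketch (my choice of data structure; the page only describes the policy), which keeps hash-indexed counters rather than a plain list of popular passwords, and never underestimates a count, so a popular password can never slip past the limit because of a collision. The threshold, sketch size and sample password choices are all assumptions.

```python
# Added example: a popularity oracle for user-chosen passwords, in the spirit of
# "allow any password, so long as it is not already too popular".
import hashlib
from typing import Dict, List, Optional, Tuple


class CountMinSketch:
    """Approximate frequency counter; estimates are >= the true count."""

    def __init__(self, width: int = 1 << 16, depth: int = 4):
        self.width = width
        self.depth = depth
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, item: str):
        # One independent hash per row, derived by salting with the row index.
        for row in range(self.depth):
            digest = hashlib.sha256(f"{row}:{item}".encode("utf-8")).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def add(self, item: str) -> None:
        for row, col in self._cells(item):
            self.table[row][col] += 1

    def estimate(self, item: str) -> int:
        # The minimum over rows bounds the overestimate caused by collisions.
        return min(self.table[row][col] for row, col in self._cells(item))


class PopularityPolicy:
    """Reject a password once `limit` users already hold it (assumed threshold)."""

    def __init__(self, limit: int, sketch: Optional[CountMinSketch] = None):
        self.limit = limit
        self.sketch = sketch or CountMinSketch()

    def is_allowed(self, password: str) -> bool:
        return self.sketch.estimate(password) < self.limit

    def register(self, password: str) -> bool:
        """Record a successful choice; returns False if the password is too popular."""
        if not self.is_allowed(password):
            return False
        self.sketch.add(password)
        return True


def simulate(choices: List[str], limit: int) -> Tuple[Dict[str, int], PopularityPolicy]:
    """Feed a sequence of user choices through the policy and tally the outcome."""
    policy = PopularityPolicy(limit)
    tally = {"accepted": 0, "rejected": 0}
    for pw in choices:
        tally["accepted" if policy.register(pw) else "rejected"] += 1
    return tally, policy


# Constructed sample of sign-up choices (not real data): a weak password chosen
# by many users, a second one at the limit, and one unique passphrase.
SAMPLE_CHOICES = ["123456"] * 5 + ["password"] * 3 + ["correct horse battery"]

if __name__ == "__main__":
    outcome, policy = simulate(SAMPLE_CHOICES, limit=3)
    print(outcome)                                   # {'accepted': 7, 'rejected': 2}
    print(policy.is_allowed("123456"))               # False: already held by 3 users
    print(policy.is_allowed("correct horse battery"))  # True
```

With a limit of 3, the first three users who pick “123456” are accepted and the next two are told to choose something else; the unique passphrase passes regardless of how “trivial” a rule-based checker would consider it. In production the limit would be set so that the share of accounts behind any one password stays below the attacker’s per-account guess budget.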

One reason organizations impose password creation rules is to protect their users from brute force “dictionary” attacks. If a password can be found in a dictionary, then sooner or later a hacker will crack it. Passwords made up of non-words can foil such attacks. Passwords made up of hellacious combinations of upper- and lowercase letters, numbers and symbols are better yet. The problem for users, though, is that, for most of them, the most secure passwords are the hardest to remember.

Rather than modify user behavior–which is to damn security and choose as simple a password as possible–security pros often deploy a “three strikes and you’re out” lockout system to foil password horde attacks by hackers. With that system, if a password is entered incorrectly three times, the person attempting to log in to the account is locked out of it for a brief period of time. Crackers, who are great students of human behavior, quickly figured out a workaround to lockout schemes. The workaround has to do with how users choose passwords.


Act like a hacker with WPA Cracker

Written by John P Mello Jr on January 13, 2010 – 4:50 pm

Does the security of your company’s WiFi networks keep you awake at night? Would you like to test the strength of the passwords to that network but can’t afford to tie up a computer for days or weeks to do it? Then a new service called WPA Cracker might be for you.

The recently launched pay-as-you-go service is aimed at “penetration testers.” It links some 400 computers in “the cloud” to accomplish in minutes what would take days or weeks for a single desktop or laptop.

Designed to crack WPA or WPA2 passwords when PSK is used, the service uses massive compilations of words to mount dictionary attacks on a wireless network. It will also crack passwords to zip archives.

The main dictionary used by the service contains 135 million English password possibilities tailored to networks protected by WPA or WPA2. In addition, there’s a 284 million word extended dictionary and a 100 million digit dictionary. The extended dictionary is not a superset of the standard dictionary. That is, words in the extended dictionary are not found in the standard one. The digit dictionary contains permutations of passwords composed of eight-character-long numbers. Each dictionary can be run against a network separately or in aggregate as a mammoth 520 million password resource. A German dictionary is also offered by the service.


Physical protection of passwords and sensitive information

Written by Dan Blacharski on November 5, 2009 – 11:53 am

IT departments often take the time to be proactive (at least if they’re doing their jobs), and educate staff about using complex passwords, changing passwords frequently, avoiding phishing by not clicking on unknown email links and attachments, and all the other standard protections we know to take. But we sometimes forget that amidst all the technical precautions, we must also take physical precautions.

Passwords, PINs, and other sensitive information often come in printed form before we commit them to memory. It may be in the form of a letter from a bank or a memo from the IT department, or it may even be a password that we wrote down on a piece of paper and stuck in a drawer. What happens to this paper? More often than not, it gets tossed into the waste bin, where it can be easily picked through by an opportunistic identity thief.


Password theft is big business

Written by Dan Blacharski on September 16, 2009 – 2:20 pm

If you still think your web-based email account is safe enough to use for business (or anything else for that matter), take a look at an article in last week’s Washington Post. The story details an account of the “other woman” who engaged the services of a cracker web site called YourHackerz.com to break into her boyfriend’s email and her boyfriend’s wife’s email.

The service is able to quickly deliver a password to a customer, for a surprisingly small fee. And YourHackerz.com isn’t the only one of its kind; there are dozens of similar services on the Internet that advertise their dark services freely. For a hundred bucks, they promise to “crack all major web based emails”, including Yahoo!, Hotmail, AOL and Gmail. The service even provides proof of cracking before payment. How’s that for good marketing?

Although the cracker service bureau doesn’t specify their techniques, the Washington Post article speculates that they use a Trojan horse technique, which sends the victim an email with a link to a greeting card or some other innocuous-looking item, which when downloaded, launches a keystroke grabber that captures passwords and then sends them back to the host. It’s quite likely that these types of services use a combination of techniques.

The first thing to do to protect yourself is to realize that yes, there are people who want to read your email. Probably more than you think. And it’s very easy for those people to get access, for a small fee, from one of these cracker services within just two or three days. We all tend to think we’re immune. We think nobody can break in, and what’s worse, we think nobody wants to. Unfortunately, it happens all the time, and when we least expect it. Spying, espionage, and just plain snooping happens every day, both in business and in social life. It may be to steal our bank accounts, or it may just be to gather corporate secrets or personal information. If you think your spouse is cheating on you, how far would you go to confirm it?

Regardless of what motivations people may have to crack your email password, there are things that you can do to protect yourself. First and foremost, don’t use free webmail accounts. These are the easiest to crack by far (as Sarah Palin found out). Next, use complex passwords. This can actually only go so far as a means of protection though—if the cracker has a keystroke grabber, no matter how complex your password is, it can be stolen. Use encrypted email for sensitive messages, and connect to your login screen using a secure session.


Should password masking stand?

Written by Dan Blacharski on July 6, 2009 – 3:02 pm

There’s been some debate in the blogosphere this past week about password masking, ever since blogger and web usability guru Jakob Nielsen suggested that passwords be shown in clear text as opposed to just a series of bullets as they are typed in by the user. Nielsen, the leading expert in web site usability, claims that password masking violates the basic principle of usability.

And Dr. Nielsen has a point. It’s often happened to me–I’m typing in a password. I get interrupted for a moment, and wonder whether I typed in the right character. I look at the screen, but since there is nothing there but a row of bullets, I can’t tell. Typing passwords into smartphones and other mobile devices is especially vexing, since most people’s fingers just aren’t meant for typing on tiny keyboards, and typos are common. And if your admin has done his/her job right, if you make three typos in a row, you’ll get locked out. Having clear-text feedback in the password box would eliminate a lot of these problems and make for easier login.

A SANS response to Dr. Nielsen brings out a few concerns, while acknowledging the usability issue. The SANS response still brings up the objection of shoulder-surfing or even accidental observation, along with the potential problem of autocomplete web forms prefilling passwords along with other information. There may also be some compliance issues.

From a security perspective, eliminating password masking should be approached with caution, but the real security comes in increased password difficulty, and in encryption, not in the masking itself. SANS recommends going further and implementing two-factor authentication, which both increases security and improves usability. The two-factor approach eliminates the need to memorize passwords, which overcomes a lot of objections; and further serves to eliminate the scenario of shoulder-surfing. That is, even if someone looks over your shoulder and sees your password in clear text, it’s useless to them, since the two-factor system generates a new password for every use.


Microsoft study shows ‘secret question’ password recovery is weak

Written by Dan Blacharski on July 1, 2009 – 2:48 pm

During the US Presidential election, when Sarah Palin’s Yahoo! email account got hacked, two things became apparent: First, don’t use free public email accounts for business, and second, be careful of the “secret question” password recovery tool. The latter allowed the hacker to gain access to Gov. Palin’s account.

Microsoft released a report this week highlighting just how vulnerable the secret question gambit really is. Sure, password resets take up time, but letting end-users retrieve them on their own this way is just a bad idea. Microsoft’s study, which was reported on in the New Scientist, showed that the secret question is often easily guessed. The study looked at webmail users’ acquaintances, and asked them to try to guess the secret question of the webmail user’s account. The acquaintances guessed right about 20 percent of the time.

But you don’t have to know the person to make a good guess. Social networking sites are typically full of personal tidbits of information. What’s your dog’s name? Chances are, if you’re a dog lover, you’ve posted a few pictures of your pooch here and there, and have mentioned the lovable mutt’s name a couple times on your blog, Twitter, or social networking page. It’s easy to find. What was the name of your high school? That’s an easy one to discover. Ever hear of Classmates.com?

The Microsoft study recommends an alternative to the secret question, which involves a user selecting multiple individuals to act as trustees; if the user gets locked out, they ask the trustees to download a recovery code. The user collects the recovery codes, and then can gain access to the account. 


Raising the Security Wall Higher

Written by Carl E. Reid on March 5, 2009 – 5:30 pm

No matter how email users may complain, friendly reminders regarding email security protecting company information assets are part of the ongoing education process. Email users quickly forget that the company owns the information within each email account. The email system is owned by the company, not the email user. This also implies that it’s up to each person to ensure that their email account is always secure. People lazily create passwords that are familiar and easy to hack.

Email administrators are the gatekeepers who ensure email accounts are kept secure. Sometimes this requires setting up secure procedures, which appear to be an inconvenience to the end user community. So forcing 8-character passwords instead of 6-character passwords can make all the difference. The inconvenience is minimal compared to thwarting password dictionary attacks or brute force attacks.

Raising the security wall also calls for insisting people use pass phrases, rather than passwords. Choosing a simple password typically makes a dictionary attack easier for the account hacker. People take the path of least resistance by selecting names of pets, kids, spouses, birthdays, house address or basically something that ends up being an extremely poor password choice.


Hacked web site shows password vulnerability

Written by Dan Blacharski on February 17, 2009 – 12:27 am

An unrepentant, arrogant loser with too much time on his hands hacked into the Phpbb.com web site, published thousands of user passwords, and then took the time to boast about it online. The script kiddie justifies his actions by noting that he did not alter any files on the server, and that he did what he did out of boredom. His excuses are lame, but we won’t dwell on that. What’s newsworthy is that the passwords he stole and subsequently published were so simple. Loser that he may be, we still owe him a debt of gratitude for showing us this. Yes, it seems there are still people out there who use “123456” as a password.

After the attack, security expert Robert Graham, writing on Dark Reading, took the time to look at the list of published passwords and analyze them looking for patterns, and he came up with what he calls “interesting” results. “Startling” might be a more appropriate adjective.

First of all, the passwords on the site were allowed to be very simple, not even requiring both numbers and letters. According to Graham’s analysis, there was a 65 percent match running the passwords through a standard dictionary file, and a 94 percent match for hacker dictionaries. According to his results, 16 percent of the passwords matched a person’s first name, 14 percent were keyboard patterns, 4 percent were variations of the word “password”, 5 percent had pop-culture references, 4 percent referenced nearby things, 3 percent were emo words, 3 percent were “don’t care” words, 1.3 percent were passwords seen on television or in the movies, and 1 percent were sports related. The most popular password was “123456”, with 3.03 percent of users choosing this one. 2.13 percent chose the word “password” as their password.
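The kind of pattern analysis described above, as an added example that is neither Graham’s script nor anything from the phpBB incident: a small audit that buckets each password in a dump into the categories the post names (keyboard pattern, variant of “password”, first name, dictionary word) and reports the share of each, plus the most popular choices. The password list and the tiny word lists standing in for real dictionaries are constructed here for illustration; a real audit would load full name and dictionary files. This is the sort of check an administrator would run on their own hashed-then-cracked or policy-test corpus to see whether a complexity or popularity rule is actually needed.

```python
# Added example: classify passwords from a (constructed) dump by the patterns
# named in the post and report the percentage falling into each bucket.
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Stand-in word lists (assumptions; real audits use full dictionary files).
FIRST_NAMES = {"michael", "jessica", "daniel", "sarah"}
DICTIONARY = {"dragon", "monkey", "letmein", "sunshine", "master"} | FIRST_NAMES
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed sample dump, NOT the phpBB data: 20 entries with a few repeats.
SAMPLE_DUMP = (
    ["123456"] * 4 + ["password"] * 2 + ["qwerty"] * 2 +
    ["michael", "jessica", "dragon", "letmein", "monkey", "Passw0rd",
     "sunshine", "abc123", "daniel", "master", "asdfgh", "xK9#v2Lq"]
)


def is_keyboard_pattern(pw: str) -> bool:
    """True if the password is a run of 4+ adjacent keys along one keyboard row."""
    s = pw.lower()
    if len(s) < 4:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def classify(pw: str) -> str:
    """Assign a password to the first matching bucket; order matters."""
    s = pw.lower()
    if re.fullmatch(r"(pass|p@ss)\w*", s):      # password, passw0rd, p@ssword1 ...
        return "password-variant"
    if is_keyboard_pattern(s):
        return "keyboard-pattern"
    if s in FIRST_NAMES:
        return "first-name"
    if s in DICTIONARY:
        return "dictionary-word"
    return "other"


def audit(passwords: Iterable[str]) -> Dict[str, float]:
    """Percentage of the dump in each bucket, rounded to two decimals."""
    pw_list = list(passwords)
    counts = Counter(classify(p) for p in pw_list)
    total = len(pw_list)
    return {bucket: round(100.0 * n / total, 2) for bucket, n in counts.items()}


def most_common(passwords: Iterable[str], n: int = 3) -> List[Tuple[str, int]]:
    """The n most frequently chosen passwords and how many users picked each."""
    return Counter(passwords).most_common(n)


if __name__ == "__main__":
    for bucket, pct in sorted(audit(SAMPLE_DUMP).items(), key=lambda kv: -kv[1]):
        print(f"{bucket:18s} {pct:6.2f}%")
    print(most_common(SAMPLE_DUMP))
```

On the constructed dump the keyboard-pattern bucket dominates (35 percent) and “123456” is the most common choice, which mirrors the shape, though not the numbers, of the phpBB findings. Because `classify` returns the first matching bucket, a string like “123456” is counted once as a keyboard pattern rather than double-counted as both a pattern and a popular password; the popularity view comes separately from `most_common`.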


Are you giving away your password?

Written by Dan Blacharski on February 2, 2009 – 3:28 pm

We still wonder how people managed to hack into our email accounts–but a recent survey gives us the answer. Is your email password “Spot”? How about “Rover”? Oh, you’re a cat lover? Okay, then I guess “Fluffy.”

According to a survey on the people search website www.yasni.co.uk, 83 percent of British users responding to the survey use their dog’s name, or their own date of birth or maiden name as a password on private email accounts, or even worse, to log onto online banking.

What’s even more surprising is that only 37 percent said they were aware that disclosing this type of information online could be dangerous. Just browse through Facebook or MySpace–see how many phone numbers you find. Way too many. Some people even go so far as to put their personal street addresses. Social networking pages are a treasure trove of personal information, much of which can be used to guess passwords. And so, we add another rule to the password Bible: Never use as a password anything that can be found on your MySpace page. Sixty percent never considered the dangers of putting this information online, and so it’s time to send out the memo and let everybody in the company know.

Although social networking sites typically have the ability to let people change profiles to a “private” setting, the “public” setting is the default, and many users won’t bother changing it, or don’t realize that they can. The danger is clear: Social networking profiles may be mistakenly left public, and hackers can mine those profiles for information for password guessing.
