Category: Security

I use strong passwords 1 u53 $4r0ng-p@5sw0rd$

Secure password management

What is your password? How many passwords do you have? Are you worried about password theft? Is your password safe and secure, or are you at risk? Do you use different passwords for each application, or the same password for everything? Can you remember your passwords, or do you write them down somewhere? How complicated is your password? Could someone easily guess it or crack it? How can you improve the situation and use a better password management system to simplify your life and enhance your password security?

Most people today have a problem with passwords. Simply put, there are too many of them. A password for your computer at home, another at work. Passwords for your mobile, your email, blogs, forums, Facebook. Then there are more passwords for your credit card, bank account, PayPal account and so on. We have so many that it is sometimes a wonder that we can remember them all. Or do you, like me, forget them sometimes? Do you just reuse the same password for everything so you can’t forget it? Maybe, to help you remember it, you write your password down somewhere. You might not think that this is much of a problem, but it is. If you do some of the things above, then you are prone to becoming a victim of hackers.

So what? You may be asking: who’s going to hack my email, and what benefit could they possibly gain from it? Does it really matter if I get hacked? Well, it is true that hackers aren’t interested in reading your email to your aunt. However, your email is a stepping stone that lets them into other things. They could use your account to send spam. They could get your passwords for other services and websites, for example through password-reset emails. The hacker could also use your accounts to hack other, more important people. There are a load of bad things that these hackers can do with your accounts that you are not even aware of, so you shouldn’t make it easy for them. Especially when securing passwords is relatively easy to do.

What can you do to secure your passwords? Well, there are a few things that you can do, and you probably already know most of them, but I’m guessing you don’t bother doing them because you don’t understand the benefit they bring and doing things the way you do now is easy. Well, it’s time for a change. Let us start by explaining why you have to do all this security stuff and what the benefits are. To understand it all properly, you have to know how you could be compromised. If you know the hack, you’ll get why you do what you do to prevent that hack.

So this blog post will go over some of the methods (not all of them) that could be used to compromise your password. For each one it will then give some suggestions as to what you should do to prevent that attack and keep your passwords secure.

Over the shoulder attack

Problem: The simplest form of attack possible. Someone watches you as you key in your password and remembers it. We can also include here people looking at the post-it note you left on your desk with your password written on it.

Solution: Make sure people aren’t watching you when you enter a password. Also never write down your password in plain form anywhere.

Key loggers

Problem: Some malware or rootkit that got installed on your system without you knowing logs every key that you press, and thus records your passwords and reports them back to the hacker. Some people purposely install keyloggers on their computers to record other users, e.g. in an internet cafe, or where you have a boss who wants to snoop on your work progress.

Solution: There is a two-part solution here. On your own computers, ensure that you have up-to-date anti-virus and anti-malware software plus a firewall to keep your system clean. On other people’s computers, especially public computers, refrain from entering sensitive information such as passwords. You don’t know who has installed what on that machine.

Man in the middle (MITM)

Problem: How secure is the connection between you and the server for the website or service? Is someone listening in and recording everything you send? This is a particular problem on wireless networks, especially public wireless networks such as those in libraries and hotels.

Solution: If you have a wireless network, secure it with a password to keep it private. If you are using a public wireless network, think twice about entering passwords and other sensitive information. When logging into a website, always try to use secure HTTPS rather than regular HTTP. This encrypts your information in transit and can foil some man-in-the-middle attacks. There are browser add-ons that assist in this, such as HTTPS Everywhere and HTTPS Finder, or Secure Sites for Chrome.

A man-in-the-middle attack is still possible with HTTPS and SSL if the attacker spoofs the site with his own fake “secure” server. Such an attack would show up because the certificate wouldn’t match the website. However, very few people check the certificate names. When using a secure site, you should look at the top left of the screen, next to the address bar. There will be a green box if the site is secured. Clicking on that box will give you more information about the certificate.

Secure Storage

Problem: Passwords are difficult to remember, so people often write them down. Bad idea. Worse, people write the password in a text file on their own computer, where any hacker can easily find it. On the server side of things, passwords need to be stored so that you can be validated against them. Such passwords should be protected by encryption or hashing, but some server admins and programmers neglect this and store passwords in plain text, where anyone could read them.

User Solution: If you can, try to keep passwords in your head. The problem is that people today have too many passwords to keep them all in their head. So we need a secure storage system: a password manager. There are many such systems on the market. Two that I have used are Keepass and Lastpass. Keepass has the advantage that it lives on your desktop computer (and other devices) and is not dependent on a connection to the internet. Lastpass has the advantage of being built into your favourite web browser, where you use passwords most, and of being highly portable: as it’s online, you can access it anywhere. When using a password manager, it is very important to set a master password to secure and encrypt the storage.

Why not use the password manager that is built into the web browser, e.g. “Do you want Firefox to remember this password? Yes/No”? Well, by default these password managers do not have a master password, and so by default they are insecure. Firefox and Opera users can change this setting to use a master password and encrypt the stored password information. Chrome users cannot do this, so Chrome’s password manager is not secure. In addition, web browsers’ own password managers lack some functions, such as being able to back up the password file.

Developer Solution: If you are writing an application that needs to store passwords, you should not store the password in plain text. Instead, you should store a hash of the password. Currently, the best recommendation is to use Bcrypt, which is based on the Blowfish cipher. You can use libraries such as PHPass to integrate these hash systems into your application.

Rainbow tables

Problem: If someone gets hold of your file or database of stored passwords, either from your password manager or from your application’s database, then they can try to reverse the encryption or hashing and recover your passwords. Rather than using a brute force attack and trying every possible password, hashing it and testing – a long, slow process that can take days, months or years – they can use rainbow tables. A rainbow table is a database of possible passwords and their pre-computed hash values. The hacker can simply search for the stolen hash value in the rainbow table and read out the password almost instantly.

User Solution: Use a secure password manager, such as those discussed above, along with a master password to encrypt the password data securely. Avoid any password manager that uses a simple encryption system or plain text to store your passwords.

Developer Solution: Include a random “salt” in your hashing process. A salt is a string of random data that is added to and hashed together with the password, using a different salt for each user. The intention is that two hashes of the same password should not match, so a rainbow table will not find any matches. The salt can be safely stored as plain text in the database alongside the hash. Even if the attacker had both the hash and the salt value, he would be unable to use a pre-computed rainbow table and would instead have to resort to brute force against each hash individually.

Brute Force Attacks

Problem: This attack is what everyone thinks hackers do. Simply guess your password thousands of times until they find the one that works. Since there are a lot of possible passwords, it takes a long time to work through all of them. To speed things up, attackers will use a dictionary of common passwords to try first. Did you know that about 2% of people use “password1” as their password? Many other people have an equally simple-to-guess, commonly used password. The attacker will try all of these first before going on to more random possibilities. If you use a simple, common, easy-to-guess password, then you are prone to this kind of attack.

User Solution: Use longer and more complex passwords that are not based on normal words or names. The longer and more complex, the better. Mix in some capital letters, numbers and some punctuation symbols like %, *, @ and & to make it even harder to crack. Of course, this has the problem of making the password harder to remember as well. To fix that you can use a password manager, as discussed above, but even then you need to remember a secure master password. To remember this password, I and other security experts suggest using a passphrase or a mnemonic. For example, you could use the password “J&WgmiSJCoM24th”, which is secure and complex but easy to remember because it comes from the phrase “John and Wendy got married in St. James Church on May 24th.” Contracting a phrase like this is a simple way to make a memorable yet secure, long password.

Developer Solution: There are several things a developer can do to help secure his website or application against brute force attacks. The first is to ensure that your users do not use simple passwords. Insist that they use complex and long passwords. Also keep a blacklist of common and easy-to-crack passwords and forbid users from selecting them.

The second thing to do is to slow down the hashing process. The longer it takes to create and check the hash of a password, the slower the attack will be. Popular but dated hashes such as MD5 and SHA-1 are too fast: they take just microseconds to compute, so an attacker can try many, many password combinations in a very short time. Using a hash such as Bcrypt with a high work factor is deliberately slow and thus takes far longer to crack. Spending as much as half a second on the hashing will cause little inconvenience to your users but greatly inconvenience the attacker.

It used to be the case that cracking an alphanumeric password with a length of 8 characters secured as an MD5 or SHA-1 hash was difficult. It took months or even years and so could be considered secure. Today your desktop PC could probably do the 218 trillion combinations in about 5 days. If you rent some compute nodes from Amazon, it could be done in just 1 hour. Using Bitcoin’s distributed computing network would be even faster: it can calculate SHA-256 at a rate of 11 * 10^12 hashes/s or more, so the 8-character alphanumeric password would be cracked in just a few tens of seconds.

By switching from MD5 and SHA-1 to Bcrypt and adding a suitable work factor, you would shift the balance much more in your favour, slowing down the hashing by 1000 times or more. A desktop PC might then take 12 years to crack the password. Amazon’s services would take up to 40 days, and even Bitcoin would be slowed to over a day. Enough to make the attacker go elsewhere. Additionally, Bcrypt allows you to increase the work factor as time goes by, making the hashing slower as computers get even faster.
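The salt and work-factor advice from the two Developer Solutions above, as an added example that is not code from the original post. Bcrypt itself is not in Python’s standard library, so this uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in; the record format, the `DEFAULT_COST` value and the function names are my own choices, and the cost is doubled per step to mimic Bcrypt’s 2^cost rounds.

```python
"""Salted, deliberately slow password hashing with an adjustable work factor."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters (not from the article): 2**14 PBKDF2 iterations is a
# starting point; raise DEFAULT_COST as hardware gets faster, as with bcrypt.
DEFAULT_COST = 14
SALT_BYTES = 16


def hash_password(password: str, cost: int = DEFAULT_COST,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2$cost$salthex$hashhex'.

    A fresh random salt per password means two users with the same password
    get different records, so a pre-computed rainbow table finds nothing.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)
    return f"pbkdf2${cost}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    scheme, cost_str, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), 2 ** int(cost_str))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record: str, current_cost: int = DEFAULT_COST) -> bool:
    """True if the record was made with a lower cost than we now require,
    so it should be re-hashed at the user's next successful login."""
    return int(record.split("$")[1]) < current_cost


def seconds_per_hash(cost: int, password: str = "password1") -> float:
    """Time one hash at this cost: the attacker pays this per guess."""
    start = time.perf_counter()
    hash_password(password, cost=cost)
    return time.perf_counter() - start


if __name__ == "__main__":
    a, b = hash_password("password1"), hash_password("password1")
    print("same password, different records:", a != b)
    print("verify correct:", verify_password("password1", a))
    print("verify wrong:", verify_password("password2", a))
    for cost in (10, 12, 14):
        print(f"cost {cost}: {seconds_per_hash(cost):.4f} s per guess")
```

Each step of `cost` doubles the time per guess, which is the same lever Bcrypt’s work factor gives you.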

The third thing a developer should do to prevent brute force attacks is to monitor password failures. If a user fails to log in a certain number of times, an alert should be sent to the admin so he can monitor the problem. After a few more failures you may opt to take one of several measures to halt an attack. The least drastic of these is to ask for an additional step, such as completing a CAPTCHA. If the problem persists further, you might consider blocking the user’s account or IP address. However, that has its own security risks, such as a Denial of Service (DoS) attack where the hacker deliberately fails logins against many accounts or from many IP addresses, forcing groups of users to be locked out and thus preventing legitimate people from using your site.
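The escalating alert / CAPTCHA / block scheme from the paragraph above, as an added example that is not code from the original post. The thresholds, the 15-minute window and the class name are my own assumptions; the window is what keeps a block temporary, which limits the lockout damage an attacker can do by deliberately failing logins.

```python
"""Failed-login monitoring with escalating responses: alert, CAPTCHA, block."""
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not values from the article).
ALERT_AFTER = 5            # notify the admin at this many recent failures
CAPTCHA_AFTER = 8          # require an extra step before further attempts
BLOCK_AFTER = 20           # temporarily refuse the account or source IP
WINDOW_SECONDS = 15 * 60   # only failures inside this window count


class LoginGuard:
    """Counts recent failures per account and per source IP and picks a response."""

    def __init__(self, clock):
        self._clock = clock                   # callable returning seconds (injectable for tests)
        self._failures = defaultdict(deque)   # ("account", name) / ("ip", addr) -> timestamps
        self.alerts = []                      # messages that would go to the admin

    def _recent(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def record_failure(self, account, ip):
        now = self._clock()
        for key in (("account", account), ("ip", ip)):
            self._failures[key].append(now)
        # Alert exactly once, when the account crosses the threshold.
        if self._recent(("account", account), now) == ALERT_AFTER:
            self.alerts.append(f"{ALERT_AFTER} failed logins for {account} (last from {ip})")

    def record_success(self, account):
        """A successful login clears the account counter (the IP counter stays)."""
        self._failures.pop(("account", account), None)

    def action(self, account, ip):
        """Return 'allow', 'captcha' or 'block' for the next attempt."""
        now = self._clock()
        count = max(self._recent(("account", account), now),
                    self._recent(("ip", ip), now))
        if count >= BLOCK_AFTER:
            return "block"
        if count >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"
```

Because the block expires with the window, an attacker hammering many accounts causes a temporary nuisance rather than a permanent lockout of legitimate users.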

Conclusion

So I hope you found this article useful in helping you to secure your passwords. Questions and comments can be left below. If I have missed anything, do mention it and I will add it to this list.

XKCD password strength

A mobile phone displaying a map with various adverts popping out of the locations.

Advertisers snooping? Stop the tracking cookies

Ever had the feeling that you are being watched? You visit Amazon and look at iPhone headphones, then jump over to YouTube and watch a video, but the adverts are suddenly all for iPhone headphones. You go to check your Gmail, and there are more adverts for headphones. Then you pop by Facebook, and more adverts for headphones. No matter where you go, those iPhone headphones just keep following you. Truly, you are being watched. Many internet marketing companies track every page you visit and every purchase you make, using tracking cookies. They know a huge amount about you, and they use that to sell you things.

Understandably, many people worry about these tracking cookies and their adverts. The EU made a law requiring websites to inform you about the cookies and seek your permission to use them. This resulted in a mass of pop-ups telling you that “this site uses cookies”, which you probably just ignore – but should you? Should we just accept this snooping into our online lives, and is there really anything you can do to stop them tracking you?

Well, in fact, you can opt out of these ad tracking cookie systems. You’ll still see ads and these firms will still make money, but you won’t have the feeling that someone is watching you. It isn’t perfect. The opt-outs usually also use cookies to record that status, so if you clear your cookies, use another machine, or re-install your system, then you will need to repeat the opt-out process. Also, the companies don’t really want you to opt out, so they have gone out of their way to make you go out of your way if you actually want to opt out. There’s no single off switch; you have to run around a huge number of sites, clicking opt out on each of them.

Is it worth it? Well, I opted out about a year ago, and I like it. I still see ads, but they are different ads. The ads are often less relevant to me than they were before, but that is kind of the idea here.

Why not just use an ad blocker plugin? Well, they are far from perfect. For a start, many publishers simply block their content if they detect an ad blocker. Furthermore, the ongoing tit-for-tat between the advertisers and the blockers means that a blocker might not always stop the tracking even if it blocks the display of the ad. Finally, this method of opting out works within the advertiser’s own system, and they are required by law in many countries to honour it, so you can be moderately sure that they won’t circumvent it.

For Google, go to https://www.google.com/settings/u/0/ads/authenticated
Make sure to turn off all three settings: the signed-in “Ads based on your interests”, and on the next page the signed-out “Ads based on your interests” and “Google Search Ads based on your interests”.

Google also uses the DoubleClick cookie, and opting out of that requires you to download Google’s plugin from https://www.google.com/settings/u/0/ads/plugin

You might also want to review your Google search history and delete that too. Yes, they have everything you have ever searched for on file, and you can view it at https://myactivity.google.com/myactivity and also at:
https://myaccount.google.com/activitycontrols
https://plus.google.com/settings/endorsements
https://plus.google.com/settings
https://myaccount.google.com/locationsharing

For the Yahoo! group of advertisers there are several places you need to go:
https://aim.yahoo.com/aim/us/en/optout/index.htm?b=oo
https://dev.flurry.com/secure/optOut.do
http://optout.btrll.com/opt_out_cookie
https://search.yahoo.com/history

The Network Advertising Initiative has an opt-out page covering many smaller ad companies. Facebook is one of the firms listed, so you can opt out of Facebook’s tracker here. Their site doesn’t work too well: you have to click the “choose all companies” opt-out button several times, as it only opted me out of 5 or 6 of the 110 companies each time: http://www.networkadvertising.org/choices

The Digital Advertising Alliance (DAA) also has the same tool and lets you opt out of many ad providers: http://youradchoices.com/

To opt out of Amazon tracking, you can use the DAA link above or go to https://www.amazon.com/adprefs

For Microsoft (Bing), you should head over to https://choice.microsoft.com/en-GB/opt-out
Also if you have Windows 10:
– Click or tap the Start button.
– Click or tap Settings.
– Click or tap Privacy and then turn off “Let apps use my advertising ID for experiences across apps”.

Just like Google, Bing also stores all your search history. Unlike Google, they don’t make you re-enter your password to view it. So if your boyfriend leaves his laptop open while he is on the toilet, you can just have a gander at how he searched for “Brazilian fart porn” at 22:43 on Sept 12, 2016. https://www.bing.com/profile/history