Archive for the ‘Passwords’ Category

During a recent password audit, a company found that one employee was using the following password:


When asked why she had such a long password, she rolled her eyes and said: “Hello! It has to be at least 8 characters long and include at least one capital.”

Sounds like a pretty good password to me.

How many different passwords do you have? Add up all the ones on your work computer, your bank account, 401(k), personal email account, amazon, google, ebay, twitter, facebook, linkedin, wikipedia, professional organizations, other shopping sites… The list goes on and on.

Each password has to be strong enough to protect the information behind it. Of course, knowing that we are all basically lazy (and that they will be held responsible if the account is hacked), the companies hosting these services require “strong” passwords – numbers, punctuation, no reuse of old passwords, etc. And without universal standards, we end up with a hodge-podge of passwords that are impossible to keep straight.

One answer is a “password management” program, often built right into your web browser. These programs remember your logins and passwords for you and automatically fill them in as soon as you go to the page. There are several problems with them, though.

  1. When your computer gets stolen, you lose all your passwords, and unless the store is encrypted under a master password, whoever has the machine can read every one of them.
  2. If the password manager gets hacked, you again lose everything all at once.
  3. The passwords are only available while you’re working on that one computer. You’re out of luck if you need to check your account from your mother-in-law’s.
  4. And, of course, these don’t do anything for the passwords you need to track that aren’t associated with web pages.

A perhaps-better answer is single sign-on. In this model, you create one account with a widely accepted and trusted identity provider, which then vouches for you to the merchants. OpenID is probably the best known standard, accepted by about 9 million websites, with Google and Yahoo among the providers. This still leaves all your eggs in one basket, but at least the basket is not in your easily-stealable laptop. On the other hand, the basket is now the provider: if your provider account is compromised, or you are tricked into typing its password into a look-alike login page, the thief can sign in to every site that trusts that provider. I’d trust their service for accounts I don’t care much about (google, email, shopping sites, etc) but not yet for my bank account.

Several academics are experimenting with using your cell phone as your password manager. It’s an interesting idea since we are so very attached to them. But we also lose them at an incredible rate. And if you think you get resistance about your computer passwords, try requiring a strong password on a phone.

Biometrics? There are some interesting new ideas about facial recognition using the builtin webcam of many modern laptops and others that track things like your typing patterns. None are ready for prime time yet.

All told, I think we’re still in a bad place. Passwords are the least unworkable answer we have today. Try to pick strong passwords, use a pattern that lets you modify a core password according to the site you’re visiting (choose a variation that can’t be worked out from a single leaked password), change the important ones regularly and never, never, never share your password. If you must write them down, keep them in a dedicated and highly secure application like the old Blackberry password vault.

Happy New Year, all. I hope you had a wonderful and safe holiday. It’s a brand new year – time to make resolutions to do better and be better people.

One resolution that we’ve talked about before is the need to make better, stronger passwords to keep your identity and your customers’ information secure. Americans still have a nasty habit of picking passwords from the dictionary. When the system requires numbers or extra characters, we tend to add them to the end. Hackers know this: their cracking programs try every dictionary word, then the same words with a capital first letter, a trailing digit or two, or a “!” on the end, long before they try anything random. Here are a few suggestions to make their lives harder (without making your passwords so impossible to remember that you write them down). None of these suggestions are new but hopefully this is a useful reminder.

  1. Pick a pass phrase, not a password. A good hacker can test your password against every word in the dictionary in under 30 seconds, and exhausting every possible combination of 7 random characters takes only hours to days on ordinary hardware. A passphrase of five words picked at random, on the other hand, has a search space in the tens of millions of millions of millions; at a billion guesses a second that is centuries of work. The words must actually be random, though: a well-known quotation or song lyric is just another dictionary entry. And because of how our brains are wired, phrases are much easier to remember than strings of characters.
  2. Make each password a unique variant using some personal rule about the site that you’re logging into. That way, you won’t lose everything just because the hacker cracks one site but you can still keep the number of things you must memorize to a minimum. Here is a link to one technique.
  3. Never share your password. Not to your boss, your co-workers, your spouse, no one. Nobody should know your password except you. (The only exception I allow is that parents should insist on a copy of all passwords used by their underage children. Keep it safe, though.)
  4. Make sure you’ve changed the default password on accessories like your router.
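To make the “hackers know this” point concrete, here is an added example (my code, not from the original post) of how a cracking program works through a leaked list of password hashes: plain dictionary words, then the cheap mangling rules people actually use (capital first letter, leet substitutions, a digit or two or a “!” on the end), with each account’s own username tried first. The word list, usernames and passwords are constructed for the demonstration; the hashes are plain SHA-256 so the example runs offline.

```python
"""Rule-based password guessing the way cracking tools do it (constructed example).

Given only the hashes, a tiny dictionary plus the usual mangling rules recovers
every "complex" password in a few thousand guesses, while a passphrase of random
words is never reached.  SHA-256 stands in for whatever the site stored.
"""
import hashlib

# Constructed mini-dictionary; a real attack uses millions of words.
WORDLIST = ["password", "welcome", "monkey", "dragon", "sunshine",
            "letmein", "honey", "beekeeper"]


def leet(word):
    """The substitutions crackers try first: a->@, e->3, o->0, i->1."""
    return word.replace("a", "@").replace("e", "3").replace("o", "0").replace("i", "1")


def candidates(words, usernames=()):
    """Yield guesses in the order a cracker would try them.

    Usernames go first (a password equal to the username is the cheapest guess
    there is), then each word in its plain, Capitalized, UPPER and leet forms,
    each with the common trailing digits and punctuation appended."""
    suffixes = [""] + [str(n) for n in range(100)] + ["!", "1!", "123", "2009"]
    for word in list(usernames) + list(words):
        forms = dict.fromkeys([word, word.capitalize(), word.upper(), leet(word)])
        for form in forms:
            for suffix in suffixes:
                yield form + suffix


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, words=WORDLIST, usernames=(), max_guesses=100_000):
    """Return {hash: (guess, guess_number)} for every target recovered."""
    remaining = set(target_hashes)
    found = {}
    for n, guess in enumerate(candidates(words, usernames), 1):
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = (guess, n)
            remaining.remove(digest)
            if not remaining:
                break
        if n >= max_guesses:
            break
    return found


def demo():
    """Constructed accounts; only the hashes are visible to the attacker."""
    accounts = {
        "alice": "Welcome1",        # dictionary word, capital, digit on the end
        "bob": "bob",               # password equals username
        "carol": "dr@g0n!",         # leet plus punctuation
        "dave": "honey2009",        # word plus year
        "erin": "pelican mortar velvet quartz",   # four random words
    }
    hashes = {sha256_hex(pw): user for user, pw in accounts.items()}
    found = crack(hashes, usernames=accounts.keys())
    return {hashes[h]: guess for h, (guess, _n) in found.items()}


if __name__ == "__main__":
    for user, guess in sorted(demo().items()):
        print(f"{user}: {guess}")
```

Run it and the four “complex” passwords fall; erin’s four-word passphrase is the only one the rules never produce, which is exactly the gap between rule 1 above and the habits the post describes.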

Sorry I haven’t posted in a while but it’s been an interesting few weeks. If you’d looked at this site on the morning of 6 October, you would have seen a very different page – black background, yellow Arabic writing and some very disturbing pictures. The vandal replaced the front page of our local beekeepers’ website with very similar content. It was a rude surprise, especially so early in the day.

Some background – I maintain the beekeepers’ website for them and host both that site and this one through a third-party provider. And while I do all of the writing for the infosec blog, I have a couple of other beekeepers who were helping to maintain the beekeepers’ site. It’s all volunteer work and I’m so glad for any help I can get that it’s hard to impose a lot of strict standards or hurdles. Besides, who cares about hacking a beekeeper club’s website?

Apparently lots of people.

It’s unlikely that we will be able to prove exactly how the hacker got in but it was almost certainly a scripted attack – a robot run by a hacker against anything he/she could find vulnerable – not a targeted attack. (For example, the hacker vandalized only pages titled index.htm, the standard name for a site’s home page, and none of the pages which had human-created names. Any targeted attack would have overwritten the other pages as well. Not only would it be more pages hacked but the vandalism might go unnoticed longer.) Our best guess is that the hacker got in because we weren’t careful enough about passwords. One of my authors had a password the same as his username. Even a script kiddie’s tool will test for a password that easy.

Lessons Learned:

  • Any site is vulnerable even if you don’t think that anyone would bother with little old me.
  • Passwords are important, even when you think they aren’t.
  • Volunteer time is valuable but only if it’s the right volunteer. Even if his/her heart’s in the right place, sometimes that time is more expensive than it’s worth.
  • Internal segmentation would have limited the damage. A single merged hosting account makes the domains easier to manage, but separate accounts would have kept the hacker from “promoting” himself from the beekeepers’ site across to the other accounts so easily.
  • Monitoring is a good thing. In my case, it was dumb luck. My wife has the site as one of her home pages and noticed it as soon as she logged on in the morning.
  • Good backups make repairing the damage easy. My backups are automatically managed through the third-party host and they do an excellent job. Once we discovered the vandalism and collected the evidence, the act of repairing the vandalism took mere minutes. I wish I could take credit for it but I got lucky and picked a good vendor.
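The monitoring lesson above is the one that needs no luck. Here is an added example (my code, not the blog’s own tooling) of the check I would have run from a scheduled job: a manifest of content hashes taken after the last legitimate edit, compared against the live web root, which both raises the alarm and names exactly which files to restore from backup. The two-site web root and the defacement it simulates (every index.htm overwritten, one file dropped) are constructed inside a temporary directory so the example runs offline.

```python
"""Detecting a defacement by comparing the web root against a stored manifest
(constructed example).

A script that overwrites only index.htm shows up as exactly those paths in the
"modified" list; anything it drops alongside shows up as "added".
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def simulate_defacement():
    """Build a constructed two-site web root, deface every index.htm the way an
    untargeted script does, and return what the integrity check reports."""
    pages = {
        "infosec/index.htm": b"<h1>Infosec blog</h1>",
        "infosec/passwords.htm": b"<h1>Passwords</h1>",
        "beekeepers/index.htm": b"<h1>County Beekeepers</h1>",
        "beekeepers/meetings.htm": b"<h1>Meetings</h1>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in pages.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
        baseline = build_manifest(root)   # taken after the last legitimate edit

        # Scripted vandalism: overwrite only the default home-page name,
        # and leave one extra file behind (constructed placeholder content).
        for rel in pages:
            if os.path.basename(rel) == "index.htm":
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(b"<body bgcolor=black>HACKED</body>")
        with open(os.path.join(root, "beekeepers", "x.php"), "wb") as f:
            f.write(b"<?php /* constructed placeholder */ ?>")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    modified, added, removed = simulate_defacement()
    print("modified:", modified)
    print("added:   ", added)
    print("removed: ", removed)
```

In production the baseline manifest lives somewhere the web-hosting account cannot write to (otherwise the same stolen password that defaced the site can rewrite the manifest), and the job that runs the comparison sends mail or a text when any of the three lists is non-empty.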

Anyone can get hacked. Do what you can to minimize your chances, discover it quickly and plan so the costs to repair are low. I can’t say that I’m proud of this post but I do hope that you can learn from my mistakes.

There was a story last month that Adobe’s latest release (Acrobat 9) actually weakened the strength of the algorithm they use for passwords that protect PDF documents. If you’re using password-protected PDFs as a way to send confidential information to your customers or business partners, does this mean that you can no longer trust the protection?

There is a lot of confusion because at the same time, Adobe increased the encryption from 128-bit to 256-bit. More is better, right? All things being equal, that’s usually true. In this case, though, they also changed the way the password is checked: earlier versions ran the password through a deliberately slow series of hashing steps, while Acrobat 9 validates it with a single fast hash. The strength of the cipher never mattered here, because the attacker guesses the password rather than the key. The net result is that the password is now crackable about 100 times faster than with the older Adobe versions.

If you are using weak passwords, this change matters a lot. Passwords that used to take 3 months to crack will now be breakable in a little over a day. If you’re still using single english words for your password, your protection is weak at best. A dictionary attack (where the hacker tests every word in the dictionary, plus the usual capitalized and number-suffixed variants, against your document) will break a weak password in minutes. On the other hand, if you’re picking strong pass-phrases – whole sentences from a favorite book or song – and if your phrase includes upper case, lower case, numbers and special characters, your cracktime is probably still measured in millennia. I tend to like sentences from children’s counting books such as “On Monday, he ate thru 1 apple.” from The Very Hungry Caterpillar. Not only does it have all four character classes, but I’ve read that book far too many times – there’s no chance that I’ll ever forget that pass-phrase. (The spelling changes matter: a famous line quoted exactly is itself in the phrase lists attackers use, so alter it in a way the book doesn’t.) Combine that phrase with the prefix trick for managing multiple passwords and your password will outlast a thousand hackers.
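To show why a faster password check is a weaker one, here is an added example (my code, not Adobe’s algorithm and not touching a real PDF). It models the two styles the page contrasts: one SHA-256 per guess, and the same hash iterated many times as an illustrative stand-in for the older deliberately slow scheme. A dictionary attack against each shows that the work factor multiplies the attacker’s cost guess for guess, and a crack-time estimate then combines that factor with the size of the guess space, so that the “3 months becomes a day” arithmetic and the passphrase’s millennia both fall out. The word list, salt and guess rate are constructed assumptions.

```python
"""Password-check work factor versus guess space (constructed example).

derive_key(pw, salt, 1) is the fast check; derive_key(pw, salt, 100) stands in
for a scheme that is 100 times slower per guess.  A dictionary attack on the
slow scheme costs exactly 100 times as many hash operations.
"""
import hashlib
import math

DICTIONARY_SIZE = 200_000         # assumed size of a good cracking word list


def derive_key(password, salt, iterations):
    """Iterated SHA-256 of salt+password; iterations is the work factor."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def guesses_to_recover(target_key, salt, iterations, candidates):
    """Dictionary attack: return (hash operations spent, recovered password)."""
    ops = 0
    for guess in candidates:
        ops += iterations
        if derive_key(guess, salt, iterations) == target_key:
            return ops, guess
    return ops, None


def guess_space(password):
    """How many guesses an attacker must budget for.

    A single alphabetic word is found within the dictionary; anything else is
    assumed to need the full alphabet of its character classes to its length."""
    if password.isalpha():
        return DICTIONARY_SIZE
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33            # printable ASCII punctuation and space
    return alphabet ** len(password)


def crack_time_seconds(password, iterations, hash_ops_per_second=1e9):
    """Time to exhaust the guess space at an assumed hash rate."""
    return guess_space(password) * iterations / hash_ops_per_second


def demo():
    """Attack the same word under the fast and the slow check."""
    salt = b"constructed-salt"
    words = ["apple", "banana", "caterpillar", "dragonfly", "eggplant"]
    target = "caterpillar"
    fast_ops, _ = guesses_to_recover(derive_key(target, salt, 1), salt, 1, words)
    slow_ops, _ = guesses_to_recover(derive_key(target, salt, 100), salt, 100, words)
    return {"fast_ops": fast_ops, "slow_ops": slow_ops, "ratio": slow_ops // fast_ops}


if __name__ == "__main__":
    print(demo())
    for pw in ["caterpillar", "On Monday, he ate thru 1 apple."]:
        years = crack_time_seconds(pw, 1) / (365 * 86400)
        print(f"{pw!r}: about {years:.3g} years at 1e9 guesses/s")
```

The sentence-length phrase comes out at a number of years with dozens of digits, which is why the loss of the slow check barely matters for it; the single word is found in a fraction of a second either way, and the factor of 100 is the whole difference for everything in between.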

The one unambiguously good thing about this change is that Adobe got rid of the 32 character limit. You can now type as much as you want for your pass-phrase (up to 127 characters – and even I’ve never hit that limit). If you take advantage of that increase, the change to version 9 is a net security benefit even with the change to the algorithm. You can read more at or on Adobe’s own security blog.