Posts Tagged ‘passwords’

You’ve just checked into your hotel and gotten situated in your room. All that time on the plane has left you feeling a bit out of touch so you head down to the business center to do a quick check of your email. You’re in luck — there’s a free workstation just waiting there for you. You log in to your account, read a few, respond to some, delete some spam, log off and head for the gym feeling that everything is now in order. But is it?

Turns out that the person using that same PC a few hours ago opened an attachment that contained malware that installed itself on the system and has been recording every keystroke entered ever since. Making matters worse, all those email responses, web site addresses, credit card numbers and logins have also been surreptitiously forwarded to someone on the other side of the world who now has everything they need to take over your email, raid your bank account and run up charges on your credit card.

Krebs on Security has a good post on this threat along with a discussion of some preventative measures your hotel could have taken to protect you. The problem is, as the author points out, all of them can potentially be circumvented.

Of course, you could enable all your accounts to use 2-factor (a.k.a. two step) authentication, where a seemingly random set of numbers is texted to your phone that you then have to enter after entering your account name and password (and you should!), but most people don’t want to be bothered with this extra step and they are precisely the ones that the bad guys are counting on.

The bottom line is, if you don’t control the system you’re using (and you never do with a public terminal), you really have no idea who else might be listening in so you should consider that anything you type (including your password) is now public information.

The best thing you can do to avoid this scenario is simply to not use public workstations. It may be a pain to lug along your own laptop but it beats the alternative.

Recycling is great, except for when it isn’t. To see what I mean, take a look at my post on

By now one would hope that the worst of the Heartbleed crisis is behind us. All the servers should be patched, new certificates generated and passwords changed, right? The answers are: probably, hopefully and unlikely, respectively. Compromised passwords are still floating around in the ether so if you haven’t fixed them, do so.

But what about the next Heartbleed? One thing that is about as sure as death and taxes is that there will be another massive vulnerability that will, no doubt, expose millions of user accounts. So, do we just sit tight and wait for the oncoming storm or is there a preemptive strike you can make now to lessen the likelihood it will impact you in a big way?

I think there is and it’s the subject of my recent post to the IBM Security Intelligence blog. Take a read through it and stay safe.

From an IT context, authentication is the process by which you prove that you are you when trying to log in to a system. It can be accomplished by providing something you:

  • know (a password or PIN)
  • have (smart card or security token)
  • are (a biometric reading such as a fingerprint or iris image)

The vast majority of systems rely on the first option — knowledge-based authentication (KBA) — because it’s easier to implement and is presumed to be cheaper. The ease of implementation is pretty obvious since it only takes a few lines of code to ask someone for a password and compare it to what you already have registered for that user in the database. The assumption on the cost part is more dubious when you take into account the often hidden cost of having to support users with help desk agents to reset passwords at roughly $25 a pop, not to mention the cost of trying to recover from a breach when passwords have been harvested through an attack on the infrastructure or simply guessed by an attacker due to trivial choices by the user.

In an effort to avoid the cost of acquiring and rolling out hardware readers that are typically needed for the other two options, many organizations have taken to doubling down on KBA approaches by asking users to answer additional questions that, presumably, only they would know the answer to. The problem is that most of these questions are poorly chosen and are often not very private in nature (e.g. mother’s maiden name, high school mascot, etc.).

Systems that do a better job by actually digging into your past and asking you to, for instance, identify which of the following addresses are ones that you have lived at and who were the co-signers on the mortgages are a little harder for the bad guys but not impossible since much of that information exists in online public records.

Worse still is news this week that some of the databases containing this sort of “private” information about you, which can be used by credit bureaus and others to establish your identity, have been breached. A KrebsOnSecurity article reports that:

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

The Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney.

The article goes on to say that compromised data came from systems at Lexis-Nexis, Dun & Bradstreet and Kroll Background America. Assuming this information really is circulating on the Internet it becomes clear that it can’t be relied upon for authentication because it’s no longer something that only the user in question would know — yet another nail in the coffin of KBA systems for anything other than low security applications.

Never mind what the NSA may or may not know about you or Google or Facebook or Apple or any of the other thousands of companies that track us and leverage the power of “Big Data” to try to know us even better than we know ourselves in order to sell us things we didn’t even know we wanted. The real risk of having all your secrets no longer be yours or secret is that now a bad guy can convince your bank, your mortgage company, your stock broker, etc., that he is you because he knows the info that supposedly only you know. Only it just isn’t so…

I got a question recently from Tyler Dukes at the Raleigh News & Observer related to work on the “Stump the Geeks” column. A reader had developed his own, rather elaborate scheme for assigning unique passwords for each web site (a laudable goal). Here’s what he wrote:

Q. I’ve developed a method for creating IDs and passwords so I can store them without any encryption or hacking worries. I do the following:

1. I always use a base user ID such as MYUSERIDn and password as MYPASSWORDnn.

2. I simply change the “n” to any number for the ID and the “nn” to any number for the password.

3. Now I can store a Web site ID and password as, for example, “Macy’s 522.”

Say Macy’s wants me to set up a user ID and password. I would create my ID as MYUSERID5 and my password as MYPASSWORD22. Now I can bookmark the Macy’s Web site described as “Macy’s 522.” If you don’t know my basic structure, the “522” means nothing. My actual IDs and passwords are more complex than this example, but the concept is the same.

Am I lulling myself into a false sense of security, or is this scheme a viable solution?

The short answer is “yes.” Nice try but there are some problems with this approach. 

The article in the paper summarized some of the issues but I thought I would go ahead and put out my full answer here…

The password scheme described is certainly better than using the same password for every system but not really something I would feel comfortable hanging my hat on. First of all, since only alphabetic and numeric characters are used, the number of possibilities an attacker would have to try in a brute force attack (i.e. trying all possible password combinations) is not nearly as large as it would be if special characters (e.g. *, &, !, %, $) and mixed case alphas were used. Also, the length of the password is not so long that an attack couldn’t be successfully completed in a reasonable amount of time. The key to better security with passwords is complexity. Ideally, you want randomness created by a mixture of cases, alphas, numerics and special characters. These should also change every few months and not be reused on other systems. Any scheme that you reuse also runs the risk that if someone discovers your password on one system they might be able to infer what it would be on others.
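To put numbers on the two points above (the size of the search space for each character mix, and what reuse of a fixed base does to it), here is an added example that is not part of the original post or the newspaper column. It counts the guesses needed for a 12-character password of the “MYPASSWORDnn” shape under a uniform brute-force attack, and then for the case where the base has already been learned from a breach of some other site. The guessing rate of one billion per second is an assumption; the uniform count is an upper bound, since a base made of dictionary words falls to a wordlist attack far faster.

```python
import math
import string

# Added example, not code from the original post: quantify the search space an
# attacker faces for the reader's "MYPASSWORDnn" scheme versus a random
# password of the same length, and what happens once the fixed part leaks.

CHARSET_SIZES = {
    "upper + digits": len(string.ascii_uppercase + string.digits),            # 36
    "mixed case + digits": len(string.ascii_letters + string.digits),         # 62
    "mixed case + digits + specials": len(string.ascii_letters + string.digits + "*&!%$"),  # 67
}

GUESSES_PER_SECOND = 1e9  # assumed offline guessing rate against a fast hash


def keyspace(charset_size, length):
    """Distinct passwords of exactly `length` characters over a charset."""
    return charset_size ** length


def entropy_bits(n):
    """Bits of entropy in a uniformly chosen secret from `n` possibilities."""
    return math.log2(n)


def seconds_to_exhaust(n, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed rate."""
    return n / rate


def scheme_guesses(base_known, variable_digits=2, total_len=12, charset_size=36):
    """Guesses needed against a password of the form <fixed base><nn>.

    base_known=False: the attacker knows nothing and brute-forces all
    `total_len` characters over upper case plus digits.
    base_known=True: one leaked password on another site revealed the base,
    so only the numeric suffix is left to guess.
    """
    if base_known:
        return 10 ** variable_digits
    return keyspace(charset_size, total_len)


def compare(length=12):
    """Entropy (bits) of a uniformly random password at each character mix."""
    return {name: round(entropy_bits(keyspace(size, length)), 1)
            for name, size in CHARSET_SIZES.items()}


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:32s} {bits:6.1f} bits")
    full = scheme_guesses(base_known=False)
    leaked = scheme_guesses(base_known=True)
    print(f"MYPASSWORDnn, base unknown: {full:.2e} guesses, "
          f"{seconds_to_exhaust(full) / 86400 / 365:.0f} years")
    print(f"MYPASSWORDnn, base leaked:  {leaked} guesses, "
          f"{seconds_to_exhaust(leaked):.1e} s")
```

The drop from a 62-bit search to a 100-guess search is the whole argument against a reusable base: the attacker does not have to break the scheme, only to see one instance of it.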

Of course, the problem with doing what I just recommended above in terms of password complexity is that, in general, making a password hard to guess, also makes it hard to remember. Rather than writing passwords down, which introduces yet further risks, it’s best to either use a password storage “vault” or, better still, a single sign-on tool that combines the vault with a capability to automatically enter the password for you. With this sort of software all you need to do is keep up with one complex password (rather than many) and then the program does the heavy lifting of generating strong, unique, random passwords that you never even have to know.

Finally, for even better security, a second mechanism can be added to the password (“something you know”). In this case you would also be challenged to prove that you have some unique device in your possession (“something you have”) or some physical characteristic unique to you (“something you are”). The latter involves biometrics such as fingerprints, retinal scans, voice recognition and the like. The former is perhaps more practical in many cases if the thing you “have” is something you are likely to keep with you most of the time anyway, such as a cell phone. This sort of two-factor authentication would involve logging in with your userid and password as always and then you might face a second challenge such as entering a one time PIN that has been sent as a text message to your phone or entering a temporary password that has been generated by an app on the phone. Google, Facebook and others offer this sort of scheme. Twitter, at this point, does not, although there are reports that this capability will be coming in the not too distant future. When it does, I would recommend that this option be considered since it could have prevented the sort of situation that has been seen with a number of high profile Twitter feeds.

Since the time I wrote that Twitter has, indeed, come out with a two-factor authentication scheme — a welcome and long overdue enhancement. It’s not perfect but it is an improvement. If you use Twitter, you might want to take a look.

Here’s the video stream (with slides) of the keynote address I gave at last month’s OOP 2013 conference in Munich on the subject of Social Media threats and how they relate to key Identity Management issues involving authentication.

OOP 2013 Keynote - Munich, 22 Jan 2013

In perhaps the least shocking news you will hear all day, “password” is really not a great authentication secret for online accounts. Unfortunately, not enough people seem to realize this as, yet again, it topped the list of most popular passwords according to Splashdata, which analyzed results from some of the highest profile security breaches of 2012. Here are the top 5:

1) password (#1 in 2011 as well)
2) 123456
3) 12345678
4) abc123
5) qwerty

No real surprises there. The next 5 are a bit more curious:

6) monkey
7) letmein
8) dragon
9) 111111
10) baseball

OK, so “111111” is easy to type and “baseball” is the national pastime and “letmein”, well, that’s what you’re trying to do when you enter a password, so I get all of that, but “monkey”? Really? Maybe it’s best I don’t know…

Another interesting one came in at #12 and it was “trustno1”, which sounds like pretty good advice on one level but apparently the paranoia has reached such a level that it now causes a significant number of people to choose it as their authenticator.

Once again, I think this makes the case for single sign-on tools which can automatically generate strong, random passwords that they manage so you don’t have to break out the yellow sticky pads and post your secrets around the edge of your monitor…

So you thought you had locked down your Windows laptop/desktop/server by choosing a strong password that only you would know, right? Nice try but not quite…

What you might not have realized is that if an attacker can get physical access to your PC (either through theft or just using it while you’re away), they can reset that password to one of their own choosing, log on and have their way with your system. In fact, it’s quite easy to do if you have the right tools and said tools are readily available in both free and fee formats.

There are a number of variations on this theme but a common scenario involves booting from a Linux CD, mounting the Windows boot drive and then running a tool which overwrites the Windows Registry with the new password. The next time the system is booted, the new password is in effect. The whole process can be done with scary efficiency in about 2 minutes (give or take).

This technique works for accounts with administrator rights just as well as non-admin accounts, which means that the attacker can take complete control of the system at that point.

There are legitimate reasons to do all of this if you’re in Tech Support and a user has forgotten their Windows password (or you just happen to be the unpaid tech support for a friend or relative who has found themselves in the same predicament) and there are commercial tools that simplify the process described previously (if you don’t enjoy fiddling with other OSs). So, in other words, like many things in IT Security, it can be used for good or bad.

How should you protect yourself from having this happen without your permission? One option would be to never stray more than about 18 inches from your laptop and guard it unceasingly.

That might work if you have no life, no friends and no significant other but a better option would be to opt for whole disk encryption. That way the hard drive can only be read (or booted) if you know the proper password. The techniques for overwriting the Windows Registry won’t work since even that is scrambled beyond recognition without the drive encryption password.

Of course, if you do this, then you’d better make sure you don’t lose the encryption password (or have a secure means of recovering it) or you could end up with an expensive paperweight…

What do LinkedIn, eHarmony and Yahoo all have in common? Other than the fact that all three are popular web sites with millions of users, they also share the ignominious distinction of having recent security breaches where massive numbers of passwords have been compromised.

As I wrote here recently, LinkedIn, a professional networking site, had an exposure of about 6 million passwords. The good news was that the passwords were hashed, which means they were obscured using a special, one-way encryption technique which can’t be easily reversed/decrypted, if done correctly. The problem is that the hashes weren’t salted, which makes them less delicious — I mean, less secure.

Salting involves adding a random number to the password so that when it is hashed the results will be more unpredictable. This makes life harder for crackers (no, not the edible kind but the ones who break encryption schemes), who then must try far more combinations in a brute force attack in order to find what they are looking for.

So, all that stuff you’ve been hearing about cutting back on salt may or may not be great advice from a medical standpoint (that’s a debate for another blog) but scrimping on the salt when it comes to password hashing is definitely bad for your online identity’s health.

Then along comes eHarmony who not only skipped the salt, they also chose a relatively weak hashing algorithm (MD5) and, if that weren’t enough, they converted all passwords to upper case before processing them, thereby reducing the duration of a brute force attack dramatically.

Not to be outdone, Yahoo Voices, which currently holds the lead in this race to the bottom, not only did away with the salt, they didn’t bother with hashing either. That’s right — the passwords were actually stored in the clear and, ultimately revealed to all.
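The three storage choices just contrasted (plaintext, unsalted and case-folded MD5, and salted hashing) are easy to put side by side in code. Here is an added example that is not part of the original post, using a handful of constructed sample accounts. It shows the property a breach analyst looks for in a dump: with an unsalted hash, every user who picked the same password has the same stored value, so one precomputed table exposes all of them at once; case-folding merges even more accounts into one group; a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 here, my choice rather than anything the sites used) leaves no two values alike. The iteration count is a parameter so the test runs quickly; production should use a far higher count.

```python
import hashlib
import hmac
import os

# Added example, not from the original post: the storage choices the post
# contrasts, side by side.  The users and passwords below are constructed.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2012",
    "bob": "summer2012",
    "carol": "Summer2012",
}


def store_plaintext(password):
    """Yahoo Voices style: the dump *is* the password list."""
    return password


def store_unsalted_md5(password, uppercase=False):
    """eHarmony style: MD5, no salt, optionally case-folded first.
    Same password gives the same hash for every user, so one precomputed
    table cracks them all; case-folding shrinks the space that table covers."""
    if uppercase:
        password = password.upper()
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, iterations=600_000, salt=None):
    """Recommended: per-user random salt plus a slow KDF.
    Stored as 'iterations$salt$hash' so verification can read the parameters."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(stored):
    """Breach-analysis view: group usernames whose stored value is identical.
    Unsalted: each group is a set of users sharing a password that a single
    table lookup exposes together.  Salted: there are no groups."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    for label, fn in [("plaintext", store_plaintext),
                      ("md5", store_unsalted_md5),
                      ("md5 uppercased", lambda p: store_unsalted_md5(p, True)),
                      ("salted pbkdf2", lambda p: store_salted(p, 10_000))]:
        stored = {u: fn(p) for u, p in SAMPLE_ACCOUNTS.items()}
        print(f"{label:15s} duplicate groups: {duplicate_hash_groups(stored)}")
```

With a salt the table attack has to be redone per account, which is the "far more combinations" point above; the slow KDF then makes each of those attempts expensive as well.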

Yahoo’s position that this really isn’t that big of a deal since most of the accounts were dormant misses the larger issue and that is that, human nature being what it is, people tend to opt for the path of least resistance and use the same password for many (if not all) of their online accounts. This means that if I know what your Yahoo, eHarmony or LinkedIn password is, I’ve got a pretty good idea what the password is to your Gmail account, your bank account and so on.

The lesson here is that everyone should be using some sort of single sign-on or password storage manager so that they can maintain a unique set of randomly chosen, hard to guess passwords for every site they visit. And if you are on the IT side of things, maintaining a store of user passwords, by all means, don’t skip the salt…

As I’m sure many of you have heard, the popular, business-oriented social networking site, LinkedIn, had a security breach recently that resulted in exposing about 6 million of its users’ passwords. You might be thinking, what’s the big deal?

  1. I don’t store anything all that sensitive on my LinkedIn account and
  2. even if I did, why would anyone want to target me?

The first issue that many fail to appreciate is that most people use the same password for more than one site. In fact, many use the same password for every site. This is a problem since it means that if I know your LinkedIn password, I probably also have a pretty good idea what your email password is. And if I can get into your Gmail account, for instance, then I can also go to your banking site and request a new password be emailed to your account, which I now control.

Furthermore, I can change all these passwords to one of my choosing and then you can’t get in to fix the problem either. Then it’s game over and you are forced to deal with a sea of faceless support centers for each site trying to gain back control of your digital persona. Since many of these services are free, the support you get is worth about as much as you paid for it, if you know what I mean.

As to why you would be targeted for such an attack? Because you exist. Hackers don’t only go after famous people just as identity thieves don’t restrict themselves to only millionaires.

So, what can you do?

  • First of all, you should probably change your LinkedIn password today. Even if you weren’t one of the 6 million compromised accounts, why wait for the next breach?
  • Second, change other passwords to key accounts like your email, bank, credit card and merchant sites that might have payment details stored for you.
  • Third, choose good passwords that can’t be easily guessed or cracked through dictionary or brute force attacks, which leads to …
  • Fourth, use a password storage vault or single sign-on software to keep track of all your passwords. These tools allow you to generate strong, hard to guess passwords that are unique for every site and only require you to remember one strong master password to unlock the vault.

If you are trying to do this for an entire organization, consider a centrally managed, enterprise class tool like IBM Security Access Manager for Enterprise Single Sign-On, which automatically enters userids and passwords when logon fields pop up, allows you to set policies for all your users and supports resetting lost passwords and shared workstation support with fast user switching.

If you want a simple, free tool to keep track of passwords on a single system, one that requires you to copy and paste stored passwords manually from the vault, Password Safe, from the open source SourceForge project, is one of many options.

Also, there are other options that range somewhere in between for a range of prices supporting a variety of platforms. Whatever you choose, just try to make sure it comes from a legitimate source. The worst case scenario would be to store all your passwords in one tool that sends all your info to an attacker.

OK, so now you just think I’m being paranoid, right?