Wednesday, January 23, 2013

Data Privacy Day Prep Part 1: Passwords

Data Privacy Day is one of my favorite holidays and falls on this upcoming Monday. Every year, for the days leading up to it, I like to talk and publish reminders about. I normally post this on the Bethesda forums, where I'm quite active, but now that I have a blog, why not also add it on here? Here's part 1, it's about Passwords. It's long, so maybe read it in chunks. It'll always be here for you to refer to later :P

The goal of Data Privacy Day is to make people more informed about their data and privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after the summer of 2011 hacks and the ones that followed in 2012, I think we are all familiar with that).

 Important definitions for this section:

  • Two-factor/multi-factor authentication: The use of two (or more) forms of authentication. They must be different forms, using two items of the same form does not qualify (so two passwords is still considered single-factor authentication). There are three forms of authentication:

    1. Something you know (Password is most common, followed by a PIN, and in smartphones: a swipe pattern)
    2. Something you have: A keyfile, ID card, or a token
    3. Something you are: Anything biometric such as a fingerprint or iris scanner

  • Brute-force attack: A hacking attack where the hacker systematically tries every possible combination to gain access to your account
  • Dictionary Attack: A hacking attack where the hacker systematically goes through every word in the dictionary, followed by every name, followed by any personal information they know about you


Passwords are the most common form of security online, and they aren't going anywhere any time soon. Unfortunately, passwords probably aren't the best form of security for numerous reasons: people can only remember so many good passwords (without using a manager or system, which I will talk about shortly) causing password reuse to be rampant, people can easily fall victim of social engineering (either in the form of spearheaded attacks or phishing), the rules for what you can include in a password are not universal (which causes problems for password creation systems), and they can be captured in transmission. Still, as I mentioned, they aren't going away any time soon and making your passwords good is a very simple thing to do.

 Let's start with some questions about your current passwords:
  1. Do you use the same password everywhere or almost everywhere?
  2. Are your passwords less than 12 characters in length?
  3. Do your passwords contain a word from the dictionary or a name properly spelled?
  4. Is one (or more) of the following missing from your passwords: a lower-case letter, an upper-case letter, a number, or a special character?
If you answered "Yes" to the above questions, there's a good chance your passwords are weak. If you see your passwords on this list of the 25 worst passwords of 2012, then even more-so are your passwords weak as they are on every password list out there. Some other lists are: 20 most common pins, Top 20 worst Passwords, Top 500 Worst Passwords, and Password analysis of 3 hacked password databases (I quite enjoyed the character frequency analysis, might give you some ideas for characters to use)

 So what is wrong with those 4 things?
  1. When you use the same password everywhere or almost everywhere, if any site gets hacked or you slip up and give out the password just once, all or almost all your accounts are compromised. -- XKCD on using the same password everywhere
  2. The shorter the password, the easier it is to crack. In some instances, short passwords use weaker hashing algorithms in general than longer ones (for example, Windows XP passwords under 15 characters use LM Hash, which is extremely weak, passwords with 15+ characters use NTLM)
  3. Words and names are extremely easy to crack with a modern PC by just doing a dictionary attack. It's all the easier if you have a botnet or supercomputer trying all the possibilities.
  4. The more variance in your password, the better. Having at least one of each character type significantly boosts your password strength compared to not. Once you leave alphanumeric passwords, the chances of your password being in a dictionary list, once you get past simple substitution and just appending special characters at the end or beginning, you can even beat many pinpointed attacks such as those that can be created by the Common User Password Profiler
So, just how secure is your current password? Test it out here. If you are paranoid (which in this case is NOT a bad thing), you can view the source. It all runs locally and sends nothing back, it even works fine in offline mode. Still a little anxious about entering your password? Just type in something that is similar to your password. So long as you use the same number of each characters it'll return a similar value. Note that the time that how secure is my password tells you is a best-case scenario, so if you have something like 3.2 years, it can probably be done in a few weeks using CUDA and good NVidia GPU.

Further reading: How I'd Hack Your Weak Passwords -- a bit on the old side, but still a great read.

Keeping Track of your Strong Passwords

The problem with creating a bunch of strong passwords is that it's hard to keep track of them. As I mentioned, this is one of the problems with the password system. Thankfully, there are things you can do about it. I personally have over 100 passwords and have no issue entering them in when needed. The trick is to not memorize all your individual passwords (I personally only have maybe 10 passwords committed to memory).

 One of the more simple ways to do this is, rather than memorizing your passwords, you memorize an algorithm, or system, to creating them. That way, even if you forget the password, you can easily reverse engineer what the password would be. The password remains strong and only those that know the algorithm can come up with the password. The Mozilla Team created an excellent video on this that you can watch here.

 There are problems with algorithmic passwords, though, one of them going back to a flaw with the password system as it exists: the rules for what you can have in your password are not uniformly followed by all sites, so your password algorithm may not work for all your sites. In general, I'd say you need at least 4 or 5 algorithms to cover all your sites, assuming all of them allow all characters: a sub-8 character algorithm, a sub-15 character algorithm, a sub-20 character algorithm, and a 20+ character algorithm. This is due to various sites putting limits on password length, a very unwelcome problem in my book that I wish would go away. The fifth algorithm you may want to implement is a separate algorithm for the most important of sites, such as your bank and email. Even so, remembering 5 algorithms is relatively simple to do, especially compared to remembering 30 different passwords (much less, 100 different passwords).

 The other option (and it's not an exclusive other option, you can more than easily implement both) is to use a password manager of some kind. There are many out there, but the good ones in my book are: KeePass, Password Safe, LastPass, DashLane a physical password list you always keep on you, and an encrypted digital password list. The first two are real password managers, the other two are merely a secured list of passwords. The difference is that a password manager helps simplify entering in your passwords (and that may be an issue with long, complex passwords).

 You may be thinking "What's wrong with my browser's password manager?" and the truth is: many things. Firstly the encryption on the password database isn't very strong. It is extremely easy to brute-force the encryption and many tools do it. Or even more simply, just copy those files over to another computer and place them in the application directory for the same web browser, and the browser will be able to use them (unless you enable a master password) and if these are password databases for Google Chrome or Firefox, they are viewable as well (once again, unless a master password is set). Opera is a step up in that it will never show you the passwords, just the username, but the encryption is still weak and plenty of tools will crack it to display all your passwords. I really cannot recommend Chrome's password manager at all as there is NOTHING you can do at the current time to secure it on Windows. If using Chrome, you really do need to use a third-party password manager. Both Firefox and Opera aren't much better off, but if you are going to use them, you do have some options. You may scoff that no one will get physical access to your computer, but they don't need to on Windows machines. A broswer's password database is stored in %AppData% which is easily accessible remotely thanks to it being included in Window's default share for user profiles. Even if you disable that, the admin share of C$ will include it (of course now I'm starting to delve into network security, which isn't supposed to be in this topic much).

Firefox's built-in password manager:

 First download the Master Password+ add-on and set a master password. A quality meter will tell you how strong it is. Set up an auto-logout time. You will never be prompted for your master password so long as you don't time out, but if you do you'll need to re-enter it again. Either leave it on a short time but only when inactive or set it to a long time (an hour or so) but always times out. Which to choose depends on your browsing habits and how easily you are annoyed.

Opera's built-in password manager:

 Opera's password manager is a bit more feature-rich than Firefox's and so is it's master password, which is good since there is no extension for it. Tools -> Preferences -> Advanced -> Security -> Set Master Password... and set your password. Set your timeout interval (right underneath it called "Ask for password") as you feel appropriate. Setting it to "Every time needed", the default setting, will probably drive you mad, an hour is good. Finally make sure to check the box for "Use master password to protect saved passwords". If you don't, the master password only applies to client certificates.

 As I said, Firefox and Opera's password manager are only marginally better than Chrome's even with the master password, so a third-party password manager is still best as the encryption is many times better. If you do use them, at least think twice about giving them important passwords for things like your bank account. Please consider one of these good password managers instead.

The Good Password Managers

KeePass 2: KeePass 2 is a Password manager for Windows. That said, it is becoming easier and easier to install on Linux and Mac OS X so long as you don't mind Mono being installed as well to the point it is pretty much cross-platform (just no official releases for Mac OS X or Linux are made). Mac OS X users can head here for an installer and Debian/Ubuntu users have it in the software repos or via PPA. Alternatively there is KeePassX which is fully cross-platform, but it only works with 1.0 databases and doesn't work with browser extensions such as KeeFox, ChromeIPass, or PassIFox. You give it a master password, and, optionally, you can create a keyfile (this is known as two-factor authentication. See "Important Definitions" at beginning of post). Now you only need to remember one password and all your passwords are secure.

 As mentioned there are various plugins for browser integration with KeePass to make entering passwords even simpler than it already is. This includes KeeFox (probably the best integration, but Mac OS X and Linux installs are tricky/beta-ish), PassIFox (not as good as KeeFox in my opinion, but works on Mac OS X and Linux as well as Windows), and ChromeIPass (which is the Google Chrome/Chromium option and also works on Mac OS X and Linux as well as Windows). Of course KeePass works with all browsers and pretty much all applications through an auto-type feature + a keyboard shortcut (default: Left-Ctrl+Alt+A but easily changeable to your preference) so you don't have to worry about a plugin if you don't want to. There is also a portable version available, so you can run it on the go from any Windows computer.

 Finally, in the modern world where smart phones are of great importance, there are programs compatible with KeePass available on all major smartphone platforms: KeePassDroid for Android, 7Pass for Windows Phone, and either MiniKeePass (free) or one of a few paid versions that exist on iOS.

 Pros: Open Source, you control it, portable, highly secure, will tell you the strength of your passwords, can generate random passwords, works with pretty much any program. Works on Android/Windows Phone/iPhone too.
 Cons: The auto-type feature takes a little getting used to, while it works with any pretty much program the overall integration suffers to allow this (Except in Firefox/Chrome where KeeFox/PassIFox/ChromeIPass creates seamless integration).

Password Safe: Password Safe is a password manager created by crypto legend Bruce Schneier. It's a simple program with a single goal: creating a digital safe for your passwords. It was later open sourced and has a derivative project Password Gorilla. Password Safe is Windows-only whereas Password Gorilla is fully cross-platform and that's basically the only difference between the two. Many other derivative projects have been done as well, including many command-line tools. There exists both an iOS app and an Android app, but I don't know of a Windows Phone app.

 Pros: Open source, you control it, highly secure, does one thing and it does it well. command-line versions for command-line junkies.
 Cons: Not as feature-rich, extensible, or simple as KeePass, lacks Windows Phone support.

LastPass: LastPass is a cloud-based password manager that works in all major browsers and the browser version is cross-platform. There is a desktop version for application passwords and whatnot, but it currently only works on Windows and requires a Premium (paid) account. It also does not appear to have a keyboard shortcut auto-type feature like KeePass. You can find more information about the Desktop version for applications on their website helpdesk. Likewise for smartphone use, you need a Premium (paid) account; apps for all major smartphone platforms exist. Offline access to your passwords is possible through a cross-platform program called LastPass Pocket and is available with a free account. They also offer One-time Passwords for use on untrusted computers that instantly expire (which reduces the risk of your master password being compromised). There are also many options you can enable to make LastPass even more helpful and secure, and it'll even alert you when it detects an account tied to your email address has been leaked.

 Pros: always with you so long as you have Internet Access, instantly syncs, highly integrated, audits your passwords, can generate random passwords, one-time passwords, very secure (before you ask: It's been verified that LastPass NEVER gets your encryption key -- see here)
 Cons: You must trust that they will stay around, have to pay for use on your phone, if your Master LastPass password is compromised, all your passwords are compromised*

 *Note: LastPass Premium offers USB-based two-factor authentication (see here). More recently, LastPass added Google Authenticator two-factor authentication for free. The Free version also has grid authentication, which I don't quite consider unique enough of "something you have" to be two-factor authentication, as if someone knows what your card looks like, they can access your account without actually having your card, but still a significant security boost. One-time Passwords also lower the risk of your master password being compromised.

DashLane: DashLane is a newcomer and competitor to LastPass. It offered some features before LastPass like and securly sharing notes and passwords with friends and securly sharing notes and passwords with friends. It specializes in autofill, and does a very good job at form detection (hence the name: it dashes you through the checkout lane for online orders) and doesn't seem to miss a beat security-wise, keeping up with LastPass. As an added bonus, basic smartphone support is included for free (though you don't get all the benefits on the phone or note sharing unless you go premium). It also enforces a basic two-factor authentication before allowing you to install it on new devices.

 Pros: Always with you any where you have Internet access, instantly syncs, highly integrated, very secure, free basic phone support.
 Cons: You must trust that they stay around, gotta pay for the premium and full features, if your master DashLane password is stolen, all your accounts are compromised.

Keeping a list always on you: Obviously no software is involved, you just simply keep a list on you at all times, say in your wallet (or anywhere else, so long as you always remember to keep it on you). This method, while once frowned upon, has been gaining popularity in recent years among security experts*. Why? Because it is always on you, so you know it is safe. If it isn't on you, then you know it is time to change all your passwords. For extra security you can do a trick to the list that only you know. For example: inject a random number in every password at a specific spot (or in a pattern that you know). If the list falls into the wrong hands, they can't tell those numbers aren't part of the actual password and as such cannot use your passwords right away or at all. This gives you more than enough time to verify you didn't just leave the list at home and to change your passwords to something secure again.

 Pros: Pretty secure, you are instantly aware if your password database is compromised since it is always on your persons. Always with you in all circumstances
 Cons: You must diligently keep it always on you for the security aspect, obviously if you do no trick and lose the list, all your passwords are potentially compromised, likewise it is obviously 100% manual. Just don't leave them in the usual spots.

 *Bruce Schneier on writing down your passwords(Source under "Safe Personal Computing"):
Passwords. You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet, or in a program like Password Safe. Guard them as you would your cash. Don't let Web browsers store passwords for you. Don't transmit passwords (or PINs) in unencrypted e-mail and Web forms. Assume that all PINs can be easily broken, and plan accordingly.
Encrypted Digital Password List: To some, a digital password list would be preferred to a normal one. There are risks to leaving your passwords just in plain text on your computer through (some malware looks for things like passwords.txt and whatnot and uploads them to some far-off place), so encryption is a must. The advantage of a digital list is it's easy to back up, lowering the risk of you losing it as well as allow you to synchronize the file onto multiple computers (though it begs the question: why not just use a password manager?). A simple and effective cross-platform encryption program is TrueCrypt. TrueCrypt is an on-the-fly encryption tool and allows you to create encrypted file containers in which you can store your password list.

 Pros: Extremely secure. Truecrypt in particular offers many options for creating your encrypted file container (including a hidden volume).
 Cons: Obviously not integrated at all with any application, so you must do everything manually. Must use a third-party program to synchronize the file across computers.

 Some Mac OS X-specific Password Managers:

 1Password -- It's also available on Windows, iOS, and Android, but I'd only recommend it if you don't want to deal with KeePass 2 with Mono and Mac OS X is your primary OS. It's free only for 20 or fewer passwords, otherwise you have to pay, and it's on the expensive side ($50 for one license for one desktop platform, $70 for a license for both desktop platforms, $100 for 5 licenses for both desktop platforms). Still, it's very user-friendly on Mac OS X.

 Keychain -- Keychain is the default password manager for Mac OS X, but it's not without flaws that have come up over the years (usually patched though). It can be integrated with both Safari, Google Chrome (uses it by default), and Firefox, but it's not easily synchronized across your computers and definitely not cross-platform or portable.

 And of course the 4 password managers listed above all work on Mac OS X.

 Two-Factor Authentication

 The need for two-factor authentication is becoming more and more prevalent every day. Luckily, it is also becoming more and more widespread every day and easier to implement. Two-factor authentication can make it so even if your password is compromised, your account isn't. It would have stopped Mat Honan (see below) from having his life destroyed by a hacker. By far the easiest to achieve implementation of two-factor authentication is through the Google Authenticator platform, which is open source and has derivative implementations. What makes it great is that you don't need to buy an expensive security token like RSA SecureID, just need a supported device. This is most commonly done through a smartphone using the Google Authenticator app, but as the Wikipedia Article shows, there are other implementations of Google Authenticator you could use. Many services that support Google Authenticator will also allow you to sign up for two-factor authentication through SMS messages, so you can even use it with a regular phone.

 Debunking Myths of two-factor authentication | List of places you can enable two-factor authentication

 Pros: VASTLY increases your security.
 Cons: does make logging in sometimes a bit harder, but with Google Authenticator, it's pretty easy. I would suggest printing out the offline one-time use codes through, just to be safe.

What you can't Protect Against

 Strong passwords won't protect you against everything: you have no control over how a website handles security. Mat Honan is all too familiar with this.. This shouldn't be discouraging, though. You just need to do the best you can do. In the event a site you use is compromised the best advice is to change the password ASAP. Changing your password will nullify any danger after a compromise. Most services are kind enough to alert you after a breach, but not all. There are some other steps you can take as well: Oftentimes when a hack is done, the hacked database is released and can be downloaded if you know where to look (sometimes it's free, other times it isn't depending on the purpose of the hack). Services like PwnedList will look for your email address in leaked databases and alert you of matches. If you use either LastPass or DashLane, you can use this feature through their services too (they partnered with PwnedList).

Passwords - the remaining stuff

 To note, there are other methods for creating secure passwords. Popular ones include using phrases from a book or song, and recently just stringing together 4 random funny words, popularized by an XKCD comic strip. If these methods work for you, that's great, but personally I see them as relying too much on human memory, which is too easily fallible. There's no way I'd be able to keep track of all 100+ of my passwords by using different strings of 4 random words or remembering which phrases from a book go with which sites. I see these methods, in the long run, as encouraging password reuse. Password reuse is the enemy to be stopped at all costs, as password databases get compromised, and once you start repeating password -- no matter how strong, you run the risk of multiple accounts being compromised from a single password leak. Still, if you only have a handful of passwords, these methods can create strong passwords provided you can remember them.

 At this point your passwords are nice and complex, secure, and easy to remember/access, but that is not all there is to say on password security. Remember those password hints and pesky security questions you set up for most services? Those can be an Achilles heel to your accounts if you are not careful.

 For password hints there are a few things you can do: You can do away with them completely, typing in gibberish when forced to have one (what I currently do), or you can use things you know you know to help you remember the pattern you use for your passwords. Along the lines of "That place where I put that thing that time" - It means absolutely nothing to anyone but you. In all cases you should be careful here and any hint you give should use word associations or have a meaning that only you would understand relying on your personality or life.

 Security questions are similarly a dangerous thing, much more dangerous than password hints as they can reset your password. Weak questions mean your strong password is worthless. If you are confident in your passwords to the point you are certain they will never be forgotten, once again you can make these complete gibberish so they are impossible to break into. Security questions have two pitfalls: 1. They are susceptible to social engineering since they are questions about you. Make sure you NEVER post your answers to your security question anywhere ESPECIALLY social network sites like Facebook and Myspace. If you do that, then all your security efforts go down the drain. 2. is security questions are often just a word or name, making them HIGHLY susceptible to dictionary attacks if the security questions don't have a lock-out. To combat this make your answers always at least two words, and maybe throw in a special character at the end or the beginning that is your "trick" for them. One thing growing in popularity that does a good job to combat both, is to create a pattern to your security questions that does not answer them and only you know -- ([url=""]see here). My advice is to do that, but also make sure to include a special character or two.

 Over the last year, I've seen comments on GPU password cracking coming up more and more frequently. I see this as missing the point. GPU cracking only applies with offline password hashes/databases. It's not something you need to worry about as a threat to your online accounts. In the event your passwords get leaked by a website getting hacked, having strong passwords is your best defense for you having time to change your password before it is cracked using GPU cracking. So my advice is: don't worry about it, and just change your password as soon as you find out a site's been hacked.

 You'll see some people recommend you change your password periodically. It's also a common enforced policy in some offices/for some services. I personally don't subscribe to this train of thought. After a password is compromised, it'll instantly be exploited. the probability of you changing a password due to some 90 day password change policy actually stopping someone from using your compromised account is slim to virtually zero. Now there's nothing wrong with occasionally changing your passwords, and it's a good way to maintain them, but something being a good idea for maintenance and something adding real security are two different things. Takeaway: Don't feel pressured to change your passwords frequently, but the occasional password change isn't a bad thing.

 If you follow through with everything, your passwords will be very secure and any backdoors effectively shut to anyone but you.


Post a Comment