Here is a great how-to video on hacking password hashes. Note that he doesn’t need your password. He needs the hash, which he can get from a breach.
Account and INFO Security
How Passwords Work, very simplified
There are many people who say that they don’t trust some version of online business, whether it be passwords, password wallets, or some other version of encryption security. They claim that keeping their passwords on paper is a higher level of security than storing them on their computer. They are right, and they are wrong. The answer to this lies in the way that encryption works. I am greatly simplifying this, so it will be a bit easier to understand.
All digital encryption works using the same basic principles. Digital encryption is simply a very complex math problem: a formula that permits only one answer for the number that is put into it, in this case the password. The output that results from running the password through the algorithm is called the hash. There can only be one hash for each password. Password hashing is typical on the server side, where the server operators don’t need to know the plaintext password; they just need to confirm that the user knows it.
A common hash function is Message-Digest Algorithm 5 (MD5), which takes a message of any length as input and produces a fixed-length 128-bit hash value used to authenticate the original message. Here are a few examples of what a hash looks like:
md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
md5(hell0world) = 0a123b92f789055b946659e816834465
md5(g84js;l238fl-242ldfsosd98234) = 42e7862f4ad5225471866d2023fc4cca
md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
When you enter your password into a website, it is converted into a hash. If the hash matches the one that is on file, the website grants you access.
Small changes matter a lot – Take a look at examples 1 and 2. Just one character has been changed, from an “o” to a “0.” This is a very small change, and yet the second output bears no resemblance to the first.
The output length never changes – The input in example 3 is considerably longer than the other examples, yet it produces an output of the same length (32 characters). You could input an entire book into the md5() hash function and you would still get a 32-character string as the output.
Repeatable – An input will always give the same output when hashed using the same function. If this weren’t the case, the function would just be generating random output, which would be useless for passwords. (I used the same input in example 4 as in example 1 just to see if you were paying attention.)
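To see the three properties on real output, here is an added example (not part of the original post) that recomputes the post’s four MD5 inputs with Python’s standard library, counts how many of the 128 bits flip between examples 1 and 2, hashes a book-sized input, and performs the simplified “compare against the hash on file” check a login does. The long input and the login helper are constructed for illustration.

```python
import hashlib

def md5_hex(text: str) -> str:
    """MD5 of a string, as the 32-hex-character form the post shows."""
    return hashlib.md5(text.encode()).hexdigest()

def bits_changed(a_hex: str, b_hex: str) -> int:
    """How many of the 128 output bits differ between two MD5 digests."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")

def login_ok(stored_hash: str, typed_password: str) -> bool:
    """The post's simplified server-side check: hash what was typed, compare to the hash on file."""
    return md5_hex(typed_password) == stored_hash

# The four inputs from the post, in order (example 4 repeats example 1 on purpose).
EXAMPLES = ["helloworld", "hell0world", "g84js;l238fl-242ldfsosd98234", "helloworld"]

if __name__ == "__main__":
    for i, pw in enumerate(EXAMPLES, 1):
        print(f"{i}. md5({pw}) = {md5_hex(pw)}")
    # Avalanche: one character changed, roughly half of the 128 bits flip.
    print("bits changed by o -> 0:", bits_changed(md5_hex("helloworld"), md5_hex("hell0world")))
    # Fixed length: a constructed ~1 MB input still yields 32 hex characters.
    book = "All work and no play makes Jack a dull boy. " * 25_000
    print("long input ->", len(md5_hex(book)), "hex chars")
    # Repeatable: the stored hash matches only when the same input is typed again.
    on_file = md5_hex("helloworld")
    print(login_ok(on_file, "helloworld"), login_ok(on_file, "hell0world"))
```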
Knowing that hashes are the same length regardless of the password you choose, you might be tempted to pick a short, memorable password. In fact, you should do the opposite. The password you choose is critical for keeping your data secure. Why is that?
MD5 isn’t the only hashing algorithm. There are others, like the widely used SHA-2 family, whose algorithms produce longer hashes that are harder to break. The names of the SHA-2 algorithms reflect their output length: SHA-224 produces a 224-bit hash, and the same pattern holds for SHA-256, SHA-384 and SHA-512. The more bits in the hash, the harder it is to break, and the longer the input password that can be used.
If a website is hacked, cybercriminals don’t get access to your password. Instead, they just get access to the encrypted hash created from your password. It’s impossible to reverse a hash function, so trying millions of combinations until one produces the same hash (a brute-force attack) is how hackers have been attacking passwords.
So that’s what they do. They breach a website because they want the hashes. Banks, Home Depot, Amazon, all of the breaches that you hear of where passwords are compromised, that’s what they are after. That’s what happened to LastPass, as well. They got the password wallets, which included the hashes for the master passwords.
Once a cybercriminal obtains password hashes from a website, the real process of password hacking begins. This process happens offline, on the cybercriminal’s computer. Cybercriminals put combinations of characters into a hashing function until a hash that matches yours is created.
Because the functions themselves are well known, cybercriminals can easily calculate hashes for known words and other commonly chosen combinations. Then they scan for known hashes using commercially available cracking tools. These dictionaries go far beyond simple words. They include prefixes, suffixes, the practice of swapping letters for numbers (e.g. 1 instead of l), and much more. This means weak passwords can be broken very quickly. Humans suck at random. That’s why human-created passwords are garbage.
A long password is better, because it takes more guesses to find a long password than a short one. A random one is better, because it foils dictionary attacks. Not reusing passwords keeps a hash found on one website from being matched with others.
- 69% of people admit to sharing some passwords with others
- 71% of people admit to using common passwords like p@ssw0rd, their pets’ names, or children’s birthdays
- 72% of people admit to reusing the same password on 4 or more accounts
- 56% of people claim that they would not use passwords at all if they could
- The average user has 25 online accounts but uses just 6.5 passwords to protect them
So why does all of this matter? If you write your passwords on a piece of paper and then burn the paper, no one will ever get the passwords, but the hackers don’t care. They want the hash so they can brute force your passwords. It doesn’t matter if YOU use electronic password storage, because any company that you do business with does, but in the form of hashes. Using a password notebook like this one keeps the password out of electronics, but that doesn’t secure the hash.
Remember that a password cracking tool uses different methods to attack a hash. It will guess common passwords, and paired with a handful of inexpensive GPUs, can make 88 billion guesses per second. In fact, one hacker has a 25-GPU server that guesses 350 billion passwords per second. Ten years ago, a white hat used a GPU-driven machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn in less than six days. Computers and their cracking software are considerably faster today.
They are so fast that number-only passwords are useless. Even if you choose a good combination of letters, numbers, and special characters, passwords of eleven characters or fewer will be brute forced before a company even notifies the public of the breach. A series of leaks over the past few years containing 100 million passwords has given hackers dictionaries of passwords from people in different walks of life. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.

That’s why I was so pissed at LastPass for not disclosing the breach for months. How long is your password, what does it consist of, and how would it fare if the black hats had the hash to play with for 3 or 4 months? What if the black hat uses more than one computer?
That’s why, for now, I recommend that you use a randomly generated password made up of numerals, special characters, and uppercase and lowercase letters, and that it be no fewer than 17 characters long. Do not use words, even with common misspellings. Dictionary attacks live on words like p@ssw0rD123.
Diceware has a flaw: it is susceptible to dictionary attacks. There are only 7,776 words in the Diceware word list. Using that list to generate 4 words results in 3.6 quadrillion possible word combinations. That’s a lot for a human to guess, but a trivial exercise for a computer making a few billion guesses per second. If no other randomness is inserted, a 4-word password generated by Diceware would be cracked in less than 3 hours. There was a time when Diceware was a good idea, but increases in computing technology have made it useless.
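The arithmetic behind the last few paragraphs, as an added example that is not from the post: it works out the search space and the time to exhaust it at the post’s two guess rates (88 billion and 350 billion per second) for an 8-digit number, four words from the 7,776-word Diceware list, and a 17-character password drawn from all four character classes. The 11-lowercase-letter row and the assumption of 33 special characters (the 95 printable ASCII characters in total) are constructed additions; the figures are for exhaustive search, which is why dictionary and rule attacks on human-chosen passwords finish far sooner than these numbers suggest.

```python
import math

# Guess rates quoted in the post (guesses per second).
GUESS_RATES = {
    "handful of GPUs": 88e9,
    "25-GPU server": 350e9,
}

# Character classes the post says to mix; 33 specials is an assumption
# (the printable ASCII punctuation), giving 95 printable characters in all.
DIGITS, LOWER, UPPER, SPECIAL = 10, 26, 26, 33
ALL_CLASSES = DIGITS + LOWER + UPPER + SPECIAL
DICEWARE_WORDS = 7776

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length

def entropy_bits(space: int) -> float:
    """Equivalent strength in bits: how many coin flips the space is worth."""
    return math.log2(space)

def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate

def human(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"

CASES = {
    "8-digit number only": keyspace(DIGITS, 8),
    "4 Diceware words": keyspace(DICEWARE_WORDS, 4),
    "11 lowercase letters (constructed)": keyspace(LOWER, 11),
    "17 chars, all four classes": keyspace(ALL_CLASSES, 17),
}

def report() -> list:
    """One row per (case, rate): name, rate name, bits, human-readable time."""
    return [(name, rate_name, entropy_bits(space), human(seconds_to_exhaust(space, rate)))
            for name, space in CASES.items()
            for rate_name, rate in GUESS_RATES.items()]

if __name__ == "__main__":
    for name, rate_name, bits, when in report():
        print(f"{name:36s} {bits:6.1f} bits  {rate_name:16s} {when}")
```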
That same technology makes other schemes just as useless: fingerprints, facial recognition, and others. A strong, random password and a hardware key are currently the only secure methods for identifying valid, authorized users.
There are newer hashing algorithms that complicate the process of cracking, like SHA-512, bcrypt, or PBKDF2. The complexity of the math involved limits the speed of those cracking computers to fewer than 10,000 guesses per second, which greatly increases security. However, it costs money for a business to stay current with this kind of technology, and many companies just aren’t willing to spend the cash. That means it is up to YOU to keep your password long and complicated.
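What “staying current” looks like on the server side, as an added example that is not from the post: storing passwords with PBKDF2 (one of the algorithms named above) over SHA-256, a fresh random salt per user and a high iteration count, then measuring on one CPU core how many guesses per second an attacker gets against that record compared with plain MD5. The record format, the iteration count and the timing helper are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000   # work factor; raise it as hardware gets faster

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    salt = os.urandom(16)                       # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Count how many candidate passwords hash_fn() gets through in `seconds`."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_fn(f"guess{n}")
        n += 1
    return n / seconds

if __name__ == "__main__":
    record = hash_password("4s&7ya,ofbfotcann,Mhallifwwas")
    print(record)
    print("correct:", verify_password(record, "4s&7ya,ofbfotcann,Mhallifwwas"),
          " wrong:", verify_password(record, "p@ssw0rd"))
    salt = os.urandom(16)
    md5_rate = guesses_per_second(lambda p: hashlib.md5(p.encode()).hexdigest())
    kdf_rate = guesses_per_second(lambda p: hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    print(f"one CPU core: MD5 {md5_rate:,.0f} guesses/s, PBKDF2 {kdf_rate:,.0f} guesses/s")
```

Hashcat-style GPU rigs close some of that gap, but the iteration count multiplies the attacker's cost by the same factor it multiplies the server's, and the server only pays it once per login.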
Don’t be complacent. There was a time when an 8-character password was nearly impervious to attack.
Password Managers
Earlier in the year, I was talking about using a password manager to secure your passwords. I have been using LastPass for the past 8 years. As I discussed previously, LastPass had a security breach last summer. That breach involved the exposure and loss of their customer database. This handed the black hats all of the encrypted data of their customers. It was simply a matter of time before the bad guys used password cracking tools to decrypt customer password files.
So I did the sensible thing and changed all of my passwords, beginning with the most sensitive ones: email passwords, passwords to financial websites, and on down the list to the least important. It took several weeks to change hundreds of unique passwords. I also changed the master password. The next step that I took was to add MFA by using Yubikey. All of my data is now secure, and anything they have is no longer relevant.
I don’t blame LastPass for the fact that they had a breach. Everyone is a target, and a company like LastPass is a bigger target than most. No, what made me upset was that the breach happened in August, but they didn’t disclose it until November. They denied that the bad guys had gotten encrypted password wallets at first, then finally admitted in December that the password wallets had been lost. So the bad guys had our vaults for months before LastPass bothered to tell anyone. Months to brute force passwords, time to steal, and time is all they need.
They are still slowly releasing information in dribs and drabs. It has come out that the database was stolen because one of their engineers was permitted to access the servers from his home computer. That computer was compromised, which allowed the hackers to access corporate information. Now, password vaults are all encrypted and no one but the user has access, but still. Who does this? Home access to sensitive information? There is also the fact that they hid this information for over 9 months. That’s just too shady for me.
I didn’t want to change from LastPass, but this is the last straw. They just are not trustworthy. This isn’t the time to be cute and try to spin this from a PR perspective. This is a much bigger deal than just bad publicity. People’s information that YOU are supposed to safeguard is at stake. I no longer recommend LastPass as a viable password vault application.
LastPass is no longer for me, and it shouldn’t be for you, either. I want cloud storage of my passwords, because it allows portability between laptop, cell phone, etc. So I switched my password wallet over to 1Password. The cost is $60 a year for the family plan, which allows up to 5 people to use the account. 1Password is also compatible with Yubikey.
Master Password
Your master password in a password wallet is the one that is used to encrypt the digital vault that stores your passwords. It may be your PGP passphrase, if you are old school enough to be using that software. Whatever your reason, a strong password is important. My master password is not actually a word. I use passphrases. Let me explain: Suppose that I pick a mashup of the opening to the Gettysburg address and a nursery rhyme:
Four score and seven years ago, our fathers brought forth on this continent a new nation, Mary had a little lamb, its fleece was white as snow
The master password is made by mashing the phrase into numbers, letters, and symbols. Words that are numbers become numbers, words that are symbols become symbols, and for the remaining words I just use the first letter, like this:
4 s & 7 y a, o f b f o t c a n n, M h a l l, i f w w a s
Now take out the spaces, and your new master password is: “4s&7ya,ofbfotcann,Mhallifwwas” It’s easy to remember, nearly impossible to guess, and at 29 characters is very difficult to brute force. This password is also guaranteed not to be on a list of common passwords that many black hats use to guess passwords. A long, difficult to crack master password buys you time to make the data it is protecting obsolete. That’s what I did. All of my master passwords are AT LEAST 25 characters long.
The black hats are large in number, and stealing personal data is the new currency. Make yourself as difficult a target as possible.
Data Breach
The gun sales site Gunauction.com has had its database breached. The data exposed belonged to 550,000 users, including customers’ full names, home addresses, email addresses, plaintext passwords, and telephone numbers.
My advice is that you make sure that you change your passwords for that site using password best practices.
The Spy Who Called Me
Just as we have always suspected, we now have solid evidence that your cell phone is spying on you and forwarding your information to the ChiComs. Again, it doesn’t matter how careful you are, there are security leaks. It may be on your end, it may be on the other end, but it is inevitable that there are ways for black hats to gain access to your stuff.
I know that there are some out there who think they are more clever than the other side, but is everyone you do business with just as smart? What about their employees? Your phone? The government employees handling your information?
How much of your stuff is being read, unbeknownst to you? I assume that governments with their unlimited resources can see whatever they want, no matter how hard I try to secure it. I just want to make my stuff harder to steal than most people’s, so maybe the thieves spend their time on the lower hanging fruit.
Phishing
As apps that do all of the heavy lifting for you become more widespread, the threats to your accounts become more pronounced. This software allows even amateurs to get into the cybercrime business. The software and the scams are becoming ever more sophisticated, with some of them catching even the most wary people.
As one business owner found out when he lost more than $120k, these guys are getting pretty good at suckering people in. Thinking that you are smarter or that you can’t possibly be fooled is a mistake.
He received a call from a person claiming to be from the Chase fraud department and asking to verify a suspicious transaction.
The 800-number matched Chase customer service so Mullenaux didn’t think it was suspicious when the person asked him to log into his account via a secured link sent by text message for identification purposes. The link looked legitimate and the website that opened appeared identical to his Chase banking app, so he logged in.
Thinking about this now and preparing a security plan is the best way to defend yourself. In this case, a password manager would have known the site wasn’t legit, and would not have filled in his credentials. That may have been the red flag he needed to realize he was being suckered. Most of us know that we shouldn’t give our credentials to someone who contacts us, but this new breed of con man is using a combination of misdirection and deceit to trick us into letting our guards down. Using computer tools to aid us in spotting fake login sites is the way to go, IMO.
Phishing Ads
Just when you think you are done talking about information security for a while, the bad actors come along and prove you wrong. The latest is that black hats are targeting users of valuable sites with phishing ads and search results on Google and other search engines. The scam is that you search for your favorite website’s login, and the first hit is a phishing site that grabs your login information before forwarding you to the legit site.
In this case, it is users of the password managers Bitwarden and 1Password that are the targets, but I have seen reports of similar attacks on other password managers, banking sites, and others. Recent research has shown that threat actors are using Google ads to fuel their malware delivery campaigns for initial access to corporate networks, to steal credentials, and for phishing attacks.
What’s interesting to me is that Google, YouTube, and other sites are busy clamping down on reports of the 2020 election, COVID vaccines, and everything else under the sun, but are actively allowing ads on their sites that are actual theft.
The best defense to this is MFA that uses FIDO 2.0 or higher. The article that I linked to above says that hardware keys are cumbersome, but I have thus far found them easy to use, and certainly no more difficult than the authenticator apps that are out there. Another thing the article gets wrong is its claim that all MFA is subject to “man in the middle” attacks. That may be true of authenticator-app and SMS versions of MFA, but the YubiKey system is not subject to man-in-the-middle attacks, because it uses the two keys of public key encryption to ensure that both parties are legitimate. I am sure that other hardware keys are available that do the same thing, I just have no experience with them.
You will note that Microsoft warned of this back in July and recommended the use of FIDO (Fast ID Online) 2.0 protocols for MFA. This rules out many authenticator apps as well as SMS methods of MFA. Note that the YubiKey 5 uses FIDO 2.0.
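Why a FIDO2-style key shrugs off a relayed login page, as an added example that is not from the post or any vendor: the key signs the server’s random challenge together with the site origin the browser is actually talking to, so an assertion produced on a look-alike site verifies against the wrong origin no matter how it is forwarded. The RelyingParty class, the origins, and the toy textbook-RSA key pair over two small fixed primes are constructed stand-ins for the real protocol and hardware.

```python
import hashlib
import secrets

# Toy textbook-RSA key pair over two small fixed primes (constructed stand-in;
# a real authenticator generates a much larger key on the device itself).
P, Q = 1_000_000_007, 1_000_000_009
N, E = P * Q, 65537                      # public half, registered with the site
D = pow(E, -1, (P - 1) * (Q - 1))        # private half, never leaves the key

def sign(message: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return pow(h, D, N)

def verify(message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return pow(signature, E, N) == h

def signed_data(origin: str, challenge: bytes) -> bytes:
    """The bytes the key actually signs: the origin the browser sees plus the challenge."""
    return origin.encode() + b"|" + challenge

def client_assertion(origin_seen_by_browser: str, challenge: bytes) -> dict:
    """What the browser hands back to the site after the key signs."""
    return {"origin": origin_seen_by_browser, "challenge": challenge,
            "sig": sign(signed_data(origin_seen_by_browser, challenge))}

class RelyingParty:
    """The genuine site: knows its own origin, the public key, and outstanding challenges."""
    def __init__(self, origin: str):
        self.origin = origin
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def check(self, assertion: dict) -> bool:
        if assertion["challenge"] not in self.pending:
            return False                                   # unknown or replayed
        self.pending.discard(assertion["challenge"])       # single use
        if assertion["origin"] != self.origin:
            return False                                   # signed for some other site
        return verify(signed_data(assertion["origin"], assertion["challenge"]), assertion["sig"])

def honest_login(rp: RelyingParty) -> bool:
    return rp.check(client_assertion(rp.origin, rp.new_challenge()))

def relayed_login(rp: RelyingParty, lookalike_origin: str) -> tuple:
    """A look-alike page relays a real challenge to the victim, then forwards the
    assertion to the real site both untouched and with the origin field rewritten."""
    as_is = rp.check(client_assertion(lookalike_origin, rp.new_challenge()))
    rewritten = client_assertion(lookalike_origin, rp.new_challenge())
    rewritten["origin"] = rp.origin          # editing the field does not fix the signature
    return as_is, rp.check(rewritten)

if __name__ == "__main__":
    rp = RelyingParty("https://bank.example")
    print("honest login:", honest_login(rp))
    print("relayed as-is, relayed with origin rewritten:", relayed_login(rp, "https://bank-login.example"))
```

An SMS code or a TOTP digit string carries no origin at all, which is exactly why a relay page can pass it straight through.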
Be very, very wary of the websites that you are using. The crooks are getting more and more inventive every day.
T-Mobile
In the latest of the data breaches, T-Mobile reports that the names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers and details of the kind of service they have with the wireless carrier were stolen for 37 million customers. T-Mobile claims that no social security numbers, credit card information, government ID numbers, passwords, PINs or financial information were exposed.
PayPal also had a data breach of 35,000 customer files. Names, dates of birth, addresses, Social Security numbers, tax IDs and phone numbers were all exposed. The accounts were breached using a credential stuffing attack, likely using one of these cracking tools. Now I doubt many of my readers use PayPal, considering their anti-gun stance, but it still illustrates how active hacking is.
Still, I recommend that you change your password if you are a customer of one of these services. Please make sure it’s a secure one.
You have locked your credit reports, haven’t you? Even if you aren’t a T-Mobile customer, please do so. I would also recommend that you pull each of your credit reports every year. The law says you can do so, free of charge, every year.