Just when you think you are done talking about information security for a while, the bad actors come along and prove you wrong. The latest is that black hats are targeting users of valuable sites with phishing ads and search engine results on Google and other search engines. The scam works like this: you search for your favorite website’s login page, and the first hit is a phishing site that grabs your login information before forwarding you to the legitimate site.
What’s interesting to me is that Google, YouTube, and other sites are busy clamping down on reports of the 2020 election, COVID vaccines, and everything else under the sun, but are actively allowing ads on their sites that are actual theft.
The best defense against this is MFA that uses FIDO 2.0 or higher. The article that I linked to above says that hardware keys are cumbersome, but I have thus far found them easy to use, and certainly no more difficult than the authenticator apps that are out there. Another thing the article gets wrong is that all MFA is subject to “man in the middle” attacks. That may be true of authenticator and SMS versions of MFA, but the YubiKey system is not subject to man-in-the-middle attacks, because the system uses the two keys of public key encryption to ensure that both parties are legitimate. I am sure that other hardware keys are available that do the same thing; I just have no experience with them.
In the latest of the data breaches, T-Mobile reports that 37 million customers had their names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers, and information describing the kind of service they have with the wireless carrier stolen in a data breach. T-Mobile claims that no Social Security numbers, credit card information, government ID numbers, passwords, PINs, or financial information were exposed.
PayPal also had a data breach of 35,000 customer files. Names, dates of birth, addresses, Social Security numbers, tax IDs and phone numbers were all exposed. The accounts were breached using a credential stuffing attack, likely using one of these cracking tools. Now I doubt many of my readers use PayPal, considering their antigun stance, but it still illustrates how active hacking is.
Still, I recommend that you change your password if you are a customer of one of these services. Please make sure it’s a secure one.
You have locked your credit reports, haven’t you? Even if you aren’t a T-Mobile customer, please do so. I would also recommend that you pull each of your credit reports every year. The law says you can do so, free of charge, every year.
Your phone rings. The caller ID is one you recognize as being from Chase Bank. The call sounds legit:
A few seconds later the phone buzzes, and it’s a text message from the number 227895, which is the same number you always receive verification codes from.
You quickly type it in to confirm that it is in fact you. You sure are glad that the Chase fraud department is working overtime, you think to yourself...
Your bank account has just been cleaned out, because the hackers who spoofed you just transferred all of the money in it to an offshore account.
These bots can target banks, credit cards, Apple Pay, PayPal, GoDaddy, Amazon, Coinbase, and virtually any platform that is “secured” with the SMS version of 2FA or MFA. The process for these bots is so streamlined that just about anyone with virtually no IT knowledge (script kiddies) can quickly get one up and running. The hackers no longer even have to be fluent in English or converse with their victims on the phone to con their way in.
At this point, we are all used to recorded voice calls, SMS authentications, etc., and we don’t think twice about them. Some of these bots are open source, with instructions on how to run them, but a black hat can pay a few hundred bucks to get a good one that is pre-configured and comes with tech support. With these SMS-bypass bots offered as a service, any wannabe hacker can pull it off fairly easily, with very little tech background or hacking skill needed.
So a hacker gets himself a computer with a high-end graphics card, installs one of these password cracking programs, and, armed with the information from a data breach, soon has your login credentials. For less than $1,000, about 2 hours’ work, and a few hours of letting the cracking tool find valid credentials, he now has your username/password pair.
Now he initiates the MFA calling bot, and soon has your one-time PIN. Call it a $1500 investment, a day’s labor, and a week of elapsed time, and he just made off with the contents of your bank account. How much was in there? Twenty thousand? Forty? Or only a couple of thousand bucks?
Since many countries have an average annual income that is far less than $10,000 a year, even $850 is a month’s pay and is certainly worth a criminal’s time. Now imagine that he is likely doing this a hundred times a week.
Credential stuffing is the automated use of stolen username and password pairs purchased online. Since many users will re-use the same password and username/email, this sort of thing is frequently successful.
Since these people reused passwords, they exposed their accounts. It didn’t have to happen, but they weren’t using secure password practices.
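As an added example (not from the original post), here is the detection logic a defender would run over a login log to spot a stuffing run: many distinct usernames from one address in a short window, mostly failing, with the occasional success being the account to lock first. The log format, addresses and usernames are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one parsed login-log line.
type AuthEvent struct {
	At   time.Time
	IP   string
	User string
	OK   bool
}

// ParseLine reads the constructed format used in SampleLog:
// "<RFC3339 time> ip=<addr> user=<name> result=ok|fail".
func ParseLine(line string) (AuthEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[1], "ip=") || !strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "result=") {
		return AuthEvent{}, fmt.Errorf("unexpected log format: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AuthEvent{}, err
	}
	return AuthEvent{At: at, IP: f[1][3:], User: f[2][5:], OK: f[3] == "result=ok"}, nil
}

// Alert summarizes a source IP whose traffic looks like a stuffing run.
type Alert struct {
	IP                                          string
	Attempts, DistinctUsers, Failures, Successes int
}

// summarize counts attempts, distinct usernames, failures and successes in a slice of events.
func summarize(ip string, evs []AuthEvent) Alert {
	a := Alert{IP: ip, Attempts: len(evs)}
	users := map[string]bool{}
	for _, e := range evs {
		users[e.User] = true
		if e.OK {
			a.Successes++
		} else {
			a.Failures++
		}
	}
	a.DistinctUsers = len(users)
	return a
}

// Detect flags any IP that, inside a sliding window, tried at least minUsers distinct
// usernames with a failure share of at least minFailRate. A person mistyping their own
// password fails many times for one user; a stuffing run tries many users once each.
func Detect(events []AuthEvent, window time.Duration, minUsers int, minFailRate float64) []Alert {
	byIP := map[string][]AuthEvent{}
	for _, e := range events {
		byIP[e.IP] = append(byIP[e.IP], e)
	}
	var alerts []Alert
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		best, start := Alert{IP: ip}, 0
		for end := range evs {
			for evs[end].At.Sub(evs[start].At) > window {
				start++ // drop events that fell out of the window
			}
			if a := summarize(ip, evs[start:end+1]); a.DistinctUsers > best.DistinctUsers {
				best = a
			}
		}
		if best.DistinctUsers >= minUsers && float64(best.Failures) >= minFailRate*float64(best.Attempts) {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].IP < alerts[j].IP })
	return alerts
}

// SampleLog is constructed: one address walks a list of stolen pairs; alice later logs in from home.
const SampleLog = `2023-01-20T10:00:01Z ip=203.0.113.7 user=alice result=fail
2023-01-20T10:00:02Z ip=203.0.113.7 user=bob result=fail
2023-01-20T10:00:03Z ip=203.0.113.7 user=carol result=ok
2023-01-20T10:00:04Z ip=203.0.113.7 user=dave result=fail
2023-01-20T10:00:05Z ip=203.0.113.7 user=erin result=fail
2023-01-20T10:01:10Z ip=198.51.100.2 user=alice result=fail
2023-01-20T10:01:40Z ip=198.51.100.2 user=alice result=ok`

// Run parses SampleLog and applies a 60 s window, 4 distinct users, 50% failures (assumed thresholds).
func Run() ([]Alert, error) {
	var events []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(SampleLog), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return Detect(events, time.Minute, 4, 0.5), nil
}

func main() { fmt.Println(Run()) }
```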
In our discussions of securing our information, we have discussed that there are multiple ways to authenticate a user. There are actually three main ways to authenticate someone:
Things in your possession, such as a badge or smartphone
Things you know, such as a password or PIN
Things you are (inherence), such as fingerprints, facial or voice recognition
Where you are. Some forms of MFA use your location. If your IP address isn’t correct, the system will reject you.
What you are doing. This is called risk-based authentication. The system looks at a host of attributes about the login attempt (time of day, IP address, device identification, etc.) and assigns a risk score. If the score is too high, the login attempt is denied unless it can be authenticated using one of the other methods above. A day-shift employee logging in from Starbucks at 2am on a Sunday and attempting to access files he normally wouldn’t would trigger an MFA request from the system.
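An added example, not from the original post, of the risk scoring described above: each login attribute is compared with the user’s baseline, the points are summed, and the total decides whether a password alone is enough, an MFA prompt is required, or the attempt is refused. The point values, thresholds, baseline and addresses are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// UserBaseline is what the system already knows about a user's normal logins.
// A real system learns it from history; the values used here are constructed.
type UserBaseline struct {
	WorkStart, WorkEnd int             // usual login hours, 24h clock, [start, end)
	TrustedNets        []netip.Prefix  // office and VPN ranges
	KnownDevices       map[string]bool // device fingerprints seen before
	UsualResources     map[string]bool // files or apps this user normally opens
}

// LoginAttempt carries the attributes named in the text: time, IP, device, and what is requested.
type LoginAttempt struct {
	At       time.Time
	IP       netip.Addr
	DeviceID string
	Resource string
}

const (
	Allow  = "allow"
	StepUp = "require MFA"
	Deny   = "deny"
)

// RiskScore adds points for each attribute that deviates from the baseline and
// returns the reasons, so the decision can be logged and explained.
func RiskScore(b UserBaseline, a LoginAttempt) (int, []string) {
	score, reasons := 0, []string{}
	if h := a.At.Hour(); h < b.WorkStart || h >= b.WorkEnd {
		score, reasons = score+25, append(reasons, "outside usual hours")
	}
	if wd := a.At.Weekday(); wd == time.Saturday || wd == time.Sunday {
		score, reasons = score+15, append(reasons, "weekend")
	}
	trusted := false
	for _, p := range b.TrustedNets {
		trusted = trusted || p.Contains(a.IP)
	}
	if !trusted {
		score, reasons = score+30, append(reasons, "untrusted network")
	}
	if !b.KnownDevices[a.DeviceID] {
		score, reasons = score+20, append(reasons, "unknown device")
	}
	if !b.UsualResources[a.Resource] {
		score, reasons = score+20, append(reasons, "unusual resource")
	}
	return score, reasons
}

// Decide maps the score to an action. The thresholds are assumptions for this example:
// low risk passes on the password alone, medium risk must also pass a second factor,
// very high risk is refused outright.
func Decide(score int) string {
	switch {
	case score < 30:
		return Allow
	case score <= 90:
		return StepUp
	default:
		return Deny
	}
}

// Attempt builds a LoginAttempt from an RFC3339 timestamp and an IP literal.
func Attempt(ts, ip, device, resource string) LoginAttempt {
	at, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		panic(err)
	}
	return LoginAttempt{At: at, IP: netip.MustParseAddr(ip), DeviceID: device, Resource: resource}
}

// DayShiftBaseline is the constructed profile of a 7am to 7pm office worker.
func DayShiftBaseline() UserBaseline {
	return UserBaseline{
		WorkStart: 7, WorkEnd: 19,
		TrustedNets:    []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
		KnownDevices:   map[string]bool{"laptop-4f2a": true},
		UsualResources: map[string]bool{"timesheets": true, "shared/dept": true},
	}
}

func main() {
	// The case from the text: Sunday 2am, coffee-shop Wi-Fi, files the user never opens.
	s, why := RiskScore(DayShiftBaseline(), Attempt("2023-01-15T02:00:00Z", "203.0.113.9", "laptop-4f2a", "finance/payroll"))
	fmt.Println(s, Decide(s), why) // 90 require MFA [outside usual hours weekend untrusted network unusual resource]
}
```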
Multifactor authentication is simply a method of using more than one of the above methods to secure your stuff. In order to gain access to your information, a black hat would need to possess or have knowledge of more than one of them. A couple of examples:
At the hospital, to gain access to patient medical records, I need to know my password and swipe my identification badge and the RFID tag inside of it. A thief would have to get an authorized employee’s password and my ID badge in order to gain access to medical records. Even then, only the patients who are assigned to me (or my department) are visible to me, and even then only if I am on an IP that belongs to my hospital or a partner organization.
What many companies do: you need the password, and the company sends a text to your cell phone containing a 6-digit PIN that expires relatively quickly, say 2 minutes or so. This is to verify that the person logging in not only knows the password, but is in possession of the legitimate user’s cell phone.
There are weaknesses to all of the above methods. The employee’s badge RFID code can be read or intercepted and spoofed, and since it doesn’t change unless a new badge is issued, it is not as secure as we would like.
The SMS method has its own weakness: SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access. While some text messages are encrypted user-to-user – think iMessages between iPhones or WhatsApp messages – SMS messages are sent in plain text. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content. Unfortunately, SMS messages are easy to intercept. Even Microsoft is advising people to stop using SMS as a method of MFA.
Biometric MFA data has one large weakness: your retina, voice, and fingerprints never change. If the hash of the image can be spoofed or copied, the black hat has your data forever. That isn’t secure.
The most secure MFA is a hardware key. There are many out there, and the way that they work is both simple and complex. Currently, the most secure method of hardware key MFA is carried out with a protocol called Universal 2nd Factor, or U2F. The method used here is something very familiar to old school Internet fans who remember the PGP encryption software: public-key cryptography.
In public-key cryptography, instead of using just one key, we use a pair of keys — one key is used to lock something away digitally and only the second key in the pair can unlock it. I can keep one key — my private key — and put the public key out there for you to use. Since only my private key can unlock anything locked up by the public one, once you lock something with the public key, no one can open it but the person in possession of the private key.
These keys are called a key pair and are mathematically linked. I can create as many public keys from a private key as I want, but no one can recreate my private key from a public key. Genius, right? So how does this apply to MFA?
Key pairs can be created using software, but in the case of U2F, the private key is generated using a unique secret that is embedded during the manufacturing process and is hardwired into the circuitry of the hardware key, which is what makes it so secure.
So how it works is that you register for an account using the system that we are all familiar with: a user ID and password. Don’t forget to use a strong password. Then you register your hardware key. The server then sends a challenge consisting of a random number and an AppID to the user’s device. The hardware key then generates a nonce and hashes it together with the AppID and the secret key that is hidden in its electronic brain, using HMAC-SHA256, to create a private key that is specific to that AppID. From this private key, a public key is derived, along with a checksum. This is returned to the server, which stores it for later. The next time you go to that website, the server will verify that the hardware key is the same one that it has dealt with before by sending you the public key, thus making sure that the server is valid and securing you from a man-in-the-middle attack. Why? Because the domain is hashed together with the device secret, so if you’re on a phishing website, the token will generate a different key, and the checksum will fail.
If the information was sent from a legitimate server, it should result in the same public key since the secret inside the device didn’t change. The device will then encrypt the challenge sent by the server with the private key and send it back to the server. Now both parties have verified that they are indeed talking to the people they think they are.
Since each nonce and checksum is unique to that login request, they change every time. This makes sure that your key cannot be spoofed. It’s like using a one time pad for MFA. All cryptographic operations happen inside the token. By the time the private key leaves the token, it already has been hashed using SHA-256, so even if the user doesn’t know that the client is compromised, it’s still safe to use the token.
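The key derivation described above, as an added example written for this page (not the U2F specification’s or any vendor’s code): the token derives a per-AppID private key with HMAC-SHA256 over the AppID and a nonce, hands the server a key handle (nonce plus checksum) and the public key, and at login refuses to sign unless the checksum recomputed for the presented AppID matches, so a phishing domain gets no signature. The device secret, domains and challenge are constructed, and the signed message is simplified (real U2F also covers a counter and a user-presence flag).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Token models the hardware key. DeviceSecret stands in for the per-device secret
// burned in at manufacture; the value used below is constructed for the example.
type Token struct{ DeviceSecret []byte }

// Registration is what the token returns at enrolment and what the server stores.
type Registration struct {
	KeyHandle []byte // nonce || checksum; opaque to the server
	PubKey    *ecdsa.PublicKey
}

const nonceLen, sumLen = 32, 16

func mac(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// derivePriv builds the per-AppID private key: HMAC-SHA256(secret, AppID || nonce),
// reduced into the P-256 scalar range, with the matching public point computed from it.
func (t Token) derivePriv(appID string, nonce []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(mac(t.DeviceSecret, []byte(appID), nonce))
	d.Mod(d, curve.Params().N)
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve}, D: d}
	priv.X, priv.Y = curve.ScalarBaseMult(d.Bytes())
	return priv
}

// checksum binds a derived key to the AppID and to this device's secret.
func (t Token) checksum(appID string, priv *ecdsa.PrivateKey) []byte {
	return mac(t.DeviceSecret, []byte(appID), priv.D.Bytes())[:sumLen]
}

// Register is the enrolment step: fresh nonce, derived key pair, key handle for the server.
func (t Token) Register(appID string) (Registration, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return Registration{}, err
	}
	priv := t.derivePriv(appID, nonce)
	handle := append(nonce, t.checksum(appID, priv)...)
	return Registration{KeyHandle: handle, PubKey: &priv.PublicKey}, nil
}

// Authenticate is the login step. The browser supplies the origin's AppID, the stored key
// handle and the server's challenge. The token re-derives the key and checks the checksum;
// a phishing origin (different AppID) or a different device yields a mismatch and nothing is signed.
func (t Token) Authenticate(appID string, keyHandle, challenge []byte) ([]byte, error) {
	if len(keyHandle) != nonceLen+sumLen {
		return nil, errors.New("malformed key handle")
	}
	nonce, sum := keyHandle[:nonceLen], keyHandle[nonceLen:]
	priv := t.derivePriv(appID, nonce)
	if !hmac.Equal(sum, t.checksum(appID, priv)) {
		return nil, errors.New("key handle was not issued for this AppID by this device")
	}
	digest := sha256.Sum256(append([]byte(appID), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the server side: the signature must check out under the public key stored at registration.
func Verify(reg Registration, appID string, challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(appID), challenge...))
	return ecdsa.VerifyASN1(reg.PubKey, digest[:], sig)
}

func main() {
	tok := Token{DeviceSecret: []byte("constructed-device-secret")}
	reg, _ := tok.Register("https://bank.example")
	challenge := []byte("random-server-challenge")
	sig, err := tok.Authenticate("https://bank.example", reg.KeyHandle, challenge)
	fmt.Println("legitimate site:", err, Verify(reg, "https://bank.example", challenge, sig))
	_, err = tok.Authenticate("https://bank-login.example", reg.KeyHandle, challenge)
	fmt.Println("phishing site:", err)
}
```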
Because of the nature of this system, it ensures that you are protected from:
Phishing
Spear phishing
Keyloggers
Credential stuffing
Brute force and reverse brute force attacks
Man-in-the-middle (MITM) attacks
No matter how you keep your passwords, they are vulnerable to being discovered or stolen. A hardware key that is properly set up will make the possession of the password irrelevant without possession of the key. If you lose the key, it is worthless without the password. The key also prevents you from logging into phishing sites, because it confirms for you that the site you are giving your credentials to is the legitimate one.
When you use a hardware key, always register two of them to each account, then lock one away in your safe. This ensures that, should you lose the hardware key that you carry around, you aren’t permanently locked out of your accounts.
For right now, the most secure method of authentication is to use a unique user ID and password for each account you have. The password should use all four character types, be random, and be at least 16 characters long. Your passwords should change periodically. You should enable hardware key MFA for any sites and applications that support it, and use SMS MFA for any that do not. Although SMS MFA is flawed, it is better than not using MFA at all.
Internet crime is increasing, and the best defense is to harden your systems to the point where others are easier targets than you.
This is yet another installment of the passwords series that I have been working on. I recently asked some of the people in the comments how they secure their passwords. I got a few variations of “I don’t use technology” as an answer. They fell into the following general categories, with most people falling into more than one of them:
I use secure passwords for important stuff, but I use one common password for everything else
I write my passwords in a notebook, using a special code that only I am privy to.
I don’t use a computer or a smartphone to do financial stuff
I am too smart and/or savvy to get sucked into a phishing/spoofing scheme. I never click on or answer anything that looks odd. Instead, I call the number on the back of my credit card.
I am a small fish. No one is going to waste time with me when there are so many businesses out there to rip off, and they are the big payday.
Let’s talk about them one at a time. The first one: “I use secure passwords for important stuff, but I use one common password for everything else.” This is a trap that I myself fell into at one point. Here is the basic pitfall: All the black hat needs is to access one of your “unimportant” accounts to access so many others. Back in 2014, Home Depot was compromised when credentials stolen from one of the retailer’s vendors were used to access their computer system. The files of their customer database were stolen. It was a gold mine, containing point of sale records, credit card numbers, names, addresses, login information, and passwords. The breach cost Home Depot nearly $180 million.
Now the black hats have your name, address, telephone number, zip code, the name of your credit card company or bank, credit card number, user name, and password. They enter your login name and password into the computer database that they are using to crack other accounts, and they can now gain access to your other accounts. In fact, stolen credentials are often the most valuable things stolen during a data breach. Do you want to see if your credentials are being distributed on the Internet? Click here. The email that I use for day to day business has been compromised in 8 different data breaches. This information is very useful in spear phishing attacks like this one.
The use of computer assistance in breaching systems makes it easier, cheaper, and faster than ever before. The black hats are using GPUs and PCIe SSDs to attack large numbers of passwords in a short period of time, in a method that is very similar to, and much more lucrative than, Bitcoin mining. This makes attacking your accounts an easy profit. Passwords that you invent using some code that you think is clever are easily cracked by a black hat with a computer.
Even in the event that you don’t use a computer or a phone, you are still vulnerable to social engineering scams that use the information from large data breaches like the Home Depot breach. The attacker contacts the victim disguised as a representative of some institution, trying to get as much personal info as possible. There’s also a chance that by posing as a bank or Google agent, he or she might get the password or credit card info right away. Contrary to other techniques, social engineering can happen offline by calling or even personally meeting the victim. 22% of all cyber crime is the result of social engineering.
Think you are too small of a fish to be a target? Think again. Targeting individuals is fast becoming the trend. A black hat can set up a computer to target you, having selected you from the list obtained from a previous company data breach, and can empty your bank accounts with less than a week’s work. What’s in your bank account? Twenty grand? More? Would a thief find that amount to be fair in exchange for a week’s effort?
Watch the show “To Catch a Thief.” People on that show always think that they are clever because they hide valuables, but the thief on the show always manages to find the hiding spots, because he doesn’t search the way a homeowner does. Electronic information and its security work the same way.
No matter how you decide to do it, take the time to secure your accounts and your information using the best practices we have discussed here. You may think you are clever and have invented a system that no one else has ever thought of, but you are probably wrong.
The top 6 hackers in the US made more than $6 million in 2022 by stealing from individuals.
600,000 people a year report that they are the victims of cybercrime.
70% of data breaches are on-site breaches, not breaches of cloud assets.
The top internet crime reported to the FBI in 2022 was phishing.
More than 80% of breaches that used hacking involved brute force or the use of lost or stolen credentials.
The most impersonated brand in phishing attacks is Outlook at 19%. In second place is Facebook at 17% while Office365 ranked third at 10%.
In 2020, the state with the largest number of internet crime victims was California, with 69,541 victims and $621.5 million in losses as a result of internet crimes. Next is Florida with 53,793 victims, followed by Texas with 38,640 victims.
Here are some password security statistics:
Only 24% of US adults aged 16 to 50+ use a password manager.
53% of users around the globe have not changed their password in the last 12 months despite hearing about data breaches.
42% consider an easy-to-remember password as more important than a very secure password.
In the same survey, 80% of people said that they will be concerned when their password is compromised. Yet, 48% said that they will not change their password if it’s not required.
42% of people think that their accounts aren’t worth a hacker’s time.
You carry a gun to secure yourself from armed robbers, yet you are 200 times more likely to be the victim of internet crime. Think about that for a minute.
When I was younger, I was told that locks are there to keep honest people honest. I look at passwords the same way. Make your passwords as secure as they can be, but know that a thief can target you and take your stuff with enough effort. Just try to make your stuff harder to steal than other people’s stuff. They will move on to more easily stolen loot.
Hackers have advanced to using computers to crack passwords. The black hats are using GPUs and PCIe SSDs to attack large numbers of passwords in a short period of time, in a method that is very similar to, and much more lucrative than, Bitcoin mining. When you have to guess from billions of combinations, computer assistance is required, and they are very good at it. These tools are easily downloaded from the Internet, and each tool has its pros and cons.
Here is a list of the most popular password cracking tools.
1. John the Ripper
Featured in many popular password cracking tool lists, John the Ripper is a free, open-source, command-line application. It’s available for Linux and macOS, while Windows and Android users use a version of the software called Hash Suite.
John the Ripper supports a massive list of different cipher and hash types. Some of those are:
Unix, macOS, and Windows user passwords
Web applications
Database servers
Network traffic captures
Encrypted private keys
Disks and filesystems
Archives
Documents
There’s also a Pro version with extra features and native packages for supported OSes. Word lists used in password cracking are for sale, but free options are available as well.
2. Ophcrack
Ophcrack is a free and open-source password cracking tool that specializes in rainbow table attacks. To be more precise, it cracks LM and NTLM hashes; the former was used by Windows XP and earlier, the latter by Windows Vista and 7. NTLM is also available, to a certain degree, on Linux and FreeBSD. Both of these hash types are insecure. It’s possible to crack an NTLM hash in less than 3 hours with a fast computer, but there are still companies out there that use this hash, simply because they are too cheap to upgrade to newer, more secure software.
As you can see in the screenshot above, it took Ophcrack merely six seconds to crack an 8-symbol password while using a rainbow table that includes lowercase letters, numbers, and uppercase letters. An 8-symbol password using upper, lower, and numerical characters has 62^8 combinations (218.3 trillion possible combinations). Doing nothing more than adding in symbols and increasing the length to 10 characters would make the password 500 million times more difficult to crack. That six seconds becomes 5,700 years.
The password 9136668099 is 10 characters long and only made of numerical characters, and took 4 days to crack. Imagine how much longer that would have taken, had upper, lower, and special characters been added.
This tool comes with free Windows XP/Vista/7 rainbow tables and a brute force attack feature for simple passwords. Ophcrack is available on Windows, macOS, and Linux.
3. Cain and Abel
Downloaded almost 2 million times from its official source, Cain & Abel is another popular tool for password cracking. But contrary to John the Ripper, it has a GUI, making it instantly more user-friendly. That, and the fact that it’s available on Windows only, makes Cain & Abel a go-to tool for amateurs, also known as script kiddies.
This is a multi-purpose tool, capable of many different functions. Cain & Abel can act as a packet analyzer, record VoIP, analyze routing protocols, or scan for wireless networks and retrieve their MAC addresses. If you already have the hash, this tool will offer a dictionary or brute force attack option. Cain & Abel can also display passwords that are hiding beneath the asterisks.
4. THC Hydra
The biggest selling point of THC Hydra is the large number of protocols it supports. This is an open-source network login password cracking tool that works with Cisco AAA, FTP, HTTP-Proxy, IMAP, MySQL, Oracle SID, SMTP, SOCKS5, SSH, and Telnet, to name but a few.
The methods available with THC Hydra include brute force and dictionary attacks while also using wordlists generated by other tools. This password cracker is known for its speed. It can even run checks on different protocols simultaneously. THC Hydra is available on Windows, macOS, and Linux.
5. Hashcat
The world’s fastest password cracker, Hashcat is a free, open-source tool that’s available on Windows, macOS, and Linux. It offers a number of techniques, from simple brute force attacks to hybrid mask-and-wordlist attacks.
Hashcat can utilize a computer’s CPU and GPU at the same time. This makes cracking multiple hashes simultaneously much faster. But what makes this tool truly universal is the number of supported hash types. Hashcat can decipher MD5, SHA3-512, ChaCha20, PBKDF2, Kerberos 5, 1Password, LastPass, KeePass, and many more. In fact, it supports over 300 hash types.
But before they can crack your passwords, black hats need the password hash. Here are some of the most popular tools for obtaining hashes:
Mimikatz. Known as a password audit and recovery app, Mimikatz can also be used for malicious hash retrieval. In fact, it can also extract plaintext passwords or PIN codes.
Wireshark. Wireshark enables packet sniffing. It is an award-winning packet analyzer used not only by hackers but also by business and governmental institutions.
Metasploit. This is a popular penetration testing framework. Designed for security professionals, Metasploit can also be used by hackers to retrieve password hashes.
The best defense against password cracking is using a strong password. Using enough symbols and different types of characters ensures that even the fastest computer won’t crack your account in this century. And since remembering multiple strong passwords is unlikely, the best bet is to use a reliable password manager. Multi-factor authentication (MFA) is still a pain in the rear for any hacker, so adding that to your arsenal will go a long way to making things more secure. More on MFA later.
Here is the continuation of the password security series. So you have a password manager, which has some serious advantages:
You have secure passwords that are 12 to 20 characters long, made up of upper and lower case letters, numbers, and symbols, and are random(ish), containing no dictionary words or their variants (like p@$$woRd)
You can have a different password for every online account, stored away in an easy to use and retrieve format
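An added example (not from the original post) that checks the three properties just listed, including the “p@$$woRd” case: it undoes common leet substitutions before looking for dictionary words. The word list and substitution table are short constructed stand-ins for a full wordlist.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// A few common words, constructed for the example; a real check loads a full wordlist.
var wordlist = []string{"password", "welcome", "summer", "dragon", "monkey", "admin", "letmein"}

// leet maps the usual substitutions back to the letters they stand for.
var leet = map[rune]rune{
	'@': 'a', '4': 'a', '$': 's', '5': 's', '0': 'o', '1': 'i', '!': 'i', '3': 'e', '7': 't', '|': 'l',
}

// Normalize lowercases the password and undoes leet substitutions, so "p@$$woRd" becomes "password".
func Normalize(p string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(p) {
		if plain, ok := leet[r]; ok {
			r = plain
		}
		b.WriteRune(r)
	}
	return b.String()
}

// DictionaryWord returns the first listed word found inside the normalized password.
func DictionaryWord(p string) (string, bool) {
	n := Normalize(p)
	for _, w := range wordlist {
		if strings.Contains(n, w) {
			return w, true
		}
	}
	return "", false
}

// CharClasses counts how many of lower, upper, digit and symbol appear in p.
func CharClasses(p string) int {
	var lower, upper, digit, symbol bool
	for _, r := range p {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	for _, present := range []bool{lower, upper, digit, symbol} {
		if present {
			n++
		}
	}
	return n
}

// Check applies the three properties from the list above and returns every one that fails.
func Check(p string) []string {
	var problems []string
	if n := utf8.RuneCountInString(p); n < 12 || n > 20 {
		problems = append(problems, fmt.Sprintf("length %d is not between 12 and 20", n))
	}
	if CharClasses(p) < 4 {
		problems = append(problems, "does not use all four character types")
	}
	if w, ok := DictionaryWord(p); ok {
		problems = append(problems, "contains dictionary word or variant: "+w)
	}
	return problems
}

func main() {
	for _, p := range []string{"p@$$woRd2023!!", "Summ3r", "Xq7#mL2$vB9!pT"} {
		fmt.Printf("%-16s %v\n", p, Check(p))
	}
}
```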
You can also store answers to challenge questions in your wallet. When the bank challenges you to name your third grade teacher, you can respond with “Mrs. Smith” or you can answer the challenge with a random string of characters stored in your password wallet. Look at the “notes” field (not from my real account or wallet).
This picture is from the Internet. It isn’t my account.
Down there in the “notes” section, I will put the challenge question and its answer. I always use the “generate random password” feature to generate a random password and use that as the answer to the challenge question. Good luck guessing that, hacker bitches.
All of your passwords are secure in your encrypted password wallet. Or are they?
LastPass was recently hacked: a black hat used the credentials of an employee, compromised in a phishing attack, to gain access to and download their entire database of encrypted user files. I’m not blaming LastPass for that one. It could have happened to any company, and to their credit, at least they came clean and let everyone know.
This created two problems for LastPass users. Now that the black hats had the files, there are two ways that they can access them:
They can try to brute force the master password for the file. This is where a strong master passphrase works to your advantage. If you are smart, as soon as you learn of the breach, you change the most important of your passwords (master password, followed by bank and email accounts, then others) before they get a chance to guess the master passphrase. By the time they have your passwords, you have already changed them and it won’t matter.
Since the LastPass encrypted file doesn’t encrypt the website URLs, only the login, password, and notes, the weakness here is that the black hat can run a targeted phishing attack similar to what was done to this Australian woman or this woman who was targeted by a man claiming to be a Chase fraud investigator. These attacks can be quite convincing.
To guard against someone compromising some or all of your passwords, you can use Multifactor Authentication (MFA). MFA is simply a second way of ensuring that the person accessing an account is the authorized user. The most common form is a code sent by SMS. You enter your password, then you get a prompt to enter a code or PIN that’s sent to your phone number. After you type in the code, you’re in. Simple, right?
Not quite. SMS-based MFA is weak because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access. While some text messages are encrypted user-to-user – think iMessages between iPhones or WhatsApp messages – SMS messages are sent in plain text. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content. Unfortunately, SMS messages are easy to intercept. Even Microsoft is advising people to stop using SMS as a method of MFA.
It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly-switched telephone networks (PSTN), and they are the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong authentication now – the authenticator app provides an immediate and evolving option.
Alex Weinert of Microsoft
Don’t rely on just a password. Don’t rely on one password. There are tons of scammers out there who want access to your stuff. Keep it as secure as you can make it.
The authenticator app still relies on you being in possession of your cell phone, and in my opinion creates a single point of failure: the loss of your phone places both the password wallet and the means of MFA in someone else’s possession.
I don’t worry about the three letter agencies getting my stuff. If they want it, they are going to get it. They don’t need to steal my passwords, they aren’t going to spoof my phone, and they aren’t going to use my IoT devices to spy on me. You know what they are going to do? Present a national security letter to my bank, my employer, Google, my ISP, and anyone else they feel like, and the companies involved are going to tell them anything they want to know.
The purpose of the security I am writing about is protection from scammers who aren’t the government.
Still, there will be a future post on MFA, since this one is getting a bit long. On a side note, this series of posts represents my ongoing research into ways for securing my information. I tend to research and look into things that I am adopting. I figure that you can benefit from my research efforts.
To continue my examination of passwords, we have already seen how to generate them. Now that we have spent all of that time coming up with a password that is hard for someone to guess, we need to be able to use it while keeping it secure. How do we make them user friendly and accessible while at the same time ensuring that they are secure from prying eyes?
Once you have generated your password, you need to remember it. Anyone can remember a few secure passwords, but remembering a bunch of them becomes problematic, especially when they are secure and change every few months, as they should.
The use of memory devices like license plate numbers, or children’s birthdates, or whatever other mnemonics you may use has two drawbacks: the number of passwords that you can remember that way is limited, and they are difficult to keep straight across a large number of accounts. I tried that method, and it fails when you begin getting a large number of them.
My password wallet has over 300 unique passwords stored in it. Some of them, like for bank and email accounts, are 20 characters long and change twice a year. Others, like for commenting on Disqus, are 12 characters long and may change every two or three years. That’s a lot of remembering. I simply can’t do it.
So how do we store our passwords? I used to use one common password for bank accounts, another for email accounts, yet another for blogs, etc. What this means is that you are running the risk of a data breach at one company exposing your passwords for others. Not ideal.
You can keep them off of all computers and just do what my mother in law does. She keeps a notebook with all of her passwords written down in it. Then what? Do you carry it around with you? What if you lose it? How do you constantly update it? Not convenient, not secure.
One big security hole for passwords is your spellchecker. Your spellchecker has a list of words that are spelled correctly, and compares that list to the words that you are typing. If there is not a match, it marks a word as misspelled and may even suggest the correct spelling. Some systems will even automatically insert the word that is a likely match. Users add new words to the spellcheck dictionary by telling the system that the word is correctly spelled, then the software adds the new word to the dictionary.
What if that new word isn’t a word at all, but is instead the password to your bank account? Spellcheck dictionaries aren’t secure at all. The spellchecker simply marks the passwords as being correctly spelled by saving them to the dictionary. The two Internet browsers that are most notorious for this are the “enhanced spell check” feature found in Chrome’s settings or the browser extension “Spelling & Grammar Checker” for Microsoft Edge. Huge security problem there.
You can let Google store them for you, but that isn’t a great idea. Do I really need to explain why?
So we are left with password storage companies. If we want our passwords to work across multiple platforms- at home, on our cell phones, at work, and everywhere else we use them, there are only a couple of ways to do that. We can transfer them from platform to platform manually, or we can allow the password wallet to be stored on another person’s system.
These systems have advantages- we can store a large number of complex passwords in a format that makes them readily available. The password list is more secure than writing them down, and since the password storage company stores the password file in an encrypted format with the decryption key being your master password, you now only have to remember the master password. For those of you who have a trick for memorizing a password, here is where you shine. You can use the license plate numbers of your last three cars, your kids’ birthdates, and other mnemonics to come up with a secure passphrase that is easy for you to remember, but hard for a black hat to guess, and use that to secure your password wallet.
The risk here was displayed by LastPass recently. A password company’s files can be compromised, and the black hats are then in possession of your encrypted passwords. They can brute force your master passphrase at their leisure and get your passwords.
This post is already long, so we can discuss this in a later post.
COMSEC is a type of INFOSEC. Your information needs to be secure from disclosure, and I have been doing quite a bit of research on that over the past few days.
A few days ago, I posted about INFOSEC and using a password wallet. Some interesting ideas were shared, good questions asked, and so I thought I would share some thoughts on the concept of passwords and password managers.
The basic theory behind passwords is simple: a password is a way for two parties to establish that one of them is the person authorized to access the files or other electronic resources that the other party is the custodian of. The process is called authentication, and the use of a user name/password combination is the first, simplest, and most common method of user authentication. It’s also one of the most insecure, for reasons we will explore.
The insecurity of username/password authentication is rooted in a couple of things, one of them being the users themselves. All of them. A user can be phished, hacked, or otherwise compromised. There are ways to mitigate most of the risks. What are the risks?
The simple brute force attack is the most basic of all brute force attacks. The bad actor tries to guess the user’s password without the employment of software tools. The attacker relies on trying out commonly used, weak passwords such as 123456, qwerty, password, and password123. Unfortunately, the simple brute force attack can be pretty effective, because many people continue to use weak and otherwise poor passwords to secure their online accounts.
Computer programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second. If your password is random, it will take an average of 8,000 years to guess a 12 character password with even the fastest computers. One type of computerized brute force attack relies on words found in the dictionary. This sort of brute force attack is called a dictionary attack and uses a vast number of common words and their variations. To do that, hackers use software that can make thousands of guesses every second using dictionary databases.
Then there is a hybrid attack. A hybrid attack combines a dictionary attack with a simple brute force attack for a better chance of success. Often a hybrid attack is utilized once the attacker already knows the username of their victim. You see this one when a data breach has released a company’s user names and email addresses.
Choose a complex password. It should be made of upper and lower case letters, numbers, and symbols. Doing that means you start with a base of 52 letters, 10 numbers, and up to 33 symbols, for a total base of 95.
Choose a password of at least 12 characters. Doing it this way means you are raising the base (95) to the power of the number of characters. So a 12 character password means that there are 540,360,090,000,000,000,000,000 possible combinations of passwords- that’s 540 sextillion possible combinations (5.4×10^23).
You should avoid the use of common words and common passwords. This will mitigate the risk of dictionary, hybrid, and simple brute force attacks.
The suggestion was made of using a 6 word password generated using diceware. The thing that I laughed at from the diceware website was “Do not use a computer program or electronic dice generator. There is no easy way to be sure they are random enough.” That one statement was enough to tell me that the website’s author doesn’t know what they are talking about. They are worried that a random number generator isn’t random enough, while at the same time ignoring the fact that their word list is public and uses words from the dictionary. This means it will not be as secure as using random characters: no matter how random your word selection is, the use of dictionary words compromises the randomness of the password. If they know you made your password from this word list, you are screwed. If they don’t, then the randomness with which you picked the words from the list doesn’t matter.
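To put numbers on the base-to-the-power-of-length reasoning above, and on the diceware comparison, here is a small calculator. It is an added example written for this post, not code from the author or from the diceware project. It uses the post’s own figures (52 letters, 10 digits, 33 symbols for a base of 95; 10,000 to 1 billion guesses per second) and, for the word-list case, assumes a 7,776-word list of the kind diceware uses, counting the keyspace as the attacker who knows the list would: list size to the power of the number of words, not characters.

```python
import math

# Character classes as counted in the post: 26 + 26 letters, 10 digits, 33 symbols = 95.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}

# Guess rates quoted in the post.
GUESS_RATES = {"10,000 guesses/s": 10_000, "1 billion guesses/s": 1_000_000_000}

# Assumed size of a diceware-style word list (5 dice, 6^5 words).
DICEWARE_LIST_SIZE = 7776

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(classes):
    """Size of the character base for the chosen classes, e.g. all four -> 95."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(base, length):
    """Number of distinct passwords of exactly `length` symbols drawn from `base` choices."""
    return base ** length


def entropy_bits(base, length):
    """log2 of the keyspace: the number of bits a uniformly random choice carries."""
    return length * math.log2(base)


def average_years_to_guess(space, guesses_per_second):
    """Expected time to hit a uniformly random password: on average half the keyspace is tried."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


def passphrase_keyspace(list_size, words):
    """Keyspace of a passphrase built from a public word list the attacker already knows.
    Each word is one symbol drawn from `list_size` choices, so character count is irrelevant."""
    return list_size ** words


def compare(length=12, words=6):
    """Side-by-side summary of a random character password and a word-list passphrase."""
    base = alphabet_size(["upper", "lower", "digit", "symbol"])
    char_space = keyspace(base, length)
    word_space = passphrase_keyspace(DICEWARE_LIST_SIZE, words)
    return {
        "base": base,
        "char_keyspace": char_space,
        "char_bits": entropy_bits(base, length),
        "word_keyspace": word_space,
        "word_bits": entropy_bits(DICEWARE_LIST_SIZE, words),
        "char_years": {name: average_years_to_guess(char_space, r) for name, r in GUESS_RATES.items()},
        "word_years": {name: average_years_to_guess(word_space, r) for name, r in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    summary = compare()
    print(f"base {summary['base']}, 12 random characters: {summary['char_keyspace']:,} "
          f"({summary['char_bits']:.1f} bits)")
    print(f"6 words from a {DICEWARE_LIST_SIZE}-word list: {summary['word_keyspace']:,} "
          f"({summary['word_bits']:.1f} bits)")
    for name in GUESS_RATES:
        print(f"  at {name}: {summary['char_years'][name]:.3g} years (chars) vs "
              f"{summary['word_years'][name]:.3g} years (words)")
```

Two things worth noticing when you run it: the 12-character count comes out to the 5.4×10^23 quoted above, and the 6-word passphrase against an attacker who knows the list is a smaller keyspace than 12 random characters, which is the post’s point. The average-time figures assume the password really is uniformly random; a password built from a license plate or a birthday is drawn from a far smaller space than the arithmetic suggests.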
The last type of attack is called a rainbow table attack. Websites or apps don’t store passwords in plaintext. What they do is encrypt user passwords with hashes. Once the password is used for logging in, it is immediately converted to a hash. The next time the user logs in using their passwords, the server checks whether the password matches the previously created hash. If the two hashes match, the user is then authenticated. The tables used to store password hashes are known as rainbow tables.
In most instances, the hacker launching a rainbow table attack would need to have the rainbow table at their disposal. Often these can be bought on the dark web or stolen in a data breach. During the attack, bad actors use the table to decrypt the password hashes and so gain access to a plaintext password. The big risk here is not only access to that account: the other accounts of anyone who reuses passwords from one site to another are now at risk too.
The security of the password is restricted to the security of the custodian of the information that the password is securing. If you have an account with Home Depot, and they get hacked because they have shitty security, the bad guys now have your credentials. Having a secure password means nothing if the company you are doing business with doesn’t take security seriously.
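What separates a custodian who takes security seriously from one who doesn’t is mostly how the hash is made. This is an added example, not code from any site named in this post, showing the weak scheme (a single fast, unsalted hash, which a precomputed table can be looked up against) next to the sound one (a per-user random salt and a deliberately slow key derivation, here PBKDF2-HMAC-SHA256 from Python’s standard library with an iteration count chosen for this example). The same slow derivation from a master passphrase is what makes the offline guessing described in the LastPass paragraph expensive for whoever holds the stolen file. The weak password list is just the post’s own examples.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for this example, tune for your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16

# The weak passwords named in the post, used here to build a toy precomputed lookup table.
WEAK_PASSWORDS = ["123456", "qwerty", "password", "password123"]


def unsalted_sha256(password: str) -> str:
    """The weak scheme: fast and unsalted, so equal passwords give equal hashes
    and a table computed once can be reused against every user and every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> plaintext map. Only useful against the weak scheme above."""
    return {unsalted_sha256(p): p for p in candidates}


def lookup(table, stored_value: str) -> Optional[str]:
    """Recover a plaintext from the table, or None if the stored value is not in it."""
    return table.get(stored_value)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """The sound scheme: random per-user salt plus a slow derivation.
    Returns a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the salt and iteration count stored in the record.
    The constant-time comparison avoids leaking how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo():
    """Two users who chose the same weak password, stored both ways."""
    table = build_lookup_table(WEAK_PASSWORDS)
    weak_a, weak_b = unsalted_sha256("qwerty"), unsalted_sha256("qwerty")
    sound_a, sound_b = hash_password("qwerty"), hash_password("qwerty")
    return {
        "unsalted_identical": weak_a == weak_b,          # True: the table hits both at once
        "unsalted_recovered": lookup(table, weak_a),     # "qwerty"
        "salted_identical": sound_a == sound_b,          # False: different salts
        "salted_recovered": lookup(table, sound_a),      # None: the table does not apply
        "salted_verifies": verify_password("qwerty", sound_a) and verify_password("qwerty", sound_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is not a secret; it sits in the record next to the hash. Its job is to make every user’s hash unique, so a table has to be rebuilt per user, and the iteration count then makes each guess cost real time. Neither helps a user who reuses a weak password somewhere that stores it the weak way, which is the reuse risk the paragraph above describes.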
Choosing a good password is just the first step in securing your online data. Now you have to store that password in a format that makes it easy to retrieve your password, while simultaneously making it secure from disclosure to unauthorized parties. That will be a future post.