Account and INFO Security

How To Store and Use Passwords

To continue my examination of passwords: we have already seen how to generate them. Now that we have spent all of that time coming up with a password that is hard for someone to guess, we need to be able to use it while keeping it secure. How do we make passwords user friendly and accessible while at the same time ensuring that they are safe from prying eyes?

Once you have generated your password, you need to remember it. Anyone can remember a few secure passwords, but remembering a bunch of them becomes problematic, especially when they are secure and change every few months, as they should.

Memory devices like license plate numbers, children’s birthdates, or whatever other mnemonics you may use have two drawbacks: the number of passwords you can remember that way is limited, and they are also difficult to keep straight across a large number of accounts. I tried that method, and it fails when you begin getting a large number of them.

My password wallet has over 300 unique passwords stored in it. Some of them, like for bank and email accounts, are 20 characters long and change twice a year. Others, like for commenting on Disqus, are 12 characters long and may change every two or three years. That’s a lot of remembering. I simply can’t do it.

So how do we store our passwords? I used to use one common password for bank accounts, another for email accounts, yet another for blogs, etc. What this means is that you are running the risk of a data breach at one company exposing your passwords for others. Not ideal.

You can keep them off all computers and just do what my mother-in-law does. She keeps a notebook with all of her passwords written down in it. Then what? Do you carry it around with you? What if you lose it? How do you constantly update it? Not convenient, not secure.

How about letting the browser on your computer store it? Then it isn’t portable across platforms. Many browsers store passwords in an insecure format that is there for some hacker to steal. Not secure. That’s because desktop web browsers do a lousy job of safeguarding your information.

One big security hole for passwords is your spellchecker. Your spellchecker has a list of words that are spelled correctly, and compares the words that you are typing against that list. If there is no match, it marks a word as misspelled and may even suggest the correct spelling. Some systems will even automatically insert the word that is a likely match. Users add new words to the spellcheck dictionary by telling the system that the word is correctly spelled, and the software then adds the new word to the dictionary.

What if that new word isn’t a word at all, but is instead the password to your bank account? Spellcheck dictionaries aren’t secure at all. The spellchecker simply marks the password as correctly spelled by saving it to the dictionary. The two most notorious examples of this are the “enhanced spell check” feature found in Chrome’s settings and the “Spelling & Grammar Checker” browser extension for Microsoft Edge. Huge security problem there.

You can let Google store them for you, but that isn’t a great idea. Do I really need to explain why?

So we are left with password storage companies. If we want our passwords to work across multiple platforms: at home, on our cell phones, at work, and everywhere else we use them, there are only a couple of ways to do that. We can transfer them from platform to platform manually, or we can allow the password wallet to be stored on another person’s system.

These systems have advantages: we can store a large number of complex passwords in a format that makes them readily available. The password list is more secure than writing them down, and since the password storage company stores the password file in an encrypted format with the decryption key being your master password, you now only have to remember the master password. For those of you who have a trick for memorizing a password, here is where you shine. You can use the license plate numbers of your last three cars, your kids’ birthdates, and other mnemonics to come up with a secure passphrase that is easy for you to remember but hard for a black hat to guess, and use that to secure your password wallet.

The risk here was displayed by LastPass recently. A password company’s files can be compromised, and the black hats are then in possession of your encrypted passwords. They can brute force your master passphrase at their leisure and get your passwords.

This post is already long, so we can discuss this in a later post.

By Divemedic, January 8, 2023

More On Password Authentication

COMSEC is a type of INFOSEC. Your information needs to be secure from disclosure, and I have been doing quite a bit of research on that over the past few days.

A few days ago, I posted about INFOSEC and using a password wallet. Some interesting ideas were shared, good questions asked, and so I thought I would share some thoughts on the concept of passwords and password managers.

The basic theory behind passwords is simple: a password is how two parties establish that one of them is the person authorized to access the files or other electronic resources that the other is the custodian of. The process is called authentication, and the use of a user name/password combination is the first, simplest, and most common method of user authentication. It’s also one of the most insecure, for reasons we will explore.

Username/password authentication is insecure for a couple of reasons, one of them being the users themselves. All of them. A user can be phished, hacked, or otherwise compromised. There are ways to mitigate most of the risks. What are the risks?

The simple brute force attack is the most basic of all brute force attacks. The bad actor tries to guess the user’s password without the employment of software tools. The attacker relies on trying out commonly used, weak passwords such as 123456, qwerty, password, and password123. Unfortunately, the simple brute force attack can be pretty effective, because many people continue to use weak and otherwise poor passwords to secure their online accounts.

Computer programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second. If your password is random, it will take an average of 8,000 years to guess a 12 character password with even the fastest computers. One type of computerized brute force attack relies on words found in the dictionary. This sort of brute force attack is called a dictionary attack and uses a vast number of common words and their variations. To do that, hackers use software that can make thousands of guesses every second using dictionary databases.

Then there is a hybrid attack. A hybrid attack combines a dictionary attack with a simple brute force attack for a better chance of success. Often a hybrid attack is used once the attacker already knows the victim’s username. You see this one when a data breach has released the user names and email addresses of a company’s customers.

  • Choose a complex password. It should be made of upper and lower case letters, numbers, and symbols. Doing that means you start with a base of 52 letters, 10 numbers, and up to 33 symbols, for a total base of 95.
  • Choose a password of at least 12 characters. Doing it this way means you are raising the base (95) to the power of the number of characters. So a 12 character password means that there are 540,360,090,000,000,000,000,000 possible combinations of passwords: that’s 540 sextillion possible combinations (5.4×10^23).
  • You should avoid the use of common words and common passwords. This will mitigate the risk of dictionary, hybrid, and simple brute force attacks.

The suggestion was made of using a 6 word password generated using diceware. The thing that I laughed at from the diceware website was “Do not use a computer program or electronic dice generator. There is no easy way to be sure they are random enough.” That one statement was enough to tell me that the website’s author doesn’t know what they are talking about. They are worried that a random number generator isn’t random enough, while at the same time ignoring the fact that their word list is public and uses words from the dictionary. This means it will not be as secure as using random characters. No matter how random your word selection is, the use of dictionary words compromises the randomness of the password. If they know you made your password from this word list, you are screwed. If they don’t, then the randomness with which you picked the words from the list doesn’t matter.
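To put numbers on the search-space arithmetic in the list above and on the diceware comparison, here is an added worked example; it is not the blog’s own code. It assumes the attacker knows which character classes (or, for diceware, which public word list) the password was drawn from, the worst-case assumption normally used when sizing a password, and it uses the guess rates the post quotes (10,000 and 1 billion per second) together with the standard 7,776-word diceware list.

```python
"""Brute-force search-space arithmetic for the password advice in the post.

Added example (not the blog's own code). The attacker is assumed to know the
character classes in use, or the public word list for diceware, which is the
standard worst-case assumption when sizing a password.
"""
import math

# Character-class sizes quoted in the post: 52 letters, 10 digits, 33 symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Guess rates quoted in the post: 10,000 to 1 billion guesses per second.
GUESS_RATES = {"10k/s": 10_000, "1G/s": 1_000_000_000}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(classes):
    """Size of the alphabet when every listed character class may be used."""
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(base, length):
    """Number of distinct passwords of exactly `length` symbols drawn from `base` symbols."""
    return base ** length


def entropy_bits(space):
    """Equivalent bits of entropy for a password chosen uniformly from `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate (average is half of this)."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(length=12, words=6, diceware_list_size=7776):
    """Compare a random character password with a diceware passphrase.

    7776 = 6**5 is the size of the standard diceware list (five dice per word).
    Returns {label: (search_space, bits)} so the caller can inspect the figures.
    """
    base = alphabet_size(["lower", "upper", "digit", "symbol"])  # 95, as in the post
    char_space = search_space(base, length)
    word_space = search_space(diceware_list_size, words)
    return {
        f"{length} random chars from {base}": (char_space, entropy_bits(char_space)),
        f"{words} diceware words from {diceware_list_size}": (word_space, entropy_bits(word_space)),
    }


if __name__ == "__main__":
    for label, (space, bits) in compare().items():
        print(f"{label}: {space:.3e} candidates, {bits:.1f} bits")
        for rate_label, rate in GUESS_RATES.items():
            years = years_to_exhaust(space, rate)
            print(f"  exhaust at {rate_label}: {years:.3g} years (average {years / 2:.3g})")
```

Run it and the figures for 12 random characters from the 95-symbol alphabet and for six diceware words come out side by side: candidates, equivalent bits, and years to exhaust the space at each guess rate.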

The last type of attack is called a rainbow table attack. Websites or apps don’t store passwords in plaintext. What they do is encrypt user passwords with hashes. Once the password is used for logging in, it is immediately converted to a hash. The next time the user logs in using their passwords, the server checks whether the password matches the previously created hash. If the two hashes match, the user is then authenticated. The tables used to store password hashes are known as rainbow tables.

In most instances, the hacker launching a rainbow table attack would need to have the rainbow table at their disposal. Often these can be bought on the dark web or stolen in a data breach. During the attack, bad actors use the table to decrypt the password hashes and so gain access to a plaintext password. The big risk here is not only the access to that account, but the other accounts of those who reuse passwords from one site to another are now at risk.
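The hashing described above, as an added example that is not the blog’s own code: it builds a small precomputed table of hashes of the weak passwords named earlier in the post and runs it against two constructed breach dumps, one stored with a bare unsalted hash and one stored with a per-user salt and an iterated key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library). The user names, the passwords and the 10,000-iteration work factor are constructed for the demonstration.

```python
"""Precomputed hash tables versus salted, slow password hashes.

Added example, not the blog's own code. The user accounts, passwords and the
attacker's candidate list are constructed for the demonstration.
"""
import hashlib
import hmac
import os

# Constructed candidate list: the weak passwords named in the post.
COMMON_PASSWORDS = ["123456", "qwerty", "password", "password123"]

# PBKDF2 work factor. Kept low so the demo runs quickly; production settings are far higher.
ITERATIONS = 10_000


def fast_unsalted_hash(password):
    """Weak scheme: a single unsalted SHA-256. The same password hashes identically everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password, salt=None, iterations=ITERATIONS):
    """Recommended scheme: random per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store everything needed to verify later: algorithm, cost, salt, digest.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_slow_salted(password, stored):
    """Recompute the KDF with the stored salt and cost, then compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_precomputed_table(candidates):
    """Attacker's one-time work: map hash -> plaintext for every candidate password."""
    return {fast_unsalted_hash(p): p for p in candidates}


def recover_from_unsalted_store(store, table):
    """Against unsalted hashes the leaked values are simply looked up; no hashing at attack time."""
    return {user: table[h] for user, h in store.items() if h in table}


def recover_from_salted_store(store, candidates):
    """Against salted hashes the table is useless: every guess for every user is a fresh KDF run.

    Returns (recovered, kdf_calls) so the attacker's work can be counted.
    """
    recovered, kdf_calls = {}, 0
    for user, stored in store.items():
        for guess in candidates:
            kdf_calls += 1
            if verify_slow_salted(guess, stored):
                recovered[user] = guess
                break
    return recovered, kdf_calls


def demo():
    """Constructed breach: two users share a weak password, one has a strong random one."""
    users = {"alice": "password123", "carol": "password123", "bob": "tR8$vQ2!mZ9#xL4p"}
    unsalted_store = {u: fast_unsalted_hash(p) for u, p in users.items()}
    salted_store = {u: slow_salted_hash(p) for u, p in users.items()}
    table = build_precomputed_table(COMMON_PASSWORDS)
    salted_recovered, kdf_calls = recover_from_salted_store(salted_store, COMMON_PASSWORDS)
    return {
        "unsalted_recovered": recover_from_unsalted_store(unsalted_store, table),
        "unsalted_collide": unsalted_store["alice"] == unsalted_store["carol"],
        "salted_recovered": salted_recovered,
        "salted_collide": salted_store["alice"] == salted_store["carol"],
        "salted_kdf_calls": kdf_calls,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted store gives up every common password with a dictionary lookup and no hashing at attack time, and two users with the same password have identical hashes, so one lookup exposes both. The salted store defeats the table: each guess against each user costs a full KDF run (twelve runs for four guesses against three users here), and identical passwords no longer collide. The same work-factor idea is what stands between a stolen encrypted vault, the LastPass scenario in the earlier post, and its master passphrase: the attacker pays the KDF cost on every guess.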

The security of the password is restricted to the security of the custodian of the information that the password is securing. If you have an account with Home Depot, then they get hacked because they have shitty security, the bad guys now have your credentials. Having a secure password means nothing if the company you are doing business with doesn’t take security seriously.

Choosing a good password is just the first step in securing your online data. Now you have to store that password in a format that makes it easy to retrieve your password, while simultaneously making it secure from disclosure to unauthorized parties. That will be a future post.

By Divemedic, January 3, 2023

Password foolishness

Passwords. I understand that many web admins want to ensure the security of their systems. I recently had to change my password for a site, and here are the requirements:
  1. Password must be changed every 90 days.
  2. Password cannot be a repeat of any of your last ten passwords.
  3. Password must contain three of the following: capital letter, number, punctuation mark, lower case letter.
  4. Password cannot be a variation of your name.

Seriously, most of my online accounts are not that important. Places like pizza delivery, sandwich shops, online forums, and the like don’t need that sort of security. I have to try to remember hundreds of passwords. Sure, I can use a password wallet, but that is kind of a weak point, isn’t it? After all, if a hacker wants to get my accounts, he can hit paydirt from getting the password from my wallet…

By Divemedic, October 25, 2013

Items in this website may be used if proper credit is given. A link back would be nice.