Dear Author

Security. I Can Haz It?

There were a lot of comments about security in last week’s post, so I thought this week I would talk about computer security issues. I’ll hit just a few subjects, since this is a big and complicated one. And, of course, I’m trying to keep things simple, brief, and accurate, and those things are, in some cases, incompatible.

Bad Security. Whose Fault is it?

There’s a lot of blaming of users who get hit by malware or who lose control of their email accounts or logins to websites. And yes, some people are very careless, inattentive, or unaware. This fact should come as no surprise to anyone. That some people click on spam emails, however, should not absolve others of the duty to provide a secure application or computing environment. I put most of the blame where the money is, and it’s not with the end-user. It’s with computer hardware manufacturers, with Operating Systems, and application developers.

It used to be you had to know how your car ran in order to safely drive it and fix it when it broke down. And for people whose brains work that way, yay!! More power to ‘em. But not everyone can, wants to, or has the time to understand their car at that depth. And these days? Not so feasible. We shouldn’t have to be engineers of any kind in order to safely use our cars. Or our computing devices.

In a perfect world, security would be “out of the box” and ongoing. AND that state of affairs would not make the product unusable. Microsoft has gotten a lot better at this, no question, but they have not made a good marriage of flexibility and simplicity. Both those things are hard, and MS has not updated and streamlined its dialog box system in decades. (This is why, decades after Windows 3.5, there are dialog boxes where you can only see the beginning of a path and not the end, which is often the only part you care about.) #stillbroken

Choices are buried in multiple hierarchies that don’t make sense to anyone but an engineer. My brain hurts just thinking about it. On the other hand, for the technically inclined, the Windows OS is pretty dang powerful. Like I said, it’s better than it used to be.

Wireless Heck

Here is an example of what I mean:

Anyone who has ever set up a wireless network—which someone in any household with internet access must do—knows that this can be a confusing, multi-step process that can leave you unable to access the internet.

One of the first questions you encounter is whether you want to use WEP or WPA. The normal user’s answer to this is “whichever one works” where “works” is defined as “when I’m done with a 30-second set up, I can surf the web and no one can steal my banking information.”

Acronym Hell

That is not what technology asks of users. What users get, instead, is Acronym Hell. What we get is calls to tech support where we’re supposed to change router channels (11? 8? 2?). None of the parts that should talk to each other natively do so. Is the problem with your router? Your computer? Your wireless device settings? Your firewall? What do you mean, what’s my MAC address? And then you find out you have to pick up a component, turn it over, or upside down, or, worse, open a panel, and find a very tiny, long series of characters.

If it Ain’t Broke, Don’t Fix It

Is it any wonder that once you get this Rube Goldberg device of concatenations working, you never EVER touch it again? Because if you do, it will break. If you later hear that you should not be using WEP (whatever that means)* because it’s insecure, you know you face the horror of figuring out how to switch to something else and that the process is likely to fail at some point, and there goes your evening of following dirty Tumblr posts. Right now, you can do everything you need to do. And so you do. And you continue to do so until it doesn’t work for some reason.

X

If you’re a Windows user, raise your hand if you have set up your wireless network and seen nothing but a red X between your network and the Internet. When you ask for more information, you are helpfully told you have no Internet access; would you like to set up your network or have MS troubleshoot the error? If you say yes to either, you are told that the red X means you have no access to the Internet and that all devices are working properly.

Three hours later, you can finally check your email.

If you’re on a Mac, this is unlikely to happen. Which is not to say there are no issues, but there are fewer of them. Most of the time, it just works, once you’ve picked no security, WEP, WEP2, WPA or something else who the hell knows what.

And then, after all that, passwords happen

As a database administrator I can tell you that most user passwords are terrible, horrible, profane, and crackable instantly. Don’t read this list if you’re easily offended.

  • 12345
  • abcdefg
  • password
  • password123
  • fuckyou
  • ilovepussy
  • jesussaves

NB: Not from that password He doesn’t.

These are not just passwords I have encountered. They are among the most common passwords stored in databases. It’s easy to write a query that sorts passwords by most frequently appearing. This list is from such a query.

The Problem with Passwords

  1. People have to remember them;
  2. In order to be hard to crack, they should be long and random (it’s more complicated than this);
  3. Reusing passwords across sites is not a good idea;
  4. People cannot remember a different password for every site that requires a password;
  5. A given site may not allow sufficient complexity of passwords;
  6. Any password based on information personal to you is vulnerable to guessing;
  7. Any password based on a pattern is vulnerable to cracking;
  8. People can be tricked into revealing their passwords;
  9. Malware or other vulnerabilities can intercept or reveal passwords;
  10. The systems that store your passwords can be hacked.

Fun Facts About Passwords

From http://www.lockdown.co.uk/?pg=combi

If your password contains only numbers, it will be cracked instantly. (Obviously, length matters. The number of digits that are secure against cracking is unlikely to intersect with your ability to remember them AND your willingness to type them all—without error. Assuming the database can store a password of that length.)

If your password contains only letters and is 8 characters or less, it will be cracked instantly.

At 10 characters, expect it to fall in 40 hours.

Mixed case alphanumeric: 7.2 quadrillion possible combinations, falls in 83.5 days (at 1,000,000,000 passwords/sec).

Those figures are from 2009. It’s faster now; the processing power has moved down the food chain, as it were. Based on experience, I can say with a high degree of certainty, dear reader, your password sucks. Yes. I’m looking at YOU. OK, almost all of you. You don’t want to be the low hanging fruit, do you?

What’s a good password?

Good question! I went here:

https://passfault.appspot.com/password_strength.html#menu

and here

How Secure is My Password

How Secure is My Password reports the time to crack on a regular PC, so its figures come out longer.

And entered these potential passwords:

ElephantPandaSteak45Lemon

Time to crack:
Passfault: 890 centuries
How Secure is My Password: 5 octillion years
(even though each portion on its own is insecure)

L3mynMedi^valuePackBlech

Time to crack:
Passfault: 103,845,989 centuries
How Secure is My Password: 14 octillion years

Ef%ekH8^fgj

Time to crack:
Passfault: 4 years 9 months
How Secure is My Password: 4,000 years

Consider this: There are relatively few sites that allow passwords as long as any of these. You’d have more luck with the last one because it’s shorter, but it’s common to encounter sites where you are limited to 6-8 characters and depressingly common to find sites that can’t accept special characters.

And this: Even if your password is L3mynMedi^valuePackBlech, if it’s stored on an insecure server or in an insecure database it could end up on Pastebin along with passwords like 12345.

What is the likelihood that you can remember passwords similar to L3mynMedi^valuePackBlech but that are different across all the sites that ask you to have a password?

Pretty low, I’d say. I know it is for me.

So what do you do?

There are a couple of solutions. Password managers are one. There are several very good ones out there that will sync across devices and browsers. These vastly reduce (but not eliminate) the headache of managing passwords.

I use a password manager. I also have a separate password management database (encrypted) where I keep a backup of passwords I really really really cannot lose. I also document serial numbers and certain answers to those stupid security questions which are a total waste of time social engineering people.

There is always the specter of malware or some other vulnerability that could compromise a password manager, but it’s less vulnerable than most people’s current method, which tends to be simple passwords used across sites. The downside is if such a system IS compromised, everything is there.

Another solution is two-factor authentication. You should enable two-factor authentication wherever you can. And you should complain to your bank and other financial organizations for not using this method.

Two-factor authentication requires:

  1. A normal website login and password
  2. Your ability to input a code generated by the website and sent to a different destination only you are likely to control.

One example would be this:

You login to a site. Before you are authenticated, you get a text on your cell phone with a code in it. You input that code at the website within a fairly short time frame and are logged in.

Two-factor authentication prevents someone from remotely hacking into, say, an email account and then resetting your password, resetting all your personal details, and locking you out of your account. Because they won’t have access to the second thing required – which is the destination you set up (e.g., a text message to your phone).
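The flow just described, modelled from the website’s side, as an added example (not code from the original post or from any of the services linked below). Assumptions: a 6-digit random code, a 5-minute validity window, an in-memory store, a constructed user table with plaintext passwords to keep it short, and the text message “sent” by simply returning the code from issue().

```python
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 300   # assumed validity window ("a fairly short time frame")
CODE_DIGITS = 6          # assumed code length

class SecondFactor:
    """Issues a one-time code after the password check and accepts it once, before it expires."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the expiry rule can be tested
        self._pending = {}       # username -> (code, expires_at)

    def issue(self, username: str) -> str:
        # Cryptographically random code; this is what would be texted to the phone.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = (code, self._now() + CODE_TTL_SECONDS)
        return code

    def verify(self, username: str, submitted: str) -> bool:
        # Single use: the code is discarded on any attempt, so a wrong guess cannot be retried.
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._now() > expires_at:
            return False
        # Constant-time comparison so response timing does not leak which digits matched.
        return hmac.compare_digest(code, submitted)

# Constructed user table; a real site stores password hashes, not the passwords themselves.
USERS = {"alice": "correct horse battery staple"}

def login(username: str, password: str, code: Optional[str], sf: SecondFactor) -> str:
    """Two-step login: 'denied', 'code_sent' (password ok, awaiting the code) or 'ok'."""
    expected = USERS.get(username, "")
    if not hmac.compare_digest(expected, password):
        return "denied"
    if code is None:
        sf.issue(username)       # delivery to the phone is simulated by issue()'s return value
        return "code_sent"
    # Only now, with both factors checked, is the user actually authenticated.
    return "ok" if sf.verify(username, code) else "denied"
```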

Two-factor Authentication Information

Apple: http://support.apple.com/kb/ht5570

Google: https://support.google.com/accounts/answer/180744?hl=en

Dropbox: https://www.dropbox.com/help/363/en

For a far, far more comprehensive list:

http://twofactorauth.org/

So, there you go. Some highlights of a complicated subject.

* Wired Equivalent Privacy.