Security. I Can Haz It?
There were a lot of comments about security in last week’s post, so I thought this week I would talk about computer security issues. I’ll hit just a few subjects, since this is a big and complicated one. And, of course, I’m trying to keep things simple, brief, and accurate, and those things are, in some cases, incompatible.
Bad Security. Whose Fault is it?
There’s a lot of blaming of users who get hit by malware or who lose control of their email accounts or logins to websites. And yes, some people are very careless, inattentive, or unaware. This fact should come as no surprise to anyone. That some people click on spam emails, however, should not absolve others of the duty to provide a secure application or computing environment. I put most of the blame where the money is, and it’s not with the end-user. It’s with computer hardware manufacturers, with Operating Systems, and application developers.
It used to be you had to know how your car ran in order to safely drive it and fix it when it broke down. And for people whose brains work that way, yay!! More power to ’em. But not everyone can, wants to, or has the time to understand their car at that depth. And these days? Not so feasible. We shouldn’t have to be engineers of any kind in order to safely use our cars. Or our computing devices.
In a perfect world, security would be “out of the box” and ongoing. AND that state of affairs would not make the product unusable. Microsoft has gotten a lot better at this, no question, but they have not made a good marriage of flexibility and simplicity. Both those things are hard, and MS has not updated and streamlined its dialogue box system in decades. (This is why decades after Windows 3.5, there are dialog boxes where you can only see the beginning of the path, and not the end of the path, which is often the only part you care about.) #stillbroken
Choices are buried in multiple hierarchies that don’t make sense to anyone but an engineer. My brain hurts just thinking about it. On the other hand, for the technically inclined, the Windows OS is pretty dang powerful. Like I said, it’s better than it used to be.
Wireless Heck
Here is an example of what I mean:
Anyone who has ever set up a wireless network—which someone in any household with internet access must do—knows that this can be a confusing, multi-step process that can leave you unable to access the internet.
One of the first questions you encounter is whether you want to use WEP or WPA. The normal user’s answer to this is “whichever one works” where “works” is defined as “when I’m done with a 30-second set up, I can surf the web and no one can steal my banking information.”
Acronym Hell
That is not what technology asks of users. What users get, instead, is Acronym Hell. What we get is calls to tech support where we’re supposed to change router channels (11? 8? 2?). None of the parts that should talk to each other natively do so. Is the problem with your router? Your computer? Your wireless device settings? Your firewall? What do you mean what’s my MAC address? And then you find out you have to pick up a component, turn it over, or upside down, or, worse, open a panel, and find a very tiny, long series of characters.
If it Ain’t Broke, Don’t Fix It
Is it any wonder that once you get this Rube Goldberg device of concatenations working, you never EVER touch it again? Because if you do, it will break. If you later hear that you should not be using WEP (whatever that means)* because it’s insecure, you know you face the horror of figuring out how to switch to something else and that the process is likely to fail at some point, and there goes your evening of following dirty Tumblr posts. Right now, you can do everything you need to do. And so you do. And you continue to do so until it doesn’t work for some reason.
X
If you’re a Windows user, raise your hand if you have set up your wireless network and seen nothing but a red x between your network and the Internet. When you ask for more information, you are helpfully told you have no Internet access, would you like to set up your network or have MS troubleshoot the error? If you say yes to either, you are told that red X means you have no access to the Internet and that all devices are working properly.
Three hours later, you can finally check your email.
If you’re on a Mac, this is unlikely to happen. Which is not to say there are no issues, but there are fewer of them. Most of the time, it just works, once you’ve picked no security, WEP, WEP2, WPA or something else who the hell knows what.
And then, after all that. Passwords happen
As a database administrator I can tell you that most user passwords are terrible, horrible, profane, and crackable instantly. Don’t read this list if you’re easily offended.
- 12345
- abcdefg
- password
- password123
- fuckyou
- ilovepussy
- jesussaves
NB: Not from that password He doesn’t.
These are not just passwords I have encountered. They are among the most common passwords stored in databases. It’s easy to write a query that sorts passwords by most frequently appearing. This list is from such a query.
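As an added example (not the post author’s query or any real site’s database), here is what that frequency query looks like against a constructed, in-memory table of made-up accounts, plus the same query run against a table that stores per-user salted hashes instead of the plaintext. The point for anyone who runs a database: if the query in the first half produces a sorted list of real passwords, the store is the problem; in the second half the identical query returns a count of 1 for every row, because two users with the same password get different salts and therefore different hashes.

```python
import hashlib
import os
import sqlite3

# Constructed sample data for this example: a tiny "users" table of the kind
# the post describes, with the password column in the clear. Nothing here is
# taken from a real database.
SAMPLE_ROWS = [
    ("alice", "password"), ("bob", "12345"), ("carol", "password"),
    ("dave", "jesussaves"), ("erin", "password123"), ("frank", "password"),
    ("grace", "12345"), ("heidi", "abcdefg"),
]


def build_plaintext_db(rows):
    """Create an in-memory database holding passwords in the clear."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return conn


def most_common_passwords(conn, limit=5):
    """The query the post alludes to: group by password, most frequent first."""
    sql = """
        SELECT password, COUNT(*) AS n
        FROM users
        GROUP BY password
        ORDER BY n DESC, password
        LIMIT ?
    """
    return conn.execute(sql, (limit,)).fetchall()


def share_of_accounts_in_top(conn, top_n=3):
    """Fraction of all accounts whose password is among the top_n most common."""
    total = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    covered = sum(n for _, n in most_common_passwords(conn, top_n))
    return covered / total


def build_hashed_db(rows):
    """Same accounts, stored as salted PBKDF2-SHA256 hashes (hex) instead of plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    for user, pw in rows:
        salt = os.urandom(16)                      # fresh random salt per user
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest.hex()))
    return conn


def most_common_hashes(conn, limit=5):
    """The same frequency query, run against the hashed table."""
    sql = "SELECT pw_hash, COUNT(*) AS n FROM users GROUP BY pw_hash ORDER BY n DESC LIMIT ?"
    return conn.execute(sql, (limit,)).fetchall()


if __name__ == "__main__":
    plain = build_plaintext_db(SAMPLE_ROWS)
    for pw, n in most_common_passwords(plain):
        print(f"{n:3d}  {pw}")
    print(f"top 3 passwords cover {share_of_accounts_in_top(plain):.0%} of accounts")
    hashed = build_hashed_db(SAMPLE_ROWS)
    print("highest count for any single hash:", max(n for _, n in most_common_hashes(hashed)))
```

Run as a script it prints the ranked list (password 3, 12345 2, ...) and then a highest hash count of 1. The hashed table still lets a login check verify a password (recompute PBKDF2 with the stored salt and compare), which is all the application needs; it just denies anyone with a copy of the table the sorted list.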
The Problem with Passwords
- People have to remember them;
- In order to be hard to crack, they should be long and random (it’s more complicated than this);
- Reusing passwords across sites is not a good idea;
- People cannot remember a different password for every site that requires a password;
- A given site may not allow sufficient complexity of passwords;
- Any password based on information personal to you is vulnerable to guessing;
- Any password based on a pattern is vulnerable to cracking;
- People can be tricked into revealing their passwords;
- Malware or other vulnerabilities can intercept or reveal passwords;
- The systems that store your passwords can be hacked.
Fun Facts About Passwords
From http://www.lockdown.co.uk/?pg=combi
If your password contains only numbers, it will be cracked instantly. (Obviously, length matters. The number of digits that are secure against cracking is unlikely to intersect with your ability to remember them AND your willingness to type them all—without error. Assuming the database can store a password of that length.)
If your password contains only letters and is 8 characters or less, it will be cracked instantly.
At 10 characters, expect it to fall in 40 hours.
Mixed case alphanumeric: 7.2 Quadrillion possible combinations, falls in 83.5 days.
(At 1,000,000,000 Passwords/sec.)
Those figures are from 2009. It’s faster now; the processing power has moved down the food chain, as it were. Based on experience, I can say with a high degree of certainty, dear reader, your password sucks. Yes. I’m looking at YOU. OK, almost all of you. You don’t want to be the low hanging fruit, do you?
What’s a good password?
Good question! I went here:
https://passfault.appspot.com/password_strength.html#menu
and to How Secure is My Password, which reports time to crack on a regular PC, so its figures come out longer.
And entered these potential passwords (time to crack, from the two checkers in the order above):
- ElephantPandaSteak45Lemon: 890 centuries; 5 octillion years. Even though each portion is insecure.
- L3mynMedi^valuePackBlech: 103,845,989 centuries; 14 octillion years.
- Ef%ekH8^fgj: 4 years 9 months; 4,000 years.
Consider this: There are relatively few sites that allow passwords as long as any of these. You’d have more luck with the last one because it’s shorter, but it’s common to encounter sites where you are limited to 6-8 characters and depressingly common to find sites that can’t accept special characters.
And this: Even if your password is L3mynMedi^valuePackBlech, if it’s stored on an insecure server or in an insecure database it could end up in PasteBin along with passwords like 12345.
What is the likelihood that you can remember passwords similar to L3mynMedi^valuePackBlech but that are different across all the sites that ask you to have a password?
Pretty low, I’d say. I know it is for me.
So what do you do?
There are a couple of solutions. Password managers are one. There are several very good ones out there that will sync across devices and browsers. These vastly reduce (but not eliminate) the headache of managing passwords.
I use a password manager. I also have a separate password management database (encrypted) where I keep a backup of passwords I really really really cannot lose. I also document serial numbers and certain answers to those stupid security questions, which are a total waste of time and an invitation to social engineering.
There is always the specter of malware or some other vulnerability that could compromise a password manager, but it’s less vulnerable than most people’s current method, which tends to be simple passwords used across sites. The downside is if such a system IS compromised, everything is there.
Another is two-factor authentication. You should enable two-factor authentication wherever you can. And you should complain to your bank and other financial organizations for not using this method.
Two-factor authentication requires:
- A normal website login and password
- Your ability to input a code generated by the website and sent to a different destination only you are likely to control.
One example would be this:
You login to a site. Before you are authenticated, you get a text on your cell phone with a code in it. You input that code at the website within a fairly short time frame and are logged in.
Two-factor authentication prevents someone from remotely hacking into, say, an email account and then resetting your password, resetting all your personal details, and locking you out of your account. Because they won’t have access to the second thing required – which is the destination you set up (eg: a text message to your phone).
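Here is the server side of the flow just described, as an added example (not code from the post or from Apple, Google or Dropbox): after the username and password check, the site issues a random six-digit code, hands it to whatever delivers it out of band, and later accepts it only once, only within a time limit, and only while a small number of wrong guesses remain. The five-minute lifetime, the attempt cap and the six-digit length are assumptions for the example; the post only says “a fairly short time frame”.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed for the example: a code lives five minutes
MAX_ATTEMPTS = 5         # assumed for the example: discard the code after this many wrong guesses


class SecondFactor:
    """Server-side bookkeeping for a one-time code sent out of band (e.g. SMS).

    The first factor (username + password) is assumed to have been checked
    already; this class handles only the second step the post describes."""

    def __init__(self, send, ttl=CODE_TTL_SECONDS, clock=time.time):
        self.send = send          # callable(user, code): delivers the code to the user's destination
        self.ttl = ttl
        self.clock = clock        # injectable so expiry can be tested without waiting
        self.pending = {}         # user -> (code, issued_at, wrong_attempts)

    def start(self, user):
        """Issue a fresh 6-digit code and deliver it. Any earlier code for the user is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.clock(), 0)
        self.send(user, code)

    def verify(self, user, submitted):
        """True only if the code matches, is unexpired, unused, and under the attempt cap."""
        entry = self.pending.get(user)
        if entry is None:
            return False                        # nothing outstanding (or already used)
        code, issued_at, attempts = entry
        if self.clock() - issued_at > self.ttl:
            del self.pending[user]              # expired: the user must start again
            return False
        if attempts >= MAX_ATTEMPTS:
            del self.pending[user]              # too many wrong guesses: discard the code
            return False
        if not (isinstance(submitted, str) and submitted.isascii()):
            return False                        # compare_digest on str needs ASCII input
        if hmac.compare_digest(code, submitted):   # constant-time comparison
            del self.pending[user]              # single use
            return True
        self.pending[user] = (code, issued_at, attempts + 1)
        return False


if __name__ == "__main__":
    delivered = {}   # stands in for the text message: user -> code actually sent
    sf = SecondFactor(send=lambda user, code: delivered.__setitem__(user, code))
    sf.start("alice")
    wrong = "000000" if delivered["alice"] != "000000" else "000001"
    print("wrong code accepted?", sf.verify("alice", wrong))
    print("right code accepted?", sf.verify("alice", delivered["alice"]))
    print("same code accepted a second time?", sf.verify("alice", delivered["alice"]))
```

The single-use and expiry rules are what make the code useless to someone who reads it later, and the attempt cap is what stops a remote party from simply trying all one million values; without those three rules the second factor adds little.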
Two-factor Authentication Information
Apple: http://support.apple.com/kb/ht5570
Google: https://support.google.com/accounts/answer/180744?hl=en
Dropbox: https://www.dropbox.com/help/363/en
For a far, far more comprehensive list:
So, there you go. Some highlights of a complicated subject.
* Wired Equivalent Privacy.
This is a great reminder for me to get off my arse and sort out my security!
In terms of solutions, I was told that a good password method is to think of a phrase that is at least 8 words long and that incorporates both numbers and a symbol (like a question/exclamation mark), and then use the first letter of each word as the password. Also to incorporate something about the particular website (eg first letter of the name) into your password. A very simple example – obviously the more complex the better:
Phrase: Dearauthor is the number 1 romance website!
Password: Ditn1rw!
The idea is that the phrase is something that you would remember and can use across all websites, and yet the password would be slightly different for each.
@CD:
Just checked on the linked website and that password would take 8 days to crack. Obviously, an encrypted password manager using some of the examples mentioned here is better, but it’s at least a better solution than “ilovepussy”…
How important do you think it is to have strong passwords on every site? I tend to try to have the strongest ones I think I can remember on sites with financial information (banks, Paypal etc) but for social media stuff (Ravelry, twitter etc) I don’t bother so much, on the basis that if they get hacked it will be irritating but not a serious problem. Likewise, I’ll quite often reuse passwords between those kinds of sites.
@Ros:
Re-using passwords is a controversial topic. There is a recent research paper that says it is a good idea to re-use weak passwords on sites that don’t store important information, because it makes it easier to remember the passwords that actually matter. It provoked much controversy
http://it.slashdot.org/story/14/07/16/1341259/selectively-reusing-bad-passwords-is-not-a-bad-idea-researchers-say
I am a computer scientist in an excellent CS department, and there isn’t even an agreement between our folks who do security.
My personal principles are
1) Don’t worry much about someone guessing it because of personal information – such attacks are rare and expensive (unless you have good reason to worry about family members, that is). Worry about it being cracked with brute force.
2) Worry about key loggers – so think many, many times before entering password to your email or anything else vulnerable on a computer which is not your own
3) Two-factor authentication is good – but it can trip you up badly if it relies on your mobile (like Google). I have been stuck in a foreign country, with no roaming, trying to desperately get into my banking site which refused to do anything without a code sent by text message.
4) Never store your credit card information on any site, unless there is no way to avoid it. The fewer places it is stored in, the less risk that it is stolen.
I personally end up reusing not-so-good passwords on unimportant sites, and having unique and difficult to crack passwords on my email and banking sites. This is a risk – too many sites want to store credit card info etc., and making an “important” vs. “unimportant” judgment can be very flawed. I decided that it works better for me than anything that requires carrying around extra stuff (password managers or 2-factor auth), but this is trading the risk against inconvenience which is probably more risky than it should be in the ideal world.
Great post, Json. What’s your opinion on devices such as YubiKey?
Thanks for the comments.
@MD makes a very good point. One of the topics I considered adding was the idea of tiered passwords. If there is a site where you NEVER give it sensitive information and you would not cry if you lost access to the site, then I, personally, would have no issue with reusing a password for such sites. But you would have to be sure that it was not related at all to the sites that require more security because you give them sensitive information or losing access would matter.
The problem with security right now is everything has its downside. Suppose you set up two-factor authentication and then you lose your phone? Or are in Europe without access? Apple recommends setting up one or two additional phones — one of them belonging to a family member (or other trusted person) whose phone can receive your text and who can contact you with the number.
Here’s an example of “downside to everything” : Suppose you make it a practice never to store your credit card at any site. The upside to that is no site has your credit card information and, presumably, your CC number would not be stored in a database that could be vulnerable. You will also soon have your CC number memorized.
The downside is that you will be constantly entering your CC info whenever you shop online, and on every occasion, your CC information is vulnerable to some sort of man-in-the-middle attack, a keylogger, or an insecure wireless access point. The move of many sites to SSL is a benefit. For sites where you shop often— I can think of one starting with an A — it soon becomes a PITA to enter your CC info every. single. time.
Another problem is that the standard merchants must meet when securing CC information, PCI, is in no way secure. It’s why companies can be PCI compliant and still have credit card information stolen.
And, what do you do at sites where you have a recurring charge? You have no choice but to store some credit card at those sites.
The reality is that security that relies on end users incurring an inconvenience is likely to fail for a large portion of users. We can argue til we’re blue in the face that users should incur the inconvenience, but if there’s a way to avoid that, users will do so. Here, it is inconvenient to reenter CC information at sites where you shop frequently.
There’s also this: there are many sites that make it difficult NOT to store your information. You must be actively looking for ways not to create an account. So, it’s not always the user’s fault. They may have missed the crucial check box because it was buried, or checked by default.
There are a couple of follow up concepts, by the way.
You are more likely to be affected by a hack of a database that stored your information because those databases contain large amounts of juicy information that is useful for spending someone else’s money.
But that does not mean you should not be worried about social engineering, though I would agree that it is less common. There have been reports, though, of people receiving phone calls where the caller says they are from Microsoft, and that your computer has been identified as sending out malware, please provide some passwords, or remote access to your computer.
Also, guessing personally identifying information isn’t hard. People often use the names of their children and birth dates as passwords. It’s easy to add names and numbers or other text representing the common patterns of names + a date to your password cracking script. Such passwords will fall quickly.
Suppose someone has gained partial access to a site with your credentials — it is a banking or other financial site where the payoff for getting in is big — your money. They are then presented with challenge response questions. Getting the answers to those questions isn’t all that hard, a few minutes on Google may get them all the information they need.
That scenario may be rarer than the download of data from a compromised database, but it does happen, and those “security” questions are an extremely weak, if not fatally flawed “protection.” In fact the questions were added to sites to address a security weakness. The solution, in my opinion, is a really bad one.
@Zara Keane:
Hardware tokens, like any other security solution, have a downside. They qualify under the “Some other thing that only I have” but suppose you lose it or damage it? There’s a bit of a rigamarole. The benefit is they will talk to RADIUS systems — which matters somewhat more internally to companies. Tokens are often used in companies.
From the perspective of the typical consumer, a security system is only as good as its degree of convenience. The problem with a hardware token, purely from the user perspective is this: it’s not baked in. The user must have the token in hand.
How often do you lose your keys?
If you are someone with a purse, how quickly can you find it in there? Suppose your significant other lost his or hers and took yours?
Your kids cannot be trusted with such a device. (So this might be a great way to keep your kids off your computer!)
Lastly, suppose you have mobility or dexterity issues? Suppose you are not sighted? Suppose you have memory issues? Inside a corporation, accommodations can be found and the work force is unlikely to be elderly, for example. But for the general public? A token does not strike me as a solution that solves security for everyone.
Which is easy to say. It does not mean a token isn’t a great solution for some people. But you must know yourself and your ability to comply and work around the downsides.
@CD:
The problem with pass phrases such as you suggest and with password creation systems is this: you still have the problem of remembering a different password every where. I’m not sure that using a letter to designate the site is of much use. You would have to come up with a different one for every site, and you’d have to remember that for every site. If you are a frequent visitor to Dear Author, you have a shot at remembering your base sentence. But what if it’s a site you do not visit frequently?
Here is what would happen to me: I would stare at the screen, knowing that I had made up a sentence, and have no idea what it was or what case sensitivity I might have used. Or where I would have inserted a number or special character.
I think it could work well for devising a password you use at a site(s) where you are unlikely to forget it — banking, for example.
I have been leery about the safety of using password managers. Can you recommend a few?
@IAM JSON:
Sorry – I probably hadn’t explained clearly enough.
The idea is that you use the same base phrase but with changing a certain number of letters (or numbers or symbols) based on the website you visit. So in my very simple example, I just took the first letter of dearauthor.com to get:
Phrase: Dearauthor is the number 1 romance website!
Password: Ditn1rw!
If I then visited Amazon, it would change to:
Phrase: Amazon is the number 1 romance website!
Password: Aitn1rw!
This is a very simple example so you could get a lot more creative with whatever your base phrase was, and whatever you take from the website you are currently visiting, and the positioning of that in the base phrase.
I do agree with the tiered password system though for places where you don’t care so much if you are hacked. As for a password manager/two factor authentication – most probably best practice but I can see that a lot of people would probably be put off by the perceived inconvenience.
Thanks for the info. I am going to reread it again later when my brain will hopefully work better at absorbing it.
I would love you forever just for explaining what the WEP acronym means.
I think I finally “got” a bunch of concepts which had been swimming around. Thanks so much for such an informative, readable article.
Thx for the article JSON. I have lots of different passwords with many special characters etc all stored in my password manager account (and I turned off “remember passwords” in Firefox**) but after reading your post, easy as it was to understand I can’t help but feeling we’re all DOOOOOOOOMED!
**For those of you who don’t know, when Firefox asks if you want it to remember your password, it stores it in a VERY unsecure place. So, if you allow Firefox to remember any passwords (or if you don’t delete all the passwords from Firefox after installing a password management system) anyone who can log on to your computer can access all the passwords straight from your browser, no encryption, nothing.
I use a password manager, a good one and I like it, but I hadn’t checked my passwords for some sites in a long time.
I’ve been ordering some stuff from A-books and they have my cc info. Because they have it, I decided to check to see what my password was….. I hadn’t changed it in YEARS and it was a simple 8 character WORD from the days when I wasn’t worried about security at all!! I went into panic mode and changed the password immediately….
My suggestion, based upon experience is to check all your passwords, especially if you use a password manager and no longer see those passwords on a regular basis. Also, change your passwords on a regular basis, even if only once a year. (my a-books password was approximately 10 years old! I hadn’t used it, but still…. )
For most sites and networks, I use a variation of the key phrase method mixed with the xkcd 4 words method. I used symbols or words based upon the type of site (money, books, email, social) and work from a list of words, choosing different mixes of words for different sites. ex: giraffe%%hibachi55igloo%%jugglejuggle . There’s a pattern I can recognize, but would be long and challenging to crack (not impossible) Yes, I could add CAPS, but my rationalization is that anything can be cracked, if someone is determined enough.
Security is only as good as the trouble you are willing to take to keep yourself and your ‘stuff’ safe.
@CD:
Probably that system is better than others. However, part of my job is to make people talk about and plan for worst case scenarios.
Side Bar: I was having a conversation with some folks at the job about a relatively simple data update to a crucial table for a Very Important Client, taking place on a weekend when I am out of town, and for an application supported almost entirely by off shore folks. After a bit of me saying, “but you can’t do it that way because then there’s no possible rollback” and talking about all the worst case scenarios, the poor woman said, “You know, I was thinking we’d planned this well and it would be easy, and now I’m completely paranoid.” I told her that talking about this stuff meant that things would probably go well, but if something unexpected happened, we could recover from that. We did, in fact, change the plan, so we’d have a rollback available.
Here’s the point of that sidebar — security is also about talking through and being prepared for (and practicing for) all the things that could go wrong, even if they probably won’t.
So, here are the problems I see with this method:
1. Using only 1 letter of the alphabet means you are limited to 26 passwords before your system breaks down or you must reuse a password. And likely sooner than 26, given the distribution of letter usages in English. What happens when you have a login at Wells Fargo and another at Williams-Sonoma?
2. The system is a pattern.
3. The passwords produced are not highly selective, as we say in the database world. That is, most of your password is the same and the part that varies is not varied enough. It will almost always be a letter, with occasional numbers.
4. If one of your passwords is hacked because a third party had poor security or there was a 0-day exploit, then your password (and any associated login information) go into a password cracking script that will automate variations of passwords. And, because your password is not highly unique across sites, and will likely be repeated somewhere, then all sites where you used this particular system are vulnerable.
So, it’s not the worst system ever, but it needs to be tweaked to produce a more variable result. And, also, of course, in your example, it’s only 7 characters, so it’s also too short. ;-)
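As an added example (not CD’s or the post author’s code), here is the phrase scheme implemented exactly as CD describes it in the comments above (first letter of each word plus the trailing symbol, with the site’s first letter swapped in), followed by the two checks raised in the reply: whether a list of sites produces duplicate passwords, and how many characters actually differ between any two of them. The site list and the base phrase are taken from the comments; the helper names are this example’s own.

```python
import string
from itertools import combinations

BASE_PHRASE = "Dearauthor is the number 1 romance website!"   # CD's example phrase


def phrase_to_password(phrase):
    """First character of each word, plus the phrase's closing symbol if it has one."""
    words = phrase.split()
    initials = "".join(w[0] for w in words)
    last = phrase.rstrip()[-1]
    return initials + (last if last in string.punctuation else "")


def site_password(site, base=BASE_PHRASE):
    """CD's rule: the site's first letter stands in for the first letter of the base password."""
    return site.strip()[0].upper() + phrase_to_password(base)[1:]


def distinct_passwords(sites, base=BASE_PHRASE):
    """How many different passwords a list of sites actually yields under the scheme."""
    return len({site_password(s, base) for s in sites})


def collisions(sites, base=BASE_PHRASE):
    """Pairs of sites that end up with exactly the same password."""
    pw = {s: site_password(s, base) for s in sites}
    return [(a, b) for a, b in combinations(sites, 2) if pw[a] == pw[b]]


def differing_positions(pw_a, pw_b):
    """Number of character positions that differ between two passwords of equal length."""
    if len(pw_a) != len(pw_b):
        return max(len(pw_a), len(pw_b))
    return sum(1 for x, y in zip(pw_a, pw_b) if x != y)


if __name__ == "__main__":
    sites = ["Dearauthor", "Amazon", "Wells Fargo", "Williams-Sonoma"]   # from the comments
    for s in sites:
        print(f"{s:16s} {site_password(s)}")
    print("distinct passwords for", len(sites), "sites:", distinct_passwords(sites))
    print("collisions:", collisions(sites))
    print("characters differing between the Dearauthor and Amazon passwords:",
          differing_positions(site_password("Dearauthor"), site_password("Amazon")))
```

For the four sites the script reports three distinct passwords, one collision (Wells Fargo and Williams-Sonoma both get Witn1rw!), and a single differing character between any two passwords it produces, which is the “not highly selective” point above stated as numbers.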
@Suzy:
Very good suggestion!
I usually let my password manager select a 12 character random password with mixed case, letters, numbers, and special characters.