Why Passwords Are Getting Easier to Crack

I’m going to do a security series over the next couple of weeks, inspired by last week’s post. This week I’m taking a look at an Ars Technica article I read today, called “Why passwords have never been weaker — and crackers have never been stronger.”

It’s a long article, but if you have a few minutes, I highly recommend it, especially if you’re interested in security. The most important thing to take away from it, though, is that password cracking is advancing extremely rapidly–the past couple of years have brought nearly as much new knowledge to the field as all the rest of cracking history combined.

This is due primarily to an increase in password databases being stolen and cracked, which gives both security analysts and malicious hackers a prime opportunity to see what kinds of passwords people use in the real world. As a result of all the information, password dictionaries have gotten orders of magnitude more effective, making choosing a good password more important than ever.

And get this: what you thought was a “good password” almost certainly isn’t. Here are a few things that the bad guys are onto now (mostly sourced from the Ars article, with a bit of personal opinion and other general consensus in security fields included):

  • You know those websites that make you include a number and a capital letter (and maybe a symbol) in your password? Turns out those requirements add far less strength than they appear to, while annoying users and making them more likely to write down their passwords or otherwise store them insecurely. Nearly all capital letters are the first character of passwords; nearly all numbers and symbols are at the end. Most of the time, people just capitalize the first letter and stick a ‘1’ on the end. If they’re feeling more clever, they might change an ‘e’ to a ‘3’ or a ‘t’ to a ‘1’–but cracking tools apply all of those substitutions automatically as “rules” on top of the dictionary, so they cost the attacker almost nothing.
  • Shifting your hands sideways on the keyboard or walking around the keyboard in patterns are in any good dictionary now, too. The same goes for spelling words backwards or in both directions. If you’re not sure whether your password trick is secure, here’s my personal rule of thumb: If you think you’re being clever, you probably aren’t.
  • A $12,000 computer called “Project Erebus” can try the entire keyspace for an 8-character password in just 12 hours against a database that has been stored poorly, meaning with a fast hash and no salt (which, unfortunately, describes most of the companies involved in data breaches lately). That means if your password is 8 characters or less and the site stored it that way, this computer will always get it in 12 hours or less, no matter what it is. 8 characters used to be a secure password (it still was when I wrote about passwords in 2009); now 8 characters is a terrible password (though still a good sight better than 7 or 6 characters, since each additional character multiplies the number of possible passwords by the size of the character set, so strength grows exponentially with length). This computer is not particularly special; anyone with a few grand to spare and a bit of computer smarts can put together a few graphics cards into a solid password-cracking machine nowadays.
  • An average desktop computer equipped with a good graphics card can test about eight billion passwords every second against a file of password hashes (which is what you usually get when you steal a password database from a company).
  • The average Web user has 25 accounts but only 6.5 passwords. In my opinion, reusing passwords is even worse than using bad passwords. And that’s despite the fact that just about everybody reuses their passwords at least occasionally. That’s because if somebody gets your password from one site, no matter if it’s “hu!-#723d^*&/”!q4,” they can get into your other accounts as well. If you have a bad password and it gets cracked, at least the damage is confined to that one site (unless it’s your email account, as described at the very end of last week’s post).
  • A large number of passwords consist of first names (or worse, usernames) followed by years. There are now dictionaries of names pulled from millions of Facebook accounts which can be used with programs that try appending likely numbers (such as possible years of birth) until a match is found. A good graphics card can crack your password in roughly two minutes if you use this type of password.
  • A number of attacks depend on the companies that store your data being careless. For instance, there’s an easily implemented technique called salting–storing a random value alongside each user’s hash and mixing it into the hash–that forces an attacker to crack every user’s hash separately and makes precomputed lookup tables (“rainbow tables”) useless. It’s been around for decades. And yet Yahoo, LinkedIn, and eHarmony, among other major companies, were caught dead without it when they lost password databases recently. The same goes for using a proper password hash instead of a fast general-purpose one: a deliberately slow, salted hash such as bcrypt cuts the attacker to around 2,000 tries per second instead of several billion, so only the weakest passwords ever fall, but most services still choose a poor one. Unfortunately, there’s not really anything you can do about this, other than contact technical support and boycott them if they don’t follow best practices (and given how bad the standards are, you can expect to not be using very many websites). You can, however, mitigate the possible damage by using a different password for every site so that you will have lost less if your password is cracked.
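To make this concrete, here is a small added example (mine, not the Ars article’s and not any real cracking tool’s) that runs the dictionary-plus-rules attack described above against a constructed “leaked” database, stored first as unsalted MD5 and then with a per-user random salt and a slow hash. The user names, passwords, salts and the tiny wordlist are all made up, and the “rules” are a toy subset of what hashcat or John the Ripper ship with:

```python
"""Added example (not from the original post, the Ars article, or any real
cracking tool): the dictionary-plus-rules attack described above, run
against a constructed "leaked" password database stored two ways, as
unsalted MD5 (what the breached sites used) and as salted PBKDF2.
Every user name, password, salt and wordlist entry here is made up."""
import hashlib
import os
from collections import defaultdict
from itertools import islice
from typing import Dict, Iterator, Tuple

# Tiny stand-in for the "first names pulled from Facebook" dictionary.
WORDLIST = ["alice", "bob", "password", "soren", "summer"]
LEET = str.maketrans("aeiost", "4310$7")          # a->4, e->3, t->7, ...
# Suffixes real rule sets try: nothing, the obligatory '1' or '!', then years.
SUFFIXES = ["", "1", "!", "1!", "123"] + [str(y) for y in range(1950, 2013)]
ITERATIONS = 100_000   # PBKDF2 work factor: one guess costs this many HMACs


def mangle(word: str) -> Iterator[str]:
    """Yield the variants of one base word that cracking rule sets generate:
    the word, first letter capitalised, all caps, reversed, leet-speak, and
    each of those with every common suffix appended. Cheapest tricks first."""
    bases = [word, word.capitalize(), word.upper(), word[::-1],
             word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for base in bases:
        if base in seen:            # e.g. "bob" reversed is still "bob"
            continue
        seen.add(base)
        for suffix in SUFFIXES:
            yield base + suffix


def candidates() -> Iterator[str]:
    """The whole attack dictionary, in the order an attacker would try it."""
    for word in WORDLIST:
        yield from mangle(word)


def md5_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(db: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Unsalted storage: each candidate is hashed once and compared against
    every user at the same time, so one pass over the list cracks the whole
    database. Returns (user -> recovered password, hashes computed)."""
    by_hash = defaultdict(list)
    for user, digest in db.items():
        by_hash[digest].append(user)
    found, work = {}, 0
    for cand in candidates():
        work += 1
        for user in by_hash.get(md5_hash(cand), []):
            found[user] = cand
    return found, work


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def crack_salted(db: Dict[str, Tuple[bytes, bytes]],
                 budget: int) -> Tuple[Dict[str, str], int]:
    """Salted, slow storage: the salt means no shared table, so the list is
    re-run for every user, and each guess costs ITERATIONS HMACs. `budget`
    is how many guesses per user the attacker can afford.
    Returns (user -> recovered password, HMACs computed)."""
    found, work = {}, 0
    for user, (salt, digest) in db.items():
        for cand in islice(candidates(), budget):
            work += ITERATIONS
            if pbkdf2_hash(cand, salt) == digest:
                found[user] = cand
                break
    return found, work


# Constructed "leaked" database: two users share a password, one used a
# long random password that no dictionary attack will find.
PASSWORDS = {"alice": "alice1", "bob": "Summer2008",
             "carol": "Summer2008", "dave": "c9!Vq2#mWz7&Lp"}
MD5_DB = {u: md5_hash(p) for u, p in PASSWORDS.items()}
SALTED_DB = {}
for _user, _pw in PASSWORDS.items():
    _salt = os.urandom(16)        # fresh random salt, stored next to the hash
    SALTED_DB[_user] = (_salt, pbkdf2_hash(_pw, _salt))

if __name__ == "__main__":
    found, work = crack_unsalted(MD5_DB)
    print(f"unsalted MD5: cracked {found} after {work} hashes")
    print("bob and carol have identical MD5 hashes:", MD5_DB["bob"] == MD5_DB["carol"])
    found, work = crack_salted(SALTED_DB, budget=10)
    print(f"salted PBKDF2, 10 guesses per user: cracked {found} after {work:,} HMACs")
```

Run it and notice two things. With unsalted MD5, one pass over roughly two thousand candidates cracks every user whose password is in the list, and bob and carol’s identical hashes give away that they share a password before a single guess is made. With a random salt and PBKDF2, the attacker has to re-run the whole list for each user, and every guess costs 100,000 HMAC computations, which is the “2,000 tries per second instead of several billion” effect from the article. Dave’s long random password survives either way.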

Now is a good time to remind yourself that two-factor authentication would keep somebody out of your account even if they cracked your password, isn’t it? Next week I’ll be back with some practical tips for making and using better passwords.

Security Advisory: You Should Use Two-Factor Authentication

Passwords are rapidly becoming less and less protective of your online information. And at the same time, we’re putting more of our lives online and standing to lose more from someone breaking that security. And don’t think it can’t happen to you: you probably heard about Wired writer Mat Honan, who recently had his Amazon, Apple, Gmail, and Twitter accounts hacked and his iPhone, iPad, and MacBook all wiped with no backup—because the hacker thought his Twitter username was cool.

Two-factor authentication is an easy way to add a great deal of security to accounts that support it without really losing much. In Mat’s case, he would never have lost all his data had he had two-factor authentication enabled on his Gmail account, and he urges everyone to turn it on. Here’s why (and how to do it).

What exactly is two-factor authentication? In its most common usage, it means that logging in requires not only a password (in security speak, “something you know”), but also an item with some sort of cryptographic key or other code (“something you have”). This item can take the form of specialized hardware such as a smart card or a token that displays a code that changes every 30 or 60 seconds, a flash drive, or a decidedly low-tech sheet of paper with one-time-use numerical codes printed on it. It can also be a smartphone app or a server that distributes codes via text message or phone call, which is the simplest to implement for average users and the method I’m focusing on in this article.

Two-factor authentication works really well with very little sacrifice on the part of the user. If you’re using two-factor authentication, if somebody gets your password, you’re not screwed yet—they still have to get hold of your phone. In the case of Mat’s recent hack, the hacker never knew him personally, so he would have had no chance at his phone or list of backup codes—both physical objects—making the rest of the damage he did impossible. (Furthermore, depending on his settings, Mat might well have received a random text message with an authentication code—a dead giveaway that somebody had tried to access his email account.) And it’s not a major inconvenience to you. With many services, like Google, you don’t even have to do anything different on computers you use regularly; you just use them once and check a “remember” box. On other computers, you simply have to take fifteen seconds to pull out your phone and type a number into the computer. It’s a pretty small price to pay for making it nearly impossible for a random stranger to destroy your online life.

I was one of the first wave of people who signed up for two-factor authentication at Google when it was first released. I’ll freely admit I thought it was a gimmick and paranoia when I did, but I thought it couldn’t hurt. But with the latest batch of password database cracks and now this widely-publicized Mat Honan business, I think the world is changing. Passwords just aren’t enough anymore, even good ones–a good portion of break-ins now don’t even involve cracking a password; they involve stealing passwords from somewhere, using weak password reset or security question vulnerabilities, or tricking customer service into letting you into someone else’s account. Those are all things that you can’t control, except with two-factor authentication.

Nowadays I think everyone should enable two-factor authentication right now. A few minutes now just might save you an awful lot of trouble later!

With Google accounts, you can have codes texted to you or delivered by voice call when you need to log in, or you can install a smartphone app called Google Authenticator which works even when you’re offline. In case you need to log in when you have a dead battery or no service, you can print out a list of single-use backup codes and keep it in your wallet (you could even memorize one in case you’re stuck without even your wallet). They’ve really covered just about everything at Google.

Here’s how to enable two-factor authentication on your Google account.

  1. Log into your Google account if you’re not already logged in.
  2. Visit http://accounts.google.com. If it’s been a while since you logged in, you may have to confirm your password.
  3. Click the Security link on the left.
  4. Next to “2-Step Verification,” click Edit.
  5. Click “Start setup” and give your phone number if it’s not already on file in your account. You’ll receive a text message (or call, if you’re using a landline or SMS delivery isn’t working) with a code to confirm your phone.
  6. Check the box if you want to “trust” the current computer, which means that you won’t need to enter codes on it. This way, you only have to bother with verification codes if you’re on a computer other than your own, safe computer.
  7. Click Confirm to activate two-factor authentication.

Here are a couple of things you may want to check (and things to keep in mind now):

  1. On the overview page, it is wise to provide a backup phone number and print (or write down) the list of backup codes. The codes are useful, as mentioned, if you’re without your phone or without use of it. It’s a good idea to make the backup phone a landline, as you can lose a cell phone for a while and be stuck locked out, but it’s pretty hard to lose a landline number.
  2. If you have a smartphone or iPod Touch, you can investigate the “mobile application” (Google Authenticator in your device’s app store) to make logging in even easier. It also generates the codes on the device itself, so they never travel over the phone network, where a text message could be intercepted or redirected.
  3. If you use apps that access your email, you may need to set up “application-specific passwords,” as many apps can’t accept two-factor verification. Google simply generates a special sixteen-letter password for use with only that app; if someone gets into that account or steals that device, you can simply revoke the password from your accounts page (leaving everything else untouched and fully operational). You cannot log into the main Gmail web interface with an application-specific password.
  4. At the bottom of the page, you’ll notice that you can forget all other trusted computers, just in case you think someone managed to get a computer trusted with your verification code or you accidentally checked the “trust” box when logging in on a computer you don’t actually trust.
  5. Before you log out, it would be wise to open a new incognito window or a different browser and double-check that you can log in properly, just in case there’s somehow something wrong with your phone setup.
  6. If somebody ever gets your password or it’s somehow released onto the internet by some other database for which you used the same password being cracked, you should still change your password (it’s essentially only one-factor authentication until you do), but you’re safe for the moment.
  7. If you lose your phone, simply log into accounts.google.com and deauthorize your phone (you can use a backup code or your backup phone if you’re locked out because your phone is missing). If you get it back or you get a new one, you can just add it back in.

You can also use two-factor authentication on Facebook, LastPass, and a growing number of other popular applications—it wouldn’t hurt to investigate, especially on accounts you care about keeping secure. (UPDATE: Yahoo Mail and Dropbox have recently added two-factor authentication options as well.) It’s especially important, however, to have good security on your email account. Why? Think about what you do if you need to reset a password. On nearly all websites, you enter your email address and have a reset link sent to your email account—the one you used when you set it up. If someone gets into your email account, they essentially have a free pass to all your other online accounts.

If you have problems with or questions about two-factor authentication, I’d be happy to help you in the comments—I’m surprising myself with how strongly I’ve started to believe that this stuff is important.

How to Use BitTorrent

What Is BitTorrent?

To put it simply, it’s a way to download large files quickly. Instead of fetching the whole thing from a single server, like you do when you visit a website and click a conventional download link, BitTorrent lets you download pieces of the file simultaneously from many other people who have already downloaded it.

Why Would I Want to Use It?

If a file is popular enough (and there are therefore enough other users who have downloaded it), you can usually download files at the maximum speed allowed by your internet connection, rather than the speed the server can manage at the moment. Additionally, using BitTorrent is a great help to the owner of the server, especially with small projects with a limited budget, since the server is only required to upload the file when there are few or no other people offering it. Finally, if your download gets interrupted, you can resume right where you left off. There’s nothing more annoying than having your connection terminated with 95% of a 4GB download complete and having to start over.

Isn’t This Illegal?

No.

You’ve probably seen the huge posters that often get put up in libraries and schools talking about the evil file-sharing programs. Most of those are funded by the RIAA, which is a group that likes to sue random people for illegally sharing copyrighted content and then keeps the money for itself instead of giving it to the people whose copyright was actually infringed. Regardless of that, I’m not denying that BitTorrent can be used to download material illegally, but the act of using BT (or any other file-sharing program) is not in itself illegal, and there are plenty of legal uses, such as downloading free software or music that the authors have made public domain or available under Creative Commons licenses.

There are a number of other uses which are in a legal gray area but most people would consider ethically sound. For instance, if you have lost the installation disc for a program that you legally purchased and you still have the license key, you might find a copy of the program and download it. While the company probably didn’t intend for the software to be available that way, you aren’t avoiding paying for it by doing so.

Using BitTorrent

There are a lot of clients that connect to the BitTorrent network, but two are especially popular, uTorrent and Transmission. For the most part, it doesn’t really matter what client you use.

Once you’ve installed a client, you need to find something to download. Unlike older file-sharing networks, BitTorrent doesn’t include a search feature itself; instead, you need to use other services to locate a torrent file, which you can then download and import into your client. (This is what the notorious The Pirate Bay service does.) A torrent file does not actually contain any of the data you’re intending to download; instead, it contains the file names and sizes, a cryptographic hash of each piece of the file so your client can verify what other people send it, and the address of a “tracker” that helps your client find other people who have the pieces.
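Here is an added example (my own; not code from the post, Transmission, or the Internet Archive) that shows what a .torrent actually contains. It builds one in memory from made-up content and a made-up tracker address, reads it back, computes its “info hash,” and checks a received piece against the hash the torrent promised, which is how a client refuses corrupted data from a peer:

```python
"""Added example, not from the original post or any BitTorrent client: what
is inside a .torrent file. The metainfo is "bencoded"; its "info" dict
holds the file name, length, piece size and a SHA-1 hash for every piece,
and the SHA-1 of the bencoded info dict is the "info hash" that trackers
and peers identify the torrent by. The torrent below is built in memory
from made-up content and a made-up tracker URL."""
import hashlib
from typing import Any, Tuple

PIECE_LENGTH = 16   # real torrents use 256 KiB or more; tiny here for the demo


def bencode(value: Any) -> bytes:
    """Serialise int / bytes / str / list / dict. Dict keys are emitted in
    sorted order, so the encoding is canonical and the info hash is stable."""
    if isinstance(value, bool):                  # bool is an int subclass
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def bdecode(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Parse one bencoded value at `pos`; return (value, position after it).
    Malformed input raises ValueError instead of being guessed at, which is
    what you want for a file fetched from a random index site."""
    tag = data[pos:pos + 1]
    if tag == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if tag in (b"l", b"d"):
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            if pos >= len(data):
                raise ValueError("unterminated list or dict")
            item, pos = bdecode(data, pos)
            items.append(item)
        if tag == b"l":
            return items, pos + 1
        keys = items[0::2]
        if len(items) % 2 or any(not isinstance(k, bytes) for k in keys):
            raise ValueError("dict needs byte-string keys, each with a value")
        if keys != sorted(keys):
            raise ValueError("dict keys out of order (non-canonical)")
        return dict(zip(keys, items[1::2])), pos + 1
    if tag.isdigit():
        colon = data.index(b":", pos)
        start = colon + 1
        end = start + int(data[pos:colon])
        if end > len(data):
            raise ValueError("string length runs past end of data")
        return data[start:end], end
    raise ValueError(f"bad bencode tag {tag!r} at offset {pos}")


def make_torrent(name: str, content: bytes, tracker: str) -> bytes:
    """Build a single-file .torrent: hash each piece, bencode the metainfo."""
    pieces = b"".join(hashlib.sha1(content[i:i + PIECE_LENGTH]).digest()
                      for i in range(0, len(content), PIECE_LENGTH))
    info = {"name": name, "length": len(content),
            "piece length": PIECE_LENGTH, "pieces": pieces}
    return bencode({"announce": tracker, "info": info})


def info_hash(torrent: bytes) -> str:
    """SHA-1 of the bencoded info dict. Re-encoding is safe here because
    bdecode rejects non-canonical input, so it reproduces the original bytes."""
    meta, _ = bdecode(torrent)
    return hashlib.sha1(bencode(meta[b"info"])).hexdigest()


def verify_piece(torrent: bytes, index: int, piece: bytes) -> bool:
    """What a client does with every piece a peer sends: compare it with the
    hash the .torrent promised. Altered data fails and is thrown away."""
    info = bdecode(torrent)[0][b"info"]
    expected = info[b"pieces"][20 * index:20 * index + 20]
    return hashlib.sha1(piece).digest() == expected


# Constructed sample standing in for the public-domain book in the post.
CONTENT = b"Made-up text standing in for a public-domain book from the Archive. " * 3
TORRENT = make_torrent("sample.txt", CONTENT, "http://tracker.example.invalid/announce")

if __name__ == "__main__":
    meta, _ = bdecode(TORRENT)
    print("tracker:", meta[b"announce"].decode())
    print("info hash:", info_hash(TORRENT))
    print("pieces:", len(meta[b"info"][b"pieces"]) // 20)
    print("piece 0 genuine:", verify_piece(TORRENT, 0, CONTENT[:PIECE_LENGTH]))
    print("piece 0 tampered:", verify_piece(TORRENT, 0, b"X" + CONTENT[1:PIECE_LENGTH]))
```

Two things are worth noticing. The info hash doesn’t change if you point the same metadata at a different tracker, because only the info dictionary is hashed, so the hash identifies the content, not where you found it. And a single changed byte in a piece fails verification, so a hostile peer can waste your bandwidth but cannot change what you end up with on disk.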

The Internet Archive recently announced that they were making parts of their collection available over BitTorrent, so I’m going to use something from there as an example. The Archive’s torrent search page is here. I clicked into ‘books’ and the ‘spotlight item’ on the left as an example. This file is actually fairly small, so we’re unlikely to notice any speed difference on it, but it’s just an example. We can also see to the right (“Possible copyright status”) that this book is public domain, so there are no possible legal issues here.

When you find something to download (wherever it may be), download the torrent file (in this case, click the ‘torrent’ link), then open the file. Your client should come up and open the torrent (I’m using Transmission in this example). In this particular case, there are a number of files available, so we can choose which ones we want.

With an uncommon file, sometimes you’ll run into a problem where you wind up stuck because no other people (“peers”) have the parts of the file you still need, and the download can stall and go idle. In some cases, like with the Archive, there are official servers that will take over if the file is not available any other way; they just might take a little while to kick in.

When the download is complete, the status display will change to “Seeding.” This means that you’re now making the file available for others to download. Depending on how popular the file is, your internet connection may slow down as you upload parts of the file; to prevent this from becoming a problem, all decent clients have a speed limit feature built in. You can set that to whatever number you need to keep your browsing and other connections working fine.

It’s good etiquette to keep seeding a download until the ratio (on the right side of the file size data in this screenshot) has reached 1.0, meaning you’ve uploaded as much data as you’ve downloaded. Although it may seem annoying and unnecessary, remember that you probably downloaded the majority of your file from other people who were seeding it (a small percentage comes from other people who are simultaneously downloading the file in a different order than you). If nobody kept seeding files, you’d never be able to download anything. Additionally, some servers will begin to throttle your download speed if you maintain a low ratio over a period of time, since you’re being a drain on the network.

I don’t use BitTorrent that often, but it really is handy for downloading large files (one of my most common uses is disc images for software and operating systems, which are usually at least 600MB and often take an eternity to download from the official server). Even if you don’t use it much, it’s not a bad idea to have a client and know how to use it for the odd case when you find a file that’s only distributed via BitTorrent or the only non-torrent servers run at an extremely slow speed (I ran into a server once that was giving me a download speed of 3 KB/s over a broadband connection).

Searching Google: Tips & Tricks

I have published a new article about all sorts of tricks for searching the web, both in forming search queries and using features of Google you probably didn’t know existed. This is an updated version of an article that’s been around in the past; if you were ever a subscriber of the original Technical Geekery Tips, you might vaguely recognize it.

You can read the article here (it will remain under the Miscellaneous tab of the website menu, if you want to look for it later).

People who know me personally might also appreciate a new item on the (also new) Miscellaneous tab, Conversations with Soren. Check it out.