Why Passwords Are Getting Easier to Crack

I’m going to do a security series over the next couple of weeks, inspired by last week’s post. This week I’m taking a look at an Ars Technica article I read today, called “Why passwords have never been weaker — and crackers have never been stronger.”

It’s a long article, but if you have a few minutes, I highly recommend it, especially if you’re interested in security. The most important thing to take out of it, though, is that password cracking is making extremely rapid advancements–the past couple of years have brought nearly as much new information to the field as all the rest of cracking history combined.

This is due primarily to an increase in password databases being stolen and cracked, which gives both security analysts and malicious hackers a prime opportunity to see what kinds of passwords people use in the real world. As a result of all the information, password dictionaries have gotten orders of magnitude more effective, making choosing a good password more important than ever.

And get this: what you thought was a “good password” almost certainly isn’t. Here are a few things that the bad guys are onto now (mostly sourced from the Ars article, with a bit of personal opinion and other general consensus in security fields included):

  • You know those websites that make you include a number and a capital letter (and maybe a symbol) in your password? Turns out those requirements really do essentially nothing, except perhaps annoying users and making them more likely to write down their passwords or otherwise store them insecurely. Nearly all capital letters are the first character of passwords; nearly all numbers and symbols are at the end of passwords. Most of the time, people just capitalize the first letter and stick a ‘1’ on the end. If they’re feeling more clever, they might change an ‘e’ to a ‘3’ or a ‘t’ to a ‘1’–all those substitutions are in the dictionaries too.
  • Shifting your hands sideways on the keyboard or going around keyboards in patterns are in any good dictionary now, too. The same goes for spelling words backwards or both directions. If you’re not sure whether your password trick is secure, here’s my personal rule of thumb: If you think you’re being clever, you probably aren’t.
  • A $12,000 computer called “Project Erebus” can crack the entire keyspace for an 8-character password in just 12 hours when run on a database that has been stored poorly (which is, unfortunately, most of the companies involved in data breaches lately). That means if your password is 8 characters or less, this computer will always get it in 12 hours or less, no matter what it is. 8 characters used to be a secure password (it still was when I wrote about passwords in 2009); now 8 characters is a terrible password (though still a good sight better than 7 or 6 characters, since password strength increases exponentially with each additional character). This computer is not particularly special; anyone with a few grand to spare and a bit of computer smarts can put together a few graphics cards into a solid password-cracking machine nowadays.
  • Average desktop computers equipped with good graphics cards can test about eight billion passwords every second against a file of encrypted hashes (those are what you usually get when you steal a password database from a company).
  • The average Web user has 25 accounts but only 6.5 passwords. In my opinion, reusing passwords is even worse than using bad passwords. And that’s despite the fact that just about everybody reuses their passwords at least occasionally. That’s because if somebody gets your password from one site, no matter if it’s “hu!-#723d^*&/”!q4,” they can get into your other accounts as well. If you have a bad password and it gets cracked, at least the damage is confined to that one site (unless it’s your email account, as described at the very end of last week’s post).
  • A large number of passwords consist of first names (or worse, usernames) followed by years. There are now dictionaries of names pulled from millions of Facebook accounts which can be used with programs that try appending likely numbers (such as possible years of birth) until a match is found. A good graphics card can crack your password in roughly two minutes if you use this type of password.
  • A number of attacks depend on the companies that store your data being stupid. For instance, there’s an easily implemented method called salt that makes cracking password databases far more difficult (and one method called rainbow tables completely impossible). It’s been around for years. And yet Yahoo, LinkedIn, and eHarmony, among other major companies, were caught dead without it when they lost password databases recently. The same goes for using better cryptographic hashes for encrypting password databases–using a good hash can make a database essentially uncrackable (2,000 tries per second as opposed to several billion), but most services still choose to use a poor one. Unfortunately, there’s not really anything you can do about this, other than contact technical support and boycott them if they don’t follow best practices (and given how bad the standards are, you can expect to not be using very many websites). You can, however, mitigate the possible damage by using a different password for every site so that you will have lost less if your password is cracked.
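To make the bullets above concrete, here is an added example (not code from the Ars article or from this blog) of the two sides of the problem: a registration-time check that undoes the “clever” mangling the post describes (capital first letter, trailing digits, leet swaps, reversal, keyboard rows, name-plus-year) before looking the password up in a wordlist, and storage using a per-user salt with a deliberately slow hash (PBKDF2 here) beside the unsalted fast hash the breached sites used. The wordlist, test passwords and iteration count are constructed assumptions, not figures from the post.

```python
"""Password-policy check and salted storage (constructed illustration)."""
import hashlib
import hmac
import os
import re

# Constructed toy wordlist; a real check loads a list built from leaked databases.
WORDLIST = {"password", "soren", "dragon", "qwerty", "letmein", "monkey"}

# Leet substitutions the post says are already in every cracking dictionary.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

WEAK_SHORT = "8 characters or fewer: the whole keyspace can be brute-forced"
WEAK_DICT = "dictionary word once capitalisation, digits and leet are undone"
WEAK_KEYS = "keyboard pattern"
WEAK_YEAR = "word or name followed by a year"


def normalize(password: str) -> str:
    """Undo the mangling a cracker's rules undo: lowercase, drop the leading
    capital and trailing digits/symbols, and reverse the leet swaps."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def weakness_reasons(password: str) -> list:
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    if len(password) <= 8:
        reasons.append(WEAK_SHORT)
    core = normalize(password)
    if core in WORDLIST or core[::-1] in WORDLIST:
        reasons.append(WEAK_DICT)
    if len(core) >= 4 and any(core in r or core[::-1] in r for r in KEYBOARD_ROWS):
        reasons.append(WEAK_KEYS)
    if re.fullmatch(r"[a-z]+(19|20)\d\d", re.sub(r"[^a-z0-9]", "", password.lower())):
        reasons.append(WEAK_YEAR)
    return reasons


ITERATIONS = 600_000  # assumption: a current PBKDF2-HMAC-SHA256 work factor


def store(password: str) -> tuple:
    """Per-user random salt plus a slow hash: each guess costs the attacker
    ITERATIONS hash computations, and precomputed tables are useless."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def unsalted_md5(password: str) -> str:
    """What the breached sites did: every user with this password gets the same
    hash, so one crack (or one precomputed table) covers all of them."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    for pw in ("Password1", "p@ssw0rd", "drowssap", "Soren1987", "qwerty123"):
        print(pw, "->", weakness_reasons(pw) or "ok")
    # Two users with the same password: identical MD5, distinct salted digests.
    print(unsalted_md5("Password1") == unsalted_md5("Password1"))
    print(store("Password1")[1] == store("Password1")[1])
```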

Now is a good time to remind yourself that two-factor authentication would help prevent anybody from logging into your account even if they cracked your password, isn’t it? Next week I’ll be back with some practical tips for making and using better passwords.

Security Advisory: You Should Use Two-Factor Authentication

Passwords are rapidly becoming less and less protective of your online information. And at the same time, we’re putting more of our lives online and standing to lose more from someone breaking that security. And don’t think it can’t happen to you: you probably heard about Wired writer Mat Honan, who recently had his Amazon, Apple, Gmail, and Twitter accounts hacked and his iPhone, iPad, and MacBook all wiped with no backup—because the hacker thought his Twitter username was cool.

Two-factor authentication is an easy way to add a great deal of security to accounts that support it without really losing much. In Mat’s case, he would never have lost all his data had he had two-factor authentication enabled on his Gmail account, and he urges everyone to turn it on. Here’s why (and how to do it).

What exactly is two-factor authentication? In its most common usage, it means that logging in requires not only a password (in security speak, “something you know”), but also an item with some sort of cryptographic key or other code (“something you have”). This item can take the form of specialized hardware such as a smart card or a device that displays randomly changing numbers, a flash drive, or a decidedly low-tech sheet of paper with one-time-use numerical codes printed on it. It can also be a smartphone app or a server that distributes codes via text message or phone call, which is the simplest to implement for average users and the method I’m focusing on in this article.

Two-factor authentication works really well with very little sacrifice on the part of the user. If you’re using two-factor authentication, if somebody gets your password, you’re not screwed yet—they still have to get hold of your phone. In the case of Mat’s recent hack, the hacker never knew him personally, so he would have had no chance at his phone or list of backup codes—both physical objects—making the rest of the damage he did impossible. (Furthermore, depending on his settings, Mat might well have received a random text message with an authentication code—a dead giveaway that somebody had tried to access his email account.) And it’s not a major inconvenience to you. With many services, like Google, you don’t even have to do anything different on computers you use regularly; you just use them once and check a “remember” box. On other computers, you simply have to take fifteen seconds to pull out your phone and type a number into the computer. It’s a pretty small price to pay for making it nearly impossible for a random stranger to destroy your online life.

I was one of the first wave of people who signed up for two-factor authentication at Google when it was first released. I’ll freely admit I thought it was a gimmick and paranoia when I did, but I thought it couldn’t hurt. But with the latest batch of password database cracks and now this widely-publicized Mat Honan business, I think the world is changing. Passwords just aren’t enough anymore, even good ones—a good portion of breakins now don’t even involve cracking a password, they involve stealing passwords from somewhere, using weak password reset or security question vulnerabilities, or tricking customer service into letting you into someone else’s account. Those are all things which you can’t control, except with two-factor authentication.

Nowadays I think everyone should enable two-factor authentication right now. A few minutes now just might save you an awful lot of trouble later!

With Google accounts, you can have codes texted to you or delivered by voice call when you need to log in, or you can install a smartphone app called Google Authenticator which works even when you’re offline. In case you need to log in when you have a dead battery or no service, you can print out a list of single-use backup codes and keep it in your wallet (you could even memorize one in case you’re stuck without even your wallet). They’ve really covered just about everything at Google.

Here’s how to enable two-factor authentication on your Google account.

  1. Log into your Google account if you’re not already logged in.
  2. Visit http://accounts.google.com. If it’s been a while since you logged in, you may have to confirm your password.
  3. Click the Security link on the left.
  4. Next to “2-Step Verification,” click Edit.
  5. Click “Start setup” and give your phone number if it’s not already on file in your account. You’ll receive a text message (or call, if you’re using a landline or SMS delivery isn’t working) with a code to confirm your phone.
  6. Check the box if you want to “trust” the current computer, which means that you won’t need to enter codes on it. This way, you only have to bother with verification codes if you’re on a computer other than your own, safe computer.
  7. Click Confirm to activate two-factor authentication.

Here are a couple of things you may want to check (and things to keep in mind now):

  1. On the overview page, it is wise to provide a backup phone number and print (or write down) the list of backup codes. The codes are useful, as mentioned, if you’re without your phone or without use of it. It’s a good idea to make the backup phone a landline, as you can lose a cell phone for a while and be stuck locked out, but it’s pretty hard to lose a landline number.
  2. If you have a smartphone or iPod Touch, you can investigate the “mobile application” (Google Authenticator in your device’s app store) to make logging in even easier.
  3. If you use apps that access your email, you may need to set up “application-specific passwords,” as many apps can’t accept two-factor verification. Google simply generates a special sixteen-letter password for use with only that app; if someone gets into that account or steals that device, you can simply revoke the password from your accounts page (leaving everything else untouched and fully operational). You cannot log into the main Gmail web interface with an application-specific password.
  4. At the bottom of the page, you’ll notice that you can forget all other trusted computers, just in case you think someone managed to get a computer trusted with your verification code or you accidentally checked the “trust” box when logging in on a computer you don’t actually trust.
  5. Before you log out, it would be wise to open a new incognito window or a different browser and double-check that you can log in properly, just in case there’s somehow something wrong with your phone setup.
  6. If somebody ever gets your password or it’s somehow released onto the internet by some other database for which you used the same password being cracked, you should still change your password (it’s essentially only one-factor authentication until you do), but you’re safe for the moment.
  7. If you lose your phone, simply log into accounts.google.com and deauthorize your phone (you can use a backup code or your backup phone if you’re locked out because your phone is missing). If you get it back or you get a new one, you can just add it back in.

You can also use two-factor authentication on Facebook, LastPass, and a growing number of other popular applications—it wouldn’t hurt to investigate, especially on accounts you care about keeping secure. (UPDATE: Yahoo Mail and Dropbox have recently added two-factor authentication options as well.) It’s especially important, however, to have good security on your email account. Why? Think about what you do if you need to reset a password. On nearly all websites, you enter your email address and have a reset link sent to your email account—the one you used when you set it up. If someone gets into your email account, they essentially have a free pass to all your other online accounts.

If you have problems with or questions about two-factor authentication, I’d be happy to help you in the comments—I’m surprising myself with how strongly I’ve started to believe that this stuff is important.

Six Things Not To Do When Asking for Computer Help

I often work as an unofficial technical support representative—it’s pretty much an unavoidable result of learning something about computers. Tech support is just inherently frustrating, but the way people act when they ask me for help, more than anything else, can make the difference between whether I’m happy or annoyed at the end of a call or work session. Here are six things that people ask me or do that get me frustrated really fast. Some of them are things that just plain tick me off; others are things that not everybody would necessarily know but that still get annoying when people don’t know them.

This is drawn mostly from personal experience, but most if not all of these things annoy almost everybody.

I’m not intending to offend, make fun of, or complain about anyone with this post. If you’ve done anything on this list, it’s not your fault! You almost certainly just didn’t know it was liable to annoy somebody. My purpose here is to help people know some of the things that tend to annoy their more technical friends so as to help them avoid doing it in the future.

My intent is also not to sound like I’m being constantly wronged; reading my whole article through, I realize it might sound a bit like that’s what I think. I don’t; in fact, my main purpose in writing this article was not hoping that I’ll get these questions less often as a result (I know better than to expect that) but helping people avoid annoying the people they ask for help.

6: “Is this going to harm my computer?”

Do you think that I would tell you to do it if I knew that it would? Because that’s basically what you’re asking me here.

How to Avoid It: If you want to ask clarification questions about what effect an action is going to have or why I want to do it, I’m perfectly fine with that. I always explain what I’m doing before I start actually making any changes to a computer. But I’m aware that sometimes my investigation, which does not change the computer at all, appears to be messing everything up from the eyes of a less technically proficient user. So by all means, don’t have any qualms about asking what’s going on or what I’m planning to change, just don’t ask me if it’s “going to harm the computer.”

5: “Are you sure you know what you’re doing?”
Probably.

How to Avoid It: Do you really have to ask this? This question makes me doubt whether you’ve made a good move in picking me to work on your computer. If you don’t trust me, then that’s fine, but please ask someone else to fix your computer in that case.
If you just don’t understand what’s going on, feel free to ask questions about that; see #6. But asking if I’m sure I know what I’m doing isn’t a good way to ask—it’s not specific, does not express what you’re actually feeling, and comes off to me as rude.

4: “I have a problem. My computer doesn’t work.”
I have a problem as well. My problem is that I don’t know what your problem is, but I know you want help from me. This doesn’t seem that bad on the surface, but once people start asking you for help on a regular basis, this starts to get old really fast.

How to Avoid It: If you have a problem that you want me to help you with, please start by telling me what the problem is—not saying “I have a problem” and waiting for me to say, “Okay, what is it?” A sample question would be, “Hey Soren, I’ve been having trouble printing lately. Could you help me figure it out?” (If you’re writing an email, it would be nice to include any other information you know as well, like “it started happening right after I updated Microsoft Office.” If I have the chance to respond right back to you in person or over the phone, that’s not important.)

3: “What was the error?” / “I forget.”
Hey, guess what I forgot? The solution to your problem.

How to Avoid It: If there’s ever an error on your computer, the message you get is where you want to start solving the problem. A well-written error message can make the difference between having the problem fixed in a minute and searching and fiddling around for several hours. (Oh boy, have I been there: I once even got an error message that said Error: No Error.) If you don’t have the error message, I’m going to have a really hard time figuring out what the problem is. This isn’t a problem if you can make the error happen again, but frequently people can’t reproduce the problem, and they’re wasting both their time and mine.

The simplest way to avoid this problem is to write down the error message and include it in an email or have it ready if I need it. Or just know what steps you need to take to make the error come up again. If you have to say, “Hold on, let me bring it up,” that makes me feel like you’ve been doing your homework; if you say, “I forget,” that makes me think, “Now I have to spend an extra five minutes on this.”

2: “Okay, now what happened?” / “Nothing.”
This scene, or something like it, happens to me on a regular basis:
Me: “Type ‘nohup anki’ and press Enter.”
User: “Okay.”
Me: “What happened?”
User: “Nothing.”
Me: “Hmm, that’s odd.”
(I ponder for a couple of minutes and run another Google search.)
Me: “What happens if you run ‘anki’?”
User: “The same thing that happened before.”
Me: “Which was?”
User: [what I was hoping for in the first place when I asked what happened]

How to Avoid It: If anything happened when you clicked the mouse button or pressed Enter, that qualifies as “something.” The response “nothing happened” does not mean “I don’t understand the message I got” or even “I ended up back where I was before.” To me, anyway, it means that you pushed the button and no pixel on the screen changed (which could happen, but typically doesn’t).

I can do my part for this, too—I try to avoid asking “What happened?”, instead saying, “Did [x] happen?” But sometimes I don’t know exactly what’s going to happen, and sometimes I just forget.

1: “What program are you using?” / “Microsoft.” (or even worse, “Adobe”)
Microsoft is not a piece of software, or even a piece of hardware (nor is Adobe). It is a company. (It may be a software company, but that doesn’t help much; being a logical person, I would not need to ask to conclude that the software you’re using was made by a company that makes software.)

For the purposes of solving a problem, “Microsoft” is a word almost completely devoid of useful information. It could refer to one of probably over a hundred products. And plenty of those are liable to be used: Windows, Word, Excel, PowerPoint, Outlook, the Windows Live apps…the list goes on. And that’s not including the hardware: the Xbox, mice, Kinect…

Referring to your software as “Microsoft” is something like calling an auto supply store to request a part for your car and describing your car as a “Ford”.

How to Avoid It: “Microsoft” is never an acceptable name to refer to anything except the company itself. There is no piece of software called Microsoft, nor can I usually assume which Microsoft software you’re using. If you’re not sure what the software is actually called, please describe it (“I can type documents with it”) instead of calling it “Microsoft.”
And “Adobe” is even worse: we have Adobe Flash Player, Adobe Reader, Photoshop, InDesign…the same goes here.

0: “Are you hacking?”
This isn’t really about technical support, and it’s also number 7, but I get this question a lot. My typical internal response is, “Well, I will be hacking your head off if you keep asking me that.” (Of course, I never actually say that.)

The answer really depends on your definition of “hacking.” If you mean the typical popular culture definition of “breaking into computer systems,” then (generally ;-)) the answer is no. But in geek culture, hacking means a whole lot more: coming up with creative solutions to problems and the like. See here for the view of much of this community. * If you mean that, then frequently I am.

But nobody who asked me this question ever meant that, did they?

How to Avoid It: Suppose I came up to you and accused you of breaking the law because you were using a Mac instead of a PC. That’s roughly what it’s like to me when you ask me, “Are you hacking?” So please don’t do it. I’m just trying to work on my computer, and I happen to use different tools than most people do.


* If you notice, in order to avoid this ambiguity, I typically try to use the term “cracking” instead of “hacking” to mean attempts at defeating security systems.


Soren “scorchgeek” Bjornstad

http://www.thetechnicalgeekery.com

If you have found an error or notable omission in this tip, please leave a comment or email me: webmaster@thetechnicalgeekery.com.

Copyright 2012 Soren Bjornstad.
Verbatim copying and redistribution of part or all of this article
is permitted, provided this notice is preserved.