Friday, October 22, 2010

Fourteen Hints To Keep Your Password Safe

Diagram of the sending of spam e-mail.

Image via Wikipedia

It happened all very suddenly a couple of days ago. I was working away when my phone vibrated in my pocket; just a couple of buzzes, an incoming e-mail. It could wait until I was no longer in the middle of composing a thought; nothing is that urgent, surely. Then two more. And two more. And two more. By this time, I was distracted enough and continued to count; all in all, a dozen of so e-mails had arrived. No doubt they would all be spam, sent to me by some annoying robot out there; or newsletters, of which I've lost count to how many I've signed up for; or drops from mailing lists, same as the above; or a flurry of recently-approved comments on a blog post I've been following for months and can no longer remember. More than likely, though, it was spam. I've been getting quite a lot of that from my sister's e-mail account recently, and, joking aside from her that her concern for her older brother's health needn't extend to sending me deals on little purple pills, they've been getting annoying. I mention them, she denies all knowledge, and concludes that what I'm saying is, in fact, impossible. She doesn't even get to use her computer that much, she doesn't have a virus on it, so how could anyone be getting mails from her?

Enough was enough, I had to check the incoming mails, and discovered they were all bounces from the "Mail Delivery Subsystem", seemingly, mis-addressed mails that were sent from my account. I looked a little closer and discovered a pattern, I even recognized some of the addresses as typos I had entered at the computer several times before; accounts of friends that were no longer active. The body of the mail was, as expected, spam; some ridiculous so-called "deals" on consumer electronics. The embarrassing thing was, these mails had apparently been sent from my e-mail account. I logged on to the computer to check, and, sure enough, a copy of that mail had been sent to everyone in my address book, from my e-mail account, and was in my Sent Items folder. It was as if someone had logged right into Gmail and done it on my behalf. Sure enough, they had. At the bottom of Gmail there's a link that lets you verify details of connections. It confirmed that an address in China had logged onto my account a few minutes earlier - which meant, they knew my password. I quickly changed the password, maintaining a clear head to at least do that much. After that, I began to worry. Had I used that password anywhere else? What of my personal information was compromised? Could the attacker have done more damage during their visit than send out a few annoying e-mails - which I'm sure have impressed the heck out of my family, friends, lawyer, employer, butcher, baker and candlestick maker?

Here's the kicker. I pride myself on not being a fool. I must admit, when studies come out that say a huge percentage of people's passwords out there are vulnerable to simple guesses, I puff my chest out a bit because I'm not one of those. I do a lot of this for a living. I'm perfectly aware of the risks. And, sadly. I'm also extremely imperfectly human, and I cut a few corners here and there. Purely for convenience, you understand. For freedom's sake, for my personal enjoyment - surely, there's no need to be paranoid all the time, is there? If you live every moment in fear, that's hardly living at all! But I had to face it. A password that I thought was safe was compromised. My e-mail password, as well, which, let's face it, is pretty much the keys to the kingdom. Anyone could browse through my inbox and sent items; they could determine other places I had accounts and submit "forgotten password" requests. Perish the thought, they may already be in those places; maybe I used the password somewhere else? Maybe that's where they stole it from? And, embarrassingly, I honestly didn't know how much damage they were capable of. What I did know though is one of the addresses the spam mail was sent to was Posterous, which meant the spam mail was already posted onto my blog, and it would even be announced on Twitter.

I began to simmer down for a little bit. The address in China was probably just one of many that wasn't necessarily after my personal secrets. What they wanted was the ability to push out their spam mails, and perhaps harvest a few more candidates from my address book to continue their routines of password-guessing. They must have guessed my password, which surprised me. Or perhaps they'd seen it somewhere, which worried me. Having an account which they could robotically abuse to send mail through was the gold they were after; however, a human hacker would, most likely, have wanted to be more malicious. I could be comfortable for a moment. I'd stopped the problem, and realized that I really needed to rethink my password strategy. I thought I was secure; but I wasn't. I'm not naive; after all; but what I have been is complacent. Here's a list of hints about passwords we all ought to know, but perhaps a reminder is worth having. And, they're a reminder to myself, because I've been guilty of most of these, which meant I got caught by this latest eye-opener.
  1. Your password shouldn't be a word. Of course not, and there's a simple reason for this. Depending on how you count them, there are only about 175,000 different words in English, and it's not that hard for a computer program (or an organized cracking effort) to try them all. However, even quite recent research has shown not many people take this advice consistently. In fact, there are still accounts out there whose password is, yes you guessed it, "password".
  2. Mixed case, numbers, and "special characters". This has been common advice for a long time now, and most people think throwing a few of these into their password is enough, especially since most websites now either recommend or insist on it. Of course, it's not much of a stretch. If our happy hackers can run through all the English words, there's not much stopping them making the obvious substitutions and trying those, too. "P@55w0rd" really isn't that much more secure, after all.
  3. Why not a pass phrase? If you're partial to verse 11 of Coleridge's The Rime Of The Ancient Mariner, why not make that your password? And if the site has a maximum length of password, you may want to ask why - the most secure passwords should be irreversibly 'hashed' into a code that doesn't care how long what you originally typed was. (If your site has a small limit, you may wish to ask them why).
  4. Don't fill out those "security" questions. These are, without a doubt, the biggest sucker trap ever invented. You don't know your password? Well, that's OK, what was the color of your first car, again? Suddenly, all security disappears in favor of something that is ridiculously easy to guess. If you're a celebrity, those security questions may even be answered on Wikipedia. Type something in these fields that has nothing to do with the question, and is just as cryptic as a password; if possible, put complete junk in these fields and look for an alternate means of password recovery.
  5. Never use the same password twice. Seriously, never. It only takes one of the sites to be broken into, and you can be sure any leaked password will be tried in other places too. Perish the thought if the password you were using in that fun game in some Internet backwater is exactly the one you use for your bank account. This is the place where most people wimp out and claim that's "too much effort". It's not, providing you have a suitable "password keeper" program that stores all your passwords, securely. You just need a master password to access them. Done correctly, if you only access sites from one computer, you never even have to see or type the passwords stored. (Of course, mentioning a password keeper program reminds me, it goes without saying - don't ever write your password down anywhere!).
  6. Never "remember your password on this computer". Again, this is rank laziness so you don't have to enter it next time. The problem is, there's often multiple ways of doing this, such as a checkbox on the web page or the password store built into your web browser, and you can't possibly know how secure these methods are. Of course, if anyone gets a hold of your computer, they're not secure at all. I once bought a computer from a pawn shop and was amazed at what was still on it. This one is also particularly important if you have a smart phone that has remembered passwords. What happens if you lose it?
  7. Honor and respect corporate policies. There's a reason why your employer wants you, for instance, to change your password every 30 days, and it can't be the same as the last four you used. Nor should you abuse that and change it four times in a row to reset it back to the same as it was...
  8. Don't do obviously stupid things, particularly with your phone. "Just send a text to your bank and get your balance instantly". Right. That sounds secure... until you lose your phone...
  9. Put a password on your screensaver or phone keyboard lock, as well. It should stop people getting anywhere should you lose physical access to the device, and every little bit helps. Of course, don't rely on only this!
  10. Don't rely on the other guy. It doesn't matter who they are; even the biggest companies have made security foul-face-up-books in the past. And I really don't care what operating system or type of computer you use; that just tells me you are refusing to accept responsibility for your own security as well. I could quite easily have been upset with Google for letting someone several thousand miles away log into my e-mail account at the same time I was already logged in, but that was my fault.
  11. Check out the sites you use for possible security loopholes. For instance, if they can send you an e-mail to retrieve a lost password, then they are storing your password somewhere, which is evidently a security risk. A lot of sites - particularly message boards - got their software from precisely the same place, and any security loopholes have likely already been exploited.
  12. Don't confuse awareness with competence. A site that suggests you use "letters, numbers and special characters" on the login page might not necessarily be more competent, simply because they're iterating common advice.
  13. Password policies shouldn't be a secret. If a company won't tell you exactly what they do with your password, that's about as effective as keeping a magic trick a secret. it's only magic, while you don't know how it's done. Once you know, the illusion is shattered. And remember, the sort of attackers who are after your password are precisely the kind of guys who can get jobs working on the code for these places.
  14. Don't underestimate the bad guys. Password-stealing is big business, and the players in this arena are exceptionally, exceptionally smart. Don't get arrogant and assume you won't fall foul of them... because that's precisely how you will get caught out. Don't contradict any of these points, even if you think "Oh but number X doesn't apply because..." - are you sure?
One extra point I'd like to throw in. The security landscape is always changing. Not so long ago the computing power to try all the words in a dictionary would have been prohibitive. New attacks, new attackers, are coming up all the time. We were watching Catch Me If You Can this weekend, an excellent movie based on a true story of check fraud and confidence tricks. Yes, check technology has changed a lot since the sixties, when the movie took place, and so many of the loopholes are no longer possible - indeed, the perpetrator invented some of the security systems that banks use today. However, human nature hasn't changed at all; social engineering is still the most effective means of getting by security. The last time I needed to get through a door I didn't have access to, I told the secretary that "she looked different. Is that a new hairdo? Wow, it really suits you!" and she let me straight in. Flattery just might get you anywhere.

Related articles

Zemanta helped me add links & pictures to this email. It can do it for you too.
Posted by at
Labels: