Seven Minute Server

Aug 12, 2009 - 5 minute read - Security Basics

On Passwords

With the number of systems and web sites you log into every day, generating and remembering unique, memorable, and unguessable passwords can be a real chore. However, a disciplined approach to password security is pivotal to thwarting password-based attacks. Who would use password attacks to break into your accounts? Thieves (your bank account and credit card sites), foreign governments and competitors (your bank and work accounts), ex-boyfriends (your Facebook account), ex-husbands (your personal email account)!

Some of the more common types of password attacks include:

  • Online attacks: An attacker attempts to log into the live system directly, typically over the network. If the system under attack doesn’t block the attacker after a certain number of failed login attempts, they can keep trying username and password combinations indefinitely until one works.

  • Offline attacks: By exploiting vulnerabilities in the operating system or other running services, an attacker obtains a copy of the encoded (hashed) password file on the victim system and then runs password cracking software against it, hashing candidate passwords until one matches the stored hash.

  • Socially-engineered attacks: An attacker tricks you into revealing a password (in some experiments, people gave away their passwords for chocolate!).

  • Guess-based attacks: An attacker guesses your password. This can be kind of easy if you always use your dog’s name as your password and you constantly post funny anecdotes about your dog BarnabyJones on Facebook!

It’s important to realize, too, that it’s not just security neophytes that end up victimized by password attacks – more than a handful of security “superstars” have been hacked and hacked hard in recent weeks. Not only that, but some victims used the same password or password pattern for multiple sites and accounts, increasing their exposure to and the severity of these attacks.

How about you? Are your passwords easily crackable? Do you use the same password for Facebook and your online bank? Come on, you’re not using your cat’s name or your baby’s name and birthdate, are you? Or are you more complicated and difficult? If you are, how often do you forget your uber-tricky password and have to reset it to something easier?

One of the very first (and easiest) things you can do when securing your computer and online presence is to come up with passwords that are unique, cannot be easily brute-forced, and are easy for you to remember.

Here are a few tips and tricks to help minimize your exposure to password attacks.

  • Avoid predictable usernames. Many brute-force password attack programs use a list of usernames and passwords, with more sophisticated users employing additional rules for password generation. Although “JeannaJetsonAmex” is a better username than “JeannaJetson” for the American Express web site, both are very easy to guess.

  • Use mnemonics to generate unique but memorable passwords. Use the old “numbers for letters” trick and use special characters, but in non-obvious ways. For example, Jeanna Jetson could use a password like the following for her Amex account: ?1JjTam3x14p4in!di* (I, Jeanna Jetson, Think amex is a pain! Don’t I?) Or how about, ?MbP1tw1e5!1i*. I’ll remember this, because it stands for “My blog Password is the worst I ever saved! Isn’t it?” Choose what’s easiest for you to remember and employ tricks that a) you will remember and b) are tricky.

  • Use special characters, numbers, and mixed case - and longer is better. Most sites require this - use mnemonic tricks like the ones described above to remember your special characters (!@#$%^&*(<>?:"[]) and numbers.

  • Employ varying levels of trickiness based on the site. Save your good passwords for your own systems, your email accounts, bank account sites, and sites you trust. If you don’t see “https” in the URL or in your browser status bar when entering a password, it’s probable that your password is being transmitted in clear text and can be sniffed. Don’t trust the site and don’t use the same password (or even password pattern) here that you use for more secure or critical sites! Another tip-off to a not-so-secure site is one where special characters are not allowed. You actually do see this a lot for bank sites - they want to be sure that passwords can be entered using a keyboard or a phone keypad, and therefore accept nothing but numbers and letters and ignore whether the letters are lowercase or uppercase.

  • Do not use the same password across multiple sites. I break this rule when using insecure sites, but otherwise - don’t use the same password in multiple places. Think of your password as a key - why use the same key to access your home, car, office, and safe deposit box?

  • Perform password Spring Cleaning (i.e., HACK YOURSELF!). Whether you use a single computer, share a computer, or administer a server, you should periodically audit the password strength for all users of your systems (especially inactive accounts - if the accounts are inactive, disable them!). There are a few different ways you can do this. If you’re a Windows user, try Cain and Abel. If using Linux, John the Ripper rocks (I don’t use anything else!). John the Ripper is also available for Windows (or you can copy the SAM files to Linux - stay tuned for future articles on this subject).

    My basic rule of thumb is that if the password is cracked in an hour, it’s not strong enough! Heck, if it’s cracked in a week, it’s too weak! If these utilities are too heavy-duty for your purposes and you just want to verify the strength of a web site password or two, try Microsoft’s Password Strength Checker to verify specific password patterns.

  • Disable remote root or Administrator access to your systems. “root,” “admin,” and “Administrator” exist in just about every username list. Why make things easier for a brute-forcer? Disable root and Administrator remote login. If an attacker has physical access to your system, it’s game over anyway. And if a legitimate remote user (i.e., you) requires elevated access for specific reasons, as a member of the Administrators group (Windows) or of sudoers (Linux), they can elevate themselves as needed - there’s no need for Administrator or root to log into the system remotely.

  • Ensure root or Administrator users have complex passwords. I’m sure this goes without saying, but your root or Administrator accounts should never be passwordless and their passwords should be as strong as you can make ‘em.
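The “Spring Cleaning” rule of thumb above (cracked within an hour, or even within a week, means too weak) can be turned into a quick self-check. The following is an added example, not code from the original post or from John the Ripper or Cain and Abel: it estimates the worst-case time to exhaust a password’s keyspace at an assumed guess rate, and first undoes the “numbers for letters” trick against a tiny constructed wordlist, the way a cracking tool’s mangling rules would, so that substitutions like 0-for-o are not over-credited. The guess rate and wordlist are assumptions.

```python
import math
import string

# Assumed attacker guess rate for the estimate: guesses per second against a
# fast, unsalted hash (constructed figure, not from the original post).
GUESS_RATE = 100_000_000

# Tiny constructed stand-in for the wordlists cracking tools ship with;
# real lists hold millions of entries.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "barnabyjones"}

HOUR = 3600
WEEK = 7 * 24 * HOUR

# Undo the "numbers for letters" trick the way a cracker's mangling rules do,
# so that P4ssw0rd gets no more credit than password.
LEET = str.maketrans("013457$@", "oieastsa")

def dictionary_hits(password: str) -> set:
    """Wordlist entries a simple mangling rule set would derive from this password."""
    low = password.lower()
    candidates = {low, low.rstrip(string.digits + string.punctuation)}
    candidates |= {c.translate(LEET) for c in candidates}
    return candidates & COMMON_WORDS

def search_space_bits(password: str) -> float:
    """Bits of keyspace a brute-forcer must cover for this length and character mix."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(ch in cls for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def worst_case_seconds(password: str, rate: int = GUESS_RATE) -> float:
    """Seconds to exhaust the keyspace at `rate`; a dictionary word or mangled variant falls at once."""
    if dictionary_hits(password):
        return 0.0
    return 2 ** search_space_bits(password) / rate

def verdict(password: str, rate: int = GUESS_RATE) -> str:
    """The post's rule of thumb: cracked within an hour, or even a week, is too weak."""
    seconds = worst_case_seconds(password, rate)
    if seconds < HOUR:
        return "too weak (cracked within an hour)"
    if seconds < WEEK:
        return "too weak (cracked within a week)"
    return "acceptable under the one-week rule"

if __name__ == "__main__":
    for pw in ("B4rn4byJ0nes!", "fluffy09", "?MbP1tw1e5!1i*"):
        print(f"{pw:16} {worst_case_seconds(pw):>14.0f}s  {verdict(pw)}")
```

The keyspace figure is an upper bound on a pure brute force; real tools try wordlists and patterns first, so anything the dictionary check flags should be treated as already cracked.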

These tips are definitely not comprehensive, but will hopefully give you a place to start!