Keep Your Private Data Private – Good Password Practices Part 2

This is the third post in a series of posts on keeping your private data private.  It was inspired by the Jennifer Lawrence (et al) nude photo scandal, and then encouraged by the “gmail hack,” which wasn’t really a gmail hack and which was published literally while I was working on this post.  Previous posts talked about two-factor authentication and preventing hackers from guessing your password.

As I said in the last post, password best practices boil down to three things: preventing hackers from guessing your password, preventing them from stealing it in plain text, and limiting the damage if they do either one.  This blog post is about protecting yourself from the second two.  To read about protecting against the first one, read my previous blog post.

Note: if at any point in this article, you find yourself saying “give me a break” or your eyes start rolling into the back of your head due to boredom, just skip to the next blog post where I talk about password managers.

Limiting the damage if hackers steal your password 

You should assume that any given password may eventually get compromised.  Therefore, you do not want to use the same password on every system. It’s one thing to have your gmail.com account password in the hands of bad guys.  But if that same username and password are used on your amazon.com account?  You’ll be buying $500 espresso machines for all your best friends in the Czech Republic before you can say Karlovy Vary.

Now I’ve gone and made it impossible, right?  I want you to use a hard-to-guess password, I don’t want you to write it down, and I want you to use a different one on every system.

One thing that people do is to combine the “base” password from the previous post with a 2-3 letter code for each site.  Prepend, append, or (better yet) split your password with this code.  So take that base password and make it one of these for Facebook:

FbStephen12p$4#oS
FStephen12p$4#oSb
FBStephen12p$4#oS
Stephenfb12p$4#oS

Then you do the same thing for the other accounts you have.  This has the benefit of giving you a unique password for every site that’s relatively easy to remember, and it makes it harder to guess.  Adding those extra characters increases the entropy of the password as well.

Another thing that people do is to have classes of passwords.  They use really secure and separate passwords for sites where money is involved (e.g. bank, Amazon.com, any site that stores your credit card), another set of passwords for sites with sensitive personal information (e.g. facebook, gmail, dropbox), and then a “junk” password they use at places where you wouldn’t care if it got hacked (e.g. the website that stores your recipes).

Preventing them from stealing your password in plain text

This blog post says that half of all internet sites store your passwords in plain text. For example, it was revealed only a few years ago that LinkedIn was storing passwords in plain text.  You’d think they’d know better.  There’s literally nothing you can do to protect against that.  No matter how good your password is, if they steal the password file and your password is in plain text — you’re toast.  Well, shame on them.

What you can do, though, is to avoid installing software that would steal your passwords as you type them by watching your keystrokes. Don’t click on emails you don’t recognize.  Don’t click on emails from places you do recognize!  If Bank of America sends you an email, open BOA’s website on your own and log in.  Don’t click on the link in the email.  If you do, at the very least you’re letting a spammer know you’re a real person.  Possibly it’ll be a really normal looking website that is nothing but a dummy site made to look like BOA and designed to steal your password as you type it in.

Also, no bank should ever call you and ask you for personally identifiable information, either.  They should not be calling asking for passwords, your SSN, or anything like that.  Unfortunately, some actual banks do this.  The bank I belong to will call me about some fraud, and then ask me to verify my identity by giving them my account number or SSN or something.  I refuse to give them that information and then I call back the actual number of the bank and talk to the fraud department.  In my case, it really is the bank just doing stupid stuff.  But it could just as easily be someone trying to steal your passwords, which is why I believe it’s a really bad idea for banks to teach people that someone might call them and ask for such information.

And if you get a phone call from “computer support” claiming you’ve got a virus and they need to login to your computer to fix it, again… hang up!  Tell them they’re full of crap and they are a worthless excuse for a human being.  In fact, feel free to unload the worst things you’ve ever wanted to say to a human being to them.  It’ll be cathartic, and it’s not like they can complain to anyone.

This practice of trying to get you to give up your password or other personal info is referred to as social engineering.  If you want to see how it works, watch a great movie called Sneakers, or a not-as-great movie called Trackdown.  Both are available on Netflix On-Demand, and they both show you exactly the kinds of things hackers do to get people to reveal their personal information.  Sneakers is the better movie, but Trackdown is actually more technically correct.  It’s loosely based on the story of Kevin Mitnick, considered one of the greatest hackers of all time.  (In real life, Kevin Mitnick now does what Robert Redford’s character does in Sneakers.)

Use a Password Manager

This is becoming my default recommendation. Use a password manager to create random passwords for you, remember them, and enter them for you.

I’m talking about products like 1Password, LastPass, and Dashlane.  Instead of having to create and remember dozens of different passwords, you can just have them create and store your passwords for you.  I have been trying out Dashlane and like it quite a bit.  Some of them also support two-factor authentication, something I talked about in my last post.

The first thing Dashlane did was to import all of the passwords stored in my browser.  It turns out there were 150+ of them!  If I did nothing else, it would allow me to turn off the “remember password” feature on my browser.  (It’s a really bad feature because if someone gets your laptop, they have the ability to automatically login as you to your most important sites, and your browser’s history will take them right to those sites.)  

The second thing Dashlane did was to run a security audit on all my passwords.  Like many people, I failed the audit.  But then they walked me through exactly what I needed to do to make things all better.  They also synchronized my passwords to my iPad and Android phones. 

The software will remember your passwords and automatically log you in — but not before requiring you to login to the password manager (usually once per session). That way if someone stole your laptop, they wouldn’t be able to use the password manager to gain access to anything — assuming you didn’t put your master password on a sticky on your laptop, of course. 😉  They also allow you to specify that a particular site requires an entry of the master password every single time you use it, not just once per session. Pretty impressive stuff.

Dashlane unfortunately doesn’t yet support logging into apps on iOS/Android, but it can sync your passwords to those devices.  That way if you forget a given password, it can either display it to you or copy it into the buffer so you can paste it into the app.  I’ve been pretty impressed with Dashlane.

Summary

•    Don’t use easy to guess passwords

•    Don’t use the same password everywhere

•    Don’t open stupid stuff that’s designed to steal your data

•    Consider using a password manager

I hope this post helps and hasn’t been too overwhelming.


Keep Your Private Data Private – Good Password Practices Part 1

This is the second post in a series of posts on keeping your private data private.  The series was inspired by the Jennifer Lawrence (et al) nude photo scandal.  Then literally while I was writing this blog post, this happened.  I’m still not sure what happened, but the short version is: change your gmail password.

Password best practices boil down to three things: preventing hackers from guessing your password, preventing them from stealing it in plain text, and limiting the damage if they do either one.  This blog post is about protecting yourself from the first one of them.

Note: if at any point in this article, you find yourself saying “give me a break” or your eyes start rolling into the back of your head due to boredom, just skip to my next blog post where I talk about password managers.

Preventing hackers from guessing your password

Proper password systems do not store your password in plain text; they store it in a one-way encrypted (hashed) format.  (Although this blog post says that half of internet sites do store them in plain text. There’s literally nothing you can do to protect against that.  No matter how good your password is, if they steal the password file and your password is in plain text — you’re toast.)  When you enter your password to login to something, they encrypt what you typed and compare the encrypted result to the stored encrypted result.  If they match, then you’re authenticated. This means that if a site is hacked and their password database is compromised, the hacker will not have direct access to your password.

They do have a couple of techniques they can use to guess your password, however.  The first is called a brute force attack against the website.  The only thing they need to do this is your user name, which they may have obtained via a variety of methods.  If they have that, they simply try to login to the system as your user name again and again, guessing at various passwords each time until they get it right.  A good website would have brute force detection and would notice this and shut down the account.  But that doesn’t stop hackers from trying this method.

If they are able to gain access to the actual password file/database, they can try a different brute force attack that would be undetectable and will always result in them guessing some password of some account, because there are always people who use really bad passwords. They can use software that uses the same one-way encryption system the website uses.  They can try millions of combinations of different passwords until they find one whose encrypted version matches your stored encrypted password, and voila!  

Like the website brute force method above, they usually start with words they store in a dictionary file, which include ridiculous passwords like Password and 12345 (which people still use, believe it or not), and include every common word in dictionaries in multiple languages.  They also know to append or prepend numbers around the word, such as Password1 or KittyCat57.  It takes them a few milliseconds to try everything from Kittycat1 to Kittycat99, experimenting with capitalizing each letter, etc.  They’ve got nothing but time and super powerful computers at their disposal.  They might not guess your account, but you can bet that they will guess a bunch of accounts.  (Which is why you should change your password as soon as you hear that a company you use has been compromised.)  And, yes, they know about all the variations of dictionary words as well. They know Password is also spelled Pa$$word, Passw0rd, P@ssword, etc.  So variations on dictionary words are also bad ideas for a password.
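The store-then-compare login check and the offline guessing described above, as an added example that is not part of the original post. The site keeps a random per-user salt and a one-way hash (PBKDF2-SHA256 is my choice here; the post names no algorithm), login recomputes and compares, and the offline attack is simply the same function run over a candidate list with no login lockout in the way. The word list and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed for the example: real deployments tune this much higher or use a
# dedicated password hash (bcrypt, scrypt, Argon2); the post names no algorithm.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a proper site stores: a random per-user salt and a one-way hash,
    never the password itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(attempt: str, salt: bytes, stored: bytes) -> bool:
    """Login: hash what was typed the same way and compare (constant time)."""
    _, digest = hash_password(attempt, salt)
    return hmac.compare_digest(digest, stored)


def offline_guess(salt: bytes, stored: bytes, candidates) -> Tuple[Optional[str], int]:
    """The offline attack the post describes: with the stored record in hand, the
    same function is run over a candidate list and no login lockout is involved.
    Returns (matching candidate or None, number of candidates hashed)."""
    for n, candidate in enumerate(candidates, 1):
        if verify_password(candidate, salt, stored):
            return candidate, n
    return None, len(candidates)


# Constructed four-entry "dictionary file" of the kind the post mentions.
WORDLIST = ["password", "Password1", "KittyCat57", "12345"]


def demo() -> dict:
    """One user picked a dictionary-style password, one picked the post's initialism."""
    weak = hash_password("Password1")
    strong = hash_password("Stephen12p$4#oS")
    return {"weak": offline_guess(*weak, WORDLIST), "strong": offline_guess(*strong, WORDLIST)}


if __name__ == "__main__":
    print(demo())  # weak is matched on the 2nd guess; strong is not in the list
```

Note that the salt makes two users with the same password store different records, so a match against one record says nothing about the other; it does not, however, make a dictionary word any harder to find.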

So the key here is to use a password that is hard to guess randomly.  Such a password is said to have good entropy.  This is a mathematical term that I won’t go into in great detail here, but suffice it to say that good entropy is a function of two things: the number of characters you use (e.g. a 12-character password), and the number of different types of characters you use (e.g. upper/lower case, numbers, special characters).  It’s a partnership.  Long passwords are key, but not if they’re composed of all 9s (e.g. 999999999999).  Having an upper and lower case letter, a number, and a special character is good, but 1a8# would be guessed in seconds.  If you want to learn more about entropy, here’s a great blog post. I will say that those who understand entropy seem to prefer longer passwords over more complex passwords, as you will see below.

It’s important to say that this means any of the following are out:

•    Any word in any dictionary in any language (including Klingon and LOTR Elvish. “You shall not password” is no good either.)

•    Variations on dictionary words (e.g. Pa$$word or $uperman)

•    Any phrase or number associated with you (e.g. your name, birthday, or address)  This matters more in an attack targeting you specifically.

•    Any string that is just numbers (e.g. 438939) unless it’s really long, like 40 characters

You need a long, seemingly random string of characters that is also easy to remember. If you have to look at the sticky on your monitor every time you enter it, you did it wrong.  The key is to get a really good password that is hard to guess randomly and then stick with it.  (No, I am not a fan of “change your password every month” policies. It would make much more sense for them to enforce entropy via software, force you to make a good password, and then let you keep it.)

One method is referred to in this xkcd comic and is commonly referred to as correct horse battery staple (see the comic for why).  The practice is to select four completely random words that have nothing to do with each other that you can make a story out of, and use the entire phrase as your password.  Again, the real key is to use words that have nothing to do with each other.  “Mommy of four babies” is bad, “Mommy Electric tomato coffee” is good.   Think of a story that helps you remember them in order and you’re all set.  Think of a mommy that likes electrically warmed tomatoes in her coffee.  Yuck. But you’ll never forget it.  The phrase I used above gets an entropy score of 131 and a score of Very Strong (perhaps overkill) at this password checker!  That’s what you’re looking for.  Some password systems will not allow you to use it because it’s too long, or that it doesn’t contain any capital characters, numbers or special characters.  Therefore, I’m not a big fan of this method by itself. But it definitely scores high in the entropy department because the phrases are so long.  (This is why I said entropy folks prefer longer, simple passwords over shorter, more complex passwords.)

Another method is to make up a much longer silly sentence or phrase and then make an acronym (technically an initialism) of that phrase, while turning some of the initials into numbers or special characters. The phrase should not be a common phrase like “I like walks in the park,” but “I like to pay $ for hash on Sundays” is good, and it becomes “1l2p$#oS”.  (The more random the phrase, the harder it will be to guess.  The less random the phrase, the easier it will be to remember. You need a balance.)  Now you have a nine-character password that contains upper and lower case letters, two numbers, and two special characters.  If you really have to, early on you could write down the sentence version of the password and refer to that, without writing the actual password down anywhere.  Then after you’ve committed it to muscle memory you can either discard or securely store that sentence.  This has been my personal favorite way to create passwords for years.  However, running the password above through the same password checker gives me an entropy score of only 36, saying it is a “reasonable” password, but that skilled hackers might be able to guess it. I had to add five more random characters before it would say that the password was strong.

So I’d say that combining correct horse battery staple with the initialism method would make a pretty strong, hard to guess password.  So “I like to pay $ for hash on Sundays” becomes “Stephen likes to pay $ for hash on Sundays,” which becomes  “Stephen12p$4#oS” or “Stephen12p$4#oSundays” if you want to go crazy.
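The two factors the entropy paragraph names (length and character pool), worked through for this post’s own example passwords as an added example that is not from the original post. The character estimate is the naive length × log2(pool) bound; the word estimate assumes the guesser knows the phrase is made of dictionary words and, as an assumption, uses a 7776-word list of the Diceware kind. The numbers are not the checker scores quoted above; they show why the four-word phrase rates very high by characters but lower once treated as words, and why all-9s collapses.

```python
import math
import string

# Character pools a guesser has to search once a password is known to use that
# class. string.punctuation is the 32 ASCII symbols.
POOLS = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),
    (str.isspace, 1),
)


def charset_size(pw: str) -> int:
    """Sum of the pools needed to cover every character in pw."""
    return sum(size for test, size in POOLS if any(test(c) for c in pw))


def char_entropy_bits(pw: str) -> float:
    """Naive estimate: length * log2(pool), i.e. the two factors the post names.
    One pattern is special-cased to show why length alone is not enough: a single
    repeated character is found after at most pool * length guesses."""
    pool = charset_size(pw)
    if len(set(pw)) == 1:
        return math.log2(pool * len(pw))
    return len(pw) * math.log2(pool)


def word_entropy_bits(phrase: str, dictionary_size: int) -> float:
    """Estimate if the guesser knows the phrase is dictionary words:
    words * log2(dictionary size), regardless of how many letters it has."""
    return len(phrase.split()) * math.log2(dictionary_size)


def compare(pw: str, dictionary_size: int = 7776) -> dict:
    """Both estimates side by side; the lower one is the realistic bound."""
    chars = char_entropy_bits(pw)
    words = word_entropy_bits(pw, dictionary_size) if " " in pw else chars
    return {"chars": round(chars, 1), "words": round(words, 1), "bound": round(min(chars, words), 1)}


if __name__ == "__main__":
    # The post's own examples: two weak ones, the initialism, the combined one, the passphrase.
    for pw in ("1a8#", "999999999999", "1l2p$#oS", "Stephen12p$4#oS", "Mommy Electric tomato coffee"):
        print(f"{pw!r:32} {compare(pw)}")
```

Guessing-order-aware checkers such as the one the post used also penalize keyboard walks, dates and leetspeak substitutions, which is why they rate “1l2p$#oS” lower than its raw 52-bit pool estimate.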

Eyes rolling over yet? If so, go to my next blog post where I talk about password managers.

It should go without saying, but you should not use any of the passwords you read in this article, nor should you use any password that you run through a password checker. You never know who may be running that site; they could be using it to grab passwords.  Use those sites to enter examples of passwords like the password you will use, not the actual one you will use.

Keep Your Private Data Private – Two-Factor Authentication

There are nude photos of you being posted on a website without your permission!  Well, that’s what Jennifer Lawrence (and a host of other celebs) learned yesterday.  Poor folks.  They never meant for those pictures to be public.  And you probably never mean for those personal emails you wrote, or pictures you took, or private Facebook messages you drunk-typed at two in the morning, to be made public either.  So I thought I’d write a few posts about how to prevent just that thing from happening.  And while I’m at it, I’ll talk about protecting them from failure as well. It’ll probably take me a few posts, but I needed something to blog about.

The first thing I want to talk about is how to keep someone from being able to access your account just because they got ahold of your password.  How many stories have you read of someone hacking an entire password database?  Passwords are typically sent and stored in an encrypted format, so just because someone hacked blabla.com doesn’t mean your blabla.com password is known — but it could be.  (I don’t want to go into details, but suffice it to say that there are a number of scenarios where someone could steal your password without your consent or knowledge, and yes — even if you’re using SSL.)  So let’s talk about how to protect your account from being accessed by a “black hat” even if they get access to your password.  The secret is something called two-factor authentication, or TFA for short. 

If you have an ATM card, you’ve been using TFA for years.  It involves pairing something you have (the ATM card) with something you know (your PIN).  This is different than how most people access common Internet sites; they use only something they know (e.g. their password).  If someone else gets your password, then poof — all bets are off.  However, what if your password only worked if it was used on a device that you physically own?  In other words, what if your password only worked if it was used on your laptop or mobile phone? Then the black hat would need to steal both your password and your laptop or mobile phone to get access to your data.  And if you were a user of a big site that got hacked, you would probably want to change your password, but at least you would know that you didn’t get hacked before you changed it.

Just ask the former owners of codespaces.com if they wished they had used two-factor authentication.  If they had, the hacker would not have been able to gain access to their entire infrastructure and destroy their entire company — and the backups of said company — in a few keystrokes.  It’s not a perfect system, but it’s better than single-factor authentication.

You won’t like the limits that this places on your digital lifestyle.  If you find yourself wanting to access Facebook from a friend’s phone, for example, you won’t be able to do so without jumping through a hoop or two.  Security always makes things harder to do; it’s kind of the point.  But IMO, TFA is a very minor tradeoff to make in order to help keep your private data private.

Here is a great article on how to enable TFA on several popular Internet services.  If it doesn’t cover your favorite service, just google “servicename two-factor authentication.”  If your favorite site doesn’t support TFA, then maybe you should find a different site.

Later blog posts will talk about best practices for passwords, encrypting data at rest and in flight, and — of course — backing all this stuff up.
