Topic: Password security wake-up call!
Omegaman
« on: October 08, 2010, 07:06:20 AM »

http://www.youtube.com/v/KoPlkmYaEQs

While the girls might drool over Brandon in this video, it's actually the creepy girl in the video I want you to remember, and her warning ... not so much in the context of this song but maybe just as important -- your password security!

I realize many of us have become complacent in our use, reuse, and updating of our passwords.  We use more passwords now for all our various accounts than we ever have before, and it will most likely only get worse in the future until universal password/passcode keys for all our software and accounts become standardized -- which cloud computing could easily solve if implemented correctly when it becomes mainstream in this decade or the next.  Additionally, advances in bit encryption/data encryption have become much more accessible, especially to end users.  This will also help keep our data and accounts safe in the future.

In the meantime, most users still use the same old passwords or variants of the same password theme (e.g. Jackie4, JackieS, JaclynS, JackienJohn, etc.).  Here's an abstract of a study done by Princeton University in 2006 concerning users' passwords for online accounts:

"Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits. While they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats from human attackers, particularly viewing those close to them as the most motivated and able attackers; however, participants did not separate the human attackers from their potentially automated tools. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices. We also present potential changes in website authentication systems and password managers."

Last decade there was a push by security experts to start adding to the number of characters in your password (dog ---> doghouse) as well as mixing capital letters with lower case ones and even adding numbers and special characters to your password (DogHouse23!).  With a new decade and new technologies mainly from top chip makers, the speeds of our computers haven't gotten much faster in terms of clock cycles (we still only operate in the 2-3 GHz range, with our netbooks only operating in the 1.5-2.25 GHz range).  The biggest increases in raw processing power are the implementation of hyperthreading and multiple processing cores in our CPUs.  The best Intel "Hexa" cores at the moment (top i7s) can effectively process 12 threads at once -- essentially having 12 little computers all working at the same time.  This is powerful for hackers writing software including password cracking programs which can use brute force to find your passwords.

With all this new technology, the "standard best practice" passwords of the '00 decade have quickly become antiquated.  Additionally, hackers/crackers are migrating to attacking Users (end users) and their behaviors vs. attempting to crack or find exploits in OS's that were prevalent in the 90's and some of the 00's (see: Article 1 Article 2).  One of the ways besides phishing and using social engineering to attempt to gain access to your private data and accounts is by using password cracking programs which use many methods including dictionary lookup and brute force.  While dictionaries get negligibly bigger, only advances in technology make brute force attacks more viable and successful.  Computers today can easily attain a minimum of a billion password attempts in an hour.  That's quite a lot of attempts in a very small amount of time.  Lockdown.co.uk currently has a webpage displaying tables of data for relative password strength.

The threat of identity theft is real.  It's important that everyone who accesses the internet frequently and has important online accounts take some time periodically to change their passwords or even make them more complicated.  You can download a spreadsheet from Mandylion Labs (6 years old) to help you understand password strength as well as help you realize instantly how relatively strong your password is compared to what brute force password cracking programs are able to achieve today.  Additionally you can go to How Secure Is My Password.net which simply allows you to type in a password and tells you how long a desktop PC running a brute force program would take to crack your password.

Additionally, many larger companies, corporations, and educational institutes (Indiana University for example) are now implementing 'passphrases' as a means of login instead of passwords.  This would mean you'd enter something like "I love chocolate cake" instead of "cakelover12".  If your online account holder's website can handle a passphrase instead of a password, you might want to choose a passphrase that you can write down for later use for more security.

I hope this helps some of you rethink and hopefully debunk previous notions of what you used to think password security meant and remember the screaming warning chick from the Incubus video every time you must create or change your password in the future.
« Last Edit: October 21, 2010, 06:33:12 AM by Omegaman »

snarky - adj. A witty mannerism, personality, or behavior that is a combination of sarcasm and cynicism. Usually accepted as a complimentary term. Snark is sometimes mistaken for a snotty or arrogant attitude.
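The post above compares "dog", "doghouse", "DogHouse23!" and a passphrase like "I love chocolate cake" against a cracker doing about a billion guesses an hour. The following calculator is an added example (not code from the post or from any of the sites it links) that makes that comparison concrete: it sizes the character set and keyspace of a password, charges a dictionary word only the cost of its wordlist position, and contrasts both with a randomly chosen multi-word passphrase. The guess rate, the toy dictionary and the 7776-word list size are assumptions chosen for illustration.

```python
import string

# Assumption taken from the post: roughly a billion guesses per hour for a desktop brute-forcer.
GUESSES_PER_HOUR = 1_000_000_000

# Constructed toy wordlist; a real cracking dictionary has millions of entries.
TOY_DICTIONARY = ["password", "123456", "dog", "doghouse", "jackie", "cakelover"]


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set that covers every character in the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # the 32 printable ASCII symbols
        (" ", 1),                                        # space, so passphrases are counted too
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses for an exhaustive search of all strings of this length over the alphabet."""
    return alphabet_size(password) ** len(password)


def dictionary_guesses(password: str, dictionary=TOY_DICTIONARY):
    """Guesses needed when the attacker tries the wordlist first; None if the word is not in it."""
    lowered = password.lower()
    if lowered in dictionary:
        return dictionary.index(lowered) + 1
    return None


def guesses_to_crack(password: str, dictionary=TOY_DICTIONARY) -> int:
    """Effective cost: a dictionary hit is far cheaper than the raw keyspace suggests."""
    from_dict = dictionary_guesses(password, dictionary)
    full = brute_force_guesses(password)
    return min(full, from_dict) if from_dict is not None else full


def hours_to_exhaust(guesses: int, rate: int = GUESSES_PER_HOUR) -> float:
    """Hours to try every candidate at the assumed guess rate."""
    return guesses / rate


def passphrase_guesses(word_count: int, wordlist_size: int = 7776) -> int:
    """Keyspace of a passphrase built from randomly chosen words (7776 is a Diceware-sized list, an assumption)."""
    return wordlist_size ** word_count


def human_duration(hours: float) -> str:
    """Render an hour count at a scale a reader can compare."""
    if hours < 1:
        return f"{hours * 3600:.0f} seconds"
    if hours < 24 * 365:
        return f"{hours / 24:.1f} days"
    return f"{hours / (24 * 365):.0f} years"


if __name__ == "__main__":
    for pw in ["dog", "doghouse", "DogHouse23!", "cakelover12", "I love chocolate cake"]:
        g = guesses_to_crack(pw)
        print(f"{pw!r:24} alphabet={alphabet_size(pw):3} guesses={g:.3e} "
              f"time={human_duration(hours_to_exhaust(g))}")
    g = passphrase_guesses(4)
    print(f"4 random wordlist words:  guesses={g:.3e} time={human_duration(hours_to_exhaust(g))}")
```

Two things the numbers show that the prose only states: a word that is in the attacker's list falls in a handful of guesses no matter how long it is, and a passphrase gets its strength from the number of randomly chosen words, not from being long and memorable.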
Skuld
« Reply #1 on: October 08, 2010, 07:31:49 AM »

I enjoyed this read, mind if I grab for my forum? =^.^=

You have been meowed.
Thomphoolery
« Reply #2 on: October 08, 2010, 07:33:00 AM »

Quote from: Omegaman
which cloud computing could easily solve if implemented correctly when it becomes mainstream in this decade or the next.  Additionally, advances in bit encryption/data encryption have become much more accessible, especially to end users.  This will also help aid in keeping our data and accounts safe in the future.

I don't think cloud computing will solve it directly, but securing the cloud definitely will. Here's the issue:

1) We want to link public clouds to private clouds
2) No one cloud trusts the other implicitly
3) Passwords suck

The solution is really the new style of federated identity we are seeing with SAML, OAuth, and OpenID. OpenID is basically crap, but at least it's better crap than passwords. SAML is seeing huge adoption, and OAuth is coming up as well.

I'm a huge fan of OAuth, and I think we can expect some great things in the near future (especially coming from the group I'm in!). Omega, if you have an interest in this stuff, I started a blog a while back on modern identity. The first post has since been mucked, but I'm trying to keep it on a "once every other week" basis. http://blog.jkmathes.org

For people not interested in the technical details of how it works, here are some quality of life tips to help not get password-fucked:

1) Use 2-factor authentication. For WoW, this means buy a damn authenticator.

2) Separate all your browsing into two physical browsers. One for entertainment and daily use, the other for purchases and secure transactions (banking, taxes, etc). If your browser is compromised, your password strength means nothing - using something like Firefox for browsing and IE for banking will help, as long as IE is used for nothing else.

3) Never execute a transaction unless the top of your browser says "https://....." and you see a locked padlock in the lower right. If you don't see these two things, the data you are about to send is *not* encrypted, and anyone between you and the server you are accessing can see all your information.

4) If you are running Chrome or Firefox, install "noscript" and "adblock" as extensions. Noscript will disable Javascript by default, and lets you enable it for sites you trust. Adblock will prevent loading of known advertising, a good portion of which hold nasty executable code if you happen to accidentally click on them.

5) If you use Facebook, Twitter, etc - make sure to use an "OAuth" option if available when accessing these sites from a 3rd party client. Twitter now forces OAuth use over password use, but Facebook allows both. In simplest terms, OAuth allows 3rd party applications to access your data without ever storing your master password. Instead, it stores a sort of "valet key" that will allow a subset of actions. Use it when you can! Pretty soon, OAuth will be the standard.

Rockin' post, Omega, this is serious stuff.

-j
Djfurball
« Reply #3 on: October 08, 2010, 08:01:19 AM »

Quote from: Thomphoolery
3) Never execute a transaction unless the top of your browser says "https://....." and you see a locked padlock in the lower right. If you don't see these two things, the data you are about to send is *not* encrypted, and anyone between you and the server you are accessing can see all your information.

I hate SSL. That is all.

Varg:  I wanged some dude in the head with a turkey bone two years ago at pgh ren fest.
Thomphoolery
« Reply #4 on: October 08, 2010, 08:07:56 AM »

Quote from: Djfurball
I hate SSL. That is all.

Managing a PKI or something is a nightmare, but TLS is the best we got. There are tons of really great libraries to ease the burden (it's built right into Java), so I dig it - as a consumer of it =)

There's actually kind of a stink right now with OAuth 2.0 moving towards TLS instead of signatures.

-j
Omegaman
« Reply #5 on: October 08, 2010, 01:30:46 PM »

Quote from: Skuld
I enjoyed this read, mind if I grab for my forum? =^.^=
Sure, man.
Omegaman
« Reply #6 on: October 08, 2010, 01:47:53 PM »

Quote from: Thomphoolery
I hate SSL. That is all.

Managing a PKI or something is a nightmare, but TLS is the best we got. There are tons of really great libraries to ease the burden (it's built right into Java), so I dig it - as a consumer of it =)

There's actually kind of a stink right now with OAuth 2.0 moving towards TLS instead of signatures.

-j

What's it going to take to get signatures back in the OAuth 2.0 spec?  I realize it's still in draft form so maybe enough devs and/or companies can influence the community enough to ensure signatures are part of OAuth 2.0.  With Web 2.0 around the corner and all the potential XML, AJAX, etc. interactivity between sites, I'm a little concerned about all of those web apps being secure, which I think you might have alluded to with your statement of "linking public and private clouds who don't trust each other implicitly" as an issue.
Thomphoolery
« Reply #7 on: October 08, 2010, 01:55:43 PM »

Quote from: Omegaman
What's it going to take to get signatures back in the OAuth 2.0 spec?  I realize it's still in draft form so maybe enough devs and/or companies can influence the community enough to ensure signatures are part of OAuth 2.0.  With Web 2.0 around the corner and all the potential XML, AJAX, etc. interactivity between sites, I'm a little concerned about all of those web apps being secure, which I think you might have alluded to with your statement of "linking public and private clouds who don't trust each other implicitly" as an issue.

It's going to take a good use-case, really.

Here's the problem: Crypto stuff is hard on implementers. With OAuth 1, clients had to provide signature functionality to prove ownership and safe transit. There are tons of libraries available, but OAuth still didn't hit widestream usage because of the implementation burden. So OAuth 2 comes along and says: "Ok dudes, you don't need to sign anything - let's use plain old bearer tokens and instead rely on SSL, which *is* widespread."

Of course, SSL is just as hard to implement - often harder. There's no good way to win here. hehe

If you ask me, signatures were much easier.

-j
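The reply above contrasts OAuth 1 request signatures with OAuth 2's plain bearer tokens over SSL. The following is an added example, not code from either poster or from any OAuth library, that shows both sides of each model: an OAuth 1.0-style client that builds the signature base string (method, URL and normalized parameters) and signs it with HMAC-SHA1, a server that recomputes the signature and refuses stale timestamps and reused nonces, and a bearer-token verifier that can only check whether the presented token is known. The consumer key, secrets, tokens and URL are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved characters stay bare."""
    return quote(str(value), safe="")


def base_string(method: str, url: str, params: dict) -> str:
    """OAuth 1.0 signature base string: METHOD & encoded URL & encoded, sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret) -> str:
    """HMAC-SHA1 over the base string, keyed by consumer secret & token secret, base64 encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None) -> dict:
    """Client side: add the oauth_* protocol parameters, then the signature over everything."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed, consumer_secret, token_secret)
    return signed


class SignatureVerifier:
    """Server side: the secret never travels; a modified or replayed request fails verification."""

    def __init__(self, consumer_secrets: dict, token_secrets: dict, window: int = 300):
        self.consumer_secrets = consumer_secrets  # consumer_key -> consumer_secret
        self.token_secrets = token_secrets        # token -> token_secret
        self.window = window                      # accepted clock skew in seconds
        self.seen = set()                         # (consumer_key, nonce, timestamp) already used

    def verify(self, method: str, url: str, params: dict, now: int = None) -> bool:
        now = now if now is not None else int(time.time())
        presented = params.get("oauth_signature")
        consumer_key = params.get("oauth_consumer_key")
        nonce = params.get("oauth_nonce")
        consumer_secret = self.consumer_secrets.get(consumer_key)
        token_secret = self.token_secrets.get(params.get("oauth_token"))
        if None in (presented, consumer_secret, token_secret, nonce):
            return False
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            return False  # any tampering with method, URL or parameters lands here
        if abs(now - ts) > self.window or (consumer_key, nonce, ts) in self.seen:
            return False  # stale or replayed
        self.seen.add((consumer_key, nonce, ts))
        return True


class BearerVerifier:
    """OAuth 2 bearer style: possession of the token is the whole proof, so TLS has to protect it."""

    def __init__(self, valid_tokens):
        self.valid = set(valid_tokens)

    def verify(self, authorization_header: str) -> bool:
        scheme, _, token = authorization_header.partition(" ")
        return scheme == "Bearer" and token in self.valid


if __name__ == "__main__":
    # Constructed credentials shared out of band between client and server.
    server = SignatureVerifier({"demo-consumer": "consumer-secret"}, {"demo-token": "token-secret"})
    req = sign_request("POST", "http://example.com/api/status", {"status": "hello world"},
                       "demo-consumer", "consumer-secret", "demo-token", "token-secret")
    print("signed request accepted:", server.verify("POST", "http://example.com/api/status", req))
    print("replay accepted:", server.verify("POST", "http://example.com/api/status", req))
    print("bearer accepted:", BearerVerifier({"opaque-token"}).verify("Bearer opaque-token"))
```

The implementation burden the reply describes is visible in the signing code: both parties must agree byte-for-byte on encoding, parameter ordering and key construction, and a single mismatch fails verification. The bearer verifier is a one-line lookup, which is exactly why it depends on the transport keeping the token confidential.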
Omegaman
« Reply #8 on: October 08, 2010, 03:15:39 PM »

Quote from: Thomphoolery
1) Use 2-factor authentication. For WoW, this means buy a damn authenticator.

2) Separate all your browsing into two physical browsers. One for entertainment and daily use, the other for purchases and secure transactions (banking, taxes, etc). If your browser is compromised, your password strength means nothing - using something like Firefox for browsing and IE for banking will help, as long as IE is used for nothing else.

3) Never execute a transaction unless the top of your browser says "https://....." and you see a locked padlock in the lower right. If you don't see these two things, the data you are about to send is *not* encrypted, and anyone between you and the server you are accessing can see all your information.

4) If you are running Chrome or Firefox, install "noscript" and "adblock" as extensions. Noscript will disable Javascript by default, and lets you enable it for sites you trust. Adblock will prevent loading of known advertising, a good portion of which hold nasty executable code if you happen to accidentally click on them.

5) If you use Facebook, Twitter, etc - make sure to use an "OAuth" option if available when accessing these sites from a 3rd party client. Twitter now forces OAuth use over password use, but Facebook allows both. In simplest terms, OAuth allows 3rd party applications to access your data without ever storing your master password. Instead, it stores a sort of "valet key" that will allow a subset of actions. Use it when you can! Pretty soon, OAuth will be the standard.

Thom's tips above are *awesome* and definitely should be followed, esp. #2.  I wanted to add 2 more very important tips for safe and secure browsing:

6) Avoid sending secure or sensitive data (confidential files, company files, usernames, passwords, credit card data, etc.) over WiFi "hotspots" and just avoid WiFi altogether for these transactions for the ultra-paranoid.  There are many reported cases (namely Starbucks after they offered free WiFi) where hackers will sit with their laptop in the store and will do everything from run packet sniffers (stealing the raw data being sent by you over the wifi) as well as run "man in the middle" attacks where they can steal cookies, etc. and actually "act" as your computer.  These attacks are called "sidejacking" as they essentially are pulling right up next to your WiFi connection and stealing your credentials and then using coexisting sessions using the stolen, copied credentials.  The inherent problem with WiFi is that it's still broadcast over a radio signal, which is easily accessible to anyone with a receiver.  Additionally, most WiFi hotspots (esp. free ones) will use the wireless security that's the lowest common denominator (or none at all in some cases), which is usually WEP, which has recently been cracked/hacked fairly easily.  If you are stuck or forced to use a WiFi hotspot, try to connect using WPA/WPA2 if possible.  The algorithms used by the WPA/WPA2 standards are very difficult to crack and near impossible to brute force.  Just remember that while WiFi (and free WiFi) is very convenient, don't forget the potential security vulnerabilities you may be exposing yourself and your personal data to.

7) For those who have many passwords and accounts that are behind login screens, I'd highly suggest using a password management program / app called Lastpass from Lastpass.com.  You can do the research yourself on the product, but it's by far the *best* password remembering/encryption/storage service I've been able to find.  Essentially you only have to remember *one* password and the applet will autofill login credentials for each and every website that you use.  It is free to use and LastPass apps are available for almost all OSes, mobile devices, and web browsers.  They offer a premium service for $1 a month which gives you access to the mobile device apps, stand alone LastPass (don't need to install plugin for browser) as well as other features like encrypting a USB flash drive as 2nd factor authentication. They use SHA256 (secure hashing algorithm) for their security token which is extremely secure (compare to 128 bit encryption used by Windows 7 BitLocker for drives).

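Tip 6 above describes "sidejacking": a session cookie captured on an open hotspot lets someone else ride the same logged-in session. Whether a cookie can be captured that way is decided by the server, not the password, so the following added example (not code from any poster) audits raw HTTP response headers for the defensive attributes that matter: a session cookie set without the Secure flag is sent over plain http:// as well, one without HttpOnly is readable by page scripts, and a site without Strict-Transport-Security lets the browser be steered to the unencrypted version at all. The sample response, cookie names and values are constructed for the example.

```python
# Constructed sample: a session cookie issued without Secure, a well-flagged preference
# cookie, and no Strict-Transport-Security header.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: sessionid=7f3a9c; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html
"""


def parse_headers(raw: str) -> list:
    """Return (lowercased name, value) pairs from the head of a raw HTTP response."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:            # skip the status line
        if not line.strip():
            break                     # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_findings(set_cookie: str) -> list:
    """List the protective attributes a Set-Cookie value is missing."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over plain http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    if "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    return findings


def audit_response(raw: str) -> dict:
    """Per-cookie findings plus whether the site asks browsers to stay on HTTPS (HSTS)."""
    report = {"cookies": {}, "hsts": False}
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
            report["cookies"][cookie_name] = cookie_findings(value)
        elif name == "strict-transport-security":
            report["hsts"] = True
    return report


if __name__ == "__main__":
    result = audit_response(SAMPLE_RESPONSE)
    for cookie, findings in result["cookies"].items():
        print(cookie, "->", findings or "ok")
    print("HSTS present:", result["hsts"])
```

Run against a real response captured from your own browser's developer tools, the report tells you whether a site's login session would survive the hotspot scenario even when you did type https:// yourself.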