Hackers | Jason Palmer, CPA, CITP

Securing your Digital World with Passwords

August 15, 2012 By Jason Palmer Leave a Comment

This is a test: Grab your nearest digital device that has your personal information on it. That would be your cell or Smartphone, iPad or Android Tablet, notebook or desktop computer or iPod/mp3 player. Touch the screen or tap the keyboard to wake it up.

Does it ask you for a Password to proceed before you can access it?

If “Yes”, congratulations, you passed and understand the importance of taking as many precautions as possible to keep prying eyes out of your personal data and digital world.

If “No”, then the next question to you is “Why does your digital device not have a Password set?” Would you leave your car unlocked on the Street? Would you leave the front door of your house or apartment open so that anyone could just walk in and look around? Well, would you?

If you secure every aspect of your physical world with locks, keys, and combinations, why would you not think to do the same for your digital world?

Password security is not just for your online web accounts. Password security should be engaged and used everywhere it is supported.

I am sure that some of you have lost your cell or Smartphone. Without a Password set on the device, whoever found it immediately had access to your entire address book: every name, every phone number, perhaps full addresses, possibly birthdates. In this address book list there are probably sensitive contacts like your Doctor’s, Financial Advisors, and Attorney’s. If you are like many people, in the NOTES section, some contacts may have Account Number and (hopefully not) Password and access information to these accounts. But we are just getting started as we are only considering the wealth of information in the Address Book/Contact List. In the wrong hands, this is an identity thief’s dream.

If you have a Smartphone, every text message sent and received and every email for approximately the past two weeks is fully visible. If the person who just found your phone is a criminal or identity thief, he or she might send an email or text message that appears to come from you fraudulently asking for “assistance” to one or more of your contacts. (A popular scam is to claim that “you” are in a bad cell zone and can only text, have lost your wallet, and can “your friend” please send $100 via a wire service or mobile payment service.)

Your Smartphone most likely connects to an App Store – either the iTunes store or the Google Play store. This person may now be able to obtain additional personal information about you from Apple or Google and possibly credit card information which can then be used to break in to other accounts at other web sites discovered from your Contact/Address Book list.

The above scenarios hold true for most iPads, Android Tablets, iPods, and mp3 Players that have a contact list, email capability, and connect to any kind of App Store.

With a Notebook Computer it only gets worse: Your portable computer has all of the above and plenty of bonus content for the person who finds it. The computer will most likely contain sensitive documents. If you only have a notebook computer and no desktop computer, then it will contain your entire body of digital knowledge: Every letter, proposal, memo, spreadsheet (i.e. Expense Report, Income Information), Business Plan, poem – just about every piece of digital content you have every created will be on this one device. But wait, there’s more: Every picture you have ever downloaded from your phone or camera: you, your family members, places you have been, all of your friends, and pets. This may seem innocuous but for professional thieves, the photos may reveal additional physical targets for burglaries. (Fluffy might become pet-napped and held for ransom.)

If you are a person who accesses a corporate network, which probably does use and require a Password, and that Password is stored in the access application, DING, DING, DING – it is the Mother of all Pay Days for the unscrupulous individual who is now in possession of your notebook. That person potentially has full, unrestricted access to all of your company’s sensitive information. This time it includes not only documents but may include corporate financial information and detailed personal information about clients of the company.

Finally for the Lightening round: I am virtually positive that many of you have your Apps set for “auto-login” where your User Name along with your Password are stored in the App. (If a web site, the user name and password are stored in the Web Browser.) You have just given the person in possession of your digital device the “Keys to the Kingdom” of your Digital World. He or she is now capable of viewing (and manipulating) your Social Media, WebMail, eCommerce accounts and any other web site that has stored access information.

As you can see, for lack of taking a few extra seconds to enter a Password every time you pick up one of your digital devices, you could be needlessly exposing your entire digital world and putting yourself and those around you at extreme risk.

You lock your physical world. Lock your digital world too.

Set a Password on every device that supports the use of a Password.

For some guidelines on setting strong passwords, read my articles, “Strengthening Common Passwords” and “A Complex Password may not be a Strong Password.”

Technical Tip: If your device supports the use of a Swipe Pattern instead of entering a combination of numbers and letters as a Password, definitely use a Swipe Pattern. (A Swipe Pattern allows you to use your finger to draw a series of lines across the screen in a specific order to unlock the device.) Hackers can use automated programs to guess at the number and letter combinations which make up a Password. As of this writing, similar programs do not yet exist to crack a Swipe Pattern on a digital device. Although if a program did exist, most phones would still lock out all further attempts after a certain number of failures. It was reported in March of 2012 that even the FBI could not get in to a phone that used a Swipe Pattern to lock it. See more on that story here.

Strengthening Common Passwords

August 13, 2012 By Jason Palmer 1 Comment

Raise your hands. How many of you are still using one of the following as your Password:

First Name Birth Date
Kids Name
Dogs Name
First Name Date of Hire
Password
123456
Yankees
Mets

You get the idea. A Password so incredibly obvious that you really don’t even need to write it down and stick it to the underside of your keyboard for a co-worker or family member to find it. (What? You think you’re the only person in the world who would think to hide their password under their keyboard?)

Since you refuse to make a genuinely strong password as discussed in my article, “Have YOU changed your Password recently?” let’s see if we can take your existing, incredibly obvious password and make it stronger.

Let’s start with the ever popular First Name and Birth Date. WALT1901 Yes, you do get partial credit for using both Letters and Numbers but fail because these are two pieces of information that many people who might want to get in to your digital accounts already know. I understand that it is very easy to remember. We can make is stronger with just a few minor improvements.

Let us combine the First Name with the Birth Date so that we take one letter from the first name then one number from the birth date: WALT1901 becomes W1A9L0T1 .

We can make this a little stronger still by changing the Letter “L” to a Number “1” so the new password would be W1A910T1 . Changing a letter to a number in this particular manner is a form of simple letter/number substitution called LEET. (Read more about LEET at Wikipedia here.)

A determined hacker who knows your name and birth date would figure this out fairly quickly as one of the few dozen combinations and possibilities. However, the simple modification above will keep out most nosey co-workers and family members who try the incredibly obvious first. (A brute force computer program could figure this password out in a matter of minutes because it is just letters and numbers.)

Almost any Password can immediately be strengthened by using LEET – substituting numbers or special characters for letters. LEET works well as a starting point.

Password becomes P@ssw0rd or P@55w0rd
Yankees becomes Y@nk335
Mets becomes M3t5

Unfortunately, these passwords are still very easy for anyone who knows what Sports Teams you follow to figure out. LEET substitution patterns are fairly well known. (I am ignoring for the moment if you are one of the tens of thousands who still use the word “password” as your actual “password” – LEET or not, you deserve to be hacked.)

In order to throw off those who might know that you like Baseball and may use Sports Team names as your password series, we need to add a special character and mix things up a bit.

If we take our LEET version of Yankees – Y@nk335 – and add an Exclamation point – Y@nk!335 – this makes the password extremely strong from a human attack and reasonably strong from an automated attack.

Going one step further: If we move the numbers to the front: Y@nk!335 becomes 335Y@nk! – this password is even stronger and again could most likely only be broken by a brute force automated attack. (A brute force automated attack is where the computer will keep trying every letter, number, special character combination until it is successful.)

I have demonstrated that you can hang on to your common, weak Password, so you can remember it, and apply a few simple techniques to make it significantly stronger. At the bare minimum, it is will certainly keep out noisy co-workers and family members. At best, it will make the brute force hacker’s work extremely hard to break in to your digital accounts.

A few thoughts on the selection of a Password and Strength:

Understand that every password, given enough time, will be found.

As discussed, someone trying to gain entry in to your digital account is going to try the easy, common passwords first. For example, “123456” is the most common password and “Password’ is the fourth most common password. A hacker is not going to have to use any fancy brute force attack to break in to an account with either of these two passwords. In fact, they will be the first and fourth passwords that the hacker tries to use to gain entry in to your account.

The point is that any hacker will have a list of well know common passwords that include Sports Teams, Movies, Celebrities, Comic Book Characters, Seasons, Fictional Characters, Playwrights, Composers, etc. All of these well know possible passwords will be tried first and in too many cases, will be successful.

Once you start to use Passwords that are not common and have the above techniques applied to them, you will force the hacker to use a “brute force” method of attack which can take an incredible amount of time to succeed.

Thieves like to take the cars with the doors left unlocked and the keys in the ignition.

Make sure to lock your digital accounts with a good quality password.

With a few simple modifications to your Password, you can put up enough of a challenge that most hackers will give up and move on (unless you are a specific target of an attack.)

The sites below have a combination of Password Quality Meters and the theoretical amount of time it would take for a brute force, automated attack to succeed.

NOTE: There are significant differences in the assumptions used to determine the difficulty level in cracking your Password.

DO NOT RELY SOLELY ON THESE TOOLS FOR GUIDANCE WITHOUT UNDERSTANDING THEIR METHODOLOGIES!

The three sites below take entirely different approaches to determining the quality of a Password.

Password Quality Test Tools

The Password Meter – Traditional Analysis based on Traditional Policy Theory
http://www.passwordmeter.com/

Pass Fault – Patterns Make Passwords Easy to Crack
http://www.passfault.com
Pass Fault – Analysis based on Pattern Theory
https://passfault.appspot.com/password_strength.html

Needle in a Hay Stack Theory by Steve Gibson and Test
https://www.grc.com/haystack.htm

Have YOU changed your Password recently?

August 12, 2012 By Jason Palmer Leave a Comment

Account Security is not like the Weather. You can do something about it. Almost weekly, someone reports that a Social Media Site, Content Provider, or Financial Institution has had a breach and that customer account information “may” have been compromised.

The absolute best defense against this insane level of carelessness is a good offense.

CHANGE YOUR PASSWORDS EARLY AND OFTEN.

This is an aspect of digital account security that is completely within your control.

The sites that care most about the security of your data force you to change your password on a periodic basis of no less than ninety days. If they do not force a periodic password change, take it upon yourself to change your password at least monthly. If they really care, they force you to use a “strong” password which generally means it is more than eight alphanumeric characters, must include at least one letter, one number, one special character, and is case sensitive.

Unfortunately, most sites feel that forcing you to change your password, even if for your own protection, is too invasive and not very customer service friendly.

Be honest. How many of you have NEVER changed your password on your email account? Facebook? Gmail? AOL? AIM? AppleID? Your bank account? Seriously? Never? Need I go on?

Stop reading this right now and GO CHANGE YOUR PASSWORDS. I will wait… Hmmm… still reading? Well then the least I can do is to give you some advice on creating a strong password.

As amazing as it seems, some Banks do not allow special characters as part of the password. (Special characters are punctuation marks like # @ $ ! % * . – anything that is not a letter or number.) Even without special characters, you can still make a strong password that will be difficult to guess and withstand a good number of basic hacking techniques.

Let us start by creating a password not from a word but from a phrase. Take the first letter from each word in the title of this article as a starting point. “Have You Changed Your Password Recently” would translate to HYCYPR. This is absolutely not a word in any dictionary which eliminates the possibility of a dictionary based hacking attempt. To anyone who is not you, the password looks like complete gibberish. (A dictionary attack uses an English Dictionary or a list of common words and tries thousands of them until it succeeds.)

Now, let us make it even stronger. We are going to substitute the some of the letters with their numeric position in the Alphabet. HYCYPR is going to become 8Y3YPR. H is the eighth letter and C is the third letter of the Alphabet. To keep with my own statement that a strong password should be at least eight characters, I will pad this with some extra numbers. The final password will be “ 8Y3YPR42 ” (Ignore the quote marks.) This password is now virtually impossible to guess and it is definitely impervious to a dictionary attack. By the way, I chose 42 as that is the answer to “Life, the Universe, and Everything” from “Hitch Hikers Guide to the Universe.”

Which bring up another point: Try to use a sentence, phrase or quote that is not common or attributable to your personality, likes, or habits. If someone knows you like Douglas Adams (Author of the Hitch Hikers Series) and has figured out how you assemble your passwords, this gives that person a starting point if you are being specifically targeted.

Now that you know how to make strong passwords, GO DO IT NOW for all of your accounts.

Take this opportunity to get one giant step ahead of the hackers.