Welcome to another Techie Tip Tuesday

I started to record this week's tip as a video, but as I was doing it, I realised that the content really wasn't suitable! So I've reverted to text for this week alone.

Today I wanted to talk a bit about passwords. Once we're done, you'll know why you should use different passwords on all your accounts, how to make your passwords difficult to guess or crack, and I'll also give you some ideas on how to make sure you never forget your login information no matter how random your passwords are!

Over the past couple of years there's been a noticeable increase in the number of companies that have admitted that their web sites have been compromised and account details stolen. Companies like LinkedIn, Adobe, Sony, Twitter and Facebook, to name a few of the most famous, have all been hacked at some point. With some of these companies you will understand immediately why it becomes a huge issue: they've got your credit card details attached to your account.

But what about the other web sites? Let's say you have an account on a hobby-related forum. Surely on your average forum there'll be nothing of value?

Think about how much information you might reveal to a few fellow photographers, football supporters, Mums or whatever social group you're connected with. There's a whole new "art" these days in which bad guys use what is known as social engineering to find out enough information about you to get access to your money, or to commit identity fraud. If you're part of any networks it's almost impossible to prevent this entirely, but being conscious of your security will reduce the risks.

Here's another thought: what if you use the same user name and password whenever you can? Most people try to do this, and bad guys know it. If they can get your details from one site, the chances are that you'll have used the same details somewhere else that does store confidential information, and they will try them there first.


OK, let's just talk for a minute about how web sites store your password. You may have heard talk of 'salting' and 'hashing' passwords, so I thought it might be best to briefly explain what this means.

When a web site holds a database of user accounts, it will typically store the passwords in one of three ways.

First, and the most insecure method, would be plain text. That means that your login name and password are stored together in an unencrypted file or table. You can see that if a bad guy were to get hold of this file he'd have full access to all of the site's user details without any further effort. Pretty scary stuff. In this case, a password of "password" would be stored exactly like that.

The next method is hashed passwords. A hash function takes your password and produces a fixed-length scrambled value, the hash, from which the password cannot be recovered. There is no key or "passcode" involved, so nothing is encrypted and nothing can be decrypted; the site simply stores the hash and never stores your actual password. When you log in, it runs the same hash function over what you typed and compares the result with the recorded hash before allowing you access. In this case a password of "password" hashed with SHA-256 is stored as 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8, and, importantly, every user on the site who chose "password" gets exactly that same value.

Now let's say a bad guy gets hold of that password database, which is usually done by hacking into the web site that holds it. He cannot reverse the hashes and there is no passcode to find. What he does instead is guess: he takes a list of likely passwords, hashes each guess with the same algorithm, and looks for matches against the stolen hashes. With a fast general-purpose hash such as MD5, SHA-1 or SHA-256, dedicated hardware can test billions of guesses per second, so every account that used a dictionary word or a previously leaked password is recovered within minutes, and a single guess that hits "password" unlocks every account that chose it at once. Most of the companies that have admitted being compromised took far longer than that to realise they had been attacked.

Salting makes this harder. Before hashing, the site adds a random value, the salt, that is different for every account, and stores the salt alongside the hash in the same record. The salt is not a secret; its value is that no two accounts produce the same hash even when they chose the same password, and that a table of hashes precomputed from a wordlist is worthless because the attacker did not know the salts in advance. Each guess now has to be hashed once per account rather than once for the whole database, so the work grows with the number of accounts. In this case a password of "password" with a random 16-byte salt attached might be stored as the salt plus something like Dk&$dk^21u89S_!d5hj, and a second user with the same password gets a completely different hash. Salting does not slow down an individual guess, though: that takes a deliberately slow password hash such as bcrypt, scrypt or PBKDF2, which is what a well-run site uses on top of the salt. Even then the attacker still recovers the weakest passwords first, and the company usually cannot tell which ones those will be, which is why firms will admit that a password database was stolen but say they aren't sure how many accounts are actually exposed.

To throw some further light on how the bad guys break in, there are a number of passwords that are really common (see here), and the lists of passwords leaked from earlier breaches are freely available. Those go at the top of the attacker's guess list, together with rules that try obvious variations of each entry: capitalising it, adding a digit or a year, swapping letters for look-alike symbols. In an unsalted database everyone using one of these gets the same hash, so one lucky guess exposes all of them at once. So when you use a really simple password, not only are you making it easy for someone to guess, you're guaranteeing it will be among the first recovered from any stolen database.
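Here is an added worked example, my own Python rather than code from the original post or from any real site, that puts the three storage methods side by side and runs the guessing attack described above against each. The four accounts, their passwords and the five-entry "wordlist" are constructed for the demonstration, and the mangling rules are a toy version of what real cracking tools apply; the "leet" substitutions it tries are the same kind of letter-swapping that people use to dress up a weak password.

```python
import hashlib
import hmac
import itertools
import os

# Constructed sample data: four accounts and the passwords their owners chose.
# Two people picked the same weak password, one "disguised" a weak one with
# common substitutions, and the fourth chose a long random passphrase.
USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "Pa$$w0rd",
    "dave": "correct horse battery staple",
}

# A toy stand-in for the attacker's wordlist (real ones hold millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "football"]

# The "leet" substitutions every cracking rule set already knows about.
LEET = {"a": "@", "s": "$", "o": "0", "i": "!", "e": "3"}


def mangle(word):
    """Expand one wordlist entry the way a cracker's rules do: change case,
    append a digit, and try every combination of the LEET substitutions."""
    variants = set()
    for base in (word, word.capitalize(), word.upper()):
        variants.add(base)
        variants.update(f"{base}{d}" for d in range(10))
        options = [(c, LEET[c]) if c in LEET else (c,) for c in base]
        variants.update("".join(p) for p in itertools.product(*options))
    return variants


def candidates(wordlist):
    """Every guess the attacker will try: the wordlist expanded by the rules."""
    out = set()
    for word in wordlist:
        out |= mangle(word)
    return out


def hash_unsalted(password):
    """What a site that 'just hashes' stores: a fast one-way digest of the
    password alone. No key is involved, so nothing can be 'decrypted'."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """Digest of salt + password. The salt is random per account and is kept
    next to the hash in the clear; its job is to make every hash unique."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_slow(password, salt, iterations=200_000):
    """A deliberately slow, salted hash (PBKDF2-HMAC-SHA256). Each guess now
    costs the attacker `iterations` SHA-256 computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(users):
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def store_salted(users):
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # fresh per account; stored with the hash, not hidden
        db[user] = (salt, hash_salted(pw, salt))
    return db


def crack_unsalted(db, wordlist):
    """Hash each guess ONCE and look it up against every stored hash.
    Accounts that share a password share a hash, so they fall together."""
    by_hash = {}
    for user, digest in db.items():
        by_hash.setdefault(digest, []).append(user)
    cracked, work = {}, 0
    for guess in candidates(wordlist):
        work += 1
        for user in by_hash.get(hash_unsalted(guess), []):
            cracked[user] = guess
    return cracked, work


def crack_salted(db, wordlist):
    """With a unique salt per account every guess must be re-hashed for each
    account, so the work scales with the number of accounts and a table of
    precomputed hashes is useless."""
    guesses = candidates(wordlist)
    cracked, work = {}, 0
    for user, (salt, digest) in db.items():
        for guess in guesses:
            work += 1
            if hmac.compare_digest(hash_salted(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked, work


def verify_slow(stored, password):
    """A login check against a slow salted hash, using a constant-time compare."""
    salt, digest = stored
    return hmac.compare_digest(hash_slow(password, salt), digest)


if __name__ == "__main__":
    plain_db = store_unsalted(USERS)
    print("alice and bob share a hash:", plain_db["alice"] == plain_db["bob"])
    for label, crack, db in (("unsalted", crack_unsalted, plain_db),
                             ("salted", crack_salted, store_salted(USERS))):
        found, work = crack(db, WORDLIST)
        print(f"{label}: cracked {sorted(found)} after {work} hashes")
```

Running it shows alice, bob and carol recovered from both databases (the leet-disguised "Pa$$w0rd" included) while dave's long passphrase survives; the difference is that the salted database costs the attacker several times as many hash computations, and swapping `hash_salted` for `hash_slow` multiplies each of those by the iteration count.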

Now your typical hobby forum may use one of the less secure methods of password storage, and will probably be administered by another hobbyist. The chances are they won't be as experienced as a systems administrator for a bank, and may not even know that their system has been compromised. So it's a perfect target for an experienced bad guy to attack.

Anyway, that's some of the background on how passwords are stored, stolen and, unfortunately, cracked. What do we need to learn from this?

1. Never use the same password on more than one site.

I did consider recommending using one generic password on hobbyist sites, but you'll be amazed at how much personal information can be gleaned from these sites, and it's much easier for the bad guys if your login details are known or easily obtained.

2. ALWAYS use a long, complicated password

The longer and more random your password, the more guesses it takes to find it: a cracker works through the likeliest candidates first, so a dictionary word with a few numbers and symbols tacked on sits near the top of the list, while a long random string is effectively out of reach. Adding capitals, numbers and symbols does help, but be careful with home-made rules. Replacing l's with an exclamation mark, G's with a number 9, or always capitalising the first and third letters are exactly the kinds of substitutions that cracking tools apply automatically to every word they try, so they add much less protection than they appear to. At the very least make your passwords look nothing like real words; making them completely random, or using a long passphrase of several unrelated words, is much better.

3. If you hear that a Web site has been compromised, LOG IN and change your password immediately.

That way, if the bad guys do crack your password, hopefully you'll have beaten them to it and blocked their access.

I realise that telling you to use different and difficult passwords is going to make it extremely hard for you to remember them all. So how do we get around that? Well, there's a raft of password utilities available, and the one I always recommend is 1Password (see the bottom of the post for links). This app is available for Mac, iPhone, iPad and many other platforms, meaning that you can store all of your passwords on almost all of your devices. To access them, you only need ONE password... and of course, I'd strongly suggest you make it a long, complex one for your own security!

The advantage of using a password manager is that many of them have their own secure password generators. For example, in 1Password, when creating a new password you can tell the app you need a password of 10 characters (longer is better; use 16 or more wherever the site allows it) and it'll generate something random containing whatever character types you tell it the password can contain. And then it'll remember it.
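As an added example, and not code from 1Password or from the original post, this is what a sensible generator looks like in Python: it draws every character from the operating system's random source rather than from a pattern, and it includes the arithmetic that tells you how much a given length actually buys you. The five-word list is constructed for the demo (real passphrase lists have thousands of words) and the guess rate of ten billion per second is an assumed figure for a fast unsalted hash on dedicated hardware.

```python
import math
import secrets
import string

# Character classes a generated password must draw from (typical site rules).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable characters


def has_every_class(pw):
    """True if pw contains at least one character from each class."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate_password(length=20):
    """Draw each character uniformly from ALPHABET using the OS CSPRNG
    (`secrets`, never `random`) and reject draws that miss a class.
    Rejection keeps the result uniform over all passwords that satisfy
    the rule, unlike 'pick one of each class then shuffle' schemes,
    which skew the distribution."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_every_class(pw):
            return pw


def generate_passphrase(words, count=5, sep=" "):
    """`count` words chosen uniformly (with replacement) from `words`.
    Easier to type than symbol soup and just as strong if the list is big."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, alphabet_size):
    """Entropy of `choices` independent uniform picks from `alphabet_size`
    possibilities: the number of bits an attacker has to search."""
    return choices * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possibility at the given guess rate
    (the average is half of this)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20, len(ALPHABET)):.1f} bits")
    # Constructed toy word list; real passphrase lists have thousands of words.
    words = ["horse", "battery", "staple", "correct", "window"]
    print(generate_passphrase(words, 4), f"{entropy_bits(4, len(words)):.1f} bits")
    rate = 1e10  # assumed guesses per second against a fast unsalted hash
    for n in (8, 10, 16):
        bits = entropy_bits(n, len(ALPHABET))
        days = seconds_to_exhaust(bits, rate) / 86400
        print(f"{n} random chars: {bits:.1f} bits, {days:,.0f} days to exhaust")
```

The output makes the point about length concrete: 8 random characters from the 94-character alphabet is about 52 bits and falls in days at that rate, 10 characters is about 65 bits, and 16 characters is over 100 bits, far beyond any brute-force attack. A passphrase built from a large list gets there too; four words from a 7,776-word list is roughly 52 bits, and each extra word adds almost 13 more.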

I'll almost certainly do a full review of 1Password in a Product Feature Friday some time soon, but until then take my advice that this is one of the more user-friendly password managers out there. I do have to add a note here that storing all your passwords in one place does have its own risks, especially if you use any of the cloud sync options within 1Password or its competitors. As I always say, if you do keep confidential information on anything, whether it's a piece of paper or a £2000 computer, PLAY SAFE! Make sure that information is secure, and this is something we're more than happy to help you with if you wish. And, as always, physical security is essential. Keep your devices secure; don't become a victim by leaving your phone or computer in a bar or coffee shop!

Take the precautions I've recommended and you're doing as much as you can to prevent unauthorised access to your finances, and that's really what we're concerned with here. Hackers, generally, don't do this for fun... they do it for money. Make it hard for them and they'll go after lower-hanging fruit, such as someone who uses "password" as their password.

If you have any questions on today's content, or need some more advice, please don't hesitate to call us. And of course we'd love to hear from you if you have any feedback on any of our posts, this one or any of the others. If you've got questions that we might be able to use as a basis for future videos, please let us know. Finally, I'd love you to subscribe to our YouTube channel!

Take it easy, have a great day and I'll be back tomorrow with something new.

Chris