Passwords, passwords, passwords!

The “why” is simple: the computer needs to know who you are.

Back in the day, our computers took us on faith. My TI-99 and my Amiga took for granted that if I was sitting in front of my computer that I had every right to be there and do whatever I wanted. I didn’t store credit card numbers, personal details, or do online banking on my computers back then. There was no network…you either sat in front of the computer….or you did something else.

This started to change with Windows 2000 and Windows XP. While lots of small businesses are still running on a random collection of desktop PCs, there are more and more of us using networks and sharing stuff between computers.

Even if you’re not running a server, think of the “stuff” on your computer today. Quickbooks, MS Office Accounting…letters or other documents with your personal financial info? Do you have credit card numbers saved anywhere? Bank web site passwords?

What’s to keep your kids, your cleaning staff, your disgruntled ex-employee, or some Romanian hacker from taking this stuff?

It’s important for your computer to know who you are.The easiest and most popular way is with a username and password. If you can type a username and a password that matches what’s on file, then the computer decides that you are that user, with full rights and priviliges. Other ways include fingerprint readers, “smart cards,” and USB “keys.”

We all know from the movies that bad guys sit in dark rooms with gazillons of screens, furiously banging away at keyboard and using super-secret magic to hack into computer systems. Well, okay. How do bad guys really break passwords?

* Guessing. Most small businesses users I’ve seen use the same passwords: kids’ names, pets’ names, important dates, etc. People who know you can guess these very easily. People with access to your personal info can usually guess these too. Remember that friends and colleagues may “go off the deep end” and turn against you.

* Brute Force. these are automatic attacks that are done over the network. Hackers have lists of thousands of words and write scripts to try millions of usernames and passwords. It doesn’t matter that this takes a long time, because the nasty guys run the same attacks against a couple thousand addresses at a time. Even a 1% “hit rate” gives a dozen machines to play with. There are several other topics here like “rainbow tables” but suffice to say they’re all automated techniques that don’t require a large degree of skill….but do require network or physical access to the machine.

* Social engineering. Nasty guy (or girl) calls up and says they’re from Verizon, Comcast, your bank, etc….and they need your username and password to “test” or “verify” your account.

* Shoulder Surfing. If you’re a slow typist, someone can watch you type and figure out which keys you’re hitting with surprising accuracy.

* Keylogging and other malware. Some of the “crapware” (spyware/viruses/malware etc) out there will install a new program that sends EVERY KEYSTROKE YOU TYPE to a file. Comb through this for a few minutes and you’re bound to find some good passwords!

Protecting yourself

* If you don’t have a password on every computer you use, set one up after reading the rest of this piece.

Don’t share passwords. If someone else needs access to your files, sites, or any of your stuff, set up sharing and a different, also-protected account for their stuff.

Don’t give your password or username to anyone you don’t know and trust. Just because they say they work for your bank’s “fraud prevention unit” doesn’t mean they do.

Run updated Anti-virus, anti-spyware, and personal firewall software on your PC.

Have a seperate computer at home for Internet and games. Don’t treat your work computer like a toy. Don’t treat your work-from-home computer like a toy.

Know and understand your responsibilities. If you handle credit cards, social security numbers, or medical details, remember that it’s ultimately your responsibility to make sure that info is protected properly. Understand your HIPPA and PCI/DSS responsibilities.How do I come up with good passwords? We want something that’s 8 characters long, includes numbers, letters, and symbols (if allowed), and does not contain any common words or numbers.

  • Use a “pass phrase.” Most versions of Windows allow you to use a very long password….like “Every third Sunday my 14 kids have Ice Cream!” It’s too long for a casual observer to remember, to strange for you to forget, and long enough that an automated cracker will have a hard time with it.
  • Pick a song. Take the first letter of each word of the song and use that. Mix in a number, capital letter, or symbol where appropriate. For example….Stairway to Heaven gives us:

That’s 18 characters of very strong, random un-crackable-ness.

  • use a password manager. I really like (and use) RoboForm. RF has a built-in password generator, so I remember my RoboForm password and IT fills in the others for me when needed. You still need a very strong password for RF itself, though.

A common misconception: Substituting a numbers for letters doesn’t do much except for slowing down casual guessers. You would think that p@$$w0rD would be MUCH more secure than password. It’s not. The “brute force” lists already contain nearly all substitutions of common words. It’s trivial for the program to say “If you’re trying safe, try $afe, S@fe, saf3, and all other combinations.”

I welcome your feedback and any suggestions you have for future topics!

-Greg C

Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: