#167 - Feature: Password Security
Motto: My Heartbleed's for You
The motto is not grammatically incorrect. I used "Heartbleed" as a possessive noun.
Now that we've got that out of the way - welcome to the passwords best practices feature. You're about to hear about computer passwords from me, a non-expert who has done a possibly passable amount of research.
Let me start with the heart:
Heartbleed is a bug in OpenSSL that was recently found and immediately exploited.
In a nutshell, it works like this (thanks to Randall Munroe and his site - XKCD):
The information the hacker gets in this exploit is whatever just so happens to be stored in memory after the bugged ping was sent. This could be your username, password, credit card information, security question and response, or, more likely, worthless network gibberish and/or somebody else's personal info.
There are two particularly scary things going on here:
1. You have absolutely know what of knowing if your data was successfully mined by hackers.
2. Even if you were doing absolutely everything right (security wise) on your end, you could still have your information stolen.
The only thing you can do is change your passwords on any and all services that were affected by this bug (who have since patched their servers), especially if you used them during the timeframe between when the exploit was made public and when it was patched on the service you used.
That's Heartbleed.
It is NOT how your personal information is most likely to get stolen, though.
Introduction to Password Security:
"Hacking" is a very vague term. There's tons of things that could fall under the umbrella of "hacking". What most people generally think of, though, is somebody breaking into your accounts by tricking the system into thinking they are you by logging in with your password (or having your password reset). This could be done via password guessing, brute-force attacks, malicious software, or through "social engineering". Password guessing is easy. If I had to guess your password, I'd start with "123456", "password", "password1", and several variants of your name or your dog's, significant other's, or kid's names. To protect against this, you shouldn't make your password easy to guess. If that doesn't work, I would move on to some sort of brute force method. I don't know all the logistics behind it (because I've never tried hacking someone's accounts), but I do know that it is more sophisticated than entering "000000", then reloading the page and entering "000001". People who use brute force attacks don't do so on the web interface. In laymen's terms, they download an encrypted portion of the page, then run a sophisticated password guessing program, one that has a list of the top 5 million most used passwords and tries all those, then starts in with the "000001" stuff. There's the possibility for malicious software to do you in. Keyloggers that record literally every keystroke you make. There's way more in the way of malware, but I'm going to mention keyloggers later on. Lastly, there's social engineering. If I wanted to hack your Facebook account, I'd pull up your account and see you posting about your dog Fluffy. I'd try to log into your Facebook account using the password "Fluffy" or "msfluffy" or "I<3fluffy". Maybe I'd go to your security questions (to reset your password), and put in the most generic answers I can think of: "What was the name of your favorite teacher?", well I'm going to guess it's "Jesus". Am I right? Then you're in trouble. If you save your passwords in the browser, I can sit down at your computer and have a few of them saved to my USB drive within a minute. If I get your email, the one you use to log into everything else, then I've got you. All your account are belong to me. So, what can we do? Top 5: Quick Security Tips 1. Don't make your passwords easy to guess. 2. Don't reuse your passwords. 3. Don't make your security questions easy to guess. 4. Use 2-factor authentication, where possible. 5. Use a password manager The first 3 tips from above are obvious. But what is 2-factor authentication? What is a password manager? How do I use those things? I'm going to spend the rest of this post answering those very questions. Two-Factor Authentication "Authentication" is a verb. When you log into your Gmail, you put in your email address, then you put in your password. If you put in the correct password, you are "authenticated", that is - the service you are trying to use deems you as an authentic user. You are the person who should have access to this account because you know the password. There are 3 major types of authentication - they are authentication using something you KNOW, something you HAVE, or something you ARE. Something you KNOW - you know the password, you're in. Most internet things operate this way. Something you HAVE - you have the key, so you can open the door. The door example isn't a metaphor, it's a physical manifestation of authentication using something you have. Something you ARE - your fingerprint, iris, face, et cetera. This method is high tech and much cooler sounding and looking than the two above. 2-factor authentication means you are using two of the three categories above to authenticate. You need to know the password AND have the key. You need to know the password AND show us your fingerprint. You need to have your ID badge AND scan your iris. There are some very well-known second factor authentication options - the iPhone 5S will unlock without your pin if use the fingerprint scanner. But that's an "or" situation. Your finger OR the password will work. For security, you need an "and". There are plenty of ways to get an "and" in the digital world. I use Google's 2 Factor authentication for Gmail. In short, when someone tries to log into any Google service from a computer I haven't already whitelisted, Google sends me a text message with a 6 digit code. Basically, my phone becomes a key. If you want access to my accounts, you'll need my password AND my phone. I suggest, at a minimum, enabling two-factor authentication for your Google account. Password Manager So, what is a password manager? What does it accomplish? Password tips 1 & 2 are hard to do in conjunction with one-another. Keeping complex passwords and keeping every password unique is astonishingly difficult. Enter the password management software of your choice. A keeper of the keys. An encrypted password-protected database that remembers all your login credentials for you... and might do more than that. Instead of remembering a different and complex password for every service you use, you only have to remember one. It's basically just that simple. But they can be more useful than that. They protect you from brute force attacks and password guessing by generating new, random passwords for you. Could you remember "L30x_)sS~l3pqQ.$3x"? You think it's easy to guess? Easy to force open? That's a randomly generated password from my password manager. It's what all my passwords look like, and they are all different. But they can be more useful than that. They protect you from keylogger attacks, because you'll never actually be typing out your new ungodly long passwords. They will be copied and pasted into the webpage, either by automatically or manually. You'll only type your database password, which is only useful if the hacker also has access to your database. But they can be more useful than that. Do you know every site to which you have a membership? Now that Heartbleed has come up, and you should change all your passwords, do you even know what all you have passwords to? Will you have to go through the trouble of memorizing new passwords now? For me, I'll just go down the list, use it to login to all my accounts, use it to generate new passwords, change my passwords, save the new ones in my database, and be right back to exactly where I was before. It's an inconvenience, but much less so than if I weren't using the system. But they can be more useful than that. Every password manager I've found allows you to securely store notes or comments related to each password in the database. Got a password for your insurance account? How about storing your agent's contact information, your policy number, its expiration date, and whatever else you can think of in there. Now, you know that when you accidentally hit that tree that drunkenly ran out in the middle of the road in front of your car, you will have all the information you need readily available. And that's just the stuff I use password managers for, they can do a lot more. How do I use those things? Sign into Google. Hover your picture in the top-right corner of the page. Click "account". Click "Security". Under 2-Step Verification, click the link and follow the on-screen instructions. I did the process over a year ago, I don't remember it being at all challenging. From that point on, whenever you sign in to Google from an unknown computer, you will receive a text message with a verification code. If ever ONCE you receive a verification code when you aren't trying to sign in, you'll know this process was worth it (because someone will have tried to hack your system but been stopped by the 2nd step of verification). It is an inconvenience if and only if you are logging into new computer all the time... and if that's the case you really need to take security very seriously. When it comes to password managers, there are several options: LastPass, 1Password, KeePass, Roboform, and many others. I have experience with two of these options, LastPass and KeePass. I highly recommend both. LastPass: LastPass is probably the biggest, most popular password management solution. It's an online password manager that falls into the category of "freemium". You can set up and use 80% of its functionality without ever paying a dollar. If you want to use some advanced functionality (most importantly, if you want to use their mobile apps), you'll be paying. The good news is you'll only be paying $1/month. That one dollar buys you into a very robust and well maintained password solution. Your data is stored in LastPass's servers, but it is stored and sent to you in an encrypted state. The decryption is done locally, which means your credentials are never visible to their servers or anyone else without the password. You can also set up 2-factor authentication to open up your password vault. KeePass: KeePass is probably the next best, next most popular solution to this problem. It's a completely free, open-source password manager. It's less fancy, has fewer bells and whistles, a little rougher around the edges perhaps, and maintained by who knows who in their spare time... but it is designed to work entirely offline. Your passwords are never sent to anyone's servers. They are never stored in an unencrypted state. You own the database file and are free to do with it what you please... and there's something very fulfilling about that. After reviewing both options heavily for a month, I decided to go with KeePass. I love being able to move the file with all my important personal information around. It's great. I have copies of it stored on my computer, hard drive, two flash drives, and on my phone. Beyond the ability to own the database file, I think I went with KeePass because it offered fewer bells and whistles that I didn't want to use. I'd rather not have something that I want than have something that I don't want. I don't want multiple form-fill identities. I don't want a dedicated area to store my credit cards, I don't want to share a list of my passwords with any other "trusted users". I just want what KeePass gives me... and I'm glad I have it. There's tons more to computer security
The information the hacker gets in this exploit is whatever just so happens to be stored in memory after the bugged ping was sent. This could be your username, password, credit card information, security question and response, or, more likely, worthless network gibberish and/or somebody else's personal info.
There are two particularly scary things going on here:
1. You have absolutely know what of knowing if your data was successfully mined by hackers.
2. Even if you were doing absolutely everything right (security wise) on your end, you could still have your information stolen.
The only thing you can do is change your passwords on any and all services that were affected by this bug (who have since patched their servers), especially if you used them during the timeframe between when the exploit was made public and when it was patched on the service you used.
That's Heartbleed.
It is NOT how your personal information is most likely to get stolen, though.
Introduction to Password Security:
"Hacking" is a very vague term. There's tons of things that could fall under the umbrella of "hacking". What most people generally think of, though, is somebody breaking into your accounts by tricking the system into thinking they are you by logging in with your password (or having your password reset). This could be done via password guessing, brute-force attacks, malicious software, or through "social engineering". Password guessing is easy. If I had to guess your password, I'd start with "123456", "password", "password1", and several variants of your name or your dog's, significant other's, or kid's names. To protect against this, you shouldn't make your password easy to guess. If that doesn't work, I would move on to some sort of brute force method. I don't know all the logistics behind it (because I've never tried hacking someone's accounts), but I do know that it is more sophisticated than entering "000000", then reloading the page and entering "000001". People who use brute force attacks don't do so on the web interface. In laymen's terms, they download an encrypted portion of the page, then run a sophisticated password guessing program, one that has a list of the top 5 million most used passwords and tries all those, then starts in with the "000001" stuff. There's the possibility for malicious software to do you in. Keyloggers that record literally every keystroke you make. There's way more in the way of malware, but I'm going to mention keyloggers later on. Lastly, there's social engineering. If I wanted to hack your Facebook account, I'd pull up your account and see you posting about your dog Fluffy. I'd try to log into your Facebook account using the password "Fluffy" or "msfluffy" or "I<3fluffy". Maybe I'd go to your security questions (to reset your password), and put in the most generic answers I can think of: "What was the name of your favorite teacher?", well I'm going to guess it's "Jesus". Am I right? Then you're in trouble. If you save your passwords in the browser, I can sit down at your computer and have a few of them saved to my USB drive within a minute. If I get your email, the one you use to log into everything else, then I've got you. All your account are belong to me. So, what can we do? Top 5: Quick Security Tips 1. Don't make your passwords easy to guess. 2. Don't reuse your passwords. 3. Don't make your security questions easy to guess. 4. Use 2-factor authentication, where possible. 5. Use a password manager The first 3 tips from above are obvious. But what is 2-factor authentication? What is a password manager? How do I use those things? I'm going to spend the rest of this post answering those very questions. Two-Factor Authentication "Authentication" is a verb. When you log into your Gmail, you put in your email address, then you put in your password. If you put in the correct password, you are "authenticated", that is - the service you are trying to use deems you as an authentic user. You are the person who should have access to this account because you know the password. There are 3 major types of authentication - they are authentication using something you KNOW, something you HAVE, or something you ARE. Something you KNOW - you know the password, you're in. Most internet things operate this way. Something you HAVE - you have the key, so you can open the door. The door example isn't a metaphor, it's a physical manifestation of authentication using something you have. Something you ARE - your fingerprint, iris, face, et cetera. This method is high tech and much cooler sounding and looking than the two above. 2-factor authentication means you are using two of the three categories above to authenticate. You need to know the password AND have the key. You need to know the password AND show us your fingerprint. You need to have your ID badge AND scan your iris. There are some very well-known second factor authentication options - the iPhone 5S will unlock without your pin if use the fingerprint scanner. But that's an "or" situation. Your finger OR the password will work. For security, you need an "and". There are plenty of ways to get an "and" in the digital world. I use Google's 2 Factor authentication for Gmail. In short, when someone tries to log into any Google service from a computer I haven't already whitelisted, Google sends me a text message with a 6 digit code. Basically, my phone becomes a key. If you want access to my accounts, you'll need my password AND my phone. I suggest, at a minimum, enabling two-factor authentication for your Google account. Password Manager So, what is a password manager? What does it accomplish? Password tips 1 & 2 are hard to do in conjunction with one-another. Keeping complex passwords and keeping every password unique is astonishingly difficult. Enter the password management software of your choice. A keeper of the keys. An encrypted password-protected database that remembers all your login credentials for you... and might do more than that. Instead of remembering a different and complex password for every service you use, you only have to remember one. It's basically just that simple. But they can be more useful than that. They protect you from brute force attacks and password guessing by generating new, random passwords for you. Could you remember "L30x_)sS~l3pqQ.$3x"? You think it's easy to guess? Easy to force open? That's a randomly generated password from my password manager. It's what all my passwords look like, and they are all different. But they can be more useful than that. They protect you from keylogger attacks, because you'll never actually be typing out your new ungodly long passwords. They will be copied and pasted into the webpage, either by automatically or manually. You'll only type your database password, which is only useful if the hacker also has access to your database. But they can be more useful than that. Do you know every site to which you have a membership? Now that Heartbleed has come up, and you should change all your passwords, do you even know what all you have passwords to? Will you have to go through the trouble of memorizing new passwords now? For me, I'll just go down the list, use it to login to all my accounts, use it to generate new passwords, change my passwords, save the new ones in my database, and be right back to exactly where I was before. It's an inconvenience, but much less so than if I weren't using the system. But they can be more useful than that. Every password manager I've found allows you to securely store notes or comments related to each password in the database. Got a password for your insurance account? How about storing your agent's contact information, your policy number, its expiration date, and whatever else you can think of in there. Now, you know that when you accidentally hit that tree that drunkenly ran out in the middle of the road in front of your car, you will have all the information you need readily available. And that's just the stuff I use password managers for, they can do a lot more. How do I use those things? Sign into Google. Hover your picture in the top-right corner of the page. Click "account". Click "Security". Under 2-Step Verification, click the link and follow the on-screen instructions. I did the process over a year ago, I don't remember it being at all challenging. From that point on, whenever you sign in to Google from an unknown computer, you will receive a text message with a verification code. If ever ONCE you receive a verification code when you aren't trying to sign in, you'll know this process was worth it (because someone will have tried to hack your system but been stopped by the 2nd step of verification). It is an inconvenience if and only if you are logging into new computer all the time... and if that's the case you really need to take security very seriously. When it comes to password managers, there are several options: LastPass, 1Password, KeePass, Roboform, and many others. I have experience with two of these options, LastPass and KeePass. I highly recommend both. LastPass: LastPass is probably the biggest, most popular password management solution. It's an online password manager that falls into the category of "freemium". You can set up and use 80% of its functionality without ever paying a dollar. If you want to use some advanced functionality (most importantly, if you want to use their mobile apps), you'll be paying. The good news is you'll only be paying $1/month. That one dollar buys you into a very robust and well maintained password solution. Your data is stored in LastPass's servers, but it is stored and sent to you in an encrypted state. The decryption is done locally, which means your credentials are never visible to their servers or anyone else without the password. You can also set up 2-factor authentication to open up your password vault. KeePass: KeePass is probably the next best, next most popular solution to this problem. It's a completely free, open-source password manager. It's less fancy, has fewer bells and whistles, a little rougher around the edges perhaps, and maintained by who knows who in their spare time... but it is designed to work entirely offline. Your passwords are never sent to anyone's servers. They are never stored in an unencrypted state. You own the database file and are free to do with it what you please... and there's something very fulfilling about that. After reviewing both options heavily for a month, I decided to go with KeePass. I love being able to move the file with all my important personal information around. It's great. I have copies of it stored on my computer, hard drive, two flash drives, and on my phone. Beyond the ability to own the database file, I think I went with KeePass because it offered fewer bells and whistles that I didn't want to use. I'd rather not have something that I want than have something that I don't want. I don't want multiple form-fill identities. I don't want a dedicated area to store my credit cards, I don't want to share a list of my passwords with any other "trusted users". I just want what KeePass gives me... and I'm glad I have it. There's tons more to computer security
Top 5: Most Commonly Used Passwords, Circa 2013
5. abc123
4. qwerty
3. 12345678
2. password
1. 123456If you use any of those, you're stupid.
Quote:
“correcthorsebatterystaple”
- Randall Munroe, in another XKCD about Passwords -
Comments