Chillicothe News - Chillicothe, MO
Opinion from the technical trenches.
Passwords (Into the Weeds)
About this blog
By Robert Handley
Please Stay Tuned...
Kirksville native, laborer, filmmaker, sailor, technologist. I've had an interest in how things work since childhood and today making things work is my job description. I'm an IT generalist/consultant and database developer, and for the last several years I've concentrated on simplifying and securing small business technology. I intend that complexity stay inside the machine, and that your experience outside it be productive and pleasant. When you make technology decisions there are many sources for information and advice, but it's sometimes overwhelming to sift through. So I'll render fact, opinion and personal experience into palatable portions that I hope you'll find helpful. I'm not a tech evangelist, rather I play a balancing act, because it's easy to collect a closet full of expensive, planet killing junk. Please stay tuned...
June 14, 2012 12:01 a.m.

Thick weed alert:  It's not necessary for everyone to know password security theory, but I wish everyone did.  If you'll agree that it's ill-advised to throw teenagers into a dangerous world without knowledge of STDs, then I hope you'll be similarly motivated to make your own online habits safe.  In the next post (not this one) I'll describe two apps for generating, keeping and recalling passwords that have a high probability of thwarting password theft.  This post will endeavor to explain the why and how of the harm done when these breaches occur.  If you understand the explanation in this blog post you'll know why prophylaxis is so important.  I've tried to keep it simple.  I might have skipped this part of the security discussion, but I think there are a few propeller heads out there.  If the weeds are too deep, take a pass on this blog post, but don't take a pass on safe internet activity.

Just last week passwords and logins were hacked from LinkedIn, eHarmony and Last.fm.  These are sites that we trust to keep our passwords safe.  I wonder why they didn't really protect my stuff or their own.  In the last year you can add the US power grid (including nuclear), Northrop Grumman, Lockheed Martin, Citibank, Gmail, Facebook and many others to the breach list.  From military secrets to Facebook logins, it's a really big spread.

I'm a subscriber to LinkedIn.  Access to my username and password was probably gained in the recent breach, but it wasn't usable by the bad guys because it was complex.  The old, still valid formula for a complex password calls for at least three of the following four criteria:  upper case, lower case, number and special character.  So non-word strings like lz3b&FslJ^%DHa, or S8xg&bze!YZSvt, or the passphrase My cat has 2 fleas! qualify.  Some experts claim that four four-letter, unrelated-but-common words are OK too, like hoodRooftileNine.  Also, a password or phrase should be at least 14 characters long.  
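The complexity rule just stated (at least three of the four character classes, and at least 14 characters) as a small checker. This is an added example, not code from the original post; the "four unrelated common words" alternative is not checked because it would need a word list.

```python
# Added example (not from the original post): checks the post's complexity rule,
# at least 3 of 4 character classes and a minimum length of 14 characters.
MIN_LENGTH = 14
MIN_CLASSES = 3

def character_classes(password: str) -> set:
    """Return which of the four classes (upper, lower, digit, special) appear."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")   # punctuation and spaces both count as special
    return classes

def policy_failures(password: str) -> list:
    """List the reasons a password fails the rule; an empty list means it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"only {len(password)} characters (need at least {MIN_LENGTH})")
    found = len(character_classes(password))
    if found < MIN_CLASSES:
        reasons.append(f"only {found} of 4 character classes (need at least {MIN_CLASSES})")
    return reasons

def meets_policy(password: str) -> bool:
    """True when both the length rule and the class rule are satisfied."""
    return not policy_failures(password)
```

Note that hoodRooftileNine, the four-common-words example from the post, passes the length rule but fails the three-classes rule; it is only acceptable under the separate "four unrelated words" reasoning.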

Impossible you say!  Who can remember all these fancy passwords or phrases?  In fact it's quite easy.  As they say, there's an app for that, several really (next post).  

Even though my LinkedIn password was already complex, I changed it immediately after the incursion was announced.  No harm, no fuss really, and it can be easy for everyone.  Of course if you don't use social media, order online, bank or use other services that require passwords, then you have much less to worry about.  

The LinkedIn breach was avoidable if only the company had taken its responsibility seriously.  The tech departments at LinkedIn and other social sites may be overworked or just plain lazy, but they know the value of good security.  Until executives and/or shareholders are made aware, or become sufficiently embarrassed, they won't allocate resources to protect user stuff, and those users (us) will continue to endure the same old c**p.  

Executives at Microsoft, for instance, were enraged by the Flame and Stuxnet incursions, so Windows users may have noticed that a big update was pushed on Patch Tuesday (the second Tuesday of every month) designed to address the most egregious known flaws.  To reiterate and be fair, Microsoft Windows, iOS, OS X and all operating systems are so complex that perfection is impossible, and we must have our gadgets.  So the cycle of attack, fix, attack again, fix again, will continue far into the future.  I get that; it's the extent of unnecessary carelessness that I find troubling.

The most recent password attacks against social media and entertainment sites didn't reveal the actual password of a user directly.  Most passwords are not stored in what's known as plain text, so even though John Doe's password on eHarmony might have been 12345 (a weak, common password) it was not immediately revealed.  Instead these passwords were stored in a scrambled, one-way form (a hash, often loosely called encryption) that a casual user would have no chance of recognizing, because it looks like gibberish.  LinkedIn's protection of its stored passwords was weak, but the stolen gibberish still had to be examined more closely in a second pass, off-line, post-theft, in an Elbonian hacker cave far, far away.  

Because the methods used to create encrypted password gibberish are well known, and because humans depend on habit and muscle memory (like words) to remember them, a big pile of common passwords in the encrypted form can be pre-generated, and they also look like gibberish.  Arbitrary new gibberish and old stolen gibberish can be compared by a computer (not by humans) at warp speed.  So, back in the Elbonian cave, bad guys just throw new, arbitrary gibberish against pirated gibberish, millions of throws per second, until a one-to-one match is discovered...password revealed!  It's guessing, kind of, but it's sophisticated enough to be profitable.  

To aid the thieves, such pre-computed gibberish may have already been generated and circulating for years, distributed and easily obtained within the pirate community.  A large collection of pre-computed gibberish is known as a Rainbow Table.  Rainbow Tables exist for most methods of encryption, weak and strong.  They can contain the entire Oxford Dictionary, plus many variants, misspellings, substitutions and numerics.
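The two preceding paragraphs, as an added example that is not part of the original post: a pre-computed table of hashed common passwords is matched against a stolen table of unsalted hashes with no further hashing at all, and the same table finds nothing once each user's password is stored with a random salt and a slow hash. Unsalted SHA-1 is assumed as the weak scheme, PBKDF2 is the swapped-in slow scheme, and the usernames and password list are constructed.

```python
# Added example, not code from the original post: why stolen unsalted, fast
# hashes can be "guessed" against a pre-computed table, and why a per-user
# random salt plus a slow hash (PBKDF2 here) makes that table useless.
import hashlib
import hmac
import os

# Constructed stand-in for the "dictionary plus variants" the post describes.
COMMON_PASSWORDS = ["12345", "password", "letmein", "qwerty", "Password1"]

def fast_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest, assumed here as the weak storage scheme."""
    return hashlib.sha1(password.encode()).hexdigest()

def build_lookup(candidates):
    """Pre-compute hash -> password once for every candidate. A plain lookup
    table; real rainbow tables shrink this with hash/reduce chains but are
    used the same way: one probe per stolen hash."""
    return {fast_hash(p): p for p in candidates}

def leaked_unsalted_db():
    """Constructed 'stolen' user table: username -> unsalted SHA-1 hash."""
    return {"john.doe": fast_hash("12345"),
            "jane": fast_hash("password"),
            "robert": fast_hash("lz3b&FslJ^%DHa")}

def match_against_table(stored_hashes, lookup):
    """Compare each stolen hash with the table (no hashing at this stage).
    Returns {user: password} for every hit; complex passwords absent from
    the table stay unknown."""
    return {user: lookup[h] for user, h in stored_hashes.items() if h in lookup}

def slow_salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt. The salt need not be secret;
    it makes every user's hash unique, so one shared table fits nobody, and
    the round count makes each fresh guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

def salted_db(users):
    """Store (salt, hash) per user, with a fresh random salt for each."""
    db = {}
    for user, password in users.items():
        salt = os.urandom(16)
        db[user] = (salt, slow_salted_hash(password, salt))
    return db

def verify(db, user, password):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, stored = db[user]
    return hmac.compare_digest(stored, slow_salted_hash(password, salt))
```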

Popular websites like Facebook, LinkedIn, Last.fm, etc., must keep vast databases of information and, when violated, they can cough up large amounts of account gibberish.  While this isn't pleasant, it is only occasionally annoying, or even costly, if you fix it immediately; the negative effect is multiplied if the same usernames (usually email addresses) and passwords are used for other sites in your name!  

So if you bank online and use the same credentials for eHarmony meanderings, and eHarmony is breached (which it was, this week, for about 6.5 million passwords), your bank account is now a vulnerable, valuable target.  Even if your password is complex, if it is used on multiple sites and discovered by another means (someone looking over your shoulder as you type, a keylogger), a risk exists.  

Remember, TNO (Trust No One), including social media, banks and corporations that design and build our defense systems.  Consider the Chinese farmer, trying to support emaciated children and a sick wife, with no spare time to consider business ethics.  After migrating to the dystopian streets of Shenzhen, China in search of work, he lands a difficult, dehumanizing job at a gadget or serious internet equipment factory.  A stranger offers the worker $100 to slip a vulnerability into the manufacturing process, no knowledge required, just substitute a chip.  Would that employee/slave take the risk?

Next up:  Two password managers that can probably fix your password management conundrum.

Feel free to offer topic suggestions.  Commenting on the blog would be great, let’s get some discussions going.  Or, if you don’t want to comment and have a topic suggestion, please email: kdegeneralist@gmail.com

PS:  Please support Wikipedia.