Security is always a huge concern in the IT community.  We make huge efforts to maintain firewalls, encryption via SSL, VPNs, encrypted wifi signals, program and operating system updates but the biggest security vulnerability time and time again are the passwords that people choose.

There is an article that I recently came across written from the perspective someone trying to break into a secure system.  The top 10 most used passwords list reads like a list of lazy choices from people that just don’t want to think about security:

1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. “password”
5. Your city, or college, football team name.
6. Date of birth – yours, your partner’s or your child’s.
7. “god”
8. “letmein”
9. “money”
10. “love”

Even if this list didn’t cover the password that you use on every site out there, does it come close to some of your passwords?   Someone that’s motivated to gain access to your system won’t just try a handful of passwords on one system and then give up, they will try your email accounts, your facebook login, web forums and anything else they can find.  From the article:

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

• You probably use the same password for lots of stuff right?
• Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
• However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
• So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
• Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
• But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

So how do you protect yourself and your accounts?

Well, the obvious first answer is use good passwords.  This means your password should not be a word that’s found in any dictionary in any language all in lowercase.  Cyber crooks use software that can try tens of thousands of words per minute to crack your password and their first tool is generally a dictionary attack.  Putting a number, capital letters and special characters (i.e. !@#$%^) in your password make it exponentially more difficult to guess.  If you use an either character password all in lower case and change one letter to a capital and change another to a special character  the time that it would take to crack the password goes from 2.4 days to 2.1 centuries!!  Check out this chart to see the difficulty of cracking your password:

This is all great unless you make a password so complex you can’t remember it. So how do you make a secure yet usable password?

Start with something you can remember (though not someone’s name or a dictionary word).  For this article I’ll start with “ilikecheese”.  Right off the bat this is a long password so it’ll take a while to crack but it’s fairly easy to guess if someone knew my penchant for cheese.  First thing you can do is swap out a letter or two for numbers that look similar.

ilikecheese could become il1kech3es3

Then you can put in a capital letter and a special character:

il1keCh3es3! will take over 18,000,000 computing years to crack!  For all intents that’s uncrackable.

The second thing to remember is don’t use the same password for everything!  The reason for this is that different websites have different security measures in place and if someone can steal your password from an online forum and use it to log into your online banking you’re in trouble. The best practice is to use a different password for every site and use a password manager (not your browser) to store them all. Roboform for PC users and 1password for Mac are both excellent choices.

I admit that I don’t use totally unique passwords for every site I use, there’s just too many of them.  The trick that I use is I have a handful of different passwords with different complexity that I use depending on the site I’m logging into.  If someone steals my digg.com password they’ll be able to get into my slashdot.org account, but not into the online retailers I use.  If someone managed to steal the password for a shopping site I use, they wouldn’t be able to get into my banking or credit card accounts.  For the financial sites I do use different passwords for each, that way if my bank is hacked my credit cards are safe and I can still eat while the damage is fixed.

Don’t trade your password for chocolate

It’s a funny thought that people would give strangers on the street their passwords for a chocolate bar, but over 70% of the people tested by a security firm in 2004 did just that.

http://news.bbc.co.uk/2/hi/technology/3639679.stm

Don’t give your password to anyone.  Not a stranger offering you candy, not your family, not your coworkers, not even your IT person (if we need your password you can type it for us), no one.

At the end of the day computer security is always a balancing act between restricting access and ease of usability, I’ve just seen too many people use the same password everywhere and get into trouble because of it.

[onemansblog.com via lifehacker]

image from kk+ on flickr

If you’re like me you use the built-in functionality of your web browser to save and manage your passwords to various online sites.  If you’re being careful and protecting your passwords from prying eyes you’re using a master password to protect your password list.  What happens if you forget your master password?  Before now you were kind of stuck.  Your passwords would remain safe but inaccessible, rendering them useless.  Now a recovery tool called FireMaster that can help you recover your passwords.

Before I go any further I’d like to remind everyone that these tools can be used for both good and evil.  Please use this to recover a lost password for yourself or someone that asks you, don’t use this to snoop on someone else’s online business.  These tools are a godsend for tech guys, but if people misuse them it just makes it harder for legitimate users to get their hands on them.

FireMaster let’s you ran password recovery using several different methods

You can have it try words out of a dictionary to see if there’s a match.  This is very fast but often times won’t work (because you put a number or special character in your password, right??).

It can try with a brtue force method.  Brute force password cracking is when you guess the password by going through every possible permutation (aaa, aab, aac, aad, and on) until you successfully guess the right one.

The third option is a hybrid mode.  This uses the dictionary method but then adds random characters on top of the basic words (pass123, test987, etc

This can take hours or even days depending on the complexity of your password, so if you remember some basic parameters of your password you can speed things along greatly.  A string such as

FireMaster.exe -q -b -l 8 “pass????” c:\testpath

Would do a brute force scan of the password, however you remember that the password was 8 characters long and started with “pass”  this type of focused scan can literally shave days off a complex password’s scan.

This is worth trying if you need your passwords from Firefox’s password manager.  If you’ve used FireMaster let us know in the comments.

[ securityxploded.com via ghacks.net]