Password Mindfulness
A wider awareness of security is a relief to see, given the ubiquity of internet access and its use for important networks like financial institutions. The general public is only now taking proper password security seriously, something security experts have considered common sense for a long time.
My inspiration for writing this post was a recent episode of an awesome podcast I follow called Reply All . If you have never heard of or listened to it, I highly recommend you try it out. It may be one of the most entertaining podcasts that I have come across and I listen to a lot of podcasts.
To be or not to be Pwned
Accounts like your Gmail account are constantly being compromised. The picture that plays out in most people's minds when it comes to compromising accounts is a computer guessing or cracking the user's password, something like what John Connor does to brute-force a PIN in Terminator 2.
Surprisingly, reality is not too far off.
From Wikipedia:
In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Although running through a list of 9999 PIN codes is fast and easy, add the alphabet to that character set and the number of candidates jumps to 36 × 36 × 36 × 36 = 36^4 = 1,679,616. That may still be fast for some computers, but keep adding characters to the password and the time it takes to crack grows exponentially, literally.
(I want to point out that the above chart is not my own work. Credit goes to: http://www.rafayhackingarticles.net/2012/03/cracking-facebook-account.html)
So if you want to protect your account, use strong passwords. Given the amount of time it takes to crack even a moderately weak password, this probably won't be the main risk unless you are targeted specifically.
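As an added example (not code from the original post), the calculation behind the chart described above, generalised to several character sets and password lengths. The guess rate used for the time estimates is an assumption chosen for illustration, not a measured figure.

```python
# Added example: how brute-force keyspace grows with character-set size and
# password length. The guess rate is an illustrative assumption.
import math

# Character-set sizes: the PIN case, the post's 36^4 example, and two larger sets.
CHARSETS = {
    "digits": 10,                        # 0-9
    "lowercase+digits": 36,              # the post's example
    "mixed case+digits": 62,
    "mixed case+digits+symbols": 95,     # printable ASCII
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the charset."""
    if charset_size < 1 or length < 0:
        raise ValueError("charset_size must be >= 1 and length >= 0")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: every extra character adds log2(charset_size) bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit for a quick read."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


def crack_time_table(lengths=range(4, 13), guesses_per_second=1e10):
    """Return {(charset_name, length): worst-case seconds} for every combination.

    1e10 guesses/second is an assumed rate for a fast offline attack on an
    unsalted fast hash; online guessing against a rate-limited login is
    orders of magnitude slower.
    """
    return {
        (name, n): seconds_to_exhaust(size, n, guesses_per_second)
        for name, size in CHARSETS.items()
        for n in lengths
    }


if __name__ == "__main__":
    for (name, n), secs in crack_time_table().items():
        print(f"{name:>26} len={n:2d} "
              f"{entropy_bits(CHARSETS[name], n):5.1f} bits  {human_duration(secs)}")
```

The table makes the post's point concrete: moving from 36 to 95 symbols helps, but each added character multiplies the work by the charset size, so length is the cheapest way to push a password out of brute-force range.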
It's suspected that most consumer account compromises are the result of a single data breach at a service provider or website, like the recent Adobe Online or Yahoo attacks. Quite a few more have accompanied these, and such large breaches seem to be getting more and more common.
Access to any system can be accomplished in different ways.
Social engineering is the act of manipulating personnel into giving up useful information or access to a bad actor. Network attacks involve attacking vulnerabilities in the software or hardware of any networked system.
Even with low-level access, a malicious user can try to exploit other software on the system for privilege escalation, which gives them higher access than they had before.
This could lead to the ability to access the service's database containing all user information. Now all it takes is a few keystrokes to dump the entire database somewhere locally, yeehaw! Next stop, the black market to sell some personally identifiable information.
Great, so some jerk has your Adobe Online account. So what? You haven’t used that in years.
Well, hackers leverage the fact that many users use the same password for different services to do something called "credential stuffing". Basically this means testing the stolen credentials against many web services until they find a match and gain access.
"Password re-use is the main threat to ordinary users for sure" – Joseph, the guest on the Reply All podcast
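From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source address trying a different username on nearly every attempt, as opposed to a brute-force attack that hammers one account. The following is an added example, not part of the original post, that runs that detection over a few constructed log lines. The log format, the thresholds and the addresses are all assumptions made up for the example.

```python
# Added example: flag credential-stuffing sources in login logs.
# The line format "<time> ip=<addr> user=<name> result=<OK|FAIL>" is assumed.
import re
from collections import defaultdict

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
10:00:01 ip=203.0.113.7 user=alice result=FAIL
10:00:02 ip=203.0.113.7 user=bob result=FAIL
10:00:02 ip=203.0.113.7 user=carol result=FAIL
10:00:03 ip=203.0.113.7 user=dave result=OK
10:00:03 ip=203.0.113.7 user=erin result=FAIL
10:00:04 ip=203.0.113.7 user=frank result=FAIL
10:00:10 ip=198.51.100.4 user=alice result=FAIL
10:00:15 ip=198.51.100.4 user=alice result=FAIL
10:00:20 ip=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events: list[dict], min_accounts: int = 5) -> dict:
    """Return per-IP summaries for addresses that tried at least
    min_accounts distinct usernames. Many accounts from one source is the
    stuffing signature; many attempts on one account is ordinary brute force
    and is deliberately not flagged here."""
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "successes": 0})
    for e in events:
        bucket = per_ip[e["ip"]]
        bucket["users"].add(e["user"])
        if e["result"] == "FAIL":
            bucket["failures"] += 1
        else:
            bucket["successes"] += 1
    return {
        ip: {"accounts": len(b["users"]),
             "failures": b["failures"],
             "successes": b["successes"]}
        for ip, b in per_ip.items()
        if len(b["users"]) >= min_accounts
    }


def accounts_to_reset(events: list[dict], flagged: dict) -> set[str]:
    """Usernames that logged in successfully from a flagged source: these are
    the re-used credentials that actually worked and need a password reset."""
    return {e["user"] for e in events
            if e["ip"] in flagged and e["result"] == "OK"}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    print("stuffing sources:", hits)
    print("reset these accounts:", accounts_to_reset(evts, hits))
```

In the sample, 203.0.113.7 is flagged (six usernames, one success) while 198.51.100.4 is not, even though it also ends in a successful login; a production version would add a time window and feed the flagged addresses to rate limiting or forced re-authentication.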
Password Management
You can avoid all of this, and really make your life better than it has ever been, by using a password manager. My favorite is LastPass. I have to admit that I did re-use passwords in the past. How are you supposed to remember 30-odd different strong passwords without writing them down? That is really not good practice and I am terribly ashamed of my irresponsible past. But hey, live and learn. ¯\_(ツ)_/¯
So what I used to do was cycle between a handful of passwords with small variations. This led me to forget any password I didn't use often and to spend a lot of time clicking and looking for reset-password links.
LastPass changed my life. Not only does it come up with strong passwords for you, it will automatically save them and then auto-fill them right on the website, even on your phone. I am not sponsored by LastPass at all, and there are many others with similar features, such as 1Password.
2 rules
All you have to remember is one ultra-strong master password. After that, just be sure to change your passwords regularly and you will be doing the 2 things that matter for any password-based authentication.
- Use strong passwords
- Use different passwords for every account
If you remember anything from this post please remember the above 2 rules. This could very well save you from unauthorized Uber rides on your debit card or tax returns filed in your name by someone with really bad credit habits.
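As an added example, not from the original post or from LastPass, here is what the two rules look like as code: generating passwords with a cryptographically secure random source and checking a vault for the re-use that credential stuffing depends on. The vault is a constructed in-memory dictionary; a real manager encrypts it under the master password.

```python
# Added example: random password generation (rule 1) and a re-use check
# across accounts (rule 2). The in-memory vault is a constructed stand-in
# for a password manager's encrypted store.
import secrets
import string
from collections import defaultdict

# Printable ASCII minus space: 94 symbols, comparable to the charts' largest set.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password using the OS CSPRNG via `secrets`.
    random.choice() is not suitable here because it is predictable."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reused(vault: dict[str, str]) -> list[list[str]]:
    """Return groups of account names that share the same password.
    An empty list means rule 2 holds for the whole vault."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return sorted(accounts for accounts in by_password.values() if len(accounts) > 1)


def fill_vault(accounts: list[str], length: int = 20) -> dict[str, str]:
    """Give every account its own freshly generated password."""
    return {name: generate_password(length) for name in accounts}


if __name__ == "__main__":
    # Constructed "before" vault with the re-use the post warns about.
    old = {"gmail": "Summer2012!", "adobe": "Summer2012!", "yahoo": "Summer2013!"}
    print("re-used in old vault:", find_reused(old))
    new = fill_vault(list(old))
    print("re-used in new vault:", find_reused(new))
```

The `find_reused` check is the same idea a password manager's security audit runs over your saved logins; after a breach at one site it tells you exactly which other accounts the leaked password unlocks.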