Blog article
See all stories »

Check Your Password Security

Passwords are the bane of the security community. We are forced to rely on them, while knowing they’re only as secure as our operating systems, which can be compromised by spyware and malware. There are a number of common techniques used to crack passwords.

Dictionary attacks: These rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “1234567,” “12345678,” “123456789,” “princess,” “qwerty,” and “abc123.” Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research.

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

There are a number of ways to create more secure passwords. One option is to create passwords based on a formula, using a familiar name or word, plus a familiar number, plus the first four words of the website where that password will be used. Mix in a combination of upper and lowercase letters, and you have a secure password. Using this formula, your Bank of America password could be “Dog7Bank,” for example. (Add one capital letter and an asterisk to your password, and it can add a couple of centuries to the time it would take for a password cracking program to come up with it.)

Password managers can also help generate and store secure passwords. Some people like Lastpass. Another incredibly efficient and secure service is Roboform, which has a “Generate” tab in its browser toolbar that creates passwords that can’t be guessed, like “ChF95udk.” All your passwords are backed up on a secure encrypted server and can sync on multiple PCs.

It is just as important is to make sure your PC is free of malicious programs like spyware and keylogging software. Beware of RATs, or Remote Access Trojans, which can capture every keystroke typed, take a snapshot of your screen, and even take rolling video of your screen with a webcam. But what’s most damaging is the possibility of a RAT gaining full access to your files, including any passwords being stored by a password manager.

Use antivirus and anti-spyware software and firewalls, and set up your PC to require administrative rights in order to install any new software.

3484

Comments: (3)

A Finextra member
A Finextra member 21 March, 2011, 12:33Be the first to give this comment the thumbs up 0 likes

Great stuff, only hard thing is to remember passwords, especially hard ones.

In our service, all the critical transactions are not performed using solid username- password combination but third party solutions where one time passwords or device is used. Same thing goes for first time use or solution when password is forgotten. It is small cost compering solution where password is send by email and first account is stolen. There goes reputation of small company.

John Dring
John Dring - Intel Network Services - Swindon 23 March, 2011, 15:28Be the first to give this comment the thumbs up 0 likes

I was about to post about Verified by Visa and Matercard SecureCode (and may still do so), but its related to passwords and in particular your part about 'forgotten passwords'.

So, I am not a fan of VbV or SecurCode. The only reason seems to be to protect Visa and Mastercard, not the consumer and not the Merchant.  IMO, they add inconvenience, distrust and complexity to online transactions.  Not to mention I think they are INSECURE.  So do others, apparently: http://news.slashdot.org/story/10/01/28/195216/Why-Verified-By-Visa-System-Is-Insecure 

Having just merrily typed 3 complete passwords into VbV (which I am not happy about doing), I was transferred to the VbV Password Reset workflow.  This 'challenges' me for such secure information as my DOB and Postcode!  Then allows me to input a new VbV password.    Anyone with a copy of my Visa card can go through this process and then happily do CNP purchases as me.

Its pathetic.  No matter how secure my original password was.

 

John Dring
John Dring - Intel Network Services - Swindon 23 March, 2011, 15:33Be the first to give this comment the thumbs up 0 likes

Of course, when I said INSECURE, I meant UNSECURE !!!