In Part 2 of this series I want to talk about protecting your social networking account, and it all boils down to…
And No… you probably don’t already know everything you need to know about passwords, so you really need to keep reading. I’m going to show you exactly some of the ways the bad guys get at your passwords.
If you missed it please first read Social Networking Self-Defense: Part I
So it’s pretty obvious that anyone who gets hold of your login credentials, most importantly your password, can modify your personal pages to their heart’s content.
Now, you might be thinking something like “OK, I’ll memorize my password, never write it down, and never tell anyone”.
Well, good, that at least that would be a step in the right direction, but unless you clearly understand how vulnerable passwords are, it won’t be a big enough step. Not by a long shot.
Let’s take a look at password cracking itself…
How to Crack Passwords
Something that very few computer users realize is just how easily common passwords can be cracked. There are all sorts of special password cracking programs readily available to those who take the trouble to look. None of those programs are infallible, but one thing is certain: passwords made up of common words, or common words with a few numbers appended, are usually cracked fairly quickly.
In the past, when writing on this topic, I have always avoided giving any details on password cracking programs. I just didn’t want to be responsible for encouraging anyone to seek out and use such tools.
However, search engines such as Google, Bing, Yahoo etc have become so accurate and all-inclusive as to make these things fairly easy to find. So now I think I can probably achieve more by actually proving their existence to you.
Here’s a list of the 10 top password crackers, according to the Security Tools [http://sectools.org/crackers.html] website, with their descriptions slightly edited for this article.
Cain and Abel : The top password recovery tool for Windows. UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
John the Ripper : A powerful, flexible, and fast multi-platform password hash cracker, currently available for many flavors of Unix, DOS, Win32, BeOS and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find at:
THC Hydra : A Fast network authentication cracker which supports many different services. When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more then 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more.
Aircrack : The fastest available WEP/WPA cracking tool, Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force.
L0phtcrack : Windows password auditing and recovery application. L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc). L0phtCrack 5 was discontinued by Symantec in 2006 then re-acquired by the original L0pht guys and reborn as L0phtCrack 6 in 2009. For free alternatives consider Ophcrack, Cain and Abel, or John the Ripper.
Airsnort : 802.11 WEP Encryption Cracking Tool. AirSnort is a wireless LAN tool that recovers encryption keys. It operates by passively monitoring transmissions and computing the encryption key when enough packets have been gathered.
SolarWinds : A plethora of network discovery/monitoring/attack tools. SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security-related tools include many network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, one of the fastest and easiest router config download/upload applications available, and more.
Pwdump : Pwdump is a Windows password recovery tool able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are available. It outputs the data in L0phtcrack-compatible form, and can write to an output file.
RainbowCrack : The RainbowCrack tool is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute force cracker tries all possible plaintexts one by one, which can be time consuming for complex passwords. RainbowCrack uses a time-memory trade-off to do all the cracking-time computation in advance and store the results in so-called “rainbow tables”. It does take a long time to pre-compute the tables but RainbowCrack can be hundreds of times faster than a brute force cracker once the pre-computation is finished.
Brutus : A network brute-force authentication cracker. This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SM
All of those programs work on Windows, and many of them on other operating systems as well. Obviously not all are suitable for cracking all types of passwords under all circumstances, but in the hands of even a reasonably competent person any of several can be a serious threat to your security.
Still not convinced?
A recent Computerworld article describes the massive market for usernames and passwords or social network accounts. One hacker alone has 1.5 million Facebook accounts on offer!
Seriously, you REALLY need to click here and read that article.
And hey! If you aren’t already calling up your Facebook account to change the password (in line with the suggestions here-in) then I’m afraid you’re a sucker just waiting to be sucked dry.
What NOT to do
As a result of a major phishing attack in late 2006 approximately 34,000 MySpace passwords became available for download. Some researchers saw this as an opportunity to analyze what sort of passwords people were using. Here’s a list of the 20 most popular passwords:
|1. password1||6. qwerty1||11. 123456||16. jordan23|
|2. abc123||7. fuckyou||12. soccer||17. slipknot1|
|3. myspace1||8. 123abc||13. monkey1||18. superman1|
|4. password||9. baseball1||14. liverpool1||19. iloveyou1|
|5. blink182||10. football1||15. princess1||20. monkey|
Not one of those passwords would present the slightest problem to a decent cracking program. Here are some more statistics from the analysis of those 34,000 passwords:
- Numbers were used in well over half the passwords.
- When used, numbers were most often appended to the end of the password.
- Almost 1% of users had the word “password” as all or part of their password.
- Words, colors, years, names, sports, hobbies and music groups were very popular.
- Other popular words include: angel, baby, boy, girl, big, me, the.
- Cuss words were very popular. Because these are common and well known they should be considered as dictionary words, whether they appear in any “real” dictionary or not.
- Also popular were the names of sports (golf, football, soccer, etc.), professional sports teams and college team nicknames.
Again, all very easy stuff for a good cracking program.
I’ll be going into some detail here because I want you to understand very clearly the extreme importance of using good strong passwords if you are serious about protecting yourself.
So let’s look now at exactly what makes for a strong password, from the password cracker’s point of view.
What you SHOULD do
The most important aspects of a password are its length and composition, but there is an apparent catch involved. If length and composition are right for a strong password, then it’s very unlikely you’ll be able to remember even one password, let alone the many that most people need to use. But don’t worry, we’ll solve that dilemma in a moment. First let’s look at the password itself.
The length aspect is simple: the longer a password, the harder it is to derive using special password cracking tools.
Composition is a bit more complex. To be truly effective, the characters that make up the password should consist of a mixture of upper and lower case alphabetic characters (A-Z, a-z), numerals (0-9), plus punctuation and special characters (!@#$%^&*). In addition, repetition of characters should be kept to a minimum and the password should not contain any real names or dictionary words. Here is an example of a 20 character password that conforms nicely to those rules:
Yes, I know what you’re thinking:
“How on earth could I ever remember something like that?”
And the answer is…
Now, I’m a PC user, so I don’t use 1Password, but I have read their material, watched a video on the product and asked some Mac users whose opinions I respect. What I can tell you is that it works very much like RoboForm, performing much the same tasks, and is highly regarded by those Mac users I consulted. For all practical purposes any mention of RoboForm features that follows applies also to 1Password.
When installed, both RoboForm and 1Password take up residence on your browser toolbar.
Secure password generation is a handy feature, but the real power of RoboForm, and the thing that makes it so indispensable to security minded people, is that it can remember the complex passwords that it generates, and also remember which website or login form each password relates to. This is a massively significant feature.
On visiting a web page that contains login fields, RoboForm provides you with a one-click prompt that will fill in all the necessary fields with login information that is specific to that page only.
Similarly, when you manually fill in login fields for a site that you haven’t visited before, you can quickly and easily store those login credentials for one-click retrieval on future visits to that site.
In other words, the longer and more complex a password the better, because you’ll never have to remember it. Nor do you need to be tempted to use the same password on multiple websites, because with RoboForm having five, 25 or 50 long, complex, meaningless passwords is no more of a load on your brain than having just one.
RoboForm offers another extremely useful feature not directly related to passwords but worthy of mention if it will entice you to use this excellent utility.
One-click filling out of forms with any number of personal details can be a real time saver. Name, address, landline phone number, mobile number, fax, date of birth, credit card details — virtually any sort of information required on a form can be intelligently provided with a single click. That’s one click for the whole form, not one click for each field! RoboForm knows what’s being asked for and provides just that.
Both RoboForm and 1Password offer free 30-day trials, after which each application will continue to operate but with a reduced feature set. Here’s the situation was RoboForm:
|Feature||30-day Trial||Post-Trial||Pro Version|
|Tab Instances in identity||3 maximum||3 maximum||Unlimited|
|Custom fields in identity||3 maximum||3 maximum||Unlimited|
|Support||Online only||Online only||Phone & Online|
By all means trial the product first, but believe me, purchasing the full version is a very easy decision. Most people will definitely need many more than 10 pass cards alone, not to mention how useful multiple identities and profiles can be, and the ability to create numerous custom fields.
Again, here’s where to get‘em:
For PC users : RoboForm
For Mac users : 1Password