Tuesday 9 August 2011

It's a hacker's life... so why do we make it SO easy for them?

Like many other developers, I often have to think up new passwords for myself and for other users' accounts. While I use a Mac dashboard widget to generate passwords, many people rely on the good old human memory to make up theirs. In almost all cases, this becomes the weakest link in the security chain.

How quickly could your account be hacked?

A user-selected eight-character password containing numbers, mixed case and symbols would take an average of 15 minutes to crack. A quick test should reveal a lot about your own password security habits. For example, have you ever used a password that was based on any of the following?

  • Your Company name
  • Your own first and/or last name
  • Your date of birth or marriage
  • The name of your pet or spouse
  • The name of any of your family members
  • Any significant date or place in your life
  • The word 'password' or a synonym of that word
  • A common (keyboard) sequence or pattern such as 123456 or 'qwerty'
  • A common word found in a dictionary of any language (eeeeks!)
  • Fewer than 6 characters in total
I bet you answered yes to at least one of the above, and the hackers know this too! To create the strongest possible passwords, you should consider some of the ways in which your account can be attacked and how each attack is carried out.


1. Brute-forcing

Here the attacker uses one or more computers to try as many password combinations as possible, as fast as possible. For example, the brute-forcing script could start with the password '01', then try 'ab', then 'd28d', then '2j4dh3D', or any other repeatable sequence of characters.

Increasing the length of the password and using mixed case and special characters make this far slower, because every extra character multiplies the number of combinations that have to be tried. Rapidly improving high-end processors and purpose-built cracking software have unfortunately made brute-forcing a relatively simple task for computers compared with a couple of years ago… thanks for that, Intel!



2. Dictionary/Rainbow table

Rainbow tables are massive lists (some up to several terabytes in size) containing common words and passwords. These rainbow tables often include entire dictionaries in several languages, hence the related term 'dictionary attack'. The attacker loops through the strings listed in the rainbow table in an attempt to match one of them against the password you've entered. Considering the vast number of passwords listed in such a rainbow table, adding a simple '1' (password1) or '!' (password!) probably won't keep you safe.

Rainbow tables are fed directly by viruses, spread by applications like Flash Player on web banners. These basically download a keylogger virus to the PC, which records what the user types on the keyboard and then feeds this information back to the rainbow tables.


3. Social engineering

With this type of attack, the attacker tries to gain knowledge about you that is just left lying around, for example by extracting information from your Twitter/Facebook profile (names of family members, pets, etc.).

General tips for keeping safe:
  • We would suggest that your confidential information is probably not safe unless you use a 12-character randomised password.
  • Using numbers as letters won't keep you safe, because rainbow tables already include strings like 'p4ssw0rd'.
  • Many users have passwords that are 8 characters long. Try using 9 (or even 13) to lower the chance of attackers guessing it.
  • Don't use related passwords like 'passwordtwitter' and 'passwordHotmail'.
  • Don't use online services to create your password unless you're 100% sure it's safe.
  • When using secure services with a character drop-down list, don't use the keyboard to select a character. Always use the mouse.
  • Keep virus-scanning software up to date.
Oh happy days. Is nothing sacred… NO!
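As an added example (not part of the original post), here is a small Python checker that applies the checklist above to a candidate password: it undoes letter-for-number swaps such as 'p4ssw0rd', ignores the trailing '1' or '!' decoration, flags keyboard sequences and personal details, and estimates brute-force time from the character classes used. The wordlist, the keyboard sequences and the guessing rate are constructed assumptions, not real cracking data.

```python
import re

# Constructed sample lists (placeholders, not a real wordlist or a real person's details).
COMMON_WORDS = {"password", "passcode", "secret", "welcome", "letmein", "monkey", "dragon"}
KEYBOARD_SEQUENCES = ("123456", "qwerty", "asdfgh", "zxcvbn", "abcdef")
# Letter-for-number swaps that dictionary/rainbow lists already anticipate ('p4ssw0rd' -> 'password').
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(text):
    """Lower-case the text and undo the common substitutions in LEET_MAP."""
    return text.lower().translate(LEET_MAP)


def charset_size(pw):
    """Size of the alphabet a brute-forcer must cover, from the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation, including space
    return size


def crack_seconds(pw, guesses_per_second):
    """Expected brute-force time: on average half the keyspace is searched at the given rate."""
    return charset_size(pw) ** len(pw) / 2 / guesses_per_second


def weaknesses(pw, personal=()):
    """Reasons pw fails the checklist above; an empty list means none were found."""
    low = pw.lower()
    core = normalise(pw)
    # 'password1' and 'password!' are just 'password' with decoration, so strip the ends first.
    base = normalise(pw.strip("0123456789!?.#"))
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    elif len(pw) < 12:
        problems.append("shorter than the 12 characters recommended")
    if base in COMMON_WORDS:
        problems.append("dictionary word, even after undoing letter/number swaps")
    problems += [f"keyboard sequence '{s}'" for s in KEYBOARD_SEQUENCES if s in low]
    problems += [f"personal detail '{p}'" for p in personal if p.lower() in low or normalise(p) in core]
    return problems
```

Calling `weaknesses("Fido1985!", personal=("Fido", "1985"))` reports both the pet's name and the birth year, while a 14-character random string returns an empty list.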

Posted by Richard Sprinks