I have seen a lot of people and businesses over the years ignore password strength. This post is written to educate people on why password strength is so important. First of all, going back to the 90s when computers were not online, people used general passwords; this was fine. People still seem to think that it’s still OK because ‘Hey, I never had my password stolen in the 90s’… well, you didn’t have the password stolen because the only people around you or in your office were trustworthy colleagues or family, and the password could only be used locally. Today the passwords you use give access to accounts for many things online: email, general websites, blogs, social media, shops, forums, internet banking – the list goes on – and all of these sites and services are accessible to everyone on the web.
Points of Interest:
- If you can remember a password it is not secure
- False advice – spread by those wanting to access your information
- Using the Same Password for multiple sites is beyond bad – I explain why
- Short Passwords can be brute forced in minutes or hours
- Someone could be in your account/s right now – without you even knowing
- Encryption is your biggest asset Online
- Password storage advice
The age-old saying that every security expert tells you, and that you ignore, is ‘If you can remember a password it is not secure’, and it is right on so many levels. If you can remember your password you are generally using either 1) family or pet names, 2) a telephone number, 3) a date of birth, 4) a company name, or a mix of these. The first thing anyone who wants access to an account that is open to brute force (constantly trying passwords – no site should allow this, but not all developers care about security) does is run a piece of software with a database of ‘knowns’, which includes names, dates of birth and so on. If you are subject to this, that person will be in your account within minutes.
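As an added illustration (not code from the original post), here is the kind of check a registration form can run to reject exactly the passwords described above before a ‘knowns’ database gets to try them: it looks for a known word (including the usual letter-to-symbol swaps), a year or date, and a phone-number-shaped run of digits. The word list is a tiny constructed sample; a real deployment would load a large wordlist, and the 12-character minimum is an assumed policy value.

```python
import re
from datetime import date

# Constructed sample of "knowns": the names, pet names and company words that a
# guessing tool tries first. A real deployment would load a large wordlist.
COMMON_WORDS = {"password", "welcome", "qwerty", "rover", "fluffy", "smith", "acme"}

# Common letter-to-symbol swaps; 'P@ssw0rd' is guessed as easily as 'password'.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "!": "i", "5": "s", "4": "a"})


def letters_only(text: str) -> str:
    """Keep just a-z so 'Fluffy2010!' is compared as 'fluffy'."""
    return re.sub(r"[^a-z]", "", text.lower())


def looks_like_date(pw: str) -> bool:
    """True if the digits contain a plausible year, or form a DDMMYY/DDMMYYYY run."""
    digits = re.sub(r"\D", "", pw)
    for i in range(len(digits) - 3):
        if 1900 <= int(digits[i:i + 4]) <= date.today().year:
            return True
    return re.fullmatch(r"\d{6}|\d{8}", digits) is not None


def looks_like_phone(pw: str) -> bool:
    """True if the password is essentially a run of ten or more digits."""
    digits = re.sub(r"\D", "", pw)
    return len(digits) >= 10 and len(digits) >= 0.8 * len(pw)


def assess(pw: str, knowns=COMMON_WORDS) -> list:
    """Return the reasons a password would fall quickly to a 'knowns' database.

    An empty list means none of these checks fired; it is not proof of strength.
    """
    problems = []
    if len(pw) < 12:  # assumed policy minimum
        problems.append("shorter than 12 characters")
    # Compare both the raw letters and the de-leeted letters against the word list.
    for core in {letters_only(pw), letters_only(pw.translate(LEET))}:
        if core in knowns:
            problems.append(f"built on a known word: {core!r}")
            break
    if looks_like_date(pw):
        problems.append("contains a date or year")
    if looks_like_phone(pw):
        problems.append("looks like a phone number")
    return problems


if __name__ == "__main__":
    for candidate in ["Fluffy2010!", "P@ssw0rd", "07700900123", "xK9#vQ2$mLp7&zR4"]:
        print(f"{candidate!r}: {assess(candidate) or 'no obvious problems'}")
```

The point of checking at registration time is that the form sees the password in clear, which the server never will again once it is salted and hashed; anything you want to reject has to be rejected here.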
This brings me to a point of false advice which seems to be on the rise from both governments and intelligence agencies. We have seen this on many occasions recently in mainstream news; you might think ‘But surely they only want to help us’, well, not really. The UK Government has recently made adverts for password security stating “Multiple words make a great Password”, which is so wrong, as described above. In the UK over the past 6 years the Tories have been trying to push through something called the IPBill, a bill created so that the Government can access everything you do online through your ISP. The bill is illegal under EU and international privacy and human rights law. The bill has also been thrown out of parliament by MPs on 3 occasions now. They have also been trying to create propaganda in mainstream media to drop ECHR (European Court of Human Rights) jurisdiction. Intelligence agencies employ general computing graduates (with a basic level of computer understanding), so they want the data handed to them on a plate, which means placing everything in a massive targetable database that is also accessible by millions working for intelligence agencies and could be edited to create a false positive. They want any way they can to access your accounts and private data (more so than any criminal or hacker).
How many of you use the same password everywhere? If you think this is not bad, consider one thing: what happens when a database is leaked online by a company that does not care about security? Simple answer: whoever targeted that data – be it a hacker or an intelligence agency (the latter more probable) – will have a list of email addresses and passwords. Proper security experts and developers who care about security already know that passwords should never be put in a database in plain text; they should always be salted and hashed, which means only the server knows how to check the passwords. When passwords are checked they are never decrypted from the database; they are merely checked by re-hashing the submitted password and comparing the result. Developers used to use a hashing algorithm called MD5; this is no longer a secure way of storing passwords, but it is better than nothing. With the leaked data these people will set up software to try each email and password on multiple websites. This is not brute forcing, so the technique will work (and be hard for administrators to detect) on any website.
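An added example (not the post’s own code) of what “salted and hashed, checked by re-hashing” looks like in practice, using Python’s standard-library PBKDF2, with the unsalted MD5 scheme the post mentions alongside it for contrast. The record format, the 200,000-iteration work factor and the user names are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; an assumed value, raise it as far as login latency allows.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest' (hex fields).

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be matched against a
    precomputed list of hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt by re-deriving the digest with the stored salt.

    Nothing is decrypted: the stored digest cannot be turned back into the
    password; it can only be recomputed and compared.
    """
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def legacy_md5(password: str) -> str:
    """The unsalted MD5 scheme the post mentions: fast and deterministic, so every
    user with the same password gets the same value, and a leaked table can be
    matched directly against precomputed hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed users; the same password is reused by both of them.
    users = {"alice": hash_password("hunter2"), "bob": hash_password("hunter2")}
    print(users["alice"] == users["bob"])                  # False: different salts
    print(legacy_md5("hunter2") == legacy_md5("hunter2"))  # True: identical, linkable
    print(verify_password("hunter2", users["alice"]))      # True
    print(verify_password("hunter3", users["alice"]))      # False
```

Storing the algorithm name and iteration count inside the record is what lets a site raise the work factor later and re-hash each user on their next successful login, rather than being stuck on whatever it chose years ago.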
Short passwords can be brute forced by intelligence agencies and hackers within minutes or hours, if brute forcing is possible against the specific website or encrypted volume. This is why companies like Google and the banks not only allow longer passwords but also provide two-tier authentication. This means you can get an app on your phone that generates a secure code that will only ever be generated on your specific device. It is basically a step on from those small number authenticators that banks used to give out for online banking.
The only way you will know if someone has accessed your account on any given website is if the site keeps proper logging of IPs, and next to no public email or store sites do this. Most social media websites do, and you can usually look at signed-in sessions and the previous IPs that have entered the account. If the site is developed by a developer who does not care about security, you will never know who could be sitting in your account.
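What a site can do with that IP logging, as an added example rather than anything from the post: the first function raises the “signed in from a new address” alert that social media sites show, and the second looks for the leaked-list pattern from the previous section, one address trying many different accounts with only an attempt or two each, which a per-account lockout never sees. The log lines are a constructed sample using documentation IP ranges, and the thresholds are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application's login log (documentation IP ranges).
SAMPLE_LOG = """\
2016-02-01T08:12:03Z user=alice ip=203.0.113.5 result=ok
2016-02-02T09:01:44Z user=alice ip=203.0.113.5 result=ok
2016-02-02T09:30:00Z user=bob ip=203.0.113.9 result=ok
2016-02-03T02:14:10Z user=alice ip=198.51.100.7 result=ok
2016-02-03T02:14:12Z user=bob ip=198.51.100.7 result=fail
2016-02-03T02:14:15Z user=carol ip=198.51.100.7 result=ok
2016-02-03T02:14:19Z user=dave ip=198.51.100.7 result=fail
this line is not a login event and is skipped
""".splitlines()

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$")


def parse(lines):
    """Turn log lines into (timestamp, user, ip, success) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["ip"], m["result"] == "ok"))
    return events


def new_ip_logins(events):
    """Successful logins from an IP the account has never used before.

    The first ever login for an account is treated as its baseline, not an alert.
    """
    seen = defaultdict(set)
    alerts = []
    for ts, user, ip, ok in sorted(events):
        if not ok:
            continue
        if seen[user] and ip not in seen[user]:
            alerts.append((user, ip, ts))
        seen[user].add(ip)
    return alerts


def stuffing_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """IPs that try many *different* accounts within a short window.

    Successes and failures both count: the point is breadth across accounts,
    not depth on one. Returns {ip: number of distinct accounts}.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, _ok in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _user) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for user, ip, ts in new_ip_logins(events):
        print(f"{ts:%Y-%m-%d %H:%M}: {user} signed in from new address {ip}")
    for ip, n in stuffing_sources(events).items():
        print(f"{ip} attempted {n} different accounts within 10 minutes")
```

Note that the same address shows up in both results: the successful login on alice’s account looks like a harmless new device on its own, and only the per-IP view reveals it was one of four accounts tried from that address in nine seconds.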
This brings me to the encryption point: encryption is every internet user’s biggest asset, yet governments and intelligence agencies are trying to force back doors into encryption, which means forcing an encryption company to write a vulnerability into their code that not only your intelligence agency can use, but that hackers, criminals, terrorists and every intelligence agency around the world will also be able to use. How do you think your credit card information or banking information is protected online? Yes, it is encrypted. When you send your payment information over a secure website (like this site) the data is encrypted between your computer and the server with something called SSL or TLS; if SSL has a back door it is rendered useless: hackers and criminals could quite easily intercept the information between you and the server, not just intelligence agencies. Only people who don’t understand how bad this is are going along like sheep with governments. The Netherlands recently announced that it is to support encryption because it is so vital.
So, what can you do to improve your password security? First of all, there are a number of ways in which you can store passwords. Nearly all websites you use accept long passwords now; wherever you can, use the longest password possible. Software like KeePass will create a secure password and store it in a database. If you use this, I suggest you create a key file to open the database and place it on a USB disk (preferably an encrypted USB disk); that way you have two-tier authentication, and the only person who can access the database is the person who has the USB disk. The software copies your password to the clipboard when you double click and removes it from the clipboard after a certain amount of time, so your password is not left there if you forget, or have to quickly go out and close the database. Make sure you remove the USB disk and close the database when not in use, or if you have people around you that you do not trust.
Conclusion:
The thing to remember is: people like me and other security researchers are not out to spread misinformation; we understand the systems and how data is stored and communicated between computers and servers. Yet a lot of people take their Government’s or the press’s (which is basically controlled by the Government) word over that of experts. If you question the Government, MPs or the press promoting these ridiculous laws about the technical aspects, they don’t have a clue. This has also been shown on many occasions recently in news interviews. This kind of thinking is only destroying online rights and online security and is quite frankly ridiculous. There is also a lot of propaganda going on in mainstream media which is promoted by governments and intelligence agencies.
If you have read this entire article I would like to thank you and hope that it helps to keep you safer online.
Links of Interest:
1 - Bruce Schneier - The Conflict between Privacy and Security
I suggest that you watch this video if you have an interest. Bruce Schneier is one of the world’s top cryptographers and explains to a military unit his views on where they should be going.