P@sZW0rd!
This seems like a great password, correct? WRONG! This password can be cracked in half an hour or less by a hacker with some simple tools. This article is meant to enlighten us on the use of passwords and how frail they are at keeping our most sensitive personal information safe. I am writing this article for reference only and will not name any of the actual tools hackers use.
Hashes and their Uses:
To keep things secure, programmers do not store users' passwords in plain text. In other words, programmers don't have an Excel spreadsheet with usernames in column A and passwords in column B. If they do… they're doing it wrong. Instead they store what is called a hash of the password. A hash is a mathematical equation that only the password can solve. So when you type in your password and hit "login", you send your answer to the server, and the server uses the password to solve the equation. If it solves, the user is allowed in; if it doesn't, you get "login failed, please try again".
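Here is an added example (my own code, not from the article) of what "storing a hash" looks like on the server side, using Python's standard-library PBKDF2 with a random per-user salt: the salt is what makes precomputed rainbow tables useless, and the iteration count is what slows down each of a hacker's guesses. The iteration count is an assumption (OWASP's current recommendation for PBKDF2-HMAC-SHA256), not something the article specifies.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor, not from the article: OWASP's recommended iteration
# count for PBKDF2-HMAC-SHA256 at the time of writing.
ITERATIONS = 600_000

def make_record(password, salt=None):
    """Build the string the server stores instead of the password.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot crack them all.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify(password, record):
    """Re-run the hash on the login attempt and compare it with the stored digest.

    The password itself is never stored; the server only checks that this
    attempt produces the same digest under the same salt and cost.
    """
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))

if __name__ == "__main__":
    stored = make_record("P@sZW0rd!")        # what lands in the database
    print(stored)
    print(verify("P@sZW0rd!", stored))       # True: correct password
    print(verify("P@sZW0rd", stored))        # False: one character off
```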
Hackers love Hashes
Hackers have a lot of tools for grabbing these hashes from servers. Some are as simple as breaking the login page with what is called an SQL injection. Other programs can "dump" the contents of the file that stores these hashes onto the hacker's own PC. Why do hackers want a bunch of seemingly meaningless garble? If they can solve these equations they can get your password. If they can get your password they can use your account for whatever they want. If your account happens to have privileges such as administrator… they can have anything they want.
Hackers always like to boast about how many hashes they have cracked… it's like playing Farmville to them. There are blogs all over where all people do is post hashes that someone has "collected" from somewhere, and then you get replies like "I got 34,000 of the 90,000 in 16 hours!"
How do hackers solve these hashes?
There are plenty of ready-built tools hackers use for solving hashes. Some use attacks called "brute force", where the program just keeps guessing letters until it solves the hash. They use brute force both randomly and in more focused ways. If the hacker knows anything about the hash and where it comes from (which is always the case) they can use "wordlists" and hope that someone made a password that relates to information about the hash. Hackers can also put characters together at random and hope for the best with "Rainbow Tables". All these tools are very easy to use, and how to use them is widely documented on the internet.
Now I would like to go through some statements that I definitely hear from others:
"My password is secure."
I am interested in what people think is secure. If you think the name of the dog you talk about every day, plus the date he was born, makes a good password, please think again. Anniversary dates, any dates for that matter, are cracked in seconds. A laughable password is the use of special characters to form a word, like the one I showed at the beginning of this blog. With some simple tweaking of the hacker's program it can find those passwords in seconds. How about a sentence from your favorite book, with commas, spaces and the whole thing? This can be hacked with a simple wordlist made from millions of books and cracked in hours. Now, I know of people using sequences of keys to make their password. The famous QWERTY comes to mind. I myself thought this was very secure; it doesn't make a word or anything. Hackers have created wordlists for every key combo on your keyboard and will eventually get that one too. How about some long random password with all the different types of symbols and strangeness to it? If you have this type of password you probably have it written down somewhere, like a sticky note on the back of your monitor or under your keyboard. "BUT MY HOUSE IS SECURE!" could be your argument against someone getting that sticky note. Look, if someone wants into your house that badly they can find a way in. What I laugh at is the password programs that keep all your passwords in one safe spot… behind a single password. That single password allows access to all the other passwords.
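As an added example (my code, not from the article), here is a registration-time check in Python that flags the categories this section calls out: a dictionary word disguised with symbol substitutions (it recovers "password" from P@sZW0rd!), dates, keyboard walks like QWERTY, and anything under the 14-character mark the article comes back to later. The wordlist is a constructed six-word stand-in; a real deployment would check against a large breached-password list.

```python
import re

# Constructed stand-in wordlist; a real check would load a large breached-password list.
WORDLIST = ("password", "qwerty", "letmein", "charlie", "welcome", "football")
# Common symbol-for-letter swaps, undone before the dictionary comparison.
LEET = str.maketrans("@4301$578", "aaeoisstb")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def edit_distance(a, b):
    """Levenshtein distance, so 'paszword' still counts as 'password'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def weak_patterns(password):
    """Return the reasons a candidate password falls into a weak category."""
    reasons = []
    low = password.lower()
    letters = re.sub(r"[^a-z]", "", low)                  # 'Charlie2009' -> 'charlie'
    core = re.sub(r"[^a-z]", "", low.translate(LEET))     # 'P@sZW0rd!' -> 'paszword'
    for word in WORDLIST:
        if word in letters or (core and edit_distance(core, word) <= 1):
            reasons.append("dictionary word '%s' with substitutions" % word)
            break
    if re.search(r"(19|20)\d\d|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", password):
        reasons.append("contains a date")
    for row in KEYBOARD_ROWS:
        for start in range(len(low) - 3):
            run = low[start:start + 4]                    # any 4-key walk along a row
            if run in row or run in row[::-1]:
                reasons.append("keyboard sequence '%s'" % run)
                break
    if len(password) < 14:
        reasons.append("shorter than 14 characters")
    return reasons

if __name__ == "__main__":
    for candidate in ("P@sZW0rd!", "Charlie2009", "qwerty123", "Lj&9liU7*i%laugh"):
        print(candidate, "->", weak_patterns(candidate) or "no weak pattern found")
```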
"I have a password that is 15 characters long."
These are hard to crack. There are different types of hashes, and when you go above 14 characters a more secure hash is forced to be created. Chances are you used a phrase or names to get all those characters, which, as described above, is fairly easy to crack with the right wordlist. On the other hand, you probably have it written down in order to remember it.
"How can someone guess a password that is so random?"
The hacker doesn't do much of anything once they get good enough. They just run a program in different ways and let the computer do the work. The hacker doesn't even need a powerful machine; all the hacker needs is a little creativity. Although, it is true that someone with some money can buy a very powerful password-cracking machine for as little as $15,000. That is a lot for some… but when a hacker can get into a financial institution, $15,000 can be made back in milliseconds. What they get for $15,000 is billions of passwords a second. Yes, they are trying to solve the hash they stole at up to 14 billion tries each second. To translate that a bit, let's say your password is 8 characters long. These machines can crack that password, no matter what characters, symbols or numbers you use, in 5 hours or less. To clarify, it will take 5 hours only if your password happens to be the last guess it tries.
"But a 'crack my password' website says it will take 2 zillion years to crack my password."
This is laughable. What these websites are based on is what hackers use as a last resort, called incremental brute force. Brute force was explained earlier, but incremental does something like this: start with a and go through z, then add an a and go through to z again. So a-z, then aa-az, then aaa-aaz, and so on for every combo, also including numbers, symbols and caps lock. Now, a smart program doing incremental would just start in some random place, as that is better than starting at "a": if you have no idea where to start, always start in the middle and choose randomly up or down. There are lots of other ways to try cracking hashes before they try this. The hacker will avoid this last resort at all costs. Just to make the point clear, the hacker will usually get a hit before they have to turn to this last resort.
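To put the incremental order just described into numbers, here is an added example (mine, not the article's) that computes where a given password falls in the a, b, …, z, aa, ab, … sequence, i.e. how many guesses an incremental search starting from "a" spends before reaching it, and how long the whole space takes at the article's 14 billion guesses per second. It also shows the effect of the character set: at that rate every alphanumeric 8-character string is tried in a little over four hours, consistent with the "5 hours or less" above, while adding the 32 punctuation symbols makes the worst case roughly 28 times longer.

```python
import string

# The article's figure for a purpose-built cracking rig.
GUESSES_PER_SECOND = 14_000_000_000
ALPHANUMERIC = string.ascii_letters + string.digits      # 62 symbols
PRINTABLE = ALPHANUMERIC + string.punctuation            # 94 symbols

def total_candidates(charset_size, max_len):
    """How many strings of length 1..max_len exist: the whole incremental space."""
    return sum(charset_size ** n for n in range(1, max_len + 1))

def guess_number(password, charset):
    """1-based position of password in the order a..z, aa..az, ..., i.e. the number
    of guesses an incremental search from 'a' makes before it lands on this one.
    Raises ValueError if the password uses a character outside the charset."""
    k = len(charset)
    shorter = total_candidates(k, len(password) - 1)   # every shorter string comes first
    rank = 0
    for ch in password:
        rank = rank * k + charset.index(ch)             # base-k value within this length
    return shorter + rank + 1

def hours_to_exhaust(charset, max_len, rate=GUESSES_PER_SECOND):
    """Worst case: the password is the very last candidate tried."""
    return total_candidates(len(charset), max_len) / rate / 3600

def hours_until_found(password, charset, rate=GUESSES_PER_SECOND):
    """Time for an incremental search from 'a' to reach this exact password."""
    return guess_number(password, charset) / rate / 3600

if __name__ == "__main__":
    print("over 'abc', 'ab' is guess number", guess_number("ab", "abc"))       # 5
    print("all alphanumeric 8-char strings: %.1f h" % hours_to_exhaust(ALPHANUMERIC, 8))
    print("all printable 8-char strings:    %.1f h" % hours_to_exhaust(PRINTABLE, 8))
    print("'zzzzzzzz' (alphanumeric):       %.1f h" % hours_until_found("zzzzzzzz", ALPHANUMERIC))
```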
Why is this so scary?
To gain access to any system all a hacker needs is ONE username and password. The hacker will always go after the user name with the most privileges (admin or root). All they need is to get one of these accounts to start their work. After they gain access… they get to have even more fun. Now, this relates to systems that are usually company owned and have lots of users on them. Personal accounts (Gmail, Facebook, LinkedIn) are still targeted. If someone gained administrative access to a LinkedIn server they could find a list of users' hashes on it. Your personal password could be one of those hashes. So it all comes back to the customer in the end.
What do we do then?
Unfortunately we as consumers can't do much. We have to wait for our suppliers to work things out and find ways to combat this. The high hope is that the suppliers are the only ones who have these admin rights/privileges and that they understand the importance of strong passwords. There are some groups doing great things. Two-factor authentication is becoming a great way to combat this. How two-factor essentially works is that there are different ways you can tell the system you are who you say you are. These factors answer one of these three questions:
- What you know
- What you have
- What you are
Since passwords are "things that you know", a second question has to be answered for it to become two-factor authentication. Google has done this well with their Gmail accounts. They now allow these two factors by answering "what you know" and "what you have": making a password and getting a second password from your phone. To finish this idea, "what you are" can be answered by fingerprints or retina scans.
What do we have left for a defense then, since passwords are not secure?
Since we are stuck with what we have and there is no way to change it, we should find the best way to make our passwords harder than the other guy's. This is a theory I like to call "Better than your neighbor". If a potential burglar wants to get into a house on the block they will choose the easiest door. The easiest door is usually the one that is unlocked or partially open. Now think: if you have a dog, an alarm, a fence, a dead bolt… it shakes the burglar's confidence enough to look elsewhere… most of the time. Burglars usually are not that smart. Think of it: if they were smart, why would they be robbing? They could make money a lot more easily than by robbing a couple of places. Now, it is true we have those shady people who like to do it just for fun. These are the people we have to watch out for, because they take all these obstacles as a challenge and enjoy the more challenging ones. Also, to cover the bases, I guess you can say there are exceptions to the above statements. You can have a smart burglar.
What are some pointers to creating a good password?
With companies still enforcing passwords, I guess the best thing we can do is make it at least somewhat hard for them. Here are some pointers:
- Passwords:
  - Of all the ways to create a password, sequences seem to throw off hackers a lot. Find a way to sequence your passwords on the keyboard using letters, upper and lower case, numbers and symbols. So maybe something like this for linkedin.com:
    1. "L" for the first part of the website name (linked), then count left 2 "j", then up 2 "&", then right 2 "9", then down 2 "l"; then use "i" for "in" (the second part) and go left one "U", up one "7", right one "*", down one "i"; then to finish it off put something random like "%laugh". The entire password together would look like this: Lj&9liU7*i%laugh
       You may laugh at this, but that will almost never be cracked… and the 14 characters mentioned above (more secure hash) is met, and you don't have to write it down. Notice the shift key is used on every other one.
    2. Now I am going to get some reader saying "OK, I will do it exactly like that above…" Please be creative and at least think about how you can personalize this sequence. At least change the numbers or the direction of your sequence. I would suggest coming up with a new password scheme altogether, as some crafty hacker/programmer has already trolled this website and put my above scheme, and any other scheme that relates to it, into a wordlist just in case… which he will use if he has to.
  - Create a DIFFERENT password for every website you sign into. If your password is cracked, the first thing a hacker will do is try this password on all the other websites you use.
  - I would like to pause here and just say that a hacker isn't doing a lot of work here. Someone did a ton of work creating a program to do all this digging into a personal life and just hands the program over to other hackers. All they do is run programs and let the program do all the work. So when you think "man, these hackers get personal", just remember they aren't doing much work… just letting a program do it all for them. ** It may be true that some hackers out there do some manual things… but I think you get it: "exceptions always happen in life".
- Passphrases: As a side note, these passphrases (the security questions) are starting to become the target rather than the password hashes. They are easier because the hacker gets to see details (the questions) of what the hash could contain, which makes it easier for the hacker to gain access to the account.
  - Do not use the correct answer to the question. If the question is "What was your favorite pet's name?" do NOT answer the question… at least not directly. If your pet's name was "Charlie", please, oh please, do not use this. A keen hacker who is focused on you will be getting to know you very well, and if anything is on the internet it would be personal details about your life… especially those of your favorite animal. I have heard of using something that isn't even expected… like the words "telephone bike" or something random that cannot be guessed. As you notice, telephone and bike have almost nothing in common, and no one in their right mind would think your favorite pet's name is related to telephone or bike…
Conclusion:
- Please tell all your neighbors, friends and family about "safe" passwords. The more people know about this, the better we all get. We live in a community that survives by people telling others about hazards.
- Please tell them to put "safe" passwords on their wireless. Put a "safe" password on the configuration page of your router as well as a DIFFERENT good "safe" password for access to your wireless network.
- Use password-protected sharing on all your files and folders inside your network… yes, even on your trusted iTunes shared folder on your Drobo or NAS.
- Use a good "safe" password on your cloud storage. This is a big target, as it houses all your personal financial data.
- Do not think that your home "firewall" can block intruders from accessing your PC. All it takes is one email or one exploit (some malicious piece of code that uses vulnerabilities in software to gain access to your PC) to get into your PC behind a firewall. Use the next two bullet points to guard against this.
- Use an antivirus. There is some debate on whether they really do a good job. I say the freebies do a lot. The freebies (like AVG Free, MSE, etc.) at least block known bad places and can even tell you that you are accessing a bad website. It is better than nothing. I personally enjoy Webroot Endpoint. It is not free, but they do a great job, and there is very little that can get past them, as they do a ton more than the freebies, such as automatically updating the clients for any exploit that has only just become known to outsiders (zero-day exploits).
- Do not click on anything when you don't know where it will take you: popups, stray emails, banners (those flashing "free screensaver!" things), anything saying "click here" without reference to where "here" is.
I hope this helps everyone. I truly hope I have shouted this loud and clear. I have done lots of research… but as always there could be some kind of mistake in there… Who can say they haven't made a mistake?
Some after notes:
I refer to hackers as HE… there are SHEs. I don't get why, but for some people this he/she bit makes them angry. Any English book will state that the word "he" can be used in a non-gender-specific setting. The same goes for all the other languages in the world. If you are speaking to the general public and you have even the inclination that someone out there could be male, then you always address the group as a HE audience, not a she… If I offend… just remember what they say about "taking offence"… I am not to blame.