Entry for March 11, 2008
How to set up an intruder alarm on your email account
Thu Mar 6, 2008 10:26PM EST
http://tech.yahoo.com/blogs/hughes/24172

This may or may not come as a shocker, but according to a recent FTC survey on identity theft, 16 percent of the victims said their information was stolen by people they knew, including friends, relatives, neighbors, and coworkers. This is important because it serves as a reminder that we need to take extra precautions whether we're at home or at work. It's probably a good idea to disable cookies, so you don't save login and password information for your accounts, and you should never keep sensitive information where thieves can easily find it.

I've gotten several emails from readers asking me how they can find out if someone has accessed their personal email account, so I thought I'd point you to an excellent post written by PCWorld's Erik Larkin on how to set a hacker alarm on your web mail box. This is a good way to find out if anyone besides you is logging into your email account. Here's the gist:

- Open an account with OneStatFree.com, and use a disposable e-mail address to complete the registration process.
- You'll receive an email from OneStat with an attached file. Save the file, note the account number, and then delete the email.
- Rename the file with a name that would catch a hacker's eye like "AccountPasswords." Save the .txt file as an .htm file so it opens up in a web browser.
- Send an email with the .htm file to the account you want to monitor. Use a subject line that is eye-catching.
- Wait for the hacker to take the bait. If the attachment is opened by anyone but you, the hit counter will record their IP address.
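
The OneStat trick above is a web beacon used as a canary: a decoy file that phones home the moment someone opens it. As an added example, not code from the post, from PC World or from OneStat, here is a self-hosted version in Python. It writes a decoy .htm whose only active content is a one-pixel image fetched from a beacon URL you control, and runs a small HTTP handler that turns each fetch into an alert record carrying the client IP, user agent and time. The beacon host `beacon.example.invalid`, the port 8080 and the token values are assumptions made for this example.

```python
import html
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlparse

# Hypothetical beacon endpoint on a host you control (assumption for the example).
BEACON_BASE = "https://beacon.example.invalid/hit"

# 1x1 transparent GIF served to whatever fetches the beacon, so the page renders "normally".
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
             b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def new_token() -> str:
    """Unguessable per-decoy token: a hit carrying it can only come from someone who opened this file."""
    return secrets.token_hex(16)


def build_canary_html(token: str, title: str = "AccountPasswords") -> str:
    """The decoy .htm: a plausible-looking page whose only active content is the beacon image."""
    beacon_url = f"{BEACON_BASE}?t={token}"
    return (
        "<!doctype html><html><head><meta charset='utf-8'>"
        f"<title>{html.escape(title)}</title></head><body>"
        "<p>Loading document...</p>"
        f"<img src='{html.escape(beacon_url, quote=True)}' width='1' height='1' alt=''>"
        "</body></html>"
    )


def record_hit(path: str, remote_addr: str, user_agent: str,
               known_tokens: Set[str], now: Optional[datetime] = None) -> Optional[Dict[str, str]]:
    """Turn one beacon request into an alert record; requests with unknown tokens are ignored, not logged."""
    token = parse_qs(urlparse(path).query).get("t", [""])[0]
    if token not in known_tokens:
        return None
    when = now or datetime.now(timezone.utc)
    return {"token": token, "ip": remote_addr, "user_agent": user_agent, "time": when.isoformat()}


class BeaconHandler(BaseHTTPRequestHandler):
    tokens: Set[str] = set()   # tokens of the decoys we have planted
    hits = []                  # alert records, newest last

    def do_GET(self):
        hit = record_hit(self.path, self.client_address[0],
                         self.headers.get("User-Agent", ""), self.tokens)
        if hit is not None:
            self.hits.append(hit)
            print("ALERT: decoy opened:", hit)
        # Always answer with the pixel, so the viewer sees nothing unusual.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(PIXEL_GIF)


if __name__ == "__main__":
    token = new_token()
    with open("AccountPasswords.htm", "w", encoding="utf-8") as f:
        f.write(build_canary_html(token))   # this is the file you mail to the account being watched
    BeaconHandler.tokens.add(token)
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

Two caveats a practitioner will want: the beacon only fires if whatever opens the decoy loads remote images, which most webmail clients block by default, so a saved .htm opened in a browser (as the post's steps intend) is the reliable trigger; and the random token keeps the log clean, since a stray request without a planted token is dropped rather than reported as an intrusion.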
Hackers are very clever, so you want to change your password frequently to something that's a little harder to crack.

Tips to make your inbox less vulnerable to identity theft
Thu Mar 6, 2008 10:23PM EST
http://tech.yahoo.com/blogs/hughes/24171

Identity theft continues to be a big concern among Americans who engage in online transactions, and for good reason. Last year, an FTC survey found that 8.3 million American adults were victims of identity theft in 2005, and an alarming 85 percent reported that one or more of their existing accounts had been misused. Those accounts included email, credit card, banking, medical insurance, and other Internet payment accounts.

Now you may not give this much thought, but your email account is a prime target for hackers because it holds sensitive information about you that puts you at great risk of identity theft. Think about it. When you open an online account, you're likely to get an email that contains your username and password, and if you're like most Americans, you probably keep those emails in a folder for future reference. Oftentimes we forget to delete these emails, or get comfortable with our online filing system, so we have to be careful with whatever method we choose. Here are a few tips to help you keep your inbox clean and your identity safe:

- One problem many of us face is remembering multiple passwords and usernames. Instead of writing them down, or keeping those password emails in your inbox, you should create high-, medium-, and low-security passwords you can remember. Becky Worley had some great advice on giving your accounts a password makeover in an earlier post.
- Faxes, contracts, and other important documents are being sent through email as attachments. If these attachments contain sensitive information, I recommend you save them to an external hard drive or a location only you know about, and then delete them from your inbox.
- Delete any sensitive emails in your inbox that contain passwords or financial information, especially if you receive banking alerts with account balances.
- Remember, if you lose your iPhone or Blackberry, anyone who finds it gains access to your email too. Always delete emails you don't want anyone to ever read, and put a password on your phone for extra protection.
- Never forward sensitive information to anyone. Remember, they are as vulnerable as you are.
Next up, I will tell you how to set up a hacker alarm on your inbox, so you know when (or if) hackers access your account.

How Do They Crack Your Password?
Mon Jan 22, 2007 3:22AM EST
http://tech.yahoo.com/blog/null/13947

Reader Rich Brozenec writes: I read your story about passwords. I have a question. Almost all my internet accounts (banks, Amazon, credit cards, etc.) have a limit on the number of password tries they allow [before timing out additional attempts]. Your story implies an infinite number of attempts using various combinations of letters and numbers, but is that really the case, or is there a way around these limits?

A little backstory on how passwords are cracked is in order. As some emailers and commenters have noted, "brute force" password cracking is probably not the most popular method by which passwords are broken. Social engineering, phishing, and other nefarious methods are actually much easier: all of these involve you willingly giving up your password to a malicious hacker through some form of misdirection and deceit. You may get a call from "your bank" about a problem with your account. Or you may get an email from "eBay" with a question about your listing... which takes you to a phony website. The most secure password in the world won't protect you against hacking attempts like these. If you actually tell someone your password, you're out of luck.

The kind of password attacks I'm talking about when I write stories about password security and strength are brute force attacks of various sorts. These attacks typically start with the theft of password records by one means or another. You read about it every day: hackers compromise networks and abscond with user data. Or, more commonly, someone steals a laptop loaded with user records for some company or another. (User IDs are usually not encrypted and are linked directly to the hashed password.)
Most of the time, though, just having this user data doesn't mean your password is now in the hands of hackers (though if you read that a company you deal with has been victimized, you should always change your password as a matter of precaution). That's because most companies don't store the passwords themselves but hashes of them. A hash is created by taking your password, applying a mathematical function to it, then storing the result of that function in the database instead of the actual password. When you log in to a website, the site runs that same math function against the password you typed, then checks the database to see if the hashes match. If they do, you're in.

The reason hashes are secure is that they are not reversible. Say your password is daisy123; its hash may be 1b3c2c45d0a977b508f637097a94cbfb. (And in fact, it really is in one of the most common hash systems.) It's easy to go from daisy123 to the hash. Not so easy to go the other way. Thus, it's much safer to store the hash. Make sense so far?

So, what happens if a hacker knows the hash of your password? He tries out likely passwords to see if he can get a match. Again, it's easy to hash several hundred passwords per second, and eventually he'll get to daisy123, since it is, as noted in a prior article, a quite insecure password. But if your password is appropriately complex, he'll probably never be able to crack it: having the hash will be as useless as having no information about your password at all. There are copious other methods for cracking passwords (and there are even online databases of hashes that make looking up common passwords child's play), but this is the most common way, especially when cracking passwords in bulk (when you have thousands or millions of hashes to look through).
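
To make the hashing description concrete, here is an added example in Python (mine, not the post's): the login check against a stored hash, the unsalted MD5 scheme that the daisy123 example describes alongside a salted PBKDF2 scheme, and an audit that shows why a stolen table of fast unsalted hashes gives up every entry that appears in a wordlist. The user names, the wordlist and the passwords in the "leaked" table are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# --- The scheme the post describes: store an unsalted fast hash of the password. ---

def weak_hash(password: str) -> str:
    """Unsalted MD5, hex-encoded: one fixed hash per password, identical for every user who picks it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored_hex: str) -> bool:
    """Login check: hash what the user typed and compare with the stored value."""
    return hmac.compare_digest(weak_hash(password), stored_hex)


# --- A hardened scheme: per-user random salt and a deliberately slow key derivation. ---

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh 16-byte salt is drawn when none is supplied."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def strong_verify(password: str, salt: bytes, stored_dk: bytes) -> bool:
    _, dk = strong_hash(password, salt)
    return hmac.compare_digest(dk, stored_dk)


def strong_roundtrip(password: str, attempt: str) -> bool:
    """Store `password` with a fresh salt, then test whether `attempt` would log in."""
    salt, dk = strong_hash(password)
    return strong_verify(attempt, salt, dk)


# --- Audit: how much of a stolen weak-hash table a small wordlist recovers. ---

WORDLIST = ["password", "123456", "qwerty", "daisy", "daisy123", "letmein", "strawberry01"]  # constructed


def audit_weak_table(table: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map user -> recovered password for every stored MD5 equal to the hash of a wordlist entry.
    Each candidate is hashed once and checked against the whole table, so the cost grows with the
    number of candidates, not candidates x users: that is what makes bulk cracking cheap."""
    lookup = {weak_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def demo_audit() -> Dict[str, str]:
    # Constructed "leaked" table: two users with wordlist passwords, one with a root+appendage password.
    leaked = {
        "alice": weak_hash("daisy123"),
        "bob": weak_hash("1066pitchsure6601"),
        "carol": weak_hash("password"),
    }
    return audit_weak_table(leaked, WORDLIST)


if __name__ == "__main__":
    print("recovered from weak table:", demo_audit())
    print("strong scheme, right password:", strong_roundtrip("daisy123", "daisy123"))
    print("strong scheme, wrong password:", strong_roundtrip("daisy123", "daisy124"))
```

The audit is the defender's view of the post's bulk-cracking scenario: with unsalted MD5 the `lookup` table is built once and reused against every user, which is also why online hash databases work. With the salted scheme there is nothing to precompute, every guess costs one full PBKDF2 run per user, and two users who choose daisy123 still get different stored values.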
It shakes out pretty much the same way every time: if a thief absconds with 100,000 user records, a relatively simple brute force attack against those hashes using common cracking software will probably net 20,000 passwords he can use. In other words: be safe out there.

How to Pick a Genuinely Secure Password
Wed Jan 17, 2007 3:24AM EST
http://tech.yahoo.com/blog/null/13353;_ylt=AsJwQ2DOF9_8OXQgSIlufkMVPpA5

When it comes to security, Bruce Schneier is a god among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet. So when Bruce says here's how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I'll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.

First question: how are passwords cracked, anyway? Primarily through brute force "dictionary" attacks, where software tries to guess a password by running through a series of common phrases or words in various combinations. Sure, we know that "password" and "qwerty" are easy to crack, but password crackers have gotten much more sophisticated these days. Now they check hundreds of these common "root" passwords (here's a list)... in combination with various "appendages," including all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also sub in common characters like "3" for "E" and other typical hacker-speak substitutions. What does that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you're sadly mistaken. Any modern password cracker will suss it out in a matter of minutes.

Before you begin to despair, Schneier offers simple rules on how to create a password that cannot be easily cracked by such methods. (Mind you, given enough time, any password can be cracked. But this will make it much harder.) The trick is to use a "root" that is not in the list linked above, and to put your "appendage" (or two of them) in an unusual place: either in the middle of the root or at both the beginning and the end. Schneier's example is to use a word that you can pronounce but which is spelled "wrong": armwar or pitchsure or baysball are all examples. Then attach your appendage(s): arm9!9war or 1066pitchsure6601 or bay1776sball. It shouldn't take much effort to commit any of these to memory.

How Pathetic Is Your Password?
Tue Apr 4, 2006 1:36PM EDT
http://tech.yahoo.com/blog/null/44;_ylt=ApWyAf7l9k_0oJGi5inluHvxMJA5

Think putting a "1" on the end of "daisy" is going to stymie crackers intent on breaking your password? Turns out that with a reasonably up-to-date computer, a dedicated hacker should be able to break it, by brute force, in about an hour and a half. Lockdown.co.uk has a handy document that shows just how secure your password really is, based on its length and the type of characters you use in it (all numbers, letters and numbers, uppercase/lowercase, special symbols, etc.). Think about your most common passwords, then visit the site. You'll be most interested in the results for a "Class D" attack, which represents someone with a single, very fast PC. (Class E and Class F represent multiple-PC attacks and aren't as likely to be involved with someone trying to break into your eBay account.)

As an example, the site notes that a password like "darren" would take all of 30 seconds to break. "Land3rz" would take 4 days. And "B33r&Mug" would take 23 whopping years. The key to great security isn't just length, but adding in non-traditional characters, too: a great password should be eight characters long (or more), and include at least one number, one uppercase letter, and one special character like an ampersand. To make it easy on yourself, try using the same button on the keyboard in both lower- and uppercase versions. For example: "JjKkIi*8" requires you only hit four different keys (plus Shift), and they're all clustered in a tight group.

Frequent Password Change Policy: A Bad Idea
Fri Apr 28, 2006 11:26AM EDT
http://tech.yahoo.com/blog/null/123;_ylt=Au3GS8MUW5ZQ6zdCdWr4a5DxMJA5

Many of you in heavy-duty corporate environments have to deal with one of my biggest pet peeves in all of technology: changing your password on a quarterly, monthly, or more frequent basis. Eugene H. Spafford of CERIAS, a tech security expert, offers a biting and insightful essay on why this kind of policy is not only a useless idea, but a potentially dangerous one, too. It's a "best practice" that was born 30 years ago when some network administrator thought it would be a good idea. (That idea: that if someone already had access, changing your password meant he wouldn't have it for long.) Well, today's intrusion detection methods are much better, and the odds of someone having illegal access for a long period of time without being discovered are considerably lower. The "frequent change" policy is out of date. But the policy stuck back then, and now we're stuck with it, despite there being no scientific basis that it actually increases security. (In fact, it's almost certainly harmful, since people end up using a series of passwords that are actually easier to guess. Many people forced to suffer through this ridiculous policy simply use a series of simple passwords with a number on the end that increments every time they're forced to make a change: strawberry01, strawberry02, and so on.)

If you're fed up with constantly changing, and then forgetting, your password, print out this article (or forward a link), and hand it to your IT manager or whoever's in charge of your network. Just say no to overly frequent password changes!
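
The two cracking posts above describe, respectively, the dictionary attack (common root, leet substitutions, a short appendage at either end) and the time-to-crack estimate by length and character class. As an added example that is neither Schneier's nor Lockdown.co.uk's code, here is a Python password-policy check that applies both ideas in the direction a defender uses them: it undoes the substitutions and trims the appendages to see whether a candidate collapses to a common root, and it estimates worst-case brute-force time from the classes the password actually uses. The root list, the substitution table and the guess rate of ten million per second are constructed stand-ins, not the figures behind the posts' numbers.

```python
import re
import string
from typing import Dict

# Common "root" words a cracker tries first (constructed, a short stand-in for the real lists).
COMMON_ROOTS = {"password", "qwerty", "letmein", "welcome", "monkey", "dragon",
                "daisy", "darren", "piglet", "strawberry"}

# Typical substitutions ("3" for "E" and friends), undone before the root lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Appendages the post lists: a run of digits (covers 2- and 3-digit combos and years) or a single symbol.
APPENDAGE = r"(?:\d{1,4}|[^\w\s])"


def normalize_root(pw: str) -> str:
    """Lower-case, strip up to three appendages from each end, then undo leet substitutions."""
    core = pw.lower()
    for _ in range(3):
        core = re.sub(rf"^{APPENDAGE}", "", core)
        core = re.sub(rf"{APPENDAGE}$", "", core)
    return core.translate(LEET)


def looks_like_root_plus_appendage(pw: str) -> bool:
    """True when pw is a common root dressed up with leet and end-appendages (pigl3t9!, daisy1)."""
    return normalize_root(pw) in COMMON_ROOTS


# Character classes the Lockdown-style tables are indexed by.
CLASSES = {"digits": string.digits, "lower": string.ascii_lowercase,
           "upper": string.ascii_uppercase, "symbols": string.punctuation}


def alphabet_size(pw: str) -> int:
    """Size of the smallest alphabet covering every class that appears in pw."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))


def brute_force_seconds(pw: str, guesses_per_second: float) -> float:
    """Worst case: try every string of length 1..len(pw) over the alphabet pw draws from."""
    n = alphabet_size(pw)
    keyspace = sum(n ** k for k in range(1, len(pw) + 1))
    return keyspace / guesses_per_second


GUESSES_PER_SECOND = 1e7  # constructed stand-in for one fast PC; not Lockdown.co.uk's "Class D" figure


def assess(pw: str, rate: float = GUESSES_PER_SECOND) -> Dict[str, object]:
    """Both checks at once: a large keyspace means nothing if the password is a root plus appendage."""
    return {
        "password": pw,
        "alphabet": alphabet_size(pw),
        "brute_force_days": brute_force_seconds(pw, rate) / 86400,
        "dictionary_weak": looks_like_root_plus_appendage(pw),
    }


if __name__ == "__main__":
    for candidate in ["darren", "daisy1", "pigl3t9!", "Land3rz", "B33r&Mug", "1066pitchsure6601", "JjKkIi*8"]:
        print(assess(candidate))
```

The two numbers disagree on purpose for something like pigl3t9!: eight characters from a 94-symbol alphabet looks expensive to exhaust, yet `dictionary_weak` is true because the cracker never exhausts anything, it tries roots with appendages first. Schneier's 1066pitchsure6601 passes both checks because its root is not a dictionary word, not because it is long.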
10 myths about Windows passwords
Mon Feb 25, 2008 2:23PM EST
http://tech.yahoo.com/blog/null/1640;_ylt=Ag45m2v4Iton6s1P7Mg8fmjxMJA5

When I first clicked on this article, I expected to see yet another diatribe telling you to use numbers, mixed-case letters, and special characters when you create a password. Boy, was I wrong. Get past some of the geeky language and you'll find a truly eye-opening story about the security of passwords in Windows. Some key points from the piece (at least, points that challenge the conventional wisdom of password security):

- Random passwords aren't necessarily more secure. Strings of garbage like Gh&739(*j are hard to remember, easy to mistype, and can be vulnerable to password crackers, especially if they are short.
- The most secure passwords are 15 characters or longer.
- Replacing an "o" with a "0" does nothing for security. Do you really think a hacker can't figure out to try d0g instead of dog? Adding a few digits to a cracking program is no big deal.
- Realistically, changing your password every four months is good enough.
- Documenting your password is not necessarily a bad thing. If a password is written down and stored securely (say, in a safe), this can be useful if an employee quits, for example. Many people store their passwords in a safe deposit box in the event of emergencies, so spouses or children can get access to bank accounts and the like.
Surprisingly, Mark Burnett's piece dates back to 2002, but the lessons are still relevant today. Give it a spin. Maybe consider changing your passwords this weekend.