TheRadioBoard

Don't need to start a lengthy thread on Internet safety, but I got an email this morning purporting to be from someone on this forum with whom I've corresponded in the past. It contained a link to a seemingly benign website, but that link was a simple redirect to a Russian site, where you would get a nasty download if you clicked on the link in the email. I was able to download the linked pages and open them in a text editor, but even so, my anti-virus program (Kaspersky) flashed a warning.

The email came from my correspondent's Yahoo account, a favorite target of hackers. Very often, the security questions asked when you request a password reset are easy to guess, or people use stupid passwords like abc123 or even -- gasp -- 'password.' Chances are, the hackers stole this email account from the owner, and he'll never get it back. Meanwhile, some of his less-paranoid friends may end up with infected PCs as a result. I've written to the owner of the site where the bogus file was located to let her know she needs to delete the file -- and change her passwords! As the email account is probably in the hands of the Russian mob now, it probably did no good to write to its owner, but as they already have the email address I wrote from, it doesn't matter much. (Email addresses can be spoofed, but checking the headers confirmed his account was compromised.)

Strong passwords are the order of the day! I use this site to generate them: http://strongpasswordgenerator.com/ When a site asks for a security question, remember your mother's maiden name or the name of your favorite pet may be easy to find, so pick a hard question that can't be answered by looking at your Facebook page or whatever.

It's a common assumption that we're too insignificant for hackers to go after us, but they're using robots, and anyone is fair game. Within 13 seconds yesterday, a robot made more than 20 attempts to break into my blog. Many of these attacks are run from compromised PCs, part of "bot nets," and the computer owners have no idea they're aiding and abetting criminal activities. Trying to shut down bot nets is the cyber equivalent of playing Whack-A-Mole: You get one and two more pop up. Prevention is the best solution. Use strong passwords, vary them across the sites and accounts you use, and keep your antivirus software up to date. And if someone you know sends you an email with an inexplicable link, don't click on the link. Write to the person first and confirm they knew they sent it. Anti-virus software isn't perfect. They can only react to threats after they appear. You don't want to be the beta tester for a new one!

73,

_________________

http://kr1s.kearman.com/
http://qrp.kearman.com/

AHH, one of my favorite subjects. Here's some of what I've learned. Skip to the examples in bold at the bottom of this post for results.

Yahoo accounts are some of the most often broken into. Hackers and bots use "brute force" attacks, starting with a "dictionary attack," meaning they try every word in a dictionary. Then they add numbers in various combinations e.g. that could be birthdays or addresses. For short passwords, success doesn't take long.

Bots comparatively rarely try symbols such as # or ^. There are two simple tricks to make a pretty secure, but memorable password.

1. Make it at least 12 characters long
2. Use at least one character in each of four character sets:

UPPER CASE
lower case
number (e.g. 1)
symbol (e.g. # OR $ )

Using both of these rules, the number of permutations a bot would have to try is more than astronomical.

The best part, is you can make your strong password memorable by simple doubling or tripling your current short password, then taking steps to make sure you have all four character sets. For example if your password is cat, you change it to catcatcatcat. That's much, much stronger, but still could be better. If you simply make one character upper case, such as catcatcatcaT, that would require millions more tries to break.

THEN, if you just adopt a simple rule to always start with the same number and end with the same symbol, you have a really strong password, easily memorable, e.g. 1catcatcatcaT^

According to GRC's password strength calculator, an online attack on this extended cat password would take 14.14 million trillion centuries to crack. If you want to have some fun, check you password strength here: https://www.grc.com/haystack.htm

So what have we learned on the show tonight, Mac? In an online attack scenario (assuming 1000 guesses/second) each of the following passwords would take this long to crack:

cat____________18.28 seconds

catcat__________3.72 days Why? Because catcat isn't in the dictionary, but it's still limited to a 26 character set, so there are 26 factorial = 4.03291461 × 10^26 max combinations to try

catcatcat________1.80 centuries

catcatcatcat _____31.56 thousand centuries

catcatcatcaT _____1.27 hundred million centuries Why? Because by doubling the number of characters needed to try (doubling from 26 to 52), now there are 52 factorial = 8.06581752 × 10^67 combinations to try

1catcatcatcaT^____14.14 million trillion centuries Now we've add ten more characters (the digits) PLUS another 32 keyboard symbols--YEOW, it's now 26 + 26 + 10 + 32 = 94, and 94 factorial = 1.08736616 × 10^146 maximum tries needed. Too much trouble to keep trying to crack, so they move on or beat their heads relentlessly.

Notice how much harder it gets to crack simply by adding a different character set? It's clear the hackers and bots are going after the easy pickings!

So how do they do an "offline cracking scenario"?

How do they know when they have got the password?

Thanks.

...................

Thanks to Bob for the GRC link. I checked one of my passwords. The site predicted it would take 1.04 billion centuries to crack it. A password I use on another site would take 2.48 hundred trillion centuries to crack! My partner in that site hates the passwords, but they give me peace of mind.

I don't know what an offline crack is, but the way they know they cracked your site is determined by header information sent back from the Yahoo etc server. You can see something similar when you log in to The RadioBoard and enter the wrong password. When they succeed they get a character string that lets them know. These bots don't use browsers, they simply send strings of data. For example, when you fill out an online form, such as the log-in page of a site, the server code that reads the form creates a string of data that goes to the server. A hacker can create a similar string and bypass the form entirely. The squiggly character images you're supposed to decode to log into some sites are a way to prevent robots from doing that, as they can't fake the image data. Someone has to visually read and interpret it. But they can be a pain for users.

In addition to brute-force attacks, hackers will try to guess the answer to a security question, so they can change the password and take over the account. This is, I believe, how Sarah Palin's account was hacked. Hackers keep up to date on security issues in common web code, like the phpBB code that runs The RadioBoard. Webmasters have to keep abreast of updates and vulnerabilities, else their sites will surely be trashed. One horrible type of attack is aimed directly at the database, making it necessary for webmasters to frequently back up the database file, which is probably huge for The RadioBoard. More likely though, they will figure out someone's password for a particular site, and assume the person used the same nickname and password combination elsewhere. Ack! I think that's how a no-longer-active RadioBoard member's posts were all edited to include links to other sites having nothing to do with radio. So it pays to use different usernames, and definitely different passwords.

73,

_________________

http://kr1s.kearman.com/
http://qrp.kearman.com/

Offline password attacks occur when the attacker gets access to a web site's password file or database, and downloads that file or database to his/her local computer. If the web site is running secure software, the passwords are not stored in plaintext in the password file, but are instead encrypted with a one-way hash function (easy to compute f(x) given x, but very difficult to compute x given f(x)).

So the attacker has a list of usernames and encrypted passwords. If the attacker also knows the function f that was used to encrypt the passwords, then the attacker can run a brute force dictionary attack by encrypting every word in the dictionary and comparing the encrypted result against all encrypted passwords in the password file. If the encrypted strings equal, then the password has been found.This attack can use as much time or resources as the attacker requires, since checking if the password has been cracked is done completely on the attacker's computer(s) - hence, "offline" password cracking.

Part of "results table" in Macro's link.





..................................

Very easy to remember unguessable passwords:

Take a bit of salt: example 2%, or $0.00
Take any book you have (you have to remember which book though)

Go to page 35, take the first (or last) letters of the first ten words.

Once upon a midnight dreary, while I pondered weak and weary

gets you OuamdwIpwa

Add a bit of salt:
OuamdwIpwa2% - An unguessable password, and still you can put a sticker like 352% on your monitor to remember the password: Page 35, 2% salt added.


Even better: use Ouamd2%wIpwa and write down the 352%.

Have to change your password to another unguessable one? 20$0 gets you the first ten starting letters on page 20, plus $0 at the end (or the beginning to make it even harder, and still you can carry the code with you, and nobody guesses your passwords.

I have to encrypt securely in my work (very sensitive data) ,and nobody can decrypt 53x12.7z while for me is clear what the (quite large) password is. (Different algorithm used here though. )

Michel

Very good info here, but what if you have some passwords "stored" and they are automatically entered for each site you go to. Is that a ok practice or should you always physically enter the password?

SWsenior

Passwords stored by your browser are encrypted, but that's easy to break. If your firewall fails to keep out an intruder, the passwords could be retrieved. There are 'services' out there that connect directly to your PC for troubleshooting. Very dangerous, as they have full control of the system, just as if they were sitting at the keyboard. Now that firewalls are installed by default, newer systems are less susceptible. Needless to say, if your system is stolen....

73,

_________________

http://kr1s.kearman.com/
http://qrp.kearman.com/

Thanks Jim,

I have cox, broadband and firewallsare up, and using a leak test from GRC, it was unable to connect, so I must be ok!

SWsenior

I personally never store passwords for 'commercial'/'financial' sites, and use different algorithm for those sites than for sites like Theradioboard.

But to make it easy again:
- take the 'book' algorithm
- Add eg. 3rd letter of the sitename in lower case, then last letter sitename in Uppercase. Again, easy to remember algorithm
Example: starting at line two of a poem of Wordsworth take eight startcharacters:


I wandered lonely as a cloud
that floats on high o'er vales and hills,
$% (add a bit of salt at end of line)

lower case e of The , + uppercase D of Radioboard <- )

Results in
Tfohovah$%eD

Algorithm: Use poem, line starting at two, add salt at end of line, third letter lower case, last letter upper case

requires in teh order of 96^12 guesses , or 10.000.000.000.000.000.000.000 to crack

You can remember (If you can remember Wordsworth's poem), but guessing gets like hell. Now do this for all different websites, and you have:
- a very difficult password, and different password for each and every website

To allow for the younger generation:

Instead of 'poem' use
- favorite song, Wtr*#IbiyfeD (When the rain
Is blowing in your face

Instead of 'difficult characters' use the last two numbers of you telephone number: Wtr81IbiyfeD

Vary, but make it:
- personal, hence easy to remember as an algorithm, but impossible to crack as a password. And sitename dependent.


And no, SWsenior, I work in security and fraud detection. You are NOT safe by walls alone.
My preferred policy: Store passwords for forum sites etc but never for sites that can bill you in any way. And do not forget: Typing in a password like TfohovahwaeD gets routine over time. I already have my first ten characters (of my personal high security passwords) on automatic reflex. The pause to look at the website for the salt characters is also automatic.

Interesting algorithm to make a good password, helpful. In my company the password length is now set to 15 characters minimum, and mandatory to use special characters. A good invest in safety, even if I relatively often type-in my password to fast and generate typos ... nevertheless I also use long passwords in my own stuff.

Just one question - at my own PC I use KeePass to store my passwords. Any idea how safe are the passwords stored in its database (assuming a secure password is used to access the database)?

Just wonder why many banks still only allow short passwords (with some positive exceptions).


Brösel

Looks as though the composite master key provides good security. Unless you are storing national-security stuff, most hackers will probably move on to easier targets.


These are the same geniuses who brought us the current financial crisis. They aren't gambling with their money, after all!

73,

_________________

http://kr1s.kearman.com/
http://qrp.kearman.com/

According to Steve Gibson (the Gibson of GRC, referenced above) banks have updated front ends but old mainframe back ends that don't accommodate long passwords and different character sets.

Still it seems like good password protection could be done in the updated front end. I personally suspect that banks are not sufficiently motivated to implement better security.

IF you are very concerned, you can enhance banking security by using a dedicated PC that is only on the internet when banking and used for nothing else. Alternatively, you can use your regular PC and boot with a Linux CD for every banking transaction.

Some very helpful info here.

I want to repeat one idea mentioned earlier but worth repeating - do NOT use the same password for everything. I have a few quickie (but medium strength) passwords I use for non critical stuff like forum signins, but for work, banking, any ecommerce site, I have individual, strong passwords.