Friday, 8 June 2012

Computer security ( part 2)

ok lets continue from were we security( part 1)

....The hacker could try to just guess your password, attempting to log in again and again, hoping to get lucky. They might know the username and just guess the password, or more likely they are guessing both. There are 86400 seconds in a day, and suppose your bank permits 1 login attempt per second. The bad guy could just go through the list of 100000 common passwords ("password", "password123", "janexyz", ...) trying to get lucky. This works, since they only need to guess correctly for a few accounts, and they can do the attack in bulk.
Clearly, the bank or whatever should detect thousands of bad logins and slow down or freeze the account. This can cause problems for the legitimate user however, so it's a balance. One simple policy is that the Bank can process login attempts at a slowish rate, such one every second to prevent the bad guys from trying 100 billion different passwords.

Dictionary Attack Example

Here's a real "log file" from my server where it routinely records what happens each day. What you see here is the attacker is trying guess both the username and password on the account. It happens that the username for each attempt is printed in the log file but the password is not. No doubt they are trying common passwords, such as "secret" "password12" etc. It's funny to me that you can see that their list of usernames to try is sort of alphabetical order, and they are just running through it in the most obvious way. So what you need to understand is .. this sort of attack is clicking along, every second of every day aimed at basically all the servers on the internet. They just need to succeed with a few accounts here and there, even though they fail 99.99% of the time. This is why you should not have a password which is close to a dictionary word or someone's name, or is a password people often choose. The good news is .. with just 4 random letters added to your password .. suddenly this dictionary attack is not going to work -- there's not enough seconds in the day.

Bad Passwords

  • Do not need to be super elaborate (some sites go crazy with this)
  • List of common passwords - do not use these!
    -Common passwords-
  • Avoid a password that thousands of others out there have also chosen

Good Passwords

  • What I do for secure passwords, e.g a bank site
  • Start with a word, add misspelling, then add some random letters
  • Could add some digits and/or punctuation and maybe some upper case letters
    mottens,erx -- fine
    Mottens,9erx -- better
    MotenX,97erx -- probably more complex than necessary
  • Important that the "erx" is truly nonsense, not like "xyz" that someone else on earth might tend to pick.
  • Other problem: what if the site itself is compromised, so the bad-guy possibly gets your password that way? Therefore, do not re-use your passwords across important sites like banks.
  • Consider writing down important passwords on a slip of paper at home. Otherwise it's hard to keep it all straight in your head. 
You do not need a super elaborate password, but you don't want it to be susceptible to a dictionary attack either. My suggestions:
  • The list of common passwords contains passwords that are just a word or a word plus a tiny variation, like "jane" or "secret1" or "mittens123", or two words like "catmittens", so it's vital that your password does not look like that.
  • It's ok to have a word fragment, but it should also include significant nonsense letters. Personally, I like starting with a word, since it is easy to remember and fast to type, but then random junk needs to be added in and around it.
  • Some sites go crazy, requiring many upper case letters, and digits, and punctuation letters. I think that's not necessary. It's "security theater": adding more complexity and the appearance of action but without actually adding to security.
For an important site like a bank, you should use a password different from your other passwords. It should not be the case that by stealing your facebook or twitter password, they now have access to your bank. I write the passwords down on a piece of paper at my house in case I forget. The bad guy in Russia or whatever does not have some team of ninjas that's going to break into my house and get passwords off my slip of paper. The attacks are bulk, mindless affairs that work on the low-hanging fruit. One technique for writing down passwords is to pick a little suffix you memorize, like "x936" or whatever, and that always goes on the end of your passwords. Write the passwords down, but never the suffix. That way, even with the piece of paper, a bad guy still does not have the passwords. Or maybe its better to just write the passwords out clearly, so your family can access your email etc. if you are in the hospital.
Email is tricky -- once they have your email password, then they may be able to do a password reset and get into your account. In that sense, your email password is the most important

stayed tuned for the third part tomorrow....

No comments: