Posts Tagged 'Hacking'

December 10, 2014

Password Managers: One Password To Rule Them All

From banking to social media to gaming, the number of accounts we have today is growing out of control. Let’s be honest—it’s easy to use the same password or a variation of the same password for all online accounts, but if a hacker can break one of those passwords, they are one step closer to hacking every account.

Who really has the memory to store all those passwords anyway?

That’s where a password manager can help. It controls access by storing (online or locally) every password in an encrypted file that is only accessible by one strong master password.

When a user wants access to their SoftLayer account for example, the password manager will ask for the master password instead of the SoftLayer account password. It automatically populates the username and password fields and logs in.

Password managers are very convenient, but more importantly they enhance security because of the ability to use longer and harder passwords without worrying about forgetting or writing them down on sticky notes posted to a desktop screen.

Do I need a cross-platform password manager?
Today, most people access the same accounts on desktops, tablets, and mobile devices. If that’s you, then yes, you need a cross-platform solution. These Web-based options require yearly subscriptions upwards of $50 for a single user. The convenience of logging in anywhere might be steep, but the additional features might make it worth it. Password managers like Dashlane, LastPass, 1Password, and mSecure offer:

  • Secure storage of bank cards and any identity cards like driver licenses
  • Password generators
  • Keystroke logger protection
  • Automatic backup
  • Multifactor authentication like biometrics or a token
  • Access to pre-determined contacts in case of emergency or death
  • Team password sharing (the team lead controls the master password for a single account like a FedEx account and grants access via the user’s individual password manager)

Do I need a locally-based password manager?
If you’re not comfortable storing passwords online or you just use your desktop to access accounts, choose a password manager that encrypts and stores passwords on your PC. This option is the least convenient but most secure. All password managers listed above come in the locally-based option for free or at a fraction of the cross-platform price.

User Error
Although much more secure than not using one, password managers do have some downfalls (that stem from user error). Just like any password, you still need to change your master password regularly, never share passwords with anyone, and once installed, a user should update existing passwords with really hard forgettable passwords or use a password generator for each online account.

And always remember to lock your computer or mobile device when not in use. Although password managers make it harder for hackers to virtually access your accounts, they do not protect against someone physically opening the file.

It’s also a good idea to check settings to ensure that when booting or waking up your device, the password manager requires you to re-enter the password.

Pa$$word1 ain’t cutting it.
If you’re not ready to commit to a password manager, think about the consequences the next time you are prompted to update your password. Adding a “1” to the end of your current password isn’t safe or smart.

We’ve all been there, and committing to a password manager in some cases is expensive and setting one up can be time consuming depending on the number of accounts, so I understand the hesitation. But it’s worth it for that added layer of protection and security.

-JRL

September 1, 2011

The Importance of Network Security

On Friday, April 27, 2011, I powered on my Sony PlayStation 3 and prepared to sit down for an enjoyable gaming session. As a Sony customer and a PlayStation Network (PSN) user, I expected my system to be able to connect to a service that I was told would be available. Because I had to sign an agreement to join the PSN, I expected my personal information to be secure. On that morning, I logged in and had no idea that my personal security might be at risk due to a lack of tight-knit practices and possible information redundancy.

My many years of brand loyalty held strong as I was told constantly that the PSN was down as a result of maintenance. I understand that emergencies happen and proper planning by a professional company is in place to shorten the duration of impact. As it turned out, proper planning for this type of event seemed to have been lost on Sony. A malicious security cracker was able to infiltrate their network to gain access to numerous PSN customers' sensitive personal information. This kind of blunder had every PSN customer wondering what could be done to prevent this kind of event from happening again.

You probably noticed that I used the word "cracker" as opposed to the more common "hacker." A hacker is an extremely knowledgeable person when it comes to computers and programming who knows the ins and outs of systems ... which is completely legal. The typical misconception is that all "hackers" are engaged in illegal activity, which is not true. If the hacker decides to use these skills to circumvent security for the purpose of stealing, altering and damaging (which is obviously illegal), then the hacker becomes a cracker. To put it simply: All crackers are hackers, but not all hackers are crackers.

When I started working at SoftLayer three years ago, I was told to pay very close attention to our company's security policy. Each employee is reminded of this policy very regularly. Proper security practice is essential when dealing with private customer data, and with the advancement of technology comes the availability of even more advanced tools for cracking. As a trusted technology partner, it is our obligation to maintain the highest levels of security.

There is not a day at work that I am not reminded of this, and I completely understand why. Even at a personal level, I can imagine the detrimental consequences of having my information stolen, so multiply that by thousands of customers, and it's clear that good security practices are absolutely necessary. SoftLayer recognizes what is at stake when businesses trust us with their information, and that's one of the big reasons I'm to work here. I've gone through the hassle and stress of having to cancel credit cards due to another company's negligence, and as a result, I'm joining my team in making sure none of our customers have to go through the same thing.

-Jonathan

February 13, 2008

The Usage Of Complex Algorithms For Password Generation

Passwords are difficult. On the first hand, you want to create a password that is uncrackable by anyone, lest they be teenage hackers or CSI experts with magical hacking tools. On the other hand, the password has to be rememberable by you yourself, lest only teenage hackers and CSI experts with magical hacking tools are able to access your data.

So, how do you make passwords?

One of the more secure ways is to use a random letter generator, like random.org, to build random strings, pick one, and memorize it. It's pretty secure (random.org uses real random noise to produce its random numbers) and with seven random alphanumeric characters, the password search space is about 2.2 trillion combinations! But are you really going to remember "QRSr0Fu" or "W96TUON" two weeks from now? (My generated set had "myELlRK" which I might be able to remember...) If you type your password every hour or so, you might remember this by muscle memory pretty quick. Just in time to have to change it, I bet.

Another way is to take a word or phrase, turn some letters into |33+sp34k, and you get something more random, but much more rememberable. So, for example, "minivan" becomes "m1n1v4n!" and "washington" becomes "w4sh1ngt0n!?!" These are actually quite rememberable; the use of non-standard characters disallows the use of rainbow tables and dictionary attacks, so they're much less susceptible to cracking. However, what happens when you forget the "!", or that "Washington" gets "?!?" or that you did NOT turn "t" into "+"? You could end up going through a few cycles trying to "guess" your own password. Again, if you use it all the time, you'll learn by muscle memory. And this lets you come up with some cool passwords, like "c4p+41nK1rk". How can you beat that?

My favorite way, however, lets you write your password down in plain sight. I tend to cycle through passwords, and if you're anything like me you have two online banking passwords, four credit card or loan company passwords, a work domain password, 6 email passwords, a home log in password, etc, etc, etc. If you take the easy way out and use the same password everywhere, you end up making kittens and security experts cry. If, however, you have a completely separate randomized combination for each account, your brain will get stuck in an infinite loop. Using this method, you get to write down your passwords and tack them to the wall. Or put 'em on a sticky note. In plain sight. Email them to yourself without a care. It uses a special type of encryption to keep your password safe. Not AES or DES or TEA or other TLAs. I call this "Hippocampy Encryption" (named in honor of the part of the brain that does memory type activities).

The key is to write down a set of clues that will tell you (but only you) what your password is. You can add symbols to help you remember what kind of encoding to use for your password. Here's a password I just made up right now as an example:


Shawn's rival ^
shout your home team
Esirpretne
Sam.

Because everything on this note is simply a hint for your specific brain to recall a password, it's specific to you. Hints don't even have to have anything to do with the subject. The hint "Red October" could tell you the word "fortworth", whereas for me, I'd be trying "R4M1US", "M1SSL3S", "jackryan", "TomClancy", etc. You can string three or four hints together for a password. Note, these create long passwords, and your coworkers may start to believe that you have a superhuman capacity for memorizing long strings of randomized data. Do not do anything to dissuade them from this belief. And, because the hints point to common words and numbers already lodged in your grey matter, you may be surprised just how fast you type in that 20 character long password. Compared to my speed on 7 character random strings, it's blazing.

And due to the pattern matching ability of your brain, remembering the passwords is easy. Let's say you've written your clue on the back of one of your business cards, so you have it handy if you need it. After a few days, just SEEING a business card will bring your new password to the front of your mind. After a while, you'll stop needing your hint sheet, as you'll just remember the password. And when it comes time to change your password, shred your card and your Post-it, post a new one (in a different color if you can, helps the brain), and give yourself a few days. Unlike scrawling your random digits on a paper or card, even if somebody stole your "Hippocampically Encoded" card, they would have to REALLY know you (or be a really good guesser) to get the password. Even with your card, you've reduced them to brute searching. And if your card/note turns up missing, it takes about 30 seconds to whip up a new hint sheet. Not only is your attacker brute forcing your hint sheet, but it's the wrong hint sheet anyway!

So... have you guessed my password above? It's GARYkemp!1071Max. 'Course, you'd only know that if you knew that I played Pokemon and left my rival's name at default, that I decided that "^" meant "Make it all uppercase", that my home team is the Kemp High School (and that I was talking high school football), that by "Shout" I meant "give it an exclamation point", but that the whole word should be lower case (because the hint is), that Esirpretne is "Enterprise" backwards, and that I meant to make the serial numbers backwards (but not the NCC part), and that by Sam (a very common name) I meant "Give me the name of Sam's partner in that incredibly funny cartoon by Steve Purcell, Sam and Max: Freelance Police." The period is just decoration. If you did guess it, contact the NSA. I hear they're hiring people like you.

-Zoey
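
The search-space arithmetic from the 2008 post and the password-generator feature recommended in the 2014 post, worked through as an added example (not code from either author). The function names, the three character classes and the 58- and 62-symbol alphabet sizes are assumptions of this example; the posts only say "alphanumeric".

```python
import math
import secrets
import string
from itertools import combinations

# Assumed character classes; the post only says "alphanumeric".
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def search_space(length, alphabet_size):
    """Number of equally likely strings an attacker has to cover."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """log2 of the search space of a uniformly random string."""
    return length * math.log2(alphabet_size)


def compliant_space(length, classes=CLASSES):
    """Count strings holding at least one character of every (disjoint) class,
    by inclusion-exclusion over the classes that are left out."""
    total = sum(len(c) for c in classes)
    count = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(classes, k):
            remaining = total - sum(len(c) for c in excluded)
            count += (-1) ** k * remaining ** length
    return count


def generate_password(length, classes=CLASSES):
    """Uniform over all compliant strings: draw from the OS CSPRNG and reject
    non-compliant draws rather than forcing characters into fixed slots."""
    if length < len(classes):
        raise ValueError("length too short to include every class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in c for ch in candidate) for c in classes):
            return candidate


if __name__ == "__main__":
    # A 58-symbol alphabet reproduces the post's "about 2.2 trillion".
    print(f"7 chars, 58 symbols: {search_space(7, 58):,}")
    print(f"7 chars, 62 symbols: {search_space(7, 62):,} ({entropy_bits(7, 62):.1f} bits)")
    print(f"7 chars, all three classes required: {compliant_space(7):,}")
    # Upper bound only: hint-derived passwords are not uniformly random.
    print(f"20 random chars, 62 symbols: {entropy_bits(20, 62):.1f} bits")
    print("generated:", generate_password(16))
```
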
