Posts Tagged ‘passwords’

September 10, 2012

Creating a Usable, Memorable and Secure Password

By in Development, SoftLayer, Tips and Tricks

When I was young, I vividly remember a wise man sharing a proverb with me: “Locks are for honest people.” The memory is so vivid because it completely confused me … “If everyone was honest, there would be no need for locks,” I thought, naively. As it turns out, everyone isn’t honest, and if “locks keep honest people honest,” they don’t do anything to/for dishonest people. That paradox lingered in the back of my mind, and a few years later, I found myself using some sideways logic to justify learning the mechanics of lock picking.

I ordered my first set of lock picks (with instruction booklet) for around $10 online. When the package arrived, I scrambled to unwrap it like Ralphie unwrapped the “Red Ryder” BB gun in “A Christmas Story,” and I set out to find my first lock to pick. After a few unsuccessful attempts, I turned to the previously discarded instruction booklet, and I sat down to actually learn what I was supposed to be doing. That bit of study wound up being useful; with that knowledge, I managed to pick my first lock.

I tend to collect hobbies. I also tend to shift every spare thought towards my newest obsession until whatever goal I set is accomplished. To this end, I put together a mobile lock-picking training device — the cylinder/tumbler from a dead bolt, my torque wrench wrapped with electrical tape to prevent the recurrence of blisters, and my favorite snake rake. I took this device with me everywhere, unconsciously unlocking and resetting the lock as I went about my shopping, sat in a doctor’s office or walked around the block. In my mind, I was honing my skills on a mechanical challenge, but as one of my friends let me know, people who saw me playing with the lock in public would stare at me like I was a budding burglar audaciously flaunting his trade.

I spent less money on a lock picking set than I would have on a lock, and I felt like I had a key to open any door. The only thing between me and the other side of a locked door in front of me was my honesty. What about the dishonest people in the world, though? They have the same access to cheap tools, and while they probably don’t practice their burgling in public, they can spend just as much time sharpening their skills in private. From then on, I was much more aware of the kinds of locks I bought and used to secure my valuables.

When I started getting involved in technology, I immediately noticed the similarities between physical security and digital security. When I was growing up, NBC public service announcements taught me, “Knowledge is Power,” and that’s even truer now than it was then. We trust technology with our information, and if someone else gets access to that information, the results can be catastrophic.

Online, the most common “hacks” and security exploits are usually easily avoidable. They’re the IRL equivalent of leaving valuables on a table by an unlocked window with the thought, “The window is closed … My stuff is secure.” Some of those windows may be hard to reach, but some of them are street-level in high-traffic pedestrian areas. The most vulnerable and visible of access points: Passwords.

You’ve heard people tell you not to do silly things like making “1 2 3 4 5” your combination lock, and your IT team has probably gotten onto you about using “password” to log onto your company’s domain, but our tendency to create simpler passwords is a response to the inherent problem that a secure password is, by its nature, hard to remember. The average Internet user probably isn’t going to use pwgen or a password lockbox … If you had a list of passwords from a given site, my guess is that you’d wind up seeing a lot more pets’ names and birth years than passwords like S0L@Y#Rpr!Vcl0udN)3mblyR#Q. What people need to understand is that the “secure” password can be just as easy to remember as “Fluffy1982.”

Making a *Usable* Secure Password

The process of creating a unique, usable and secure password is pretty straightforward:

  1. Start with a series of words or phrases which have a meaning to you: A quote in a movie, song lyric, title of your favorite book series, etc. For our example, let’s use “SoftLayer Private Clouds, no assembly required.”

  2. l33t up your phrase. To do this, remove punctuation and spaces, and replace letters in the phrase with special characters. Predetermine these conversions so that you have a template of alterations you can apply to any string with minimal thought. In the simplest of cyphers, letters become numbers or characters that resemble the letter: an “o” becomes a “0,” an “e” becomes a “3,” an “a” becomes an “@,” etc. In more complicated structures, a character can be different based on where it lies in the string or on what less-common substitutions you choose to use. Our example at this point would look like this: “S0ftL@y3rPr1v@t3Cl0udsn0@ss3mblyr3qu1r3d”

  3. Right now, we have a password that would make any brute-forcing script kiddie yearn for the Schwartz, but we’re not done yet. If someone were to find our cypher and personal phrase, they might be able to figure out our password. Also, this password is too long for use on many sites with password restrictions that cap you at 16 characters. Our goal is to create a password between 15 and 25 characters and to be prepared to make cuts when necessary.

  4. A good practice is to cut out the beginning or ending of a word. In our example (taking out the l33t substitutions for simplicity here), our phrase might look like this: “so-layer-priv-cloud-no-embly-req”

  5. When we combine the shortened password with l33t substitutions, the last trick we want to incorporate is using our Shift key. An “e” might be a “3” in a simple l33t cypher, but if we use the Shift key, the “e” becomes a “#” (Shift+“3”): “S0L@Y#Rpr!Vcl0udN)#mblyR#Q”
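The five steps above are a mechanical template, so they can be written down as code. The following is an added example, not code from the post or from SoftLayer: it reproduces step 2 exactly on the post’s phrase (the four letter-to-character conversions are the ones the post’s own example uses) and then applies a constructed variant of steps 3 to 5 (keep the first or last four letters of each word, alternating; capitalise each piece; Shift the digits of every other piece). The clipping rule, the capitalisation and which pieces get the Shift treatment are assumptions of this example, so its final password differs from the one the post hand-built.

```python
import re

# Step 2 template: letter -> look-alike character. These four conversions are
# the ones the post's own example uses; everything below them is constructed.
LEET = {"o": "0", "a": "@", "e": "3", "i": "1"}

# Step 5: what the Shift key produces for each digit on a US keyboard.
SHIFT = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
         "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def strip_phrase(phrase):
    """Step 2, first half: drop punctuation and spaces."""
    return "".join(ch for ch in phrase if ch.isalnum())


def leet(text, table=LEET):
    """Step 2, second half: apply the template; letters not in it keep their case."""
    return "".join(table.get(ch.lower(), ch) for ch in text)


def clip(word, index, keep=4):
    """Step 4 (constructed rule): words longer than `keep` letters keep their
    first `keep` letters at even positions and their last `keep` at odd ones."""
    if len(word) <= keep:
        return word
    return word[:keep] if index % 2 == 0 else word[-keep:]


def shift_digits(text):
    """Step 5: press Shift on every digit the template produced."""
    return "".join(SHIFT.get(ch, ch) for ch in text)


def build_password(phrase, keep=4):
    """Steps 2 to 5 combined (constructed variant of the post's procedure):
    clip each word, capitalise it, l33t it, and Shift the digits of every
    other piece so the result mixes cases, digits and symbols."""
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    parts = []
    for i, word in enumerate(words):
        piece = clip(word, i, keep)
        piece = piece[0].upper() + piece[1:].lower()
        piece = leet(piece)
        if i % 2 == 1:
            piece = shift_digits(piece)
        parts.append(piece)
    return "".join(parts)


def fits_limits(password, low=15, high=25):
    """Step 3: the post's target length range."""
    return low <= len(password) <= high


if __name__ == "__main__":
    phrase = "SoftLayer Private Clouds, no assembly required."
    print(leet(strip_phrase(phrase)))  # the post's step-2 string
    pw = build_password(phrase)
    print(pw, len(pw), fits_limits(pw))
```

Because the template is fixed, every password built from it shares the same structure; that is what makes it memorable, and it is also why the template itself (the table, the clipping rule, the Shift rule) has to stay as private as the phrases it is applied to.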

The main idea is that when you’re “locking” your accounts with a password, you don’t need the most complicated lock ever created … You just need one that can’t be picked easily. Establish a pattern of uncommon substitutions that you can use consistently across all of your sites, and you’ll be able to use seemingly common phrases like “Fluffy is my dog’s name” or “Neil Armstrong was an astronaut” without worrying about anyone being able to “open your window.”

-Phil (@SoftLayerDevs)

November 11, 2011

UNIX Sysadmin Boot Camp: Passwords

By in Development, SoftLayer, Technology, Tips and Tricks

It’s been a while since our last UNIX Sysadmin Boot Camp … Are you still with me? Have you kept up with your sysadmin exercises? Are you starting to get comfortable with SSH, bash and your logs? Good. Now I have an important message for you:

Your password isn’t good enough.

Yeah, that’s a pretty general statement, but it’s shocking how many people are perfectly fine with a six- or eight-character password made up of lowercase letters. Your approach to server passwords should be twofold: Stick with it and Be organized.

Remembering a 21-character password like ^@#*!sgsDAtg5t#ghb%!^ may seem daunting, but you really don’t have to remember it. For a server, secure passwords are just as vital as any other form of security. You need to get in the habit of documenting every username and password you use and what they apply to. For the sake of everything holy, keep that information in a safe place. Folding it up and shoving it in your socks is not advised (See: blisters).

Want to make your approach to password security even better? Change your passwords every few months, and make sure you and at least one other trusted colleague or friend knows where to find them. You’re dealing with sensitive material, but you can never guarantee that you will be available to respond to a server-based emergency. In these cases, your friends and co-workers end up scrambling through bookshelves and computer files to find any trace of useful information.

Having been one of the above-mentioned co-workers in this situation, I can attest that it is nearly impossible to convince customer service that you are indeed a representative of the company when you have no verification information or passwords to provide.

Coming soon: Now you’ve got some of the basics, what about the not-so-basics? I’ll start drafting some slightly more advanced tips for the slightly more advanced administrator. If you have any topics you’d like us to cover, don’t hesitate to let us know in a comment below.

-Ryan

July 27, 2010

Security Myths Part 1

By in SoftLayer, Technology, Tips and Tricks

The world of IT security is full of partial truths and paranoia – some of which is completely justified. Sometimes, steps are taken that actually are beneficial, but without knowing the reason behind the precautions, many administrators are lulled into a false sense of security. Here are some common misconceptions that I see in action frequently:

Security Myth #1: If I set my password strong enough, my system will be secure.

The Facts: There are many ways to compromise a system. For example: exploitable code on your website, lax filesystem permissions, and publicly accessible services running on your system (such as email or chat). In fact, having a long secure password is often like having a steel security door with retinal scan technology on a grass hut. Don’t get me wrong, having strong passwords is a great thing, but don’t forget to look at the rest of your system!

The Side Effects:

  • Longer passwords take longer to type (obviously).
  • You are more likely to forget a longer password.
  • You are more likely to mistype a longer password (and get locked out).
  • If you force this policy on your end users they are more likely to write the password down (bad).

Security Myth #2: If I replace letters with their corresponding l33t speak numbers (e.g. hello -> h3110), it will make my password more secure.

The Facts: Technically, yes it will make your password more secure, but only marginally. Simple character substitution is a common feature among brute force tools. This will slow down the brute force attack, but your system may still eventually be compromised by a hybrid dictionary attack. You might also consider configuring the brute force protection options on your server.

The Side Effects: There are no side effects – in fact, this is a far better idea than simply using a dictionary word. However, it is best to also add some additional numbers or letters to throw off brute force tools. Many brute forcers also allow for prepending or appending a string of numbers (e.g. 123hello or hello123). It is better to place random numbers or characters in the middle of your password so that it is not vulnerable to a dictionary attack (e.g. hagen!23daas). Another alternative for a secure and easy-to-remember password is to make an acronym of a famous phrase or quote. For example: “sticks and stones may break my bones” -> “S&smbMb!$”.
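A defender can apply the same two rules a hybrid dictionary attack uses (undo look-alike substitutions, strip numbers stuck on the front or back) as a password-acceptance check, so that “h3110” and “hello123” are rejected while “hagen!23daas” and “S&smbMb!$” pass. The following is an added example written for this page, not code from the post or from SoftLayer; the substitution table and the tiny word list are constructed for illustration, and a real deployment would load a full dictionary.

```python
import itertools
import re

# Reverse of the common l33t substitutions (constructed; "1" can stand for
# either "i" or "l", so both readings are tried).
UNLEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
          "@": "a", "$": "s", "!": "i", "|": "l", "+": "t", "(": "c"}

# Constructed stand-in for a dictionary; a real check loads a full word list.
WORDLIST = frozenset({"hello", "password", "jello", "minivan", "washington",
                      "fluffy", "hagen", "daas", "sticks", "stones", "bones"})


def readings(password, limit=5000):
    """Yield plain-text readings of the password: for every non-letter, try each
    letter it may stand for as well as the character itself (kept so that
    leading/trailing digits can still be stripped as an affix)."""
    options = []
    for ch in password.lower():
        if ch.isalpha():
            options.append(ch)
        else:
            options.append(UNLEET.get(ch, "") + ch)
    for n, combo in enumerate(itertools.product(*options)):
        if n >= limit:          # keep the search bounded for long passwords
            break
        yield "".join(combo)


def strip_affixes(reading):
    """Drop non-letters prepended or appended (123hello, hello123, hello!)."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", reading)


def hybrid_weakness(password, wordlist=WORDLIST):
    """Return the dictionary word a hybrid rule set would recover from the
    password, or None if substitutions plus affix stripping find nothing.
    Characters in the middle of the word (hagen!23daas) are not stripped,
    which is exactly why the post recommends putting them there."""
    for reading in readings(password):
        core = strip_affixes(reading)
        if core in wordlist:
            return core
    return None


if __name__ == "__main__":
    for candidate in ("h3110", "hello123", "123hello", "hagen!23daas", "S&smbMb!$"):
        hit = hybrid_weakness(candidate)
        print(f"{candidate:14s} -> {'rejected: ' + hit if hit else 'accepted'}")
```

Use it at the point where a new password is set (a PAM module, a web sign-up handler, an admin script), and reject anything for which `hybrid_weakness` returns a word; the check is deliberately cheap because the number of readings grows only with the count of non-letter characters.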

Security Myth #3: If I change the port number for RDP/SSH/Plesk or turn off ping response, my server will be safe.

The Facts: This is the myth of “security through obscurity.” Changing your port number or turning off ping will only reduce attacks from computer worms and extremely lazy hackers. Say for example that you run a website on your server. Anyone who knows the URL of the website can easily find your IP address (by ping or nslookup). Then all they have to do is port scan that IP address (using a port scanning tool such as nmap or SuperScan) to see which ports are open. If your passwords are secure enough, you needn’t worry too much about the brute force attacks from the internet. You should only consider this a secondary safeguard just in case the server happens to have a vulnerable service running on it. Your first priority is making sure your system is properly patched and updated.

The Side Effects:

  • It is very difficult to track or troubleshoot packet loss on servers that have ICMP blocked.
  • Changing ports may confuse your users.
  • You will need to remember to include this port information in any technical support request.
  • Many automated systems or scripts will require custom configuration.

May 6, 2009

Always Use Protection

By in Technology, Tips and Tricks

When it comes to managing a server, remember that you can never be too careful. In this day and age we face a lot of things that can damage a server or even bring it to its knees. Here are a few things for everyone to consider.

Anti-virus:

This is a must on systems open to the net nowadays. There are always nasty little things floating around looking to take your server apart from the OS out. For Windows servers there are a multitude of choices, and I’ll just mention a few that can help protect your goods. You can use programs such as avast (which offers a free edition), ClamWin (open source), Kaspersky, and Panda, just to name a few. Before installing any of these, I would suggest you check a list such as http://en.wikipedia.org/wiki/List_of_antivirus_software, which covers several choices and their compatibility. You may also want to read reviews that compare the available options and give you an idea of what to expect from them. This will allow you to make an informed choice on which one works best for you. With Linux there are also several options, including the well-known clamav, which from personal experience works really well and can be installed on a variety of Linux distros (distributions). It’s very simple to use and may save you a headache later on down the road.

Firewalls:

Firewalls are a double-edged sword, but they are most definitely needed. A firewall can protect you from quite a bit of headache; however, if it is set up too strictly, it can block legitimate traffic and even lock you out of your own server. In the long run it is a definite way to help protect your server from unwanted visitors. A lot of firewalls also have modules and add-ons that further assist in protecting you and securing your server. If in doubt, it’s always a good idea to have a security company do an audit and even a security hardening session on your server to make sure you are protected the best way possible.

Passwords:

This is probably one of the most important things you can do to secure your server. Use strong passwords (no, “password” or “jello” is not a secure password, even in all caps), and if you are worried about not being able to come up with a secure one, there are several password generators on the web that can produce one for you. Passwords should contain capital letters, numbers and symbols, and should be at minimum 8 – 10 characters (the more the better). It’s the easy-to-remember and easy-to-read passwords that get you into trouble.

Armed with this information, and with the wealth of security material that can be found on the web using the great and all-powerful Google, you should have a good start on making sure you don’t have to worry about data loss and system hacks. Also remember, no matter how secure you think you are, to make regular backups of all your important data, as if your server could crash at any time.

February 13, 2008

The Usage Of Complex Algorithms For Password Generation

By in Development, Tips and Tricks

Passwords are difficult. On the one hand, you want to create a password that is uncrackable by anyone, be they teenage hackers or CSI experts with magical hacking tools. On the other hand, the password has to be rememberable by you yourself, lest only teenage hackers and CSI experts with magical hacking tools are able to access your data.

So, how do you make passwords?

One of the more secure ways is to use a random letter generator, like random.org, to build random strings, pick one, and memorize it. It’s pretty secure (random.org uses real random noise to produce its random numbers), and with seven random alphanumeric characters, the password search space is about 2.2 trillion combinations! But are you really going to remember “QRSr0Fu” or “W96TUON” two weeks from now? (My generated set had “myELlRK” which I might be able to remember…) If you type your password every hour or so, you might remember this by muscle memory pretty quickly. Just in time to have to change it, I bet.
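The search-space arithmetic behind random passwords (this post’s seven alphanumeric characters, the boot camp post’s 21-character ^@#*!sgsDAtg5t#ghb%!^ style) only depends on the length and the size of the alphabet, so it is easy to compute for any generator. The following is an added example, not code from either post or from random.org: it draws passwords from the operating system’s cryptographic random source via Python’s `secrets` module and tabulates the number of combinations and the equivalent bits of entropy. The two alphabets are constructed for the example; the post’s generator used its own character set, which is why its figure differs from the 62-symbol count below.

```python
import math
import secrets
import string

# Constructed alphabets; a real generator documents exactly which set it draws from.
ALNUM = string.ascii_letters + string.digits            # 62 symbols
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"                   # 25 symbols
ALNUM_SYMBOLS = ALNUM + SYMBOLS                         # 87 symbols


def search_space(length, alphabet_size):
    """Number of equally likely passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Entropy (in bits) of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def generate(length, alphabet=ALNUM_SYMBOLS):
    """Draw each character independently and uniformly using the OS CSPRNG
    (secrets, not random, so the output is unpredictable to an attacker)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(lengths=(7, 12, 21)):
    """Rows of (length, alphabet name, combinations, bits) for both alphabets."""
    rows = []
    for n in lengths:
        for name, alphabet in (("alphanumeric", ALNUM),
                               ("alphanumeric+symbols", ALNUM_SYMBOLS)):
            rows.append((n, name,
                         search_space(n, len(alphabet)),
                         round(entropy_bits(n, len(alphabet)), 1)))
    return rows


if __name__ == "__main__":
    for n, name, space, bits in compare():
        print(f"{n:2d} chars, {name:22s}: {space:.3g} combinations, {bits} bits")
    print("sample 7-char alphanumeric:", generate(7, ALNUM))
    print("sample 21-char with symbols:", generate(21))
```

Seven characters from 62 symbols give about 41.7 bits, which is the scale at which an offline guessing attack against a leaked hash is routine; the 21-character server password from the boot camp post is the same kind of string at roughly 135 bits, which is why that post says to document it rather than try to remember it.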

Another way is to take a word or phrase, turn some letters into |33+sp34k, and you get something more random, but much more rememberable. So, for example, “minivan” becomes “m1n1v4n!” and “washington” becomes “w4sh1ngt0n!?!” These are actually quite rememberable; the use of non-standard characters disallows the use of rainbow tables and dictionary attacks, so they’re much less susceptible to cracking. However, what happens when you forget the “!”, or that “Washington” gets “?!?”, or that you did NOT turn “t” into “+”? You could end up going through a few cycles trying to “guess” your own password. Again, if you use it all the time, you’ll learn it by muscle memory. And this lets you come up with some cool passwords, like “c4p+41nK1rk”. How can you beat that?

My favorite way, however, lets you write your password down in plain sight. I tend to cycle through passwords, and if you’re anything like me you have two online banking passwords, four credit card or loan company passwords, a work domain password, 6 email passwords, a home log in password, etc, etc, etc. If you take the easy way out and use the same password everywhere, you end up making kittens and security experts cry. If, however, you have a completely separate randomized combination for each account, your brain will get stuck in an infinite loop. Using this method, you get to write down your passwords and tack them to the wall. Or put ‘em on a sticky note. In plain sight. Email them to yourself without a care. It uses a special type of encryption to keep your password safe. Not AES or DES or TEA or other TLAs. I call this “Hippocampy Encryption” (named in honor of the part of the brain that does memory type activities).

The key is to write down a set of clues that will tell you (but only you) what your password is. You can add symbols to help you remember what kind of encoding to use for your password. Here’s a password I just made up right now as an example:

Shawn's rival ^
shout your home team
Esirpretne
Sam.

Because everything on this note is simply a hint for your specific brain to recall a password, it’s specific to you. Hints don’t even have to have anything to do with the subject. The hint “Red October” could tell you the word “fortworth”, whereas for me, I’d be trying “R4M1US”, “M1SSL3S”, “jackryan”, “TomClancy”, etc. You can string three or four hints together for a password. Note, these create long passwords, and your coworkers may start to believe that you have a superhuman capacity for memorizing long strings of randomized data. Do not do anything to dissuade them from this belief. And, because the hints point to common words and numbers already lodged in your grey matter, you may be surprised just how fast you type in that 20-character-long password. Compared to my speed on 7-character random strings, it’s blazing.

And due to the pattern matching ability of your brain, remembering the passwords is easy. Let’s say you’ve written your clue on the back of one of your business cards, so you have it handy if you need it. After a few days, just SEEING a business card will bring your new password to the front of your mind. After a while, you’ll stop needing your hint sheet, as you’ll just remember the password. And when it comes time to change your password, shred your card and your Post-it, post a new one (in a different color if you can; it helps the brain), and give yourself a few days. Unlike scrawling your random digits on a paper or card, even if somebody stole your “Hippocampically Encoded” card, they would have to REALLY know you (or be a really good guesser) to get the password. Even with your card, you’ve reduced them to brute searching. And if your card/note turns up missing, it takes about 30 seconds to whip up a new hint sheet. Not only is your attacker brute forcing your hint sheet, but it’s the wrong hint sheet anyway!

So… have you guessed my password above? It’s GARYkemp!1071Max. ‘Course, you’d only know that if you knew that I played Pokemon and left my rival’s name at default, that I decided that “^” meant “Make it all uppercase”, that my home team is the Kemp High School (and that I was talking high school football), that by “Shout” I meant “give it an exclamation point”, but that the whole word should be lower case (because the hint is), that Esirpretne is “Enterprise” backwards, and that I meant to make the serial numbers backwards (but not the NCC part), and that by Sam (a very common name) I meant “Give me the name of Sam’s partner in that incredibly funny cartoon by Steve Purcell, Sam and Max: Freelance Police.” The period is just decoration. If you did guess it, contact the NSA. I hear they’re hiring people like you.

-Shawn