Security Corner


October 25, 2012  1:54 AM

The 25 most popular (and most insecure) passwords of 2012

Ken Harthun Ken Harthun Profile: Ken Harthun

Halloween is only a week away and everyone is breaking out their scariest costumes. No doubt there will be plenty of fright going around on October 31 — all in good fun, of course — but there is some real-life scary stuff out there that would make Beelzebub squirm. I’m talking about the list of the 25 most popular passwords of 2012 published by Yahoo! on their Plugged In blog. It’s true horror at its best, at least for we Net Admins. Imagine the digital carnage that will certainly ensue, heaven forbid on our own networks.

Here’s the full list, along with how the popularity of the phrase has increased or decreased in the past year:

1. password (Unchanged)
2, 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja     (New)
24. mustang (New)
25. password1 (New)

I wonder how long “password” has been a popular password (probably forever). Will people never learn? Cripes! How hard is it to remember to at least pad it with some random characters. 89password(* is so much more secure and not at all difficult to remember. Send anyone you know who is guilty of using such weak passwords to Steve Gibson’s Password Haystacks page so they can learn how to create a personal padding pattern. Then, they can use all the simple (padded) passwords they want.

October 20, 2012  10:22 PM

Distributed passwords: A simple security precaution that works

Ken Harthun Ken Harthun Profile: Ken Harthun

Everyone of us has one: A user who has a “book” of passwords sitting in plain view at their workstation. This person absolutely insists on keeping passwords written down in longhand and refuses to use any type of password manager software. Yes, the book is usually closed and it’s not obviously labeled Passwords! in 72 pt. Arial Bold, but this means little in the way of true security. Any determined person could sneak in and look around. It’s a bad idea. Keeping the password list in your wallet is significantly more secure, but if you have a large list of passwords, this can be cumbersome. There is, however, one simple security precaution that works for those persons who insist on having a written list: Distributed passwords.

Distributed passwords derive from Public-key cryptography where there are two keys, one private, one public. Applying this principle to the password book, one simply splits the passwords into two sets of characters, writes one set down in the “public” book that remains visible and writes the other set down in a “private” book that is kept secret (perhaps by locking it up when not in use). This is extremely simple to implement and results in a much greater level of security. Here’s how:

Book 1                Book 2
Bank: 1234            Bank: 5678
Credit: 9876          Credit: 5432

You get the idea. The bank password is 12345678 and the Credit password is 98765432

This could be implemented with stored notes or spreadsheets as well, but if you are going to go through the effort of typing them and storing them securely, you may as well just use a password manager like KeePass or my favorite, LastPass.

In a future post, I’ll apply this principle to password succession in estate planning. Stay tuned.

 


October 20, 2012  1:35 PM

All credit card PIN numbers in the World leaked

Ken Harthun Ken Harthun Profile: Ken Harthun

Yes, it’s true. Every single credit card PIN number in the  World is known to the hackers, including yours. Don’t expect any notification from your credit card company, though because of course, I’m joking here.

There are only 10,000 possible combinations of four digits so, given any credit card in the world, the owner’s PIN will certainly have to be one of those numbers; moreover, it is absolutely guaranteed that you will share your PIN number with countless others. There’s nothing wrong with this because that will be the only thing you have in common: The credit card numbers themselves are all unique. The problem is that people are as bad at choosing random PIN numbers as they are at choosing strong passwords. It would follow, then, that some PIN numbers would be more common than others.

This post on the DataGenetics.com blog presents a PIN number analysis based on published tables of hacked password databases. 3.4 million four digit passwords were found by filtering the data. Every single one of the of the 10,000 combinations of digits from 0000 through to 9999 were represented in the dataset.

The most common four digit password was 1234. No surprise there. The least common four digit password was 8068 which showed up only 25 times in the 3.4 million passwords. Number 2 and number 3 were 1111 and 0000 respectively. The analyst found many passwords beginning with 19, likely corresponding to birth years with 1972 leading the pack.

It’s a fascinating, in-depth analysis that even seasoned Geeks like me will find enlightening.


October 12, 2012  5:45 PM

Don’t make these five security mistakes

Ken Harthun Ken Harthun Profile: Ken Harthun

Everyone knows it’s not safe out there in cyberspace. Your privacy and your money are at risk all the time if you don’t know and practice safe computing. In particular, five security mistakes can really set you up for disaster. This article from MakeUseOf goes into greater detail, but I wanted to give you my take on them, since I have been advocating safe computing practices here for years. Here’s the list:

  • Running without and/or not updating Anti-malware software
  • Running without a firewall
  • Poor email security habits
  • Weak passwords and/or passwords used more than once
  • Sharing personal information

No computer in existence should be running without anti-malware software and it’s absolutely unthinkable to let it run without updating. I recommend Microsoft Security Essentials for a worry-free solution.

A firewall running on your PC will prevent common internet malware from being able to access your PC’s open ports.

Never click on a link in an email if you don’t know the source of the email. In fact, never click on any link in any unsolicited email regardless of who it’s from, even if it appears to be from someone you know.

It goes without saying that you should always use strong passwords and never use them more than once. Yes, it’s a pain in the hindquarters, but the alternative is much worse.

Be very careful about sharing personal information with anyone, especially people you don’t know. For example, never let a credit or debit card leave your sight. Take your tab to the cashier and hand her your card so you can see it being scanned.

 

 


September 30, 2012  9:41 PM

Humor: How to destroy a hard drive in three easy steps

Ken Harthun Ken Harthun Profile: Ken Harthun

Couldn’t resist a bit of Sunday humor…

If you are looking to thoroughly and securely wipe a hard drive, here’s how to do it:

  1. Build a huge Tesla coil (a least 1 million volts);
  2. Place hard drive as shown in illustration below;
  3. Run Tesla coil for at least one minute.

 


September 29, 2012  2:15 PM

Honest Geek prevents potentional personal data disaster

Ken Harthun Ken Harthun Profile: Ken Harthun

Source: Internet

Had it not been for an honest Geek, a fellow Geek’s personal data could have been compromised. Here’s the story.

The honest Geek, calling in sick with the flu, was informed that one his sites had lost internet access. After some preliminary troubleshooting by phone, he attempted a remote access session and could not connect. Another phone call to the site to have someone reboot the server and the person reports the server says “Missing operating system.” Oh, oh. Same message after reboot. Oh, no! Makes trip to site (hasn’t been able to take a sick day for real in 15 months because of stuff like this). Walks into server room. Sees orange light glowing at USB port on front of server. Dawns on him that server rebooted over weekend due to updates. Removes thumb drive. Reboots server. All is well.

The thumb drive in question is not encrypted and contains some very sensitive personal information and was left in the slot by a consultant who was working on a telephone system upgrade. The good news is his data is safe.

The honest Geek will return the thumb drive upon receipt of further instructions from the owner who has been notified that his data is safe.

The honest Geek wonders what a fair ransom might have been, but figures that the lesson learned is sufficient. For those who wonder, the lesson is this: Personal information has no business being kept on a thumb drive that carries your Geek Toolkit. It’s simply too easy to forget to remove it when you are working in the field. If you simply must carry personal information with you, make sure the drive is encrypted.

Be careful out there.


September 29, 2012  12:38 AM

Send private data securely

Ken Harthun Ken Harthun Profile: Ken Harthun

In my job as a Network Administrator, I’m constantly called upon to reset passwords to email, network shares and sensitive corporate resources. Up to now, it has been my standard procedure to transmit passwords and other login information only by phone, but this is tedious and time-consuming and often becomes downright onerous as a rousing game of phone tag ensues. I found a better way, though, one that anyone can use to send any kind of sensitive information to anyone without fear of disclosure to the darker denizens of the interwebs.

What if you could compose a message, “Mission Impossible” style that would self-destruct after being accessed? Here are three different, free, web-based applications that allow you to create self-destructing messages.

Privnote – https://privnote.com – “Just write your note, and you’ll get a link. Then you copy and paste that link into an email (or instant message) that you send to the person who you want to read the note. When that person clicks the link for the first time, they will see the note in their browser and the note will automatically self-destruct; which means no one (even that very same person) can read the note again. The link won’t work anymore.” Privnote allows you to add a reference ID and choose to be notified when your note is read – a nice feature.

Burn Note – https://burnnote.com – “Each Burn Note can be viewed only once and then it is deleted. Deleted Burn Notes are completely erased from the Burn Note servers so it impossible for anyone to retrieve them.”

OneShare.es – https://oneshar.es – This is the simplest one of the three. You type your message, specify how long it lives before self destructing if it goes un-viewed and create the link. Similar to the other apps, the link can only be accessed one time before it dies. This is the one I have been testing in my job and I haven’t had anyone complain about it so far.

If I had a lot messages to send, I think I would prefer Privnote so I could keep track of them. Burn Note has some extra features that do a bit more than I need, but if I wanted to be really secretive about something, that would be the one I would use. OneShare.es is just right and the one that I plan to continue to use day to day.


September 23, 2012  8:44 PM

Carry your passwords in your wallet

Ken Harthun Ken Harthun Profile: Ken Harthun

You probably own at least one USB thumb drive, stick, jump drive — whatever you want to call it. I have seven of them ranging in size from 64 MB (yes, you read that right) to 16 GB. They’re very handy and I use them all the time, but they all have one major flaw: They’re too big to carry in your wallet. Why would you want to carry one in your wallet? For the same reason that I consider your wallet your most secure password manager (see Your Wallet is the Best Password Manager), I consider your wallet the best place to keep a portable storage device.

I’m sure the picture gave it away already, but Micro SD cards are perfect for carrying in your wallet. A MicroSD card is about the size of a man’s thumbnail (giving new meaning to the term “thumb drive”). This makes it perfect for carrying in a photo slot in your wallet if you use an adapter or a USB reader like the ones shown. So, here’s what you do (assuming you don’t have some other password manager application):

  1. Create an encrypted partition on the Micro SD card (see A portable app to password protect your USB sticks);
  2. Create a text file or spreadsheet containing all of your critical logon information;
  3. Store the file on the encrypted partition.
  4. DO NOT FORGET your master partition encryption password.

For #4, I suggest a password concocted from a sentence of your own creation.  For example, “My Yorkie loves to play bone and is 4 years old!” This becomes mYltpbai4yo!

If you really want to be secure, I have some other ways for you to do this, but it’s Sunday and I’m going to watch some football and baseball. (Best time of the year – football starts, baseball season is winding down.)


September 21, 2012  1:48 AM

A portable app to password protect your USB sticks

Ken Harthun Ken Harthun Profile: Ken Harthun

Handy as they are, USB thumb drives, sticks, jump drives — whatever you choose to call them — are small and easily lost despite your best precautions. This is why it’s a bad idea to keep any sensitive information on them unless you encrypt the drive or password protect your files. Many popular USB sticks come with their own security software, but what if you have a generic one sans software? You’ll have to find a way on your own to protect it.

Most of the bundled security software allows you to either encrypt the whole drive or create an encrypted area on the drive. I have always been an advocate of TrueCrypt as one of the best Open Source encryption programs in existence. There is a catch to using TrueCrypt, however, as this MakeUseOf article points out: If you want to transfer files to a computer on which you don’t have administrator rights, you’re out of luck.

Enter Rohos Mini Drive, a portable application that allows you to work with a password protected partition on any PC. You just click the “Rohos Mini” icon on the USB flash drive root folder and enter your disk password. Rohos will start a volume and will stay in the system tray. It doesn’t require administrative privileges to open the password protected USB drive partition on a guest PC. It stays in the system tray so you can close the disk when you finish working.

Rohos Mini Drive comes in both free and paid versions. The free version has limitations, of course, the main one being a 2 GB encrypted partition size. I don’t consider this a hindrance, however; my needs are limited to transporting the occasional sensitive file and 2 GB would be more than enough to store secure notes containing passwords and other key numbers.

Give it a test drive and let me know what you think.

 


September 12, 2012  3:49 PM

Track your stolen laptop or phone

Ken Harthun Ken Harthun Profile: Ken Harthun

Your laptop bag is sitting next to you as you wait for your plane. Someone off to your left engages you in conversation for a minute and when you turn back, your laptop bag is gone. You turn to ask the person you were speaking with if they saw anything and they are also gone. Doh!

Is this a common scenario? Maybe. What matters is that your laptop has been stolen along with everything you had stored on it. If there was unencrypted confidential information such as corporate secrets, personal or corporate banking information — even if it was only personal photos and documents — this is a disaster. You’re better off if it was all encrypted, and if you have backups you’ll be OK, but you’ve still lost a valuable piece of property. Is there any hope for recovery?

The good news is that if you had installed a tracking utility, chances are good that the laptop can be located and the thief caught red-handed.

As you might expect, there are quite a few applications available, both paid, commercial solutions and free, Open Source solutions covering the major OS platforms. Here are two of the top trackers:

Hidden (Mac only) – http://hiddenapp.com/ – Basic plan is $15.00/year for one computer. “Hidden is a small application which sits idle on your computer until you need it. When your computer gets stolen simply log in to your online Tracking Control Panel and mark your computer as stolen. Hidden will kick into action and locate your stolen computer anywhere on the planet, collect photos of the thief and screen shots of the computer in use.” Hidden has been in the news a bit.

Prey (Windows, Linux, MacOS, Android, iOS) – http://preyproject.com/ – Open Source, free for up to three devices with Pro Plans available. “You install a tiny agent in your PC or phone, which silently waits for a remote signal to wake up and work its magic. This signal is sent either from the Internet or through an SMS message, and allows you to gather information regarding the device’s location, hardware and network status, and optionally trigger specific actions on it.”


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: