I get the same question every day: “How can I make a password that is strong and easy to remember?” Frankly, when I’m in the cranky mood I was earlier today, I’m tempted to answer with a simple question in return: “Do you ever bother to read my posts?” Of course, the answer is that no, they don’t bother–they’re too lazy to look up my posts. Granted, it’s far easier to ask me and make a mental note than it is to actually find a post, read it, take notes, and take action. At least you would think so. The problem is, five minutes after I answer their question, they’ll forget what I told them, and the next time they see me, they’ll ask again. It’s a vicious cycle.
Four hundred years from now, when passwords have long since been replaced with real security measures, these same people, if they were still alive, would be asking the same question.
People want it easy; they want magic. People want to twitch their noses like Samantha on the TV sitcom Bewitched and make everything work the way they want without further effort.
It doesn’t work that way.
But, there is a bit of password voodoo that’s almost as quick as a nose twitch and it won’t take more than about 15 seconds to implement:
- Turn your keyboard over
- Find the FCC ID number
- Change the case of every other character
- Voila! A strong password that no one will guess.
It’s written down for you right there on your keyboard, but who is going to think to look there? The label on the bottom of my keyboard has enough information to create a completely uncrackable password.
Need to change the password after you’ve done this? Follow this sequence:
1. Reverse the case you used previously
2. Reverse the order of the characters
3. Reverse the case again
4. Shift the characters to the left, placing the leftmost character at the end
5. Reverse the case again
6. Repeat #4 and #5 through several iterations
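Here is the keyboard-label recipe and the change sequence written out as string operations, so the result of each step is unambiguous. This is an added example, not code from the post. It assumes that "every other character" means the 2nd, 4th, 6th... characters have their case changed, that characters with no case (digits, hyphens) pass through untouched, and that the FCC ID in the demo is a made-up sample:

```python
# Added example, not the post's own code: the keyboard-label recipe and the
# change sequence written out as string operations. Assumptions: "every other
# character" means the 2nd, 4th, 6th... characters have their case changed;
# characters with no case (digits, hyphens) pass through unchanged; the FCC ID
# used in the demo is constructed, not a real one.

def alternate_case(text: str) -> str:
    """Third step of the recipe: change the case of every other character."""
    return "".join(ch.swapcase() if i % 2 else ch for i, ch in enumerate(text))


def rotate_left(text: str) -> str:
    """Shift the characters left, placing the leftmost character at the end."""
    return text[1:] + text[:1]


def first_password(fcc_id: str) -> str:
    """Read the FCC ID off the label and alternate its case."""
    return alternate_case(fcc_id.strip())


def next_password(current: str, iterations: int = 1) -> str:
    """The change sequence: reverse case, reverse order, reverse case, then
    'rotate left and reverse case' repeated `iterations` times."""
    pw = current.swapcase()[::-1].swapcase()   # steps 1-3; the two case flips cancel out
    for _ in range(max(1, iterations)):        # steps 4-5, repeated as step 6 says
        pw = rotate_left(pw).swapcase()
    return pw


def password_history(fcc_id: str, changes: int, iterations: int = 1) -> list:
    """The first password followed by `changes` successive changes. Every later
    password is a fixed function of the first one, since no step adds anything new."""
    history = [first_password(fcc_id)]
    for _ in range(changes):
        history.append(next_password(history[-1], iterations))
    return history


if __name__ == "__main__":
    for pw in password_history("ABC1XY2Z", changes=3):   # constructed sample FCC ID
        print(pw)
```

One thing the code makes visible: the change sequence is deterministic, so the scheme's entire strength rests on nobody having seen the label, and anyone who knows one password plus the recipe can compute every later one.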
Are you getting this?
It’s always a good thing to repeat good advice and what better time to do so than when people are making resolutions to improve their lives in the coming year?
Nearly three years ago, when I was just starting this blog, I posted Can a Criminal Hacker Guess Your Password?. That post had some good advice on what not to do. Here it is again:
According to Wikipedia, there are several things many people use as passwords that result in their being predictable:
Repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:
- blank (none)
- the word “password”, “passcode”, “admin” and their derivatives
- the user’s name or login name
- the name of their significant other or another relative
- their birthplace or date of birth
- a pet’s name
- automobile license plate number
- a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
- a row of letters from a standard keyboard layout (e.g., the qwerty keyboard — qwerty itself, asdf, or qwertyuiop)
So, if you want to protect your router and the other devices on your network, never use anything from the above list and apply Security Maxim #4: Use an unguessable, or difficult-to-guess password always.
Have a safe, happy and secure 2011!
It’s always a good thing when people take my security advice; I do, after all, give them good stuff (like that password card over there, for instance). Over the years, I’ve amassed a large store of advice and tips that I continually promote to my clients. Yesterday, I was given a task that showed me at least some of them listen.
During an on-site call on Friday, the office manager approached me and said she had discovered that some of the staff were using extremely insecure passwords, things like their initials and birthdate, and at least two cases of “password.” She asked me what to do. I told her to order everyone to immediately create secure passwords with a minimum length of 8 characters and at least three of the following: upper case letters, lower case letters, numerals and special characters. (Note: this is a law office, so users are not allowed to change passwords on their own. The owners of the firm keep a secure list of everyone’s passwords so they always have access to employees’ hard drives.)
When I checked my email yesterday morning, I found a message with a spreadsheet attached. Yes, it was the list of passwords for me to change on the server; every password conformed to the standard. So, it looks like there will be no more insecure passwords at that firm. I consider that real progress.
Now, maybe I can get them to understand and use email encryption so they won’t be sending me passwords in clear text.
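A checker for the office rule above (at least 8 characters, at least three of the four character classes) that also rejects the predictable patterns from the earlier post (blank, “password”/“admin” and derivatives, the user’s name or login, relatives, pets, birthplace, birth date, license plate, simple modifications such as a digit suffix or reversed letters, and keyboard rows). This is an added example, not the post’s or the firm’s code; the profile keys and the sample user are assumptions made for the demo:

```python
import re
from datetime import date
from typing import Optional

# Added example (not the post's code): enforce the office rule from the post
# (8+ characters, three of four character classes) and reject the predictable
# patterns listed in the earlier post. Profile keys and the sample user are
# assumptions for this demo.

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
COMMON_WORDS = ("password", "passcode", "admin")
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed sample user; every value is made up for this example.
SAMPLE_PROFILE = {
    "login": "jdoe",
    "name": "Jane Doe",
    "partner": "Chris",
    "pet": "Fluffy",
    "birthplace": "Springfield",
    "birthdate": date(1970, 1, 15),
    "plate": "ABC1234",
}


def class_count(password: str) -> int:
    """Number of the four character classes present in the password."""
    return sum(1 for rx in CLASSES.values() if rx.search(password))


def personal_tokens(profile: dict) -> set:
    """Lower-cased strings a guesser would try first: login, names, pet,
    birthplace, plate, initials, and the birth date in common digit layouts."""
    tokens = set()
    for key in ("login", "name", "partner", "relative", "pet", "birthplace", "plate"):
        value = profile.get(key, "")
        if value:
            tokens.add(value.lower())
            tokens.update(part.lower() for part in value.split())
    name = profile.get("name", "")
    if name:
        tokens.add("".join(part[0] for part in name.split()).lower())  # initials
    born = profile.get("birthdate")
    if born:
        for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%y%m%d"):
            tokens.add(born.strftime(fmt))
    return {t for t in tokens if len(t) >= 2}


def guessable_reason(password: str, profile: dict) -> Optional[str]:
    """Return why the password matches one of the predictable patterns
    (blank, common word, personal data, a simple modification of those,
    two of them glued together, or a keyboard row), or None if it matches none."""
    if not password:
        return "blank"
    low = password.lower()
    tokens = personal_tokens(profile) | set(COMMON_WORDS)
    # Simple modifications: a digit suffix, reversed letters, or both.
    stripped = re.sub(r"\d{1,4}$", "", low)
    for cand in (low, low[::-1], stripped, stripped[::-1]):
        if cand in tokens:
            return f"derived from predictable value {cand!r}"
    # Two predictable values glued together, e.g. initials + birth date.
    for head in tokens:
        if low.startswith(head) and low[len(head):] in tokens:
            return f"concatenation of {head!r} and {low[len(head):]!r}"
    for row in KEYBOARD_ROWS:
        if len(low) >= 3 and (low in row or low in row[::-1]):
            return "keyboard row sequence"
    return None


def check_policy(password: str, profile: dict,
                 min_length: int = 8, min_classes: int = 3) -> list:
    """Return the list of rule violations; an empty list means the password
    meets the office rule and avoids the predictable patterns."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if class_count(password) < min_classes:
        problems.append(f"uses fewer than {min_classes} of the four character classes")
    reason = guessable_reason(password, profile)
    if reason:
        problems.append(reason)
    return problems


if __name__ == "__main__":
    for pw in ("", "password", "jd011570", "Fluffy1", "asdfghjk", "Tr0ub4dor&3"):
        print(repr(pw), "->", check_policy(pw, SAMPLE_PROFILE) or "OK")
```

The point of checking against the user’s own profile is that “initials and birthdate” passes a naive length-and-classes rule if you bolt a capital letter and a symbol onto it; the pattern check is what actually catches what the office manager found.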
PandaLabs, the antimalware laboratory of Panda Security – The Cloud Security Company – has released its 2010 Annual Security Report, which details an extremely interesting year of cyber-crime, cyber-war and cyber-activism. The full report is available at: http://press.pandasecurity.com/press-room/panda-white-paper/ along with a wealth of other reports, bulletins and monographs from 2009 and 2010.
One striking discovery is that in 2010 alone, cyber-criminals created and distributed one-third of all existing viruses, creating 34 percent of all malware that has ever existed and been classified by the company. The report also highlights malware standbys that aren’t going anywhere, new and emerging malware trends, the impact cyber-criminal activity had on social media networks last year, and more.
Despite all of the drastic numbers outlined in the report, the report highlights some good news. PandaLabs discovered that the speed at which the number of new threats is growing has actually decreased when compared to 2009. Every year since 2003, new threats grew by at least 100 percent, but in 2010, the increase was approximately 50 percent. We can only hope that trend continues.
As you might suspect, banker Trojans still dominate among new malware that appeared in 2010, accounting for 56 percent of all samples. Viruses accounted for 22 percent, rogueware (fake antivirus software), 12 percent; worms, 10 percent.
The countries leading the list of most infections are Thailand, China and Taiwan, with 60 to 70 percent of infected computers. To see a graph of how other countries ranked, please visit: http://www.flickr.com/photos/panda_security/5299741647/. The United States did not rank in the top 20.
2010 was truly the year of cyber-crime, cyber-war and cyber-activism. Although cyber-crime has existed for many years, cyber-war became a much more active and aggressive part of the malware landscape. The most notorious was Stuxnet, a new worm that targeted nuclear power plants and managed to infect the Bushehr plant, as confirmed by the Iranian authorities. At the same time, a new worm appeared called “Here you have.” It was created by a terrorist organization whose intention was to remind the U.S. of the 9/11 attacks and call for respect for Islam, purportedly as a response to Pastor Terry Jones’ threat to burn the Koran.
2010 also witnessed the emergence of a new phenomenon called cyber-protests or hacktivism. This phenomenon, made famous by the Anonymous group, is not actually new, but grabbed the headlines in 2010 for the coordinated DDoS attacks launched on copyright societies and their defense of WikiLeaks’ founder Julian Assange.
A whole spate of this floating around today. Hey, people, wake up! This is ancient.
URGENT WARNING TO ALL ABOUT NEW COMPUTER VIRUS
> This information arrived this morning, Direct from *both* *Microsoft
> and Norton *
> Please send it to everybody you know who has Access to the Internet. You
> may receive an apparently harmless e-mail titled *”Here you have it”* If
> you open the file, a message will appear on your screen saying: ‘It
> is too
> late now, your life is no longer beautiful…’
> Subsequently you will LOSE EVERYTHING IN YOUR PC, And the person who sent
> it to you will gain access to your Name, e-mail and password. This is a
> new virus which started to circulate on Saturday afternoon. AOL has
> already confirmed the severity, and the anti virus software’s are not
> capable of destroying it.
> The virus has been created by a hacker who calls himself ‘life owner’.
> PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS, And ask them to
> IT ON IMMEDIATELY ..
> *THIS HAS BEEN CONFIRMED BY SNOPES.*
Here’s the real scoop:
It’s no longer applicable and isn’t even true, folks.
It was a real virus, but is no longer a threat. This is months old
(Sept. 2009). Also, the message above is not even close to accurate. 99%
of the “scare mail” floating around the Internet is the result of people
forwarding such stuff.
[9:08:25 AM] !! Ken Harthun (Asst. Host: TIIMG): Here’s the real truth
about it from US-CERT:
“Malicious Email Campaign Circulating
“added September 9, 2010 at 08:46 pm
“US-CERT is aware of public reports of malware spreading via email.
These reports indicate that the malicious email messages contain the
subject line “Here you have” or “Just For You” and contain a link to a
seemingly legitimate PDF file. If users click on this link, they will be
redirected to a malicious website that will prompt them to download and
install a screensaver (.scr) file. If they agree to install this file,
they will become infected with an email worm that will continue to
propagate through their email contacts.”
[9:08:29 AM] !! Ken Harthun (Asst. Host: TIIMG): Note the date.
And, BTW, hackers don’t wipe out hard drives anymore, they’re way too
interested in stealing your data, passwords, account information and, of
course, your money.
If you ever have a question about this, ask me first. I stay on top of
this stuff daily. Several of the Skype rooms as well as Facebook are
cluttered with this bogus message.
Part of my hat as an InfoSec specialist is education. Use me.
To all of my loyal Security Corner readers, Happy New Year! My best wishes for you in 2011.
Don’t want to exclude the cat lovers out there. Besides, dogs aren’t the only security experts. In fact, dogs could learn a lot from cats (OK, cats could learn a lot from dogs, too). Anyway, thanks to Dr. Andrew Jones, DVM, for the idea to write this and my previous post. He sent me an email entitled “My New Years Resolution” and said, “With 2011 nearly here, one of my resolutions is to be MORE like my pets…” I agree, though my take is a little different. Pets are the best security guards we have: They sense danger when we don’t; they warn us of suspicious things; they keep insisting we take action until we do; they comfort us when we do something stupid. Pets rule!
All I really need to know about security I learned from my cat. Here is the list of lessons:
- Security is hard. Do it and then take a nap.
- Curiosity killed the PC.
- Despite what you’ve heard, cats (and your security) don’t have nine lives.
- When in doubt, assume the worst.
- When it comes to security, cop an attitude.
- Always give your cats expensive treats (Sorry, Squeakers, my cat, made me put that in there!)
- Purr when your security applications are up to date.
- Keep your claws sharp and shred intruders, even if they look like your friends.
- Don’t trust anyone who offers you a free gift (catnip) when you first meet.
Happy New Year, cat lovers!
Thanks to Dr. Andrew Jones, DVM, for the idea to write this post. He sent me an email entitled “My New Years Resolution” and said, “With 2011 nearly here, one of my resolutions is to be MORE like my pets…” I agree, though my take is a little different. Pets are the best security guards we have: They sense danger when we don’t; they warn us of suspicious things; they keep insisting we take action until we do; they comfort us when we do something stupid. Pets rule!
All I really need to know about security I learned from my dog. Here is the list of lessons:
- Never pass up the opportunity to give your dog a treat (OK, that’s not really security related, but my Missy Yorkie made me say that).
- Always sniff the air before deciding what to do.
- When loved ones send email with links, sniff to make sure they are really your loved ones.
- When in doubt, take a nap, then stretch before you click.
- Have fun, romp and surf when you know it’s safe.
- Be loyal to your security consultants (like me…).
- Never pretend to be someone else.
- Implement safe security practices with gusto and enthusiasm.
- If the information you want is buried, dig for it; if you still can’t find it, Ask the Geek!
- Never, never, never trust a link until you have sniffed it and determined it’s friendly.
Happy New Year, dog lovers!
Being visible as a journalist on the Internet, I get feedback because my writing reaches a large audience. Thanks to you, my loyal readers and followers, most of the feedback is positive. But, there is the occasional negative comment, usually from the reader who either looks at the world through a fog of misguided optimism or one who is completely convinced that everyone in the entire world is out to get him.
Both viewpoints are insane.
I present, herewith, two examples. I have taken literary license with them so they make sense (some of these people can’t construct a sentence that even remotely resembles proper grammar).
hi geek. I think to you may worry to [sic] much about passwords and things because I have never had anyone steel [sic] my password because noone [sic] would try to do anything to me because noone knows who I am on the internet so noone will know my name and my password which is a long one its 123456asdfjkl; Can anyone hack me? thanks joe.
Yikes! Joe, just draw all your money out of the bank in cash and throw it out of a 30-story window.
Here’s another one from the overly-paranoid, conspiracy-theorist sector:
Are you f****** serious, you idiot? You recommend 12-character passwords. Are you insane? The government has all of your information. If you’re using windoze [sic] you’re hacked. The NSA is watching every move you make. I run Linux. Everything is encrypted on my computer and my login name is 84 characters long. My password is 128 random characters (I got them from your recommendation of Steve Gibson’s perfect password site, so thanks at least for that). Think about it.
What do YOU think? Do I worry too much, or am I a complete idiot for recommending the things I do?
Hint: Not one system I have administered or owned since 1995 has been breached; I have not lost a single dollar to hackers as a result of any compromise to the security of my accounts and neither have any of my clients. But, in the interest of complete disclosure, there have been several people whom I have supported who have not listened to me and have subsequently suffered financial losses. I consider those my personal failures.
I think it’s safe to listen to me and take my advice. So, I hereby declare 2011 the year of “Internet Security Awareness.”
Let’s ramp it up, shall we?
And, Joe, I can hack you in less than three minutes thanks to the information you sent me. I won’t, but someone might try. Please read everything I’ve ever written about online security…
A friend of mine, whom I’ll call Sally, told me of a recent hack on her PayPal account that could only have resulted from her clicking a link that a “trusted friend” sent her in an email. You know, one of those “You have to see this!” things. She gets them all the time, of course, and most of the time they are what they claim to be. Only this time, the friend had gotten herself infected with a mass mailing trojan; even though the message appeared to be legitimate (since it was sent from the “friend”), it was bogus.
The link installed a keylogger. Prior to going on vacation, Sally checked her PayPal and bank accounts. The hackers got her login information. When she tried to use her debit card, she found she was overdrawn by several thousand dollars. It ruined her vacation and took her the better part of two weeks to get her money back. Fortunately, the bank waived all overdraft fees. Lesson learned.
Now, what could she have done? Trust is what these hackers rely on; naturally, Sally would trust an email from her friend. That it wasn’t from her friend is something that Sally probably didn’t suspect. But, she could have a personal security policy in place whereby she routinely calls her friend and mentions the email/link. If the friend says, “What email/link?” then you had better just delete it.
I have a fellow geek friend who routinely sends me scientific news, astronomy links, etc. I expect them, but I never open them until after I have talked with him (which I do several times a week) because he always asks me, “What did you think about [that particular article I sent you]?” My response is usually, “Oh, I’ve been busy, let me take a look (knowing, now, that it’s from him).” Then, we talk about it.
NEVER click a link you’re unsure about. Make a phone call to the “friend” that sent it to you. If you can’t call them, then just delete the message.
You won’t be missing out on anything important, trust me.