Passwords

Your Wallet is the Best Password Manager

Although I use them for sites that don’t require much security, password managers are something I generally stay away from. Why? Because they store the information on my hard drive or a website, both of which could be compromised by a determined hacker. Even a relatively unsophisticated hacker could exploit an unpatched vulnerability leaving my passwords open to inspection. My personal security policy is to make it as hard as possible for someone to get to my passwords.

I write them down and keep them in my wallet.

Yes, that is the most secure “password manager” there is. No one can get to your wallet from the Internet or your PC. Passwords written on a piece of paper and stored in your wallet are nearly impossible to compromise–someone would have to steal your wallet (or you’d have to lose it) to get at them. How likely is that? I’m 55 years old and have never lost my wallet or had one stolen. Just be sure not to write down your username with the passwords.

How to Prevent DNS Rebinding Attacks

There’s nothing new about the DNS rebinding attack, but it’s in the news again. Dan Kaminsky, Director of Penetration Testing for IOActive has shown a video of the attack in action at the RSA 2008 Conference. I first addressed this problem more than a year ago in a Lockergnome posting, and just recently in this Security Corner article. Both of those articles say the same thing: Change the default password on routers, switches, and any other configurable device on your network.

There’s another thing you can do: Use OpenDNS; they block known phishing and malware-infested sites, thereby making your web surfing more secure. They also just released a nifty tool called FixMyLinksys that makes it easy for anyone to change the default password and enable OpenDNS. An article at DarkReading.com had this to say about OpenDNS:

…“This will stop all the automated attacks that Dan is showing at the RSA conference today. It’s easy and is done over the Web,” says David Ulevitch, CEO of OpenDNS.

OpenDNS also launched a new type of DNS filter today that protects users from a DNS response from a malicious server. “In short, a DNS response from a malicious server that resolves to a host inside your network would get blocked,” Ulevitch says.

I’ve been using OpenDNS for some time; I’m glad to see they’ve addressed this issue directly.

Are You Lazy? Then You Have Security Risks

True computer and network security takes a lot of work to implement and it takes a lot of work to use. Despite training (if any) and admonitions by their supervisors and the IT department, the lazy create simple, easily-guessable passwords, write them down, and post them on sticky notes right in their cubicle or on their monitor. Even though we IT folks enforce password complexity policies, the effort is wasted if the user post their passwords in plain sight.

Maybe I’m dreaming, but I think that even the lazy can take the time to come up with serious passwords and take measures to make them memorable and/or write them down in a secure way. My article on generating secure passwords describes a method of doing this; it takes a bit of work at first, but once implemented, it’s a simple system that even the lazy can appreciate. (You may guess that I’m no fan of password managers or stored passwords and your guess would be right.)

If more of us IT geeks put more work into developing simple password generation and mnemomic systems for the lazy users, perhaps our networks would be more secure; perhaps not, but it can’t hurt now, can it?

Can a Criminal Hacker Guess Your Password?

In my last post, I stressed the importance of changing the default username and passwords of all configurable network devices. That’s good advice. But a weak password, one that is easily guessable, is almost as bad as no password. Far too many people use a password that’s obvious; i.e., given some basic information about the person, a determined hacker could easily guess it without too much effort.

I have two clients, both of which generate some serious confidential data, who set up initial passwords for new users in the form password.2008 or changeme. (Thankfully, I recently convinced both of these clients to implement password policies!) I’ve been able to use basic observation and small talk to guess users’ passwords about 20% of the time. The first thing I try is a blank password–you’d be surprised how often that works, especially for home users. Next, I’ll try the user name, the spouse’s name or “password.” I may try a couple of other things, like “123456,” “asdfjkl;” or, believe it or not, “********.” Usually, though, I just ask them for the password and they give it to me.

According to Wikepedia there are several things many people use as passwords that results in their being predictable:

Repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:

• blank (none)
• the word “password”, “passcode”, “admin” and their derivates
• the user’s name or login name
• the name of their significant other or another relative
• their birthplace or date of birth
• a pet’s name
• automobile license plate number
• a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
• a row of letters from a standard keyboard layout (eg, the qwerty keyboard — qwerty itself, asdf, or qwertyuiop)

So, if you want to protect your router and the other devices on your network, never use anything from the above list and apply Security Maxim #4: Use an unguessable, or difficult-to-guess password always.

Next time: How you can do everything right and still be vulnerable to attack.

Cheers!
The Geek