OFFICIAL SECURITY BLOG

Too Tough to Crack?

April 22, 2013 | BY

During the course of your life, there are many times when you have to prove who you are.  Whether it’s applying for a loan, getting your driver’s license, or signing into your email account, a process has to occur to “authenticate” your identity.  Otherwise, anybody could be you.

In the 21st century, we’ve seen a sharp increase in Identity Theft, a term you’ve probably heard a lot in the media.  The idea of pretending to be someone you’re not is nothing new, but in the digital era, fooling a computer is a little easier than fooling your bank teller.  The problem has become so prevalent that companies have emerged dedicated solely to fighting identity theft-related crimes.


Companies like LifeLock have emerged amid the increasing amount of Identity Theft.

 
When it comes to your digital life, passwords hold the keys.  While new technology like biometric scanners and smart cards is emerging, the password is still the most commonly used form of authentication since it is both cheap and easy to implement.  Over the years, you’ve probably used a password for virtually all of your online accounts, from your Facebook account and your personal email to your bank account (and probably the same password for all of them).

Since your passwords are so valuable, it’s no surprise that they’re highly targeted by hackers and malware.  News reports emerge almost daily of security breaches where passwords are stolen from private databases. Just a few days ago, in fact, the co-founder of the infamous “Pirate Bay” BitTorrent site was charged with hacking crimes in Sweden, where personal data was stolen from several companies.

In addition, programs like keyloggers are often packaged into today’s malware to record a user’s keystrokes, often for the purpose of obtaining passwords.  With the danger of drive-by downloads, this kind of malware could be installed on your computer without your prior knowledge or consent.  What’s more, there are several password “cracking” programs in existence that use a variety of techniques to brute-force weak passwords.


Cain & Abel, a popular password cracking tool.

 
So what can you, the user, do to protect yourself?  This blog post will talk about password security from all angles, and give you the best tips at protecting your private information.

Step 1: Use a strong password
You’ve probably tried to register an account online before and had the system return with a message that your password isn’t strong enough or doesn’t meet the complexity requirements.  You then might have become frustrated and added “123!” to the end of what you had.  I know I’m guilty of this.

The problem most of us run into is that we can’t remember these convoluted passwords.  In fact, some of us resort to keyboard patterns or familiar movie names to help us remember, but that isn’t really going to make your password any “stronger”: it’s vulnerable to shoulder-surfing (someone else watching), and password tables often include such choices.

Creating a strong password can seem difficult at first but there are tools available to make it easier.  For instance, go to http://howsecureismypassword.net/ and type in a password you might consider using (don’t worry, it’s safe).  If your password can be cracked instantly or in a short amount of time, it may be time to change it to something more complex.  Try to remember the following when creating your password:

– Make it long (at least 12 characters)
– Use numbers, and maybe a special character
– Consider making random letters in your password uppercase
– Use words that are memorable to you, but nothing others could easily guess.
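To make the checklist concrete, here is an added example (not part of the original post) that estimates the brute-force search space of a password and flags the habits described above: short length, a common word with a “123!”-style suffix, and keyboard patterns. The word list, the guessing rate, and the sample passwords are assumptions constructed for illustration.

```python
import math
import string

# Constructed sample; real cracking tables hold millions of entries.
COMMON = {"password", "taco", "qwerty", "letmein", "starwars"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
GUESSES_PER_SECOND = 1e10  # assumed offline guessing rate, not a measurement
CLASSES = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation + " ", 33))


def charset_size(pw):
    """Size of the alphabet an exhaustive search must cover for this password."""
    total = sum(n for chars, n in CLASSES if any(c in chars for c in pw))
    return total or 26  # only unlisted characters: assume a small alphabet


def keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row."""
    low = pw.lower()
    return any(row[i:i + run] in low
               for row in KEYBOARD_ROWS for i in range(len(row) - run + 1))


def weaknesses(pw):
    found = []
    if len(pw) < 12:
        found.append("short")
    # Strip a trailing "123!"-style suffix before the table lookup.
    if pw.rstrip(string.digits + string.punctuation).lower() in COMMON:
        found.append("common-word")
    if keyboard_run(pw):
        found.append("keyboard-pattern")
    return found


def assess(pw):
    bits = len(pw) * math.log2(charset_size(pw))
    issues = weaknesses(pw)
    # A table hit is guessed almost at once, so the brute-force estimate is moot.
    table_hit = "common-word" in issues or "keyboard-pattern" in issues
    seconds = 0.0 if table_hit else 2 ** bits / GUESSES_PER_SECOND
    return {"bits": round(bits, 1), "issues": issues, "seconds": seconds}


if __name__ == "__main__":
    for sample in ("taco", "taco123!", "Qwerty2013", "Violet-Kettle7-marsh"):
        print(sample, assess(sample))
```

Adding “123!” raises the raw bit count but not the real strength, because the base word is still found in a table.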

Step 2: Change your password periodically
Before getting involved with computer security, I used the same password for years (“taco” to be exact).  Not only was it an extremely weak password that could be cracked instantly, but having a password on my accounts that never changed made them more vulnerable to attack.

A lot of network administrators enforce this by having network users change their passwords every 30-90 days.  This has been considered a security “best practice”, because in theory, your password will be harder to guess or crack if it’s constantly changing.

Unfortunately, this technique isn’t going to help you much if your password is compromised, since research suggests some password crackers don’t need much time to brute-force most common passwords.  However, it’s still considered a good idea to change your password at least once a year to keep it changing and therefore slightly less vulnerable.

Step 3: Use a unique password for every account
We both know that you’re likely using the same password on most if not all of your accounts.  As a matter of fact, it’s probably a safe bet that if I had your email password, I’d also have your bank password.  The obvious problem with this is when one account becomes compromised, all of them do.

On the other hand, you may have a lot of online accounts; I can count at least 40-50 that I have.  The issue of remembering this many passwords then comes into play.  Sure, you could always write them down on a piece of paper and keep it somewhere safe, but what happens if you lose it?  You’ve then lost access to much of your digital life.

The next step in this process will give you a sigh of relief as we discuss a tool used to manage all of these passwords.

Step 4: Use a password manager
If you’re dreading the thought of remembering all of these complex passwords, consider trying a password manager.  A password manager is a piece of software that helps you organize your passwords.  A big benefit to using this kind of software is that you can store your passwords in one location, and then access them all using your “master password”.  This way, you only need to know your master password and you now have access to all of your passwords.


Roboform is a great password manager with lots of features.

 
In addition, most password managers have an “autofill” option that automatically fills out web forms on your favorite web sites.  This can be useful if you shop online frequently and don’t like to store your personal information on external servers, but would rather enter it every time.  This sort of feature also protects you from phishing scams, as the password manager will remember the site it needs to autofill and will not work properly if the site doesn’t match.
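The site-matching behaviour described above can be sketched as follows. This is an added example, not code from the original post or from any particular password manager; it assumes a simplified model in which a credential is offered only on an exact HTTPS origin match, and the vault, domain names, and credential are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a web URL, or None if it is unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed host or port
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")  # urlsplit already lowercases the host
    return (parts.scheme, host, port or DEFAULT_PORTS[parts.scheme])


def save(vault, url, username, password):
    """Remember a credential under the origin it was created on."""
    vault[origin(url)] = (username, password)


def autofill(vault, page_url):
    """Return the saved credential only on an exact HTTPS origin match."""
    where = origin(page_url)
    if where is None or where[0] != "https":
        return None
    return vault.get(where)


# Constructed sample: one saved login and pages a user might land on.
VAULT = {}
save(VAULT, "https://bank.example/login", "alice", "constructed-secret")
PAGES = [
    "https://bank.example/account?tab=1",    # same origin, different path
    "https://BANK.example:443/login",        # same origin, written differently
    "http://bank.example/login",             # no TLS
    "https://bank.example.evil.test/login",  # real name used as a subdomain
    "https://bank.example@evil.test/login",  # real name in the userinfo part
    "https://bank-example.test/login",       # lookalike name
]


def check_pages():
    """Map each sample page to whether autofill would offer the credential."""
    return {url: autofill(VAULT, url) is not None for url in PAGES}


if __name__ == "__main__":
    for url, filled in check_pages().items():
        print("fill" if filled else "skip", url)
```

A page that looks right to the eye but sits on a different host gets no autofill, which is the cue that something is off.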

Password managers also have some drawbacks.  While it may seem convenient to only remember one password to access all of your accounts, this also means your master password is highly sought after by prying eyes, and the results could be devastating if all of your accounts are suddenly compromised.

Even so, password managers are a viable choice for many in a world where we have an account for nearly everything online.  If you’re going to use a password manager, consider the following:

– ALWAYS use a Password Manager that encrypts your passwords
– Ensure your master password is both complex and long, impossible to brute-force
– Do not disclose your master password.  Ever.
– Protect your computer from malware that could obtain your master password.

Step 5: Consider two-factor authentication if available
In the case of computers, two-factor or two-step authentication requires a password as well as another piece of information to prove you are who you say you are.

Two-factor authentication has become more popular in recent years as more passwords are compromised and another layer of defense is needed to protect users and their personal data.  The second factor can be various things; you may be asked for a special PIN, or a special code may be sent to your cell phone.


2-step verification advertised for Google accounts.

 
Two-factor authentication is a great solution for many, but some might consider it inconvenient.  For example, your workplace may not allow you to bring your phone inside, and your email requires your phone to sign in.  In addition, two-factor authentication is still susceptible to man-in-the-middle (MITM) type attacks where an attacker may acquire SMS messages containing authentication codes, although this is less likely to occur.

Step 6: Protect yourself from Malware and other attacks, now and always
On a final note, taking the time to create a strong password won’t matter much if you’re infected with malware that targets them.  Unfortunately, no password is “too tough to crack” for a keylogger.

Every computer needs to have ample malware protection.  The malware of today can not only log your keystrokes, but take screenshots of everything you click, defeating protection tools like virtual keyboards, designed to protect against keyloggers.  In addition, hackers often install backdoors onto compromised hosts so they can revisit their victims, oftentimes bringing password cracking tools with them in an attempt to crack other passwords on the network.

The bottom line: protect yourself.  The passwords we use every day safeguard much of our private lives, so take some time to make sure they’re strong enough to withstand an attack.  I hope this article has given you a better idea of how to protect yourself and your personal data.  Be careful out there!

_______________________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques.  His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis.  Follow him on Twitter @joshcannell