Category: security

On Choosing Secure Passwords

I couldn’t agree with this more and if you’re not using a password manager at this point, then you’re just doing the Internet wrong.

I use 1password and recommend it. Yes, it's a paid product, but that's good!

My default password generation recipe is 23 characters of upper and lower case letters. I use letters only in case I’m ever having to manually type the stupid thing on a touch screen.

There are still some passwords you have to remember. Obviously you need to remember the password to your 1password file! I also remember the password to my Dropbox account (and I use 2-factor authentication) because that's what I use to sync my 1password file. I also changed my iPhone from a 4-digit PIN to a strong password since the 5s has the fingerprint scanner. It's becoming harder and harder to pick good ones. I used the Diceware method of generating my passwords.

Again, I agree with all this:

Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them. Password Safe includes a random password generation function. Tell it how many characters you want — twelve is my default — and it’ll give you passwords like y.)v_|.7)7Bl, B3h4_[%}kgv), and QG6,FN4nFAm_. The program supports cut and paste, so you’re not actually typing those characters very much. I’m recommending Password Safe for Windows because I wrote the first version, know the person currently in charge of the code, and trust its security. There are ports of Password Safe to other OSs, but I had nothing to do with those. There are also other password managers out there, if you want to shop around.
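To put the three recipes mentioned above side by side (the 23-letter recipe, Password Safe's 12-character mix with symbols, and Diceware), here is an added example, written for this post and not taken from 1password, Password Safe or the Diceware project. It generates each kind of secret with the operating system's CSPRNG and computes the entropy each recipe yields; the alphabet sizes are assumptions stated in the comments.

```python
import math
import secrets
import string

# Alphabets assumed for each recipe (constructed for this example).
LETTERS = string.ascii_letters            # 52 symbols: upper- and lower-case only
ALNUM_SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_LIST_SIZE = 6 ** 5               # the standard Diceware list has 7776 words


def generate(alphabet, length):
    """Pick `length` symbols uniformly with the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_keys(word_count):
    """Simulate five dice rolls per word; each 5-digit key (11111..66666)
    indexes one word in the 7776-word Diceware list."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(word_count)]


def entropy_bits(alphabet_size, length):
    """A uniformly random string of `length` symbols carries length * log2(size) bits."""
    return length * math.log2(alphabet_size)


def compare_recipes():
    """Entropy of each recipe discussed in the post, in bits."""
    return {
        "23 letters": entropy_bits(len(LETTERS), 23),
        "12 chars with symbols": entropy_bits(len(ALNUM_SYMBOLS), 12),
        "5 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 5),
        "6 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }


if __name__ == "__main__":
    print(generate(LETTERS, 23))
    print(generate(ALNUM_SYMBOLS, 12))
    print(diceware_keys(6))
    for name, bits in compare_recipes().items():
        print(f"{name:24s} {bits:6.1f} bits")
```

The letters-only recipe reaches roughly 131 bits, well beyond the ~79 bits of 12 mixed characters, which is why dropping symbols costs nothing as long as the length goes up.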

There’s more to passwords than simply choosing a good one:

  1. Never reuse a password you care about. Even if you choose a secure password, the site it’s for could leak it because of its own incompetence. You don’t want someone who gets your password for one application or site to be able to use it for another.
  2. Don’t bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.
  3. Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
  4. One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It’s almost certainly a security improvement.

Boston Marathon: What if all personnel had GPS-enabled, personal DVRs?

In the wake of the bombings at the Boston Marathon I've been listening to the radio and reading about the bombings. One of the early reports described how one of the bombs was pretty close to a security guard who was scanning the crowd. If the bomber didn't look suspicious then there's no reason for the security guard to remember the bomber at all, so I'm not trying to fault the guard.

But what if all security personnel at the event wore a Google Glass type device that recorded everything during their shift? What if these devices were GPS enabled and all of the video was downloaded to a server where that data could then be data-mined? For instance, show me all video from all devices that occurred between 1:00pm and 3:00pm at coordinate X.

This nerdy idea has been bouncing around in my head for a few days and I hope typing it out will make it stop. 😉

Two great articles on password security

Why passwords have never been weaker—and crackers have never been stronger (Ars)

The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007. As the Gawker breach demonstrated, such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.

More than just one password: Lessons from an epic hack (1password)

Mat Honan, a 1Password user and writer for Wired, did everything right. He had strong, unique passwords everywhere. Yet he was the victim of an "epic hack", and had to put a great deal of effort into getting his digital life back.

A very brief account of this Homer-worthy hack is that someone talking to Amazon customer service got into Mat's Amazon account, from which they were able to learn enough about him to then call Apple's customer service to get a new password set. Once they had Mat Honan's Apple ID and password they used Remote Wipe to erase his iOS devices and his Macs. This has been written about extensively elsewhere, but I would like to talk about this in the context of whether there are useful lessons for 1Password users.


Apple and Amazon security flaws, changes I made to protect myself

Update: Amazon Quietly Closes Security Hole After Journalist’s Devastating Hack

Last night, I read in horror Mat Honan's account of how he got hacked and how a large part of his digital existence ceased to exist. The scariest part of this "hack" was that it didn't take advantage of any sort of software bug or security vulnerability. It wasn't even really somebody doing any sort of social engineering. Some clever people just used the available account recovery processes of Amazon, Apple and Google in order to gain unauthorized access to multiple accounts and delete everything.

Apple only requires that a person validate the account holder name, billing address and the last 4 of the credit card on file. The first two are pretty trivial to get. If a person has their own domain name, usually a DNS lookup will reveal the billing address. So how did the people involved in this get the last 4 of a credit card #? Enter Amazon.

The Amazon part is a two part process but is pretty trivial:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.

The Amazon bit of this hack is astoundingly easy! Yikes! So now with the last 4 of the CC in hand, the hackers called up Apple and were issued a temporary password.

Gmail also played a role in this hack because the target of the hack was actually Mat's Twitter account. Mat was using his email address as his backup account with Google, thus the hackers targeted the Apple account.

After I read the article I was horrified to realize that my Apple ID was vulnerable to the same hack. Somebody could access my Amazon account using the process outlined above (assuming Amazon hasn’t already changed their security processes), call Apple Care and get access to my Apple ID. Since I had recently switched most of my online accounts to use my Apple email address, it was trivial to get the keys to my digital kingdom: Twitter, Facebook, etc. Here are the actions I took to harden myself against these types of hacks:

  • I changed the CC on file with Apple (iTunes) to a different CC from the one I have on file with Amazon. In fact, I've never used this new CC with any online site at all. That by itself would have prevented the hack described by Mat from working. I actually deleted the CCs I had on file with Amazon, but a look at the order history reveals the last 4 of the CC used on each order.
  • I verified that I didn’t have my email address as my backup with gmail.
  • I enabled 2-step authentication on gmail.
  • I’m switching my online accounts back to my gmail account instead of using my account.
My trust in Apple security has been shattered. I feel that the two-factor authentication with gmail better protects me from account recovery attacks. Not just that, but having used the iCloud solution for a while, gmail is just a better, more full-featured email solution.

Please review your accounts to make sure you’re not vulnerable to this hack.