Saturday, October 17, 2009

Ten Ways to Keep Your Passwords Safe
We all know that other people stealing your passwords is bad, because then they can get into your stuff and do all sorts of bad stuff. But many people do things that can get their passwords stolen every day, because they don't believe that something bad will happen to them, because they're too lazy, or because they don't realize what they're doing. (I apologize for sounding like a 3-year-old while trying to generalize.) In this note, I will explain some of the ways people can get your password as well as some tips for how to prevent it.

No computer system, no matter how secure, can resist attack indefinitely. There is always some way to break the security. The goal, then, of security, is simply to slow down attackers so much that the method of break-in is impractical or they give up and move on to an easier target. If your computer looks well-secured, unless crackers have a very good reason to target you in particular, they're likely to move on.

First of all, don't forget that your passwords should ideally all be different, or at least some of them should be different.

1. Giving someone your password
It seems stupid that I need to include this, but people do it quite a bit. Are you sharing any kind of account with someone? You just gave them your password. Saved a password in your browser on a shared computer? You just gave them your password. (And not only can they log on there, they can also find what password is stored and write it down for use later.) And plenty of people share their passwords with others so they can easily log on.

Now I'm not saying that sharing passwords is inherently bad, just that you need to be cautious. Every person that knows a password multiplies the risk of having it stolen or social-engineered (more on that later). Just because you trust someone completely doesn't mean that they will keep your password with the most care possible. If you need to share your password with someone, make sure you know for sure that they will not write it down or save it and that they are smart about social engineering.

If for some reason you need to share a password with someone you don't know much about, you can always change your password temporarily and then change it back later.

2. Shoulder surfing
Although it sounds like one of those stupid things people try to do at rock concerts, it's almost undoubtedly the oldest and most low-tech way to steal a password. All you have to do is get behind someone and watch them enter their password.

Since passwords were developed, login screens have hidden the typed characters in password fields from view to make shoulder surfing much more difficult. However, someone who gets lucky, has sharp eyes, or tries multiple times will have a fairly good chance of getting your password by looking at the keyboard. Since most people use the same password multiple times (hey, even me, and I'm writing about security here), stealing one password will allow them to get into multiple accounts. (And by the way, this problem isn't limited to computer terminals; you should always cover the PIN pad with your hand when entering numbers at an ATM or store checkout. Besides the chance of someone walking behind you and spotting your number, crackers have been known to place cameras aimed at the PIN pads to catch unwary users.)

Obviously, if your computer is placed in a closed room, it's going to be pretty hard for someone to sneak in behind you and shoulder-surf your password without you noticing. However, be careful if you invite someone you don't trust into this area; shoulder surfing is one of the things people tend not to think about. If your computer is easily visible, especially in a crowded and noisy area, you have a much bigger problem. Not only are you less likely to notice someone sneaking up behind you, people will also feel much more confident and are more likely to try to steal your password.

There are a few things you can do to try to prevent your password from being shoulder-surfed. There are two parts to successfully stealing a password in this manner, seeing the password and remembering the password until you get a chance to write it down. You can do quite a bit to help in both areas. First of all, the more complicated and nonsensical the password is, the less likely someone is to remember it. Also, it will be much harder to see what is being entered. A password like “password” has a pattern that will be easily recognized, but a password like “e5^8flc” is very unlikely to be “read” correctly, and even more unlikely to be remembered. Also, avoid long strings of contiguous or repeating letters, like “qwerty” or “adadadad.” Everyone can easily spot these. Secondly, learn to type your password as fast as possible. If you hit the keys so fast that nobody can see what you're typing, you're automatically safe. Thirdly, learn to touch-type. It will improve your overall computing experience tremendously, and it might take a while to figure out, but it's totally worth it. For security, not only are you able to type your password much faster, your fingers also cover the keyboard without any effort. Finally, if you're in a high-risk environment (open area, crowded, noisy, public), look behind you before you enter important passwords. Although it seems paranoid, you might even consider getting a monitor mirror, which clips onto your monitor and shows you what's behind you (see Not only will it allow you to catch shoulder surfers in the act and know when someone has stolen your password and you need to change it, crackers are also far more likely to move on to an easier target.

3. Search and you will find...
Many people have difficulty remembering passwords, so they write them down on sticky notes and throw them in desk drawers or stick them to the monitor. Enterprising crackers can easily find these notes and...voila, they have a valid password.

This one's easy to combat—don't write your password down. Never write your password down. Never, ever write your password down. Period. By writing down your password, you work against the whole idea of a password. If you must save passwords in your browser, make sure they're not important, and make sure your computer requires a login password while you're away from it (e.g. lock the workstation, make the screen saver require a password after it kicks in, log off, etc.).

If you have trouble remembering your passwords, consider using a password manager (see A password manager stores all your passwords securely so you only have to remember one (strong) master password or plug in a flash drive and unlock all your passwords. After a timeout, when you log out or lock the file (when you leave the computer, hopefully), or when you remove your flash drive, the file that stores your password is unloaded and becomes inaccessible. This will also allow you to more easily use stronger and different passwords.

4. Security vulnerabilities
No program of any significant size is safe from bugs. Matter of fact, no program is safe from bugs. So it follows logically that most major programs have, at some point, suffered from security vulnerabilities. This is not a problem in itself; the problem is that people often fail to patch these vulnerabilities in a timely manner. Nearly all security holes are patched well before they are successfully exploited, so as long as you pay attention, you have very little to worry about.

In terms of passwords, there are relatively few exploits of this sort, but it's always a good idea to keep everything up to date. Make sure automatic check-for-updates features are turned on, update to the latest versions of programs periodically, and keep a lookout for any published security advisories.

5. Database cracking
Database cracking is one of the most dangerous threats today. In database cracking (which isn't an official name, but it works, and I don't think there is an official name), a cracker or group of crackers breaks into a large database kept by a company on a secure server and steals all the information on it, which can be worth huge amounts of money. Database cracking is more commonly talked about in terms of identity theft, but it is also an easy way to steal emails, passwords (they are part of your identity, after all), and more.

Unfortunately, there's very little you can do about database cracking; you just have to trust that everyone you give your information to will do their best to keep it secure.

6. Guess the password
Since too many people use simple passwords, a cracker has a decent chance of being able to sit down in front of a computer or login page and guess the password within a few minutes, especially if he or she knows the person.

To combat this, you should make sure your password meets all of the following guidelines:
Does not include your username or any part of your username
Does not include your real name, birth date, address, phone number, email address, etc.
Does not include any personal information that could be easily obtained by a cracker; this includes any information you have ever posted on the internet
Is not a phrase like “password” typed with your hands shifted.
Is not any of the passwords or similar to any of the passwords on the “Top 500 Worst Passwords of All Time” list at
Includes at least 8 characters, the more the better.
Also see the “Dictionary Attack” section for more guidelines.

7. Dictionary attack
A dictionary attack is basically a high-tech version of guessing the password. In a dictionary attack, a cracker runs a program called a dictionary cracker on the login screen they want to get the password from. The dictionary cracker comes with a dictionary file containing the most common passwords. The cracker program will try each password until it runs out of passwords, it gets locked out for too many incorrect password attempts, or it guesses the password correctly, in which case it will stop and tell the cracker what the password was.

To protect yourself from dictionary attacks, make sure your password meets the following guidelines:
Is not any of the passwords or similar to any of the passwords on the “Top 500 Worst Passwords of All Time” list at
Does not include many sequential numbers or letters, letters contiguous on the keyboard, or a combination of the two.
Is not a common English word.
Also see the “Guess the password” section for more guidelines.
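A small checker for the guidelines in sections 6 and 7, added here as an example (it is not code from the original post). The common-password and dictionary sets are short constructed stand-ins for the "Top 500 Worst Passwords" list and a real wordlist, and the keyboard-run, sequence, repeat and hand-shift heuristics are my own assumptions about how to test those guidelines.

```python
import re
# Constructed stand-ins for the lists the post refers to (the "Top 500 Worst
# Passwords" list and an English dictionary); a real checker would load full files.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123", "monkey"}
DICTIONARY_WORDS = {"sunshine", "welcome", "football", "princess", "shadow"}
KEYBOARD_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

def unshift(pw, offset):
    """Move each key `offset` places along its row, undoing the 'typed with your
    hands shifted' trick ('[sddeptf' with offset=-1 gives 'password')."""
    out = []
    for ch in pw.lower():
        for row in KEYBOARD_ROWS:
            if ch in row and 0 <= row.index(ch) + offset < len(row):
                ch = row[row.index(ch) + offset]
                break
        out.append(ch)
    return "".join(out)

def has_keyboard_run(pw, n=4):
    """True if pw contains n adjacent keys from one row, forwards or backwards."""
    low = pw.lower()
    return any(row[i:i + n] in low or row[i:i + n][::-1] in low
               for row in KEYBOARD_ROWS for i in range(len(row) - n + 1))

def has_sequential_run(pw, n=4):
    """True if n consecutive characters each step by exactly +1 or -1 (abcd, 9876)."""
    steps = [ord(b) - ord(a) for a, b in zip(pw, pw[1:])]
    return any(len(set(steps[i:i + n - 1])) == 1 and abs(steps[i]) == 1
               for i in range(len(steps) - n + 2))

def check_password(pw, personal_info=()):
    """Return the guidelines from sections 6 and 7 that pw violates (empty = passes)."""
    low, problems = pw.lower(), []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for item in personal_info:           # the item itself or 'any part' of it
        parts = [item.lower()] + re.split(r"[^a-z0-9]+", item.lower())
        if any(len(p) >= 3 and p in low for p in parts):
            problems.append("contains personal information: " + item)
    if any(c in COMMON_PASSWORDS for c in (low, unshift(pw, -1), unshift(pw, 1))):
        problems.append("is (or is a hand-shifted form of) a common password")
    if low in DICTIONARY_WORDS:
        problems.append("is a common English word")
    if has_keyboard_run(pw) or has_sequential_run(pw):
        problems.append("contains a keyboard or sequential run")
    if re.search(r"(.{1,3})\1{2,}", low):
        problems.append("contains a repeating pattern")
    return problems
```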

8. Brute-force
A brute-force attack consists of trying every possible password until the right one is found. No matter what security measures are used, a brute-force attack is guaranteed to eventually come up with the right answer. However, a brute-force attack takes a really long time (unless it gets lucky); if you have a strong password, it could take centuries to crack it using powerful computers.

To combat brute-force attacks, make sure you have a strong password, using the password guidelines for #6 and #7.

9. Keylogging
A keylogger is a program or hardware device that stores all the keystrokes entered into a computer. Someone can install a keylogger, then later come back to retrieve the data collected, search through it for sequences that look like passwords, then attempt those passwords.

To protect yourself against software keyloggers, make sure you have an anti-malware program that includes spyware protection installed and that it scans regularly. To protect yourself from hardware keyloggers, make sure strangers cannot easily access where your keyboard plugs in, and check occasionally to make sure there are no odd devices plugged into the system (keyloggers are usually plugged in between the keyboard and the computer).

10. Social engineering
Social engineering (in a security context) is simply the process of trying to trick someone into revealing confidential information or doing something that will compromise the security of a system (like disabling security measures). Social engineering is rarely attempted in person, but there's no reason why it cannot be. One of the reasons why it is so successful is that, in many cases, it is not actually a crime, so even if the attacker is caught, they cannot be arrested. The person has chosen to give the information, after all.

To protect yourself from social engineering, you should be aware of the fact that it is likely that someone will try to do it to you at some point. First of all, never give your password to anyone else. Period. IT does not need to know your password. Nobody ever needs to know your password because of a “database crash”. If there really was a database crash, they'll make arrangements to get it fixed, and you won't be able to log in until then anyway. That really polite guy in Afghanistan who wants to deposit $112,378.26 in your PayPal account does not need to know your password.

If there's ever any doubt about whether someone really needs to know a piece of information, hang up the phone or close the email, call or email the person yourself with a number/address you know to be accurate, and ask them if they asked for it. Better yet, walk or drive there yourself (if possible). Most likely, they'll be very interested to know that someone was trying to represent them.

Never send your password or confidential information by email. There is not a single legitimate organization or website that will ever ask you to email them information about your account. Delete the email immediately, or better yet, report it to the organization that was supposedly sending it.

Finally, if someone you don't know ever calls you and asks for your information, it's best not to give it. If they want you to take a survey, fine, but they don't need to know your name, address, and email for it. If someone gathers enough apparently innocuous information, one bit at a time, they could soon have enough to impersonate you and steal more information or money.

If your password gets stolen
Immediately go change your passwords for all websites and other logins that use the password that has been stolen. Write them down temporarily (hopefully making at least some of them different to avoid this in the future). Store them in a password manager if you aren't going to remember them, then burn or shred the password sheet and throw it away.

If the cracker has changed the password, attempt to recover it. Get in touch with the company or follow a “My password has been stolen” procedure. On many sites, like Gmail, you can fill out a long form telling about your emailing habits, then the Google staff checks it against the logs and can often give you your account back. Of course, in the meantime your email may have been read, information stolen from it, and deleted, but at least you have your account back. If you think any other passwords may have been compromised by this account being taken over, go change them too.

I hope to have included most of the ways that passwords get taken. Read it, make sure you follow all the guidelines, fix a few things if you haven't, then go on with your life knowing you're that much more secure than other people. Remember: There's no way to stop the crackers, only slow them down and hope for the best.

Soren "scorchgeek" Bjornstad

Microsoft is not the answer.
Microsoft is the question.
The answer is "No."
