
Posts Tagged ‘password’

Security Sprint – Internet Passwords

January 27th, 2010 Josh

We're all busy people. A security sprint should take no more than two hours... which, while long for a real sprint, is a mere blink of an eye compared to the multi-year commitment that is proper security practice.


You've probably heard about some of the recent attacks against various websites. The problem here is that if one of the sites you use gets attacked AND they're not encrypting your password AND you're using the same password on other sites, then that one breach on one site can put all your other sites at risk. Of course, if you want to be on the Internet, you have to accept some risk... but it's hard to accept the risk when you don't know it's there. So let's figure it out.

1) Take twenty minutes and make a list of all of your Internet sites in a spreadsheet. Try to remember all of them, not just the common ones. There's a list at the end of this post to get you started.

2) Go to the login page of each site and click on the "forgot your password?" link. Yes, this will reset your password, but that's the point.

3) Once the new password arrives in your email, look at it. Does it sound like something you'd pick for yourself? If so, there's a good chance that they're not encrypting their passwords properly. Create a "secure" column in your spreadsheet and mark them as "no".

4) If the password arrives and looks random, then they reset your password for you... which probably means that they can't access your password directly. This means that it's probably encrypted in the database. Mark these as "yes" in the "secure" column.

5) There is a drawback to this plan, and that's that all of your passwords will change. Most of the sites that you marked as secure will force you to change your password when you log back in. If they don't, change their "yes" to "no".

6) Now you have a list of all of your sites and know which ones are more trustworthy. The last step of this sprint is to reset your passwords to something more secure. There are lots of articles and tools out there, and I see no need to add to the pile. All I'll say is that you should pick ones that you can remember and that aren't the same for all sites. If you want to use really complex systems, look into password wallet software.

7) Once all your passwords are changed, and you have an idea of how risky your sites are, you can proceed with your Internet life in relative security.
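As an added illustration of why steps 3 and 4 work (example code written for this page, not from the original post): two toy credential stores, one that keeps the password itself and can mail it back, and one that keeps only a salted PBKDF2 hash and can therefore only hand out a random reset token. Usernames, passwords and the iteration count are constructed values.

```python
import hashlib
import hmac
import os
import secrets

# The "no" column from the sprint: the password is kept exactly as typed, so
# "forgot your password?" can mail it straight back, and a copy of the
# database gives away every user's real password.
class PlaintextStore:
    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def forgot_password(self, user):
        return self.users[user]  # the site "reminds" you of your password


# The "yes" column: only a salted, slow hash is kept. The site cannot read
# the password back, so "forgot your password?" must issue a random reset
# token instead (the random-looking password you see in step 4).
class HashedStore:
    ROUNDS = 100_000  # PBKDF2 iteration count, an assumed value for the demo

    def __init__(self):
        self.users = {}
        self.reset_tokens = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HashedStore.ROUNDS)

    def register(self, user, password):
        salt = os.urandom(16)  # fresh per-user salt
        self.users[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, self._hash(password, salt))

    def forgot_password(self, user):
        token = secrets.token_urlsafe(24)  # random, single-use reset token
        self.reset_tokens[token] = user
        return token

    def reset_with_token(self, token, new_password):
        user = self.reset_tokens.pop(token)  # consumed on use
        self.register(user, new_password)
        return user
```

Note that in the hashed store a leaked database contains only salts and digests, never the string "hunter2" the user typed.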


Sites to consider:

  • Email: Gmail, Yahoo Mail, Hotmail
  • Social: MySpace, Facebook, Livejournal, Twitter
  • Professional: LinkedIn, Plaxo, Namez, Zoominfo, Notchup
  • Images: Flickr, Photobucket, Smugmug
  • Documents: Scribd, Docstoc, Instructables, SlideShare
  • Shopping: Amazon, Zappos
  • Bookmarking: Delicious
  • Video: YouTube, Vimeo

Categories: Sprint

Mythic Monday – The Sphinx

April 6th, 2009 Josh

“Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”

That was the riddle asked by the Sphinx, a creature sent to Thebes by Hera (or Ares).  When the riddle was answered incorrectly, the Sphinx would strangle and devour the challenger.  This went on for a while until Oedipus came along, answered "man" and explained that the "time of day" was a metaphor for "time of life" and that the question refers to the stages of life: baby crawling, man walking, old man with a cane.  After this, the Sphinx (being unable to come up with another clever riddle) promptly killed herself.

Today's myth is fairly transparently about password security.  The Sphinx made three basic errors that we can learn from:

Question/Answer Pairs

We've all seen the "security question" prompts.  They often ask about pets or parental surnames.  Sometimes they ask about special anniversaries.  In any event, if you are moderately findable online, a quick search of genealogy databases or photo-sharing sites can turn up answers to such questions.  To combat this, you can either hide all information relating to you, search it out online and remove it, visit public libraries and burn all the public records and brain-wipe all your friends... or you can answer the question nonsensically.  Just because the field says "mother's maiden name", doesn't mean that you have to put that in there.  Maybe put in your favorite fruit instead.

Suppose the answer to the Sphinx's riddle wasn't "Man", but was "Kiwi"?  Sure, the myth wouldn't make much sense, and Oedipus would have become dinner rather than king, but the riddle would have been much less guessable.

Short Answer

You know how irritating it is to have to use a password that is "at least 8 characters"?  Well, the reason is that there are people that can try all sorts of different words until they get in.  It's as if someone in power (like, say, Oedipus) were sending numerous peasants to the Sphinx with random answers.  It would have gone something like this:

  • Sphinx: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
  • Peasant 1:  Umm, (checks list) an apple!
  • Sphinx: Nope.  (strangle) (eat)
  • Peasant 2: How about an eagle?
  • Sphinx: Nope.  (strangle) (eat)
  • Peasant 3: (looks about warily) man?
  • Sphinx: Close, but we just changed the answer in the previous section.  (strangle) (OM NOM NOM NOM)
  • Peasant 4: (reads the previous section).  Kiwi!
  • Sphinx: Drat!  (strangles self and throws body over cliff)
  • Peasant 4: Yay!  I win.
  • Oedipus: (strangles peasant 4) (looks around warily) Yay! I win.

So, the Sphinx manages to survive a bit longer, but is still undone because the answer is short and guessable.  Let's protect against that by changing the answer from "Kiwi" to "My favorite of all the fruits is the kiwi... the fruit that needs a shave!"  That'd be a lot harder to guess.  Hard enough that Oedipus might even run out of peasants before he gets to it.

Only One Question

Ah, but what if you have an exceptionally smart guesser?  Suppose they know something about the person choosing the password.  Even incredibly long passphrases have to be remembered, so odds are that a little bit of social engineering can be of use.  If we fully embrace anachronisms and have a Sphinx that is a Star Wars fan, odds are that the pass phrase would appear on the list of 30 Most Memorable ‘Star Wars’ Quotes. Similarly, if the Sphinx were known to enjoy Shakespeare, 200+ Famous Bardisms might be a good place to start. The point here is to pre-load the disposable peasants with likely answers, so that Oedipus can hit upon it while there is still a peasant to kill and claim the credit.

A clever Sphinx can protect herself by coming up with multiple riddles. In the security field, we'd call this multi-factor authentication, which we shorten to "know/have/are". To extend our horribly-mistreated metaphor, the Sphinx would be highly secure if she required all three:

  1. Something you know:
    • Q: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
    • A: "My favorite of all the fruits is the kiwi... the fruit that needs a shave!"
  2. Something you have:
    • Q: "Do you have the key that unlocks this super special box that I borrowed from Pandora?
    • A: (peasant offers a herring that has been painted plaid)
      • Remember, the answer should be nonsensical and nontrivial.  A plaid herring covers both requirements in most instances.  Besides, it's generally best to leave Pandora's box closed.
  3. Something you are:
    • Q: "How do I know that you are truly you?"
    • A: (peasant shows the Sphinx that birthmark that Oedipus painted on his arm)
      • It's very difficult to forge the "something you are" check, but it can be done if the verification technology is flawed, be it a fingerprint scanner that doesn't check body temperature or a stupid Sphinx.

Thus, the only person that could get past the Sphinx would be someone that managed to prove their identity three different ways, which makes it extremely likely that the person allowed is the one authorized... or someone that has privileged information as to which questions will be asked and which answers are expected.  So, make sure that your questions and answers are reasonably secure, but also make sure that you don't let anyone else know that they are.  Secrets are only good so long as they are kept secret.

That's why the Sphinx had to kill herself, you know.

Categories: Mythology