Passwords leaked - LinkedIn, eHarmony, Last.fm

Recently several large password databases have been compromised and released publicly, most recently those of LinkedIn, Last.fm, and eHarmony. If you have an account with any of these services, your password may be among those leaked.

How do I tell if my account was compromised?

LastPass, a service I recommend for password and account security, has put together a page for each of the breaches where you can submit your password and it will tell you whether that password appears in the publicly available lists. This is done in a reasonably safe manner: LastPass never receives your plaintext password. Your browser hashes it locally and only the hash is compared against the leaked hashes. For those who don’t know what a hash is: it is a one-way fingerprint of the password. Anyone can compute the hash from the password, but nobody can work backwards from the hash to the password, which is why the leaked lists consist of hashes and why the check can be done without sending your actual password anywhere. Two caveats: the published lists may not be the complete set of stolen hashes, so “not found” is not proof that you are safe, and you should only ever type a password into a checker run by someone you trust.

Was My LinkedIn Password Hacked?
Was My eHarmony Password Hacked?
Was My Last.fm Password Hacked?
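To make the “compare hashes, not passwords” idea concrete, here is an added example of how such a checker works; it is my illustration, not LastPass’s code. LinkedIn stored its passwords as unsalted SHA-1, so the leaked list is simply a set of SHA-1 hashes, which the tiny sample below imitates (the hashes of “password” and “123456”). The function names are mine. The second variant goes one step beyond the post: it sends only the first five hex characters of the hash to the checking service and matches the rest locally, which is the k-anonymity scheme later adopted by Have I Been Pwned, so the service never learns even the full hash.

```python
import hashlib

# Constructed sample of a leaked, unsalted SHA-1 hash list (the format of the
# 2012 LinkedIn dump). Real dumps run to millions of lines; these two entries
# are the SHA-1 hashes of "password" and "123456".
LEAKED_SHA1 = {
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "7c4a8d09ca3762af61e59520943dc26494f8941b",
}


def sha1_hex(password: str) -> str:
    """Hash the password exactly the way an unsalted-SHA-1 site stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def was_leaked(password: str, leaked_hashes=LEAKED_SHA1) -> bool:
    """Client-side check: the hash is computed locally and only the hash is compared.

    The plaintext password never needs to leave the user's machine.
    """
    return sha1_hex(password) in leaked_hashes


# k-anonymity refinement: the client reveals only a short hash prefix; the
# service answers with every leaked suffix under that prefix and the client
# finishes the match itself.
PREFIX_LEN = 5


def range_query(prefix: str, leaked_hashes=LEAKED_SHA1) -> list[str]:
    """Server side: all leaked hash suffixes whose hash starts with `prefix`."""
    return sorted(h[PREFIX_LEN:] for h in leaked_hashes if h.startswith(prefix))


def was_leaked_anonymously(password: str, leaked_hashes=LEAKED_SHA1) -> bool:
    """Client side: only `digest[:PREFIX_LEN]` would cross the network."""
    digest = sha1_hex(password)
    suffixes = range_query(digest[:PREFIX_LEN], leaked_hashes)
    return digest[PREFIX_LEN:] in suffixes
```

Note that with an unsalted hash list this check is only as private as the hash function is slow to invert: anyone holding the full hash can try guesses against it offline, which is exactly what the LinkedIn crackers did. That is why the prefix-only variant is preferable when the checker is a third party.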

What now?

Even if the above pages say your password was not found, now would be a good time to make sure you are using unique, strong and new passwords on those sites. I also suggest that you take this chance to start using a password vault; LastPass and KeePass are good ones I’ve used in the past.

How do I keep this from affecting me in the future?

Always use different passwords for different sites. This limits the damage that can be done when any particular service is compromised. Imagine that you used the same login for your email account as for your LinkedIn account and that information got out. Not only would you lose your LinkedIn account but potentially your email as well. Also remember that most accounts have a “forgot your password?” link that simply emails you password reset instructions. An attacker who controls your email can use those links to reset and take over any account that was ever registered to that address.

You can read more password recommendations in previous posts, specifically Password Best Practices Part 1 and Password Best Practices Part 2.


Password Best Practices (part 2)

Problems to be solved regarding passwords

Passwords provide authentication, an answer to the question “Who are you?”  We’ve covered selecting a password that is hard to crack, but there is a different problem to be solved today; passwords being used across multiple websites.

A single security breach often gives an attacker all of your passwords

When a site you have an account with has a security breach and their database is stolen, the attacker has a list of username and password combinations, and often email addresses.  The attacker then simply tries those same combinations on other sites (a technique known as credential stuffing).  Most people use the same credentials everywhere, giving the attacker virtually all their accounts with one security breach.

The solution to this problem is to use a different password for each site.

The challenge then becomes: remembering and keeping straight all of the different passwords required.  My favorite solution is a service called LastPass.

LastPass is a password vault with many features that make it both secure and available anywhere.  You use LastPass so you don’t have to remember or type your password for any site ever again.  This allows you to use very secure passwords that are unique to each site, without the hardship that would otherwise entail.

I use LastPass exclusively to store my passwords (over 200 at last count).  This allows me to keep them unique and hard to crack.

Let me show you how I use LastPass to make life easier.

Plugins, plugins everywhere

LastPass is available as browser plugins for all major browsers across all major platforms.  It is available for Mac, Windows, or Linux.  Open  any major browser on virtually any computer, login to LastPass and you will have all your passwords at your fingertips.

I use more computers than most people, due to my job and addiction to technology.  I use my iMac, iPad, iPhone, MacBook Air, my wife’s Windows 7 computer, and a couple of test Android devices almost daily and never have to scramble for login credentials when I need to get something accomplished.

Password generation

Coming up with unique, hard-to-crack passwords for each site is tedious, to say the least.  LastPass plugins provide a password generation tool.  This allows you to generate secure passwords that are long, random, and unique.

I use its generator for all the passwords I use.  Since LastPass frees me from remembering or typing passwords, it’s a perfect solution.

Two-factor authentication

If you keep all your passwords in LastPass, a thief who accesses your account will have ‘all the keys to the castle’.  To further secure your account, LastPass supports many different forms of two-factor authentication.  Two-factor authentication ensures you are who you say you are by requiring not only a password (something you know) but also a code from a device or a piece of paper (something you have), which greatly increases security.  LastPass supports the YubiKey, Google Authenticator, paper-based Grid Multifactor Authentication, Sesame (multifactor authentication with a USB thumb drive), fingerprint authentication, and smart card authentication.  Don’t worry if you don’t know what each of those is; just notice that you have many different options to increase the security of your LastPass account.

I personally use a YubiKey to secure my account against theft.

One-time passwords

You may need to log into your account from an untrusted computer, such as a public computer or someone else’s machine.  This is dangerous since you do not know whether the computer has a keylogger installed.  To mitigate this risk, LastPass supports the use of one-time passwords: a captured one-time password is useless to the attacker because it cannot be used again.

One-time passwords are also useful to bypass your two-factor authentication in the off chance that you’ve lost or misplaced your two-factor authentication device or paper.

I always keep a sheet of 10 one-time passwords in a safe place.
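To show what the two “something you have” options above actually compute, here is an added example covering both the Google Authenticator codes mentioned under two-factor authentication and a printed sheet of one-time passwords like the one described here. It is my illustration, not LastPass’s implementation, and the function names are mine. The first half is the standard HOTP/TOTP algorithm (RFC 4226 and RFC 6238) that Google Authenticator uses; the second half generates a sheet of single-use codes, stores only their hashes, and consumes each code on first use so a keylogged copy cannot be replayed.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# --- Time-based codes (RFC 4226 HOTP / RFC 6238 TOTP), as used by Google Authenticator.


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock skew.

    Uses a constant-time comparison so timing does not leak which digits matched.
    """
    if at is None:
        at = time.time()
    counter = int(at) // 30
    return any(
        hmac.compare_digest(hotp(key, counter + d), code)
        for d in range(-window, window + 1)
    )


# --- Printed one-time backup codes, like a sheet of ten kept in a safe place.


def make_backup_codes(n: int = 10) -> tuple[list[str], set[str]]:
    """Return (codes to print for the user, hashes to keep on the server).

    Only the hashes are stored, so a stolen database does not reveal the codes.
    """
    codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: set[str], code: str) -> bool:
    """Succeeds at most once per code: a redeemed hash is removed from the store."""
    digest = hashlib.sha256(code.encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)
        return True
    return False


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC test key; real secrets are random
    print("current code:", totp(key))
    sheet, store = make_backup_codes()
    print("backup codes:", " ".join(sheet))
```

The TOTP verifier accepts one step either side of the current time; widen that window and you widen the replay opportunity for a code captured by a keylogger, which is why a code is only “one-time” in the loose sense and why the backup-code store must delete a code the moment it is used.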

Security check

LastPass provides what they call a security check feature.  It searches your saved credentials and gives you a score based on the difficulty of your passwords and password reuse.  It identifies sites that you use the same password on so you can change them to something unique or more difficult.

I make it a habit to go through this process every 3-4 months, since I have a tendency to be lazy.  I think of it as a security tuneup.

Form filling

LastPass can also fill forms for you.  Never again will you have to fill in complicated shipping address or registration forms.  It uses the same secure storage and synchronization routines to keep this data safe, so you can trust it with credit card numbers.

Phishing protection

LastPass knows all the URL rules that are hard for a human to know and recognize.  A human cannot distinguish http://pаypаl.com from http://paypal.com.  The former is actually a different site: its ‘a’ characters are Cyrillic, which are visually identical to the Latin ‘a’ in almost all fonts (a so-called homograph attack).  LastPass matches on the site’s real address rather than on what it looks like, and will only enter credentials on the real PayPal site.
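The check a password manager performs here is easy to state precisely, so here is an added example of the two pieces of it; this is my illustration, not LastPass’s code, and the function names are mine. First, a vault should fill credentials only when the scheme and the normalized host of the current page equal those of the saved entry, where “normalized” means lower-cased and converted to the ASCII (punycode) form that DNS actually uses. The Cyrillic look-alike then becomes an `xn--` name that can never compare equal to `paypal.com`. Second, a label that mixes scripts is itself a warning sign, which the last function flags.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed look-alike: the two 'a's are U+0430 CYRILLIC SMALL LETTER A.
LOOKALIKE_URL = "http://p\u0430yp\u0430l.com/login"
REAL_URL = "https://paypal.com/login"


def normalized_host(url: str) -> str:
    """Lower-case the host and convert it to its ASCII (IDNA/punycode) form.

    Unicode look-alike names become 'xn--...' labels and so can never be
    mistaken for the ASCII name they imitate.
    """
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii").lower()


def same_site(stored_url: str, page_url: str) -> bool:
    """Fill credentials only when scheme and normalized host match exactly."""
    a, b = urlsplit(stored_url), urlsplit(page_url)
    return a.scheme == b.scheme and normalized_host(stored_url) == normalized_host(page_url)


def scripts_in(label: str) -> set[str]:
    """Unicode scripts (first word of each letter's Unicode name) used in a label."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}


def is_homograph_suspect(url: str) -> bool:
    """True when any label of the host mixes scripts, e.g. Latin 'p y l' with Cyrillic 'a'."""
    host = urlsplit(url).hostname or ""
    return any(len(scripts_in(label)) > 1 for label in host.split("."))


if __name__ == "__main__":
    print(normalized_host(LOOKALIKE_URL))          # an xn-- name, not paypal.com
    print(same_site(REAL_URL, LOOKALIKE_URL))      # False: do not fill
    print(is_homograph_suspect(LOOKALIKE_URL))     # True: mixed scripts
```

Matching on the normalized host rather than the rendered string is the whole trick; a vault that compared what the address bar displays would be fooled exactly as a human is.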

Much more

  • Secure Notes
  • Offline Backup
  • Import and Export
  • Favorites
  • Sharing
  • Identities
  • History
  • Virtual Keyboard
  • Bookmarklets

You can find details about all I’ve discussed here and more in LastPass’s User Manual.


Sane Password Policies for Businesses

Most companies have password policies. It is a requirement in today’s world. They want to keep their systems and data safe and secure, and authentication through passwords brings accountability to their systems.

In reality, password policies in most businesses encourage behavior, such as sharing passwords or using unsafe passwords, that undermine what the policies were created to accomplish. Without knowing that only Joe can log in as “joe”, there is no accountability or security.

I have created a set of policies that are sane and encourage good behavior. In short, policies that are effective.

Many of these policies run counter to common-knowledge best practices. If you are in a regulated field such as government or healthcare, you may not be able to implement these policies due to current laws or requirements of credit card companies. I encourage you to think critically about your policies and implement my suggestions where appropriate.

Password policies for users

Do not require frequent password changes

Frequent password changes encourage bad behavior; for example, writing passwords down somewhere unsafe. A post-it note is the most common example.

Do not enforce password reuse policies

If an administrator has to change someone’s password in order to log in as them, a reuse policy means the user will not be able to change it back afterwards. This leads to the same bad behavior as if you required the user to change their password too frequently.

Do not require multiple passwords

This minimizes the risk that users will resort to post-its or insecure passwords. Use Single Sign-On technologies to keep the number of log-ins to a minimum. The purpose of passwords is user authentication, and users are already authenticated with the network when they log into their workstation.

Do forbid sharing of passwords or accounts

Accountability requires a one-to-one relationship between people and accounts.

Do require complex and long passwords

For passwords to be useful, they need to be secure and hard to crack. Long passwords make a bigger difference than complexity in cracking difficulty. This is even more important when you do not require your users to change passwords frequently.

Do provide help in selecting a strong, yet easy to remember password

Users are not equipped to think about passwords in a way that is effective. They need guidelines on how to select one that will not be a hardship when the policy is “16 characters and complex”. For this purpose, see my Password Best Practices post. You can download a PDF copy to distribute with a license that restricts alteration and requires attribution.

Password policies for administrators/help desk personnel

The same as above with the addition of:

Do not ever ask a user for their password

IT should set an example for users. If password sharing is forbidden, then asking users to violate that policy whenever it is convenient for IT teaches the wrong lesson. Use remote access tools to help your users. If you must log in as them and the user is unavailable, change the password rather than asking for it. With a sane password policy, it is rather trivial for users to change their passwords back.

Do use “user must change password on next login” flags

Most users will never change their password from “password.” Forcing them to change their passwords on next login will fix this vulnerability.

Do not use default passwords

Make sure that you authenticate users before giving them passwords; a default password will soon be known to everyone in the company. Authenticating users without passwords due to lost passwords, security lockouts, or IT password changes is just as important. I will cover this in a later post.

Password policies for service accounts/shared accounts

Try to minimize the use of shared accounts. Shared accounts limit accountability. If you think you need one, carefully think through the problem that needs to be solved. Sharing accounts usually indicates that there is an architectural problem.

Do require frequent password changes

Shared accounts and service accounts need scheduled password changes, since every company has personnel turnover. A password change resets the number of people with knowledge of the current password; change it immediately when someone who knew it leaves, and on a schedule otherwise. Any scheduled interval shorter than 90 days doesn’t make sense; six months to a year is more sane.

Do require different accounts for different purposes

The list of people who need access to a particular account will change over time in unpredictable ways. Separating accounts to particular uses ensures only the people who need access will have access.


Password best practices (part 1)

Why is this important?

With more and more of our personal information going into the “cloud” and one of the most common crimes being identity theft, account security is of the utmost importance. I’ll cover many different aspects of maintaining a secure presence online, but today am focusing on passwords.

Why is password security hard?

The human brain is not well equipped to handle good password security the way it handles physical security. That which makes passwords hard to crack also makes them hard to remember. For example, a good password following traditional advice is: TR9rIMwT^JXkns^&$XU&v9!x. Do we really have the capability to remember such a password? This is a problem almost everyone faces when dealing with password security.

What’s the solution?

The solution comes in two parts. This post will cover selecting a secure password that is both hard to crack and easy to remember. The technique is called “Password Haystacks” and comes courtesy of Steve Gibson of GRC.com.

Lifted from his site:

Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................
PrXyc.N(n4k77#L!eVdAfp9

You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two!

If you want a semi-technical explanation, go to GRC’s Haystacks page. If not, keep reading for my layman’s explanation below.

Steve did some number crunching and realized that when it comes to brute-force cracking, length almost always trumps complexity. If you have a minimum of complexity (at least one character from each of the uppercase, lowercase, number and symbol groups), the attacker has to try all 95 possible characters at every position, so every character you add to the length multiplies the work by 95, whether that character is memorable or gibberish. That is why the first password above, just one character longer though it looks simple, takes far longer to crack than the second.

Lets give some more examples:

3,People,Walk,Into,a,Bar

According to GRC’s calculator, it should take “9.38 hundred billion trillion centuries” to crack under the best circumstances. I’m sure you can remember that.

TR9rIM^w

According to GRC’s calculator, it should take “1.12 minutes” to crack. A very bad example.

You can even use something like your name:

1234567890DJ.is.the.greatest
76.43 million trillion trillion centuries

Maybe something even simpler:

God I love Hershey bars!
65.10 billion trillion centuries

Or add a number or two:

God I love Hershey bars!56
8.47 thousand trillion trillion centuries

Even better.

If you don’t like sentences, take one of the most common passwords, “monkey”:

*M0nkeySeeM0nkeyD0*
1.21 hundred trillion centuries

Or pad the password, as Steve suggests:

1234<>?monkey1234<>?
19.31 trillion centuries

Or, even this:

1!monkeymonkeymonkey1!
91.92 thousand trillion centuries

As you can see, there are many ways to create length without sacrificing rememberability.

To sum up: length, length, length. Having a longer password is drastically better than having a complicated password. Make your password long, easy to remember and easy to type. It’s one of the easiest ways to protect yourself online. One caveat: the Haystacks numbers assume an attacker who tries every possible combination. Crackers also try dictionary words, famous phrases and common patterns first, so pad a phrase that is yours rather than a well-known quotation.
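The arithmetic behind the Haystacks figures is short enough to reproduce, so here is an added example that does so; it is my code, not GRC’s, and the function names are mine. Following the Haystacks page, the alphabet is the sum of the character classes the password uses (26 upper, 26 lower, 10 digits, 33 symbols including space), an exhaustive search covers every length up to the password’s, and the “massive cracking array” scenario guesses one hundred trillion times per second. Run on the examples from this post it reproduces their figures, for instance about 67 seconds (1.12 minutes) for TR9rIM^w.

```python
import string

# Alphabet sizes used by GRC's Haystacks page.
CLASSES = {
    "upper": (set(string.ascii_uppercase), 26),
    "lower": (set(string.ascii_lowercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

# Guessing rates per second for the three Haystacks scenarios.
RATES = {
    "online": 1_000,                     # throttled attack against a live site
    "offline": 100_000_000_000,          # one fast machine against stolen hashes
    "massive": 100_000_000_000_000,      # "massive cracking array"
}
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Brute force must cover every class the password uses, at every position."""
    return sum(size for chars, size in CLASSES.values() if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Exhaustive search tries every length up to n: sum of a**i for i = 1..n."""
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def seconds_to_crack(password: str, scenario: str = "massive") -> float:
    """Worst case for the attacker: the whole search space at the scenario's rate."""
    return search_space(password) / RATES[scenario]


def centuries_to_crack(password: str, scenario: str = "massive") -> float:
    return seconds_to_crack(password, scenario) / SECONDS_PER_CENTURY


if __name__ == "__main__":
    for pw in ["TR9rIM^w", "PrXyc.N(n4k77#L!eVdAfp9", "D0g" + "." * 21,
               "3,People,Walk,Into,a,Bar", "*M0nkeySeeM0nkeyD0*"]:
        print(f"{pw:28s} {seconds_to_crack(pw):12.3g} s  {centuries_to_crack(pw):10.3g} centuries")
```

The output makes the post’s point directly: `D0g` plus 21 dots outscores the 23-character gibberish because it is one position longer, and `*M0nkeySeeM0nkeyD0*` lands at about 1.21 hundred trillion centuries as quoted above. Remember that these are brute-force figures only; a wordlist attack that guesses “monkey” as a unit does not pay the per-character cost.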

Do you want to see how your favorite password stacks up? Head over to GRC’s Haystacks page and see how long it takes to crack.

Coming next time

For a part two hint, head over to Lastpass’s site. We’ll be discovering how easy it is to have different passwords for each site in a secure, easy manner.


Hacker Rattles Internet Security Circles - NYTimes.com

These kinds of articles come out all the time and most of us ignore them. Often it’s because there isn’t much we can do in order to protect ourselves from things like this, or we don’t really know how.

Today, I’ll break down what the average computer user really needs to know about this hack, what it can do, and what they need to do about it.

For those who don’t like to read long posts, the short of it:

Update your OS and update your browser to the latest version. All major browsers and OSes have been updated to stop trusting the compromised certificate authority. I’ll be posting instructions later on how to do this with all versions of Windows that I support as well as OS X.

For the person wondering what this is all about:

What exactly is SSL/TLS?

It’s simple really: you use SSL whenever you go to a website with https: in the URL. You usually see a padlock in your browser and feel all warm inside knowing that you are safe.

How does SSL work?

There are these things called Root Certificate Authorities. Your browser trusts them, and they vouch, by issuing a certificate, that the website you are visiting is who it says it is. There is a lot of math and cryptography behind it all, but that’s the brass tacks, if you will.

What happened here?

A hacker (or hackers) broke into a Root Certificate Authority named DigiNotar, a Dutch company, and used its systems to issue certificates vouching that the attacker was, for example, google.com. Hundreds of such certificates were issued (a certificate is how a Root Certificate Authority vouches for a site, so the attacker obtained one for each site they wanted to impersonate).

How was this fixed?

All major browsers and OSes have removed DigiNotar from their list of trusted Root Certificate Authorities, so nothing it ever vouched for is trusted anymore. You’ll get a broken padlock or an error page if you visit a site presenting one of these certificates, fraudulent or not.

How could this have been used against me?

This particular hack required someone in the position we call Man-in-the-Middle: a party that can intercept your traffic on its way to the real site, such as your ISP or a national firewall (the Great Firewall of China, or Iran’s). In fact the fraudulent certificates were used against Internet users in Iran. There was little to worry about in the United States, provided you trust that your ISP isn’t attacking you.

Doesn’t that mean that the SSL model is flawed?

Yes. Any trusted root can vouch for any site, so if one at the top of this particular pyramid is compromised, the browser has no way of knowing on its own. This is a grim picture, but there are good people watching for these situations and also trying to come up with a better solution. In this case the rogue Google certificate was caught because Chrome “pins” the keys it expects for Google’s own sites and refused the impostor. These hacks are rare, and as long as we keep our software up to date we shouldn’t have to worry.

This was an overly simplified explanation of SSL and this hack in particular. I have tried to be correct in the overall if not in the particulars as that would make it harder to understand. Just remember to update your software regularly and you’ll be fine. If you need help with any software updates, I’m always a phone call away.
