Protect your passwords!

Another day, another list of (hashed) account passwords stolen from an online forum. Attacks like this are pretty much routine these days. Luckily, password breaches are one of those cases where you, as a user, can prevent the fallout from affecting you. Here's how.

What gets stolen?

All services- forums, social networks, games, etc.- that allow you to sign in must have a record somewhere of who is allowed to sign in and what credentials will be accepted.

That means that somewhere on a server, there will be a table with a row like "UserName, EmailAddress, HashedPassword" for each user, you among them.

It is these tables that get stolen, usually by exploiting flaws in server-side software tools, but sometimes by conning an employee into giving up the admin password.

How do the bad guys use that data?

Your password is almost never stored in plain text. Rather, when you sign up for a service, your password is "salted"- a bit of random data is tacked on the end. (Some badly designed systems skip the salt, making the task of guessing the passwords somewhat faster.) The salted password is "hashed"- in other words, it is run through a one-way mathematical function that yields a string of gibberish. Calculating the gibberish from the password is easy, but doing the reverse is nearly impossible. The hashed, salted password is what gets saved in the table of users.

When you go to sign in to the service, the password you enter is salted (with the same salt) and hashed (with the same algorithm). If the result matches your line of the users table, you're allowed in.

Now let's pretend we're a group of bad guys who've stolen a copy of some site's table of users. (Or, like the reporter who wrote this excellent Ars Technica piece, we could do it for real with actual user data found on a 'cybercrime for newbies' forum.) We have email addresses, default usernames, and a string of gibberish for each. We want to do something profitable with that data.

It turns out that most people use simple, easy-to-guess passwords from a relatively short list. If we take some lists of common passwords, some rules people often use to create passwords (eg. l337speak) and a nice fast computer, we can just start guessing. It goes something like:

  1. Use the word lists and rules to create a candidate password.
  2. Hash it using the same algorithm used by the site you stole the table of users from.
  3. See if the hash matches anything in the table.
  4. Repeat until you get bored.

Now we have a list of emails, their default usernames, and their passwords. We're doing all of this offline, on our own machine, so the server won't see thousands of bad login attempts that would set off a red flag.

We can now try those same credentials on other sites- PayPal, for example, or Gmail, or Ebay,  or perhaps the major banks. Or we could sell the list to someone who needs a bunch of accounts for their own criminal activities. There are entire hidden communities dedicated to this kind of cracking, and there's plenty of money in cyber crime to justify the risk of getting caught.

And if my account is on such a list?

Then at least a few criminal organizations have access to your account on the site that was compromised.

But, more importantly, if you've used that same password elsewhere, the same crooks now control your accounts on other services, too.

So how do I protect myself?

Don't re-use passwords. Just don't. One password for one service, period. They should be long enough and complicated enough that they'll be hard for a computer to guess. So anything less than eight characters is out, any one word from the dictionary is out, and replacing letters with numbers is out.

As long as you aren't re-using your passwords, any one site's security breach will be contained to that one site. The credentials the bad guys manage to extract will be useless anywhere else.

Have I mentioned that you should never re-use the same password on multiple sites?

But I can't remember so many passwords!

That's OK, no-one can. That's why we have KeePass, KeePassX, LastPass, 1Password, and many other tools that keep your "keyring" of passwords safely locked up under a few hundred thousand rounds of AES256 encryption (the same technology the CIA uses to protect stuff stamped "Top Secret").

The master passphrase that unlocks the keyring must, of course, be very secure indeed, and you must never tell it to anybody. A phrase from a book, or better yet a string of four or five random words (possibly from different languages), is a good choice.

Now you've gone from remembering 94* different passwords like "i<3cat$" to remembering one long, complex, but easy to remember- because it's real words, and you use it a lot- passphrase.

What's more, since you don't have to memorize the individual passwords to each account, those passwords can be truly random things like "GlWf7c8M7swo0Mmw5qMQ", which the bad guys will have a hell of a hard time guessing no matter how much computer power they throw at it.

* No joke. I have nearly a hundred KeePass entries and I am far from being an outlier. Think about how many tech support forums you've used only a couple of times, or vendors you only use once a year and have to submit a password reset for every time you go there.

This is not hard

Installing and setting up KeePass (or something similar) is no harder than installing any other piece of stand-alone software. Logging in to every single account you use to set the new passwords is a bit tedious,. but not difficult.

In KeePass, if you set the title of each entry to something that appears in the title bar of the Web site it's used on, just hitting Ctrl Alt A will automatically look up and enter the appropriate login for every site you use. (No more forgetting the password from that one specialist vendor you used two years ago and now need to buy from again.) LastPass, 1Password and others have similar features.

The most challenging part is synchronizing your password database between devices. Some folks like Dropbox for this (it's perfectly OK to put a heavily-encrypted password database in the relatively insecure Dropbox). Others prefer password managers that sync themselves over the web. Use whatever works for you, as long as it's well protected by strong encryption and a long, non-guessable passphrase.




Add new comment