Yay security again!

Someone on Twitter was saying (in response to the Ashley Madison hack, I believe) that every site should just store user passwords in a plain text file to force people to use different passwords for everything.

THIS is exactly the sort of nonsense I was talking about in my earlier security-related blog post.

Sure, things are technically more secure if you don't re-use passwords. But for the average person that isn't really a sensible demand. People will forget. Interestingly, a few days ago I was reading an article about a Russian individual who was heavily involved in identity theft schemes. The interesting part of the article was that a lot of the time the scam amounted to generating fake charges, calling up to dispute them and, in the process, taking over control of the account. The individual in the article spoke fluent English with a minimal accent, while someone else would supply the answers to the security questions.

Where this is going is this: there are 2 ways for a person with an average or below average memory to manage a boat load of passwords. Not remembering them and frequently having your password reset, or storing a file full of passwords somewhere (typically unprotected). The problem with the first one is, if you expect to forget your passwords frequently, you'll likely overcompensate by making your security questions all the easier to remember. And since hijacking these fallback security measures is often the easiest way for a hacker to gain access, that is definitely bad. Even worse, many of these sites restrict your security questions to lame and easily discoverable sorts of information ("what is your mother's maiden name?", "where did you grow up?", etc...). Stuff a hacker could probably easily coax out of an individual in casual conversation if they knew what they were looking for or, worse, could be learned from the parts of your Facebook page that are open to the public.

So, clearly, having the average person attempt to memorize passwords for all of the distinct sites that they visit is out of the question. Which means, if people want to use unique passwords everywhere, and there is an ever growing number of sites and services using them, then the best bet is a central password repository. But the problem here is simple... even IF it is encrypted, it still means that all of those unique passwords could be cracked at once by getting into your password repo. And if that repository is stored or synced to the cloud (and let's face it, that is pretty common these days)... VOILA!!!! It is centrally located somewhere that a hacker might be able to start poking around.

Now, the odds of a hacker attempting to crack such a password depend on a number of things. For the average person, you're not likely to be an explicit target. But the site or application that stores your passwords may be. And here we hit another conundrum: the most trustworthy will also be the most popular, and the most popular are the most likely to be targeted. If you decide to avoid the mainstream password protection applications, you may simply be installing a scam application designed explicitly to steal your passwords.

And the second the first major breach of that sort happens, you'll have people crawling out of the woodwork stating that storing your passwords anywhere but your head is idiotic, but with either no direction on uniqueness or the nonsensical claim that every site should also have a unique password.

My suggestion is simple (and I'll admit, not universally applicable). I use similar passwords for similar sites, except for critical things like banking. Email accounts will share a password, social networks will share a password, and so on. If someone hacks my Twitter account and can then incidentally hack my Facebook account... that sucks, sure, but one social network being hacked isn't much better than 2+. And it is a hell of a lot better than someone gaining access to my emails or banking info simply because they cracked my FB password.

The other important thing is to create moderately complex passwords that aren't linked to things you would bring up in small talk or that are related to important moments for you. Names of anyone in your family, your honeymoon destination, your house #, etc... should NEVER make an appearance in your passwords. Also, include mixed case, symbols and numbers, even if the placement is predictable or consistent across your passwords (with the exception of replacing letters with equivalent #'s, like zeroes instead of O's, since many dictionary-based brute force attacks will include those variations, same with common misspellings). Basically, including those elements automatically increases the complexity of the brute force methods that are required to crack your password. They also make it harder, even for people who know you, to guess your password.
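To make the two claims in that paragraph concrete (character classes enlarge the brute force search space, but letter-for-digit swaps on a dictionary word barely help because rule-based guessers already try them), here is a small strength estimator. It is an added example, not code from the post or its author. The word list, the "personal facts" list and the leet substitution table are constructed sample data, and the effective-strength model (dictionary size times one bit per swappable letter plus one bit for capitalisation) is a deliberately simple assumption rather than a measurement of any real cracking tool.

```python
import math
import string

# Constructed sample data (not from the post): a tiny "dictionary" of common
# passwords and a few hypothetical personal facts of the kind the post says
# should never appear in a password (pet name, honeymoon city, house number).
WORDLIST = {"password", "monkey", "dragon", "letmein",
            "sunshine", "welcome", "football", "qwerty"}
PERSONAL_TERMS = {"fluffy", "paris", "1984"}

# Letter-for-digit/symbol swaps that dictionary rule sets routinely try.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
        "7": "t", "@": "a", "$": "s", "!": "i"}
SUBSTITUTABLE = set(LEET.values())
SYMBOLS = string.punctuation  # 32 printable ASCII symbols


def charset_bits(pw: str) -> float:
    """Naive strength: len(pw) * log2(alphabet), alphabet = union of classes used.
    This is the number the 'mixed case, symbols and numbers' advice improves."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return len(pw) * math.log2(size) if size else 0.0


def normalize(pw: str) -> str:
    """Undo the common swaps and case, giving the base word a guesser starts from."""
    return "".join(LEET.get(c, c) for c in pw).lower()


def effective_bits(pw: str) -> float:
    """Assumed attacker model: try every dictionary word with every combination of
    swap/no-swap per swappable letter and capitalised/not. If the base word is in
    the dictionary, the work is log2(|dict|) + swappable letters + 1; otherwise
    fall back to the charset estimate."""
    base = normalize(pw)
    if base in WORDLIST:
        variant_bits = sum(1 for c in base if c in SUBSTITUTABLE) + 1
        return math.log2(len(WORDLIST)) + variant_bits
    return charset_bits(pw)


def personal_info_hits(pw: str) -> list:
    """Personal terms found in the password, checked both raw and de-leeted."""
    haystacks = (pw.lower(), normalize(pw))
    return sorted(t for t in PERSONAL_TERMS if any(t in h for h in haystacks))


def assess(pw: str) -> dict:
    """Summary a strength meter would show for one candidate password."""
    return {
        "charset_bits": round(charset_bits(pw), 1),
        "effective_bits": round(effective_bits(pw), 1),
        "personal_hits": personal_info_hits(pw),
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Fluffy1984!", "Tq7!mZ2#vL"):
        print(candidate, assess(candidate))
```

Running it shows the point of the paragraph: "P@ssw0rd" scores about 52 bits on character classes alone but only 8 bits once you assume the attacker tries the obvious swaps on a dictionary word, while a password of the same classes that is not a dressed-up word keeps its full charset estimate.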

Next, for security questions, I always find that the best tactic is to choose any question and simply provide the same answer for all of them, whether it is actually a valid answer to the question or not. So, if you select "What is your mother's maiden name?", you might answer "goat feet". If you use the same ridiculous answer for security questions on all sites, you don't need to worry about remembering the answer to the actual security question, and you don't need to worry about people phishing for your mother's maiden name (unless she was, unfortunately, Ms. Goat Feet in her younger years).

It's still possible someone might hack the internal database with the answers to the security questions, but then you're probably looking at an inside job anyway.
