
Archive for the Category »passwords«

Don’t reuse passwords!

If you’re a Twitter user you may have noticed that this week you were forced to change your password. Why? Because so many people use the same password on multiple sites that Twitter accounts were getting hacked as a result. It turns out that some nefarious people were setting up other sites that required users to create usernames and passwords, specifically to collect those passwords and try them on other sites! Please, please, please, do not use the same password on more than one site!

Use a password generator, store your passwords in secure software or a secure Web site, or create a passphrase that you can vary on a site-by-site basis. I don’t care how you do it, just use a different password on different sites. Still going to be lazy about this? Then at least use a different password for the really important stuff like your bank account.

Cross-posted on the ITART blog, The Travelin’ Librarian, and the NLC blog.

Security: Unclear on the Concept

I recently accepted SallieMae’s constant suggestions that I should switch to receiving all of their communications via e-mail instead of paper mail. (I was holding out for a small decrease in my outstanding debt since I’d be saving them a lot in postage over the next 15 years, but we never did see eye to eye on that one.) Anyway, today I received my first "official" e-communication from them. It was a simple e-mail telling me that my account had been updated and my new bill was available for viewing on their Web site. So far, so good.

Attached was a 48k PDF file. Using Outlook 2007 I clicked on the attachment to preview it. This failed for an unspecified reason. So, I double-clicked the attached file to open it in Adobe Reader. At this point I was prompted for a password. I drew a blank. But then something made me try my Social Security Number as the password and voilà, the document opened. It was the exact same text that was in the body of the e-mail message, but this one was on SallieMae letterhead.

WTF? Either send me something that deserves to be behind a password or don’t. Don’t send me text "protected" by a password that’s also being sent in the clear in a standard unsecured e-mail message.

SallieMae, just what point are you trying to make here?

The unintended consequences of large-scale storage

Jeff Atwood over at Coding Horror has posted about something called Rainbow Tables. Now, I don’t want to turn this blog into a discussion of encryption so let me boil it down for you.

Windows passwords are not stored in plain text but as “hashes”. When you enter your password, Windows hashes it for you and compares the result to the stored hash. If it matches, you’re let in. If it doesn’t, you’re not. There’s no way to turn the hash back into your password in any reasonable amount of time, if at all, so this is considered a secure method of storage.

The problem now is that you can get a database of pre-hashed content. Known as rainbow tables, these are basically tables with just two columns: in the first, a word (or other combination of letters), and in the second, the matching hash. Now, if you have a hash, you can look it up in the table and see what the original password is. In other words, it’s not decrypting the hash, it’s hashing all possible passwords in advance.

This is such a simple hack. So, why is it coming to light now? Well, the problem is large-scale portable storage. In the past, tables such as these were considered too big to bring to the computer you’re trying to hack. But these days, a 1GB flash drive would allow you to carry a rainbow table that covered all conceivable passwords between one and 14 characters in length containing just English letters. Here’s Jeff’s chart showing example storage requirements:

(Chart: Rainbow Table storage requirements)

If you’re suddenly not worried about a Rainbow Table measuring 64GB, I’ve got a 500GB portable USB hard drive I’d like to show you.

Here’s the bottom line: in Jeff’s example, the password “Fgpyyih804423” (one that’s probably a hell of a lot stronger than any password you use) was broken in just 160 seconds using a rainbow table.
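To make the two-column-table idea concrete, here is an added example (not from Jeff’s post or this blog) that precomputes the table for a tiny lowercase keyspace, recovers a stored unsalted hash by lookup, and then shows why a per-user random salt makes the same precomputed table useless. It assumes SHA-256 as a stand-in for the Windows hash; the keyspace size function also reproduces the kind of arithmetic behind the storage chart.

```python
import hashlib
import itertools
import os
import string

ALPHABET = string.ascii_lowercase
MAX_LEN = 3  # toy keyspace: 26 + 26^2 + 26^3 = 18,278 candidate passwords


def keyspace_size(alphabet_size: int, max_len: int) -> int:
    """Number of passwords of length 1..max_len over the alphabet (one table row each)."""
    return sum(alphabet_size ** length for length in range(1, max_len + 1))


def hash_password(password: str, salt: bytes = b"") -> str:
    """SHA-256 over salt||password; assumed stand-in for the Windows hash the post describes."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(alphabet: str = ALPHABET, max_len: int = MAX_LEN) -> dict:
    """Precompute the post's two-column table, keyed by hash so recovery is one lookup."""
    table = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            password = "".join(chars)
            table[hash_password(password)] = password
    return table


def lookup(table: dict, stored_hash: str):
    """Return the password behind a stored hash, or None if it is not in the table."""
    return table.get(stored_hash)


def demo():
    table = build_lookup_table()
    # Constructed sample: an unsalted stored hash of a short lowercase password.
    unsalted_hash = hash_password("cat")
    recovered = lookup(table, unsalted_hash)  # the table hands back 'cat' instantly
    # Defence: a random per-user salt changes the hash input, so the precomputed
    # table no longer matches; an attacker would need a fresh table per salt value.
    salt = os.urandom(16)
    salted_hash = hash_password("cat", salt)
    not_recovered = lookup(table, salted_hash)  # None: precomputation defeated
    return recovered, not_recovered


if __name__ == "__main__":
    print(keyspace_size(len(ALPHABET), MAX_LEN), demo())
```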