This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.
Two-factor authentication is one of the best things you can do to make sure your accounts don’t get hacked. We’ve talked about it a bit before, but here’s a list of all the popular services that offer it, and where you should go to turn it on right now.
Read the full list @ Lifehacker.
On a certain level, I’d love to own a copy of this. I’d shelve it right next to my first edition of A Million Random Digits with 100,000 Normal Deviates.
In summer 2012 the social network LinkedIn.com got hacked and lost its whole user database. A few months later parts of the decrypted password list surfaced on the Internet. These eight volumes contain 4.7 million LinkedIn clear text user passwords printed in alphabetical order. Visitors are invited to look up their own password.
Read the full article @ Dataform.de.
The folks at LastPass have a simple way to search the database of hacked passwords (and password hints) released by the recent Adobe hack. Please check, and change accordingly. (Mine was and I did.)
You may have a great password but what I get out of this article is the following: turn on two-factor authentication if at all possible!
In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.
Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.
The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that “5f4dcc3b5aa765d61d8327deb882cf99” and “7c6a180b36896a0a8c02787eeafb0e4c” are the MD5 hashes for “password” and “password1” respectively. (For more details on password hashing, see the earlier Ars feature “Why passwords have never been weaker—and crackers have never been stronger.”)
While Anderson’s 47-percent success rate is impressive, it’s minuscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. To put it mildly, they didn’t disappoint. Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.
Read the full article @ arstechnica.com.
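The two MD5 values quoted in the Ars excerpt are the only page-specific data below; the rest is an added example (not Ars’ or the crackers’ code) showing why an unsalted fast hash lets one precomputed table answer every hash in a dump, and what the storage should look like instead (per-account random salt plus a slow, deliberately expensive PBKDF2; the round count is an assumed work factor).

```python
import hashlib
import hmac
import os

# The two MD5 hashes quoted in the Ars article and the plaintexts the
# article says they correspond to. Everything else in this file is constructed.
ARS_HASHES = {
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",
    "7c6a180b36896a0a8c02787eeafb0e4c": "password1",
}


def md5_hex(plaintext):
    """Unsalted MD5, as the leaked list used it: one cheap hash per guess."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def unsalted_lookup(leaked_hashes, wordlist):
    """Why unsalted fast hashes fall so quickly: a single hash->word table,
    built once from the wordlist, resolves every hash in the dump with one probe."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table.get(h) for h in leaked_hashes}


# --- How a site should store passwords instead: random salt + slow KDF ---
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune so one check takes ~100 ms


def store_password(plaintext):
    """Return (salt, derived_key). The salt is random per account, so the
    one-table-for-everyone shortcut above no longer applies."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_password(plaintext, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, key)


def salted_records_differ(plaintext):
    """Same password on two accounts yields two different stored keys."""
    _, key1 = store_password(plaintext)
    _, key2 = store_password(plaintext)
    return key1 != key2
```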
LivingSocial, the daily deals site owned in part by Amazon, has suffered a massive cyber attack on its computer systems, which an email from CEO Tim O’Shaughnessy — just sent to employees and obtained by AllThingsD.com — said resulted in “unauthorized access to some customer data from our servers.”
The breach has impacted 50 million customers of the Washington, D.C.-based company, who will now be required to reset their passwords. All of LivingSocial’s countries across the world appear to have been affected, except in Thailand, Korea, Indonesia and the Philippines, as LivingSocial units Ticketmonster and Ensogo there were on separate systems.
One positive note in a not-so-positive situation: The email sent to employees and customers noted that neither customer credit card nor merchant financial information was accessed in the cyber attack.
Read the full article on AllThingsD.
Not “me,” but Nate Anderson. Trouble is, it’s easier than you think.
At the beginning of a sunny Monday morning earlier this month, I had never cracked a password. By the end of the day, I had cracked 8,000. Even though I knew password cracking was easy, I didn’t know it was ridiculously easy—well, ridiculously easy once I overcame the urge to bash my laptop with a sledgehammer and finally figured out what I was doing.
My journey into the Dark-ish Side began during a chat with our security editor, Dan Goodin, who remarked in an offhand fashion that cracking passwords was approaching entry-level “script kiddie stuff.” This got me thinking, because—though I understand password cracking conceptually—I can’t hack my way out of the proverbial paper bag. I’m the very definition of a “script kiddie,” someone who needs the simplified and automated tools created by others to mount attacks that he couldn’t manage if left to his own devices. Sure, in a moment of poor decision-making in college, I once logged into port 25 of our school’s unguarded e-mail server and faked a prank message to another student—but that was the extent of my black hat activities. If cracking passwords were truly a script kiddie activity, I was perfectly placed to test that assertion.
It sounded like an interesting challenge. Could I, using only free tools and the resources of the Internet, successfully:
- Find a set of passwords to crack
- Find a password cracker
- Find a set of high-quality wordlists and
- Get them all running on commodity laptop hardware in order to
- Successfully crack at least one password
- In less than a day of work?
I could. And I walked away from the experiment with a visceral sense of password fragility. Watching your own password fall in less than a second is the sort of online security lesson everyone should learn at least once—and it provides a free education in how to build a better password.
Read the full article @ ArsTechnica.com.
During my TechTalk webinar yesterday I mentioned, yet again, the need for good passwords. In the past I’ve shown sites that will create a good password for you, and sites that will rank how good, or bad, your password is. But yesterday I demoed HowSecureIsMyPassword.net. Instead of telling you whether your password is good or bad, it tells you how long it would take a desktop computer to crack your password.
For example if I enter one of my standard 10 character passwords it tells me that it would take about 163 days to crack. Adding just one character of punctuation to that password (adding, not replacing, to make it an 11 character password) changes that result to 1,000 years. It’s still telling you how good or bad your password is but doing so in a very different way.
So, what’s the breakthrough? Already this morning I’ve had two of my co-workers who attended the webinar come into my office and tell me that they’d used the site and how good, or bad, their passwords were and how they were glad that they had already changed them or would be doing so today. I’ve also heard other conversation about passwords from down the hall with other co-workers.
So, if you’ve been having “the conversation” about passwords in your library and feel like you’re not getting anywhere, try showing them HowSecureIsMyPassword.net and let me know if you get the same results.
First, there’s a new Common Craft making the rounds about secure passwords. Then yesterday I saw my friend Bobbi Newman’s blog post How to Create a Secure Password. I didn’t necessarily want to give everyone “the talk” about passwords as part of my 30×30 exercise but one suggestion of Bobbi’s set me off: change your passwords every six months. Sorry, but no.
Full disclosure: As a state employee I have to change my login password every 90 days. Given the choice I’d rather have to change it every six months but I still disagree with the concept.
I’ll keep this simple: having people change their passwords ends up causing either or both of the following problems:
This has been known for decades. Check out this quote from UNIX System Readings and Applications, Volume II published in 1987:
“[password aging] only forces people to toggle back and forth between two passwords. This is not a great gain in security, especially if it encourages the use of less-than-ideal passwords.”
I agree with everything else Bobbi and Common Craft have to say about passwords. So let’s focus on convincing people that creating several/many good passwords is worth the time and effort and not make them worry about the fact that they’ll have to do it all over again in a few months.
If you’re a Twitter user you may have noticed that this week you might have been forced to change your password. Why? Because so many people use the same password for multiple sites that Twitter was getting hacked as a result. Turns out that some nefarious people were setting up other sites that required users to create usernames and passwords specifically to collect those passwords and try using them on other sites! Please, please, please, do not use the same password on more than one site!
Use a password generator, store your passwords in some secure software or Web site, create a passphrase that you can modify on a site-by-site basis. I don’t care how you do it, just use a different password on different sites. Still going to be lazy about this? Then at least use a different password on the really important stuff like your bank account.