Many everyday users may reckon that no news is good news in the security field, believing that not having been breached is a sign that their accounts are secure. In most cases, it may merely mean they haven't been noticed yet. Due to the nature of computers, without intervention on the part of the user or the service, any credentials can be cracked given enough time. A good password is often the difference between a password being broken in 20 attempts or 2^217.4. A modern computer can make a large number of attempts in a short amount of time, but 20 failed attempts will not attract much attention and 2^217.4 will, hopefully giving the user or system administrator a chance to correct the issue. If a password is bad enough, there's nothing even sophisticated services can do to prevent breaches, so it's important to learn to make passwords that are both memorable and hard to crack.
I've written previously on the subject of security, but this article will focus on passwords and credentials: how hackers break your passwords, how to create a good password, what else to do to increase security and what the future of security looks like. First though, here are some reminders that even professional organisations are open to breaches.
- Game of Thrones recently had the majority of its newest season leaked well in advance of their intended release, which may be due to one of HBO's partners releasing screeners without permission or one of their partners being breached.
- Tarantino decided to continue making the Hateful Eight, despite the fact that the entire script was posted online before filming got underway.
- In the office, posting passwords on a sticky note can lead to unfortunate consequences, like broadcasting them.
- Even in the world of espionage, bad practices can lead to unfortunate consequences (for the spies anyway).
- The recent iCloud photo debacle is currently believed to have been the result of attacks directed at celebrities.
- Even with sophisticated security breaches, bad practices can make the situation worse, like keeping passwords in an unlocked spreadsheet.
- If you need more, here's a list of the major hacks of 2013 and 2014.
It's tempting to assume that hackers are working on a level that the majority of users can't understand, but ignoring the terribly boring aspect behind a lot of it, often hackers simply work like confidence artists, using trust as a weapon. Unfortunately, there are a lot of methods that hackers employ, but this article will cover a few of the most common.
The most common way hackers gain access to an account is by asking the user for their credentials. Often, this involves sending phishing emails out with links to sites duplicating the appearance of a site the user trusts, which then requests the user sign into the false site. Once done, the hacker has the credentials entered into the site. In some cases, hackers may target specific users with more professionally created emails to dupe the user in a more complicated scam.
Other times, hackers may use phones; a common scam is to pretend to be technical support following up with a scheduled call or having detected a virus on the user's system. The instruction given over the phone typically involves installing malware, the nature of which is discussed in more detail in another section.
Another, simpler form of social engineering is to breach a trusted source and allow users to download their malware without suspicion. They can do this by gaining access to a developer's license on a platform like Apple's App Store or the Google Play Store (although such breaches have been rare thus far) or a more sophisticated technique like a masque attack. Once the malware is installed, it can do a number of detrimental things.
Some malware is more annoying than anything else, redirecting website traffic, changing the default search service or injecting ads onto pages the user visits, while other malware is more catastrophic and causes the computer to cease functioning. Where credentials are involved, however, what the hacker wants is access and information. In some cases, they may attempt to get it by locking down either the computer or browser and instructing the user to call a technical support number answered by a confederate. Obviously, this leads back to social engineering. In others, the malware will record every keystroke and report it back to the hacker, allowing them to learn the user's password for a variety of online services. Another common form of malware allows the hacker to either view the screen or simply control the device.
Obviously, in any of those cases, the hacker has more access to the user's computer than is desired. Some of these cases can be solved by running an antivirus program, but in others, it may be necessary to take the system offline or boot into the system's safe mode (which is present on every OS I've used for years). Regardless, it's a good bet that at least one service has been breached if malware is installed. This kind of access doesn't always require malware, however.
The software development cycle is sometimes rushed, leading to a released piece of software being basically a public beta. That being the case, flaws and software vulnerabilities are often present, allowing exploitation by those aware of them. There's not much to be said about this, other than that keeping software up to date is important, because updates will hopefully fix these issues. Large-scale vulnerabilities like Heartbleed will be the ones that end users hear about, unless they enjoy reading release notes. Both security experts and hackers are constantly vigilant for vulnerabilities, and hopefully they're addressed before they become a problem.
This is what hackers are famous for (and why they're more properly called crackers). There are two common methods: exploiting personal information and brute force attacks.
By looking at your public profiles online, public records, articles about you and any other public presence you maintain or forgot about, hackers can figure out the kind of personal information frequently used in passwords: birthdays, pet names, spouses, places of birth, first car, maybe even the first person you kissed if you kept a LiveJournal or Myspace page. They can use this information, together with lists of extremely common passwords, to crack a great many passwords, even ones that use substitute characters or are interspersed with special characters and the like. They usually employ complex algorithms based on their research and sets of common passwords before simply trying every possible option.
Given enough time, a computer can go through every single possible combination of characters and break any password. Hopefully hackers don't have this kind of time, but the inevitability of a password being cracked bears a closer examination.
Entropy in this case refers not to the heat death of the universe, but rather to the difficulty of cracking a password. There are sites to measure the effective entropy of a password like this one. Don't put your actual password into any site like that; don't trust a website with your credentials if you don't have to. Instead, use it as a tool to learn how to create a strong password. Although the website doesn't tell you, it's trying to measure the entropy of the password entered. Password entropy is a measure of the estimated number of attempts needed to find a password through random guessing. It has this formula: L × log2(N), where L is the length of the password and N is the number of possible characters. Increasing L by any whole number is going to be more effective than increasing N by that same number. The point being, you should include a number, both cases and a special character, but spend more time increasing the length of the password. The common advice now is to create password phrases, because a memorable phrase will be more effective than a short, random password. The phrase shouldn't be related to something you love or anything to do with your personal life. Facebook knows what you like better than you do.
Examples: SeanConnery(bond)was#1tilCraig (145.9 bits), MountainDewhas54mgCaffeine/floz (158.8 bits), Henryhad6wives,divorced,beheadedandwidowed (217.4 bits)
That last password would take 2^217.4 random attempts to guess. There are a lot of things that should happen before that.
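The entropy formula above, worked through in code. This is an added example, not the calculator the article links to: it assumes the 95 printable ASCII characters as the pool (26 lowercase, 26 uppercase, 10 digits, 33 punctuation and space), infers N from the character classes a password actually uses, and adds a constructed guessing rate to turn bits into time. The sample passwords and the 1e10 guesses/second figure are constructed for illustration, so the bit counts will not match the site's numbers for the phrases listed above.

```python
import math
import string

# Character classes and the pool size each contributes. Assumed here: the
# 95 printable ASCII characters; a web calculator may count differently.
CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
)

def pool_size(password: str) -> int:
    """N: the character set an attacker must assume, inferred from which
    classes actually appear in the password."""
    chars = set(password)
    return sum(size for cls, size in CLASSES if chars & cls)

def entropy_bits(password: str) -> float:
    """The article's formula L * log2(N): bits of brute-force search space."""
    n = pool_size(password)
    return len(password) * math.log2(n) if n else 0.0

def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed guessing rate
    (1e10/s is a constructed figure, roughly an offline attack on a fast hash)."""
    return 2.0 ** bits / guesses_per_second

def length_vs_pool(length: int, pool: int, k: int = 1) -> tuple[float, float]:
    """Bits gained by adding k characters versus adding k symbols to the pool,
    which is why length is the better investment."""
    base = length * math.log2(pool)
    return ((length + k) * math.log2(pool) - base,
            length * math.log2(pool + k) - base)

if __name__ == "__main__":
    # Constructed samples: same length with different pools, then a long lowercase phrase.
    for pw in ("password", "P@ssw0rd", "henryhadsixwivesdivorcedbeheaded"):
        bits = entropy_bits(pw)
        print(f"{pw:34s} N={pool_size(pw):3d}  {bits:6.1f} bits  "
              f"{seconds_to_exhaust(bits) / 86400:.3g} days at 1e10/s")
    print("gain from +1 length vs +1 pool (L=8, N=26):", length_vs_pool(8, 26))
```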
What Services can do
There are a few things web administrators have done to foil brute force attacks. Accounts can be locked, requiring a password reset before they can be used. If someone is trying to hack your account and the account is locked, you'd have to contact technical support to unlock your account, every time they tried. The only way to fully stop them is to change your username (and hope they don't acquire the new one).
Limiting access is typically a more effective solution; when an account is accessed from a new location, some services require the user to confirm that access from a previously recognised device or to answer a security question, effectively increasing the entropy; this can at least slow hackers down. Many of the other, less intrusive solutions administrators use are focused on simply slowing down hackers, and considering how fast computers can operate, that's a good thing. Again, a breach may seem inevitable.
Update Passwords regularly
Once you have a good password, the only other thing to do is assume that you'll be breached eventually, even if it's not your fault. So, create new passwords on a regular basis and instead of cycling them, make fresh passwords. If a password has been used previously, it's safer to assume it was breached and someone, somewhere has it associated with your accounts.
The alternative is to use a password manager. It will create passwords that use the maximum length and the largest character set a given service allows, store the credential set and enter it for you when you go to use that service, while only requiring you to remember one password. Of course, if you lose access to that program, you'll be spending an afternoon resetting every password, assuming you can regain access at all. It's certainly alarming to think of what would happen if a hacker got access to the program.
Replacements for Passwords
Passwords are beginning to fall out of favour, despite their current ubiquity. Password entropy hasn't increased much over the years, but computational power has. There are a lot of replacements, like biometric security. Biometric security includes fingerprints, DNA, retinal scans and the like. Biometrics have the benefit of usually being unique, always being on hand and being difficult to forget, but they are impossible to change, and it is possible to steal biometric data. Thieves hopefully won't take your fingers, but they can simply copy the data of your fingerprint and enter it digitally. By itself, biometric security is fairly worthless.
The best solution is a combination of solutions. The combination of biometric and password authentication has a much larger entropy than either alone. Biometrics require hardware, however, which is inconvenient. Other two-step verification systems already exist, fortunately.
A good two-step verification will involve either a dongle that can be attached to a key chain or a program installed on a secure device like a phone. The server is synced with the device or program at the point where the system authorises it. After that, the program will algorithmically generate a code (usually around 10 characters) based on the time. That's not much entropy, but because the codes are valid for only a short period of time, it's very difficult to guess the code in that period of time and if both the code and the password are unknown, it should be impossible. It is possible to reverse engineer the algorithm with enough data from the program, so it's important to keep the device free of malware and keep the device safe.
Other new solutions include NFC (Near Field Communication), which is basically swiping your phone through a scanner. The benefit of this is that the amount of data and increase in entropy is limited only by the hardware involved; the downside is that it requires your phone, a scanner and can doubtless be spoofed, particularly if a hacker can crack your phone. There are similar technologies based on QR codes and cameras. They're both basically hardware implementations of two-step verification.
While many suggest adopting new technologies in lieu of passwords, most likely they'll be two-step verification. Also to be considered is the cost of these new measures; almost everything proposed currently costs more money, so unless a sizeable number of services settle on a de facto standard, it's unlikely that small online services will use anything hardware based. Hopefully, a better solution will arrive, but in the meantime, come up with some good phrases and turn on two-step verification wherever possible.