Hardly a day goes by without a news report somewhere about hackers breaking into one system or another. The biggest single factor that most of these break-ins have in common is that the system or network was protected with a weak password.
[I] Jun 11 4:22:52 [180.254.42.142:49523][ID]SMTP Server: AUTH failed, username postmaster, password Password1
[I] Jun 11 4:22:54 [180.254.42.142:49949][ID]SMTP Server: AUTH failed, username postmaster, password p@ssw0rd
[I] Jun 11 4:22:58 [180.254.42.142:50433][ID]SMTP Server: AUTH failed, username postmaster, password password
[I] Jun 11 4:23:02 [180.254.42.142:50836][ID]SMTP Server: AUTH failed, username postmaster, password password123
[I] Jun 11 4:23:05 [180.254.42.142:51042][ID]SMTP Server: AUTH failed, username postmaster, password support
[I] Jun 11 4:23:10 [180.254.42.142:51480][ID]SMTP Server: AUTH failed, username postmaster, password qwerty
[I] Jun 11 4:23:12 [180.254.42.142:51703][ID]SMTP Server: AUTH failed, username postmaster, password qwerty1
[I] Jun 11 4:23:31 [180.254.42.142:53388][ID]SMTP Server: AUTH failed, username postmaster, password changeme
Shown above is a short log snippet from a few days ago. All of these failed login attempts happened in less than 45 seconds. They originated in Indonesia. Our log files are full of similar attempts from Russia, China, Vietnam, and other countries as well.
“Postmaster” is a common mailbox name, which is why the hacker chose this name. As you can see, they ran through a series of very simple password variants. You’d probably be surprised at how many folks actually use “password” or some variation for their password.
The bad guys don’t type these attempts in. They use computers to work through all the possible password combinations. Because a lot of people use words for their passwords, the bad guys will work their way through a dictionary list, hence the origin of the term “dictionary attack”.
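The burst in the log above is exactly the pattern a mail administrator can alert on. The following is an added example, not code from the original post: it parses lines in the same format as the snippet (the first six sample lines are quoted from it; the last line is a constructed single failure from a documentation address, included to show it does not trigger) and flags any source address and username with five or more AUTH failures inside a 60-second window. The threshold and window are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Six lines quoted from the post's log; the last is constructed (203.0.113.5 is a
# documentation address) so the output shows a lone failure does NOT alert.
SAMPLE_LOG = """\
[I] Jun 11 4:22:52 [180.254.42.142:49523][ID]SMTP Server: AUTH failed, username postmaster, password Password1
[I] Jun 11 4:22:54 [180.254.42.142:49949][ID]SMTP Server: AUTH failed, username postmaster, password p@ssw0rd
[I] Jun 11 4:22:58 [180.254.42.142:50433][ID]SMTP Server: AUTH failed, username postmaster, password password
[I] Jun 11 4:23:02 [180.254.42.142:50836][ID]SMTP Server: AUTH failed, username postmaster, password password123
[I] Jun 11 4:23:05 [180.254.42.142:51042][ID]SMTP Server: AUTH failed, username postmaster, password support
[I] Jun 11 4:23:31 [180.254.42.142:53388][ID]SMTP Server: AUTH failed, username postmaster, password changeme
[I] Jun 11 4:25:00 [203.0.113.5:40001][ID]SMTP Server: AUTH failed, username alice, password tempest
"""

LINE_RE = re.compile(
    r"^\[I\] (?P<ts>\w{3} \d{1,2} \d{1,2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[\d.]+):\d+\]\[ID\]SMTP Server: AUTH failed, "
    r"username (?P<user>\S+), password (?P<pw>.*)$")

def parse_line(line):
    """Return (timestamp, ip, username, password) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The log carries no year; 1900 is fine for intervals within one day.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["ip"], m["user"], m["pw"]

def find_bursts(log_text, threshold=5, window_seconds=60):
    """One alert dict per (ip, username) with >= threshold failures in any window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, pw = parsed
            events[(ip, user)].append((ts, pw))
    alerts, window = [], timedelta(seconds=window_seconds)
    for (ip, user), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):        # sliding window over sorted times
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"ip": ip, "username": user, "failures": len(hits),
                    "span_seconds": int((hits[-1][0] - hits[0][0]).total_seconds()),
                    "passwords_tried": [pw for _, pw in hits]})
                break
    return alerts
```

Running `find_bursts(SAMPLE_LOG)` reports the postmaster burst with the list of guesses tried, which is what makes the dictionary pattern obvious, while the single failure from the other address is ignored.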
While no system is likely to survive a concerted attack by a government with unlimited computing resources, you CAN protect yourself from the garden variety attacks like the one shown above. How? It’s actually quite simple:
Make your password both long and hard to guess, while still easy to remember. Using the first letter of each word in a phrase will work, provided that the phrase is obscure enough.
MTFBWY is likely a poor choice as Star Wars has made the phrase commonplace. At six characters, it is also too short.
Sbc,CD.Awgootj? would be a better one. (From Stan Freberg’s “United States of America” when Columbus asks the Indian chief for directions to the nearest bank: Sorry, banks closed, Columbus Day. Are we going out on that joke?)
Take a memorable phrase from your favorite classic movie, play, or Bible verse and toss in a couple of special characters and you’ve got something that you can remember and that is strong enough to protect you from most of the bad guys. (Hint: If you are going to pick a Bible verse, don’t pick one of the commonly quoted ones.)
Pet names are very popular as passwords. They are also very poor choices as they are easily guessed. This is especially true if you plaster pictures of your pets all over Facebook. “Rover” is a bad password. “IlR,wgh@tWPSPCA!” would be a much better one, and it is just as easy to remember the phrase “I love Rover, we got him at the West Pasco SPCA!” as it would be to remember the dog’s name.
The longer the password, the better. A password phrase of five or six characters is going to be fairly easy to crack with a brute force attack. One of a dozen characters will take MUCH longer to hack.
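To put numbers on the three rules above (not a dictionary word, a dozen or more characters, a mix of character types), here is an added example that is not part of the original post. The blocklist is constructed from the guesses in the log snippet plus “Rover”, the minimum length is the post's “a dozen characters”, and the cracking rate of one billion guesses per second is an assumed, illustrative figure for a worst-case offline brute force.

```python
import string

# Constructed blocklist: the guesses tried in the post's log plus the pet name it
# calls out. A real deployment would load a far larger list of leaked passwords.
COMMON_PASSWORDS = {"password1", "p@ssw0rd", "password", "password123",
                    "support", "qwerty", "qwerty1", "changeme", "rover"}

MIN_LENGTH = 12                  # the post's "a dozen characters"
GUESSES_PER_SECOND = 1e9         # assumed offline cracking rate, illustrative only

def char_classes(password):
    """Sizes of the character classes the password draws on (lower, upper,
    digits, punctuation). An attacker must cover all of them to be sure of a hit."""
    classes = []
    if any(c.islower() for c in password):
        classes.append(26)
    if any(c.isupper() for c in password):
        classes.append(26)
    if any(c.isdigit() for c in password):
        classes.append(10)
    if any(c in string.punctuation for c in password):
        classes.append(len(string.punctuation))   # 32 symbols
    return classes

def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to exhaust alphabet**length at `rate` guesses/second."""
    return sum(char_classes(password)) ** len(password) / rate

def evaluate(password):
    """Return (accepted, reason). The dictionary check comes first: a listed word
    falls to a dictionary attack no matter how long or mixed it looks."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "on the common-password list (dictionary attack)"
    if len(password) < MIN_LENGTH:
        return False, f"too short ({len(password)} < {MIN_LENGTH} characters)"
    if len(char_classes(password)) < 2:
        return False, "uses only one character class"
    return True, f"brute force would take ~{brute_force_seconds(password):.3g} s"
```

On the post's own examples, “Rover” and “Password1” fail the dictionary check regardless of their mixed case, “MTFBWY” is rejected as too short (its whole 26**6 keyspace goes by in well under a second at the assumed rate), and “Sbc,CD.Awgootj?” and “IlR,wgh@tWPSPCA!” are accepted.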
You will also want to change your passwords periodically. Both Quickbooks and several of the e-commerce sites I regularly use prompt me to change my passwords every three months.
Needless to say, don’t use the same password for everything. If you have a different password for each place that needs a password, having one compromised won’t give the bad guys everything.
Where do you need a password?
Unless you’ve got family members you want to restrict from the computer, you probably don’t need a login password on a desktop machine. If you carry your notebook around with you, you probably DO want a password on it. Keep in mind that password reset disks are readily available and, if someone steals your computer, they won’t have much trouble getting into it. (Note: You should consider encrypting the drives on business machines with sensitive data, especially notebooks.)
You SHOULD have a decent password on your email account and any online accounts you have. This includes bank accounts, Facebook, and your website.
Why you need a strong password for online banking ought to be obvious.
Most people don’t think about Facebook though. I’ve lost track of the number of Facebook friends who have had their accounts hacked. These hacks can range from annoying to full-boat embarrassing.
Ditto email accounts. When your friends get an email from you inviting them to view some link that you didn’t really send, they are going to blame you when their computer gets hacked. Additionally, Facebook, banks, and other accounts often have a password reset feature that sends the reset instructions to your email account. If your email account is compromised, then everything else is also at risk.
A hacked website can do more to damage a company’s reputation than pretty much anything else, especially if the website collects credit card or other personal information.
There are some password management programs available. I haven’t used any of them as they strike me as just a means of putting all of your proverbial eggs in one basket.
Likewise, don’t save your passwords in your browser. While this may be “okay” for low value passwords, it is an absolute “NEVER” for passwords to sensitive websites, such as your bank.
One final thought: Do NOT write down all your passwords and tape them to your computer. That pretty much defeats the whole purpose.
Good luck and stay safe. Feel free to give me a call at 727-847-2424 or drop me an email if you have any questions.
Rob Marlowe, Senior Geek