How bad guys get your passwords.
May 5, 2012
The bad guys can get your password several ways.
(1) They can simply get it from you. This sounds unlikely, but there are all sorts of ways it can happen. If you write it down, they can see it or steal it. There are many scams that trick you into giving it up: they might call you and pretend to be your own office or ISP security department and ask for it. There has been some news recently about prospective employers asking for social media passwords as a condition of employment. When it involves human-to-human interaction, the process is called "social engineering". Recently there was an email that claimed to be from Yahoo Mail's security department, asking you to click a link and log into their security page; if you do, they have your password. This is called phishing. Other techniques include getting it from your PC by installing some sort of malware on it. So the lesson here is: do not write it down, or if you must, keep it under lock and key at all times; do not ever give it out to anyone, no matter what; and keep your machine malware free.
(2) Perhaps they can deduce it from personal information they know about you. I have a dear friend who once used his wife's name as a password. Other people use children's names, pet names and so on. The plot of the movie "War Games" hinged on a deceased son's name being used as the password.
(3) They can guess it. This is a brute force solution, but if you can guess fast enough and often enough, you can guess any password. However, not all passwords are random, and many common words are used as passwords. The bad guys trade huge lists of known passwords, passwords that are known to have been used somewhere, anywhere. They try these first before going to purely random guessing.
A moderately sophisticated online "guesser" might manage a thousand guesses per second. A very sophisticated attacker with a very, very powerful PC might manage 100 billion guesses per second. This is about the upper limit of PC-based hardware, but supercomputer-class hardware can do a lot more. An NSA-level supercomputer might be able to crank out 100 trillion guesses a second.
If the bad guys have a dictionary of ten million known passwords, they can obviously guess the entire list in a very short time. If your password is in the bad guy's dictionary, no matter how secure it appears, it is toast. So the object lesson is to never use anything that might be found in a dictionary.
Once they have tried every password in their dictionary, it becomes a matter of random guessing. That is where the quality of your password really comes into play. The tenth most common password used on the Internet is 'thomas' according to one survey. I keyed on this one because it is my middle name. Clearly, it would be one of the first guesses any bad guy would take, so it is utterly useless as a password. But even if approached as a purely random guess, it would take our bad guy with a really fast PC only 0.00321 seconds to guess it.
We need to make it less easy to guess.
Using standard tricks of mixing case and inserting symbols can help. "Th0ma5" takes our bad guy over a half-second to guess it. Better but not enough.
Longer is better, so let's add something to it. Simply splitting it and adding a period in the middle, "Th0.ma5" now takes over 11 minutes to crack. Much better, but still not very good. Adding another period and a couple of random letters in the middle, such as "Th0.ba.ma5" increases the crack time to 19 years.
Nineteen years sounds good, but compute power is increasing rapidly. We want more security than that. Let's add some more "stuff" to it. Let's add the date the password was created. Or maybe the date we want to change it. Or someone's birthday we want to remember. So "Th0.ba.ma5" becomes "Th0.03.ba.27.ma5.2012". It is still easy to remember, being made up of (1) my middle name, (2) a 2 letter random combination, and (3) a date. Only instead of a 19 year crack time, it is now One Billion Trillion Centuries. That is not only a long time, it is long enough that even in a hundred years of Moore's law, it still will be uncrackable with cheap hardware. Even the NSA's most powerful Supercomputer should require a Million Trillion Centuries.
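The crack times quoted above follow from a simple search-space model: a password found in the attacker's list of known passwords falls immediately, and otherwise the attacker must try every string built from the character classes the password uses, at every length up to the password's length, at a fixed guess rate. The script below is an added example, not code from the original post; it reproduces the post's arithmetic (0.00321 seconds for "thomas", over half a second for "Th0ma5", over 11 minutes for "Th0.ma5", about 19 years for "Th0.ba.ma5", and on the order of a billion trillion centuries for the final password, all at 100 billion guesses per second). The ten-entry known-password list and the three guess rates are constructed stand-ins for the "dictionary of ten million" and the three attacker tiers the post describes. Rates this high are only reachable offline, against a copy of the stored password hash; a login form rate-limits far below them.

```python
"""Search-space model for the password crack times quoted in the post.

Assumptions (labelled, not from the post's own calculations):
  * a password present in the attacker's known-password list is found at its
    position in that list, before any random guessing begins;
  * otherwise the attacker exhausts every string drawn from the character
    classes the password uses, from length 1 up to the password's length;
  * guess rates are the three figures the post gives (online guesser, fast
    PC, NSA-class supercomputer); such rates apply to offline hash cracking.
"""

# The 95 printable ASCII characters (0x20 to 0x7E), split into the four
# classes the model counts: lowercase, uppercase, digits and 33 symbols.
PRINTABLE = "".join(chr(c) for c in range(0x20, 0x7F))
LOWER = "".join(c for c in PRINTABLE if c.islower())
UPPER = "".join(c for c in PRINTABLE if c.isupper())
DIGITS = "".join(c for c in PRINTABLE if c.isdigit())
SYMBOLS = "".join(c for c in PRINTABLE if not c.isalnum())
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

# Guesses per second for the three attacker tiers named in the post.
GUESS_RATES = {
    "online": 1_000,
    "fast_pc": 100_000_000_000,
    "supercomputer": 100_000_000_000_000,
}

# Constructed stand-in for the attacker's dictionary of known passwords,
# with 'thomas' in tenth place as the post's survey reports.
KNOWN_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "monkey", "1234567", "letmein", "trustno1", "thomas",
]


def alphabet_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover: the sum of the sizes of
    every character class that appears in the password."""
    if not pw or any(c not in PRINTABLE for c in pw):
        raise ValueError("only non-empty printable-ASCII passwords are modelled")
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))


def search_space(pw: str) -> int:
    """Number of candidates an exhaustive search tries before it is certain to
    have reached this password: every string of length 1..len(pw) over the
    password's alphabet. Exact integer arithmetic, so long passwords do not
    lose precision."""
    n = alphabet_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def seconds_to_crack(pw: str, guesses_per_second: float,
                     known=KNOWN_PASSWORDS) -> float:
    """Worst-case seconds for an attacker at the given rate who tries the known
    list in order first, then falls back to exhaustive search."""
    if pw in known:
        return (known.index(pw) + 1) / guesses_per_second
    return search_space(pw) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit, as the post does."""
    units = [("centuries", 3_155_760_000.0), ("years", 31_557_600.0),
             ("days", 86_400.0), ("hours", 3_600.0),
             ("minutes", 60.0), ("seconds", 1.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds * 1000:.3g} milliseconds"


def crack_estimates(pw: str, known=KNOWN_PASSWORDS) -> dict:
    """Crack time in seconds for each attacker tier in GUESS_RATES."""
    return {tier: seconds_to_crack(pw, rate, known)
            for tier, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    # The five candidates the post walks through, in order.
    for pw in ["thomas", "Th0ma5", "Th0.ma5", "Th0.ba.ma5",
               "Th0.03.ba.27.ma5.2012"]:
        est = crack_estimates(pw)
        print(f"{pw:24} alphabet={alphabet_size(pw):3}  "
              f"fast PC: {humanize(est['fast_pc']):>18}  "
              f"supercomputer: {humanize(est['supercomputer'])}")
```

Passing `known=[]` shows the pure search-space figure for a password the post treats "as a purely random guess"; with the default list, "thomas" is found on the tenth guess regardless of how large its search space is, which is the post's point about dictionary words.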
With this approach, I have a password that is all but unbreakable, malware and phishing excluded, and it is something I might actually remember.
It is still important to watch out for malware and phishing attacks, and such, but by following my guidance, your password will not likely be lost to a simple crack.
UPDATE: The news is awash about someone “hacking” the Presidential Candidate's email account and hijacking his Hotmail service. I do not have all the details as yet, but the gist seems to be that he was able to gain access by guessing the answer to one of the security questions provided for resetting lost passwords. These security questions usually ask you something like mother's maiden name, or something similar, often something which someone who knew you well might guess. In this case, the security question was “What is the name of your favorite dog?”. Given that the candidate's dog has been in the news, one might make a reasonable guess of it.
This illustrates a key exposure of online accounts, a way someone might gain unauthorized access. Account providers assume that people will forget passwords. My position is that one should be making passwords that you won't forget. Since they assume people will forget passwords, they provide for someone to gain access by answering "secret questions", which usually are not so secret. Guess the right answer, and you can gain access to most anyone's online account.
My solution is, as I said, don't forget the password in the first place. Do not give useful answers to the security questions, or if you must, give something that is complete nonsense. If you must give them your mother's maiden name, for example, give a name that is anything else, preferably something very obscure. Also, never give them your real date of birth. Create a fictitious birth date you can remember. I advise deciding on a "security birth date" that is different from your real birth date.
Managing this “ancillary information” that can be used to gain access to online accounts is as important as managing passwords themselves. Give careful thought to the information allowed, and do not forget it.