
Open Season on Passwords

By: Absolute Editorial Team | 12/2/2013

Over the weekend, I finally received notification from Adobe that my ID and "encrypted" password had been compromised in an incident back at the beginning of October. (Not to pile on Adobe here, but if you haven't heard, the "encrypted" passwords were encrypted very poorly. Password cracking experts have had a field day analyzing the data. Sophos has a neat visualization of the poor quality of encryption used by Adobe on the passwords.)
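The failure behind that Sophos visualization is that Adobe stored passwords with a deterministic, reversible scheme (a block cipher with no per-record salt or IV), so every user with the same password got the same stored value and frequency analysis of the dump alone revealed the popular choices. The added example below is not from the original post; it uses an unsalted hash as a stand-in for that deterministic storage, runs the same duplicate count over a constructed user table, and contrasts it with salted, iterated PBKDF2 storage where equal passwords no longer produce equal records.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample: a small user table in which several accounts share a
# weak password, which is what any real leaked database looks like.
SAMPLE_PASSWORDS = [
    "123456", "password", "123456", "letmein", "123456",
    "password", "qwerty", "123456", "correct horse battery staple", "letmein",
]

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def store_deterministic(password):
    """Deterministic storage (no salt): the same password always maps to the
    same stored value. This stands in for Adobe's unsalted reversible
    encryption; it is what makes a dump amenable to frequency analysis."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Best-practice storage: random per-record salt plus an iterated KDF.
    Returns (salt, digest); both are stored, neither reveals the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def duplicate_groups(stored_values):
    """Duplicate analysis a defender can run on their own table: sizes of the
    groups of records sharing one stored value, largest first. A non-empty
    result means the storage scheme leaks password equality between users."""
    counts = Counter(stored_values)
    return sorted((n for n in counts.values() if n > 1), reverse=True)


if __name__ == "__main__":
    print("deterministic:", duplicate_groups([store_deterministic(p) for p in SAMPLE_PASSWORDS]))
    print("salted:       ", duplicate_groups([store_salted(p)[1] for p in SAMPLE_PASSWORDS]))
```

With the deterministic scheme the table shows groups of 4, 2 and 2 identical records before a single password is guessed; with per-record salts the same table shows no duplicates at all.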

I learned my lesson on passwords used for publicly-accessible websites some time ago, when Sony, LinkedIn, and other large websites lost huge volumes of passwords. I wasn't using a very complex password generation scheme at the time, and while (to my knowledge) my passwords from any one site were not used to access other sites, I needed to get serious about my password protocol.

Even if a web site is using current best-practice complex hashing of users' passwords, password crackers have become extremely proficient at attacking password information. As explained in this Ars Technica article, even popular passphrase generation techniques have become easy for password crackers to attack. The New York Times has a great article containing advice from experts Jeremiah Grossman and Paul Kocher -- advice that I have largely adopted, and some of which I echo here:

Don't use words from a dictionary. Even if you combine words to make a long passphrase, your password would fall easily to modern attacks.

Never use the same password across different sites. If one site falls to an attack, assume that password has been compromised. If that password were used on multiple sites (such as for your banking, Dropbox, Gmail, etc.), an attacker that has successfully compromised the password will be able to access all your accounts on all those different sites.

Enable two-factor authentication. Many sites allow authentication using both a password and a second mechanism, such as a text message to your cell phone. Google has a handy two-factor authentication app for smart phones.

Consider a password manager app. Jeremiah and Paul hesitate to recommend a password manager application (Jeremiah uses encrypted disk image files to hold passwords), but I would not be able to manage my passwords without one. I personally use variants of Password Safe, an application originally designed by Bruce Schneier. Oh, and as Jeremiah Grossman found out the hard way -- be very careful when you change the master password to your password stash, or you may lose access to all your secret passwords.

Beware the "security questions" used for backup access to websites. It's not hard to figure out things like maiden names, birthplaces, hometowns, and elementary school names. There aren't very many favorite colors. If you use rational answers to these questions, a determined attacker will be able to successfully defeat these security questions. It's a hassle, but make up nonsense answers (with meaning only to you) for security questions.

Be very wary of links and documents in email messages. Phishing attacks have gone from poorly-spelled and worded "you email passwords has expiried" messages to very sophisticated, targeted spear-phishing attacks. Even if an email appears to come from your bank, don't click on the links -- copy and paste the link from the email to your browser.