Tuesday, December 4, 2012

Open Sesame

We have two types of information: online and offline. While the latter is secured under lock and key, in safety deposit boxes and in steel cupboards, the former is guarded by a combination of lower case, upper case, digits and special characters. It is further “safeguarded” by ridiculous features such as security questions that ask for the name of your first school or even your mother's name. Any hacker worth his two cents can visit your blog and your social networking page and siphon off enough information to guess the answers. They can then masquerade as you, contact customer care services and get them to email precious information to a compromised email account. I was prompted to write this post after reading a spine-chilling article on Wired's website: the story of how hackers destroyed Wired senior writer Mat Honan's online presence. Emails, photos, work—nothing was spared.

On reading this article, I was reminded of the Xkcd comic that talked about low-entropy passwords.

The trade-off with passwords that contain a crazed combination of digits, characters and cases is that users can never hope to remember them, so they resort to copy-paste. By demanding “high entropy” (greater chaos) passwords, you give users some security but force them to write the password down somewhere because their memory fails them: the purpose is already defeated. The Xkcd comic instead elaborates on using low-entropy words, such as dictionary words, chosen at random and with a couple of case changes thrown in, so that you can remember the password easily by means of a mnemonic, while the sheer length of the passphrase coupled with the convenient casing means brute-forcing it would take hackers many times the age of the Universe. The key difference is that you must not use dictionary words or phrases that could be guessed on the first attempt. Hacked databases reveal that folks still use their names, birthdays or even a combination of the two as their passwords. The worst offenders are those who use “123456” or “password” as the password!

Next, use a website like Gibson Research Corporation's “How Big is your Haystack” page to check how long it would take a hacker to brute force his/her way in. Remember, you must not use common passwords or easy-to-guess phrases. Finally, never recycle your passwords across multiple accounts and services. In a world where applications and services require a Facebook password or a Google password, one compromised account hands over the keys to the entire kingdom.
So please change your passwords; keep them locked away in your memory; use a virtual keyboard like Onboard to avoid falling prey to keyloggers (Windows users beware!); carry a bootable thumb drive containing Puppy Linux; and make sure people don't peep over your shoulder!

Oh yeah... correcthorsebatterystaple would have taken about 7.83 hundred billion centuries to brute-force even at one hundred trillion guesses per second. That's 55000 times the age of the universe.
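As an added example (not GRC's page or this post's own code), here is the haystack arithmetic the post relies on, written in Python: size the search space from the character classes a password uses and its length, divide by the post's one hundred trillion guesses per second, and report zero for anything on a constructed common-password list, since a guessable password gets no benefit from a large haystack. The per-class alphabet sizes, the blocklist and the sample passwords other than the post's passphrase are assumptions.

```python
import string

# Alphabet size each character class contributes. Assumed values that mirror the
# usual haystack model (26 + 26 + 10 + 33 = 95 when all four classes appear).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation) | {" "}, 33),
}

# Constructed stand-in for the leaked-password favourites the post mentions; a
# real check would consult a large breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Sum the sizes of every character class the password actually uses."""
    return sum(size for chars, size in CLASSES.values()
               if any(c in chars for c in password))


def search_space(length: int, alphabet: int) -> int:
    """Exact count of all strings of length 1..length over the alphabet: an
    exhaustive search tries every shorter string before reaching this length."""
    return sum(alphabet ** n for n in range(1, length + 1))


def centuries_to_exhaust(password: str, guesses_per_second: float = 1e14) -> float:
    """Worst-case centuries to try the whole haystack at the given rate.
    A password on the common list falls on the first few guesses no matter how
    large its haystack, so it is reported as 0 rather than flattered."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    space = search_space(len(password), alphabet_size(password))
    return space / guesses_per_second / SECONDS_PER_CENTURY


if __name__ == "__main__":
    # Constructed samples: the post's passphrase beside a short four-class password.
    for pw in ("correcthorsebatterystaple", "Xk3d!q9$", "password"):
        print(f"{pw:28s} alphabet={alphabet_size(pw):3d} "
              f"centuries={centuries_to_exhaust(pw):.3g}")
```

The passphrase lands in the high hundreds of billions of centuries, in line with the figure above, while the eight-character mixed password is exhausted in about a minute at the same rate.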

1 comment:

Vyaas said...

Mat Honan's anecdotes caused a stain in my seat! A good reminder that our folly is as bad as the 12345er's by today's hacking standards.

An interesting article appeared in the last issue of American Scientist discussing some advancements in the field of secure data transfer AND operation using homomorphic transforms.
http://dft.ba/-37_N