change your passwords

lulzsec (Anonymous v2) are a bunch of twats and have released 62,000 email and password combinations, which they are encouraging people to use to try to log into social networks and online retailers. It’s thought the passwords are from the website ‘writerspace’, but it’s not known for sure.

This demonstrates why you should use different passwords for everything. But it’s not really practical so no one does it. Instead, a better idea is to have different passwords for different classes of websites:

1) Your email
2) Professionally run websites that matter to you
3) Shitty websites that don’t matter much

You can add more categories as appropriate, but the basic point is that you rank sites by two factors: how likely they are to get hacked, and how bad it would be for you if they did get hacked. You make sure that you don’t use a password in one rank that could be used in a more important rank.

Your email password should be *strong* and *unique*. Never ever ever ever ever ever duplicate your email password. Your email is central to everything. If your email is hacked, they get everything. Every single account you own can be hijacked because most of them use access to the email account as proof of identity.

Professional websites are sites like Amazon, Facebook, online banking, etc. The point of this category is that the sites are run by people who know what they’re doing and who have a reputation to maintain, and they are very unlikely to let a bunch of 17-year-olds into their password table. They are also sites that offer a goldmine should they successfully be hacked, and as such are probably getting attacked very frequently, but are still holding up fine.

Shitty websites are small community-run sites, or shady sites operating on a small profit margin that want to keep their operation as lean as possible. This is most of the internet: online gaming sites, communities, adult sites, dating sites, etc. They’re mostly small setups and don’t have a big budget to spend on code reviews and security testing. This category also has to include anything that probably hasn’t had any serious hack attempts yet: even if the site seems professional, if it doesn’t present much incentive to be attacked then you can’t really say it’s secure; it’s just never been tested. Despite this, these sites *do* present attractive targets for the new wave of chaotic hackers, because although a hacker might not get much from a successful attack, they get a *success*, which implies a news story and attention. Don’t trust them.

PASSWORD SECURITY

A very quick note on password selection:
A strong password is at least 15 characters long. A strong-ish password is 12. 8 is your absolute minimum if you care about what it’s protecting. It should be mixed case, alphanumeric, and include symbols. DON’T just add numbers to the end; that’s not secure, because wordlist generators will automatically try this. It should not be a straightforward corruption of a word, e.g. don’t choose ‘password’ and then corrupt it to ‘p@$$w0rd’, because wordlist generators can do substitutions too. Corrupting it to p_@aSw0rd is infinitely better because it’s now unpredictably mis-spelt, but be more creative. Glue words together, use phrases from literature, film, songs, etc. Make up words by gluing together syllables.
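To make those rules concrete, here is an added example (not code from the original post) that scores a password against the thresholds above and reverses the two predictable tricks the post warns about: trailing digits and leet-style substitutions. The five-word WORDLIST is a constructed stand-in for a cracker's dictionary; the generator at the end is the post's /dev/urandom idea done with Python's secrets module.

```python
import re
import secrets
import string

# Constructed stand-in for a cracker's wordlist (assumption for this example).
WORDLIST = {"password", "letmein", "welcome", "dragon", "monkey"}

# Substitutions a wordlist generator routinely tries, mapped back to letters.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def normalise(pw):
    """Strip trailing digits/symbols and undo leet substitutions, so that
    'password123' and 'p@$$w0rd' both collapse to 'password'."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.translate(LEET).lower()


def rate_password(pw):
    """Return (rating, reasons) using the post's length thresholds
    (15 strong, 12 strong-ish, 8 minimum); any reason downgrades to 'weak'."""
    reasons = []
    if len(pw) >= 15:
        rating = "strong"
    elif len(pw) >= 12:
        rating = "strong-ish"
    elif len(pw) >= 8:
        rating = "minimum"
    else:
        rating = "too short"
        reasons.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        reasons.append("not mixed case")
    if not any(c.isdigit() for c in pw):
        reasons.append("no digits")
    if not any(c in string.punctuation for c in pw):
        reasons.append("no symbols")
    if normalise(pw) in WORDLIST:
        reasons.append("dictionary word with trailing digits or leet substitutions")
    if reasons and rating != "too short":
        rating = "weak"
    return rating, reasons


def generate_password(length=16):
    """Draw from the OS CSPRNG over a mixed alphabet and retry until the
    result passes rate_password as 'strong'."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if rate_password(pw)[0] == "strong":
            return pw
```

Running rate_password on ‘p@$$w0rd’ and ‘password123’ flags both as a disguised dictionary word, while ‘p_@aSw0rd’ survives the check, which is exactly the distinction the paragraph draws.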

If you have trouble remembering them then you can write them down, but a better idea is to use a password manager. On Windows you can use KeePass (haven’t used it but it’s supposed to be pretty good), on Linux/KDE you can use KWallet, which will integrate with Chrome if you run Chrome with --password-store=detect. These programs are very cool; they store all your passwords in a small database, and then they encrypt the database with a master password. So all you need to remember is the master password. Just make sure you back up the password database.

Password strength is important because of the attacks available when a site is hacked. If a site is hacked and the password table leaked, the passwords will probably be in an encrypted form (and if they’re not, the programmer should be shot). This is expected and it’s still a ‘success’ for a hacker because they know they’ll probably decrypt about 60% of the passwords quite easily. If your password is complex, yours won’t be one of them.

Bonus unix trick for generating secure passwords:

$ head -c 16 /dev/urandom | md5sum