Everything you ever wanted to know about passwords but were too afraid to ask.

Question: Why are passwords like underpants?

Answer: Because you should change them often, keep them private and never share them with anyone.

Keeper Security, the makers of a password manager, published a security survey in 2017 which revealed that most of us have passwords that are far from secure; the most popular password was "123456". Below is a list of the 50 most common passwords in use today.

[image: the 50 most common passwords]

Some people append numbers to the end of their password to try to make it more secure. Here are the most common numbers added to passwords in use today.

[image: most common numbers at the end of passwords]

As you can imagine, the bad guys have large word lists they can use to guess your password, and these lists also contain common keyboard patterns (a walk along the keys such as "qwerty" is no more random than a dictionary word). See the animated image below highlighting the 20 most common keyboard patterns used as passwords.

[image: the 20 most common keyboard patterns used as passwords]

If you are choosing a fruit, color, animal or verb, try to avoid the most common ones listed below.

[image: most common fruits, colors, animals and verbs used as passwords]

The dating site Ashley Madison was hacked in July 2015, with the data of some 36 million accounts stolen and made public. I was shocked to see they are still in business after such a massive attack; on the home page of their new website it says "We know you value your privacy, and we do to". I guess they will have learned a lot about security and privacy after the attack!

[image: Ashley Madison hacked]

There is even a website that lets you check whether an email address is among the stolen 36 million accounts: https://ashley.cynic.al [Keep in mind that the site had thousands of fake profiles, so not everyone was having an affair!]

You are probably thinking "I am just a wee guy" or "I only run a small business, I will never be the target of an attack". Sadly you are wrong: the bad guys go after the soft targets, and remember that many of the attacks are automated, so you are simply one of hundreds of millions of people being attacked. So to be safe, make sure you have good strong passwords, an anti-virus toolkit running on your machine, a firewall (switched on) and regular backups. As boring as backups are, they are the single most important thing you can do to help you recover from a fire, flood, theft or nasty malware attack; keep at least one copy offline or otherwise out of reach of the machine it protects, so that ransomware cannot encrypt the backup along with the originals.

Even if you have done your best, kept all your software up to date and protected yourself as much as possible, the chances are you have still been hacked. Someone once told me there are two types of people in the world: "those that have been hacked, and those that don't know they have been hacked". Is it really that bad? Actually it is probably worse; let me explain.

All those high-profile companies you hear about getting hacked, e.g. Experian, Yahoo, Adobe, eBay, LinkedIn etc.: what do you think happens to the data? It gets uploaded to the dark web and sold, and eventually given away for free. I recently downloaded the entire LinkedIn username/password database from the dark web and found my password in it!

So what can we do about it? Firstly, you will want to know whether your usernames/passwords have been leaked, and if so you should change them immediately. Thankfully Troy Hunt [https://www.troyhunt.com] (an Australian security expert) collects these breach dumps for us and provides a wonderful service on his famous Have I Been Pwned website (https://haveibeenpwned.com): you simply type in your email address and it tells you if the bad guys have your details. My username/password was included in 14 different data breaches. There is also an invaluable free 'Notify Me' service that emails you when your address turns up in a new breach. Other sites offer similar services, e.g. Breach Alarm [https://breachalarm.com].
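To see how a breach lookup can be done without handing over the very thing you are checking, here is an added example (not from this page and not Troy Hunt's own code) of the k-anonymity scheme used by Pwned Passwords, the password-checking half of Have I Been Pwned: the client sends only the first five hex characters of the password's SHA-1 hash and does the final matching locally. The response body in the script is constructed for the example; the `live_fetch_range` function that talks to the real API at https://api.pwnedpasswords.com is included but not called.

```python
"""Pwned-Passwords style check using k-anonymity (added example, not from the page).

The real API (https://api.pwnedpasswords.com/range/<prefix>) takes only the first
five hex characters of the SHA-1 of a password and returns every suffix it knows
with that prefix, one 'SUFFIX:COUNT' per line. The password, and even its full
hash, never leave your machine. The response text below is CONSTRUCTED for this
example; only the suffix for "password" is its real SHA-1 suffix.
"""
import hashlib
from typing import Callable, Dict, Tuple

RangeFetcher = Callable[[str], str]  # maps a 5-char hex prefix to the raw response body


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that is
    sent to the server and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Tolerates CRLF and blank lines;
    rejects anything that does not look like a 35-hex-char suffix and a number."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """Return how many times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed stand-in for the network call -------------------------------
_SAMPLE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",         # made-up suffix
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # real suffix of SHA-1("password"); count made up
    "2D9B3A0C3C0F7A3E3B1E5C2D4F6A8B9C0D1:2",         # made-up suffix
])


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for an HTTP GET of /range/<prefix>; empty body for unknown prefixes."""
    return _SAMPLE_BODY if prefix == "5BAA6" else ""


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the public API (needs network). Still sends only the prefix."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "pwned-passwords-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw, sample_fetch_range)
        print(f"{pw!r}: {'seen %d times, do not use' % n if n else 'not in the sample'}")
```

Run with Python 3 it reports that "password" is in the sample data; swap `sample_fetch_range` for `live_fetch_range` to query the real service. The same shape is how such a check belongs in a sign-up form: reject passwords that appear in the leaked list, and never log the candidate password or its full hash.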

Question: Are long passwords harder to guess?

Answer: They sure are.

See the chart below, which shows roughly how long it takes to guess (by brute force) passwords of between 7 and 12 characters. Every extra character multiplies the attacker's work by the size of the alphabet, so length is worth more than any single clever substitution.

[image: brute-force time for passwords of 7 to 12 characters]

The problem is that long passwords can be hard to remember, so some people turn to rather clever methods to remember them, e.g.:

Choose a memorable sentence and turn it into a password, e.g. "We like to feed swans on a Sunday".

The password could be wltfsoas.

To make things trickier to crack, mix upper and lower case letters, e.g. WltfsoaS.

To make it even harder to guess, add numbers and non-alphabetic characters.

The password could be WltfsoaS%62.

Now 11 characters long with upper case, lower case, numbers and non-alphabetic characters; in theory this will take over a decade to crack! (That figure treats each character as if it were chosen at random. A password built from a sentence is more predictable than that, since attackers also guess sentences and common ways of mangling them, so treat the figure as an upper bound.)
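The chart above and the swan-sentence recipe both come down to one calculation: alphabet size raised to the length, divided by the attacker's guess rate. The script below, an added example that is not from the original page, carries that through for each step of the recipe and for a password generated with a proper random source. The guess rate in `main` is an assumed round number, not a measurement of any real cracking rig.

```python
"""Brute-force cost estimate for the page's password recipe (added example, not from the page).

Models the chart's arithmetic: keyspace = alphabet_size ** length, time = keyspace / rate.
The guess rate used below is an assumed round number, not a measurement.
"""
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 printable ASCII symbols
}
UNITS = [("seconds", 1), ("minutes", 60), ("hours", 3600), ("days", 86400),
         ("years", 31_557_600), ("centuries", 3_155_760_000)]


def sentence_to_password(sentence: str, keep_case: bool = True) -> str:
    """The page's mnemonic: the first letter of every word."""
    initials = "".join(word[0] for word in sentence.split() if word)
    return initials if keep_case else initials.lower()


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password uses: the space a
    brute-force attacker has to cover once they know which classes are in play."""
    size = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password has no printable ASCII characters")
    return size


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace; on average an attacker needs half of this."""
    return alphabet_size(password) ** len(password) / guesses_per_second


def entropy_bits_if_random(password: str) -> float:
    """Entropy the password would have if every character were chosen uniformly at random.
    A password built from a memorable sentence has less: the attacker can guess sentences."""
    return len(password) * math.log2(alphabet_size(password))


def humanize(seconds: float) -> str:
    """Largest unit that fits, e.g. '3.5 minutes' or '160.4 centuries'."""
    name, size = UNITS[0]
    for unit_name, unit_size in UNITS:
        if seconds >= unit_size:
            name, size = unit_name, unit_size
    return f"{seconds / size:,.1f} {name}"


def random_password(length: int = 16, alphabet: str = "".join(CLASSES.values())) -> str:
    """Generate with the OS CSPRNG via `secrets`; random.choice() is not suitable for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    sentence = "We like to feed swans on a Sunday"
    steps = [
        sentence_to_password(sentence, keep_case=False),   # wltfsoas
        sentence_to_password(sentence),                    # WltfsoaS
        sentence_to_password(sentence) + "%62",            # WltfsoaS%62
        random_password(16),
    ]
    rate = 1e10  # assumed: ten billion guesses per second against a fast unsalted hash
    for pw in steps:
        print(f"{pw:20} alphabet={alphabet_size(pw):3d} "
              f"bits={entropy_bits_if_random(pw):5.1f} "
              f"exhaustive search: {humanize(brute_force_seconds(pw, rate))}")
```

At ten billion guesses per second the three steps come out at seconds, hours and centuries respectively, which is why the "over a decade" above is, if anything, an understatement for a genuinely random string of that make-up, and why the entropy figure is the honest comparison: the 16-character random password scores around 105 bits, the 11-character mnemonic 72 at most.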

Password Managers

Password managers are programs that store and retrieve (and sometimes generate) complex passwords for you, usually from an encrypted database.

They typically require you to create and remember one 'master' password that unlocks the database containing all your other passwords, so that one password needs to be long and unique, and it is worth protecting the manager itself with two-factor authentication where it is offered.

They are certainly worth investigating; the most well-known password managers include:

1Password – https://1password.com

Dashlane – https://www.dashlane.com

KeePass – http://keepass.info

LastPass – https://www.lastpass.com

My1Login – https://www.my1login.com

Do your homework though: I remember reading the news about the password manager OneLogin being hacked!

http://www.bbc.com/news/technology-40118699

Here are two useful websites that will tell you how strong (or weak) your password is by estimating how long it would take to brute force it, in seconds, minutes, hours, weeks, months, years, decades or centuries. [You're looking for centuries.] Two caveats: the estimate assumes the attacker has to try every combination, so a 'centuries' rating says nothing about a password that is sitting in a leaked word list; and typing a real password into somebody else's website is itself a risk, so test a password of the same length and make-up rather than the one you actually use.

https://www.my1login.com/resources/password-strength-test

and

https://howsecureismypassword.net

I once set up a commercial password recovery company, i.e. we broke passwords. There are 8 main methods we used, shown below:

  • Brute Force Attack [The bigger the processor the faster the attack; often we networked PCs together into a distributed attack]

  • Back Door [We knew many backdoors, as does your government]

  • Dictionary Attack [We had a gigantic set of word lists, e.g. French legal dictionaries, German medical dictionaries, song lyrics; if the word existed in real life we found it]

  • Key Logger Attack [If we could get a key logger running on someone's PC we were usually successful]

  • Social Engineering [Often we just called them up and asked for their password in a very roundabout way]

  • Malware [Very naughty]

  • Shoulder Surfing [Often worked if we got a chance]

  • Guess [Last resort, often failed!]
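The dictionary and brute-force methods above are what the word lists and "common numbers" earlier on this page feed into. As an added example (not code from the author's company), here is a small dictionary attack with mangling rules run against a constructed table of unsalted SHA-1 hashes; the wordlist, the rules and the "leaked" hashes are all made up for the demonstration.

```python
"""Dictionary attack with simple mangling rules against unsalted SHA-1 hashes
(added example, not from the page). The wordlist, rules and 'leaked' hashes are all
CONSTRUCTED here; real attacks use word lists with hundreds of millions of entries
and tools such as hashcat or John the Ripper.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple

# A tiny stand-in for the gigantic word lists the page describes.
WORDLIST = ["password", "123456", "qwerty", "sunshine", "monkey", "dragon"]
# The kind of suffixes people append "to make it more secure".
COMMON_SUFFIXES = ["", "1", "12", "123", "1234", "!", "1!", "2017", "2018"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def candidates(word: str) -> Iterator[str]:
    """Expand one word with a small rule set: case variants, leetspeak, common suffixes."""
    bases = sorted({word, word.capitalize(), word.upper(), word.translate(LEET)})
    for base in bases:
        for suffix in COMMON_SUFFIXES:
            yield base + suffix


def crack(hashes: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """hashes maps username -> unsalted SHA-1 hex. Returns ({user: password}, attempts).

    Because the hashes are unsalted, each candidate is hashed once and checked against
    every user at the same time; this is exactly why unsalted hashes crack so cheaply."""
    pending: Dict[str, List[str]] = {}
    for user, digest in hashes.items():
        pending.setdefault(digest.lower(), []).append(user)
    found: Dict[str, str] = {}
    attempts = 0
    for word in wordlist:
        if not pending:
            break
        for cand in candidates(word):
            attempts += 1
            for user in pending.pop(sha1_hex(cand), []):
                found[user] = cand
            if not pending:
                break
    return found, attempts


# Constructed "leaked" table: we know the plaintexts only because we built it.
LEAKED = {user: sha1_hex(pw) for user, pw in {
    "alice": "Password123",
    "bob": "sunshine2018",
    "carol": "Tr0ub4dor&3",      # not derivable from the wordlist, survives this attack
    "dave": "qwerty",
}.items()}


if __name__ == "__main__":
    found, attempts = crack(LEAKED, WORDLIST)
    print(f"{attempts} candidates hashed")
    for user in LEAKED:
        print(f"{user:6} {found.get(user, '<not cracked>')}")
```

Fewer than two hundred hashes recover three of the four accounts, and notice that appending "123" or a year, the trick from the top of the page, is the first thing the rule set tries. The defence is on the storage side: a per-user salt forces the attacker to repeat the whole run for every user, and a slow hash makes each attempt cost milliseconds instead of nanoseconds.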


Multi Factor Authentication

Multi-factor authentication is quite a mouthful for proving who you are in more than one independent way. The three standard factors are:

  1. Something you HAVE (smart card, USB dongle, phone, RFID badge)
  2. Something you KNOW (password, PIN, security question)
  3. Something you ARE (e.g. fingerprint, iris, face)

It only counts as "two-factor" when the two proofs come from different categories: a password plus a security question is still just one factor, two things you know. Most of the major social media platforms support two-factor authentication, e.g. Facebook, Twitter, Instagram, YouTube, LinkedIn and Google+.


There are a number of websites that will generate 'random' passwords for you of varying lengths; these are known as online password generators. I just spotted that two of them are served over plain HTTP rather than HTTPS, so anything they send you could be read in transit. How naughty. (A password manager's built-in generator does the same job without the password ever crossing the network.)

http://passwordsgenerator.net

http://passwordsgenerator.net/plus

https://lastpass.com/generatepassword.php

Storing Passwords

If your business has to store customer passwords then please make sure that you do NOT store them in plain text. They should at the very least be hashed, and preferably not stored by you at all (let an identity provider handle sign-in).

General advice when storing customer passwords:

  • Do not store customer passwords in plain text, e.g. "secret123".

  • Encrypting them is better, e.g. "$%_$F"£!@2_£!*(!"£", but encryption is reversible: whoever holds the key (an administrator, or an attacker who walks off with the server) can recover every password.

  • Better still, hash them: with a unique random salt for every user and a deliberately slow, password-specific algorithm (bcrypt, scrypt or Argon2), not a single round of MD5 or SHA-1, which a GPU can try billions of times per second.


[image: hashed passwords example]

Hash algorithms are one-way functions. They turn any amount of data into a fixed-length "fingerprint" that cannot be reversed, and if the input changes by even a tiny bit the resulting hash is completely different (see the example above). This is great for protecting passwords, because we want to store them in a form that protects them even if the password file itself is compromised, while still being able to verify that a user's password is correct: at login you hash what the user typed and compare it with the stored value. Unlike encryption there is no key to steal, and the only way back from the hash to the password is to guess. This is also why, if you phone your bank, even they cannot tell you your PIN or password: it is not kept in a readable form, and all they can do is reset it and ask you to create another one.
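As an added example of the "even better to hash them" advice, not code from the original page, here is the difference between an unsalted fast hash and a salted, deliberately slow one, using the scrypt function in Python's standard library. The record format `scrypt$N$r$p$salt$key` is this example's own convention, chosen so the cost parameters travel with the hash.

```python
"""Storing passwords: unsalted fast hash vs salted, slow, memory-hard hash
(added example, not from the page; uses only the standard library).
The format 'scrypt$N$r$p$salt$key' is this example's own, not a standard encoding.
"""
import base64
import hashlib
import hmac
import os


def unsalted_sha256(password: str) -> str:
    """The 'at least hash them' mistake: deterministic, so equal passwords give equal hashes
    and one precomputed table or one cracking pass covers every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def hash_password(password: str, *, n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """scrypt with a fresh 16-byte random salt per password. N=2^14, r=8 costs about 16 MiB
    of RAM per guess, which is what makes GPU/ASIC cracking expensive. The parameters are
    stored alongside the hash so they can be raised later without breaking old records."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64(salt), _b64(key)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    Returns False (never raises) for malformed records so a corrupt row cannot let anyone in."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    users = {"alice": "secret123", "bob": "secret123"}   # constructed: two users, same password
    print("unsalted:", {u: unsalted_sha256(pw)[:16] for u, pw in users.items()})  # identical
    records = {u: hash_password(pw) for u, pw in users.items()}                   # differ
    print("scrypt:  ", {u: rec[-12:] for u, rec in records.items()})
    print(verify_password("secret123", records["alice"]), verify_password("wrong", records["alice"]))
```

Two users with the same password get identical SHA-256 digests but different scrypt records, so a cracker has to attack each account separately and pay 16 MiB of memory per guess rather than the nanoseconds an unsalted SHA-1 costs. The constant-time comparison matters too: a byte-by-byte `==` on the digest leaks how many leading bytes matched through timing.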

There is a wonderful website called Plain Text Offenders that names and shames companies (some very well-known ones among them) that email passwords to users in plain text: http://plaintextoffenders.com. A site that can email you your password must be keeping it in a recoverable form, which is the whole problem. If you get reported there and tidy up your act you can make it onto the slightly less embarrassing 'reformed offenders' list.


All about Bitcoin – well not quite.

It all started in October 2008 when a white paper was published by someone calling themself Satoshi Nakamoto. The paper was titled "Bitcoin: A Peer-to-Peer Electronic Cash System", and Satoshi was clearly hard at work: as the financial crisis of 2008 unfolded he was developing the first Bitcoin software, which was presented to the world on 3 January 2009. Satoshi registered the domain bitcoin.org and communicated with developers for a while before vanishing in mid 2010; he has never been heard from since. If you are reading this, Satoshi, we would love to hear from you 🙂

Inside the very first block on the Bitcoin blockchain he left a message: "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks". Some say that by leaving this text inside the 'Genesis Block' he was leaving a clue, i.e. that he was in fact British and not Japanese. At Dandruff and Sandals we do not care whether you eat pork pies or sushi; we just want to meet you.


Here are some really useful (and one not so useful) cryptocurrency websites:


Coin Market Cap: this site lists over 1,500 cryptocurrencies, showing each one's symbol, current price, market capitalisation, circulating supply, trading volume and change in value over time.


Coinbase: one of the best and largest cryptocurrency exchanges. It allows you to buy and sell four different cryptocurrencies, i.e. Bitcoin (BTC), Bitcoin Cash (BCH), Ethereum (ETH) and Litecoin (LTC), and supports two-factor authentication, always a good idea on anything that holds your money.


The famous Crypto Tips YouTube channel by Heidi Chakos: she is intelligent and beautiful, kind of like a modern digital Bond girl. Her videos are educational; you'll learn so much.


The super smart Andreas M. Antonopoulos YouTube channel: not quite as beautiful as Heidi Chakos, but all the same his videos are truly inspiring and worth watching again and again and again.


Crypto Kitties: crypto madness, for those who love cats and have too much money!