Monthly Archives: January 2014

What do you mean my password is not secure?

Almost all of the applications we use have one big thing in common:  they all use a username and password combination.  A common theme we see is the re-use of usernames across multiple sites and many sites don’t even consider a username as sensitive information.  The password, however, is supposed to be the key to protecting your accounts.

SplashData recently published their findings for the top 25 worst Passwords of 2013.  They created this list based on the password breaches that have occurred over the year.  In a small twist, “123456” has taken the number one spot away from “password”.  To a security professionally, both of these passwords are very bad.  Is that what the common computer user thinks?

Many users think that a password should be something that only they would know.   For example, the name of your dog from 40 years ago that no one else would know.   Maybe they just choose a word that means something to them, that no one else understand.   The problem with this way of thinking is that it is not how attackers are trying to guess passwords.  We have all seen the movies where the attacker looks around the victim’s office and guesses the password based on photos on the desk.  In most situations, however, an attacker is not targeting a specific individual and manually trying to guess the individual’s password.   Rather, attackers use tools to automate the process and then conduct mass attacks across the Internet.  These tools take in dictionaries, lists of common words or passwords, and then try each one in succession. As you can see, there isn’t anything in that process that relates to what the user might be interested in.

Another common belief is that substituting numbers or symbols for letters in words are going to make it more difficult to crack.  As stated in the previous example, attackers use automation to perform this task and the tools they use are sophisticated enough to swap potential characters.

The best thing for a password is to make it longer.  The longer it is, the longer it takes to attempt cracking it.  I personally use pass phrases for my passwords when I can.  Something that is more than a word or two words combined together, but a sentence that is at least fifteen (15) characters in length.  This becomes harder to crack for automated tools because the combination of characters has increased greatly.  Of course, in the event that your long password is still something simple, it could still be a problem.

One of the limiting factors that we commonly see is sites that don’t support long enough passwords.   Many sites require a number a character and a special character, yet then limit the length to 8 characters.  This could be because they don’t understand password security, or they are limited by some back-end systems.

A big concern that many users have is trying to remember a different password for all of their applications or web sites.  This usually leads to re-using passwords across multiple sites, which is a bad practice.  One option, which I personally use, is to use a password manager.  That is an application that helps manage your passwords for you.  There are many different options for password managers, so it is important to understand the options on each one before making a decision.  Many of them allow syncing between devices, and storing all the data on their servers on the Internet.  Something that each user has to decide is whether or not that info should be saved on the Internet.

In addition to passwords, I also use a password manager for managing the secret “security” questions for the forgot password screen.  This too helps me put in values that can be more difficult to brute force, yet easy for me to access.

Something we are seeing on many sites is the ability for multi-factor authentication.  A great example is Google’s accounts where you enter in a username and password and then have to enter in a unique code that changes every minute.  The code is delivered via the Google Authenticator App that is installed on your mobile device.  This additional security feature does not mean we can choose weaker passwords, but is an extra line of defense if our password does get stolen.  If your application supports this feature, be sure to enable it.  Everyone can start better protection today simply by updating simple passwords to a longer passphrase.  If you have had a password compromised, immediately change the password to stop any attackers from accessing that account.

The general Internet user should start understanding how passwords are stolen or guessed by attackers.  Once that concept is understood, we can then start thinking about how to create better passwords that will be more difficult to break.

James Jardine is a Principle Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware on Twitter or visit the Secure Ideas – Professionally Evil site for services provided.

What Do YOU Think About Privacy?

“What do you think about privacy?” That’s the question I asked my wife last week. We had just received an email from Target explaining that our personal data was stolen along with 70 million other customers in their latest breach.  The week before we had received notification from our bank that both of our cards… Continue Reading

Webcast: Vulnerabilities in Your Medical Practice: Security Testing for Healthcare

Later this month I will be presenting a free webcast:  “Vulnerabilities in Your Medical Practice: Security Testing for Healthcare”.  I’ll be talking about the HIPAA Security Rule, the potential impact at the practice level and actions that can be taken to comply with these requirements and protect your data. The webcast is scheduled for the… Continue Reading

HealthCare.gov: Basic Security Failures and IT Bloopers

Secure Ideas has tested hundreds, if not thousands, of applications over the years we have been in business.  Based on this experience, along with our public classes and presentations around application security, Dave Kennedy of TrustedSec asked me to review the details of security flaws within HealthCare.gov.  As part of this review, Dave provided a… Continue Reading

Scary Web Services: Part 2

This post may seem timely in light of the recent Snapchat compromise.  Although Snapchat’s breach appears to be due to some poor assumptions around an “internal” Snapchat API, it is not the type of traditional web service that I was thinking about when I was planning this post.  This said, Snapchat’s API is still technically… Continue Reading

SamuraiWTF Training with Charlotte ISSA

Charlotte ISSA will be hosting a two-day Samurai-WTF (Web Testing Framework) course led by myself (Jason Gillam of Secure Ideas) January 21st and 22nd.  Students will learn the latest Samurai-WTF open source tools and the latest manual techniques to perform an end-to-end penetration test. After a quick overview of pen testing methodology, the instructors will… Continue Reading

Intercepting DNS

Intercepting DNS

Recently during a penetration test, I discovered a Linksys WRT54G wireless router that had been installed on a customer’s network. Surprisingly, this device was accessible from the Internet with default credentials. Watching the client list, I noticed several clients connecting on & off throughout the day. We all know that this is bad, but how… Continue Reading