Passwords - The Key To Your Identity

We all have passwords to access various aspects of our lives.

You may use the same password for all of your logins so it's easy to remember. Or you may have selected a password based on someone's name or town, or birthday, special day or some other common event.

All of these are poor decisions.

You see, one of the simplest ways to gain access to your information is by logging in as you.

Your identity online is determined by your username and password. If a hacker has those two items, they can essentially be you - online.

How can hackers obtain your login and password?

Through the use of either a "brute force attack" or a dictionary attack hackers can obtain your password.

A brute force attack attempts to try every possible password. Some brute force attacks programs are Brutus, and THC-Hydra. These programs will dynamically attempt all possible passwords as it generates them. They don't work with lists of possibilities, you can feed it various parameters like all numeric, all upper-case alpha, combination of upper and lower case alpha, and it then proceeds to launch it's own login attempts on the target.

In a dictionary attack, extensive lists of possible passwords are generated ahead of time. These lists are then launched against the target. Only the combinations in the dictionary are attempted.

However, the dictionaries used typically contain:

• Words in various languages
• Names of people
• Places
• Commonly used passwords

Many times people wonder how the hackers get a list of commonly used passwords. They get those by cracking someone's password. They know that if one person uses that password, others may as well.

Cyber criminals have programs that will generate large lists of passwords.

You might be thinking, how long would it take them to create millions or billions of usernames and passwords that will have one matching your password?

That depends on two main things, the length and complexity of your password and the speed of the hacker's computer. Assuming the hacker has a reasonably fast PC (ie., dual processor) here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it's just a matter of time before the computer runs through all the possibilities - or gets shut down trying.

A password of all numbers and 8 characters in length will contain 100 million possible combinations and take only 10 seconds to generate.

If your password is all letters, either all upper or all lower case, it will contain 200 billion possible combinations and take only 5.8 hours to generate. The time to generate all 53 trillion possible combinations of a password comprised of mixed upper case and lower case letters grows to 62 days. When your password has 8 characters of upper case, lower case and numbers the possible combinations grows to 218 trillion and the time required to generate the list grows to 253 days.

When you create a password with upper case, lower case letters, numbers and special characters, your list of possible combinations grows to 7.2 quadrillion and will take 23 years just to generate.

Notice the difference in Time to Generate by going from either all upper or all lower case characters (5.8 hours), to using mixed upper case, lower case, numbers and special characters; ie., ~!@#$%^&*() (23 years).

Remember, these times are just for a single, dual processor computer, and these results assume you aren't using any common words in the dictionary. If a number of remotely controlled computers (read hacked) were put to work on it to generate the lists, they'd finish about 1,000 times faster.

Remote Access - A Necessary Evil??

Small businesses often use some type of remote access technology. It might be something like pcAnywhere, gotomypc, VNC or even Microsoft's Remote Desktop Connection or Terminal Services. All of these access methods require a login screen accessible from outside your network.

Hackers scan the Internet looking for login screens or open ports. An open port can be an indication that a specific program is waiting for a connection.

For instance, if you're running pcAnywhere you probably have port 5631 open. If you're using VNC you might have port 5900 open and if you're using Microsoft's Remote Desktop Connection or Terminal Services you may have port 3389 open.

When an attacker finds a login screen or an open port they know they can use either their brute force tools or their dictionary of commonly used usernames and passwords.

How do they get the usernames (login names)? If the attacker really wants to get in, they can visit your web site and get a list of all the people listed. From there they can use tools to create a list of common combinations of first name and last name to create possible login names.

Knowing that login names are typically the same as the beginning of a person's email address, they can quite easily harvest all the email addresses from your company and then use those as starting points for login names. They'll usually try admin and administrator first. If they can obtain the password for these accounts, they have succeeded in hacking into your computers.

So, how would a hacker use this process to actually breach your personal security? Simple. Follow my logic:

• First they would scan the Internet, with automated tools, looking for login screens
• As login screens are found, a separate tool would determine what software is running that login screen
• The hacker would launch a dictionary attack that would try possibly millions of user names and password combinations
• Any password that is 8 characters in length and comprised of all numbers, or all upper case letters, or all lower case letters would be in their list of attempted passwords
• As a valid login and password combination is found, it's stored in a list along with the IP address of the successful breach and the hacker moves on to the next victim
• To make money, they could sell this list of successful username and password combinations to cyber thieves
• Cyber thieves will connect to those computers and check the browser cache for websites the victim frequents
• Knowing that many users use the same password for all or many of their logins, they try the same password on the websites stolen from the browser cache
• As the cyber thief finds bank, credit card or merchandise websites where the password works, they will either steal money or buy merchandise, or sell the information to a next level cyber criminal who will "capitalize" on the purchased data

No Free Advice? Here's Some

It's understandable that you need to choose passwords that are memorable however, if you're going to do that how about using something that no one is ever going to guess AND doesn't contain any common word or phrase in it?

Here are some password tips:

• 1. Randomly substitute numbers or special characters for letters that look similar. The letter "o" becomes the number 0 or the letter "a" becomes @ or the letter 't' becomes "+" and randomly throw in capital letters (i.e. Oceans11 becomes 0C3@n$_E1eV3n)
• 2. Use a phrase that's memorable to you, just do not use someone's name. Every name plus every word in the dictionary will quickly be discovered under a simple brute force attack. We've seen dictionaries used by hackers that contain over 6 million words.
• 3. You really should have a different username / password combination for each site you frequent. Remember, the technique is to break into anything you access just to figure out your standard password then compromise everything else. This doesn't work if you don't use the same password everywhere.
• 4. Since it can be difficult to remember a ton of passwords, you may want to consider a password manager like Roboform. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key.
• 5. Once you've thought of a password, try Microsoft's password strength tester to find out how secure it is. http://www.microsoft.com/protect/yourself/password/checker.mspx

Every Password Is Important

Another thing to keep in mind is that some of the passwords you think matter least actually matter most.

For example, some people think that the password to their e-mail account isn't important because they don't get anything sensitive there. Well, that e-mail box is probably connected to your online banking account. If an attacker can compromise your email account they can then go to the Bank's Web site and tell them you've forgotten your password and they should have it e-mailed to your email account. Now, what were you saying about it not being important?

Frequently people reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device.

Of course, they've never bothered to change the default password on that device, so an attacker could scan your firewall, decide what type of router or firewall you have and then do a Google search on that device name and manufacturer to obtain the default password - after which time they will own you! Many firewalls and routers use the all numeric serial number of the device as the default password. You may think this is safe, as who will know the serial number of your device? By referencing the information above, you now know how fast they can obtain access to your router or firewall.

Select and change your passwords according to the suggestions above and you'll be much, much safer online.

All this advice is free - but could be worth saving your identity.