“Why do I have to change my password every 3 months? It’s so unnecessary, who would want to get into my account?”

“Why is ‘123456’ not a good password? It is easy to remember!”

“Why all these capital letters and numbers and stuff mixed up in passwords? It is so difficult to remember them!”

“My password is ‘password’, nobody will guess that!”

Believe it or not, these are the sorts of comments that we encounter almost on a daily basis at the FHSCUA Help Desk. You would think that these would come from highschool children, but these are Medical student undergraduates, and one comment (I won’t say which one) came from a department head!

The aim of this article is to help you better understand the security of your own passwords and how to boost that security, and it centres around the premise that if I asked you the following question, what the answer would be?

“If you invited me to try and crack your password – you know the one that you use over and over for everything, how many guesses would it take before I got it?”

Here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 8 digits of your ID number.
3. 12345678.
4. “password”
5. Your city, or university, rugby team name. (Sun123456, Bloubulle1 sound familiar?)
6. Date of birth – yours, your partner’s or your child’s.
7. “wagwoord”
8. “letmein”
9. “qwertyuiop”
10. Your girlfriend or boyfriend’s name (a favourite amongst students)

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers have developed a whole range of tools to get at your personal data. And the main obstacle standing between your information remaining safe, or leaking out, is the password you choose. (Ludicrous but true, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

• You probably use the same password for lots of stuff right?
• Some sites you access such as your Bank or work network probably have pretty decent security, so I’m not going to attack them.
• However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
• So, all I have to do now is to use the “bruteforce” software on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
• Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
• But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache.

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of my hacking computer, and the speed of my Internet connection.

For instance, adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that, how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0′, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. There is also a free, open-source program, KeePass that works very well, while others swear by the cross-platform, browser-based LastPass.)
7. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network — after which time they will own you!

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

Some extracts from John Pozadzides’ Onemanblog

1: There are only 200-300 hardcore spammers worldwide.

They account for the overwhelming majority of junk e-mail. This idea is a staple of mainstream media. But I’ve never encountered anyone able to source this stat—and I’ve asked. DMA head Bob Wientzen cites it often. On a recent panel discussion, he was asked where the figure came from. He replied just that week he’d “talked with the FBI.” This neither answers the question nor addresses the fact he and others have bandied the figure about for years.

My guess is the assertion had its genesis in the ROKSO list of known spam operations. These are spammers who have been booted from ISPs three times or more. Although the list doubtless includes plenty of nasty characters, ROKSO’s methodology hasn’t changed in years. Meanwhile, spammers’ techniques are increasingly sophisticated and elusive. If the figure isn’t wholly untrue, it’s certainly unproven.

2: Most spam comes from outside the U.S.

Maybe it does, maybe it doesn’t. So what? Where spam comes from is of significantly less interest than where it originates. Europeans claim most spam is American. Americans point to Asia, Eastern Europe, and Latin America. It’s reminiscent of Germans dubbing a certain malady “the French disease,” while the French called it “the English disease.” Speaking of English—as long as it’s the broadly spoken international language and the lingua franca of large, wealthy nations, rest assured English-language spam will proliferate, wherever it comes from.

3. Spam legislation can end the problem.

No, it won’t (see no. 2, above). But a federal law can help lay a foundation of rhyme, reason, and consistency. International cooperation will help even more. New technology is also essential. There really is no silver bullet.

4. The definition of spam is…

Congress hasn’t enacted federal spam legislation, in part because a definition hasn’t been reached. Anti-spam absolutists will tell you spam is e-mail from anyone unknown to the recipient (even a friend of a friend). The Direct Marketing Association (DMA) has defined spam as “only porn and scams, sent fraudulently.” (This definition makes a federal law superfluous; these are already covered by legislation.)

Spam will be defined. And redefined. The Supreme Court hasn’t been able to nail the definition of “obscenity” for the past 50 years. As Justice Stewart so infamously said, “I know it when I see it.”

5. Legitimate marketers don’t spam.

Oh, yes they do. This is true only for those whose definition of spam is the egocentric “e-mail sent by others, not by us.” Former ClickZ contributor Nick Usborne coined the term “white-collar spam” in a recent New York Times interview to describe the phenomenon.

Like Mafia capos, white-collar spammers tend to engage henchmen (list outfits, renegade affiliates) to do the dirty work. White-collar spam is why the awful new California law takes pains to indemnify advertisers, not just senders. As Sen. Murray said, “We’re going after Disney, and we’re going after Viagra [Pfizer].” Current and former “legitimate” spammers (many are DMA members) include Kraft Foods, Palm, AT&T, and countless major banks and lenders.

6. Opt-in is a sufficient spam deterrent.

No, it isn’t. Opt-in can cover marketers’ and publishers’ rear ends under state spam laws if they can produce records of opt-in date, time, and IP address. Soon, some clever attorney will think this through to the next step. Anyone who knows your address can opt you in to a single opt-in mailing list (happens to us at ClickZ all the time). Black Hat developers write bots that can opt you in again and again—ad infinitum, literally. One day, someone will prove in a court of law she couldn’t possibly have opted in on a particular date and time from a Fargo, ND, IP address. Double confirmed opt-in is the way to go.

7. Never opt out.

The public’s heard this so often, they accept it as gospel. A recent Bigfoot Interactive study found 58 percent of respondents believe unsubscribing from unwanted e-mail actually results in more unwanted e-mail. Bad as the spam problem is, sometimes good judgment and common sense can prevail. Educated (not just alarmed) consumers are less inclined to report as spammers known and trusted senders just to get off their lists.

(Ed. This is a very debatable and reckless point, and my experience – not what I have been told – tells me that using the opt-out options in most “automated spam” is a one-way trip to futility. If you report legitimate lists as spam just because you are too lazy to “opt-out”, the risk of this having an effect on the “poor” list will be minimal compared to a world-wide spam bot network getting hold of your “opt-out” details for further abuse, is higher!)

8. Microsoft is committed to helping end the spam epidemic.

Its executives are certainly committed to saying they are. These days, Bill Gates is front and center: testifying before the Senate; penning a Wall Street Journal editorial; putting millions up in bounty for spammer arrests; building a Web page for consumers; and forming an Anti-Spam Technology & Strategy Group, “fighting spam from all angles—technology, enforcement, education, legislation and industry self-regulation.”

When I meet members of that group, I always ask the same question. Every version of the Windows OS that shipped prior to XP’s release last year is configured—by default—as an open relay. Millions have been upgraded to broadband. Ergo, most PCs on planet Earth emit a siren call to spammers: “Use me! Abuse me!” Why won’t Microsoft tell its millions of registered customers how to close the open relay?

I usually get a stunned, rather slack-jawed reaction to the query, but never an answer. Yet their boss told the Senate to “capture all bad actors involved in sending unlawful spam, including those who knowingly assist in the transmission of unlawful spam.”

9. A do-not-e-mail database will stop you from getting spam.

Bovine Faecal Excrement!. Do-not-call works because relative to e-mail addresses, there are very few phone numbers (most belong to families and businesses, not to individuals). And every phone number is tied to a name and address. The average Web user has three e-mail addresses, not necessarily tied to any personal identification. These can be acquired and discarded as casually as Kleenex. Many services promote “disposable” e-mail addresses. Once shucked, there’s nothing to stop an address from being used by someone else. As the Federal Trade Commission will tell you, there’s no way this can work under present circumstances. E-mail isn’t the telephone.

10. Spam can take down the whole Internet.

No, say the experts at the Internet Engineering Task Force. But spam can take down your business or ISP. A hacker can cripple a network with an e-mail-distributed DoS attack—or a worm or virus. Servers overload or crash. Networks clog with traffic. Spam doesn’t “break” the Internet, but it can make it seem that way.

by Rebecca Lieb