Twitter Adopt 2FA; Here Is What You Can Do
Posted: 23 May 2013 09:01 AM

In the wake of recent account compromises, including the Associated Press and the string of breaches claimed by the "Syrian Electronic Army", Twitter has released 2FA (two-factor authentication), a welcome addition that bolsters users' security. It is not, however, the be-all and end-all: users are still responsible for choosing strong, hard-to-guess passwords. On the many sites that offer no second factor the password is the only barrier, and if it is compromised, control of the account may be lost to malicious actors.

It is true that, given enough time and resources, every password can be brute-forced regardless of its complexity: a pass-string of 200 random characters falls to the same exhaustive search as a one-character password, only after astronomically more guesses. The aim of a long, complex pass-string is therefore to make that search temporally infeasible. Let's first look at the total number of possible combinations for a given base of elements (the size of the character set the password is drawn from) and length.

The table itself is not reproduced here; it listed, for each base, the number of possible strings of a given length. Because characters may repeat and order matters (the count is of ordered sequences, not sets), that number is simply base raised to the power of the length: 26^8 = 208,827,064,576 for eight lowercase letters, 36^8 ≈ 2.8 × 10^12 for lowercase plus digits, and 95^8 ≈ 6.6 × 10^15 for the full printable ASCII set.

The first row, eight positions drawn from the 26 lowercase letters, contains every eight-letter English word (summing the rows for lengths 1 to 7 adds only about 4% more strings and takes in every shorter word too), though the overwhelming majority of its 2 × 10^11 strings are gibberish. This may seem an unattainable number of combinations, but with a modern GPU (Graphics Processing Unit) computing a fast hash at up to 772 MH/s (772 million hashes per second), the whole row is exhausted in around 270 seconds, or about 4.5 minutes. Two caveats apply. The rate depends entirely on the hash: the post does not say which algorithm was benchmarked, but figures of that order belong to fast, unsalted hashes such as MD5 or SHA-1, while a deliberately slow password hash such as bcrypt or PBKDF2 brings the same hardware down by several orders of magnitude. And it is an offline rate, against a hash database the attacker has already stolen; guessing against a live login form is bounded by the server's response time and whatever throttling it applies.
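To put numbers on the table the post refers to, here is an added example (not code from the original post) that computes base^length for the character sets above and converts each row into a time-to-exhaust. The 772 MH/s figure is the post's; the slow-hash and throttled-login rates are assumptions chosen only to show the scale of the difference.

```python
"""Rebuild the keyspace table the post refers to and turn each row into a
time-to-exhaust at several guessing rates.  Added example; not code from the
original post."""

# "Base of elements": the size of the character set a password is drawn from.
CHARSETS = {
    "lowercase a-z": 26,
    "lowercase a-z + 0-9": 36,
    "upper + lower + 0-9": 62,
    "all printable ASCII": 95,
}

# Guesses per second.  772e6 is the GPU figure quoted in the post for a fast
# unsalted hash; the other two rates are assumptions for comparison only.
RATES = {
    "offline, fast unsalted hash (772 MH/s)": 772e6,
    "offline, slow KDF such as bcrypt (10 kH/s, assumed)": 1e4,
    "online, throttled login form (10 guesses/s, assumed)": 10.0,
}


def keyspace(base: int, length: int, up_to: bool = False) -> int:
    """Number of distinct strings of `length` symbols from `base` symbols.
    Symbols may repeat and order matters, so it is base ** length; with
    up_to=True every length from 1 to `length` is counted."""
    if up_to:
        return sum(base ** n for n in range(1, length + 1))
    return base ** length


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every string; the expected time is half of it."""
    return space / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def table(length: int = 8) -> list:
    """One row per character set: (name, base, keyspace, {rate label: seconds})."""
    rows = []
    for name, base in CHARSETS.items():
        space = keyspace(base, length)
        times = {label: seconds_to_exhaust(space, rate) for label, rate in RATES.items()}
        rows.append((name, base, space, times))
    return rows


if __name__ == "__main__":
    for name, base, space, times in table(8):
        print(f"{name:22s} {base}^8 = {space:,}")
        for label, secs in times.items():
            print(f"    {label:52s} {human_time(secs)}")
```

Run it and the first row reproduces the post's figure (26^8 at 772 MH/s is about 4.5 minutes); the same row against a throttled login form or a slow KDF is measured in centuries, which is the whole argument for throttling and slow hashing on the defending side.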

 

A user is unlikely to choose 8 arbitrary characters for a password typed every day; a typical string has some semantic content, such as a dictionary word and the various mutations thereof. Knowing this, crackers have produced many aids for this type of attack: wordlists (dictionary files), "rules" that mutate each word, and precomputed lookup tables that map hashes back to plaintexts. Rainbow tables are the compact form of the latter: rather than storing every hash/plaintext pair, they store chains of alternating hash and reduction steps and recompute the chain on lookup. All of the precomputed approaches are defeated by a per-user salt, which makes the same password hash differently for every account; wordlists and rules are not.

To give an example of how quickly weak passwords can be cracked, we set up a test using a simple Python script and Backtrack 5's Hydra on a machine with a moderate GPU, and targeted a test SMTP account. (Hydra does online guessing, submitting each candidate to the mail server over the network, so the rate in this test is bounded by the server's responses, not by the GPU; the GPU figures above apply to offline cracking of leaked hashes.)

Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2013-05-23 07:08:12

……

login: ******   password: dave123

[VERBOSE] using SMTP LOGIN AUTH mechanism

1 of 1 target successfully completed, 1 valid password found

Hydra finished at 2013-05-23 07:08:51

<finished>

The password, dave123, was drawn from an alphabet of only 36 characters (lowercase a-z and 0-9) and, as the timestamps show, was found in 39 seconds.

While major sites will have (or should have) authentication attempt throttling and account lockout, it's not uncommon for minor sites to allow unlimited attempts against an account. Coupled with password reuse, that is a huge problem: the weakest site holding a password becomes the place it is cracked, and every other site where it is reused falls with it.

Users I have spoken to told me they use different passwords for different sites in almost all cases. When quizzed further, I found they typically used the same base string with some simple mutations, for example:

password
Password
Passw0rd
passw0rd!1
pa$5w0rd!1

Knowing the base string, a very simple substitution algorithm (leetspeak digits, appended symbols and so on) recovers every one of these variants in seconds. It's trivial for an attacker to automate the whole chain: crack the credentials held by some forgotten, poorly protected server, then replay the user name with each password variant against every other site where that user name exists. That is how one minor breach turns into compromises of the accounts that matter.
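The mutation attack described above, as an added example that is not part of the original post: a small rule engine generates case, leetspeak and suffix variants of a base word and checks them against a list of unsalted hashes. The "leaked" list is constructed here from the five variants listed above, SHA-1 stands in for whatever unsalted hash a careless site might use, and the substitution table is an assumption, a fraction of what a real rule set contains.

```python
"""Rule-based password mangling versus a list of unsalted hashes.  Added
example, not code from the original post; the 'leaked' hashes are built from
the five variants listed above."""

import hashlib
import itertools

# Substitution table (assumption): a fraction of what a real cracking rule set contains.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
SUFFIXES = ["", "1", "!", "!1", "123", "2013"]


def leet_variants(word: str, max_subs: int = 3):
    """Yield `word` with up to `max_subs` leetspeak substitutions applied at
    any combination of substitutable positions."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    yield word
    for k in range(1, min(max_subs, len(positions)) + 1):
        for combo in itertools.combinations(positions, k):
            choices = [LEET[word[i].lower()] for i in combo]
            for replacement in itertools.product(*choices):
                chars = list(word)
                for i, r in zip(combo, replacement):
                    chars[i] = r
                yield "".join(chars)


def mangle(base: str):
    """Every candidate an attacker derives from one base word: three casings,
    leet substitutions, then a suffix.  Duplicates are suppressed."""
    seen = set()
    for cased in (base.lower(), base.capitalize(), base.upper()):
        for variant in leet_variants(cased):
            for suffix in SUFFIXES:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1, standing in for whatever fast hash a careless site uses."""
    return hashlib.sha1(text.encode()).hexdigest()


def crack(hashes, base_words):
    """Return {hash: plaintext} for every hash matched by a mangled base word.
    Unsalted hashes need one hash computation per candidate, no matter how
    many users share it."""
    targets = set(hashes)
    found = {}
    for base in base_words:
        for candidate in mangle(base):
            digest = sha1_hex(candidate)
            if digest in targets and digest not in found:
                found[digest] = candidate
                if len(found) == len(targets):
                    return found
    return found


if __name__ == "__main__":
    # Constructed "leak": the post's five variants of one base word.
    leaked = [sha1_hex(p) for p in ("password", "Password", "Passw0rd", "passw0rd!1", "pa$5w0rd!1")]
    candidates = sum(1 for _ in mangle("password"))
    recovered = crack(leaked, ["password"])
    print(f"{candidates} candidates tried, {len(recovered)}/{len(leaked)} hashes recovered:")
    for digest, plain in recovered.items():
        print(f"  {digest[:12]}...  {plain}")
```

All five variants fall out of well under a thousand candidates derived from the single word "password", which is why a leaked "different" password from a minor site is as good as the original to an attacker.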

 

As Twitter will attest, secure, hard-to-guess pass-strings and, where possible, differing user names are an absolute must for anybody who uses systems, applications, or sites accessible to others. Remember, it's not just the internet that has people after your credentials; rogue employees and disgruntled exes, to name but two, are also on the lookout for your details.

 

To ensure accounts are as secure as possible, it’s advisable to:

  1. Use strong, hard to guess, non-dictionary pass-strings. If the app doesn't allow you to use a mix of alphanumeric and special characters, you may not want the owner to have your details.
  2. Never, ever reuse passwords. It’s also good practice to not reuse passwords with simple substitutions.
  3. Ensure old accounts are deactivated where possible. Although you cannot trust a database would be purged of credentials, it’s certainly a start.
  4. Think before signing up to a site or service; always read their security policy.
  5. Be vigilant! Phishing is an easy-win for cyber criminals, so don’t give them an easy ride – sites and services will (or should) _never_ ask for your password via email.

 

Abiding by these rules will help make passwords as secure as they can be.

Drendell_

Reports of 6.4 Million Stolen LinkedIn Passwords
Posted: 06 Jun 2012 03:44 PM

LinkedIn is investigating reports that approximately 6.4 million user passwords have been posted on the Web. While the breach is still unconfirmed by LinkedIn (as of the time that we wrote this blog), they have acknowledged on their Twitter feed that their investigations have begun.

If you're a LinkedIn user, Websense® Security Labs™ recommends that you change your password immediately to help prevent your password from falling into the wrong hands.

 

After retrieving the password files being distributed on forums in the .ru TLD space, it appears that the passwords are hashed. The hashes are unsalted SHA-1, however, and based on the samples we have seen it has not been computationally difficult to translate them back into clear text: with no salt, every user who chose the same password has exactly the same hash, so a single dictionary pass recovers all of them at once, and the most popular passwords stand out by simple frequency counting before any cracking begins. Our initial investigations reveal that a password of "linkedin" features heavily.
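An added example (not Websense code, and not LinkedIn data) showing why an unsalted dump yields so easily, and what the alternative looks like: a constructed dump of unsalted SHA-1 hashes is frequency-counted and dictionary-cracked, then the same passwords are stored with a per-user salt and PBKDF2-HMAC-SHA256, an assumed choice of slow KDF, so that equal passwords no longer produce equal records.

```python
"""Unsalted hash dump versus salted, slow storage.  Added example; the dump is
constructed here and is not LinkedIn data."""

import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """How the weak site stores a password: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def most_common_hashes(dump, n: int = 3):
    """With no salt, equal passwords give equal hashes, so the most frequent
    hash in the dump is the most popular password, before any cracking."""
    return Counter(dump).most_common(n)


def dictionary_crack(dump, wordlist):
    """One hash per dictionary word recovers every account that chose it."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    return {h: lookup[h] for h in set(dump) if h in lookup}


def store_salted(password: str, salt=None) -> str:
    """Hardened storage: random per-user salt plus a slow, iterated KDF.
    Record format (assumed): hex(salt) + '$' + hex(digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_records_equal(password: str) -> bool:
    """Two users with the same password get different records, so neither the
    frequency trick nor a shared dictionary pass works; each record costs
    PBKDF2_ITERATIONS hash computations per guess."""
    return store_salted(password) == store_salted(password)


if __name__ == "__main__":
    # Constructed dump: five users, three of whom chose "linkedin".
    dump = [unsalted_sha1(p) for p in ("linkedin", "linkedin", "password", "linkedin", "wJq8#pL2")]
    print("most common unsalted hashes:", most_common_hashes(dump))
    print("cracked with a 3-word list:", dictionary_crack(dump, ["123456", "password", "linkedin"]))
    record = store_salted("linkedin")
    print("salted record:", record)
    print("verify right/wrong:", verify_salted("linkedin", record), verify_salted("linkedln", record))
    print("same password, equal records?", salted_records_equal("linkedin"))
```

The frequency count alone tells the attacker which hash to crack first, and a three-word list recovers four of the five accounts with three hash computations; against the salted records the same attack costs one full KDF run per word per account.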

It is uncertain how the hackers retrieved the stolen passwords; however, the passwords that users are finding in the hashed files do appear to be real. We have identified the locations of several such password files and have classified those locations as Hacking.

So you may be asking how this list of stolen passwords can be used by a hacker.

The most damaging combination would be the corresponding user name together with the recovered password. With that pair, a hacker can simply log in to an individual's LinkedIn account.

Once access to LinkedIn, or any social network, is obtained, it could be used to send direct messages to contacts within the network or to auto-post to linked social networks, harming the reputation of the individual or the business they represent.

And because the recovered plaintexts show exactly what people choose, the list itself becomes a wordlist: dictionary attacks against other sites become easier with this intelligence, and any user who reused the same password elsewhere is exposed there too.

 

Even if these reports remain unconfirmed, it is definitely a good time to adopt sound practices around password security to help protect against malicious activity.

We in the Security Labs would like to offer the following recommendations:

  • Change your password regularly.
  • Ensure your password is suitably complex both in content and length; using a combination of numeric and alphabetic characters is a wise idea, as is mixing upper and lowercase characters with punctuation marks. Longer passwords are preferable.
  • Do not use the same password across multiple services.
  • If the website you are connecting to has the option of using the HTTPS protocol, as opposed to HTTP, make use of that.

Carl Leonard

Deciphering in psychological terms
Posted: 21 May 2010 02:18 AM

Cryptography is an interesting topic for security research. Recently a researcher put out a "decode me" challenge, and this blog describes what we did; it may help others with more experience in cryptography solve the challenge once and for all.

The first step was to decode the garbled message shown below. The "==" at the end is the padding base64 adds when the input length is not a multiple of three bytes, a strong hint that the message is base64 encoded.


%~~~~~~~~~~~~~~~~~~~~~~~~%
|H4sIAAAAAAACA3P3dLOwTOxh|
|YGF4zsBg7tHJMApGwYgE////|
|V/zJwsjF8I9BB8QH5QkGjhYG|
|xj/MD' gULH|
|JrY' BbVi|
|Tlx| Y4NgmoOxWoxH4yL5d|
|VDR| oTseHh8f6WK359lQU|
|qJy\ \YJOGt|
|xhN5I\ \dlr|
|qoJvnIznRDXvHjPWZ |SY7|
|Lz31nKtYPklkV0F6w |AKr|
|1E17 ,Vk5|
|afng ,hp63R|
|VsvNzy8u9qpU670lon11hvnS|
|KNWuSS+vrvNf3HV05beU0NXB|
|p71kJQQYrAFt8kQCpwMAAA==|
%~~~~~~~~~~~~~~~~~~~~~~~~%

 

After removing blanks, commas, and the other decorative characters, and then base64-decoding what was left, we got a binary stream. The stream started with the bytes 0x1F 0x8B, the magic number of a gzip header (the base64 prefix "H4sI" decodes to exactly 1f 8b 08, the magic followed by the deflate compression-method byte). Decompressing the stream with gzip gave a GIF picture that showed a URL for the next challenge. In that challenge, players were asked to decrypt a cryptogram, a paragraph taken from a book:
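The first step of the challenge as a reusable decode pipeline, added here and not part of the original write-up: strip everything outside the base64 alphabet, decode, check for the 1f 8b gzip magic, and decompress, reporting which stage failed if one does. The framed blob it is run on is constructed inside the block (a gzip of a short text), not the challenge's own image.

```python
"""Decode pipeline for the first challenge step: strip the frame, base64-
decode, check the gzip magic, decompress.  Added example; the framed blob it
runs on is constructed here, not the challenge's own picture."""

import base64
import binascii
import gzip
import re

NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")
GZIP_MAGIC = b"\x1f\x8b"


def strip_frame(text: str) -> str:
    """Drop every character that cannot belong to a base64 string: box-drawing
    punctuation, blanks, commas, newlines."""
    return NOT_BASE64.sub("", text)


def decode_payload(framed: str) -> bytes:
    """Return the decompressed bytes, raising ValueError that names the stage
    that failed: padding in the wrong place, invalid base64, missing gzip
    magic, or a corrupt gzip stream."""
    b64 = strip_frame(framed)
    if "=" in b64.rstrip("="):
        raise ValueError("'=' inside the data: frame not fully stripped or data truncated")
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if not raw.startswith(GZIP_MAGIC):
        raise ValueError(f"payload starts with {raw[:2].hex()}, not the gzip magic 1f8b")
    try:
        return gzip.decompress(raw)
    except (OSError, EOFError) as exc:
        raise ValueError(f"gzip stream corrupt: {exc}") from exc


def decode_or_error(framed: str):
    """(payload, None) on success, (None, message) on failure."""
    try:
        return decode_payload(framed), None
    except ValueError as exc:
        return None, str(exc)


def frame(payload: bytes, width: int = 24) -> str:
    """Wrap the base64 of `payload` in a box like the challenge's, so the
    decoder can be exercised on realistic input."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + width].ljust(width) for i in range(0, len(b64), width)]
    border = "%" + "~" * width + "%"
    return "\n".join([border] + [f"|{row}|" for row in rows] + [border])


# Constructed sample: what the challenge did with a GIF, done with a short text.
SAMPLE_TEXT = b"Constructed payload: the next clue would be here."
SAMPLE = frame(gzip.compress(SAMPLE_TEXT))

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_payload(SAMPLE))
    print(decode_or_error(frame(b"not gzip at all"))[1])
```

The magic-byte check is what tells you the right container before you guess at the next step: 1f 8b is gzip, 50 4b is zip, 47 49 46 is a bare GIF, and so on.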


LFDT FXVT XQDT FTCL FCTB TPCY EGDJ
SRYP JPGC PTDD LFCJ PGNY ERLQ BLOY
DTFT CLFC TFXG RAYP BTPC YSFM YPRT
OLFC LFDG PYVT XQRA TFDG QRJP GCPT
DDYP QHYB LYUY HSRL FDTF XGRA YPVT
XQLR LQML IIYP YFRL FDGP YVTX QRAT
FDGQ RDTF TCYP QYWJ YER

 

The method by which I attacked this puzzle is best described as "Gestalt Psychology". After looking at the description, I knew that in this cryptogram, the key was created by taking the title of a book. The author gave very detailed information on the method of encryption. The indications were that the author had not expended energy on making the key hard to find, and therefore the book name might be well known,  making this only a game rather than an enigma.



First, I searched "most popular books" and found some clues. I tried to use allbookstores.com with no success, but goodreads.com was much more useful.

Goodreads.com is the largest social network for readers in the world. There are many popular books but which book's title would be the key? There was another possible clue in the background of the game. The author was a computer engineer, and those trying to decrypt the challenge are obviously a group of computer guys, so the kind of books they are most conversant with would be in the computer category. So I decided to search for the book's name in that category.

Finally, I tried the listed books as possible keys to replace the cipher text, and the third was correct. I had only heard of the famous one in the list, "The Mythical Man-Month", so I guessed it might be the key, and was lucky.

I took the title of the book and wrote down each unique letter from the title in the order it appeared. Once all letters from the title were used up, the remaining letters of the alphabet were added in order. The cipher table was:


input: ABCDEFGHIJKLMNOPQRSTUVWXYZ
output: THEMYICALNOBDFGJKPQRSUVWXZ

Replace each letter in the cryptogram using the cipher table (find the ciphertext letter in the output row and take the letter above it in the input row), and the plaintext was:

 

inma nywa ysma nagi ngal arge comp
uter prog ramm ingp roje ctis like
mana ging anyo ther larg eund erta
king inmo rewa ysth anmo stpr ogra
mmer sbel ieve buti nman yoth erwa
ysit isdi ffer enti nmor eway stha
nmos tman ager sexp ect


Then I corrected the segmentation of the words:

in many ways managing a large computer programming project
is like managing any other large undertaking in more ways
than most programmers believe but in many other ways it is
different in more ways than most managers expect
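The cipher, as an added example that is not the challenge author's code: `keyed_alphabet` builds the output row above from a title exactly as described (unique letters in order of appearance, then the unused letters A-Z), `decrypt` applies the inverse lookup to the cryptogram quoted above, and `best_key` automates the trial of candidate titles with a crude common-word score. The shortlist of titles passed to `best_key` is an assumption.

```python
"""Keyword-mixed alphabet cipher used in the second challenge step.  Added
example, not the challenge author's code; the candidate-title shortlist in
__main__ is an assumption."""

import string

ALPHABET = string.ascii_uppercase

# The cryptogram quoted above.
CRYPTOGRAM = """LFDT FXVT XQDT FTCL FCTB TPCY EGDJ
SRYP JPGC PTDD LFCJ PGNY ERLQ BLOY
DTFT CLFC TFXG RAYP BTPC YSFM YPRT
OLFC LFDG PYVT XQRA TFDG QRJP GCPT
DDYP QHYB LYUY HSRL FDTF XGRA YPVT
XQLR LQML IIYP YFRL FDGP YVTX QRAT
FDGQ RDTF TCYP QYWJ YER"""


def keyed_alphabet(key: str) -> str:
    """Unique letters of `key` in order of first appearance, then every
    letter of A-Z not yet used, in alphabetical order."""
    seen = []
    for ch in key.upper():
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen) + "".join(c for c in ALPHABET if c not in seen)


def encrypt(plaintext: str, key: str) -> str:
    """Plain letter at index i of A-Z becomes letter i of the keyed alphabet."""
    forward = dict(zip(ALPHABET, keyed_alphabet(key)))
    return "".join(forward[ch] for ch in plaintext.upper() if ch in forward)


def decrypt(ciphertext: str, key: str) -> str:
    """Inverse lookup: find the letter in the keyed row, take the letter above it."""
    inverse = {c: p for p, c in zip(ALPHABET, keyed_alphabet(key))}
    return "".join(inverse[ch] for ch in ciphertext.upper() if ch in inverse)


# Crude "does this read as English" score for ranking candidate keys.
COMMON_WORDS = ("the", "and", "that", "with", "many", "ways", "like",
                "most", "than", "other", "more")


def english_score(text: str) -> int:
    text = text.lower()
    return sum(text.count(w) for w in COMMON_WORDS)


def best_key(ciphertext: str, candidates):
    """Try each candidate title as the key; return (title, score, plaintext)
    for the highest-scoring decryption."""
    trials = ((k, english_score(decrypt(ciphertext, k)), decrypt(ciphertext, k))
              for k in candidates)
    return max(trials, key=lambda t: t[1])


if __name__ == "__main__":
    print(keyed_alphabet("The Mythical Man-Month"))
    shortlist = ["Code Complete", "The Pragmatic Programmer",
                 "The Mythical Man-Month", "Design Patterns"]
    title, score, plain = best_key(CRYPTOGRAM, shortlist)
    print(title, score)
    print(plain.lower())
```

A wrong key produces a decryption in which the common words almost never appear, so even this crude score separates the real title from the rest of the shortlist by a wide margin; a proper attack on a monoalphabetic substitution would use letter and bigram frequencies and need no shortlist at all.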

 

See also: A Simple N-gram Calculator: pyngram. Thanks to Tamas Rudnai for his quick solution to the base64 decode challenge.

Hermes Li

Top Secrets About Your Passwords
Posted: 24 Feb 2010 07:52 AM

Recent hacker activity highlights how insecure we are in the online world. Black hats keep focusing on collecting passwords in many different ways. Instead of breaking the security of a system or brute-forcing pass phrases, they use a variety of easier techniques to get our credentials, such as setting up fake mailing lists, forums, and social network sites to harvest logon details. With that information there is a good chance that the attacker can sign in to valuable sites like social networks, or even online banks, with the same user name and password.

Four months ago we highlighted this problem in a blog. The main concern stems from the fact that most people use the same user name and password pair on many different sites. The reason is very simple: nowadays we have to authenticate to far too many services, and it is very hard to remember all of those credentials. Later on we will show some alternative methods for creating and managing passwords.

Because of this, a fake site can pose as a legitimate user forum or Web 2.0 site that requires registration before posting. When the user registers, the hacker immediately has everything needed for the attack: the user name and the matching password. The criminal can also collect other information, such as the IP address the user came from, his or her email address, gender, age and so on. From the email address, for example, a hacker can guess the mail server and possibly log in to it with the given password; one obvious use of that is to deliver malware through email or a spam campaign. Further, the bad guy can try the same credentials across well-known sites like Facebook, MySpace or Twitter. In the worst case, they can even log in to online banks and steal money, as suggested in Trusteer's Security Advisory.

There is nothing new about this type of fraud, really: similar techniques have been used for the last decade for stealing credit card numbers. However, there is a distinct difference between bank cards and passwords: we cannot change the number on the plastic card, but we could use a unique password for each site - so the real question is, is it actually our fault if someone gains an advantage because of our laziness?

 

The above example clearly shows the risk we take when signing up to a new site. So what, you might ask: I never visit malicious sites. Here is another scenario, then. You have visited a site for years and are certain that the company behind it is legitimate. Unfortunately, many Web sites store passwords in clear text, or as unsalted hashes that are barely better. An attacker who breaches the site therefore gets your password even if they know nothing about you. Just three months ago, the social network site RockYou was compromised and over 32 million user accounts were stolen, the passwords having been stored in clear text. These passwords can be used on other sites as well, thanks to our bad habit of reusing them.

Phish and chips

The figures show how large the problem is, and this is only a small part of the overall picture. Another favorite technique is the phishing campaign, which Websense has seen in high volume for years. This is another well-known way to trick unaware users into giving away their secrets, typically by sending an email that appears to come from a legitimate company or organization. The fake contents vary, and sometimes it is really difficult to spot the difference between a valid mail and a phishing mail, even for an experienced user. It can be a malicious link that looks normal, suggesting that the user log in to the site, or asking for a password reset due to various issues; it can also be an attachment that contains a password-stealing trojan. If there is an email in your inbox asking for a password, a big red flashing light should remind you of the danger: this is almost certainly a phishing scam, and you should delete the email without even reading it. If you are expecting such an email (for example because you explicitly asked your favorite site to reset your password), still do not follow the link in the message; copying and pasting it into the browser does not help either, because the destination is the same. Instead, go to the site by typing the address you already know or by using a bookmark, and complete the reset from there.

Secrecy of the secret word

There are many methods out there advising you how to generate a secure password for yourself. Some of them are even fun to apply, like picking your favorite cartoon characters and mixing them together, or taking the first letter of each word from a sentence that you can remember.

Nice, but are these really secure? To answer this question we need to raise a couple of other questions: didn't we just say that we must use an individual key for every single site we sign in to? Haven't we said that we should change passwords every so often on each of these sites? Then how can we remember tens or hundreds of these cartoon figures or favorite sentences that we used for the generation method?

 

One possible solution is to use password patterns. This means that we use basically the same pass phrase for every single site, but we insert some alteration into it each time. For example, if the secret word is "MyP@ssw0rd", we could use "MyP@ssG00gl$w0rd" and "MyP@ssY$h00w0rd" for Google and Yahoo respectively. They look different, they're easy to remember, and they seem to solve the problem of using the same password on different sites. However, anyone who sees two of them, say in two breached databases, can separate the static part from the dynamic part at a glance, and the dynamic part is just the site's name with a handful of substitutions; so the pattern does not really harden the authentication. We need another way of generating secure passwords that we can still retrieve later. There is a type of software that offers both, called a password manager.
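What an attacker does with two instances of such a pattern, as an added example (not from the original post): infer the static prefix and suffix from the two passwords above, enumerate leet spellings of a third site's name for the dynamic part, and compare the handful of resulting guesses with the keyspace of a manager-generated random password. The leet substitution table and the stem-truncation rule are assumptions.

```python
"""Pattern inference from two leaked instances of a 'site-varied' password,
versus a manager-generated random one.  Added example, not code from the
original post; the substitution table and truncation rule are assumptions."""

import itertools
import secrets
import string
from os.path import commonprefix

# Assumed leet table: which characters a user might swap for a letter.
LEET = {"a": "@4$", "e": "3$", "i": "1!", "o": "0", "s": "$5"}

# The two passwords from the post, as an attacker might find them in two breaches.
SAMPLES = ["MyP@ssG00gl$w0rd", "MyP@ssY$h00w0rd"]


def common_suffix(strings):
    return commonprefix([s[::-1] for s in strings])[::-1]


def infer_template(samples):
    """Split the samples into a shared prefix, a shared suffix and the
    per-site middles.  Returns (prefix, suffix, [middle, ...])."""
    prefix = commonprefix(samples)
    suffix = common_suffix([s[len(prefix):] for s in samples])
    middles = [s[len(prefix):len(s) - len(suffix)] for s in samples]
    return prefix, suffix, middles


def site_variants(site: str):
    """All spellings of the site name with each letter kept or leet-swapped,
    for capitalised and lowercase stems with and without the last letter
    dropped (assumed, to mirror the post's 'G00gl$' and 'Y$h00')."""
    stems = {site.capitalize(), site.capitalize()[:-1], site.lower(), site.lower()[:-1]}
    out = set()
    for stem in stems:
        options = [[c] + list(LEET.get(c.lower(), "")) for c in stem]
        out.update("".join(p) for p in itertools.product(*options))
    return out


def guesses_for(site: str, samples) -> set:
    """Candidate passwords for `site` once the template is known."""
    prefix, suffix, _ = infer_template(samples)
    return {prefix + middle + suffix for middle in site_variants(site)}


def random_password(length: int = 16,
                    alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """What a password manager generates instead: no shared structure at all."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    prefix, suffix, middles = infer_template(SAMPLES)
    print(f"template: {prefix}<site>{suffix}   observed middles: {middles}")
    guesses = guesses_for("facebook", SAMPLES)
    print(f"{len(guesses)} guesses for a third site, e.g. {sorted(guesses)[:3]}")
    print(f"versus {95 ** 16:.2e} possibilities for a random 16-character password "
          f"such as {random_password()}")
```

Two leaked instances reduce the third site's password to a few hundred guesses, well inside what even a throttled login form allows over a day; a random 16-character password from a manager leaves the attacker with 95^16 possibilities and nothing to learn from the other breaches.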

 

There are many solutions available for generating and storing our credentials. If you search for the phrase "password manager" on the Internet, you will see a huge selection of these. Such a tool removes both of the heaviest weights from our shoulders: in a split second we can have a new, random password, and it is stored in an encrypted file. All you then need to remember is one master pass phrase that unlocks the rest. Look at it this way: passwords are like keys, and a password manager is like a key box. You still need one key to open the box, but then you can reach every key stored in it.

Choosing the right tool

Before you select your password manager, check what it offers. First of all, there are two main types to choose from: online password managers and local ones. A local one can be used without Internet access, and the secret file is stored on your local hard drive or a USB stick. An online version puts all your credentials on a remote server, so you no longer rely on the safety of your local storage, and you can access the same password store from another place or computer.

 

There are many discussions about which one is safer. One side says that with an online version you have less control over who accesses your database, and there is a chance that a hacker could gain illegal access to the password database on the server. The other side says that your laptop is more likely to be stolen than an online security site is to be compromised, so the stored passwords are at greater risk on a laptop, not to mention the threat of password-stealing trojans. Rather than judging these arguments, we would only stress that whichever method you choose is most probably much safer than using weak and/or identical passwords on all forums and Web 2.0 sites. In either case everything hangs on the master pass phrase: it is the one password you must make long and unique.

Many thanks to Ivan Sabo for sharing his idea about this subject.

Tamas Rudnai

©2013 Websense, Inc. All Rights Reserved.