Top Secrets About Your Passwords
Recent hacker activity highlights how insecure we are in the online world. Black hats keep focusing on collecting passwords in many different ways. Instead of breaking the computer security system or brute-forcing pass phrases, they use a variety of easier techniques to get our credentials. The ways they make us give up sensitive information include setting up fake mailing lists, forums, and social network sites to harvest logon details. With this information there is a good chance that the attacker can sign in to valuable sites, such as social networks or even online banks, using the same user name and password.
Four months ago we highlighted this problem in a blog. The main concern stems from the fact that most people are using the same user name and password pair on many different sites. The reason behind this is very simple: nowadays we need to pass too many authentication protocols, and it is very hard to keep remembering all of those credentials. Later on we will show some alternative methods for creating and managing passwords.
Because of this fact, a fake site could act as a legitimate user forum or Web 2.0 site, which requires a user to be registered before making a post. When the user registers, the hacker immediately has access to all the information needed for the attack: the user name and the matching password. The criminal can also collect other information, like the IP address the user came from, his or her email address, gender, age and so on. From the email address, for example, a hacker can guess the mail server and can possibly access it with the given password. One obvious use of this is to distribute malware through email or a spam campaign. Going further, the bad guy could try the same credentials on many well-known sites like Facebook, MySpace or Twitter. In the worst case, they can even log in to online banks, which then allows them to steal money, as suggested in the Trusteer Security Advisory.
There is nothing new about this type of fraud, really: similar techniques have been used for the last decade for stealing credit card numbers. However, there is a distinct difference between bank cards and passwords: we cannot change the number on the plastic card, but we could use a unique password for each site - so the real question is, is it actually our fault if someone gains an advantage because of our laziness?
The above example clearly shows the risk we take when signing up to a new site. So what, you might ask: I never visit malicious sites. Here is another scenario then. You visit a site for years and you are certain that the company behind the site is legitimate. Unfortunately many Web sites store passwords in an unencrypted form. An attacker therefore has a chance to steal your password even if they do not know anything about you. Just three months ago, the social network site RockYou was compromised and over 32 million user accounts were stolen, as they were stored in clear text. These passwords could be used on other sites as well, thanks to the bad habit we have of using the same password.
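The clear-text storage described above is the mistake a site can avoid by never storing the password itself. The following is an added example, not code from the original post or from any of the sites it names: it contrasts a clear-text record with a salted, iterated PBKDF2-HMAC-SHA256 record that lets the site verify a password without being able to recover it. The iteration count, record format and function names are assumptions chosen for the demonstration; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters for PBKDF2-HMAC-SHA256 (assumed values for this demonstration;
# tune the iteration count to the hardware the site actually runs on).
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def store_cleartext(password: str) -> str:
    """The RockYou-style mistake: the stored record IS the password,
    so a database leak hands every user's credential to the attacker."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password
    get different records, and a precomputed table cannot be reused."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare
    in constant time; the site never needs the clear-text password back."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iters),
        dklen=len(hash_hex) // 2,
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    pw = "correct horse battery staple"
    print("clear text record :", store_cleartext(pw))
    record = hash_password(pw)
    print("hashed record     :", record)
    print("verify correct    :", verify_password(pw, record))
    print("verify wrong      :", verify_password("guess", record))
```

Because the salt is stored inside the record, the site can still verify logins after a leak, but the leaked file gives an attacker only salted digests that must be brute-forced one user at a time at the chosen iteration cost.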
Phish and chips
The figures show how serious the problem is, and this is only a small part of the overall picture. Another favorite technique is the phishing campaign, which Websense has seen in high volume for years. This is another well-known technique to trick unaware users into giving away their secrets. It could be done by sending an email that seems to be from a legitimate company or organization. The fake contents vary, and sometimes it is really difficult to spot the difference between the valid and the phishing mail, even for an experienced user. It can be a malicious link that looks normal, suggesting that the user should log in to the site, or asking for a password reset due to various issues; it can also be an attachment that contains a password-stealing trojan. If there is an email in your inbox asking for a password, a big red flashing light should remind you of the danger: this is possibly a phishing scam and you should delete the email without even reading it. But if you are expecting that email (for example because you explicitly asked your favorite site to reset your password), then you should not click on any link in the message, but rather copy and paste the link from the message into your browser.
Secrecy of the secret word
There are many methods out there advising you how to generate a secure password for yourself. Some of them are even fun to apply, like picking your favorite cartoon characters and mixing them together, or taking all the first letters of each word from a sentence that you can remember.
Nice, but are these really secure? To answer this question we need to raise a couple of other questions: did we not just mention that we must use individual keys for every single site we sign in to? Have we not said that we should change passwords every so often on each of these sites? Then how can we remember tens or hundreds of these cartoon figures or favorite sentences that we used for the generation method?
One possible solution is to use password patterns. This means that we use basically the same pass phrase for every single site, but we insert some alteration into it each time. For example, if the secret word is "MyP@ssw0rd", we could use "MyP@ssG00gl$w0rd" and "MyP@ssY$h00w0rd" for Google and Yahoo respectively. It looks different, it's easy to remember, and it seems to solve the problem of using the same password on different sites. However, it is quite easy to guess the static and dynamic parts of the password, so it does not really harden the authentication. We need to look for another way of generating secure passwords, and also something that is possible to remember in the future. There is a type of software that can offer both of these, called a password manager.
There are many solutions available for generating and storing our credentials. If you search for the phrase "password manager" on the Internet, you will see a huge selection of these. These tools can remove both of the heaviest weights from our shoulders: in a split second, we can have a new and secure password, and also it can be stored in a safely encrypted file. All you need then is to remember one master pass phrase that allows you to access the rest of your passwords. Look at it this way: passwords are just like keys, and a password manager is like a key box. You still need one key that opens up the box, but then you can access all of the keys that you store in it.
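The two jobs described above, generating a fresh random password per site and keeping all of them in one file that only a master pass phrase opens, can be shown in a few lines. The block below is an added example, not code from the original post or from any password manager product: it generates passwords from a cryptographically secure source, reports how many bits of randomness they carry (in contrast to the handful of site-specific characters in the pattern approach), and encrypts the "key box" with a key derived from the master pass phrase. To stay within the Python standard library it uses HMAC-SHA256 in counter mode as the keystream with an encrypt-then-MAC tag; a real manager would use an authenticated cipher such as AES-GCM instead. Function names, the iteration count and the vault layout are assumptions; the sample entries are constructed.

```python
import hashlib
import hmac
import json
import math
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ITERATIONS = 100_000  # assumed PBKDF2 cost for the demonstration


def generate_password(length: int = 20) -> str:
    """Pick each character with the OS CSPRNG, never with random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of randomness in a uniformly chosen password of this length."""
    return length * math.log2(alphabet_size)


def derive_keys(master: str, salt: bytes) -> tuple:
    """Stretch the master pass phrase into one encryption and one MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, nonce || counter) blocks used as a stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master: str, entries: dict) -> dict:
    """Lock the key box: fresh salt and nonce, encrypt, then authenticate."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master: str, blob: dict) -> dict:
    """Open the key box; a wrong pass phrase or a modified file fails the tag check."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master pass phrase or vault tampered with")
    plaintext = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample vault: one generated password per site.
    vault = {site: generate_password() for site in ("google.example", "yahoo.example")}
    print(f"each entry carries about {entropy_bits(20):.0f} bits of randomness")
    locked = encrypt_vault("one master pass phrase to remember", vault)
    print("on disk:", json.dumps(locked)[:80], "...")
    print("opened :", decrypt_vault("one master pass phrase to remember", locked) == vault)
```

The tag is checked before any decryption, so a wrong master pass phrase and a tampered vault file are rejected the same way, and a generated 20-character password carries roughly 131 bits of randomness, which no pattern built around one memorable secret word can match.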
Choosing the right tool
Before you select your password manager, check what it offers. First of all, there are two main types you have to choose from: online password managers and local ones. A local one can be used without Internet access, and the secret file is stored on your local hard drive or USB stick. Alternatively, an online version puts all your credentials into a remote server, therefore you are no longer relying on the safety of your local storage. Also, you can access the same online password storage from another place or computer.
There are many discussions about which one is safer. One side says that with an online version you have less control over who is accessing your database, and there is also a chance that a hacker could gain unauthorized access to the password database. Meanwhile, the other side says there is a bigger chance that your laptop will be stolen than that an online security site will be compromised. A stolen laptop therefore presents a higher risk with the stored passwords, they say, not to mention the threat of password-stealing trojans. Instead of making a judgment on these arguments, we would only like to stress that whichever method you choose is most probably much safer than using weak and/or the same passwords on all forums and Web 2.0 sites.
Many thanks to Ivan Sabo for sharing his idea about this subject.
Security Researcher: Tamas Rudnai