
Fun with passwords

Matthew Pettitt is an expert in computer security issues. He was recently placed in the top 12 of the UK Cyber Security Challenge entrants, having competed against 4000 others for this distinction.

Most people nowadays have dozens of accounts for different online sites and services. Every site you visit seems to demand another account, and for each account you need a password. Surely it can’t hurt to reuse a password?

Wrong!

For example, Andrew has accounts with his online banking service (userid ANDY897829), a popular microblogging service (@andrew), a small forum site for collectors of vintage coffee grinders (username CoffeeAndy), and an online bookstore (username Andrew). He’s also got an online email service, where he has the email address andrew@example.com.

He uses the same password for the microblogging service, the forum and the bookstore, but decides to pick a completely different password for his banking and email services.

Everything seems fine, until one day he visits the forum to find a message saying that the user database has been stolen (these were nice hackers – generally, sites don’t find out until their users start having problems), and that he should change his login password. It’s a bit inconvenient, but he changes his password, and thinks nothing more of the incident.

Until his next bank statement arrives, anyway. At that point, Andrew notices a number of orders from the online bookstore which he doesn’t remember making are listed on it.

What happened?

  1. The forum’s passwords weren’t hashed, or, just as good from the hackers’ point of view, were stored with reversible encryption
  2. The forum database contained his email address – this is fairly standard, and not a problem in itself, but it meant that the hackers could search the popular microblogging site for a user with that email address, and link CoffeeAndy with @andrew
  3. They then logged into his microblogging account, using the password from the forum database – at this point, the attack would have been stopped if he’d used different passwords for each account
  4. At this point, they still don’t know about his bookshop or banking accounts, so they looked through his direct messages. At some point in the past, just before Christmas, Andrew had sent a link to his wishlist on the online bookstore to a friend: http://bookshop.example.com/wishlist/Andrew
  5. Now the hackers have his bookshop username. They log in, using the same password, and change the email address on the account, then start spending, using the “one click” purchase option – it asks for a password, but not for bank card details. They are careful only to order downloadable items – the one click option doesn’t let them change the delivery address – but that includes music, ebooks, downloadable films, software, gift vouchers…
  6. Once they’re done, they change the email address back, so Andrew never knows that they’ve been into his account, until his bank statement arrives

The important thing to note with this is that the bank login details are never compromised. There is no benefit to the hackers in attempting to get into the online banking system, most of which are multi-factor protected anyway (so you need a password and some other code, either based on a “secret phrase”, or from a code generator, which gives out codes based on the current time that are only valid for a short while).

It also doesn’t matter that the accounts have different usernames, as most people connect accounts, either consciously (“Find friends on these services! Just enter your username now!”) or through other means (such as posting links to your posts on a forum, posting the same status message to multiple services, sending links to one service using another).

The whole attack relied on a single password being used – it became the weak link in the chain. It didn’t help that the forum used bad password storage, but given unique passwords for each service, it wouldn’t have mattered.

How can you pick secure passwords?

  • Use a short phrase you can remember, possibly related to the site. Andrew could use “arabica_is_number_1” for his coffee forum, “7_coffeetable_books” for his bookshop, “short_sweet_160” for his microblog. By chaining multiple words together, the search space a brute force attack has to cover is increased massively, and because the phrases relate to the sites, they are easier to remember than random strings.
  • Use a base password, and a way of adding site uniqueness to it that is secret. Andrew could use “c0ff33” as his base password, then create “cf0ofrfu3m3” by interleaving “forum” with it, “cb0ofofk3s3hop” by interleaving “bookshop” and “cm0ifcfr3o3blog” by interleaving “microblog”. It would be even better to have a more complex base password, or a different interleave pattern, such as interleaving backwards, or putting pairs of letters together. The idea is that you only have to remember one password and one method, which is a lot easier than remembering lots of fully unique passwords.
  • Use a password safe. Programs such as KeePass let you store passwords in a password protected file. You remember the password to the file, and can access all the other passwords, copy them to your clipboard, paste them into password fields, and never have to deal with them. They can also generate really complicated passwords (e.g. “TR%:,AJ?8a8-]S78h’*V”) which are virtually impossible to brute force. They have the downside that you can’t access your accounts if you don’t have your password file and the software, or if you forget the master password, but if you pick your password safe software carefully, you should be able to find a single password file format that works on all your computers and on your mobile phone: keep one file in sync, and you can work anywhere.
    It’s even safe to email this file, as long as the master password is kept secure, since it’s encrypted – KeePass uses the AES cipher, which is certified for use for “Top Secret” information in the USA, for example.
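The interleaving scheme from the second bullet, as an added example that is not part of the original article: it reproduces the three passwords given above from the base “c0ff33”, and generalises the method to the two variations the bullet mentions, interleaving the site name backwards and alternating pairs of characters. The function names are my own.

```python
# Added example (not from the article): derive per-site passwords by
# interleaving a secret base password with the site's name.
from itertools import zip_longest


def interleave(base: str, site: str, reverse: bool = False, group: int = 1) -> str:
    """Alternate chunks of `base` and `site`, starting with `base`.

    reverse=True feeds the site name in backwards; group=2 alternates pairs
    of characters instead of single ones. When the lengths differ, the
    leftover tail of the longer string is appended unchanged.
    """
    if reverse:
        site = site[::-1]
    base_chunks = [base[i:i + group] for i in range(0, len(base), group)]
    site_chunks = [site[i:i + group] for i in range(0, len(site), group)]
    out = []
    for b, s in zip_longest(base_chunks, site_chunks, fillvalue=""):
        out.append(b)
        out.append(s)
    return "".join(out)


def derive_all(base: str, sites: list[str], **kwargs) -> dict[str, str]:
    """Map each site name to its derived password using one fixed pattern."""
    return {site: interleave(base, site, **kwargs) for site in sites}


def all_distinct(derived: dict[str, str]) -> bool:
    """Sanity check: no two sites may end up sharing a password."""
    return len(set(derived.values())) == len(derived)


if __name__ == "__main__":
    # The article's own sites and base password.
    sites = ["forum", "bookshop", "microblog"]
    plain = derive_all("c0ff33", sites)
    backwards = derive_all("c0ff33", sites, reverse=True)
    pairs = derive_all("c0ff33", sites, group=2)
    for name, variant in [("plain", plain), ("backwards", backwards), ("pairs", pairs)]:
        print(name, variant, "distinct:", all_distinct(variant))
```

A practitioner's caveat: the scheme only stays secret while the pattern does, so a longer base password and a password safe for anything important remain the stronger choices.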
Written by Matthew Pettitt
