Advanced Computer Security and Password Theory – Updated
Every few months, one or another major site for articles on technology will tell you that something as obvious as running with scissors is a bad idea and then go into great detail with instructions about how to not run with scissors. For example, being looked directly in the eye and being told not to use the word password (or abcdef or 123456) as a password in a tone that makes such advice sound as if it’s wisdom from the Mount is stunningly difficult to listen to.
You will never get banal advice from me. Just blunt advice that I will try to make interesting to read. I’d rather give you something to think about. After that, it’s up to you.
Is password a Bad Password?
Generally, yes, but sometimes it’s OK.
Assume you have no Facebook experience and you decide to open an account under a fake name just to look around. You expect to forget about the fake account in a couple of weeks and open a real one later or completely lose interest. You’re not sure which yet. What’s a good user name or password? In my case long ago, I was one of several hundred Facebook users named Slam Dunk (I thought I was being original at the time), and my password probably was password or something similar. I didn’t care enough about the account to put effort into thinking up a good one or trying to remember it.
The moral: don’t sweat the password (or user id) if you don’t care about the asset being protected. The most important thing is not forgetting it, especially if you used a fake or disposable email address on the application. I can’t tell you how many low value accounts I’ve opened and later couldn’t get back into because I tried to be clever and forgot how I signed up. Today, I hide in the crowd by using the same extremely common fake user ids and a password I don’t mind being written down in plain sight.
Also, you might not want to use your favorite clever and secret password for a junk account or a normal account. If you have millions of dollars on deposit at an on line brokerage, you might consider using a unique password there. It seems a little risky to use the same password to protect your life savings that you use for the account you sign into when your newspaper is late or you want to request a vacation delivery hold. Just because they say they encrypt passwords at the newspaper, how do you know that for a fact?
Getting Past the Front Gate
The gatekeeper has three tools to make sure the right people get in. Each can be used individually or in combination. They are:
- Something you know – such as a password, a mother’s maiden name, or which secret picture is the correct one
- Something you have – such as a USB drive, a mobile phone number, or a computer certificate
- Something you are – such as a fingerprint
If you’re setting up your own security, then the password is only one tool in your toolbox. If you’re using someone else’s front door and playground, then you’re limited by their creativity and definition of liability. When you opened your account, the web site probably stated they have no liability of any kind for any issues that may arise and you, by clicking OK or just by continuing, stated you’re good with that. The law might have a different idea and ultimately bail you out somewhat, but your agreement with wild west rules won’t help your cause if the worst case happens.
So you might want to consider ranking the importance of your on line accounts, starting with junk accounts at the bottom and really important ones at the top. As the potential cost of loss rises, so should the thoughtfulness level applied to account security.
Just about all online accounts work at the Something you know level. You know a password, the name of a first pet, and whether the picture of the bird or something else is the one you selected to make sure you’re not on a spoof site.
Google, Microsoft, and others include the Something you have level by sometimes requiring you to enter codes they phone or text you as additional validation.
… now for a brief interlude … a few updates …
Getting Past the Front Gate – Part 2 [Update May 18, 2015]
Just worrying about passwords is old school now. In fact, they’re not the ‘front gate’ any more. Your router is. Just about everybody is scanning you, probably even now as you read this. An open source program called ZMap can scan the entire IPv4 address space in a few minutes. Download a copy. Use it for good or not. It’s your choice. You and anyone else who downloads it can search for vulnerabilities or do scholarly research or both. All you need is some know how and a good internet connection. Anyone who finds a vulnerability may exploit it, warn you about it, or just say “that’s nice” and feel smug about it.
I’m a newcomer to knowing just how common and pervasive scanning the internet has become. My router logs noticed Chinese hackers and the like and, recently, researchers from a noted university poking around. Somewhat shocked, I assumed that students were using university equipment to hack the internet. I sent some emails and was politely mocked for being shocked. I was told I should have known by one polite mocker. The students turned out to be nosy researchers who were just poking around because they could. Basically, the response was “He didn’t know he was being scanned. Ha Ha. What a jerk. I thought everyone knew that.” But a little less snarky.
Anyone who gets past the router can be even more clever and take over your computer. Your router is the new front gate.
Fortunately, all hacker attempts were blocked by features built into virtually all routers. Stateful Packet Inspection is the first line of defense. NAT is another. Stateful Packet Inspection, also called SPI, essentially allows in traffic that is in response to something you originated. Anything originated elsewhere is blocked. NAT, or Network Address Translation, lets a private internal network share your one outside internet address; that internal network is generally not accessible directly from the internet. Your one IP address is multiplexed into a large number of internal addresses and your router keeps track of them. Universal Plug and Play (UPnP) is also built into your router. It opens ports (which are similar in concept to TV channels) that allow access from the internet to a device on your internal network. Generally, you want to keep UPnP turned off and only turn it on briefly when you connect a device to your internal network that needs to be configured, such as a Slingbox. Then turn off UPnP when the router recognizes the device and makes allowances for it on the network. If that doesn’t work, port forwarding is required. DD-WRT left those ports open. A different router didn’t, which, come to think about it, was probably the correct way to handle it.
A little Googling introduced me to some sites that tested my home network for open ports. ShieldsUP! tested for UPnP vulnerabilities. YouGetSignal tested to see if some common ports were open. PCFlank allowed me to test even more ports. My router passed every test.
And the researchers … they appeared, to me, to have an ivory tower orientation. They were more interested in scanning and cloistered research projects than applying what they know at the street level. All the knowledge they must have … and I have to resort to Google to figure out if they or their kind did, or could have done, any harm. The moral: I don’t have one. I’m still on a slow burn.
Getting Past the Front Gate – Part 3 [Update: June 16, 2015]
You might be thinking “Whew. I’m safe because all my passwords are stored online with professionals and everything is encrypted.” I’ve got some bad news for you. Even password storage sites accessible online are hackable. LastPass, a company that offers online password storage, suffered some level of hack. According to their press release, it does not look like anyone stole the crown jewels. Stored passwords are still safe, although the master password to each account might be compromised along with other personally identifiable information. LastPass asks users to please change their master password.
The moral: If you use any on line storage facility for personal information, you have at least TWO front doors to now worry about. Yours, and theirs.
Getting Past the Front Gate – Part 4 [Update: June 29, 2016]
A lot has changed on my home network over the past year. I wired the lower level of my home with cat6. The full network is mostly wired instead of mostly wireless. I built the main router using a Supermicro micro-itx fanless PC motherboard with a pre-installed Intel J1900 processor, along with a 120GB SSD and 8GB RAM. The SSD and RAM capacities are overkill but I wanted the device to be useful for other duties if needed.
pfSense was selected to control the router. Snort and pfBlockerNG assist in firewall duties. Weeding out the false positives was an annoyance, but both are pitbulls. It’s not a wireless router. I still use two, however. One wireless router works as a wireless access point. The other is a wireless bridge to get the signal where the wires couldn’t go.
pfSense supports multiple simultaneous OpenVPN servers. One is used for pass-through; this allows me to browse the internet securely via public wi-fi. The other is for bridging into the home network. Security is tight. Both servers require the remote device to have specific certificates installed and the user id must correspond to the specific certificate. The server that bridges requires two passwords.
Once on the local network, I can get into a home file server or use Microsoft Remote Desktop to access a laptop PC I use as a full time media server. TeamViewer also works well in this regard although I prefer access over the local lan exclusively, not via a server somewhere that always keeps the door cracked open a little for easy access. In that case, your security is no better than theirs, assuming your configuration of their software was done correctly and thoughtfully. Hence my preference for using OpenVPN for exclusive access to the local lan. The single gateway is easier to secure. No port forwards are needed, except for the ones maintained automatically by OpenVPN.
Allowing access from the WAN, or from outside the network, without tight controls that you design yourself is just asking for trouble. Even better, OpenVPN is almost stupid simple to configure on pfSense, although you still need to understand OpenVPN and the use of certificates, which can be a little complicated.
Getting Past the Front Gate – Part 5 [Update: April 4, 2017]
Double NAT is usually considered to be a bad thing. It rarely works as well as your imagination said it would and sometimes doesn’t work at all.
One somewhat clever application of double NAT I have played with rather successfully is combining DD-WRT with a commercial VPN on the inside router. When successfully configured, everything connected to the inside router, wired and wireless, goes to the internet via the commercial OpenVPN tunnel. Your traffic on that subnet is (hopefully) hidden from your ISP. The subnet on the main network is used for services such as Hulu and everything else that might not work on the inside network. StackSocial re-markets some incredible values on lifetime VPN subscriptions. Each vendor who supports OpenVPN router configurations provides instructions for their particular service. Not all support DD-WRT and some support several different routers. Each vendor offers a varied number of simultaneous connections so shop carefully. Google some reviews.
… Back to the original article … lots of good stuff follows
How Can I Set Up a Safe Website?
The biggest problem with most sites is that hackers have to guess only one thing to get past the front gate. Your email address is usually your user id. If people don’t already know it, they can get it without a lot of work.
If you have the ability to change your user id, then your account effectively has two passwords. If your user ID is Smith and your password is Jones, simply changing your user ID to Apple and your password to Pie makes things far more difficult for the brute force attacker.
If you’re a programmer or are setting up something with a little flexibility, consider having your user type two passwords. Most hackers, I assume, would rather go somewhere else where they only have to guess one password to have their way. Dual passwords may be cumbersome, but the protection level rises immeasurably. Given the number of successful hacker attacks reported each year, a little inconvenience is a small price to pay for a higher level of security for those naked pictures of yourself you put out on the cloud. If a second password is too far over the top, perhaps a required security question would be a little more agreeable.
Including a ‘maximum number of tries’ field in the user profile limits the number of sign in attempts. Giving the user control over this field, along with a ‘time to wait’ feature would keep the robots away.
Even including an annoying captcha type entry would slow down the bots and drive all but the most dedicated hacker a little nuts.
How Do They Guess My Password?
Sometimes they don’t guess your password. They find out the password of whatever is guarding the front gate. Then it’s party time. The crooks get all the passwords all at the same time. Hopefully, the repository holding all the passwords is encrypted.
Crooks can be clever so I really have no idea of all the techniques they use to get into your private stuff. Go to a search engine and type How To Hack and you’ll find articles, lessons, and risk free, legal places of education that exist to teach you and hone your hacking skills. Like all things, there’s probably an app for it and some YouTube videos.
Sometimes the friend or employee you trusted turns out to be a goofball who tells someone else your secrets and they go after you.
Some websites allow unlimited sign in attempts. Good sites may lock you out after three failed sign in attempts. Others just say ‘Sorry, please try again’ until the right password is entered. Access to unlimited attempts allows a perpetrator to perform a dictionary attack. In this case, a computer tries a long list of common passwords, hoping one works.
Some passwords are not actually saved in readable form, but in what’s called a hash. To make a hash, a password is subjected to a security algorithm that translates it from something readable into a long stream of nonsense characters. A small change in normal text can make a big change in the resulting hash. When you change your password, it’s turned into a hash of the password and the hash is what’s saved at the website. Your password never goes across the internet, only a hash of it.
Clever people have noticed that some hashes follow certain patterns and, using extreme effort, they can be worked backward into a readable password. CloudCracker does this for a nominal fee and has caused the PPTP VPN to become risky to use.
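The ‘maximum number of tries’ and ‘time to wait’ profile fields suggested earlier, set against the dictionary attack described in this section, in an added example that is not from the original article. The class and function names, the PBKDF2 settings, the word list and the fake clock are all assumptions made for the illustration; the account stores only a salted hash of the password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor picked for this example

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; only this value is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    max_tries: int        # the 'maximum number of tries' profile field
    wait_seconds: float   # the 'time to wait' profile field
    failures: int = 0
    locked_until: float = 0.0

class FakeClock:
    """Manually advanced clock so the example runs without real waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds

class LoginGate:
    def __init__(self, clock):
        self.clock = clock
        self.accounts = {}

    def register(self, user_id, password, max_tries=3, wait_seconds=300.0):
        salt = os.urandom(16)
        self.accounts[user_id] = Account(
            salt, hash_password(password, salt), max_tries, wait_seconds)

    def attempt(self, user_id, password):
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(user_id)
        if acct is None:
            hash_password(password, b"\0" * 16)  # same cost as a real check
            return "denied"
        if self.clock() < acct.locked_until:
            return "locked"  # during the wait the guess is not evaluated
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= acct.max_tries:
            acct.locked_until = self.clock() + acct.wait_seconds
            acct.failures = 0
        return "denied"

# Constructed word list; the first three are the passwords the article names.
COMMON = ["password", "abcdef", "123456", "qwerty", "letmein",
          "dragon", "monkey", "apple pie"]

def replay_guesses(gate, clock, user_id, guesses, seconds_between=1.0):
    """Feed guesses at a fixed rate; return (guesses_evaluated, got_in)."""
    evaluated = 0
    for guess in guesses:
        result = gate.attempt(user_id, guess)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            return evaluated, True
        clock.advance(seconds_between)
    return evaluated, False

def compare_policies():
    """Same weak password, without and with the two profile fields."""
    results = {}
    for name, tries in (("unlimited", 10**9), ("three_tries", 3)):
        clock = FakeClock()
        gate = LoginGate(clock)
        gate.register("apple", "apple pie", max_tries=tries, wait_seconds=300)
        results[name] = replay_guesses(gate, clock, "apple", COMMON)
    return results

if __name__ == "__main__":
    print(compare_policies())
```

A lockout keyed only on the user id also lets anyone who knows that id keep the real owner waiting, which is one more reason to keep the user id secret.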
How Do I Stay Safe? Consider a Unified Threat Management Gateway
There’s no such thing as absolute safety. The best you can do is be thoughtful and make an effort not to make it easy for the bad guys.
Devices called Unified Threat Management Gateways (UTM Gateways) are starting to be developed for the home market. It’s still a wide open field. The UTM Gateway will almost certainly become the next big thing in home internet protection once the product is better defined for home use. The intention of UTM Gateways is to keep the bad guys from all devices on your network, including those which don’t allow you to install malware protection, such as baby monitors and smart TVs. They also provide a first layer of defense for PCs with malware protection.
UTM Gateways are relatively common for commercial networks. They can be somewhat complicated to set up and operate. They’re the next big thing for home networks. They combine advanced intrusion detection and prevention mechanisms and include anti-virus and spam protection. Some are installed before your router while others replace your router or plug into it. For maximum protection, an annual subscription to protective software is required. The first companies to figure out how to economically assemble effective and easy to use home devices with an affordable annual subscription will become household names.
One of the design problems UTM Gateway manufacturers face is the trade-off between internet speed and traffic scanning. Basically, the faster the speed, the more powerful the UTM device needs to be. The UTM device must scan all traffic that passes through it, preferably both ways. It will keep the bad guys out and prevent your PC from joining in. This requires a lot of processing power to do well, especially if your internet connection is fast. A network with a very fast internet connection and a lot of devices could potentially require a UTM gateway that’s as powerful as an entry level desktop PC, especially if it’s asked to perform a lot of services. Otherwise, the internet connection will slow down to the maximum capabilities of your firewall.
On the downside, UTM devices cannot scan encrypted traffic. Putting the virus detector on one won’t work very well if HTTPS is used in the file transfer. They can’t read the encrypted traffic any better than the bad guys. They excel at address blocking. pfSense, and probably others, use lists of malicious addresses and other various clues to keep the bad guys out and prevent someone in the house from unintentionally reaching out to them.
UTM Gateways generally require subscription services to keep current with the latest threats. Some blocklists and other resources are free. Others are not. Snort and Suricata provide intrusion detection and intrusion protection services. They are subscription based. Snort offers free signatures if you’re willing to accept ones that are 30 days old (not too bad, really). A paid annual subscription for an individual, as opposed to an enterprise, is $30/yr (not too bad, really). A business level subscription is costly.
Unfortunately, they’re not set and forget type devices. The home network administrator must frequently investigate why connections that used to happen without concern just stopped working. While it’s possible you were just saved from an assault, it’s also likely you have to fix a false positive. For example, a software update that occurs normally may be interpreted as an attack on your network. You will have to go to the UTM interface, find the blocked IP address page, figure out which entry corresponds to the blocked software update, unblock it, and tell the gateway to ignore that IP address in this context forever-more. It’s a nuisance, especially if a family member is nagging you about why they can’t use the internet until you figure out how to unblock them, or if you should, but it’s also next-level protection.
As with everything, there are debates about the usefulness of placing anti-virus protection on a UTM gateway. Lots of people believe it’s a great idea. Others say it gives a sense of false security since a virus arriving encrypted via HTTPS will probably be undetectable. Ad-blockers at the router level can impair useful sites and require network administration to resolve, yet some block lists with ad detection help with the household Android traffic.
Once UTM gateway manufacturers figure out the false positive issue and make it easy to resolve them, everyone will have a home security device connected to their home internet. This will probably not happen soon. An educated and motivated home network administrator is required for this level of protection. Sorry. Even then you still have some risk, just much less.
Some people build their own home routers and install software that performs both routing and firewall protection. Sophos, pfSense, Untangle, and IPFire offer open source or free versions of their router software. Basically, you install the router software on a new or spare PC and that becomes your new router – firewall – UTM gateway. The PC requires special equipment, such as network cards that provide at least two network connections (one for in, and one or more for out). Some network cards work better than others. Enthusiasts believe that Intel based network interfaces work best. USB 3.0 oriented network ports are said to not work in this configuration, just in case you thought about turning an old laptop into a new router. Some enthusiasts might try to put the software router in a virtual machine and use virtual network cards for the physical connection.
None of the software router / firewalls are especially easy to use, but none are impossible to figure out either. All offer professional, commercial quality routing and protection. Like anything, you sit down and figure it out. User forums and PDF documentation are available for assistance. YouTube is also valuable. Be aware that many users consider the one they know to be the best and think the others couldn’t catch a cold.
After you install one, your current wireless router becomes your wireless access point.
For now …
You can make a burglar go somewhere else by making your house look like too much work and risk. A storm door provides a layer that could make a burglar look for a house without one. Leaving the lights on or having a porch camera or two, functional or not, makes you look less attractive unless you have something they really want.
On the internet, everyone looks alike. There’s no such thing as a barking dog. Everyone is homogenized into one faceless, featureless, mass. Everyone is free game. It’s up to you to harden your defenses and maintain your privacy.
Making your important passwords complicated helps.
First, keep your user id a secret. Passwords are only 1/2 of the equation. Even the correct password is useless if the user id is unknown.
Secondly, a password that’s too complicated to remember is a bad password.
If possible, make sure you have some means to recover your password if what you’re accessing is going to ruin your life if you can’t get back in.
Some helpful people have created web sites that tell you the strength of your password, or prospective password.
How Secure Is My Password will tell you how many seconds, hours, or years a determined hacker will take to crack your password.
The Password Meter is pretty good.
Intel provides a password evaluator.
Microsoft’s advice is worth reading. Take a phrase known to you and mix it up a bit. The phrase will be easier to remember. Mix it up using a substitution pattern that feels comfortable. Microsoft forgot to mention special characters, such as @, &, and $.
What About Fingerprint Readers?
You can change your user-id. You can change your password. You can’t change your fingerprint. If someone manages to copy it onto something that works like a finger, it might open the kingdom’s doors. Google provides several hacks.
Yes. Now that you understand the importance of passwords, you need a little insight into how to protect them. Like almost everything else, you have to put in a little effort to do it well. You are potentially at risk from anyone who can gain access to your computer. This includes Cousin Roy or Aunt Minnie, both of whom don’t like you very much. It also includes hacking entrepreneurs worldwide who want a little extra folding money and see you as a means to an end. Two big helpers are password managers and internet security software.
A variety of password managers and encryption programs are available via download. Some are free and others are not. A search engine can quickly call up a list of titles and opinions about which is best. I prefer free over not free, but I’m not you. The downside risk of using a password manager is that a motivated sneak is only one password away from breaking into the candy store. My blunt advice, if you choose to use a password manager or encryption program, is:
- Deny knowing about them to anyone who asks
- Deny using them if someone believes you know of them
- Looking a little stupid can be strategically useful from time to time.
- Don’t tell anyone which one you use, if any
- Encrypt, encrypt, encrypt
- Don’t make your encrypted passwords accessible over the internet. Better yet, store the file off line on a flash drive.
- Change your important passwords regularly, don’t sweat the junk accounts
- An encrypted drive is useful but even they have limitations. Backing up a drive when it’s open for use can create an un-encrypted backup.
- An encrypted drive that’s open for use is open for everyone. Un-encrypted passwords on an encrypted drive that’s unlocked are just a text file.
A normal password just to sign on is helpful, but easily gotten past if someone can gain complete control of your computer and remove the hard drive. This is not true for drives encrypted with Microsoft’s BitLocker. A stolen drive that’s encrypted with BitLocker is said to be quite secure provided the computer wasn’t / isn’t turned on and active at the time of the theft.
A good anti-virus and/or Internet Security Software that’s highly rated by people who test such things is essential. A search engine and a phrase such as best internet security will get you started. This will, hopefully, prevent a Trojan horse program from spilling your secrets by identifying it at the time of download.
Something to protect you from keystroke logging should be considered. Lists of current anti-loggers are available on the internet. Zemana and QFX Software offer free versions. This will help you prevent password discovery from the inside if a keystroke logger gets installed.
Sandboxie provides you with a sandbox environment for your browser and whatever else you choose to run sandboxed. Free and paid versions are available. Sandboxie is not totally user friendly and can be a little quirky, but the publisher is dedicated to making the software work well. You can tell Sandboxie to delete or erase a sandbox after the last program in it closes. Thus, any gremlins accidentally downloaded and not copied over into the main computer disappear automatically. If you put the sandbox in a ram disk, you have even fewer worries since it automatically disappears every time you shut off your PC. If malware infects your sandbox while browsing, don’t worry. It will vanish and so will the problems it caused when you delete the sandbox.
If you use a VPN, avoid PPTP encryption. This is a common protocol and is usually the one used by free DDNS oriented home VPN servers. PPTP can be hacked by someone with moderate technical skills and a little determination. SSL is still considered safe but it takes a little skill on your own part to implement. Subscribing to a VPN service can make browsing via public WiFi a much safer experience and is generally easy to implement.
Daily use of free CCleaner is also useful. This program cleans out a lot of the muck and flotsam each web session automatically writes to your PC in addition to removing a lot of the junk that accumulates during normal operation.
I don’t mean to scare you but …….
My home network is scanned from all over the world, 100s of times a day. Nonstop. So is yours. I see their daily attempts in my various router logs. I have no idea what they want, but I personally assume they are up to no good. Some claim to be ‘security researchers’. I have no idea what that means. To best protect yourself, keep as few ports open towards the internet as possible. None if possible or practical in your situation. Protect the open ones with encryption certificates, passwords, and user ids known only to you. If someone Googles your IP address, the search results might point directly to a door a device of yours created on your home network. Google is amazing in how well it finds places to go on the internet. (This also implies someone with no bad intent can accidentally attempt entry to an exposed device if Google finds it and it’s not protected properly.) Turn ‘off’ the ability to remotely log into your home router unless you really really need that capability. SPI and NAT can’t protect you if a port is left open. You need to take the initiative from there. Keep all firmware updated as directed by the people you got it from.
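One way to separate the scanning noise in a router log from an actual open door, as an added example that is not from the original article. It counts blocked inbound probes per port and lists every inbound connection the firewall passed. The sample lines are constructed with documentation address ranges, the interface name em0 is an assumption, and the comma-separated layout is assumed to follow pfSense’s raw filterlog format for IPv4 TCP/UDP; check the field positions against your own logs.

```python
from collections import Counter

# Constructed sample lines (documentation address ranges). The field layout is
# assumed to match pfSense raw filterlog entries for IPv4 TCP/UDP.
SAMPLE_LOG = """\
Jun 29 03:14:07 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,242,54321,0,none,6,tcp,44,203.0.113.7,192.0.2.10,51234,23,0,S,1,,1024,,
Jun 29 03:14:09 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,240,54322,0,none,6,tcp,44,203.0.113.8,192.0.2.10,40112,23,0,S,7,,1024,,
Jun 29 03:15:30 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,52,1111,0,none,17,udp,129,198.51.100.9,192.0.2.10,40000,1900,109
Jun 29 03:16:02 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,242,54323,0,none,6,tcp,44,203.0.113.7,192.0.2.10,51240,22,0,S,9,,1024,,
Jun 29 03:20:41 fw filterlog[411]: 77,,,1700000001,em0,match,pass,in,4,0x0,,118,2222,0,DF,6,tcp,52,203.0.113.50,192.168.1.20,49152,3389,0,S,2,,64240,,
Jun 29 03:21:00 fw filterlog[411]: 5,,,1000000104,em1,match,pass,in,4,0x0,,64,3333,0,DF,6,tcp,60,192.168.1.20,198.51.100.80,50000,443,0,S,3,,64240,,
Jun 29 03:22:10 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,50,4444,0,none,1,icmp,28,203.0.113.7,192.0.2.10,request,1,1
"""

WAN_IFACE = "em0"  # assumed name of the internet-facing interface


def parse_entry(line):
    """Return a dict for an IPv4 TCP/UDP entry, or None for anything else."""
    # Drop the syslog prefix ("... filterlog[pid]: ") if one is present.
    payload = line.split("filterlog", 1)[-1].split(": ", 1)[-1]
    f = payload.strip().split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    if not f[21].isdigit():
        return None
    return {"iface": f[4], "action": f[6], "direction": f[7],
            "proto": f[16], "src": f[18], "dst": f[19], "dport": int(f[21])}


def summarize_wan(log_text, wan_iface=WAN_IFACE):
    """Summarize traffic arriving on the WAN side of the firewall."""
    blocked = Counter()   # (proto, port) -> number of blocked probes
    sources = set()       # distinct addresses that were blocked
    passed = []           # inbound connections that were let through
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or e["iface"] != wan_iface or e["direction"] != "in":
            continue
        if e["action"] == "block":
            blocked[(e["proto"], e["dport"])] += 1
            sources.add(e["src"])
        elif e["action"] == "pass":
            passed.append((e["src"], e["proto"], e["dport"]))
    return {"blocked_by_port": blocked,
            "blocked_sources": len(sources),
            "passed_inbound": passed}


if __name__ == "__main__":
    report = summarize_wan(SAMPLE_LOG)
    for (proto, port), n in report["blocked_by_port"].most_common():
        print(f"blocked {proto}/{port}: {n}")
    print("distinct blocked sources:", report["blocked_sources"])
    for src, proto, port in report["passed_inbound"]:
        print(f"PASSED inbound from {src} to {proto}/{port}: is this port meant to be open?")
```

Blocked entries are the background scanning; anything under passed inbound is a port forward or rule that lets the internet reach a device and deserves a second look.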
Change the default password on your router. Change the default user id if you can and disable ‘admin’ or whatever it’s called afterward, if you can.
The hard drive on your old PC knows a lot about you. Just about everyone knows that ‘delete’ really doesn’t delete very much and that formatting a hard drive just makes it easy to ignore the data that still remains on the drive. You can use software to erase partition contents, but are you really sure it erased the data completely? Well, if you encrypt the hard drive and then erase it, there’s little to read even if a clever soul un-formats the drive or un-deletes what is found. Here’s more about that.
Feel free to add more ideas in the comments.