Last week we got a call from one of Lavie’s cousins. She and her husband had suddenly begun getting phone calls from concerned friends as well as strange “undeliverable” email notices.
Mysteriously, at least one email had been sent from their on-line email account to all the recipients in their contacts in batches of ten or so. Some folks had told them their own security apps had alerted when they tried to follow the link in the email.
It was pretty apparent to the couple that “something” was amiss with their PC, but exactly what, they weren’t sure. They had already downloaded a second anti-virus tool and scanned their system with nothing found. They decided to call me to see if I could help them. I recommended they change the password and any security challenge questions immediately, which they did, and then arranged a house call for the following day.
I already had a clue on what probably occurred, but went through my full checklist of items as I assessed the system. No rogue processes, no unexpected auto-start items. Additional security scans came through with flying colors.
Then I turned my attention to their email account. This particular email provider (unfortunately) doesn’t provide any IP-based user sign-in event logging like some other main-stream web-mail providers do. That would have provided golden information.
- Last account activity - Gmail Help
- Check if Your Gmail Account is Hacked with Activity Monitor - MakeUseOf
- Yahoo! Enables Monitoring of Login Activity for Better Account Protection - YDN Blog
What we did have was one overlooked original email in the “Sent” folder showing a send time of 8:15 PM Wednesday night. Neither of the couple reported being logged in on the system (or the email) at that time, so it seemed fairly certain that was when the event occurred.
I mailed that to myself to look into the URL more later.
They use IE 9 and the system was fully patched. Flash and Java were outdated, but not too bad.
Based on my survey and additional questioning, it appears to me that someone had “hacked” their account using some kind of brute-force attack, then quickly composed at least one email containing a single URL to everyone in their address book. I couldn’t find any evidence of a persistent threat on their system, and based on their feedback, I doubted a cross-site-scripting vulnerability had occurred.
Turns out hacking email accounts and appropriating them (even “non-maliciously”) for spamming is big business and a common event for many web-citizens.
- Hacked! - The Atlantic - James Fallows has a fantastic cautionary tale about the loss of an email account to a hack-attack.
- How Can I Find Out Why My Email Account Just Spammed My Friends and Family? - Lifehacker post has some tips on trying to get a handle on the aftermath cleanup.
This couple -- it turns out -- had been using a very weak password, so it probably fell pretty fast.
Turns out weak passwords remain a common plague.
ISC Diary | Analysis of the Stratfor Password List is another clear warning of this danger.
Steve Ragan posted a simply amazing Report: Analysis of the Stratfor Password List which has crazy fascinating data on passwords and just how weak most of them were, along with his own password cracking work to show just how easy these fall. See also: Researchers find many weak Stratfor passwords -Naked Security.
A brief Sony password analysis - Troy Hunt’s Blog
Your Top 20 Most Common Passwords - Tom’s Hardware
And just over the weekend there was this: Zappos customer info is breached. Change your password now! [Updated] - TechBlog via Chron.com
What is one to do? This maybe?
If you want a quick way to assess the complexity/strength of the passwords you may have stored in your web-browser or some Windows applications, check out the Password Security Scanner freeware tool by NirSoft.
Some highly recommended online locations to check your current password strength against are:
- Password Checker: Using Strong Passwords - Microsoft Security
- How Secure Is My Password? - website
- Password Strength Checker - The Password Meter
- Test Your Password - website
- Strength Test - Rumkin.com
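To show what those checkers are estimating behind the scenes, here is a small Python script I have added for this post; it is not code from the original write-up or from any of the sites linked above. It computes the brute-force key space from the character classes a password uses, spots a dictionary word hiding behind digits and “leet” substitutions (the kind of password that fell in the Stratfor and Sony dumps), and converts the key space into an expected cracking time at two assumed attacker speeds: slow online guessing against a web-mail login form and fast offline cracking of a leaked hash list. The word list, the substitution map and both guess rates are my own constructed assumptions, not figures from any study. It also makes the point from further down the post that length matters more than complexity: a 12-character lowercase-only password has more entropy than an 8-character one drawn from all four classes.

```python
import math
import string

# Character classes a brute-force attacker would enumerate. string.punctuation
# is the 32 printable ASCII symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed stand-in for the dictionaries and leaked-password lists real
# crackers try first (assumption: a handful of entries is enough to show the idea).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "iloveyou"}

# Assumed attacker speeds in guesses per second: online guessing against a
# web-mail login form versus offline cracking of a leaked fast-hash list.
ONLINE_RATE = 100.0
OFFLINE_RATE = 1e10


def alphabet_size(password):
    """Size of the smallest class-based alphabet that covers the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password):
    """Brute-force entropy: log2(alphabet ** length) == length * log2(alphabet)."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def looks_dictionary_based(password):
    """True if stripping leading/trailing digits and symbols and undoing common
    leet substitutions leaves a word from COMMON_WORDS (e.g. 'P@$$w0rd1')."""
    core = password.lower().strip(string.digits + string.punctuation)
    core = core.translate(str.maketrans("0134$@", "oleasa"))
    return core in COMMON_WORDS


def crack_time_seconds(password, guesses_per_second):
    """Expected seconds to exhaust the relevant search space. A decorated
    dictionary word is charged for the word list times an assumed 1000
    decoration variants, not for the full character-class alphabet."""
    if looks_dictionary_based(password):
        keyspace = len(COMMON_WORDS) * 1000
    else:
        keyspace = 2 ** entropy_bits(password)
    return keyspace / guesses_per_second


def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def assess(password):
    """One row of the report below, returned as a dict so it can be checked."""
    return {
        "password": password,
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "dictionary": looks_dictionary_based(password),
        "online": human_time(crack_time_seconds(password, ONLINE_RATE)),
        "offline": human_time(crack_time_seconds(password, OFFLINE_RATE)),
    }


if __name__ == "__main__":
    # Constructed samples: a decorated dictionary word, a short all-class
    # password, a longer lowercase-only one, and a long passphrase.
    for pw in ("P@$$w0rd1", "Xq7!Mz2#", "qzjvxtmbwdkp", "correcthorsebatterystaple"):
        r = assess(pw)
        print(f"{r['password']:<27} alphabet={r['alphabet']:<3} bits={r['bits']:<6} "
              f"dictionary={r['dictionary']!s:<5} online={r['online']:<20} "
              f"offline={r['offline']}")
```

The dictionary check is the part the simple online meters tend to get wrong: “P@$$w0rd1” scores 94 possible characters and 59 bits by the class formula, yet a cracker with a word list and a few mangling rules finds it in a fraction of a second, which is exactly what the Stratfor analyses linked above show.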
Coming up with a truly secure and complex password can be a major task for some folks. And the web has no dearth of fantastic advice on the subject of what defines a strong password and how to create one.
- Ten Things To Do to Secure an Important Person's Computer (or even Ashton's or a Kardashian's) - Scott Hanselman
- Ultra High Security Password Generator - GRC
- Password Haystacks: How Well Hidden is Your Needle? - GRC
- Flexible One-Time Password MetaSystem - GRC
- Password Advice - Bruce Schneier’s Schneier on Security blog
- Secure Passwords Keep You Safer - Wired Security Matters post
And just today, Lifehacker released a super-cool mega-graphic on password selection
Use This Infographic to Pick a Good, Strong Password - Lifehacker
Troy Hunt did a series of great, in-depth posts on password selection and science that are must-reads. I’m liking Troy’s writing and analysis and his blog has been added to my RSS must-read feed list.
- The science of password selection - Troy Hunt’s Blog
- I’m sorry, but were you actually trying to remember your comical passwords? - Troy Hunt’s Blog
- Bad passwords are not fun and good entropy is always important: demystifying security fallacies - Troy Hunt’s Blog
- The 3 reasons you’re forced into creating weak passwords - Troy Hunt’s Blog
- Who’s who of bad password practices – banks, airlines and more - Troy Hunt’s Blog
- The only secure password is the one you can’t remember - Troy Hunt’s Blog
Those last two points are my takeaways: that nothing is more frustrating than internal application or external website password policies that are weak by design and force me to use a short password, and that the best password is one so damn complex there is no way I can remember it, even under duress.
I prefer to use the longest password the site/application will accept based on character count. (By the way…seriously guys, place your password policy and field limits up front to make this easy to figure out!)
How do I come up with one? I use two tools, a portable password manager application that stores the passwords in an encrypted container and a utility to generate randomized gobbledygook passwords. In fact, many password managers include a generator as a built-in feature.
I linked to some of the GRC random password generators earlier but these other free portable password generation tools are great:
- Password Guru - CEZEO Software generates complex and secure passwords with rule filters for length and special characters.
- Password Generator - Gaijin Software - can generate up to 1000 passwords at once with advanced rule filters. Also includes a password checker to test password strength.
- Password GeneratorXP - I’ve been using an earlier version of this app for a very long time. Latest version is 1.5 updated in December 2011. Can generate random passwords up to 99 characters long! Rules allow character inclusion/exclusion and supports special symbols. Super app.
- PWGen - Open-Source Password Generator for Windows using AES and SHA-2 cryptography methods. Can support passwords up to a crazy 20,000 characters long, can be fed a word-list file if you prefer, can exclude “ambiguous” characters (like o and 0, l and 1, etc.). It can create up to 1,000,000 passwords at a time based on your rule patterns, or a single password instantly. The included manual file is great reading regarding password security in general and not just the program operation itself.
- PassworG - Free password generator software - pretty simple to use but strong password generator that might be easier for some folks to use.
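To make concrete what the rule filters in those tools actually do, here is an added Python example of my own, not code from this post or from any of the generators listed. It draws characters with the `secrets` module (a CSPRNG, which is the one property a generator must have; the PRNG behind `random` is predictable), applies PWGen-style rules for length, required character classes and exclusion of ambiguous characters, supports a site-specific exclusion list for forms that reject certain symbols, does batch generation, and builds a Diceware-style passphrase from a word list. The ambiguous-character set, the default symbol subset and the tiny word list are my assumptions. One design point worth noting: it enforces “at least one of each class” by rejection sampling rather than by picking one character per class and shuffling, because the latter skews the distribution and costs entropy.

```python
import secrets
import string

# Characters that PWGen-style tools let you exclude because they are easily
# confused in print or when read aloud (this particular list is my own choice).
AMBIGUOUS = set("0O1lI|5S2Z8B")

# Default character classes; the symbol set is a subset that most web forms
# accept without complaint (assumption: adjust to the site's stated policy).
DEFAULT_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-/=?@^_~",
}


def build_pools(classes=DEFAULT_CLASSES, exclude_ambiguous=True, exclude=""):
    """Apply the exclusion rules to each class; refuse to run with an empty class."""
    pools = {}
    for name, chars in classes.items():
        pool = [c for c in chars
                if c not in exclude and not (exclude_ambiguous and c in AMBIGUOUS)]
        if not pool:
            raise ValueError(f"character class {name!r} is empty after exclusions")
        pools[name] = pool
    return pools


def satisfies_rules(password, pools):
    """Every required class present and nothing outside the allowed alphabet."""
    allowed = set().union(*pools.values())
    return (all(c in allowed for c in password)
            and all(any(c in pool for c in password) for pool in pools.values()))


def generate_password(length=24, classes=DEFAULT_CLASSES,
                      exclude_ambiguous=True, exclude=""):
    """Uniformly random password over the allowed alphabet containing at least
    one character from every class. Rejection sampling keeps the distribution
    uniform over all rule-satisfying strings; 'one of each class, then shuffle'
    would bias it and leak structure to an attacker who knows the rule."""
    pools = build_pools(classes, exclude_ambiguous, exclude)
    if length < len(pools):
        raise ValueError("length too short to hold one character of every class")
    alphabet = sorted(set().union(*pools.values()))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies_rules(candidate, pools):
            return candidate


def generate_passphrase(words, count=6, separator="-"):
    """Diceware-style passphrase: each word drawn uniformly with secrets, so the
    entropy is count * log2(len(words)) no matter how ordinary the words look."""
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_many(n, **kwargs):
    """Batch mode like the tools above: n independent passwords."""
    return [generate_password(**kwargs) for _ in range(n)]


if __name__ == "__main__":
    print(generate_password())                          # 24 chars, all four classes
    print(generate_password(length=40, exclude="$%&"))  # for a site that rejects these
    # Constructed word list; a real one would be the full Diceware or EFF list.
    print(generate_passphrase(["anchor", "bramble", "copper", "dune",
                               "ember", "fjord", "glacier", "harbor"]))
    for pw in generate_many(3, length=16):
        print(pw)
```

Set the length argument to whatever maximum the site will accept, which is the same advice as above; the rejection loop stays cheap because with a long password nearly every candidate already contains all four classes.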
So how do you manage these complex passwords?
- KeePass Password Safe (or) KeePass Password Safe Portable is my personal preference. It has a ton of features, is free and portable, and has a lot of options for organizing the stored records. It is the cat’s meow.
- Password Safe is a similar password keeper that comes highly recommended. The interface might be just a bit more easy for some folks to take to as opposed to KeePass.
- Era Password manager is a nice password keeper tool again a bit simpler in interface but powerful under the hood if you go looking deeper.
- Password Corral by Cygnus Productions is pretty nice.
- Password Gorilla - See this Using Password Gorilla page for an overview.
Pick at least one tool from each category and learn to use them, then use them always.
And for those of you who say “Claus, put all my wicked crazy passwords (from PWGen) in an encrypted database password manager (KeePass) and stick them on my USB drive for fast access? What if I lose it?”
I suppose you could create a TrueCrypt encrypted file, then put the encrypted KeePass data base inside it…
Just be sure you select a different crazy complex random password for each of them.
And put them in another password manager for safekeeping in case you forget.