Monday, January 16, 2012

The Password is…

Last week we got a call from one of Lavie’s cousins. She and her husband had suddenly began getting phone calls from concerned friends as well as strange “undeliverable” email notices.

Mysteriously, at least one email had been sent from their on-line email account to all the recipients in their contacts in batches of ten or so.  Some folks had told them their own security apps had alerted when they tried to follow the link in the email.

It was pretty apparent to the couple that “something” was amiss with their PC but exactly what, they weren’t sure. They had already downloaded a second anti-virus tool and scanned their system with nothing found. They decided to call me to see if I could help them. I recommended they change the password and any security challenge questions immediately which they did, then arranged for a house-call the following day.

I already had a clue on what probably occurred, but went though my full checklist of items as I assessed the system. No rouge processes, no unexpected auto-start items. Additional security scans came through with flying colors.

Then I turned my attention to their email account.  This particular email provider (unfortunately) doesn’t provide any IP-based user sign-in event logging like some other main-stream web-mail providers do. That would have provided golden information.

What we did have is one overlooked original email in the “Sent” folder showing a mail time of 8:15 PM Wed night.  Neither of the couple reported being logged in on the system (or the email) at that time so it seemed fairly certain that is when the event occurred.

I mailed that to myself to look into the URL more later.

They use IE 9 and the system was fully patched. Flash and Java were outdated, but not too bad.

Based on my survey and additional questioning, it appears to me that someone had “hacked” their account using some kind of brute-force attack on their account, quickly they had composed at least one email containing a single URL to everyone in their address book.  I couldn’t find any evidence of a persistent threat on their system, and based on their feedback, I doubted a cross-site-scripting vulnerability had occurred.

For the really curious, here is a link to the urlQuery (free online URL scanner) findings from that particular URL I found: urlQuery scan result. Turns out that particular link leads to a compromised (?) website serving up fake AV scanner malware via some JavaScript code.  That is why some recipients of the email were likely getting alerts when they visited the site. Sneaky.

Turns out hacking email accounts and appropriating them (even “non-maliciously”) for spamming is big business and a common event for many web-citizens.

This couple -- it turns out -- had been using a very weak password so it fell probably pretty fast.

Turns out weak passwords remain a common plague.

ISC Diary | Analysis of the Stratfor Password List is another clear warning of this danger.

Steve Ragan posted a simply amazing Report: Analysis of the Stratfor Password List which has crazy fascinating data on passwords and just how weak most of them were, along with his own password cracking work to show just how easy these fall.  See also: Researchers find many weak Stratfor passwords -Naked Security.

A brief Sony password analysis - Troy Hunt’s Blog

Your Top 20 Most Common Passwords - Tom’s Hardware

And just over the weekend there was this: Zappos customer info is breached. Change your password now! [Updated] - TechBlog via

What is one to do? This maybe?


xkcd: Password Strength (see also xkcd: Password Reuse)

If you want a quick way to assess the complexity/strength of the passwords you may have stored in your web-browser or some Windows applications, check out the Password Security Scanner freeware tool by NirSoft.

Some highly recommended online locations to check your current password strength against are:

Coming up with a truly secure and complex password can be a major task for some folks. And the web has no dearth of fantastic advice on the subject of what defines a strong password and how to create one.

From SophosLabs via YouTube

And just today, Lifehacker released a super-cool mega-graphic on password selection

Use This Infographic to Pick a Good, Strong Password - Lifehacker

Troy Hunt did a series of great, in-depth posts on password selection and science that are must-reads. I’m liking Troy’s writing and analysis and his blog has been added to my RSS must-read feed list.

Those last two points are my takeways, that nothing is more frustrating that internal application or external website password policies that are weak by design and force me to use a short password. And that the best password is one so damn complex there is no way I can remember it, even under duress.

I prefer to use the longest password the site/application will accept based on character count. (By the way…seriously guys, place your password policy and field limits up front to make this easy to figure out!)

How do I come up with one? I use two tools, a portable password manager application that stores the passwords in an encrypted container and a utility to generate randomized gobbly-gook passwords. In fact, many of the first item include the second item as a built in feature.

I linked to some of the GRC random password generators earlier but these other free portable password generation tools are great:

  • Password Guru - CEZEO Software generates complex and secure passwords with rule filters for length and special characters.
  • Password Generator - Gaijin Software - can generate up to 1000 passwords at once with advanced rule filters. Also includes a password checker to test password strength.
  • Password GeneratorXP - I’ve been using an ealier version of this app for a very long time. Latest version is 1.5 updated in December 2011.  Can generate random passwords up to 99 characters long! Rules allow character inclusion/exclusion and supports special symbols. Super app.
  • PWGen - Open-Source Password Generator for Windows using AES and SHA-2 crytography methods. Can support passwords with up to a crazy 20,000 length, can be fed a wordlist includes file if you prefer, can exclude “ambiguous” characters (like o and 0, l and 1, etc.). It can create up to 1,000,000 passwords at a time based on your rule patterns, or a single password instantly. The included manual file is great reading regarding password security in general and not just the program operation itself.
  • PassworG - Free password generator software - pretty simple to use but strong password generator that might be easier for some folks to use.

So how do you manage these complex passwords?

Pick at least one tool from each category and learn to use them, then use them always.

And for those of you who say “Claus, put all my wicked crazy passwords (from PWGen) in an encrypted database password manager (KeePass) and stick them on my USB drive for fast access? What if I loose it?”

I suppose you could create a TrueCrypt encrypted file, then put the encrypted KeePass data base inside it…

Just be sure you select a different crazy complex random password for each of them.

And put them in another password manager for safekeeping in case you forget.


--Claus V.

No comments: