Data Privacy Day: Day 1

Post » Sun May 13, 2012 1:09 pm

Today is NOT Data Privacy Day. Data Privacy Day is Jan 28th, this Saturday. However, this year I am breaking up the Data Privacy Day thread into multiple, much more manageable chunks. This is part 1 and will cover a key aspect for all: Passwords.

Sections:
Day 1: http://www.gamesas.com/topic/1337235-data-privacy-day-day-1/
Day 2: http://www.gamesas.com/topic/1337699-data-privacy-day-day-2/
Day 3: http://www.gamesas.com/topic/1338134-data-privacy-day-day-3/
Day 4: http://www.gamesas.com/topic/1338605-data-privacy-day-day-4/
Day 5: http://www.gamesas.com/topic/1339018-data-privacy-day-day-5/
Day 6: Set up OpenVPN on Windows and Final Remarks

The goal, as always, is to make you more informed about your data and your privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good Password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after this summer, I think we are all familiar with that).

Important definitions for this section:
  • Two-factor/multi-factor authentication: The use of two (or more) forms of authentication. They must be different forms; using two items of the same form does not qualify (so two passwords is still considered single-factor authentication). There are three forms of authentication:
    • Something you know (Password is most common, followed by a PIN, and in smartphones: a swipe pattern)
    • Something you have: A keyfile, ID card, or a token
    • Something you are: Anything biometric such as a fingerprint or iris scanner
  • Brute-force attack: A hacking attack where the hacker systematically tries every possible combination to gain access to your account
  • Dictionary Attack: A hacking attack where the hacker systematically goes through every word in the dictionary, followed by every name, followed by any personal information they know about you

Passwords


Passwords are the most common form of security online, and they aren't going anywhere any time soon. Unfortunately, passwords probably aren't the best form of security for numerous reasons: people can only remember so many good passwords (without using a manager or system, which I will talk about shortly) causing password reuse to be rampant, people can easily fall victim to social engineering (either in the form of spearheaded attacks or phishing), the rules for what you can include in a password are not universal (which causes problems for password creation systems), and they can be captured in transmission. Still, as I mentioned, they aren't going away any time soon and making your passwords good is a very simple thing to do.

Let's start with some questions about your current passwords:
1. Do you use the same password everywhere or almost everywhere?
2. Are your passwords less than 12 characters in length?
3. Do your passwords contain a word from the dictionary or a name properly spelled?
4. Is one (or more) of the following missing from your passwords: a lower-case letter, an upper-case letter, a number, or a special character?

If you answered "Yes" to the above questions, there's a good chance your passwords are weak. If you see your passwords on this list of the http://mashable.com/2011/11/17/worst-internet-passwords/, then even more so are your passwords weak as they are on every password list out there. Some other lists are http://www.tomshardware.com/news/imperva-rockyou-most-common-passwords,9486.html, http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time, and http://blog.jimmyr.com/Password_anolysis_of_databases_that_were_hacked_28_2009.php (I quite enjoyed the character frequency analysis, might give you some ideas for characters to use).

So what is wrong with those 4 things?

1. When you use the same password everywhere or almost everywhere, if any site gets hacked or you slip up and give out the password just once, all or almost all your accounts are compromised. -- http://xkcd.com/792/
2. The shorter the password, the easier it is to crack. In some instances, short passwords use weaker hashing algorithms in general than longer ones (for example, Windows XP passwords under 15 characters use LM Hash, which is extremely weak, passwords with 15+ characters use NTLM)
3. Words and names are extremely easy to crack with a modern PC by just doing a dictionary attack. It's all the easier if you have a botnet or supercomputer trying all the possibilities.
4. The more variance in your password, the better. Having at least one of each character type significantly boosts your password strength compared to not. Once you leave alphanumeric passwords, the chances of your password being in a dictionary list drop, and once you get past simple substitution and just appending special characters at the end or beginning, you can even beat many pinpointed attacks such as those that can be created by the http://www.securitytube.net/video/2018.

So, just how secure is your current password? http://howsecureismypassword.net/. If you are paranoid (which in this case is NOT a bad thing), you can view the source. It all runs locally and sends nothing back, it even works fine in offline mode. Still a little anxious about entering your password? Just type in something that is similar to your password. So long as you use the same number of each character type, it'll return a similar value. Note that the time that how secure is my password tells you is a best-case scenario, so if you have something like 3.2 years, it can probably be done in a few weeks using CUDA and a good NVidia GPU.

Further reading: http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/ -- a bit on the old side, but still a great read.

Keeping Track of your Strong Passwords


The problem with creating a bunch of strong passwords is that it's hard to keep track of them. As I mentioned, this is one of the problems with the password system. Thankfully, there are things you can do about it. I personally have over 100 passwords and have no issue entering them in when needed. The trick is to not memorize all your individual passwords (I personally only have maybe 10 passwords committed to memory).

One of the more simple ways to do this is, rather than memorizing your passwords, you memorize an algorithm, or system, for creating them. That way, even if you forget the password, you can easily reverse engineer what the password would be. The password remains strong and only those that know the algorithm can come up with the password. The Mozilla Team created an excellent video on this that you can watch http://support.mozilla.org/en-US/kb/Choosing%20More%20Secure%20Passwords.

There are problems with algorithmic passwords, though, one of them going back to a flaw with the password system as it exists: the rules for what you can have in your password are not uniformly followed by all sites, so your password algorithm may not work for all your sites. In general, I'd say you need at least 4 or 5 algorithms to cover all your sites, assuming all of them allow all characters: a sub-8 character algorithm, a sub-15 character algorithm, a sub-20 character algorithm, and a 20+ character algorithm. This is due to various sites putting limits on password length, a very unwelcome problem in my book that I wish would go away. The fifth algorithm you may want to implement is a separate algorithm for the most important of sites, such as your bank and email. Even so, remembering 5 algorithms is relatively simple to do, especially compared to remembering 30 different passwords (much less, 100 different passwords).

The other option (and it's not an exclusive other option, you can more than easily implement both) is to use a password manager of some kind. There are many out there, but the good ones in my book are: KeePass, LastPass, a physical password list you always keep on you, and an encrypted digital password list. The first two are real password managers, the other two are merely a secured list of passwords. The difference is that a password manager helps simplify entering in your passwords (and that may be an issue with long, complex passwords).

You may be thinking "What's wrong with my browser's password manager?" and the truth is: many things. Firstly the encryption on the password database isn't very strong. It is extremely easy to brute-force the encryption and many tools do it. Or even more simply, just copy those files over to another computer and place them in the application directory for the same web browser, and the browser will be able to use them (unless you enable a master password) and if these are password databases for Google Chrome or Firefox, they are viewable as well (once again, unless a master password is set). Opera is a step up in that it will never show you the passwords, just the username, but the encryption is still weak and plenty of tools will crack it to display all your passwords. I really cannot recommend Chrome's password manager at all as there is NOTHING you can do at the current time to secure it on Windows. If using Chrome, you really do need to use a third-party password manager. Both Firefox and Opera aren't much better off, but if you are going to use them, you do have some options. You may scoff that no one will get physical access to your computer, but they don't need to on Windows machines. A browser's password database is stored in %AppData% which is easily accessible remotely thanks to it being included in Windows' default share for user profiles. Even if you disable that, the admin share of C$ will include it (of course now I'm starting to delve into network security, which isn't supposed to be in this topic much).

Firefox's built-in password manager:

First download the https://addons.mozilla.org/en-US/firefox/addon/master-password/ addon and set a master password. A quality meter will tell you how strong it is. Set up an auto-logout time. You will never be prompted for your master password so long as you don't time out, but if you do you'll need to re-enter it again. Either leave it on a short time but only when inactive or set it to a long time (an hour or so) but always times out. Which to choose depends on your browsing habits and how easily you are annoyed.

Opera's built-in password manager:

Opera's password manager is a bit more feature-rich than Firefox's and so is its master password, which is good since there is no extension for it. Tools -> Preferences -> Advanced -> Security -> Set Master Password... and set your password. Set your timeout interval (right underneath it called "Ask for password") as you feel appropriate. Setting it to "Every time needed", the default setting, will probably drive you mad, an hour is good. Finally make sure to check the box for "Use master password to protect saved passwords". If you don't, the master password only applies to client certificates.

As I said, Firefox and Opera's password manager are only marginally better than Chrome's even with the master password, so a third-party password manager is still best as the encryption is many times better. If you do use them, at least think twice about giving them important passwords for things like your bank account. Please consider one of these good password managers instead.

The Good Password Managers


http://keepass.info/: KeePass 2 is a Password manager for Windows. That said, it is becoming easier and easier to install on Linux and Mac OS X so long as you don't mind Mono being installed as well to the point it is pretty much cross-platform (just no official releases for Mac OS X or Linux are made). Mac OS X users can head to http://keepass2.openix.be/ for an installer and Debian/Ubuntu users have it in the http://packages.debian.org/sid/keepass2 or via https://launchpad.net/~jtaylor/+archive/keepass. Alternatively there is http://www.keepassx.org/ which is fully cross-platform, but it only works with 1.0 databases and doesn't work with browser extensions such as KeeFox, ChromeIPass, or PassIFox. You give it a master password, and, optionally, you can create a keyfile (this is known as two-factor authentication. See "Important Definitions" at beginning of post). Now you only need to remember one password and all your passwords are secure.

As mentioned there are various plugins for browser integration with KeePass to make entering passwords even simpler than it already is. This includes https://addons.mozilla.org/en-US/firefox/addon/keefox/ (probably the best integration, but Windows-only), https://addons.mozilla.org/en-US/firefox/addon/passifox/ (not as good as KeeFox in my opinion, but works on Mac OS X and Linux as well as Windows), and https://chrome.google.com/webstore/detail/ompiailgknfdndiefoaoiligalphfdae (which is the Google Chrome/Chromium option and also works on Mac OS X and Linux as well as Windows). Of course KeePass works with all browsers and pretty much all applications through an auto-type feature + a keyboard shortcut (default: Left-Ctrl+Alt+A but easily changeable to your preference) so you don't have to worry about a plugin if you don't want to. There is also a portable version available, so you can run it on the go from any Windows computer.

Finally, in the modern world where smart phones are of great importance, there are programs compatible with KeePass available on all major smartphone platforms: https://market.android.com/details?id=com.android.keepass&hl=en for Android, http://7pass.wordpress.com/ for Windows Phone 7, and either http://itunes.apple.com/app/id451661808 (free) or http://itunes.apple.com/us/app/mykeepass/id353354895?mt=8 ($0.99) on iOS.

Pros: Open Source, you control it, portable, highly secure, will tell you the strength of your passwords, can generate random passwords, works with pretty much any program. Works on Android/WP7/iPhone too.
Cons: The auto-type feature takes a little getting used to, while it works with pretty much any program the overall integration suffers to allow this (Except in Firefox/Chrome where KeeFox/PassIFox/ChromeIPass creates seamless integration).

http://lastpass.com/: LastPass is a cloud-based password manager that works in all major browsers and the browser version is cross-platform. There is a desktop version for application passwords and whatnot, but it currently only works on Windows and requires a Premium (paid) account. It also does not appear to have a keyboard shortcut auto-type feature like KeePass. You can find more information about the Desktop version for applications on their http://helpdesk.lastpass.com/upgrading-to-premium/lastpass-for-applications/. Likewise for smartphone use, you need a Premium (paid) account; apps for all major smartphone platforms exist. Offline access to your passwords is possible through a cross-platform program called LastPass Pocket and is available with a free account. They also offer One-time Passwords for use on untrusted computers that instantly expire (which reduces the risk of your master password being compromised).

Pros: always with you so long as you have Internet Access, instantly syncs, highly integrated, audits your passwords, can generate random passwords, one-time passwords, very secure (before you ask: It's been verified that LastPass NEVER gets your encryption key -- http://tinisles.blogspot.com/2010/01/should-you-trust-lastpasscom.html)
Cons: You must trust that they will stay around, if your Master LastPass password is compromised, all your passwords are compromised*

*Note: LastPass Premium offers two-factor authentication (http://helpdesk.lastpass.com/security-options/sesame-multifactor-authentication-with-a-usb-thumb-drive/). The Free version has http://helpdesk.lastpass.com/security-options/grid-multifactor-authentication/, which I don't quite consider unique enough of "something you have" to be two-factor authentication, as if someone knows what your card looks like, they can access your account without actually having your card, but still a significant security boost. One-time Passwords also lower the risk of your master password being compromised.

Keeping a list always on you: Obviously no software is involved, you just simply keep a list on you at all times, say in your wallet (or anywhere else, so long as you always remember to keep it on you). This method, while once frowned upon, has been gaining popularity in recent years among security experts*. Why? Because it is always on you, so you know it is safe. If it isn't on you, then you know it is time to change all your passwords. For extra security you can do a trick to the list that only you know. For example: inject a random number in every password at a specific spot (or in a pattern that you know). If the list falls into the wrong hands, they can't tell those numbers aren't part of the actual password and as such cannot use your passwords right away or at all. This gives you more than enough time to verify you didn't just leave the list at home and to change your passwords to something secure again.

Pros: Pretty secure, you are instantly aware if your password database is compromised since it is always on your person. Always with you in all circumstances.
Cons: You must diligently keep it always on you for the security aspect, obviously if you do no trick and lose the list, all your passwords are potentially compromised, likewise it is obviously 100% manual.

*http://en.wikipedia.org/wiki/Bruce_Schneier on writing down your passwords (http://www.schneier.com/crypto-gram-0105.html#8):

1. Passwords. You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet, or in a program like Password Safe. Guard them as you would your cash. Don't let Web browsers store passwords for you. Don't transmit passwords (or PINs) in unencrypted e-mail and Web forms. Assume that all PINs can be easily broken, and plan accordingly.

Encrypted Digital Password List: To some, a digital password list would be preferred to a normal one. There are risks to leaving your passwords just in plain text on your computer though (some malware looks for things like passwords.txt and whatnot and uploads them to some far-off place), so encryption is a must. The advantage of a digital list is it's easy to back up, lowering the risk of you losing it as well as allow you to synchronize the file onto multiple computers (though it begs the question: why not just use a password manager?). A simple and effective cross-platform encryption program is http://www.truecrypt.org/. TrueCrypt is an on-the-fly encryption tool and allows you to create encrypted file containers in which you can store your password list.

Pros: Extremely secure. Truecrypt in particular offers many options for creating your encrypted file container (including a hidden volume).
Cons: Obviously not integrated at all with any application, so you must do everything manually. Must use a third-party program to synchronize the file across computers.

Some Mac OS X-specific Password Managers:

https://agilebits.com/onepassword -- It's also available on Windows, iOS, and Android, but I'd only recommend it if you don't want to deal with KeePass 2 with Mono and Mac OS X is your primary OS. It's free only for 20 or fewer passwords, otherwise you have to pay, and it's on the expensive side ($50 for one license for one desktop platform, $70 for a license for both desktop platforms, $100 for 5 licenses for both desktop platforms). Still, it's very user-friendly on Mac OS X.

Keychain -- Keychain is the default password manager for Mac OS X, but it's not without flaws that have come up over the years (usually patched though). It can be integrated with http://newmacuser.com/usernames-and-passwords-from-the-keychain-in-safari/, Google Chrome (uses it by default), and https://addons.mozilla.org/en-us/firefox/addon/keychain-services-integration/, but it's not easily synchronized across your computers and definitely not cross-platform or portable.

Passwords - the remaining stuff


First: To note, there are other methods for creating secure passwords. Popular ones include using phrases from a book or song, and recently just stringing together 4 random funny words, popularized by an http://xkcd.com/936/. If these methods work for you, that's great, but personally I see them as relying too much on human memory, which is too easily fallible. There's no way I'd be able to keep track of all 100+ of my passwords by using different strings of 4 random words or remembering which phrases from a book go with which sites. I see these methods, in the long run, as encouraging password reuse. Password reuse is the enemy to be stopped at all costs, as password databases get compromised, and once you start repeating a password, no matter how strong, you run the risk of multiple accounts being compromised from a single password leak. Still, if you only have a handful of passwords, these methods can create strong passwords provided you can remember them.

At this point your passwords are nice and complex, secure, and easy to remember/access, but that is not all there is to say on password security. Remember those password hints and pesky security questions you set up for most services? Those can be an Achilles heel to your accounts if you are not careful.

For password hints there are a few things you can do: You can do away with them completely, typing in gibberish when forced to have one (what I currently do), or you can use things you know you know to help you remember the pattern you use for your passwords. Along the lines of http://www.youtube.com/watch?v=nFz_7HttWa0 - It means absolutely nothing to anyone but you. In all cases you should be careful here and any hint you give should use word associations or have a meaning that only you would understand relying on your personality or life.

Security questions are similarly a dangerous thing, much more dangerous than password hints as they can reset your password. Weak questions mean your strong password is worthless. If you are confident in your passwords to the point you are certain they will never be forgotten, once again you can make these complete gibberish so they are impossible to break into. Security questions have two pitfalls: 1. They are susceptible to social engineering since they are questions about you. Make sure you NEVER post your answers to your security question anywhere ESPECIALLY social network sites like Facebook and Myspace. If you do that, then all your security efforts go down the drain. 2. Security questions are often just a word or name, making them HIGHLY susceptible to dictionary attacks if the security questions don't have a lock-out. To combat this make your answers always at least two words, and maybe throw in a special character at the end or the beginning that is your "trick" for them. One thing growing in popularity that does a good job to combat both, is to create a pattern to your security questions that does not answer them and only you know -- (http://www.zephoria.org/thoughts/archives/2007/11/15/algorithms_for.html). My advice is to do that, but also make sure to include a special character or two.

If you follow through with everything, your passwords will be very secure and any backdoors effectively shut to anyone but you.
Dominic Vaughan
Posts: 3531
Joined: Mon May 14, 2007 1:47 pm
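A worked version of the four password questions from the post above and of the brute-force arithmetic behind the strength checker it links, added here as an example rather than taken from the post or from howsecureismypassword.net; it also applies the LM-hash point from item 2 (upper-casing and splitting into two 7-character halves). The word list, sample vault and guess rates are constructed assumptions.

```python
"""Audit a set of passwords against the post's four questions and estimate
brute-force effort with the same keyspace arithmetic the strength checker uses."""
import string
from collections import Counter

# Size of each character class over the 95 printable ASCII characters:
# 26 lower, 26 upper, 10 digits, 33 punctuation/symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Constructed stand-in for a real dictionary-plus-names list (assumption).
WORDLIST = frozenset({"password", "dragon", "monkey", "welcome", "letmein",
                      "battery", "james", "alice"})

# Illustrative guess rates in guesses/second (assumptions, not measurements):
# a lone desktop CPU versus a GPU rig, to show why the checker's figure is a best case.
DESKTOP_RATE = 1e8
GPU_RATE = 1e10


def char_classes(pw):
    """Return the set of character classes present in pw (other characters are ignored)."""
    present = set()
    for c in pw:
        if c.islower():
            present.add("lower")
        elif c.isupper():
            present.add("upper")
        elif c.isdigit():
            present.add("digit")
        elif c in string.punctuation:
            present.add("special")
    return present


def keyspace(pw):
    """Worst-case guesses for a full brute force: alphabet ** length.
    Only the classes used and the length matter, which is why typing a
    look-alike password into the checker gives a similar answer."""
    alphabet = sum(CLASS_SIZES[k] for k in char_classes(pw))
    return alphabet ** len(pw)


def lm_keyspace(pw):
    """Guesses under the LM-hash model the post mentions for Windows XP:
    the password is upper-cased, padded to 14 bytes and split into two
    7-byte halves that can be attacked independently.  Passwords of 15+
    characters get no LM hash at all, so None is returned for them."""
    if len(pw) > 14:
        return None
    upper = pw.upper()
    alphabet = sum(CLASS_SIZES[k] for k in char_classes(upper))
    first, second = len(upper[:7]), len(upper[7:])
    # A second half shorter than 7 is padded with known bytes, so only its
    # real characters need guessing; an empty second half is a fixed constant.
    return alphabet ** first + (alphabet ** second if second else 0)


def crack_time(guesses, rate):
    """Seconds to exhaust `guesses` at `rate` guesses per second."""
    return guesses / rate


def humanize(seconds):
    """Rough human-readable duration, largest unit first."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def contains_word(pw, words=WORDLIST):
    """Question 3: does the password contain a properly spelled word or name?"""
    low = pw.lower()
    return any(w in low for w in words)


def audit(passwords):
    """passwords: {site: password}.  Returns {site: [findings]} mirroring the
    post's four questions; an empty list means the password passed all four."""
    counts = Counter(passwords.values())
    report = {}
    for site, pw in passwords.items():
        findings = []
        if counts[pw] > 1:                       # Q1: reused elsewhere
            findings.append("reused")
        if len(pw) < 12:                         # Q2: shorter than 12
            findings.append("short")
        if contains_word(pw):                    # Q3: dictionary word or name
            findings.append("dictionary word")
        missing = set(CLASS_SIZES) - char_classes(pw)
        if missing:                              # Q4: a class is missing
            findings.append("missing " + ", ".join(sorted(missing)))
        report[site] = findings
    return report


if __name__ == "__main__":
    # Constructed sample vault (assumption): one weak password reused on two
    # sites, a long single-class passphrase, and a 14-character mixed password.
    vault = {"forum": "dragon2009", "shop": "dragon2009",
             "mail": "correcthorsebatterystaple", "bank": "vK7#qzR2!mPd9@"}
    for site, findings in audit(vault).items():
        print(f"{site:5} {findings or 'passes all four questions'}")
    for pw in vault.values():
        ks = keyspace(pw)
        print(f"{len(pw):2d} chars: desktop {humanize(crack_time(ks, DESKTOP_RATE))}, "
              f"GPU {humanize(crack_time(ks, GPU_RATE))}, LM-model guesses {lm_keyspace(pw)}")
```

The LM figure for the 14-character mixed password is two independent 69^7 searches, against 95^14 for the same password under a full-length hash, which is the gap item 2 above describes.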

Post » Sat May 12, 2012 9:51 pm

28th is my birthday as well :P
Miss Hayley
Posts: 3414
Joined: Tue Jun 27, 2006 2:31 am

Post » Sun May 13, 2012 1:50 am

Where would we be without Defron to show how little we understand our own computers and computing habits? :D

Great work as always, mate! :goodjob:
loste juliana
Posts: 3417
Joined: Sun Mar 18, 2007 7:37 pm

Post » Sat May 12, 2012 9:56 pm

Well, my old password would have taken 4 days to crack, I'm assuming that's somewhat good, at least for what it was.
neil slattery
Posts: 3358
Joined: Wed May 16, 2007 4:57 am

Post » Sun May 13, 2012 9:48 am

Just when I'd gotten over all the leftover paranoia from the last time DEFRON educated us... :P
Heather beauchamp
Posts: 3456
Joined: Mon Aug 13, 2007 6:05 pm

Post » Sun May 13, 2012 8:19 am

2. Are your passwords less than 12 characters in length?


[...]

2. The shorter the password, the easier it is to crack. In some instances, short passwords use weaker encryption in general than longer ones (for example, Windows passwords under 15 characters use LM Hash, which is extremely weak, passwords with 15+ characters use NTLM)
Uh. Windows doesn't encrypt your password, it hashes it. (encryption functions are bijective, hash functions aren't. Big difference :smile: ). Also, LM Hash isn't used by default in any modern OS so isn't really a valid reason.

I also am not sure of the point in passwords over 12 characters. For my bank it is fairly long. For general (non money handling) websites? I don't think it really matters that much as long as it is unique(ish).

For my home computer? If someone really wants my data they can just take the harddrive out. http://xkcd.com/538/.



Personally? There are about 3 passwords I give a damn about. (Bank, Email, Server). The rest I may be a bit annoyed if I lost them but meh, I am not special enough to care. The other options are too much of a pain to have a huge long unique password for every site (I do have a unique password for all sites) and the disadvantages of password managers are too large in my opinion.
Chloe Lou
Posts: 3476
Joined: Sat Nov 04, 2006 2:08 am

Post » Sat May 12, 2012 10:10 pm


Uh. Windows doesn't encrypt your password, it hashes it. (encryption functions are bijective, hash functions aren't. Big difference :smile: ). Also, LM Hash isn't used by default in any modern OS so isn't really a valid reason.
Quite right, that part was bad copy&pasting on my behalf. And while LM Hashing isn't default anymore, XP still makes up about 50% of the market, so I personally still think it is a valid point.

I also am not sure of the point in passwords over 12 characters. For my bank it is fairly long. For general (non money handling) websites? I don't think it really matters that much as long as it is unique(ish).
When using a password manager, length becomes pretty much irrelevant, so exceeding 12 characters is simple. I have a personal belief that "every account is important", so I try my best to give the best for every account. For others this may not be an issue ("it is just a forum after all"), but whether algorithmic passwords or a password manager, exceeding 12 is a simple feat.

For my home computer? If someone really wants my data they can just take the harddrive out. http://xkcd.com/538/.
I think for most people's computers they wouldn't even have to go that far :P
Kitana Lucas
Posts: 3421
Joined: Sat Aug 12, 2006 1:24 pm

Post » Sun May 13, 2012 7:55 am

I have to admit, my first password I used was the single most terrible password ever. I think I only used it for a thing called IRC-gallery or something, probably 5-6 years ago. The password was bond007. Oh my ***** what an ***** I was back then. Definitely worth thinking about your password.
Emma Pennington
Posts: 3346
Joined: Tue Oct 17, 2006 8:41 am

Post » Sun May 13, 2012 1:12 pm

Quite right, that part was bad copy&pasting on my behalf. And while LM Hashing isn't default anymore, XP still makes up about 50% of the market, so I personally still think it is a valid point.
Well, if people would use an 8-year-old OS as their primary OS :P

When using a password manager, length becomes pretty much irrelevant, so exceeding 12 characters is simple. I have a personal believe "every account is important" so try my best to give the best for every account. For others this may not be an issue ("it is just a forum afterall"), but whether algorithmic passwords or a password manager, exceeding 12 is a simple feat.
Yeah, I am just not bothered enough about most things. (And don't want to use a password manager as I don't always carry a phone and log into far too many different computers).

You are still reliant on a decent server implementation as well, which isn't always going to happen.
Joanne Crump
Posts: 3457
Joined: Sat Jul 22, 2006 9:44 am

Post » Sun May 13, 2012 9:28 am

My password (according to the link) would take 13 trillion years... lol
Sierra Ritsuka
Posts: 3506
Joined: Mon Dec 11, 2006 7:56 am

Post » Sun May 13, 2012 8:27 am

Yeah, I am just not bothered enough about most things. (And don't want to use a password manager as I don't always carry a phone and log into far to many different computers).
And, I assume, don't want to trust the cloud (though I don't blame you for being leery of that for everything). My method for propagating my password database has been good ol' fashioned sneakernet and sftp (though none of these databases store my super-important passwords, which never leave the house).

You are still reliant on a decent server implementation as well, which isn't always going to happen.
Oh yes. Unfortunately I couldn't find the link, but I had a link to a site that had a "wall of shame" of a bunch of websites that were found out to store and send credentials in plaintext. No major site was on there, but undoubtedly a few do store them as such.
Nick Swan
Posts: 3511
Joined: Sat Dec 01, 2007 1:34 pm

Post » Sun May 13, 2012 9:45 am

And, I assume, don't want to trust the cloud (though I don't blame you for being leery of that for everything). My method for propagating my password database has been good ol' fashioned sneakernet and sftp (though none of these databases store my super-important passwords, which never leave the house).
It is more the possibility of data loss combined with the pain of not always having much technology around and needing to log into somewhere in a hurry.

Oh yes. Unfortunately I couldn't find the link, but I had a link to a site that had a "wall of shame" of a bunch of websites that were found out to store and send credentials in plaintext. No major site was on there, but undoubtedly a few do store them as such.
Even if they store them in something like md5 without salting with a 100 character password P, there will be an R such that md5( R ) = md5( P ), P /= R.

My general experience is that it is hard to get security right. Really hard.
Miranda Taylor
Posts: 3406
Joined: Sat Feb 24, 2007 3:39 pm
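An added example, not code posted by anyone in this thread, contrasting the unsalted md5 storage just mentioned with a salted, iterated PBKDF2 record and a constant-time verify, i.e. the "decent server implementation" the earlier reply says you are reliant on. The record format, iteration count and sample users are assumptions made for the example.

```python
"""Server-side credential storage as discussed in the thread: what an
unsalted MD5 table leaks, next to a salted, iterated PBKDF2 record."""
import hashlib
import hmac
import os

# Assumption: iteration count chosen for illustration; tune it to your hardware.
PBKDF2_ITERATIONS = 100_000


def store_md5(password):
    """The weak scheme from the thread: unsalted MD5 of the bare password.
    Equal passwords give equal digests, so a leaked table shows reuse at a glance."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password, salt=None):
    """Salted, iterated record.  Format is constructed for this example:
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, record):
    """Recompute from the stored salt and iteration count and compare in
    constant time; a malformed record or wrong password simply fails."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(calc, bytes.fromhex(digest_hex))
    except ValueError:          # non-numeric iterations or bad hex
        return False


def duplicate_groups(table):
    """Group users whose stored values are identical: the reuse an unsalted
    table reveals, and that per-user salts hide."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample users (assumption), two of them sharing a password.
    users = {"alice": "bond007", "bob": "bond007", "carol": "vK7#qzR2!mPd9@"}
    md5_table = {u: store_md5(p) for u, p in users.items()}
    pbkdf2_table = {u: store_pbkdf2(p) for u, p in users.items()}
    print("md5 reuse groups:   ", duplicate_groups(md5_table))
    print("pbkdf2 reuse groups:", duplicate_groups(pbkdf2_table))
    print("login ok: ", verify_pbkdf2("bond007", pbkdf2_table["alice"]))
    print("login bad:", verify_pbkdf2("bond008", pbkdf2_table["alice"]))
```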

Post » Sun May 13, 2012 2:10 am

Any tips on creating memorable passwords?

I just used their password generator and it told me it would take about 523 sixtillion years to crack it.

sixtillion... Hehe... Hehehe...
Jaki Birch
Posts: 3379
Joined: Fri Jan 26, 2007 3:16 am

Post » Sun May 13, 2012 12:43 pm

I still have your last year's post regarding data privacy copied to a word file and saved to my desktop, thanks to you I now have all unique and strong passwords (at least, when the service actually allows a long password with special symbols). Only thing I have left to do is to store those passwords on a different location (a fire or burglary would really screw me over right now), but I don't want to store them on the internet.

In any case, thumbs up. :thumbsup:
Rachel Tyson
Posts: 3434
Joined: Sat Oct 07, 2006 4:42 pm

Post » Sun May 13, 2012 12:12 pm

My password would take 1 year to hack...

...but...

dammit, now I'm just having a ton of fun trying to get the highest amount of years possible.


It would take a desktop PC
About 11 googol years
to hack your password

What the flipping hell is a googol?
Karl harris
 
Posts: 3423
Joined: Thu May 17, 2007 3:17 pm

Post » Sun May 13, 2012 1:02 am

tl;dr
well yeah password security is important
Ridhwan Hemsome
 
Posts: 3501
Joined: Sun May 06, 2007 2:13 pm

Post » Sun May 13, 2012 4:07 am

What the flipping hell is a googol?
10,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000
Andrew Lang
 
Posts: 3489
Joined: Thu Oct 11, 2007 8:50 pm

Post » Sun May 13, 2012 9:09 am

Thanks for the informative post, Defron! :thumbsup: When it comes to passwords, I'm pretty paranoid. I have about 40 different passwords at various sites. I've memorized most of them, but I also keep a "hint" list handy. The hints are extremely obscure, with meanings known only to me. Even people who know me best can't figure them out, and they've tried (I've got a cousin who's been trying for three years to crack just one of mine). According to http://howsecureismypassword.net/, the password he's trying to figure out would take a desktop PC about 15 quattuordecillion years to figure out. (Note: for those who are curious, a quattuordecillion is the number 1 followed by 45 zeros. Since the universe itself hasn't been around for even one trillionth of that time, I think it's somewhat secure.)

Another one I use would take about 1 quintillion years to hack. Not quite as long, but still longer than time itself has been around. Not sure if that's secure enough for my tastes, though.
Cathrine Jack
 
Posts: 3329
Joined: Sat Dec 02, 2006 1:29 am

Post » Sun May 13, 2012 11:26 am

Still remember that article about that website getting hacked that deals with defense departments for the United States. Some of those passwords were shameful with the absolute worst one being password1234. (Yes I [censored] you not the password was password1234)

Since that incident with SoE where they got hacked I changed all of my passwords, interweaving alphanumerical special characters together to make them stronger. Definitely seen something with at least 3 numbers and the rest being alphabetical characters to make it somewhat decent. The inclusion of special characters just ups your chances of the password being secured from what I hear.

A good password would be something like M9XT!A01ORE6^ which would take a heck of a long time for something to crack.
Cassie Boyle
 
Posts: 3468
Joined: Sun Nov 05, 2006 9:33 am

Post » Sun May 13, 2012 1:19 am

Still remember that article about that website getting hacked that deals with defense departments for the United States. Some of those passwords were shameful with the absolute worst one being password1234. (Yes I [censored] you not the password was password1234)

Since that incident with SoE where they got hacked I changed all of my passwords, interweaving alphanumerical special characters together to make them stronger. Definitely seen something with at least 3 numbers and the rest being alphabetical characters to make it somewhat decent. The inclusion of special characters just ups your chances of the password being secured from what I hear.

A good password would be something like M9XT!A01ORE6^ which would take a heck of a long time for something to crack.
If you aren't incorporating sheer length (anything short of 20 alphanumeric doesn't cut it when going alphanumeric in my book, No way would I consider 3 numbers and say 10 or so letters a secure password under any pretense), I'd say special characters are pretty much a must. Inclusion of a few special characters pretty much nulls any chance of any precomputed table of reasonable size including your password. It also greatly decreases the chance of a successful bruteforce attack. There's no "just" about it, it's pretty much a must from my standpoint.
Dustin Brown
 
Posts: 3307
Joined: Sun Sep 30, 2007 6:55 am
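The length-versus-special-characters argument in the post above, and the "years to crack" figures the thread keeps quoting, worked through as an added example (not code from the thread or from any of the posters). The guess rate, the 20-character sample password and the tiny wordlist are constructed assumptions; the 13-character password is the one from the post.

```python
"""Size the brute-force search space behind the thread's 'years to crack' figures.

Added example, not code from the thread. The guess rate and the tiny wordlist
are constructed assumptions for illustration only.
"""
import math
import string

# Character classes an exhaustive attacker would have to enumerate (assumption).
CHARSETS = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "special": string.punctuation,     # 32 printable ASCII symbols
}

ASSUMED_GUESSES_PER_SECOND = 1e10      # assumed offline rate against unsalted fast hashes
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a real precomputed table or leaked-password list.
CONSTRUCTED_WORDLIST = frozenset({"password", "password1", "password1234", "123456", "qwerty"})


def charset_size(password: str) -> int:
    """Combined size of every character class the password draws from."""
    return sum(len(chars) for chars in CHARSETS.values() if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """log2 of the search space, assuming the characters were chosen uniformly at random."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to enumerate the whole space at the assumed rate (an upper bound on effort)."""
    return 2 ** entropy_bits(password) / rate / SECONDS_PER_YEAR


def assess(password: str) -> dict:
    """Report bits and years, but flag wordlist hits: for those the bit count is meaningless."""
    in_list = password.lower() in CONSTRUCTED_WORDLIST
    return {
        "bits": round(entropy_bits(password), 1),
        "years": 0.0 if in_list else years_to_exhaust(password),
        "in_wordlist": in_list,
    }


if __name__ == "__main__":
    # Constructed samples: the 13-char password from the post vs a 20-char alphanumeric one.
    for pw in ("M9XT!A01ORE6^", "xK4mQ9pL2vR7nB5cJ8tW", "password1234"):
        print(pw, assess(pw))
```

The 20-character alphanumeric sample outscores the 13-character one with specials by roughly 40 bits, which is the post's point about sheer length; a wordlist hit gets zero years no matter what the arithmetic says.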

Post » Sun May 13, 2012 12:10 am

Your thread from last year is still alive. :biggrin: That's what got me onto KeePass. My database password (the only password I have memorized :confused: ) would take 2 decillion years to crack. I could probably go even further as memorizing one really long password is easy, I just can't remember any more.

I really need to check what my security questions are. :ermm:

Oddly enough my first password was something I needed for computer class and it was totally random. Like 8zxvg236jfda and I memorized that. But when I started using the Intranets and making accounts I regressed and just went with 1 to 2 passwords that were a bit too simple. Though I suppose the password I used for email wasn't too bad. Basically kept that up until I started using KeePass after last year's post but the couple of passwords I used probably changed a couple of times over the years - for better or for worse.

Now where is that +rep button? I'm giving you ALL the rep. :thumbsup:

On a side note, KeePassDroid was just updated in the past few days after not having any updates for months. Wasn't much and still no full KeePass 2 database support (currently read only) but at least the dev is active again.
Sasha Brown
 
Posts: 3426
Joined: Sat Jan 20, 2007 4:46 pm
