Tuesday, November 12, 2013

Rhymes with Assword

   Here we go again with more password-related problems.  You can't make this stuff up.  Well, you can but the truth is stranger.

   By now, most people have heard about the Adobe website breach.  I won't go into too many details but you can read Adobe's summary here, and here is a detailed review by Sophos.

   And, after I wrote this post, I saw that the This Week In Tech (TWIT) show on the great Twit TV network did a show of the same name (go to 1:56:20 in the show). Great minds think alike!  If you read the Sophos report you will see that someone used the phrase "rhymes with assword" as their password hint.

   There are a few key points to review:
  • A new record!  This breach has now set the new record for largest number of compromised accounts, 152,000,000, beating previous noteworthy large breaches including those from Sony, TJX and Heartland.
  • What was my password?  A website owner should never be able to tell you what your password is.  This is because, as security geeks know, the only value that should be stored is a one-way hash of the password.  One way means that you can't "unhash" it and get the original password back.  Encrypted things can be decrypted.  Organizations should not store encrypted passwords.  If a website can give you your password, for instance if you click the "forgot password" link, then they are either just storing encrypted passwords or storing them in the clear... either way is bad.  Unfortunately, as the Sophos article explains, Adobe appears to have been encrypting passwords.
  • Bad choices.  People are still making incredibly poor password choices.  Hackers don't even need to break into servers with passwords like these.  See the list of the top 100 passwords used on Adobe's site here.
  • Gimme a hint.  The idea of a password hint is that seeing it should remind you of what password choice you made.  I think it's a concept that has outlived its usefulness but, at worst, the hint should not completely give the password away to a casual observer.  The Sophos article also shows some very poor hint choices.
   If you're not sure if you had an account with Adobe, LastPass has set up a page where you can test if your email address was in Adobe's hacked database.
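To make the hashing-versus-encryption point concrete, here is a small added example (my own illustration, not Adobe's code and not from the Sophos article). The "wrong" half stores passwords with a toy reversible cipher, constructed here just to show the property that matters: anyone holding the key and the database gets every password back. The "right" half stores a salted, slow one-way hash (PBKDF2 from Python's standard library), so the site can check a login but can never hand a password back. The key and the two user records are constructed sample values.

```python
import hashlib
import hmac
import os

# ---------- The WRONG way: reversible encryption ----------
# Toy stream cipher (constructed for illustration only, not a real cipher to use):
# keystream = SHA-256(key || nonce || counter), XORed with the password bytes.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt_password(key: bytes, password: str) -> bytes:
    """Store a password so that it can be recovered again (bad idea)."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(password))
    return nonce + bytes(a ^ b for a, b in zip(password.encode(), ks))

def decrypt_password(key: bytes, blob: bytes) -> str:
    """Anyone with the key can reverse the stored value."""
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()

def recover_all(key: bytes, db: dict) -> dict:
    """What a leaked database plus a leaked key means: every password, in the clear."""
    return {user: decrypt_password(key, blob) for user, blob in db.items()}

# ---------- The RIGHT way: salted, slow one-way hash ----------

def hash_password(password: str, iterations: int = 200_000) -> str:
    """Return a self-describing record: algorithm, cost, per-user salt, digest."""
    salt = os.urandom(16)  # unique per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the candidate password and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    key = b"constructed-site-wide-key"          # constructed sample value
    encrypted_db = {"alice": encrypt_password(key, "hunter2"),
                    "bob": encrypt_password(key, "123456")}
    print("leak + key recovers:", recover_all(key, encrypted_db))

    hashed_db = {"alice": hash_password("hunter2")}
    print("stored record:", hashed_db["alice"])
    print("login ok:", verify_password("hunter2", hashed_db["alice"]))
    print("wrong password:", verify_password("hunter3", hashed_db["alice"]))
```

With the hashed record there is no "forgot password" code path that could return "hunter2": the site can only reset the password. The per-user salt also means two people who both chose "123456" get different stored values, so one cracked record does not reveal everyone else with the same password, which is exactly the pattern the Sophos analysis was able to exploit in the leaked Adobe data.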

   The Sophos article does a great job of explaining the geeky details of what Adobe did wrong here (hint: it's a long article because they did so many things wrong!).

   But, as always, I like solutions so I'd like to jump to a discussion of what we can learn from this and how we can protect ourselves.
  1. Choose good passwords.  That means not just 8 characters, but longer... much longer.  And the more it looks like nonsense, the better.
  2. Different passwords for different sites.  Each online account should use a unique password.  Of course, doing these first two things will make your passwords very difficult to memorize, so...
  3. Use a password vault.  I've written about this many times before.  Do it.
  4. Use care with "secret" questions.  I've perhaps not spent enough time on this issue, so let me expand on it.
   Sometimes you can choose what question or hint you want to answer, and sometimes not.  In any case, you don't want to choose questions that other people will either know the answer to or can easily look up.  The issue is that an attacker can just skip the whole password thing, click on the "forgot my password" link, see what question is offered and then try to look up the answer on Facebook or other resources.  This is sometimes called the Sarah Palin hack because this is how someone broke into her Yahoo! email during the 2008 US presidential race.

   But regardless of whether you choose the question from a list, make up the question, or are just asked to provide a hint, there is no reason you have to give a correct answer to the question!  You just need to be able to provide that info if needed.  My suggestion is that you provide made-up answers to the questions and put those answers in your password vault.  Of course, you won't need them because you won't be forgetting your passwords because you're using a password vault!
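Tips 1 and 4 above both come down to the same thing: let a machine make up long, random values and let the vault remember them. Here is an added example of doing that (my own code, not from any password vault product). It generates a password and a fake "secret question" answer from the operating system's random source, estimates how many bits of guessing work each one represents, and flags the kind of choices the Adobe top-100 list is full of. The handful of common passwords in the denylist is a constructed sample, not the real list, and the vault record format is just an assumed shape for illustration.

```python
import math
import secrets
import string

# Constructed sample in the style of the most-used leaked passwords (not the real top-100 list).
COMMON_PASSWORDS = {"123456", "password", "adobe123", "qwerty", "letmein",
                    "iloveyou", "abc123", "photoshop", "welcome", "111111"}

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
FORM_ALPHABET = string.ascii_lowercase + string.digits                       # 36 symbols

def generate_secret(length: int = 24, alphabet: str = FULL_ALPHABET) -> str:
    """Random string from the OS CSPRNG; tip 1: long and nonsense-looking."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_fake_answer(length: int = 16) -> str:
    """Tip 4: a 'mother's maiden name' nobody can look up, safe to type into any web form."""
    return generate_secret(length, FORM_ALPHABET)

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def weakness_reasons(password: str, min_length: int = 16) -> list:
    """Empty list means no obvious problem; otherwise, why it would fail tip 1."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = sum(any(c in group for c in password) for group in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < 3:
        reasons.append("uses fewer than 3 character classes")
    return reasons

def make_vault_entry(site: str, questions: list) -> dict:
    """Assumed record shape for a password vault: unique password plus made-up answers."""
    return {
        "site": site,
        "password": generate_secret(),
        "secret_answers": {q: generate_fake_answer() for q in questions},
    }

if __name__ == "__main__":
    for pw in ("123456", "adobe123", generate_secret()):
        print(f"{pw!r}: {weakness_reasons(pw) or 'looks fine'}")
    print("24-char password:", round(entropy_bits(24, len(FULL_ALPHABET))), "bits")
    print("16-char fake answer:", round(entropy_bits(16, len(FORM_ALPHABET))), "bits")
    entry = make_vault_entry("example.com", ["First pet's name?", "City you were born in?"])
    print(entry)
```

A 24-character password drawn from 94 symbols is about 157 bits of guessing work, and even the 16-character lowercase-and-digits answer is about 83 bits, far beyond anything that can be looked up on Facebook or tried by hand. The whole record goes into the vault, so the "secret" answer is just another random credential you never have to remember.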

   One last tip... this is perhaps a bit more advanced, but protect your email account with 2-factor authentication.  I provide more info on this here.  Basically, many accounts tie back to your email.  If someone can break in there, they may be able to change other online passwords without your knowledge.  It's your last line of defense.

   Were you affected by the Adobe breach?  If so, in addition to changing your Adobe password, make sure that password isn't used anywhere else.

   Do you have any tips to add to my list?
