Tag: password security

Protecting Yourself Online with Strong Passwords

The concept of having a password for any system is similar to a key for home. The key for home is essential in order to lock and protect personal belongings from others who are not authenticated or desired to enter home. Today, due to globalization and Internet revolution, a person may have several online properties or accounts that are as important as properties physically existing at home. Those may be e-mails, portal, website subscriptions, network servers, databases, online banking accounts, credit cards, etc. Strong passwords for these helps in having a secure and strong lock just like lock to home.

Most people, who are new to the online world, have lack of knowledge on setting up a strong password for their online accounts. But the increasing cyber crime can easily trace the passwords. And the results can be as terrible as the attack on Microsoft’s Hotmail and other web-based email services. A recent survey on these missing passwords revealed that many of the accounts had easy-to-guess passwords and the most frequently used password among these was “123456”.

Some general methods that attackers use for identifying a victim’s password include:

  • Guessing—The attacker tries to log on using the user’s account repeatedly by guessing probable or expected words and phrases like their children’s names, their birth city, and local sports teams.
  • Online Dictionary Attack—The attacker utilizes an automated program, which consists of a text file of many words. The program frequently tries to log on to the target system by testing a different word present in the text file on each attempt.
  • Offline Dictionary Attack— It is similar to the online dictionary attack, the attacker extracts a copy of the file in which the hashed or encrypted copy of user accounts and passwords are saved and runs an automated program to find out what password is used for each account. This type of attack can be finished very quickly if the attacker gains a copy of the password file.
  • Offline Brute Force Attack—This is a modified form of the dictionary attacks, and designed to discover passwords, which are not present or available in the text file used in those attacks. Even though a brute (very strong) force attack can be tried online, because of network bandwidth and latency they are generally attempted offline utilizing a copy of the target system’s password file. In a brute force attack, the attacker utilizes an automated program, which produces hashes or encrypted values for all possible passwords and analyzes them with the values in the password file.

Microsoft suggests that the use of strong passwords can slow or sometimes break the various attack methods. This shows the importance of having a strong password.

Creating a Strong password:

Passwords are case-sensitive and may be as long as 127 characters. A strong password:

  • Should never consist of user name.
  • Should be minimum of eight characters long.
  • Should compulsorily include both lower case and uppercase alphabets (minimum one from each group is suggested).
  • Should consist of minimum one number (0 to 9).
  • Should consist of at least one symbol. (Eg: *, ^, $, #)

A string, which has all the above characteristics, is known as strong password. A complex password should not be something, which is difficult to remember. Forgetting a strong or complex password, which is difficult to remember, is as harmful as getting attacked by a weak password.

The password created must be easier to remember but difficult for anybody to guess. It can also be a favorite phrase or quotation or mixture of two words. Substitutes for alphabets can also be used to satisfy the above criteria for a strong password. For example ‘a’ in password can be substituted with ‘@’, similarly ‘i’ can be replaced with ‘!’; and ‘o’ with ‘0’ or ‘()’.

It is a good practice if password is changed periodically like monthly or quarterly.

Most Dangerous Activities to Avoid Online

The Internet today is filled with huge amount of malware activities and one small mistake can make you fall prey to them. These mistakes often end up in infection of the PC or exploit online accounts (bank accounts, credit cards, etc.) of the user. The activities you need to avoid online are as follows:

Not dealing seriously with passwords
Everyone knows that passwords are important. Yet most of them fail to create or maintain them properly. It might be because of the ignorance on the importance or on how to maintain them properly. Whatever may be the reason, the most common blunders to avoid while dealing with passwords are:

  • Creating easy-to-crack passwords
    Hackers use ultra password cracking technologies. Not creating longer and complex passwords, is actually equal to helping the hackers crack in to your account.
  • Easy to guess password recovery options
    Many websites use security questions to help people recover their password in case they lose it. Using simple questions like birth date, pet’s name which are either easy to guess or are visible openly on your social networking account, is another major blunder to avoid while dealing with passwords online.
  • Using the same password for multiple online accounts
    Same passwords for all online accounts are as safe as the weakest passwords. If one password is cracked or stolen, the chances for hacker to procure other online accounts of the user are high.

Getting lured into fascinating or controversial news
Malware authors know that people naturally are more interested in fascinating news or controversial rumors, and plan new attacks that are targeted specifically towards this crowd. This is called SEO poisoning. It’s estimated that more than 10 percent of search results for Google’s highest-ranked web sites are malicious sites.

Failing to update Microsoft Windows OS / Java / Adobe Reader / Adobe Flash
Updates are provided for software in order to patch-up security vulnerabilities in them. Especially, Windows, Java, Adobe Reader, Adobe Flash remain the most exploited software applications due to their vulnerabilities. Failing to update these leaves the PC potentially vulnerable for malware attacks.

Opening an email attachment / Clicking on a link in an email – from someone you don’t know
According to a recent report released by Symantec, spam now accounts for 78.6% of all email traffic in US and 75.7% of all email traffic, globally. Opening email attachments from unknown user may deploy malware into your PC. A link on a spam email may direct you to a spoofed website.

Checking the “Remember Me” box in public PCs
This option saves cookies and login details of the user in the browser, until he signs-out manually. Thus, if the user checks back into the site later anytime, he doesn’t require to provide login details again, to access his account.

However, while using public PCs, enabling this option is equal to providing your login details to the any user of that PC, who can check back at any time and access your account.

Leaving Facebook privacy settings unchecked
Facebook is recently in the news for hacking of its CEO’s fan page. The most popular social networking site, Facebook, has many users who are not aware of its security features or privacy settings. Your personal information will be available for everyone to see if you leave privacy settings unchecked on Facebook.

Using BitTorrent sites to download copyrighted content
Downloading illegal software from BitTorrent sites can expose your computer to Trojans and Spyware.

Playing free online games
There are many malicious websites online that lure users by providing free online games. Don’t play online games on unreliable websites. Also be cautious when asked to download free games.

Connecting to unknown wireless networks
Many people log into unknown (private) wireless networks at public places like airports and hotels. These networks can be potentially harmful. Always be sure that you are logging into known (private) wireless networks only.

These are the most dangerous online activities. Proper awareness and efficient precautions are required to stay away from committing those mistakes and stay safe and secure online.


Top Blunders to Avoid While Dealing with Passwords

Your online accounts stay safer as long as your passwords are stronger and secure. However, creating stronger passwords is not enough in today’s scenario where id theft is most prevalent. Handling of passwords is equally important as of creating strong passwords. The following are few blunders made by consumers in 2010, reported in a study from Internet security firm Webroot.

  • Sharing or putting passwords in feasible reach of friends, acquaintances, etc. In 2010, 14% of the id thefts were committed by the people who were well-known to the victims.
  • Using same password in multiple sites or multiple accounts. Another recent research study from University of Cambridge, reported that the password reuse rate among the stolen login information from two different websites, rootkit.com and gawker.com, with identical email addresses was around 31%. If a hacker manages to steal a user’s login info and password, there’s as much as a one-in-two chance that he can procure access to other secured accounts of the user.
  • Not using special characters in passwords, which makes it easy to crack through.
  • The answer to the security question (which people use when they forget their password) like birth date, pet’s name, is available openly in a social networking site.
  • Not using secure connections while accessing sensitive information in unfamiliar computers or WiFi at public places. Over 86% were reported doing this blunder.
  • Writing down the passwords and hiding them somewhere like a desk drawer.

These were few of the top mistakes committed by users while dealing with their passwords. If you find yourself committing in any of the above, its high time to correct it.

Open Source Utility for Enhanced Password Security

With the increase of online banking, online e-mail, online purchases, etc., there is a need for increased password security. If you are like many people who use the same password for most sites, you are in trouble if your password gets hacked. You need to make your passwords complex and tough to crack and create a separate password for each account. Once you create a different complex password for each site , the problem is how to remember these passwords. The last thing you want to do is write the passwords down on a paper or notebook and carry them in your wallet/purse.

KeePass is an open source utility that works on almost any platform, including your smartphone ( Clients available for Windows, Ubuntu, Linux, MacOS X, J2ME (Cell Phones), Blackberry, Windows Mobile and more). You can store your passwords in a password protected and encrypted database and use the passwords when needed. It will even generate a complex password for you. KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithms to encrypt its password databases. There are many plugins available that will allow things like filling forms, onscreen keyboard, etc.

Click here for more information on Keepas.

Keepas Demo Screenshot
Keepas Demo Screenshot

Source: http://vjalagam.blogspot.com/2009/09/keepass-opensource-password-safe.html