Tuesday, August 19, 2014
Saturday, February 9, 2013
Ineffective password policies
Here are some examples of password policies that are either too restrictive or too weak to be effective.
Here is a very weak password policy from CareerBliss.com:
What makes this weak is that the required length is too short and special characters are excluded. The only way to make such a password less crackable is sheer length. Unfortunately, the most probable scenario is that people will use one of the most common passwords (abc123, trustno1, etc.).
I find it comical that the above password policy is just forcing users to add a numeral to the #1 most common password! So the number one is 'password', and because of the crack team of security experts out there forcing people to use 'at least one number', the latest addition to the top 25 list is 'password1'. Brilliant!
And then there is CareerBuilder, with the requirements of 8-15 characters and 3 of the following 4: upper, lower, numeric and symbol, which can be met with 'Password1'. I expect that to make the list next year.
Splash Data's Top 25 list (http://splashdata.com/press/PR121023.htm)
Here is the 2012 list:
- password (unchanged)
- 123456 (unchanged)
- 12345678 (unchanged)
- abc123 (up 1)
- qwerty (down 1)
- monkey (unchanged)
- letmein (up 1)
- dragon (up 2)
- 111111 (up 3)
- baseball (up 1)
- iloveyou (up 2)
- trustno1 (down 3)
- 1234567 (down 6)
- sunshine (up 1)
- master (down 1)
- 123123 (up 4)
- welcome (new)
- shadow (up 1)
- ashley (down 3)
- football (up 5)
- Jesus (new)
- michael (up 2)
- ninja (new)
- mustang (new)
- password1 (new)
LinkedIn Summary - 3rd person
Don't write your LinkedIn summary in the 3rd person. Just don't do it. At best it reads like you are too busy to write one yourself and had your assistant do it, and at worst it just makes you sound like a pompous jackass.
You could go the over-the-top route and just write a bombastic, self-deprecating 3rd person summary, but in my opinion they are very hard to pull off. When Sam Zell was bringing in his management team at Tribune, several had these types of announcements, or 'press releases' I think is what they called them. The first time you saw it, you were amused. By the third one, it just felt like a two paragraph dick joke. But a lot of those guys were shock jocks, so it made sense for them I guess. I advise against it.
Further reading:
7 Reasons to Put Your LinkedIn Profile in 1st Person And Not 3rd Person
Executives: Don’t Make These 4 LinkedIn Mistakes
Thursday, January 31, 2013
qotd
“Progress means getting nearer to the place you want to be. And if you
have taken a wrong turning, then to go forward does not get you any
nearer. If you are on the wrong road, progress means doing an about-turn
and walking back to the right road; and in that case the man who turns
back soonest is the most progressive man.”
—C. S. Lewis
(Note: This is a quote from his work 'Mere Christianity' and I had some hesitation in using it, but it is a good quote and stands on its own merit.)
Wednesday, January 9, 2013
Password best practices
So I am creating this post for friends and family as a guide to help them create better passwords and help them better protect their important data. If any of this is not clear or needs some editing, let me know. I'll save the hardcore technical details for other posts for the curious.
Passwords
Let's start with passwords. I am not going to lecture on reusing passwords since I do it all the time. It would be nice if we could create a new password for every website, but it is impossible in 2013 without using a password manager, and with all the networked devices (phones, media boxes, etc.) it means we have to remember a few without the help of one. I just checked Firefox and I have over 250 logins and passwords. So you are inevitably going to reuse passwords. Password reuse is probably responsible for the second most breaches, just behind guessing bad passwords. In a perfect world you would never reuse passwords, and would choose a unique and random one for every account. But last I checked, this is pretty far from a perfect world we are living in.
The downside to reuse is that if a bad person (aka hacker) were to compromise a database of usernames/passwords, and yours is in there and easily cracked, they can try all the common sites and will gain access to a bunch of your accounts. So keep in mind that you are going to have to go through and periodically change all of these too, unless you use a much longer and less crackable password. So let's work on developing an easy to use system of creating passwords.
So first what you should do is separate your passwords into two categories, one for 'who cares' and one for 'uh-oh, my life is ruined!' The 'who cares' category will be for sites like Yelp, Starbucks, etc. If someone were to gain control of your accounts, it would be a pain and embarrassing, but life would go on. Now for the other category, such sites as your bank/credit card, email and sad as it seems, Facebook, this could be a very unfortunate thing. So what you want to do is come up with a way to create a unique but memorable password system.
The point of this is that it is better to have a longer password that you can remember than a shorter cryptic one you are prone to forget. But because most people are forced by password policy to create something with uppercase, lowercase, numerals, symbols, etc., they usually pick something shorter and less meaningful, the bare minimum to comply with the policy. What I want to do here is show you how to create memorable passwords that are also very secure.
Let's say for the sites that aren't really important, you come up with a stock password, and for this example I am going to use 'LiveFresh.BajaFresh1'. I have a Baja Fresh cup next to me, which has that saying, and I added the 1 and upper case letters so you won't typically run afoul of a site's password policy requirements (upper, lowercase, digit, some other character). You could also do 'LiveFresh@BajaFresh1982' or something along those lines. Now you could reuse that one on all your non-financial sites.
And now for the critical and financial sites, you are going to want a method or system, not just one password. So as in the above example, I am going to use an object that is nearby, 'MacBookPro@', and this time personalize it for each site. So let's say I have an account at Bank of America; I am going to use the password 'MacBookPro@BofA1990', and for an account at Citibank, 'MacBookPro@Citi2002'. You can add the personalization as you see fit, but these are much better than B0fA123+ or whatever else you will forget easily. You may run into some really strict sites that won't allow you to use dictionary based words, so you could easily just leave out a couple of vowels or whatever gets you around that. And some policies actually restrict the maximum characters to 15 or 12. You will have to work around those by shortening, but only do it for those sites! A longer password is a more secure password.
Check your passwords here: https://www.grc.com/haystack.htm
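As an added example (my code, not part of the original post), here is a small Python check that ties the earlier password-policy post to the system described above: it implements CareerBuilder's 8-15 character, 3-of-4 classes rule, screens candidates against the Splash Data top-25 list with the trailing-digit trick normalized away, and estimates the brute-force search space in the style of the GRC haystack page (the 95-character alphabet and per-class sizes are my assumptions about how that page counts).

```python
import math
import string

# Splash Data's 2012 top-25 list, as quoted in the post above.
TOP25 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
}

def char_classes(pw):
    """Return the set of character classes present: upper, lower, digit, symbol."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def meets_careerbuilder_policy(pw):
    """8-15 characters and at least 3 of the 4 classes, as described in the post."""
    return 8 <= len(pw) <= 15 and len(char_classes(pw)) >= 3

def is_common_variant(pw, denylist=TOP25):
    """Catch the 'add a number to a common password' trick: case-fold and strip
    trailing digits/symbols before comparing against the denylist."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return pw.lower() in denylist or base in denylist

def search_space(pw):
    """Brute-force search space, haystack style (assumed method): alphabet size
    from the classes actually used, summed over every length up to len(pw),
    since an attacker must exhaust the shorter lengths first."""
    sizes = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}
    n = sum(sizes[c] for c in char_classes(pw))
    return sum(n ** k for k in range(1, len(pw) + 1))

def assess(pw):
    return {"policy_ok": meets_careerbuilder_policy(pw),
            "common": is_common_variant(pw),
            "log10_space": round(math.log10(search_space(pw)), 1)}

if __name__ == "__main__":
    for pw in ["Password1", "B0fA123+", "MacBookPro@BofA1990"]:
        print(pw, assess(pw))
```

'Password1' passes the complexity rule yet is a top-25 password with a digit tacked on, while the 19-character 'MacBookPro@BofA1990' fails the 15-character cap despite a search space about 21 orders of magnitude larger.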
Separate Browser Profiles
Now one thing I do as an added security measure is use multiple Firefox profiles depending on what I am doing. I have one profile for each bank account and then a few others depending on what I am doing. I have a NSFW profile which has no personally identifiable information (well, nothing real anyway) for those times when you have to click on some URL-shortened link from an untrusted source (i.e., bit.ly, tinyurl, etc.). This way, if you do end up somewhere that does something unfortunate to your browser, you could just delete the profile and start over. It also keeps your banking info pretty safe from that type of exploit. If you have a profile that you only go to Chase with, you can be pretty sure that you aren't going to get malware and no one is going to grab your saved passwords via some exploit.
Also, bookmark this site: https://www.virustotal.com/#url
If you ever get a shortened URL and are unsure whether it is safe, check it first. You can also check files on your computer with them.
MISC
Some other general tips (that I will expand into their own post eventually):
Don't use any one device or service for your only copy of unreproducible content. For instance, if you have pictures of your child, do not keep them stored in one place! I'm not even going to let you decide how to do this... go get a removable hard drive. Now copy all your pictures and the documents you created on to this hard drive. OK, that is a good start. Have family nearby? Good, drive over and drop that drive off and have them hang on to it. If you can afford it, buy two of the same drive and keep one you use and the other one offsite (a family member's or friend's house is fine, just password protect it). And update it at least every 6 months!
This is what I do. I don't expect everyone to follow this, but it would be a good idea if you could find some middle ground. I have two sets of removable drives, which I call A and B. In the A set I have 3 identical drives, and in the B set I have 2. For the A set, I have one drive in a safe deposit box, one in a fireproof safe and the third is on my desk. Every quarter (3 months), I sync up the two drives I have at home. I then take one to the bank and swap it. Once I get home, I sync up the last drive. So theoretically, on Jan 01 all drives are the same, with one being offsite. Worst case scenario, on March 29th the house burns down and I lose both drives (fireproof safe does not mean the media will survive). But I still have the one at the bank. The same goes for the B set too... except I only have two drives and that set is for long term archive storage. I generally don't even swap it from the bank unless I have some big changes. The other reason I have multiple drives is because the drives I use (Western Digital) use hardware encryption, and if you have a failure of the encryption module, you cannot use a data recovery service.
I also have Time Machine backups and we download all our photos to both my laptop and my wife's. So at any given time, there should be a total of 7 copies of our photos and documents. Other than the sunk cost of our laptops, this backup system is less than $800. I dare you to find an offsite system that keeps 7 copies all encrypted, and is entirely manageable by the less technical family members. I used to have rsync set up and scripts all over with Linux RAID systems, but if I were to get run over by a bus, my wife would need some serious help to manage that.
I really wish I didn't know anyone who has lost data, but I do. Do me a favor, and if you read this and still aren't sure what to do, just contact me and we can work something out that will protect you.
Monday, December 17, 2012
R. Buckminster Fuller
Humanity is acquiring all the right technology for all the wrong reasons. --R. Buckminster Fuller
Thursday, December 13, 2012