Posts

Weak passwords and their drawbacks

The topic of password strength is an important one, especially since passwords are used everywhere these days. When creating a password, it is generally a good idea to make it at least 8 characters long and to mix numbers into it rather than tacking them onto the end. Using symbols will make it even stronger. Let’s go over some reasons why weak passwords are bad and talk about the common methods that are used to crack them.

The first and most obvious reason that weak passwords are bad is they are easy to crack. One of the most commonly used methods for cracking weak passwords is called a dictionary attack. This is when someone takes a huge list of words and tries each one as your password to see if it matches. There are many “custom” dictionaries floating around the internet specifically for this purpose. To the attacker, the benefit of a dictionary attack is that it’s incredibly fast and will usually reveal most weak passwords that contain no numbers or symbols. A major drawback of dictionary attacks is that they rely on the password being weak and on it being a word that’s in the list (usually an English word). Therefore, it is important not to use an English word that may be in a dictionary as your password. Many of the custom dictionaries have been modified so they will catch words like “passwd” and other words with numbers attached to the end. Sometimes, patterns of numbers like “123456” are included as well.

If you use the same password for almost everything, you’ll want to pay attention to this point. If you’re using a weak password and someone attempts to crack it using a dictionary attack, there’s a relatively good chance that they will succeed. If that’s the case, attackers will try the credentials they just stole from you on other sites as well. It’s fairly common for people to use the same password for multiple services. Now, not only has someone gained your information for one site, but for many sites. By using a weak password and reusing it in other places, you’re effectively compromising many of your accounts at once.

Let’s take an example of someone using a stronger password with numbers and symbols, but only 4 characters in length. There is another method of cracking passwords that’s called a brute-force attack. This method tries to guess the password in question using every possible combination of letters, numbers, and symbols. The major drawback to brute-force attacks is that they can take an incredibly long time, and are sometimes impractical for this reason. Brute-force attacks take considerably more time for each additional character a password has, because every extra character multiplies the number of possible passwords by the size of the character set. So you can imagine that a password that’s 4 characters in length wouldn’t take nearly as long to crack as a password that’s 10 characters or more.

As you can see, it’s not just using numbers, symbols, and a mix of capital and lowercase letters that makes a password strong. The password’s length contributes an enormous amount to its strength. Also, keep in mind that sometimes brute-force attacks are combined with dictionary attacks to improve speed and efficiency. Sometimes this is effective, sometimes it’s not. It really all comes down to the password in question.
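To put numbers on the two attacks described above, here is an added example (not code from the original post). It computes the brute-force keyspace for a given alphabet and length, estimates how long exhausting it would take at an assumed guess rate, and checks a candidate password against a small constructed wordlist with the “word plus trailing digits” and “number pattern” mutations the post mentions. The wordlist, the number patterns, and the rate of 10 billion guesses per second are all assumptions chosen for illustration; real wordlists and real cracking rates differ.

```python
import string

# Sizes of the alphabets a brute-force attack has to enumerate, depending on
# which character classes the password may contain.
DIGITS_ONLY = len(string.digits)                                             # 10
LOWER_ONLY = len(string.ascii_lowercase)                                     # 26
FULL_ASCII = len(string.ascii_letters + string.digits + string.punctuation)  # 94

# Constructed sample wordlist and number patterns, standing in for the
# "custom dictionaries" the post mentions. Real lists are far larger.
WORDLIST = {"password", "passwd", "letmein", "welcome", "qwerty"}
NUMBER_PATTERNS = {"123456", "12345678", "111111"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def guesses_to_exhaust(alphabet_size: int, max_length: int) -> int:
    """Guesses needed to try every password of length 1 through max_length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(alphabet_size: int, max_length: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force attack at the given (assumed) guess rate."""
    return guesses_to_exhaust(alphabet_size, max_length) / guesses_per_second


def caught_by_dictionary(password: str) -> bool:
    """Would a dictionary attack with common mutations find this password?

    Models three cases from the post: a plain wordlist word, a word with
    digits appended ("passwd1", "password123"), and a bare number pattern.
    """
    pw = password.lower()
    if pw in WORDLIST or pw in NUMBER_PATTERNS:
        return True
    stripped = pw.rstrip(string.digits)
    return stripped != pw and stripped in WORDLIST


def strength_report(password: str, guesses_per_second: float = 1e10) -> dict:
    """Summarise length, effective alphabet, dictionary exposure and brute-force cost.

    The effective alphabet counts every character class the password uses
    (lowercase, uppercase, digits, symbols); characters outside those classes
    are ignored.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return {
        "length": len(password),
        "alphabet": alphabet,
        "dictionary_hit": caught_by_dictionary(password),
        "brute_force_seconds": seconds_to_exhaust(alphabet, len(password), guesses_per_second),
    }


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for an offline attack
    year = 365.25 * 24 * 3600
    for length in (4, 8, 10):
        secs = seconds_to_exhaust(FULL_ASCII, length, rate)
        print(f"{length:2d} chars, 94-char alphabet: {secs:.3g} s ({secs / year:.3g} years)")
    for pw in ("Passwd123", "123456", "a1b2", "P@ssw0rd!Xq"):
        print(pw, strength_report(pw, rate))
```

Run it and the 4-character case with the full printable alphabet finishes in well under a second at the assumed rate, while 10 characters runs into centuries; `Passwd123` is flagged by the dictionary check no matter how the brute-force numbers look, which is the post’s point that length and avoiding wordlist words matter together.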

Think twice when using public or unsecured Wi-Fi

Public Wi-Fi has always been an insecure environment, but it’s gotten much worse lately. Not too long ago, a Firefox add-on called Firesheep was released. It works by capturing or “sniffing” packets on the network you’re connected to and looking for connections to the sites it recognizes. If a user logs in to one of those sites, it captures the cookie that the site sends to the user’s computer once the login has been authenticated. Note that after the user has been authenticated, many of these sites no longer use an HTTPS connection; they rely on the cookie sent after login to let that specific user access the other parts of the site. Once Firesheep has that cookie, an icon shows up in the add-on’s window indicating which site and user it has hijacked. All the attacker needs to do after that is double-click the icon, and he is then logged in as you on the corresponding site.

The creator said its purpose is to make sites like Flickr, Twitter, Facebook, and Google aware of their security flaws so they will fix them. The best thing sites like these can do to mitigate Firesheep is to use SSL (HTTPS) everywhere, not just when you log in. It is uncertain whether these companies are going to implement that or not. One of the worst things about this add-on is that it makes session hijacking, or “hacking”, easy enough for anyone to do. Before Firesheep, the same kind of session hijacking attacks were possible and were frequently exploited, but they required a good amount of knowledge and an understanding of networking, sessions, and various protocols.
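The mechanism that lets a sniffer reuse a login cookie is that a cookie set without the `Secure` attribute is sent by the browser on plain-HTTP requests to the same site, which is exactly what happens once a site drops back to HTTP after login. Serving everything over HTTPS fixes the transport, and marking the session cookie `Secure` ensures it never leaves the browser unencrypted even if an HTTP link slips through. Here is an added example (not part of the original post, and not code from Firesheep or any of the sites named) that uses Python’s standard `http.cookies` module to inspect `Set-Cookie` headers for cookies that would be exposed over HTTP and to build a hardened session cookie. The two sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, as a server might send after login.
# The first reflects the Firesheep-era pattern: a session cookie with no
# Secure attribute, so the browser also sends it on plain-HTTP requests.
WEAK_SET_COOKIE = "session=abc123; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_attributes(set_cookie_header: str) -> dict:
    """Parse one Set-Cookie header value and report Secure/HttpOnly per cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    # Morsel flag attributes are "" when absent and True when present.
    return {
        name: {"secure": bool(m["secure"]), "httponly": bool(m["httponly"])}
        for name, m in jar.items()
    }


def cookies_exposed_over_http(set_cookie_headers) -> list:
    """Names of cookies a browser would transmit over unencrypted HTTP.

    Useful as a check in a response-header audit: any session cookie that
    shows up here is one a passive sniffer on a shared network could capture.
    """
    exposed = []
    for header in set_cookie_headers:
        for name, attrs in cookie_attributes(header).items():
            if not attrs["secure"]:
                exposed.append(name)
    return exposed


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Emit a Set-Cookie value with the attributes that keep a session cookie off plaintext HTTP."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["secure"] = True      # never sent on http:// requests
    morsel["httponly"] = True    # not readable by page scripts
    morsel["samesite"] = "Lax"   # not attached to most cross-site requests
    return morsel.OutputString()


if __name__ == "__main__":
    print("exposed (weak):", cookies_exposed_over_http([WEAK_SET_COOKIE]))
    print("exposed (hardened):", cookies_exposed_over_http([HARDENED_SET_COOKIE]))
    print("hardened header:", build_session_cookie("session", "abc123"))
```

`cookies_exposed_over_http` takes a list because a response can carry several `Set-Cookie` headers and each must be parsed on its own; feeding it the headers from a post-login response is a quick way to see whether a site still has the weakness the post describes.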

There are workarounds currently out there. There’s a Firefox add-on called HTTPS Everywhere and another called Force-TLS that will help, but I would personally recommend not using any social networking, banking, or other sensitive websites over public hotspots. If you really know what you’re doing, one of the better alternatives is to set up a proxy server and configure your laptop to reach it through an SSH tunnel for all internet access.