How secure is your password?

Anyone who has any kind of electronic account has a password.  But what is that password protecting?  For most people, their passwords protect their private and financial information.  If you work on a computer at all for your job, you hopefully have a password to access your computer.  That password is probably protecting much more than just your information; it is protecting your employer's information as well.

Just how secure are your passwords?  Strangely, most people still do not take their password security seriously.  Once your accounts have been accessed, your money stolen, or your reputation tarnished because someone used one of your accounts to do bad stuff, you will take password security much more seriously.

We all have heard of those that put their passwords on their monitors or on the bottom of the keyboard.  Hopefully that is not you!  There are some simple ways to keep passwords very secure and easy to remember.

Before I get into some quick ways to make your password secure I want to talk about the 2 methods that are used together to crack your password.

Most modern password crackers combine a dictionary with the brute force method.  The dictionary holds the words most commonly used in passwords, and the cracker uses it to generate many variations of each word.  It also applies the most common modifications people make to dictionary words.

For example, let's say your password is cutePuppy1.  The password crackers probably already have the words cute and puppy in their dictionary.  In the process they will try every word and word combination and just about every variation of cutepuppy, for example: Cutepuppy, CutePuppy, cut3Puppy, Cut3Puppy, etc.  In addition they will add modifiers like 1, 2 to the end of the combinations.

Seems like there would be millions upon millions of combinations right?  Yes there are but you have to remember that a computer can do many millions of checks per second.  And with a good dictionary the process takes no time at all.

If the dictionary cannot get a match, then comes the brute force attack, which starts with a-z, then aa-zz, then aaa-zzz and so on until it finds a match.  So how long would it take to break the cutepuppy password?  About 56 seconds.  Changing the P in Puppy to a capital takes it to 7.8 hours, and adding the 1 on the end takes it to 3 1/2 months.

So now that you understand the methods to break a password, how can you make your password more secure?  First, use no words that are in a dictionary.  I am sure you have always heard not to use your kids names, birthday, your address, etc.  Let's expand that to any word in the dictionary.

I understand that makes it hard to remember passwords because the password looks like rubbish.  Here are some techniques you can use to make them easy to remember:

  • Use acronyms.  For example, I like the song from The Police called "Every Little Thing She Does Is Magic".  So the base password would be "eltsdim".  Add some modifiers to that, like "!3ltsdiM!".  Just remember, the longer the better.
  • Use a pattern.  For example, a simple pattern would be 1qaz2wsx#EDC, which is the first 3 columns on the keyboard with the 3rd column typed in shift mode.  You could do every other column, start at the 3rd column, etc.  Mix it up.  Just try to keep a good mix of upper and lowercase letters, numbers and special characters.  My first pattern example would take 1.7 thousand centuries to brute force.
  • Use a password management program like LastPass or 1Password.  These tools not only keep track of your passwords for you, they will also generate long and secure passwords.

Now that I have given you some ways to make an easy-to-remember and secure password, let me show you how you can check how good your password really is.  First, remember: no dictionary words.  Go to https://www.grc.com/haystack.htm and put in your new password.  Look at the "Offline Fast Attack Scenario" for the amount of time an average brute force attack would take.
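As an added example (not from this post and not GRC's code), here is a small Python checker that applies the two ideas above: it undoes the common manglings a cracker's dictionary rules produce (case, leet substitutions, trailing digits and symbols) and tests whether what is left is built from dictionary words, and it estimates the brute force search space the way the haystack page does (every length up to the password's, over the character classes used, at an assumed 10^11 guesses per second for the offline fast scenario).  The tiny word list, the 33-symbol class size and the one-year "weak" threshold are assumptions.

```python
import re

# Constructed stand-in for a cracker's word list (assumption: real lists are far larger).
WORDLIST = {"cute", "puppy", "password", "magic", "police", "every", "little"}

# Character classes and their sizes; the alphabet a brute force run must cover
# grows with every class the password uses (same model as the haystack page).
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
OFFLINE_FAST_RATE = 1e11  # assumed guesses per second for the "offline fast" scenario

# Common cracker substitutions, reversed so the base word can be recovered.
LEET = str.maketrans("013457@$!", "oleastasi")


def search_space(pw: str) -> int:
    """Guesses needed to exhaust every length 1..len(pw) over the alphabet in use."""
    alphabet = sum(size for pattern, size in CLASSES if re.search(pattern, pw))
    return sum(alphabet ** k for k in range(1, len(pw) + 1))


def brute_force_seconds(pw: str) -> float:
    return search_space(pw) / OFFLINE_FAST_RATE


def segment(s: str):
    """Split s into dictionary words, or return None if it cannot be tiled by them."""
    if not s:
        return []
    for i in range(len(s), 0, -1):
        if s[:i] in WORDLIST:
            rest = segment(s[i:])
            if rest is not None:
                return [s[:i]] + rest
    return None


def dictionary_base(pw: str):
    """Strip trailing modifiers, lowercase, undo leet, then look for dictionary words."""
    core = re.sub(r"[0-9!@#$%^&*]+$", "", pw).lower().translate(LEET)
    return segment(core)


def check_password(pw: str) -> dict:
    words = dictionary_base(pw)
    seconds = brute_force_seconds(pw)
    # Weak if a dictionary run would find it, or an exhaustive run finishes within a year.
    weak = words is not None or seconds < 365 * 86400
    return {"dictionary_words": words, "brute_force_seconds": seconds, "weak": weak}


if __name__ == "__main__":
    for candidate in ("cutepuppy", "cutePuppy", "cutePuppy1", "!3ltsdiM!", "1qaz2wsx#EDC"):
        print(candidate, check_password(candidate))
```

Under this model the three cutepuppy variants come out at about 56 seconds, 7.9 hours and 99 days, and the keyboard pattern at about 173 thousand years, matching the figures in the post; the 9-character acronym example lands at only a couple of months, which is why the advice is "the longer the better".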

I mentioned 2 password management programs above; here are the links to them as well:

https://lastpass.com/
https://agilebits.com/onepassword

I have used both and both are great.  I am currently using LastPass with a Yubico as an additional level of protection.

Please comment and ask questions if you have any, I love the feedback.


Crisis Financial Malware Spreads Via VMs

The Crisis financial malware that was recently found can spread using the capabilities in VMware.

The malware is also known as Morcut or the malicious rootkit.  Morcut is spread via an installer that is disguised as an Adobe Flash Player installer.  It was first found by Kaspersky last month, who found it attacking Macintosh OS X computers.  The installer is a Java archive (JAR), which AV vendor Symantec calls Maljaba.  The archive looks like it has been signed by VeriSign.  The Java archive also has the ability to infect Windows machines with the Crisis rootkit.

The Java archive has two programs, one for OS X and one for Windows.  The proper executable is dropped on the machine based upon which operating system it is running.  The executable that is dropped on an infected machine opens a back door into the infected computer.

The Crisis malware includes some Windows-only features and propagation techniques.  On Windows systems the threat makes a copy of itself and an autorun.inf file on any attached removable disk (USB thumb drive, etc.).

Another method it uses is to install itself onto a VMware virtual machine.  And the last method could be the scariest of them all: it tries to install itself onto Windows Mobile devices.

There are many pieces of malware that will not run if they detect they are running on a VM, but this is the first one I have heard of that tries to distribute itself via VMs.  According to research from Symantec, the malware does not jump into VMs via some security hole or flaw in VMware; instead it writes directly to the files that make up the VM image.

As I learn more I will keep this post updated.