----- Original Message ----- 
From: Jaswinder Singh 
To: undisclosed-recipients: 
Sent: Friday, May 27, 2011 8:53 PM
Subject: Slate Article: Fix Your Terrible, Insecure Passwords in Five Minutes
      Fix Your Terrible, Insecure Passwords in Five Minutes
      A foolproof technique to secure your computer, e-mail, and bank account.
      By Farhad Manjoo
      Posted Friday, July 24, 2009, at 7:05 AM ET


      It's tempting to blame the victim. In May, a twentysomething French 
hacker broke into several Twitter employees' e-mail accounts and stole a trove 
of meeting notes, strategy documents, and other confidential scribbles. The 
hacker eventually gave the stash to TechCrunch, which has since published notes 
from meetings in which Twitter execs discussed their very lofty goals. (The 
company wants to be the first Web service to reach 1 billion users.) How'd the 
hacker get all this stuff? Like a lot of tech startups, Twitter runs without 
paper—much of the company's discussions take place in e-mail and over shared 
Google documents. All of these corporate secrets are kept secure with a very 
thin wall of protection: the employees' passwords, which the intruder managed 
to guess because some people at Twitter used the same passwords for many 
different sites. In other words, Twitter had it coming. The trouble is, so do 
the rest of us.

      Your passwords aren't very secure. Even if you think they are, they 
probably aren't. Do you use the same or similar passwords for several different 
important sites? If you don't, pat yourself on the back; if you do, you're not 
alone—one recent survey found that half of people online use the same password 
for all the sites they visit. Do you change your passwords often? Probably not; 
more than 90 percent don't. If one of your accounts falls to a hacker, will he 
find enough to get into your other accounts? For a scare, try this: Search your 
e-mail for some of your own passwords. You'll probably find a lot of them, 
either because you've e-mailed them to yourself or because some Web sites send 
along your password when you register or when you tell them you've forgotten 
it. If an attacker manages to get into your e-mail, he'll have an easy time 
accessing your bank account, your social networking sites, and your fantasy 
baseball roster. That's exactly what happened at Twitter. (Here's my detailed 
explanation of how Twitter got compromised.)

      Everyone knows it's bad to use the same password for different sites. 
People do it anyway because remembering different passwords is annoying. 
Remembering different difficult passwords is even more annoying. Eric Thompson, 
the founder of AccessData, a technology forensics company that makes 
password-guessing software, says that most passwords follow a pattern. First, 
people choose a readable word as a base for the password—not necessarily 
something in Webster's but something that is pronounceable in English. Then, 
when pressed to add a numeral or symbol to make the password more secure, most 
people add a 1 or ! to the end of that word. Thompson's software, which uses 
a "brute force" technique that tries thousands of passwords until it guesses 
yours correctly, can easily suss out such common passwords. When it 
incorporates your computer's Web history in its algorithm—all your ramblings on 
Twitter, Facebook, and elsewhere—Thompson's software can come up with a list of 
passwords that is highly likely to include yours. (He doesn't use it for 
nefarious ends; AccessData usually guesses passwords under the direction of a 
court order, for military purposes, or when companies get locked out of their 
own systems—"systems administrator gets hit by a bus on the way to work," 
Thompson says by way of example.) 

      Security expert Bruce Schneier writes about passwords often, and he 
distills Thompson's findings into a few rules: Choose a password that doesn't 
contain a readable word. Mix upper and lower case. Use a number or symbol in 
the middle of the word, not on the end. Don't just use 1 or !, and don't use 
symbols as replacements for letters, such as @ for a lowercase 
A—password-guessing software can see through that trick. And of course, create 
unique passwords for your different sites.
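As an added example (not from the article, Schneier, or AccessData), here is a small Python checker that applies these rules to a candidate password and reports which ones it breaks; the word list and the symbol-for-letter map are constructed for the demo, and the sample candidates are the article's own mnemonic passwords plus Achtung2000.

```python
"""Added example: check a candidate password against the rules the article
attributes to Schneier. The word list and the symbol-for-letter map below
are constructed for this demo, not taken from the article or from AccessData."""

# Constructed mini dictionary; a real check would load a large word list.
COMMON_WORDS = {"password", "achtung", "bagel", "airport", "cadillac", "lemon",
                "toyota", "gmail", "twitter", "love", "secret"}

# Symbol-for-letter swaps that password-guessing software undoes before matching.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                          "!": "i", "4": "a", "5": "s", "7": "t"})


def readable_words(pw):
    """Dictionary words found in pw, both as typed and after undoing leet swaps."""
    found = set()
    for variant in (pw.lower(), pw.lower().translate(LEET_MAP)):
        found.update(w for w in COMMON_WORDS if w in variant)
    return sorted(found)


def has_interior_symbol(pw):
    """True if some digit or symbol has letters both before and after it."""
    for i, c in enumerate(pw):
        if c.isalpha():
            continue
        if any(x.isalpha() for x in pw[:i]) and any(x.isalpha() for x in pw[i + 1:]):
            return True
    return False


def check_password(pw):
    """Return the rules pw violates; an empty list means every rule passed."""
    problems = []
    words = readable_words(pw)
    if words:
        problems.append("contains readable word: " + ",".join(words))
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if not has_interior_symbol(pw):
        problems.append("no digit or symbol in the middle")
    stripped = pw.rstrip("1!")          # the "word plus 1 or !" pattern
    if stripped != pw and stripped.isalpha():
        problems.append("only a trailing 1 or ! added")
    return problems


if __name__ == "__main__":
    for candidate in ("Ilteb@ta", "M1stCwarlsIbaT", "i90diSsIuG", "Achtung2000", "P@ssw0rd"):
        print(candidate, check_password(candidate) or "passes")
```

Achtung2000 is flagged both for the readable word and for putting its digits only at the end, and P@ssw0rd is caught once the @ and 0 are mapped back to letters.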

      That all sounds difficult and time-consuming. It doesn't have to be. In 
Schneier's comment section, I found a foolproof technique to create passwords 
that are near-impossible to crack yet easy to remember. Even better, it'll take 
just five minutes of your time. Ready?

      Start with an original but memorable phrase. For this exercise, let's use 
these two sentences: I like to eat bagels at the airport and My first Cadillac 
was a real lemon so I bought a Toyota. The phrase can have something to do with 
your life or it can be a random collection of words—just make sure it's 
something you can remember. That's the key: Because a mnemonic is easy to 
remember, you don't have to write it down anywhere. (If you can't remember it 
without writing it down, it's not a good mnemonic.) This reduces the chance 
that someone will guess it if he gets into your computer or your e-mail. What's 
more, a relatively simple mnemonic can be turned into a fanatically difficult 
password.

      Which brings us to Step 2: Turn your phrase into an acronym. Be sure to 
use some numbers and symbols and capital letters, too. I like to eat bagels at 
the airport becomes Ilteb@ta, and My first Cadillac was a real lemon so I 
bought a Toyota is M1stCwarlsIbaT. 

      That's it—you're done. These mnemonic passwords are hard to forget, but 
they contain no guessable English words. You can even create pass phrases for 
specific sites that are coded with a hint about their purpose. A sentence like 
It's 20 degrees in February, so I use Gmail lets you set a new Gmail password 
every month and still never forget it: i90diSsIuG for September, i30diMsIuG 
for March, etc. (These aren't realistic temperatures; they're the month-number 
multiplied by 10.) 

      How many different such passwords do you need? Four or five at most. You 
don't have to keep unique passwords for every single site you visit—Thompson 
says it's perfectly OK to repeat passwords on sites that don't need to be kept 
very secure. For instance, I can use the same password for my accounts at the 
New York Times, the New Republic, The New Yorker, and other online magazines, 
because it won't hurt me too much if someone breaks into those. (My mnemonic 
is, I like to read snooty publications quite often.) You should probably use 
different passwords for each of your social networking accounts—someone can do 
real damage by breaking into your Facebook or Twitter, so you want to keep them 
distinct—but you can still come up with a single systematic mnemonic to protect 
them: Twitter is my second favorite social networking site, MySpace is my third 
favorite social networking site, etc. Reserve your strongest, most distinct 
passwords for the few very important services that, if cracked, could do the 
most damage—your bank account, your computer, and most of all your e-mail, 
which often contains the keys to everything else in your life.

      To be sure, this is more of a hassle than what you're doing now—but what 
you're doing now is going to come back to bite you. These days, we're all 
dishing personal information all the time; you may think that your password is 
totally unguessable, but your Facebook makes clear that you're a huge U2 fan 
and you graduated from college in 2000. Achtung2000, eh? Just go ahead and make 
some new passwords right now. Trust me, you'll feel better.



--------------------------------------------------------------------------

      Sidebar

      According to the story he gave TechCrunch, the Twitter hacker began 
exploiting Gmail's forgotten-password feature to get into one staffer's 
personal e-mail. The hacker got a bit lucky here: When he hit the 
forgotten-password button, Gmail gave him a hint about the secondary e-mail 
address that the employee had entered when he or she had set up the Gmail 
account: ******@h******.com. The hacker guessed that this was a Hotmail 
address; when he checked Hotmail for some addresses that might belong to the 
user, he found they were no longer active. (Hotmail, like a lot of Web e-mail 
services, deletes accounts that haven't been accessed in a while.) So the 
hacker set up the Hotmail account that Gmail thought belonged to the Twitter 
employee. When Gmail sent a password-reset link to the Hotmail address, it went 
right into the hacker's hands. (Google has recently added a feature in Gmail 
that occasionally prompts users to update their backup e-mail addresses.)

      After rifling through the Twitter employee's Gmail in search of 
passwords, the hacker noticed that he seemed to use similar passwords for a 
lot of different sites. From there, Twitter fell like a line of dominoes: The 
hacker used the passwords he found in the Gmail account to get into the 
employee's Google Apps account, which led him to company documents that 
contained personal information about other Twitter employees. That information 
allowed him to guess those employees' passwords, which gave him even more 
personal information, which got him even more passwords, and so on. Eventually 
the hacker had access not only to documents floating around inside Twitter but 
also to some employees' accounts at Amazon, AT&T, and iTunes. He even got into 
the GoDaddy account that managed some of Twitter's domain names.

      Farhad Manjoo is Slate's technology columnist and the author of True 
Enough: Learning To Live in a Post-Fact Society. You can e-mail him at 
farhad.man...@slate.com and follow him on Twitter.

      Article URL: http://www.slate.com/id/2223478/ 
      © 2010 Washingtonpost.Newsweek Interactive Co. LLC