The terrible sinking feeling of being hacked. It’s a virtual home break-in. Finding your digital unmentionables cast across the floor of the web. @CNN I’m sure are feeling that right now. Their twitter feed was hijacked by #SEA (Syrian Electronic Army) last night.
— Roberto Baldwin (@strngwys) January 23, 2014
The word hacked has become diluted, and it was never strongly defined in the first place.
We’re talking about someone getting access or information they shouldn’t have. The best description I’ve heard, drawing a parallel to the physical world, is trespassing versus theft. The idea of digital theft is tricky. To steal a car you deprive its owner of the use of it. If you steal a digital thing you make a copy; if you trespass virtually you make a mess. @CNN can still use their Twitter account, for instance, but lots of people have seen what #SEA posted. Most of the time a hack is more closely aligned with vandalism.
While it’s not clear how the hack occurred, it’s a reminder to us all to protect ourselves as best we can.
Passwords can be the weak point. Still today many of us use gates of steel like password1 to protect our valuables. We do this because it’s hard to remember the hundreds of passphrases we use every day.
The first thing to remember is to use a strong password.
What is a strong password?
It’s probably not what you think. No one can remember 100 random strings of letters and numbers. And you don’t need to.
The strength of a password comes down to entropy: how long would it take a hacker with a dictionary file and good knowledge of people’s password behaviour (e.g. putting a number at the end) to crack it? 8 random letters, numbers and symbols might seem to beat this – there’s no df67sib7usei1pbfp3456;osdb in the dictionary. Well, no: a brute force attack won’t have any trouble.
Brute force attacks basically try every combination of letters, numbers and symbols until they get it right. A good website will limit the number of attempts, so a brute force attack won’t work there. What can happen instead is what happened in 2012 when LinkedIn was hacked. Your password is saved at the other end, so when you type it in they know you got it right. The other end will keep it in a secure way, but if those security measures are beaten, the list of email addresses and passwords is there for the taking and can be brute forced offline, with no limit on attempts. If your password was sufficiently complex it will be one of the last ones to be cracked, or may not get cracked at all.
A strong password is a long unique password.
A web comic, XKCD, said it best. Letters are better than numbers or symbols: there are 26 letters but only 10 numbers and about 10 common symbols. 26 is the bigger number, so each letter position allows more combinations.
The other very important thing is being unique. If your Twitter password is hacked and it’s the same one you use for internet banking, you’re in trouble. Also, the dictionary files hackers use are not what you might expect. The file contains all words, common misspellings, leet speak, song lyrics, movie/TV quotes, pop culture passwords (trustno1), and everything else you thought was tricky.
XKCD recommends using 4 common words. This is easy for you to remember and hard to crack because the result is long and so many combinations are possible.
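To put numbers on the argument above, here is an added example (not from the original post) that estimates the guess space, as a cracker with a wordlist would see it, for the password styles discussed: a common word with a digit tacked on, 8 random characters, and 4 or 6 words drawn at random from a list. The guess rate, the 2048-word list size and the tiny stand-in wordlist are constructed assumptions.

```python
import math
import re

# Constructed assumptions for this comparison (not figures from the post):
GUESSES_PER_SECOND = 1e10  # offline cracking of a leaked database of fast hashes
WORDLIST_SIZE = 2048       # common-word list shared by the cracker and a passphrase picker
# Tiny stand-in for a real cracking wordlist (words, pop-culture passwords, ...)
COMMON_WORDS = {"password", "trustno1", "letmein", "dragon", "monkey",
                "correct", "horse", "battery", "staple"}
# Character classes as the post counts them: 26 letters (each case), 10 digits, ~10 symbols
CHAR_CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 10))


def naive_bits(password: str) -> float:
    """Entropy if every character were an independent random draw from the
    character classes present in the password (what a 'complexity meter' assumes)."""
    alphabet = sum(size for pattern, size in CHAR_CLASSES if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def attacker_bits(password: str) -> float:
    """Entropy as seen by a cracker with a wordlist and mangling rules.
    A wordlist entry costs log2(WORDLIST_SIZE) guesses; the 'word + trailing
    digits' habit adds only 10**digits. Anything unrecognised gets the naive figure."""
    if password.lower() in COMMON_WORDS:
        return math.log2(WORDLIST_SIZE)
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    if m and m.group(1).lower() in COMMON_WORDS:
        return math.log2(WORDLIST_SIZE) + len(m.group(2)) * math.log2(10)
    return naive_bits(password)


def passphrase_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of num_words words drawn at random (not picked by hand) from a list
    the attacker also holds; joining them with or without spaces adds nothing."""
    return num_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility; the expected time is half of it."""
    return 2 ** bits / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    cases = [("password1, naive view", naive_bits("password1")),
             ("password1, cracker view", attacker_bits("password1")),
             ("8 random chars, 4 classes", naive_bits("aB3$xY9!")),
             ("4 random common words", passphrase_bits(4)),
             ("6 random common words", passphrase_bits(6))]
    for label, bits in cases:
        print(f"{label:26s} {bits:6.1f} bits  {years_to_exhaust(bits):14.6f} years")
```

The table shows why the post stresses length and uniqueness: password1 looks like 46 bits to a complexity meter but is about 14 bits to a cracker, 4 random words sit at 44 bits, roughly level with 8 random characters, and adding two more words pushes the exhaustive search into centuries at this guess rate.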
There are also services that collect and serve your passwords. They generate strong passwords with letters, numbers and symbols, but you can also choose your own correcthorsebatterystaple-style password. You’ll never have to remember it again, but if you need to you can.
The benefit of these services is more than just a place to store your passwords. When you type your password on an http website it’s not secure between your keyboard and the secure database behind the website. It’s a different story on an https website, though. These services also mean you don’t type your password in, so key-logging software can’t collect what you’ve typed, and some sniffing methods are prevented.
Before services like 1Password, when I was working on a network with programmers who liked to test out their skills, I used manual techniques to prevent their key-logging. I’d type some of my password, then some wrong characters, then delete them, then type the right word. The keys that are logged are keys that make visible output, so backspace doesn’t get logged. This way I could curate a false record on their log. Security by obscurity, which isn’t best practice, but it worked.
Key points for passwords
- Easy to remember
- Use secure computers/services