Password sniffers
Friday, June 22, 2007
I've just had to spend the last hour changing all my passwords and encrypting them into my TrueCrypt vault, after multiple attempts were made by persons unknown to gain access to my email account, my bank account and my web hosting account. I've also had to stop using my public email address for all the various online services that I use, since using my public email address for signing in gives a potential hacker one foot in the door. If they know the email address then all they need is the password. But if I keep the sign-in email address secret then they have to find that out too which makes things a lot harder for them. Not impossible of course but one extra hoop for them to jump through.

I found out about the hacking attempts this evening when I logged onto my email and discovered emails from the various services saying there had been unsuccessful log-on attempts. PayPal in particular is very good about sending out these kinds of notifications. Knowing that I didn't have any password problems (plus I had been out of the house for the previous couple of hours), I knew that I had been the target of a hacker, or as I call them, "password sniffers". I also have other names for them but I'm trying to keep this blog suitable for all ages.

So the first thing I did was review my passwords and, looking at them, I realised that they weren't really that secure. OK, I'm not stupid enough to use "PASSWORD" or "MARK" but at the same time, a determined dictionary brute-force attack would have got the passwords in the end. That's when I realised that I needed to secure the various online services with long unbreakable password strings. This includes:

  • Letters - both upper-case and lower-case
  • Numbers
  • Special characters such as @ ! " # + ?
  • A minimum of 20 characters long, but if you must make it shorter than that, no less than 15 characters.
  • No connection whatsoever to any personal detail of your life - so no birthdays, pet names, street names, names of your first sweetheart, anything like that. Keep the password totally impersonal.
  • Changing the passwords every 30 days.

So a good password would be something like !$!@yStP5x@u1P!QD2!5
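To make the rules above concrete, here is a small added example (my own code, not the post's) that turns the list into a checker and a generator. It assumes the special-character set is the one the post lists plus the `$` that appears in its sample password, uses Python's `secrets` module (not `random`) so the generated strings are unpredictable, and treats the "no personal details" rule as a case-insensitive substring check against terms you supply; the 30-day rotation rule becomes a simple date comparison.

```python
import math
import secrets
import string
from datetime import date, timedelta

# Assumption: specials are the characters the post lists, plus '$' from its example.
SPECIALS = '@!"#+?$'
ALPHABET = string.ascii_letters + string.digits + SPECIALS
MIN_LEN = 20           # the post's preferred minimum
FALLBACK_MIN_LEN = 15  # the post's absolute floor
MAX_AGE_DAYS = 30      # the post's rotation interval


def check_password(pw, min_len=MIN_LEN, personal_terms=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # "No connection whatsoever to any personal detail": reject any supplied term
    # (name, pet, street, year of birth, ...) that appears anywhere in the password.
    lowered = pw.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append("contains personal term %r" % term)
    return problems


def generate_password(length=MIN_LEN):
    """Draw characters with secrets.choice until every class is present."""
    if length < FALLBACK_MIN_LEN:
        raise ValueError("length below the %d-character floor" % FALLBACK_MIN_LEN)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps each accepted string uniformly random
        # among strings that satisfy the composition rules.
        if not check_password(pw, min_len=length):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def needs_rotation(last_changed, today=None, max_age_days=MAX_AGE_DAYS):
    """True once the password is older than the rotation interval."""
    today = today or date.today()
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    # The post's own sample password should pass every rule.
    print(check_password("!$!@yStP5x@u1P!QD2!5"))
    # The two examples the post rejects fail several rules at once.
    print(check_password("PASSWORD"))
    print(check_password("MARK", personal_terms=["mark"]))
    candidate = generate_password()
    print(candidate, "%.1f bits" % entropy_bits(len(candidate)))
```

The entropy figure is what matters against the dictionary brute-force attack the post worries about: twenty characters drawn uniformly from this 69-symbol alphabet is roughly 122 bits, far beyond what any offline guessing attack can enumerate, whereas a word plus a few digits sits in the range such attacks are built for.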

If you have to type the passwords into a text file or Word document then make sure you have some kind of encryption scheme in place so the password file can't be cracked. TrueCrypt is excellent but a simpler solution would be Locknote.

If anybody hacks a password like !$!@yStP5x@u1P!QD2!5 then they deserve a job at the National Security Agency.


posted by Mark @ 1:03 AM  
Camelot Online & Mark O'Neill 2006-2007