14 July 2010
An old and out-of-use Hotmail account, which I log into every couple of months just to prevent Hotmail from letting my account expire, was hacked in late May. Whoever or whatever (I suspect it was a machine) hacked into my account didn’t do anything terribly malicious. They simply borrowed my address for a month and sent out loads of spam to everyone on my contact list and many more who were not. Sorry! And thanks to the friend whom I inadvertently spammed and who gave me the heads-up about the problem.
What Went Wrong
I have no way of knowing how my account was compromised, but I suspect a brute force attack. Hotmail doesn’t lock accounts or insert any other barrier after a few (or even many) unsuccessful password entry attempts, so a machine could go on happily guessing at least one password per second for as long as it took to find the right one. Unfortunately, I made that process easier by having a password that was all lowercase and lacked special characters. Worse, even though I change most passwords every three or four months, I hadn’t changed that password since I opened the account. It wasn’t a giveaway password – it was 8 digits long and had a combination of letters and numbers – but I could have and should have done more.
Thankfully, the hackers didn’t change the locks while they were making use of my little piece of online real estate, and I was able to log in and reclaim full possession of the account. I set the new password to be extra robust.
Dear Hotmail…
And if anybody from Hotmail stumbles across this post: please consider asking people and machines who get their passwords wrong, say, five times in a row to pass a captcha test. Gmail does it. You should, too.
21 May 2010
Suppose you found out that a Russian hacker was selling access to hacked Facebook accounts for a mere $0.025 – $0.045 each, and that the hacker had 1,500,000 accounts to hawk. Should you be worried?
Risk vs. Effort
As it happens, this threat seemed plausible at one point last month. Now it appears that the danger was probably exaggerated (although that’s what the Facebook folks would say, isn’t it?):
Facebook’s assessment of Kirllos is that he is a low-level player and that he had nowhere near the 1.5 million accounts he advertised. Most likely, he had a few hundred accounts, most of which he likely created himself. Through some interesting and impressive forensic work, the Facebook security team identified the real Facebook accounts owned by Kirllos, reset the passwords, and notified the account owners.
But for fun, let’s take the hacker’s advertising at face value. How big of a risk is it to you, the average Facebook account holder? Well, to start with, there are over 400 million Facebook accounts, so the chances that yours is among the 1.5 million currently on sale are less than half of one percent.
I’ve written before that the prices criminals are willing to pay to get your account details are good indicators of the magnitude of the risk. In this case, if the value of each Facebook account is less than 5 cents, criminal buyers must not be expecting much more than the value of their time as a return on hacking into accounts.
You should be much more concerned about your bank account login details getting stolen, as that information apparently sells for about 1% of the account balance. In other words, buyers of this information expect a reasonable payoff in exchange for their investment and the risks they are taking.
So my take on the Facebook news is that it was initially alarming, but probably nothing to get worked up about. Of course, there’s no harm in updating and/or upgrading your Facebook password if you haven’t done so in a while.
24 April 2010
Read this list of commonly used passwords and see if you get a little nervous. Double twangs of deserved nervousness if you use the same password for every account.
The post has some solid advice about making and managing great passwords, too.
2 January 2010
NatWest, a UK-based bank, has a unique login page that makes it safe to sign into your online bank account even on untrusted computers. The login page makes it impossible to employ the Revised Vesik Method that is ordinarily the best way to beat keyloggers, but it more than compensates with its clever login requirements.
When logging in, the first set of fields asks for just three of the four or more digits that make up your account PIN, and the next set of fields asks for just three of the eight or more characters from your password (you are using eight characters or more for your passwords, right?). The specific characters you need to enter change each time you successfully log in.
So suppose a keylogger captures every stroke you enter – are you safe? Yes, since the six digits that a keylogger could scrape are likely to prove useless when the next login page is generated. The new page will ask for different characters, and it won’t regenerate new requirements until those characters are successfully entered. That’s important, because otherwise it might be possible to refresh the page until the desired six digits are requested again.
As safe as other techniques?
You might wonder if the trick of asking for just six digits means that the login procedure is less safe than one that asks for eight. I believe it is, but not in any sense that matters as long as there is a limit to the number of incorrect login attempts that can be made. Like most banks, NatWest hinders password-guessers by temporarily blocking access to online banking after a certain number of failed login attempts.
So, how much less safe is NatWest’s request for six digits instead of eight? Well, guessing an eight-digit password composed of numbers and varied-case letters would see success about 1 in 200 trillion times; guessing a single number from a four-digit PIN and then guessing the correct three digits from the same password as before would see success about 1 in 2.4 million times. There is a difference, but it doesn’t really matter if the temporary lockout feature is working properly. In my judgment, the anti-phishing benefits make NatWest’s login procedure safer than login pages that ask for complete passwords.
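As an added illustration of the login scheme described in this post, and of the lockout-after-a-few-failures that the Hotmail post above asks for, here is a toy server (not NatWest’s or Hotmail’s own code) that asks for three PIN digits and three password characters, keeps the same request until it is answered correctly, and locks the account after repeated failures, together with the post’s 1-in-N arithmetic generalised to any number of requested digits and characters. The lockout threshold and the sample PIN and password are constructed values.

```python
import secrets
from dataclasses import dataclass, field

_rng = secrets.SystemRandom()  # CSPRNG so the requested positions are unpredictable

def guess_odds(pin_digits_asked: int, pw_chars_asked: int, pw_alphabet: int = 62) -> int:
    """The N in '1 in N' for a blind guess at one challenge, with a 62-symbol password alphabet
    (digits plus upper- and lower-case letters). A full 8-character password is (0, 8)."""
    return 10 ** pin_digits_asked * pw_alphabet ** pw_chars_asked

def answer_for(secret: str, positions) -> str:
    """What a legitimate user types: the characters at the requested 1-based positions."""
    return "".join(secret[i - 1] for i in positions)

@dataclass
class PartialLogin:
    """Server side of the partial-credential login the post describes (toy model)."""
    pin: str
    password: str
    asked: int = 3            # PIN digits and password characters requested per login
    max_failures: int = 3     # temporary lockout threshold; hypothetical value
    failures: int = 0
    locked: bool = False
    pin_positions: tuple = field(init=False)
    pw_positions: tuple = field(init=False)

    def __post_init__(self):
        self._new_challenge()

    def _new_challenge(self):
        # Positions are 1-based, the way a user counts along a PIN or password.
        self.pin_positions = tuple(sorted(_rng.sample(range(1, len(self.pin) + 1), self.asked)))
        self.pw_positions = tuple(sorted(_rng.sample(range(1, len(self.password) + 1), self.asked)))

    def challenge(self):
        return self.pin_positions, self.pw_positions  # fixed until answered correctly

    def attempt(self, pin_answer: str, pw_answer: str) -> bool:
        if self.locked:
            return False
        expected = answer_for(self.pin, self.pin_positions) + "|" + answer_for(self.password, self.pw_positions)
        ok = secrets.compare_digest(pin_answer + "|" + pw_answer, expected)  # constant-time compare
        if ok:
            self.failures = 0
            self._new_challenge()   # only success rotates the positions, so a keylogged
        else:                       # answer is useless against the next login page
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True  # halts the unbounded guessing the Hotmail post complains about
        return ok
```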
The one downside is that logging in is inconvenient, since you have to mentally count to the right digit in your password before entering it. Still, NatWest’s login requirements ought to be considered industry best practice. I hope to see more banks adopt the technique.
6 December 2009
If you want a simple way to create, store, and use strong passwords, get Password Safe. You need only remember one password — the master password that grants access to your password database. Making a suitable password is easy, as I’ve written about before.
Slate has an article this month that gives similar advice for making passwords. It’s worth reading for the examples, and I like the suggestion for creating a password that can be altered slightly every few months so frequent password-changers don’t have to memorize a completely new one.