The backdoor problem

There’s a well-known truism in the security community that says that a system’s security is only as good as the backup entry method employed. That’s as true on the web as elsewhere. People forget or lose their passwords, they want to be able to get back into their accounts, and many websites give them the chance to do so by offering entry through a “backdoor”. The backdoor is meant to recognize and grant entry to the true account owner by asking “security questions” for which only he would know the answer.

The problem is that most security question answers, if generated as intended, typically make poor passwords. You can have the strongest primary password in the world, but if you use your mother’s maiden name as the answer to the security question a website offers, then you can forget about the strength of your primary password. Your effective password might as well be your mother’s maiden name, since knowledge of that will get you into the website as surely as knowledge of the primary password will.

You should keep that in mind when creating answers to security questions. Instead of providing the actual answers, I recommend creating real passwords as answers to these (i.e., your mother’s maiden name could be entered as “d9IgzUe33s”), then keeping track of these additional passwords in a program built for the job (I’ve discussed such programs before).

The fortress problem

Now that you’ve gussied up the backdoor, strengthening it with a stronger password requirement, you may run into the problem that backdoors were invented to solve: what if you suddenly find yourself locked out of your fortress? What if you lose both passwords? If you are using a password management tool, what if your password database gets corrupted? What if you accidentally erase an entry in your database (this is scarily easy to do)? What if your hard disk crashes and you lose your database?

The answer is that you need to create backup systems for yourself. These backups need to be in two forms:

  1. If you use a password manager, create backups of your password database. After creating a new entry, store a copy of the database on a USB flash drive or send a copy to a family member’s email address. As long as the database itself is password protected, you needn’t worry about making copies and leaving them lying around or giving possession to others. In fact, the more copies you make and the easier they are to find, the better.
  2. If you use a password manager, you need to protect against the possibility that you forget the master password that unlocks the database. If you’ve used this method, that should never happen. But sometimes bad things do happen, and you should plan for that. A low-tech method would be to write down your database password and store it in your wallet. That is safer and more sensible than many people suspect. A second option would be to write down your master password and store it in a safety deposit box at your bank. The latter option has the advantage of finally sealing up that backdoor to be both safe and useful – if you lose your safety deposit box key, for example, you can regain access to it by proving your identity to your bank, something that should be extremely difficult to do for an imposter but relatively easy for the true account holder to do.


Password length: go longer?

Time marches on, computing power grows stronger, hackers get cleverer. Every now and again we need to review what we once thought was “safe enough”. Today, the time has come to review what ought to be considered a safe password length.

Pragmatic security and powerful bots

This blog has always taken the pragmatic route to security, recognizing that there will always be a tradeoff between security and time and money. In other words, don’t worry about being 100% safe — instead, focus on being safer than average.

What does that mean for password length? Consider this: computing time is so cheap today that it’s not inconceivable that every one of our email accounts has a bot trying to access it about once per second, every day, 365 days per year.

Still feel safe with the password you’re using right now? Personally, I’m starting to feel queasy, but let’s look at the problem carefully.

Is eight still enough?

I used to recommend an eight digit password. Is that still enough? The Microsoft Password Checker, a tool I’ve recommended before, does not seem to think so. If you type, for example, “t8Uh10xI” into the checker, it tells you that you’ve made a weak password. Is that the case?

To answer that, suppose you found one of those bots that is, in all likelihood, pounding at the gates to your email account. Feeling generous, you give the bot a bit of information. “Look,” you say, “my password is eight digits, so don’t bother guessing passwords of any other length. And I use numbers, uppercase characters, and lowercase characters. I don’t use any special characters.”

Now, how scared should you be?

Well, you’ve made the bot’s job a bit easier, but let’s take a look at the math. The key statistic is the number of possible permutations of passwords you could have made using those parameters. To find out how many permutations there are, and therefore how many different passwords the bot would have to try, we need to compute the following:

Permutations = (26+26+10)^8

That is, there are 62 ways to pick the first character of your password (26 uppercase letters, 26 lowercase letters, and 10 numerical digits), 62 ways to pick the second, 62 to pick the third, and so on — eight times.

The solution is that there are 218,340,105,584,896 possible eight character permutations. That’s 218.3 trillion. Supposing that a bot can try one password per second, it would be able to try 31,536,000 in a year. In just under 7 million years, it could try all the possible permutations.

So the answer has to be “yes, eight is still enough”.

On the other hand, if you’re using a software tool like PasswordSafe, the cost of upgrading your passwords to be a bit longer is so low that it’s difficult to think of a reason not to do so. Personally, I’ve begun to use 15 to 30 digit passwords for some applications because it increases my safety without increasing my costs appreciably. But I still feel secure knowing that the master password that unlocks my PasswordSafe database is less than ten characters long. If I lose my PasswordSafe database on the subway again (yes, this has happened once already), I won’t worry.
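The arithmetic above, as an added example that is not part of the original post: it reproduces the 62^8 figure, shows how the length you need moves with the attacker's guess rate, and applies the backdoor argument from the first post by taking the weakest way into the account. The rate of one billion guesses per second and the 100,000-candidate surname list are assumptions chosen for illustration.

```python
import secrets
import string

SECONDS_PER_YEAR = 365 * 24 * 60 * 60   # 31,536,000, the figure used in the post
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits  # 26+26+10

def keyspace(alphabet_size, length):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length

def years_to_exhaust(candidates, guesses_per_second=1):
    """Years needed to try every candidate at a steady guess rate."""
    return candidates / (guesses_per_second * SECONDS_PER_YEAR)

def min_length(alphabet_size, target_years, guesses_per_second):
    """Shortest length whose keyspace takes at least `target_years` to exhaust."""
    length = 1
    while years_to_exhaust(keyspace(alphabet_size, length), guesses_per_second) < target_years:
        length += 1
    return length

def weakest_entry_years(entry_keyspaces, guesses_per_second=1):
    """An account is only as strong as its easiest way in (password or backdoor)."""
    return years_to_exhaust(min(entry_keyspaces.values()), guesses_per_second)

def random_answer(length=10):
    """Random string to record in a password manager as a security-question answer."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    print(f"62^8 = {keyspace(62, 8):,}")
    print(f"years at 1 guess/s: {years_to_exhaust(keyspace(62, 8)):,.0f}")
    # Assumed rates: the post's 1 guess/s, and 10^9 guesses/s as a much faster attacker.
    for rate in (1, 10**9):
        print(f"{rate:>13,} guesses/s -> length {min_length(62, 1_000_000, rate)} for 1M years")
    # Constructed figure: a real-name answer drawn from ~100,000 plausible surnames.
    entries = {"primary password": keyspace(62, 8), "maiden-name answer": 100_000}
    print(f"with real answer:   {weakest_entry_years(entries) * 365 * 24:.1f} hours")
    entries["maiden-name answer"] = keyspace(62, 10)  # random 10-character answer instead
    print(f"with random answer: {weakest_entry_years(entries):,.0f} years")
    print("example answer:", random_answer())
```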


Protecting and tracking stolen hardware

Phones and laptops are easily lost or stolen, and I would urge you to use one or both of the following to protect yourself in the event that it happens to you:

  1. Encrypt your personal files. If you choose to do just one of the two things on this list, choose this one. TrueCrypt is a good, non-scary encryption utility.
  2. Install tracking software. LoJack and Prey were both mentioned in a recent Economist article, and they seem like reasonably good options.

The Economist article tells the story of a laptop getting stolen and then tracked down without police assistance:

Tales of stolen phones and laptops being successfully retrieved are the exception to the rule. One widely publicised case (perhaps because it was so rare) concerned a Canadian web consultant, who had a bag containing his laptop, mobile phone, health card and copies of his birth certificate lifted while on a business trip to New York. Fortunately, the owner had taken the precaution of installing an open-source tracking tool called Prey on his MacBook Pro beforehand.

Several days later, back in Ottawa, the owner got a message from his stolen laptop, saying it was being used in a restaurant in the Soho district of Manhattan. The tracking software not only sent the location details, but also transmitted screen-shots of what was running on the laptop at the time. It even turned on the user-facing camera and transmitted video of the user to the owner 500 miles away.

In this case, the owner was luckier than most. He had some 12,000 followers on Twitter to call upon for help. Meanwhile, the thief made the mistake of logging onto Skype with his real name. The laptop owner saw all this happening before his eyes and tweeted the details to his followers. He also called the New York police and asked, to no avail, for help. The missing laptop and other items were recovered only when a friend, aided by a Twitter follower in New York, rushed to the restaurant and confronted the staff with the evidence. The stolen laptop was handed over without a struggle.

Being able to track your laptop is a great idea in theory, but if the police aren’t willing to do the potentially dangerous work of confronting the criminal, I suspect the software will be useless to most people. That’s why encrypting your data is priority number one, and installing tracking software is nice to have but not something to rely on.


Anti-virus programs that are viruses

After buying a new computer last week, I was undergoing the usual process of uninstalling programs that the manufacturer thought would be useful to me but that I don’t care for. One of these was McAfee’s Internet Security suite. Perhaps it does a fine job of protecting computers if you give it the chance, but a few things bothered me:

  1. I was pestered several times per day to register the product. The options presented were along the lines of “Yes, register now” or “Remind me later”. Like a clingy salesperson, McAfee would not take “No” for an answer.
  2. The program refused to uninstall using the standard Windows uninstall mechanism. A few Google searches suggest that my experience is not exceptional.
  3. At least some users who manage to remove McAfee from their machines find that the company leaves behind poison pills in an effort to prevent competitor products from being installed.

These are serious infractions. We’ve got a program that is overwhelmingly concerned with its own survival and is willing to use sneaky tactics to achieve it. That willingness includes sabotaging users’ ability to use their machines as they wish (making them unsafe in the process).

What do we call a program like that? I think it’s obvious: McAfee Internet Security is a virus.


Password Safe Version 3.2

I’ve been using Password Safe for about 3 years, and would recommend it to everyone. Yes, it’s free. I just downloaded the latest version, and discovered the following pretty cool features:

1. You can ask the program to automatically fill in password fields on websites. Cutting and pasting wasn’t hard, but this is twice as easy!

2. It’s now possible to customize the passwords the program generates for you. Choose the number of characters, the number of characters that should be lowercase, the number that should be uppercase, etc. You can even ask the program to generate passwords that are readable (rather than gibberish).

Yes, those features are for lazy people. But laziness in these areas will give you more time to spend elsewhere, like replacing old passwords every few months.

If Password Safe doesn’t quite do it for you, Beta News has a review of a range of password managers. Perhaps one of them will strike your fancy.
