Security 101: Less painful than identity theft
One of the commodities that hackers treasure most is your authentication details. Your username and password are worth a lot on the black market. We all know the basic rules around passwords: have a strong password with numbers and special characters, change it regularly, and so on. But what we neglect to do is use a different password for every site, because that is just too many to remember.
Phishing is one of the hacking methods that is used more and more, and this week for the first time I had phishing attempts on Twitter. One user sent me two messages, both asking for my Twitter username and password, one for an apparent report about me and one for a photo. On its own it is not all that bad: it's only Twitter, there is no financial information there, they can't get to your banking details, so that is safe. Or is it?
Let's take a step back. The traditional way of getting user credentials was what they called a "brute force attack", or more precisely a dictionary attack: using a list of thousands of words, they tried every word as your password. They had to have your username, and if you used a well-known word, e.g. "potato", as your password, odds are they would have gotten your credentials. Then we started using strong passwords: instead of "potato" we used "p0Tat0". It is still easy to remember, but it is not a normal word, so the odds of a plain dictionary attack working are much smaller. Much smaller, but not zero: cracking tools apply exactly these substitutions as rules on top of every dictionary word, so a leet-speak variant of a common word is only a few hundred extra guesses away. This worked for a while, but then phishing became mainstream, as more and more of us were using websites.
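To show what a rule-based dictionary attack does to a "strong-looking" password, here is an added example (not code from the original post): a constructed six-word wordlist, a small set of leet-speak substitution rules of the kind hashcat and John the Ripper ship with, and an unsalted SHA-256 hash of the constructed target "p0Tat0", which is just a variant of the dictionary word "potato". The wordlist, the rule table and the target are all assumptions made for the demonstration.

```python
import hashlib
import itertools

# Constructed wordlist standing in for the "list of thousands of words" the
# post describes; real attack lists hold millions of entries.
WORDLIST = ["password", "letmein", "monkey", "dragon", "potato", "sunshine"]

# Character substitutions that cracking tools apply as "mangling rules"
# on top of every dictionary word (a small, constructed subset).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def variants(word):
    """Yield every case/substitution variant of one dictionary word."""
    choices = []
    for ch in word.lower():
        options = [ch]
        if ch.upper() != ch:
            options.append(ch.upper())
        options.extend(LEET.get(ch, ""))
        choices.append(options)
    for combo in itertools.product(*choices):
        yield "".join(combo)


def sha256_hex(text):
    """Fast, unsalted hash, i.e. the worst realistic way to store a password."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Rule-based dictionary attack against one stored hash.

    Returns (recovered_password, candidates_tried); the password is None
    if no variant of any wordlist entry matches.
    """
    tried = 0
    for word in wordlist:
        for candidate in variants(word):
            tried += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed target: the stored hash of "p0Tat0", a leet-speak
    # variant of the dictionary word "potato".
    stored = sha256_hex("p0Tat0")
    found, n = crack(stored)
    print(f"recovered {found!r} after {n} candidates")
```

With six base words the attack tries a few thousand candidates and recovers the password in well under a second. A salted, slow hash on the server raises the cost per guess but does not change the outcome for a password derived from a dictionary word; only a password that is not a variant of anything in the list (which is what a vault generates for you) escapes this kind of attack.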
The real problem with phishing is not losing your username and password to one site, it's losing your username and password to all your sites. Because strong passwords are hard to remember, we tend to use the same username and password for all our sites. So if they now get your username and password, they can run a different type of brute force attack, known as credential stuffing, where they enter this same username and password into many different sites; sooner or later they get lucky and make a profit from your credentials.
Last year's hacking of Sony nicely illustrates the point. The problem was not that LulzSec were able to steal your username and password; the problem was a lazy administrator who saved the passwords as plain text, making them readable to anyone who got hold of the database. The second problem was that LulzSec published this information, creating a new type of brute force attack where anyone can try as many sites as they want with usernames and passwords that they got for free.
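The two points above, a published plain-text dump and the replay of those credentials against other sites, can be put together in a small simulation. This is an added example, not code from the original post or from any real site: three constructed sites store salted PBKDF2 hashes (what the lazy administrator should have done), a constructed leaked dump holds three users' plain-text passwords, and the stuffing loop simply tries each leaked pair on every site. The usernames, passwords and site names are all assumptions for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; real deployments tune this upwards


def pbkdf2(password, salt):
    """Salted, deliberately slow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Site:
    """A website that stores salted, slow hashes instead of plain text."""

    def __init__(self, name):
        self.name = name
        self.users = {}

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, pbkdf2(password, salt))

    def login(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(pbkdf2(password, salt), stored)


# Constructed leak: some other site kept passwords in plain text and the
# table was published, the situation the post describes.
LEAKED_DUMP = [
    ("alice", "p0Tat0"),        # reuses one password everywhere
    ("bob", "Winter2011!"),     # reuses it on some sites only
    ("carol", "xK9#mQ2v7pLs"),  # vault user: a unique password per site
]


def build_sites():
    """Three constructed sites with the users' real account passwords."""
    sites = [Site("webmail"), Site("shop"), Site("bank")]
    for site in sites:
        site.register("alice", "p0Tat0")
        site.register("carol", "site-" + site.name + "-Tq8!vLm3")
    sites[0].register("bob", "Winter2011!")
    sites[1].register("bob", "Winter2011!")
    sites[2].register("bob", "b4nk-0nly-Pw")
    return sites


def credential_stuffing(dump, sites):
    """Replay every leaked (username, password) pair against every site.

    Returns {username: [names of sites where the login succeeded]}, i.e.
    the blast radius of the leak for each user.
    """
    hits = {}
    for username, password in dump:
        hits[username] = [s.name for s in sites if s.login(username, password)]
    return hits


if __name__ == "__main__":
    for user, taken in credential_stuffing(LEAKED_DUMP, build_sites()).items():
        print(f"{user}: {len(taken)} account(s) taken over {taken}")
```

The hashing on the three sites is irrelevant to the outcome: the attacker is not cracking anything, just logging in with a password that is already known. Alice loses every account, Bob loses the two where he reused the password, and Carol, whose vault gave each site its own password, loses nothing beyond the site that leaked. Proper hashing protects the users of the breached site from having their plain-text password published in the first place; unique passwords protect you from every other site's administrator.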
I'm not lucky enough to have a PlayStation … yet, but the Sony hacking was a valuable lesson. I also used about 4 passwords for all my login details, from email through to my banking. I downloaded a password vault application, there are a number of them, and started changing all my passwords and usernames, one of each for each site. A little bit more work from my side, but a lot more secure, and you get used to it rather quickly. The password vault applications are also very easy to use, making it quick to retrieve your usernames and passwords.
I was amazed to see how many sites actually stored my passwords. Each password was easily stored on between 10 and 20 sites, and all it took was one lazy administrator on any of those sites to put me at risk.
There are different password vault applications: my wife uses one that is integrated into her browser, I prefer using one that is standalone. All your data is encrypted in the vault, which means I only have to remember one difficult password. And that at least I can still do 🙂
Coming back to the Twitter phishing attempt: only Twitter might have been at risk. But if I had actually given them my username and password, and I still used them for a number of other sites, I could have been in real trouble.
Search Google, there are many of these applications; pick one that you like and be a little bit more secure. Even if you lose a username and password to hackers or phishers, at least you minimize the damage, and the fix is quick.