Last summer was an embarrassing one for LinkedIn. The social media network aimed at professionals confessed in June 2012 that millions of users’ passwords had been breached.
A hacker had posted 6.5 million “hashes” – passwords in scrambled form – online, in the hope that others would help crack them. Experts believed the intruder had already cracked millions, unlocking many users’ accounts on LinkedIn and, probably, on other online services where the same password had been reused.
How did the hacker do it? And, more important, how can you protect your passwords?
Many people are notoriously lazy when it comes to creating passwords. They use the most obvious combinations, assuming that no one will guess them. Among the combos found on the list of leaked LinkedIn passwords were: password, qwerty, abc123 and that old chestnut, 123456.
Presumably, these LinkedIn users didn’t have “IT security expert” listed on their resumés.
Those passwords were deliberately garbled by the website for security purposes. But if you use even vaguely obvious passwords, hackers who steal a password list from a website can crack them.
Websites that garble passwords do so with a mathematical program called a “hashing” function. This function reads the password and produces a fixed-length string of gibberish, the hash, and it is one-way: there is no practical way to run it backwards and recover the password from the hash. So the website never needs to store your password. When you log in, it takes the password you type, runs it through the same function and compares the result against the hash it has on record. If they match, you are allowed access to your account.
The whole system relies on the fact that the hash is deterministic: the same password always produces the same hash, and, for practical purposes, different passwords produce different hashes. Unfortunately, hackers rely on the same fact to break passwords.
Because many people use the same obvious passwords, hackers don’t try to reverse the function at all; they guess. They run every word in the dictionary, every password leaked in earlier breaches and every common combination of characters you can think of (“abc123” included) through the hashing function and keep the results. Compiled into long lists pairing each guess with its hash, these become lookup tables; “rainbow tables” are a compressed form of the same idea that trades table size for a little extra computation. When a hacker gains access to a website’s list of hashed passwords, he or she simply checks which of the stolen hashes appear in the table. LinkedIn made this easy: its hashes were plain SHA-1 with no “salt” (a random value, different for every account, mixed in before hashing), so a single table served every account, and SHA-1 is so fast that a modern graphics card can also test billions of fresh guesses a second without any table at all.
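The attack described above, as an added example that is not from the article: a constructed “stolen” dump of unsalted SHA-1 hashes (the format LinkedIn used), an attacker’s precomputed lookup table built from a short wordlist, and the matching step. The wordlist, the dump and the strong passphrase are all constructed for the example; real cracking lists run to hundreds of millions of entries.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, the way LinkedIn stored it in 2012."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Attacker side: a wordlist of common passwords (constructed; real ones are huge).
WORDLIST = ["password", "qwerty", "abc123", "123456",
            "iloveyou", "letmein", "linkedin", "football"]

# A passphrase that appears on no list (constructed for the example).
STRONG_PASSPHRASE = "dozen violet kettle orbit lamp sky"

# Constructed "stolen" dump: three weak passwords and one strong one.
# In a real dump only these hex strings are present, never the passwords.
STOLEN = [
    sha1_hex("123456"),
    sha1_hex("iloveyou"),
    sha1_hex("linkedin"),
    sha1_hex(STRONG_PASSPHRASE),
]


def build_lookup_table(wordlist):
    """Precompute hash -> password once; reusable against every unsalted dump."""
    return {sha1_hex(word): word for word in wordlist}


def crack(stolen_hashes, table):
    """Return {hash: password} for every stolen hash that appears in the table."""
    return {h: table[h] for h in stolen_hashes if h in table}


def crack_demo():
    """Run the attack on the constructed dump."""
    return crack(STOLEN, build_lookup_table(WORDLIST))


if __name__ == "__main__":
    found = crack_demo()
    for h in STOLEN:
        print(h, "->", found.get(h, "<not cracked: not on the list>"))
```

Three of the four hashes fall out immediately with a dictionary lookup; the fourth survives only because its password is on no list, not because SHA-1 protected it. Note that the table never had to be rebuilt for a specific victim, which is exactly what salting (discussed with password managers below) prevents.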
Without rainbow tables, an attacker could still guess an obvious password simply by knowing a little about you. When a college student hacked Sarah Palin’s Yahoo Mail password in 2008, he didn’t need any skill. He simply reset her password using the site’s “forgotten password” function. The security question required to reset the password was where Palin met her spouse. A simple Google search revealed “Wasilla High.”
So, how can we manage our passwords properly, using best practices, to prevent these attacks?
– USE COMPLEX PASSWORDS. Instead of “123456,” or the name of your dog, you can use alternatives. One is a random password of at least 12 characters mixing letters, numbers and other symbols, such as percent and dollar signs, ideally produced by a generator rather than by hand, because people are poor at being random.
Another approach is to use “passphrases” rather than passwords. The lists behind cracking tools hold dictionary words, common combinations and every password that has leaked in earlier breaches, but a long string of words that has never been written down anywhere is far less likely to be on any list.
Where can you get a passphrase? Don’t use something obvious. (“iloveyou” was a common password used by LinkedIn members.) Don’t use a famous quotation or a song lyric either; cracking lists include those too. A sentence from your favourite book or the first line of a newspaper story is better than a single word, but the safest choice is several words picked at random, for example by a password manager’s generator or by rolling dice against a word list. The important thing is that the phrase be long and unpredictable enough to thwart a brute-force attack. Six or more randomly chosen words should do it.
This is all very well for a single site, but don’t break the cardinal rule: never use the same login credentials for more than one online service. If hackers do manage to gain access to your password (or phrase) for a single site and that same password is used elsewhere, then you risk having your accounts compromised on multiple sites.
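To make the length and randomness advice concrete, the following added example (not from the article) generates passwords and passphrases with the operating system’s cryptographic random source and estimates how long each would take to brute-force. The 16-word list and the guessing rate of ten billion per second (roughly one modern graphics card against unsalted SHA-1) are assumptions for illustration; a real Diceware-style list has 7,776 words.

```python
import math
import secrets
import string

# 62 letters and digits plus 8 symbols: 70 possible characters per position.
ALPHABET = string.ascii_letters + string.digits + "%$#@!&*?"

# Constructed stand-in for a real word list; far too small for real use,
# which the entropy figures below make visible.
WORDS = ["kettle", "orbit", "violet", "dozen", "lamp", "harbour", "pencil",
         "saddle", "fern", "granite", "tumble", "cobalt", "marble", "quiver",
         "lantern", "thistle"]


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Each position drawn independently from the CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDS) -> str:
    """Diceware-style phrase: words chosen uniformly at random, not a quotation."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy when every position is an independent uniform choice."""
    return positions * math.log2(choices_per_position)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret after searching half the space."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    gpu_rate = 1e10  # assumption: one GPU against a fast unsalted hash
    cases = [("6 chars, 70-symbol set", 70, 6),
             ("16 chars, 70-symbol set", 70, 16),
             ("6 words, 7776-word list", 7776, 6),
             ("6 words, 16-word list", len(WORDS), 6)]
    for label, choices, n in cases:
        bits = entropy_bits(choices, n)
        print(f"{label:26s} {bits:6.1f} bits  ~{years_to_crack(bits, gpu_rate):.3g} years")
    print("example password:  ", random_password())
    print("example passphrase:", random_passphrase())
```

The arithmetic is the whole point: six characters from a 70-symbol set is under 37 bits and falls in seconds, while six words from a 7,776-word list is about 77 bits and takes hundreds of thousands of years at the same rate. A phrase that an attacker can find in a book has far less entropy than these formulas assume, because the attacker’s choices are “which sentence,” not “which word.”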
– USE A PASSWORD-MANAGEMENT SYSTEM. If a website asks you inane security questions designed to help you recover a lost password, don’t give them the correct answers: as the Palin case shows, the real answers are often a Google search away. Treat each answer as just another password, make it up, and store it in your password manager. Better still, don’t rely on these security questions at all.
Instead, use your own password-management system to take the pain out of remembering your passwords. These systems can even fill in the log-in fields on multiple websites for you.
A popular service is LastPass (www.lastpass.com), which stores your passwords centrally on an encrypted, cloud-based service. LastPass operates as a plug-in for a variety of browsers, including Firefox, Internet Explorer and Google Chrome.
When you sign up for an account on a website for the first time, LastPass will randomly generate a password for you with a long string of numbers, letters and other characters. It will then store the password and username or email for you when you submit these details to the new website.
The benefit of a service such as LastPass is that because the information is stored centrally, you can access it quickly on any computer with the necessary plug-in installed. This means you can easily swap between computers at work and at home, for example.
One thing to remember about your password management system: keep it safe. The password or passphrase used to log into your password-management system will be the most important of all, as it will grant access to all of your other passwords, making it the key to the kingdom. So, make it long and random enough not to be guessable. LastPass helps here by “salting” the master password, mixing in a value unique to your account before hashing it, and by running the hash many thousands of times over (“key stretching”). Salting makes a ready-made rainbow table useless, and stretching makes every guess cost the attacker far more time; neither rescues a master password that is itself on a cracking list, so choose it with care.
The other crucial point is not to leave your password-management system logged in all of the time. Set the system to not log in automatically when you start your browser.
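Salting and stretching, as an added example that is not LastPass’s code or the article’s: a generic server-side scheme using PBKDF2-HMAC-SHA256 from the Python standard library, with a fresh 16-byte salt per account and the salt and iteration count stored beside the derived key. The iteration count of 600,000 is an assumption in line with current OWASP guidance for PBKDF2-SHA256; the record format is invented for the example.

```python
import hashlib
import hmac
import secrets

# Work factor: assumption for the example, in line with current OWASP guidance
# for PBKDF2-HMAC-SHA256. Raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store algorithm, iteration count, salt and key so verification can recompute."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def same_password_shares_hash(password: str, iterations: int = ITERATIONS) -> bool:
    """Unsalted SHA-1 gives two users with one password the same hash; salting does not."""
    return hash_password(password, iterations) == hash_password(password, iterations)


if __name__ == "__main__":
    alice = hash_password("123456")
    bob = hash_password("123456")
    print("alice:", alice)
    print("bob:  ", bob)
    print("same stored value despite same password?", alice == bob)
    print("alice logs in with 123456:", verify_password("123456", alice))
    print("alice logs in with 654321:", verify_password("654321", alice))
```

Because every record carries its own salt, a table precomputed from “123456” matches nothing, and an attacker has to repeat the full 600,000-round computation for each guess against each account. Stretching does not make a weak password strong; it makes each guess expensive, which is why the master password still has to be a good one.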
No system is 100% secure, but a little foresight goes a long way. And if you must use your dog’s name, then rename him “u69gg%8.” It’ll sound quite catchy after a while.
© 2013 Investment Executive. All rights reserved.