The Insecurity of Password Security

October 7, 2009

Astonishing, Shocking, and Surprising

I have skimmed over several posts the past day-and-a-half detailing the apparently shocking statistics regarding the lack of thought and security we end-users put into conjuring up passwords. Gasp! Someone actually used 1234567 as a password?  Security consultants around the globe are printing these articles en masse, building their long-awaited nuclear arsenal of “I told you so”s and “I tried to warn you”s.

Maybe a better study would be: why people make their passwords so easy.

Passwords like 111111 and iloveyou are not proof that people are ignorant and apathetic when it comes to proper password security; we just don’t know and don’t care.  Take a moment and count…how many passwords are you supposed to remember on a daily basis?  Me?  In one short minute I could count 39 personal and 50 work-related passwords.

Want to know the code to someone’s ATM card?  Just ask them their voicemail password.

We just live hectic, noisy existences, incapable of remembering a special ten-character, mixed-case, symbol-included code for every unique thing we do in life.  We just don’t want to remember one more and when we are asked to, it makes us mad.  So we type something stupid like asdfjkl.  We have run out of ideas, depleted our creativity, and locked up our grey-matter RAM storage and have no room for one. more. password.

If the security world wants us to have ‘at least ten characters’, ‘at least one number’ and ‘at least one special character’, how in the world is the average user supposed to remember that safe, secure, special password for their email account, Facebook and Twitter, online banking, eBay, Washington Post and the New York Times, iTunes, Audible, XMRadio and Consumer Reports online, Del.Icio.us, Carbonite, DropBox and Instant Messenger client (for three different platforms), and on and on and on?  As we grow towards the cloud, both in business and our personal lives, the need for a true two-factor universal identity management system is crucial for electronic security.

Security Drives the In-Security

The only thing excessive password rules serve is to generate the most insecure tool of all password protection – the 3M Post-it Note.  What happens when ridiculous rules are applied to end-user password creation?  The users write them on the nearest Post-it Note and stick it to their monitor.

I ended up with sore abs last week laughing so hard when I dropped in on a colleague who was having some troubles with his machine.  And what to my wondering eyes did appear, but two 3M Post-it Notes with passwords to cheer:

[Photo: passwords]

No kidding, this guy had four, count them, four different passwords right there in plain sight stuck to his desk for the entire world to Xerox into their inner memory banks.

Oh wait, that’s right, you’re the type that would never dream of doing such a security-circumventing type of activity.  Instead, you place your sticky-note in the top right corner of your inside desk-drawer where no one would ever think to look – certainly not the after-hours cleaning crew trained in the art of kung-fu change pilfering from the tops of desk drawer organizers.

Or how about the Excel spreadsheet with all five hundred passwords you have ever created right there on your Windows XP desktop.  Labeled, not surprisingly, passwords.xls.

The Problem Defined

Herein lies my reproof of common password security rules:

  1. Make your password at least eight characters – I have no real issue with this, especially on a Windows network where LanMan is disabled.  If your reasoning for more than seven characters is because of the LM Hash vulnerabilities, then why not force the Windows passwords to be 15 characters?  Or better yet, try turning off LAN Manager.  I like this rule because I’m too lazy to try and guess much more than four or five characters.  After that, computers make the guessing easy.
  2. Add at least one number.  Really?  Just one?  And who, when their password gets rejected for this rule, doesn’t just add the number ‘1’ to the end of their recently rejected creation?
  3. Change your password at least every nn days.  And why exactly is this?  So that if the password is compromised, suddenly it will be different?  If the end-user finally remembered their password, now they could write a new one on a Post-it and stick it to their monitor?  Right, instead of rolltide1, I would never think to try rolltide2, or rolltide3.
  4. Add at least one special character.  This is the security/insecurity pièce de résistance.  For those not fluent in 1337 speak, this is the equivalent of the Ovaltine secret decoder ring Ralphie Parker used in Jean Shepherd’s 1983 film, A Christmas Story.  Instead of typing a ‘t’ you substitute the leet equivalent of ‘7’.  Instead of the letter ‘s’ you substitute ‘$’, and so on until ‘cromptonsucks’ ends up looking like ‘cR0Mp70N$uCks’.  What an ingenious scheme, for I never knew it was harder for a computer program to generate the letter ‘a’ than the symbol ‘@’.  And, of course, all of those extra symbols and wing-dings certainly would never drive us non-creatives to falter and reach for the nearest Post-it, lest we forget our super-secret creation.
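As an added example (not the post’s own code), here is a small Python check that turns the critique above into policy: it accepts exactly what the naive ‘8 characters, a digit, a symbol’ rule accepts, then undoes leet decoration and trailing digits before comparing against a word list and the user’s previous password. The LEET_MAP and DICTIONARY tables are constructed for the example, not taken from any real checker.

```python
import re
import string

# Leet substitutions the post describes, plus a few common ones.
# Assumption: this table and the dictionary below are constructed for the example.
LEET_MAP = {'0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't',
            '@': 'a', '$': 's', '!': 'i', '|': 'l'}
DICTIONARY = {'password', 'iloveyou', 'rolltide', 'harley', 'cromptonsucks',
              'princessleia'}

def naive_policy_passes(pw):
    """The composition rules the post criticises: 8+ chars, a digit, a symbol."""
    return (len(pw) >= 8 and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def normalize(pw):
    """Strip trailing digits/symbols, undo leet substitutions, lowercase."""
    stem = re.sub(r'[\d\W_]+$', '', pw)
    return ''.join(LEET_MAP.get(c, c) for c in stem).lower()

def looks_like_increment(old, new):
    """'rolltide1' -> 'rolltide2': same stem, only the trailing number changed."""
    stem_old, num_old = re.fullmatch(r'(.*?)(\d*)', old).groups()
    stem_new, num_new = re.fullmatch(r'(.*?)(\d*)', new).groups()
    return stem_old == stem_new and num_old != num_new

def evaluate(pw, previous=None):
    """Return the reasons a password is weak even when the naive rules accept it."""
    reasons = []
    if normalize(pw) in DICTIONARY:
        reasons.append('dictionary word under leet/trailing-digit decoration')
    if previous is not None:
        if looks_like_increment(previous, pw):
            reasons.append('previous password with the trailing number changed')
        elif normalize(previous) == normalize(pw):
            reasons.append('same base word as the previous password')
    return reasons

if __name__ == '__main__':
    # The post's own examples: the leet one passes the naive rules, the
    # acronym one is the only one with no complaint from the normalizing check.
    for pw, prev in [('cR0Mp70N$uCks', None), ('rolltide2', 'rolltide1'),
                     ('ta9pitss', None)]:
        print(pw, naive_policy_passes(pw), evaluate(pw, prev))
```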

A Solution

My proposal, if nothing more than to make the Security Elite cringe with disdain, is to create for yourself three passwords, using the following rules:

  1. Password 1: should be really easy to type and remember.  You would not mind sharing it with a close friend if you had to.
  2. Password 2: should be semi-difficult.  Try at least eight characters and add at least a number or two – and not the number 1 at the end!  Think of something no one would guess and you won’t forget.  Try an acronym like ‘There Are 9 Planets In The Solar System’ (oh shoot, that’s not right anymore?) and make it ‘ta9pitss’.  You get the point.  If you like to ride motorcycles, don’t make it harley1 or iloveprincessleia or something anyone who knows you would guess.  My take is most people are lazy like me and view password guessing about as entertaining as watching paint dry.
  3. Password 3: make this one difficult.  And long.  And add all the doofy security stuff.  Don’t ever give this one out.

Remember these three passwords and don’t write them down anywhere.  Now that you have your three stooges, put them to work:

  1. For the sites you really don’t care about and don’t hold any personal information, use your easy password.  Use your easy password for things like Facebook and Twitter.  Think about all of the not-really-big-deals you work with every day.  It’s probably not going to break you if someone hacks into your AIM account or steals your Consumer Reports online information.
  2. Use the next difficult password for those borderline sites.  Would it really hurt if someone hacked your Facebook account?  There should be no financial information and everything posted is known to the world anyway, or at least anyone that matters to you.  How about your Hotmail account?  You decide, but if you have a decent, medium-level password, your chances of getting hacked are slim and the ramifications of a hacked email account are normally not life-threatening.
  3. Save the third and most difficult password for the financially damaging tools.  Use it on your PayPal (and eBay since they are so close) account, online banking and investing.  Use it anywhere you have financial information stored.  You wouldn’t want someone to hack your Amazon account and start One-Clicking 60” plasmas to an alternate address, right?  And try not to store it in the ‘saved passwords’ section of your favorite browser, either.

Most importantly, be smart.  Watch where you surf and where you click.  If you don’t know what a phishing scam is, use the Internet and study up a bit.  Understand that a ‘Yes’-‘No’ box could easily read ‘Click Here for A Virus’ and ‘Click Here for a Virus, too’.  The programmers determine what the boxes say, not the browser.  And please, don’t write your passwords down.  On a Post-it Note.  And stick it on your desk!


OS X.6 Upgrade (Snow Leopard)

August 31, 2009

Normally I’m not an early adopter, but I just couldn’t resist the proposed speed enhancements of Apple’s new baby.  So just to see if it is worth the $29, I went ahead and loaded 10.6 (Snow Leopard) and recorded some [very unofficial] tests.

Conversion

Overall, the conversion was an exercise in simplicity.  Lots of published articles exist on how it works and how to upgrade, so all I can do is confirm – it really is that easy.  Pop in the DVD, answer a few questions, come back in less than 1 hour.  I have a mid-2008 MacBook Pro, 2.4 with the 8600M GT graphics card (256MB).  Total conversion time lasted just under 36 minutes.

When I was finished I went ahead and ran the daily, weekly, and monthly clean-up tasks to get any last-minute clean-up out of the way, then moved on to some benchmarking.

HDD Space

The first thing I was interested in was how much space I could reclaim.  While the available disk space was reported as a whopping 12GB gain…I’m not so sure how that happened?  Gina Trapani reported today it might just be an ‘accounting change’ (link to her post here), and I have to agree.  My ‘used’ disk space increased from 91.37GB to 93.54GB and yet I have 11.55GB more space?!  A closer look reveals the capacity of the HDD is now being reported as 199.71GB instead of the 185.99GB reported before.  So sad, and I thought the OS was actually 7GB smaller?

[Screenshot: Reported HDD Capacity]

Boot Time and General ‘Snappiness’

After I got OS X back up and running, I recorded a few times for some of the software I frequently use and timed the startup and shutdown of the machine.  Generally, the numbers came out the same: boot time was the same at 42.7 seconds; time to start Safari and to access my Gmail with all of the lab plug-ins was the same 5.3 seconds; it was actually quite a bit quicker to start a new Word 2008 document (14.6 versus 19.3 seconds) and, strangely, slightly slower with a fresh Excel 2008 spreadsheet (7.2 versus 7.0 seconds).  Also, I forgot to record times with Adobe CS3 products, but they seem to load quite a bit slower on start-up.

I have the 8600M GT GeForce graphics processor, which is compatible with OpenCL.  Since the new Quicktime X is supposed to use these new technologies, I thought I would render a short video with iMovie ’09 using Quicktime and see what the results were.  The two-minute video I chose did render 12% faster with a time of 4:38 versus 5:16 using Quicktime Pro in 10.5.

[Chart: time to render 2 min video in iMovie ’09]

Shutdown time increased by almost 40%.  Before I could move my hand off the keyboard the notebook was quiet and ready to travel.

[Chart: time to shutdown]

Final Thoughts

Overall, I believe most OS X users will be disappointed parting with their $29.  Why?  Because Apple users are accustomed to being blown-away by visual innovation every time Apple introduces something new.  No matter how many times Apple reminds us, this really is a refinement of the underpinnings.  I left the upgrade with a feeling of “okay…that’s it?”

If you use a lot of OS X features, you will notice a few subtle refinements that boost the overall polish of the operating system.  For example, if you use spaces, the movement from one workspace to the next now seems more fitting and smoother.  Stacks look and operate cleaner.  Four-finger track-pad gestures ROCK!  As a whole, the entire Mac experience also seems snappier.

Understanding that Snow Leopard paves the way for more architectural underpinnings (OpenCL, Grand Central Dispatch) that will make computers faster in the future, makes the $29 a little bit easier to cough up.  You’ve gotta start change somewhere, right?

One final thought: I noticed a comment on a public blog yesterday from a Windows sour-graper complaining about how Microsoft would have introduced this as a service pack and it would have been free.  When was the last time Microsoft REWROTE the core underpinning of the entire OS and gave it away as a service pack?  Oh wait, they did that in 2007 when they gave away Vista for $319.  At least the ‘upgrade’ to the Windows 7 service pack will only be $219.


Busted iPhone 3G

August 28, 2009

So I am at my niece’s birthday party last weekend and I get to talking about my new iPhone with my brother-in-law’s brother, Chris. Better yet, he is my wife’s sister’s husband’s brother, but that is another puzzle for another day.

Anyway, Chris whips out his old iPhone 3G and HOLY CRAP the face of it looks like it has been dropped face first onto the concrete and then slammed in the door of a car! Turns out, that is exactly what happened…

First, Chris tells me, he accidentally dropped it a couple of months ago face first onto the concrete pavement which cracked the upper corner. Then a few months later, he continues, he was driving with it in his lap. When he arrived at his destination, he had forgotten it was sitting in his lap and simply got out of the car. The phone fell and rested onto the door-sill, which turned out to be a beautiful thing, because otherwise it would have landed on the asphalt again!

He went to shut the door and the door would not shut properly because the seat belt was caught in the door (or so he thought). So he gave the door a couple more hard slams for good measure, when what to his wondering eyes should appear but an iPhone 3G getting beaten between the door like a four-year-old playing Whack-A-Mole.

He told me it still worked and then turned it on to show the proof. “Dang”, I said, “How do you run this thing without slicing the ends of your fingers off?” Remember, that’s glass Apple brags about in those displays, not some cheap plastic. This is the real deal that can make your prints untraceable like a James Bond movie.

So I whipped out my new 3GS and shot a video. Those are my precious fingers doing the demonstration, too. Only once though, that’s all the proof I needed. Hmmmm, maybe I will splurge for one of those fancy safety cases…