Tuesday, March 12, 2013

Security for Activists - passwords

I've been reading a lot lately about activists and their lack of knowledge about computer and on-line security is a little scary. Given the empire's long track record of attempting to suppress and silence activists (see the Wikipedia entry for COINTELPRO) it is imperative that those in the movement know how to protect themselves and prevent the status quo from disrupting us. To that end I am planning a series of blog posts about the tools and techniques we can use to protect our selfs and to try to prevent the empire from learning of our activities.   The first blog post will be about passwords.

Most computer systems and many web-sites require the user to have a password to go along with their login. While a password may not completely prevent a hacker from getting access to your information it is the first line of defense. A well-chosen and used password will stop most of the amateur. But just having a password is not enough, the password has to meet certain requirements in order to thought of as safe. Here are a few points

The password should be at least 6 characters in length. With each character added the password gets harder to crack. If a password is composed of all ASCII printable characters, thats 95, and the password is one character in length, the number of guesses a password cracking program has to make is 95. If the password is 3 characters in length the number of guess to crack the password is 857,375 (95 x 95 x 95 or 95 raised to the third power). So a 6 character password would require 735,091,890,625 guesses. There two points I am making here 1) the longer the password the harder to crack and 2) using mixed case characters, numbers and special characters makes it even harder to crack.

Use mixed case characters, numbers and special characters in your password. Again this makes the password harder to crack.

Never use an easily guessed password. Words like "sex", "money", "secret" and "password" are not passwords. Nor should the password be something about you like the city where you were born or your significant others name. A password should never be a word found in the dictionary. A common hacking technique is called a "Dictionary Attack".

A dictionary attack is system where the program that is attempting a break in will randomly pick a work from the dictionary, say the word cat, and will attempt to login to your account while changing the case of the letters like so; cat, Cat, cAt, caT, CAt, cAT, etc. if none of these combinations works the word is marked as tried and another word is randomly selected from the dictionary until either they successfully logged in or they have worked their way through the dictionary. A phrase or word with mixed case characters, numbers and special characters on the surface looks good but it contains words from the dictionary and it's just a matter of time.

One of the more secure password algorithms is what I call the "Name That Tune" algorithm. One picks a song, say "Take It Easy" by The Eagles, then one picks a phrase from that song, lets use "Standing on the corner in Winslow Arizona". Using the first letter of each word of the phrase the password would be "sotciwa". Not bad but we can make it harder to guess by changing the case of some letters and substituting numbers for letters like so, "s0tc1WA?". We have substituted a zero for a lower case o and a one for a lower case i. We have also made the letters w and a upper case and just for the hell of it tacked on a question mark.

The really beauty of the "Name That Tune" algorithm is that it's easy to remember, hard to crack and one can talk about the password without saying the password. For example, lets say we used the above example as the root password to a group of web servers. If someone who knew the password but forgot it (it happens) wanted to know what the password was all you would have to say is, "It's the Eagles song." You have just conveyed the password without saying it and even if someone knows the "Name That Tune" algorithm that don't know which song, which phrase and how the phrase was twisted.

Having a strong password is one thing it is quite another thing if used stupidly. Writing down your password is a bad idea, especially if it is written down in a place where it can be found. I've seen cases where a root password was written on a piece of paper that was taped to top of the monitor. Another bad idea is to use your password everywhere. One of the basic principles of security is compartmentalization, that is to keep things separate. One should be using different passwords for different accounts. Maybe not every account be every different class of accounts, one for social media, one for bank accounts, etc.

One last point, one should change your passwords every 3 to 6 months. The longer a password is in use the longer the hackers have to break into your account.