Complex Passwords
22/06/2012 4 Comments
Increasing numbers of Yahoo mail passwords appear to have been compromised; I don’t use Yahoo [although in a historically stupid move, I have multiple email addresses from multiple providers including hotmail, gmail, my ISP and my own domain ]. Anyway, I have been getting an increasing number of spam emails from friends and acquaintances with Yahoo accounts. Not from any other source. I have been multiply spammed from multiple yahoo accounts this year, but from no other provider. The conclusion I draw from this is that either Yahoo has had its password file compromised and the spammers are slowly working their way through it, or it has a significant hole in its security, or there is a focussed piece of malware out there harvesting Yahoo passwords.
Either way, I would strongly recommend that anybody who uses a Yahoo email go and change their password, make it computer-complex (i.e. long), write it on a Post-it and stick it next to your desk (at home – not in the office where everyone can read it)
WHAT! I hear you cry. Why do THAT! You’re mad! Well, no. Brute force attacks are rare, and they will generally use standard dictionary words. I hate to tell you, but hackers know you replace E with 3, A with 4 and L with 1. So your password of AFR1C4 it as much a dictionary word as AFRICA to a computer. [ If you want a really hard-to-crack, easy-to-remember password, I suggest you refer to this XKCD cartoon http://xkcd.com/936 ]
The likelihood is that your password will be compromised by malware and not brute force attacks, in which case it doesn’t matter how complex it is. The chance it will be compromised by a burglar looking in your desk drawer is very low indeed (although people with teenage children need to be a bit more cautious.)
And change your passwords occasionally – at least once a year. How many of you out there have 2 or 3 different passwords that they use everywhere? A (seemingly) complex one for your bank account and “password” for your forum accounts? And you have NEVER changed them as it would mean changing 200 accounts and it’s too much like hard work? Thought so. One day you will be pwned by the hackers.
Neil Chandler's DB Blog 
Hi Neil,
Agree with your comments – saw the same suggestion on QI a few weeks ago. I also blogged similarly the other day with reference to the LinkedIn password breach (http://help4security.com/blog/?p=46). The real problem users of any web service are facing is the increasingly large number of sites that they are using and the reliance on passwords to authenticate. Users are then left with the quandry of do they have different passwords for every site and how do they make them memorable but complex enough that dictionary attacks won’t compromise them. I was reading recently that even common ditloids are being put into dictionaries now so that option is becoming increasingly less secure. That combined with increased computational power and herd computing techniques involving rented out botnets makes the common password increasingly less suitable as a method of authentication! We definitely need an alternative but do we really want to be walking around with dozens of 2FA tokens attached to our keyrings….and then how do you remember which is which without writing on them ….. I expect eventually we’ll have to move to a trusted authentication provider and also start to provide levels of access based upon trust level of the computer or device you are accessing from.
LikeLike
Site-based ditloids are effective in keeping each site password unique. Websites using an encrypt-only hash with appropriate seeding would help with this as you would be impossible to decrypt. Still doesn’t get around the malware problem though. I don’t want 100 2FA devices. I have 2 and that’s enough. It’s thorny but we need to help ourselves. My intention is to have a harder password than the next man. It’s like being chased by lions – you don’t need to be faster than the lion, just faster than the man next to you [ or able to trip him up if you’re not 🙂 ]
LikeLike
I’ve adopted an approach of using anchors in the URL name to modify a standard password string depending on the site I’m visiting. Without going into specific detail. my password for http://www.abcd.com would be (ab)myStand@rdpassw0rd$tring(cd) for example. Obviously you have to modify the (ab) and (cd) but you can do that using something you’ll usually have on your person; an app, a paper chart or even something as simple as a jpeg of an old 80s computer keyboard can serve as a visual shifter.
Incidentally http://howsecureismypassword.net/ is a lot of fun (I’d check it’s still completely local js though, it was last time I checked).
LikeLike
That’s effectively a personal variation on ditloids, and its going to be a heck of a lot more secure. It still gives in easily to a trojan, but at least you’re only losing one site.
LikeLike