Passwords! It’s time to get serious!

As much as I hate to write this article, I think it’s worth writing and I hope everyone will help share it with others.  I have to admit, however, that it’s a bit embarrassing though since it happened to me, a 28 year computer software developing veteran.  But it did and I am about to tell you how to avoid the same careless mistake.

There I was minding my own business.  I was responding to some ads on the various job/project sites I frequently go to.  I sent out a bunch of resumes and proposals just like I always do.  On my resume and literature that I send out to prospects, I use a Google voice phone number  in Austin, Texas.

I’ve been using this number for years, but I rarely (as in practically never) login to that particular Google email (gmail) account.  I setup the phone number years ago and have it forwarded to my home and cell phone.  There is no reason for me to login per se.  When someone calls my Austin number, it rings me just like if they called my Missouri number.

In the course of sending out resumes and proposals over the past week or so, one person in particular wrote back to me.  He wanted me to help with a little project that he had big dreams for but didn’t have the funds to develop.  I politely declined his offer of a partnership and frankly, went on about my way.

He then became pretty ugly in the emails that followed.  Isn’t it funny how people feel all big and tough hiding behind their keyboard?  But that’s a story for a different day.

I responded with a terse, “Listen fella, I wish you well, but I only fly with the big boys so I’m not interested really.”  That was a direct quote from me actually.

What happened next was an absolute first for me.  I received a text message on that Austin number telling me that he had my password for my email account and the email accounts of my family (specifically my youngest son’s email account).   I thought to myself, what an idiot!  But I wasn’t too worried.  This ass-clown was/is clearly off his friggin rocker.  Such is the way of the internet, huh?

Since our little exchange two days ago, I have heard nothing from this waste of protoplasm.  Then today…. my son gets a text message from my Austin number.  The only way this could happen was if someone had indeed hacked my account.

Sure enough!  Someone had indeed hacked the password.  He wasn’t real bright though.  He could have easily changed the password or the email address associated with the password reset feature.  He didn’t change either.  He simply hacked the password, logged in and then proceeded to send a flaming email to the one and only contact record I had in that account… my son.

Here’s where the guy really messed up.   Google keeps track of every IP number used to login to each account.  The IP address clearly comes back to an ISP located in Abilene Texas called http://www.wtconnect.com/  With such a small ISP it would be child’s play to get the user logs of this guy.  I’m guessing he lives in a remote area and his only choice is this particular little ISP.  It would be a shame if this wanker had his account shut off, don’t ya think?  Next time he should probably take the time to drive into town and use a wifi hotspot or something.  But, like I said originally, he’s not exactly a big dog in the internet world.  LOL  (yep… this whole paragraph was just to push his button!)

So, how did he get in? How did he hack my password?   The answer is simple… I WAS STUPID!  When I created this account, I did it in a hurry.  I used  simple password and never got around to changing it in the two years since I created it.  It’s not that this twit was an expert or anything.  He probably downloaded some password hacker tool and let it run.  It did the job because I failed to do mine!

How could things have been different?

I should have used a stronger password.  I preach and I preach time and time again about this very subject, but I let my guard down and I got burnt.  Luckily it wasn’t much of a burn, but it sure as heck could have been had the attacker been more on his toes and I wouldn’t have had anybody to blame but myself!

In general, the strongest passwords are sufficiently long, randomly generated and contain no words in any language. Most others are weak because of the cracking methods programmed into password cracking tools.

The three main methods used are:

Weak password attack
Common password weaknesses are exploited, such as blank passwords, the word ‘password’, the users’ login names, names of your children, your birthdate or any other information the cracker may know about you, the user.

Dictionary attack
Word lists from various sources, including dictionaries, foreign language and slang lists, are tried.  Never use a word that can be found in a dictionary.  THIS IS WHAT GOT ME!

Brute-force attack
Every possible character combination is used until a match is found.   When all else fails, cracking software will resort to brute-force methods and sufficient password length becomes critical. Given enough time, your password will be cracked. This is the best you can hope for! If someone wants your password, given enough time and the right software, it’s almost a sure bet that they will get it.

Finding a scheme, that the hackers haven’t already thought of,  to remember your password is next to impossible. Their tools nearly always start with the most basic approach: the dictionary attack.  After trying variants of every word in the dictionary, combinations are tried. They basically put two words together, such as “snowcar”? This one is trivial to hack by the way.

Next they will try including a number like “snowcar4” That one will keep the cracker busy a bit longer, but again, not long enough. Spell it backwards? Nope, still trivial. Foreign word? Wrong again!  Add a punctuation character?  Nope!  Still not good enough.

Most people would be surprised to learn that their password had been cracked. Yet many large site administrators crack several passwords per day while performing routine security audits. If the good guys can discover your password — and they will tell you to change it, of course — think about what the bad guys might have discovered!

Always use strong passwords and change them often!

Here are some tips for choosing your password.

Do not use:

  • your first name, last name, or login name, in any form
  • consecutive or repetitive numbers or letters such as 12345678 or AAAAAAAA
  • adjacent keyboard letters such as qwerty or asdfghjk
  • common and obvious letter-number replacements (e.g. replace the letter O with number 0 or the letter S with a dollar sign)
  • easily guessed personal information such as names and dates of yourself, family members, pets and close acquaintances
  • easily obtained information, such as: address, license plate numbers, telephone numbers, credit card or ATM numbers, Social Security numbers
  • email addresses
  • dictionary words, in any language, forward and backward
  • popular book titles, movie titles, or phrases
  • short passwords

Use Strong Passwords

  • a strong mnemonic passphrase (easy for you to remember, without writing it down, but hard for others to guess)  e.g.  “It helps to use a rhyme or mnemonic.”  The previous sentence could represent the reasonably strong password, “Ih2uar0m.”
  • at least eight characters long
  • a combination of upper and lower case letters, numbers, punctuation and other symbols
  • quick to type, in case anyone is peering over your shoulder

Secure Your Passwords

  • Never write down passwords.
  • Unfortunately, the most secure passwords are very hard to remember. Try to come up with a mnemonic
  • Learn the key pattern when typing your password.  Most people can learn any random password in about a week of daily use
  • If you must write it down, disguise it and keep it in a safe place (as with a credit card).
  • Never share your password with anyone. Protect all passwords as you would protect your bank PIN.
  • Never store passwords unencrypted on your computer. Password management software is great for managing many passwords, but take great care to protect access to your password database with a strong password, access card or USB key! (Or better, a combination of these).
  • Never type your password when anyone is standing nearby.
  • Beware of phishing scams.
  • Change your password frequently.
  • Never use the same password in many places, especially online!

 

I hope this has helped you think about some things to do to become more secure online and yep… you can say it now… “Vern is a dumb ass for not following his own advice!”  LOL

 

Comments

comments

3 thoughts on “Passwords! It’s time to get serious!

  1. I found this very interesting and helpful. I’ve never been hacked (at least I don’t think I have) but I will definitely keep all this in mind. My problem is that when I set my computer up with parental control just recently, I inadvertently locked myself out!! I either put in a password that I’ll never remember (although my hint tells me I should know it) or I mistyped it when I set it up. Never ever set up a password after several beers!!! Any suggestions on how I can get back into my own computer?? SMH! 🙁

Leave a Reply