Adobe – Cracked!

The Adobe security is making ripples that are building up into a venerable Tsunami. Some hackers now claim to have cracked some of the stolen passwords. While they admit that they have no way of verifying their data, it’s still reason for concern as it could potentially affect hundreds of thousands of users – not so much because Adobe bunked it up, but because it reveals the laziness of some of those users:

Passwords

Yepp, it’s inevitable that these kinds of passwords are easy to crack. You could sit a 6 year old in front of the computer and he’d find them just by trying out random combinations based on his limited knowledge of letters and numbers. I think it’s time to talk about password security…

Let me preface this by expressly saying that nobody is immune to getting hacked, no matter what security measures are in place, but there are a few simple things you can do to make it quite a bit harder. That is of course assuming your service provider (in this case Adobe) does his homework and you can actually implement smart passwords. If e.g. your passwords are stored as plain text or with only simplistic keys or server admin passwords, the most sneaky combination of characters you can come up with is worthless. What is the key to success then? The magic word of the day is “password complexity”. At first glance this doesn’t really mean much, so let’s see what it takes.

  • Passwords and pass codes should have a certain length. Yes, it may be annoying and seem unnecessary to say this, but a 12 digit code is much harder to crack than just 4 numbers. I’m actually one of those people who find it disconcerting when bank cards only have 4 numbers. Longer is better.
  • Where it’s relevant and technically possible, mix letters and numbers. An evil cracking algorithm may be able to cycle through 0-9 with relative ease, but cycling through another 26 letters will be more difficult. The least it does is cost the hacker more time and increasing his electricity bill.
  • When you use letters, vary their writing – only using small letters is just as bad as only using caps. “Rollercoaster” passwords with alternating upper and lower case letters may look odd, but since different letters mean different binary codes, it’s already making life more difficult for the evil ones.
  • To further make things difficult, use special characters. Contrary to common belief it is not necessary to clutter up your entire password. One or two such characters can already make a difference. The important part is to place them strategically so they break the password in separate chunks that by themselves don’t make much sense as words and a cracking algorithm would not be able to compare them against his database (dictionary attacks). Unfortunately many websites still do not allow certain special characters, the reason being that certain characters have special meaning in programming languages like PHP and JavaScript and without extensive extra processing and security measures could themselves become security risks.
  • Never use sequential combinations or repeating patterns like many of the examples illustrated above. As already mentioned, your own baby toddler could accidentally hack them in by just stroking keys on your keyboard.
  • Likewise, don’t use “standard passwords” that your grandma could guess because she knows you so well. That also includes birthdays, your own name, names of your loved ones, your favorite artist, favorite TV series and so on. It’s far too easy these days to look up such stuff on Facebook or other sites.
  • Use different passwords on different sites. You wouldn’t want someone to take over your whole life just because you used the same code everywhere.
  • Build a safe network of trusted sign-ins and e-mail accounts, where one account can act as a fallback for another. Don’t use the same e-mail address you sign up with for newsletters, surveys or giveaways for critical stuff. That way you can already differentiate and keep things relatively tidy.

All of the above may sound like stating the obvious, but one can’t repeat it often enough. While we’re at it, also let’s do some myth busting.

  • Random character combinations are not better than human-readable ones as long as the criteria described in the previous paragraph are adhered to. A password can mean something as long as you are the only one who understands this special meaning. A password that you can remember well and type without breaking your fingers will also aid accessing your accounts from other locations.
  • Because of the previous point, automated password generators and those little widgets that tell you the “strength” of your pass phrase do not necessarily mean much. In fact those could be considered a security risk themselves by lulling the user into a sense of false security that may not exist. If the algorithms used for this are faulty, you may end up with something that’s easier to crack then something you could have made up yourself.
  • Two-factor authentication/ 2-step sign-ins using secondary e-mail verification and your mobile phone are a great thing – until your phone is lost/ defective/ outdated/ being replaced or you forget the access data for the e-mail account and trying to access your account without that info drives you mad in endless loops on some support phone line. That and of course it does you no good if those secondary means are not secure themselves or your base password is weak. So when using such stuff, make sure the “closed loop” rule is obeyed. Also carefully judge where you actually need such extra security or typing in additional security codes may spoil using social media and other services.
  • There is no shame in writing down passwords and codes – on a piece of paper in your own handwriting and stashed in a place away from your bank cards and electronic gadgets. Having “bad” handwriting will make it difficult for most people to guess what it could mean and when you lose the paper note, it means nothing to someone else. This is under the condition that you only wrote down the numbers and passwords, but not actually “My credit card PIN is…” or something like that. If it’s just a list, only you know that this may be the second number from the top or bottom. You could even be totally devious and fill in random numbers just so the entire page is full.
  • Password/ account managers promise to take the burden off your shoulder and while this may be a technically adequate way to manage lots of accounts and their data, it still suffers from the basic problem: Without a strong master password someone could find your smartphone, unlock the safe storage and still have access to all your information.

In the end, the responsibility is still yours, but maybe you can at least try and avoid some of the glaring issues in the cracked password list and do better.

Advertisements
%d bloggers like this: