• Lessons learned from the Stratfor files




    IN THE WILD

    Lessons learned from the Stratfor files

    By Robert Vamosi

    Creating truly secure passwords can be difficult — at least for some security professionals, it seems.

    A recent data breach at the private intelligence firm Stratfor revealed some all-too-common password weaknesses. Here’s how to strengthen your own.


    The full text of this column is posted at WindowsSecrets.com/in-the-wild/lessons-learned-from-the-Stratfor-files (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


    • #1314994

      You should include LastPass in your list of password managers. It’s a great product and is free.

      • #1315026

        Typically, we enter a password and it’s then converted. But then the password itself and the converted form are in memory. Can’t a clever hacker pick that out of memory?

        If we have a password manager open and presumably in memory, what keeps a hacker from picking all your passwords out of memory?

        And isn’t a password manager pretty easy for the programmers/analysts/managers who wrote the password manager to break into? Disgruntled ex-employees from a password manager would seem to be a threat also?

        • #1315058

          Typically, we enter a password and it’s then converted. But then the password itself and the converted form are in memory. Can’t a clever hacker pick that out of memory?

          If we have a password manager open and presumably in memory, what keeps a hacker from picking all your passwords out of memory?

          And isn’t a password manager pretty easy for the programmers/analysts/managers who wrote the password manager to break into? Disgruntled ex-employees from a password manager would seem to be a threat also?

          Technically, that would be incredibly difficult. The hacker would have to be sitting right there at the computer, and even then, it would not be easy. And transmission over the network or the Internet is encrypted end to end, so that is a minimal risk as well.

          Update: I was wrong about Internet transmissions of passwords. By default, they are NOT encrypted nor hashed. This should be remembered by all Internet users. The only exceptions are the secure logins at bank sites and financial web sites, among a very few others. Something to remember whenever we go to web sites which do not use secure logins.

          -- rc primak

          • #1315077

            I would be interested to know the author’s opinion of Roboform. I’ve been using it for years & really like it & now have the newer “Roboform Everywhere” version. But are there any issues to be aware of?
            Thanks in advance,
            Alan Salls
            Temecula, CA

            • #1315129

              I have a couple of passwords for important sites with readme files that give the password, albeit in a form that only my wife might know. It uses information that only we remember. For example, the readme file might say, “Harry’s youngest child+Joe’s birthday+Anne’s middle name+address number in Chicago.”

              This would give the password to me, which might be “charles072391sally40811”. So there is no need to remember the password itself.

              John Porter
              Newark, CA

            • #1318459

              I have a couple of passwords for important sites with readme files that give the password, albeit in a form that only my wife might know. It uses information that only we remember. For example, the readme file might say, “Harry’s youngest child+Joe’s birthday+Anne’s middle name+address number in Chicago.”

              This would give the password to me, which might be “charles072391sally40811”. So there is no need to remember the password itself.

              John Porter
              Newark, CA

              That method is very insecure. It would take only a little knowledge of you and your family (which can be obtained over the Internet in minutes) to allow an attacker to guess the password(s). The “ReadMe” File screams “password information inside” and would be the first target of any hacker or malicious program. Using ANY personal information which can be obtained from public sources as the basis for a password is very insecure. You are not nearly as clever as the hackers.

              And this is a central problem with traditional passwords. If we can remember them, they are probably not complex enough nor long enough to be strong passwords. If they are strong passwords, they are meaningless to us or anyone else, and therefore very difficult to remember. Password managers help with this problem, but most folks just write down passwords or keep them in unencrypted files — or even in web mail messages. What is needed is what Windows 8 is pointing towards — a totally new way of creating and using strong logins which are easy to remember for most folks.

              Gestures and pictures may offer a path towards the ultimate goal of secure login schemes which users can remember. The central idea is to have two parts to each login. Part one is something stored at the site which is known to the user but not to an attacker. That might be a photo with many points of interest. The second part is a biometric gesture, such as an actual handwriting sample which few attackers could successfully duplicate in a limited time and a limited number of tries. Specific gestures are applied to pre-determined areas of the photo in a pre-determined sequence, known to the user and the web site, but not to anyone else. The photo and the gestures are to be changed periodically. (Signatures would probably not be the best example of a biometric gesture, as they are not changed periodically.)

              Most folks remember learned motor patterns (gestures) far better than we remember truly strong passwords. And we remember photos and faces very well indeed. Blind people recognize voices or music passages very well, and can usually do gestures just as well as sighted people. So the Windows 8 picture-gesture login scheme may point the way toward where web developers should be going with logins. (Yes, I am aware that the current Windows 8 implementation of this scheme leaves much to be desired. It should be improved over time, as more users start experimenting with this login scheme.) Password managers, good as they are, are only a stopgap measure, and will in the end fail to protect us.

              But for now, finding the best password manager we can get seems to me to be a good strategy, and the article was very useful in this regard. The best password managers are at present very safe, reasonably reliable, and do offer good security for our passwords. They are not perfect, but they are the best measure I have seen yet, short of an overhaul of how we log in to web sites, such as the proposal I described above.

              -- rc primak

          • #1315246

            And transmission over the network or the Internet is encrypted end to end, so that is a minimal risk as well.

            Are you referring here only to banking/credit sites with secure login pages using https? Not sites like this one which do not have end to end encryption for passwords?

            Bruce

            • #1316965

              Are you referring here only to banking/credit sites with secure login pages using https? Not sites like this one which do not have end to end encryption for passwords?

              Bruce

              Actually, even on this site and others where page content is not secured, the passwords are hashed.

              Update: It turns out, they are not. Lounge members take note of this.

              -- rc primak

            • #1316973

              Actually, even on this site and others where page content is not secured, the passwords are hashed.

              That’s not encrypted transmission end-to-end though, as in your generalization, is it? No hashed password my end or inbetween?

              Bruce

            • #1317140

              That’s not encrypted transmission end-to-end though, as in your generalization, is it? No hashed password my end or inbetween?

              Bruce

              I believe the transmission of passwords at this site actually goes through a secure web page, even though the remainder of the page is not encrypted. When I am asked to log in to The Lounge, I am redirected to a Secure Page, with the Lock Icon and https, indicating SSL security. Am I wrong about this? If so, the site needs an upgrade.

              Update: In light of BruceR’s next post, I have real questions as to whether this site is using proper password and log in security.

              -- rc primak

            • #1317149

              I believe the transmission of passwords at this site actually goes through a secure web page, even though the remainder of the page is not encrypted. When I am asked to log in to The Lounge, I am redirected to a Secure Page, with the Lock Icon and https, indicating SSL security. Am I wrong about this? If so, the site needs an upgrade.

              Could you give me the URL of the secure page with lock icon and https for this site?

              (PLEASE don’t say that providing me with that here would be a breach of security!)

              Bruce

            • #1318356

              Could you give me the URL of the secure page with lock icon and https for this site?

              (PLEASE don’t say that providing me with that here would be a breach of security!)

              Bruce

              That page flashes past so fast I cannot capture it. And I think that is what is supposed to happen.

              BUT…
              You may be right that this forum is not using proper security for log ins. I had never considered that possibility.

              Maybe one of the Lounge Administrators can answer the question — does Windows Secrets Lounge employ security measures when members log in and enter our passwords? I am not asking about specific details, just a general statement from the site’s operators.

              Just making a general statement about site security should not be a breach of security. I am really curious now as to what the answer really is.

              -- rc primak

        • #1318405

          Typically, we enter a password and it’s then converted. But then the password itself and the converted form are in memory. Can’t a clever hacker pick that out of memory?

          If we have a password manager open and presumably in memory, what keeps a hacker from picking all your passwords out of memory?

          And isn’t a password manager pretty easy for the programmers/analysts/managers who wrote the password manager to break into? Disgruntled ex-employees from a password manager would seem to be a threat also?

          I guess I worded that wrong. I was looking at an Internet session where we are repetitively accessing a password keeper and how safe that situation would be. So we log in to one site, the password keeper is read into memory, we access one secure site and then another and … At the first access to a secure site, a password keeper is read into memory. Subsequent access to other sites would find the password keeper is still in memory. This might go on for hours. What prevents a hacker from having his code lurking around trying to see a password keeper in memory? And then when something that looks like a password keeper is found, just send that file’s buffer area to the hacker. In other words, the password keeper remains in memory until we close Internet access. And that gives our hacker the ability to possibly find our password keeper in memory waiting for a next access.

          If I didn’t make better sense this time, let me try a few more cracks at it. The other responses to my question were all valuable and address the original article in WS. And I appreciate them because they all do address passwords and things to consider.

          Thanks to all

          • #1318455

            I guess I worded that wrong. I was looking at an Internet session where we are repetitively accessing a password keeper and how safe that situation would be. So we log in to one site, the password keeper is read into memory, we access one secure site and then another and … At the first access to a secure site, a password keeper is read into memory. Subsequent access to other sites would find the password keeper is still in memory. This might go on for hours. What prevents a hacker from having his code lurking around trying to see a password keeper in memory? And then when something that looks like a password keeper is found, just send that file’s buffer area to the hacker. In other words, the password keeper remains in memory until we close Internet access. And that gives our hacker the ability to possibly find our password keeper in memory waiting for a next access.

            If I didn’t make better sense this time, let me try a few more cracks at it. The other responses to my question were all valuable and address the original article in WS. And I appreciate them because they all do address passwords and things to consider.

            Thanks to all

            All password managers do use hashes and other encryption whenever they are active on the local computer. Hacking or extracting passwords which are protected in these ways from the local computer’s hard drive or from RAM would be a very intense technological challenge, and the hacker would probably have to be sitting at your keyboard to accomplish the task. Password managers have an excellent reputation, and they are very safe to use, even if you leave them open for extended periods while connected to the Internet. No unencrypted passwords are ever revealed by any good password manager.

            What BruceR and I pointed out was that password transmission over the Internet is not encrypted by default. The passwords themselves may or may not be encrypted when they are sent and received at the web site’s login page. As we have discovered, the Lounge does not use secure logins. Banks and financial web sites usually do use secure logins. Obviously, the security requirements of a site dictate whether or not a secure login is necessary. At the Lounge, which is a public forum, a secure login is not necessary. None of this changes the behavior of any password manager.

            Thanks, Deadeye, for the information about the Lounge login. And thanks, BruceR for raising the question of login security at the Lounge. It needed to be mentioned at least once.

            -- rc primak

    • #1315028

      Gee, how can you mention password managers and not have RoboForm there at the top? It’s secure, inexpensive, multi-platform, and WORKS!

    • #1315178

      I know this is just a comic,
      http://xkcd.com/936/
      but the guy who drew it apparently knows what he’s talking about —
      http://www.zdnet.com/blog/networking/cartoon-makes-better-password-point-than-many-security-experts/1340
      He also clarifies a few things in a reply to many posters, about 1/2 way down this forum,
      http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so

      st00b!ed00d

    • #1315186
      • #1315245

        I’ve become convinced that I need unique passwords at each important site, and that means I need a tool to track them for me — my memory is not good enough to deal with five complex passwords, never mind the fifty or so I actually need. Two questions:

        1. There seem to be at least three tools for remembering passwords and filling in other form information: Roboform, 1Password, and Lastpass. I’d be very interested in a comparison between them, both for convenience and for security. What risks am I exposed to if *they* have a security breach? What platforms do they support well? (For example, I’m currently a RoboHelp user — reasonably satisfied, but unsure as to the actual security it provides — but it is really pretty useless on an iPad, since it can’t integrate with the browser.)

        2. A related question: What is good practice with password-recovery questions, “Name of 1st school”, etc. It seems to me that going without them means a significant risk of losing control of a login if you forget the password, but aren’t these questions, in effect, extra passwords that are particularly easily guessed?

    • #1315242

      First of all let me state that I do believe in good passwords with different ones for different logins. What has always bothered me though is how password crackers work since most systems that I have used lock you out after 3 to 5 wrong tries and you don’t need that secure of a password to be safe for only 5 tries. What am I missing?

      • #1321073

        I have the same question as delduc. Can somebody address it? I realize that this may be a rookie question, but then the answer should be simple :^)

        Let’s hear from you!

        First of all let me state that I do believe in good passwords with different ones for different logins. What has always bothered me though is how password crackers work since most systems that I have used lock you out after 3 to 5 wrong tries and you don’t need that secure of a password to be safe for only 5 tries. What am I missing?

        • #1321314

          First of all let me state that I do believe in good passwords with different ones for different logins. What has always bothered me though is how password crackers work since most systems that I have used lock you out after 3 to 5 wrong tries and you don’t need that secure of a password to be safe for only 5 tries. What am I missing?

          I have the same question as delduc. Can somebody address it? I realize that this may be a rookie question, but then the answer should be simple :^)

          Let’s hear from you!

          The vast majority of publicized hacking/cracking incidents do not involve passwords being cracked whilst online to a system which can lock out after incorrect attempts. Instead, they involve theft of encrypted password files from sites; the password cracking can then be accomplished offline with no lockout protection, before returning to use passwords.

          According to the article which started this thread, the hackers took nearly a month to crack potentially thousands of passwords in stolen files before returning to create havoc:

          According to various sources, the hackers broke into Stratfor in early December 2011 and acquired company e-mails and customer account information. They returned Christmas Eve to publicize the break-in on Stratfor’s own homepage and then cripple the company’s servers.

          Bruce
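          The distinction Bruce draws above, shown in code. This is an added example, not from the column or from anyone in this thread: the accounts, passwords, wordlist and family details are constructed for illustration, and the storage scheme (unsalted MD5) is assumed here because it is a common weak choice, not a statement about what Stratfor used. The same guess list is sent once through a login form that locks after five failures and once against a copy of the stolen hash table.

```python
"""Why a lockout after five wrong tries does not stop a cracker who has the hash file.

Added example; constructed data throughout. Unsalted MD5 storage is an assumption.
"""
import hashlib
import itertools
import os
import time

LOCKOUT_AFTER = 5  # failed attempts before the online account is locked


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


# Constructed accounts. The plaintexts exist only so the "stolen" table can be built.
PASSWORDS = {
    "alice": "letmein1",
    "bob": "charles072391sally40811",          # the "family facts" recipe from the thread
    "carol": "correct horse battery staple",   # long passphrase; in none of the lists below
}
STOLEN_TABLE = {user: md5_hex(pw) for user, pw in PASSWORDS.items()}

# Constructed guess sources: a tiny wordlist, then name/date/number combinations
# of the kind anyone could assemble from public information about a family.
WORDLIST = ["123456", "password", "qwerty", "stratfor", "letmein", "letmein1", "welcome"]
NAMES = ["charles", "sally", "harry", "anne"]
DATES = ["072391", "112281"]
NUMBERS = ["40811", "1234"]


def family_guesses(names=NAMES, dates=DATES, numbers=NUMBERS):
    """'name + date + name + number' candidates built from public facts."""
    for a, d, b, n in itertools.product(names, dates, names, numbers):
        yield f"{a}{d}{b}{n}"


class OnlineLogin:
    """A login endpoint that locks an account after LOCKOUT_AFTER failures."""

    def __init__(self, table):
        self.table = table
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password):
        if user in self.locked:
            return "locked"
        if md5_hex(password) == self.table[user]:
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_AFTER:
            self.locked.add(user)
        return "fail"


def online_attack(site, user, guesses):
    """Guess through the login form. Returns (outcome, number of guesses sent)."""
    guesses = list(guesses)
    for n, guess in enumerate(guesses, 1):
        outcome = site.attempt(user, guess)
        if outcome != "fail":
            return outcome, n
    return "exhausted", len(guesses)


def offline_attack(table, guesses):
    """Guess against the stolen table: no lockout, no network round trip, and
    each hash computed is compared against every account at once."""
    by_hash = {h: user for user, h in table.items()}
    cracked = {}
    for n, guess in enumerate(guesses, 1):
        user = by_hash.get(md5_hex(guess))
        if user is not None and user not in cracked:
            cracked[user] = (guess, n)
    return cracked


def md5_guesses_per_pbkdf2(iterations=100_000, sample="letmein1"):
    """How many unsalted MD5 guesses fit in the time of one salted PBKDF2 guess.
    A large ratio is the reason sites should store slow, salted hashes."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", sample.encode(), salt, iterations)
    slow = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(10_000):
        md5_hex(sample)
    fast = (time.perf_counter() - t0) / 10_000
    return slow / fast


if __name__ == "__main__":
    guesses = WORDLIST + list(family_guesses())
    print("online :", online_attack(OnlineLogin(STOLEN_TABLE), "alice", guesses))
    print("offline:", offline_attack(STOLEN_TABLE, guesses))
    print("MD5 guesses per PBKDF2 guess: %.0f" % md5_guesses_per_pbkdf2())
```

          Run as written, the online attack on alice stops at the sixth guess with the account locked, one guess short of the right password; the offline attack against the same table recovers alice on the sixth guess and bob on the tenth, and the lockout counter never comes into play. carol's long passphrase survives only because it is in none of the lists, which is the length point made later in this thread. The last function shows the other half of the lesson for site operators: with a salted, iterated hash each offline guess costs the attacker tens of thousands of times more work than an unsalted MD5 guess.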

          • #1321346

            Well that makes sense! Thanks for the response.
            Andrew

    • #1315250

      So the first element listed by Microsoft for passwords was length, but then that wasn’t really explained. In research I’ve done before, supposedly ALL of the “known” password cracking software programs that are out there will crash once around 14-15 characters is exceeded. So if I use a pass phrase with say 20-25 characters (or 26 in the case of my Windows password), they then should be uncrackable? This seems to be true when trying that length of password on one of several password strength testing sites; therefore can those sites really be trusted as being a true test of password strength?

      • #1316966

        So the first element listed by Microsoft for passwords was length, but then that wasn’t really explained. In research I’ve done before, supposedly ALL of the “known” password cracking software programs that are out there will crash once around 14-15 characters is exceeded. So if I use a pass phrase with say 20-25 characters (or 26 in the case of my Windows password), they then should be uncrackable? This seems to be true when trying that length of password on one of several password strength testing sites; therefore can those sites really be trusted as being a true test of password strength?

        There are security researchers who agree with you on this point. See THIS article by Roger A. Grimes of Infoworld Security Watch.

        -- rc primak

    • #1315255

      I’ve always wondered how you know if your password managing software is, or is not, sending all the info you enter into it off to destinations unknown!
      :confused:

    • #1318374

      Hello Bobprimak and BruceR,

      There is no secure log in for the Lounge. The only secure connection for the Windows Secrets site is for payment of the Newsletter subscription. There is no compelling reason to have a secure log in to the Forums.

      • #1318454

        Hello Bobprimak and BruceR,

        There is no secure log in for the Lounge. The only secure connection for the Windows Secrets site is for payment of the Newsletter subscription. There is no compelling reason to have a secure log in to the Forums.

        I don’t keep personal information in my profile and I do not use the Lounge Private Messaging services. So in my case, you are absolutely correct. But I think Lounge members who have been loading their profiles with personal information, and have been using the Lounge’s Private Messaging services should bear in mind that there are no secure web pages nor secure service in the Lounge, and logins are not Secure Logins. I was not aware of this when I joined. No harm done, but it would have been nice to know about this from the beginning.

        -- rc primak

    • #1319213

      I use six browsers. My antimalware suite’s password manager supports Internet Explorer and Firefox; I use Bruce Schneier’s Password Safe for the other browsers, although I wonder if I could just use the browser’s password manager. I will ask the antimalware suite maker to support SeaMonkey, K-Meleon, and Google Chrome. It’s too early in its development to include Webian Shell in that request.

      So far, knock virtual wood, I have not had any passwords compromised, I believe.

      I use passwords and passphrases, but when time comes to change them (30 days for banking, 45 days other sensitive sites, and 90 days for most sites) I use passphrases. Even though I use password managers, I discover that I remember several dozen passphrases.
