Passwords: Sharks Can Smell a Breach a Mile Away

image

2013 is not shaping up to be a banner year for Internet security. 2012 saw data breaches like 6.5 million LinkedIn password hashes leaked, 420,000 member accounts from social network Formspring, Yahoo! Voices more than 400,000 usernames and passwords, 1.5 million passwords from the online dating site eHarmony. Twitter is the latest system to suffer an embarrassing security breach with accompanying data loss. Approximately 250,000 accounts holders have had their usernames, email addresses, session tokens and encrypted/salted versions of passwords stolen. Twitter has been as proactive as possible it seems. They updated the passwords for all effected accounts, revoked session tokens and emailed the users. I find the tone of the official statement from Twitter interesting. They are quick to point out similarly compromised organizations, most notably New York Times and Wall Street Journal. Still, I think this is more than an attempt at deflection. Instead, Director of Information Security, Bob Lord is trying to be adamant about the seriousness of not just this security breach, but of the general state security across the Internet.

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users. - Bob Lord

Perhaps the most salient points in the article come in the form of links to an advisory from the U.S. Department of Homeland Security and FTC’s guide on passwords. The surprising notice from Homeland Security urges everyone to disable Java in their browsers! Now, this has been a recommendation from some sources for years. For example, Mac OS X 10.7 removed the Java runtime from the bundled software. Also removed was Rosetta, a bridging application that allowed the running of programs that were designed for the older PowerPC architecture. As for passwords, to paraphrase the linked FTC article:

  1. Don’t use your name, birth date, children's names, birth dates or those of your cat.
  2. "Make your password at least 10 to 12 characters long, and use a mix of letters, numbers, and special characters". This is up notably from the standard of eight characters that held for many years.
  3. "Don’t use the same password for multiple accounts".
  4. Don't share your password with anyone. Same goes for the ole PIN number and bank account information obviously.
Number 3 in the list above is perhaps the least obvious security measure of the set and also the least likely to be followed. People can only remember so many random strings of letters, numbers and nonsense symbols, right? Well, I'm a software guy. I live and work in a world of software. Hence, a software solution! Or, in this case, a list of them. There are plenty out there but here are a few of the popular choices:
  • RoboForm Everywhere

RoboForm has been around for at least 10 years and it's not going anywhere based on the price point (~$10) and functionality. Although you have to update your information from the desktop client, you can access your secure data from any device.

  • KeePass
Point 1, it's free. Despite being open source, this app scores high reviews in ease of use and features.
  • Kapersky Password Manager
A powerful and popular application., Kapersky picked up StickyPass last year and only lacks in the cross platform arena, especially mobile.
  • LastPass
Another common free option, LastPass has a good reputation. Too bad you need a premium prescription to get any mobile support.
  • Passpack
My colleague, Avani Mehta put together a great Passpack article a few months ago so I won't go into detail. I include it in the list because, 1) it's an excellent tool for teams and 2) I really like their multi-form factor authentication. It's worth a look just to go through the authentication process. Great idea and well executed.
 
Whichever option you choose, even sticky notes in a locked drawer if that's your thing, recognize that data breaches are going to keep happening. While we can't control the security of the systems we use, we can do our part to make an infiltrator's task as difficult as possible. The sharks are circling.
Tags: Best Practices, Cool Tools, Security

Comments

Jon's picture

Jon on February 05, 2013

That's awesome Karl! I haven't used RoboForm in a while. That mobile update may be enough for me to go back. Thoughts on the VERY strong password as the "key to the kingdom" - 100% agreed. Public Wi-Fi spots are an easy spot to have your passwords, even your master password, nabbed. Unless of course the app uses SSL. I'm betting it does.

Subscribe to Our Newsletter

Stay In Touch