I’ve had some interesting experiences with two companies recently that I’d like to share. We all do business with companies online: we buy from them, we schedule appointments, we put in support requests, and so on. Today, I very seldom use the mail, and don’t shop in person very often. How these businesses treat customer security is interesting. Some places are very technically savvy and have robust, secure online transactions. Being realistic, though, I know that my dentist’s office does not employ a full-time sysadmin. They buy an off-the-shelf customer care solution and hire someone to install it on their website. Sometimes that’s good, sometimes that’s bad… First was with my mechanic. I like my mechanic – they’ve saved me[…]

When it comes to giving advice about picking strong passwords, experts are quick to point out some of the good password generators and managers available, or recite best-practices for making up your own. And although we do so with the best of intentions, it’s still easy for people’s eyes to gloss over when presented with matter-of-fact information, especially if it comes in the form of a lecture or a wall of text. For the people who are way more responsive to information communicated graphically, this short video from Mozilla explains some basic concepts of choosing easy-to-remember passwords that are still complex and robust: Passwords look like they’ll be sticking around for a little while longer as a key component in[…]

We all have passwords. Most of us hate writing a new one for every new account we open. The traditional thinking always said that for a password to be secure, it was necessarily unwieldy to memorize. So who wants to memorize vRg5BoTA for your new Spotify account when you just solidified a mnemonic in your head for your Gmail password? Many older account systems limited your passwords to be between 6 and 12 characters, so increasing complexity through a larger alphabet and using non-dictionary words was crucial to give yourself a chance against password guessing attacks. If you’re still using 6-character passwords, I have bad news for you: you’re so laughably vulnerable, you don’t even register as roadkill for[…]

Stop and think about what an attacker could do if they gained control of your e-mail account. Many web sites let you reset your password via an e-mailed link. Poorly designed services may even send a copy of the password to your inbox. Much of your personal information is likely reflected in conversations you’ve had via e-mail, and services such as Gmail can store copies of all your messages. With all this in mind, protecting access to your e-mail has become an important priority. Using strong passwords is a great starting point, but that’s only one level of security. Many companies use another system, known as two-factor authentication, to protect sensitive data, but it hasn’t been widely deployed for consumer[…]

Although we’ve made many posts about the importance of password security, have you ever wondered just how long it would take for a well-equipped attacker (having access to clusters or supercomputers) to brute force your password? Or how much more protection you gain from adding some special characters? If you’re not inclined to crank out the numbers yourself, you might find the answers you’re looking for here. Here are some basic stats: With access to super-computing-like power (trying over 1 billion guesses per second), it only takes about 84 days to crack the common 8-character password (alphanumeric mixed case, including special characters). With access to a less powerful class of attack machines (10k guesses per second), without including special symbols, an[…]

Many information security blogs, including this one, have discussed the recent data breach of gossip site Gawker and problems associated with leaked passwords. The story has demonstrated some of the risks associated with password storage. Gawker did store passwords using a form of encryption, but it was a weak algorithm and thus the encrypted data could be cracked. It’s important to remember that you should never simply rely on “encryption” to protect information – that’s sort of like saying a bicycle is protected with a combination lock. Some locks are easier to open than others, and if the lock is attached to a weak cable or not properly looped through the frame of the bike, its strength doesn’t even matter. With[…]