The recent security breach at the beloved online storage service, Dropbox, has reminded us of the weakness of the Web. Founded in 2007, Dropbox uses cloud computing to let us store all kinds of large files on the Web, across a variety of operating systems, and share them easily with others. For about four hours on June 19, anyone could get access to any account with a dummy password. As fellow journalist John Pavlus, who also uses Dropbox, noted, "It was like our skirt got lifted for hours."
This is what Dropbox wrote on their blog on Monday:
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.
We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.
This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.
This is a serious issue for Dropbox—a company valued at $1.5 to $2 billion—since trust is the number one value they offer over their competition. Until we hear more about the "additional safeguards" they intend to implement it does give us pause about our chosen passwords.
We live in a password era, and we all have passwords that range from the ridiculously simple and romantically cheesy like "love" to impossible-to-get-straight gobbledygook. Apparently a shocking 50% of passwords are "based on names of a family member, spouse, partner, or a pet," according to this Smart Planet post and this book, "Perfect Password: Selection, Protection, Authentication." And I learned recently that 75% of us use the exact same password for everything. This is a huge mistake. All it takes is one hacker and one weakly protected site (say, a site like Gawker) and your key to everything, including email and banking, is up for grabs. When you use the same password everywhere, it is only as strong as the weakest site. And there are plenty of weak sites. Ninety-three percent of organizations have been hacked at least once in the past two years, according to the State of Web Application Security Survey by the Ponemon Institute.
I use the same series of numbers and letters but I mix them up (upper case, lower case, order, creating what I think is a near limitless variety) for different sites, banking, discount shopping, online publications, airlines, etc. I thought I was being smart. And I have been a bit smart, since I technically don't use the exact same password for sites, and I change them up regularly.
But there is a better way. A simple way. Christopher Mims at MIT's Tech Review suggests creating only four passwords and using them in a tiered system.
Here they are:
Low-tier password: Something you may already be using that is so easy that it might as well be your middle name. Use this for sites you don't care about like commenting sites for online magazines or music streaming sites. If you get hacked the worst that can happen is that your username suddenly likes the band Toto.
Second-tier password: "For sites on which you don't want to be impersonated (Twitter, Facebook, etc.)," says Mims. Here you need something longer (as long as you are comfortable recalling) and use at least one special character, especially inserting it into the middle, not at either end. Never use what is called a "dictionary password" (any real word) since that is a classic tactic hackers use to break into sites.
Third-tier password: This is for email accounts. (I would recommend for your cell phone as well.) It needs to be unique, long and interspersed with special characters. Your email account is where you might hold information about your other passwords, so it must be highly guarded. It is like the "master key" of passwords.
Fourth-tier password: The gold standard of passwords should be given for your bank and financial information. And this password should be unique for your banking, nothing else.
So we don't need to memorize 30+ passwords, or worse, document them in email or on scraps of paper. We just need four—or at least three—tiered by importance and security.
As for tips on creating a vice-like, gold standard password I suggest reading this post on the worst passwords of all time, and avoid them. Even a cryptic string like "abgrtyu" is on the list, so be wary. The hard part is following the paradoxical mantra of password creation: Easy to remember, hard to guess. Uh, ok. Once you've mastered that statement, try measuring your password strength using this useful Microsoft test. I used to get angry and hurt when my passwords were noted as "weak" as if it were a personal affront. Now I know it can be part of an entire strategy of protection.
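The tier rules above (longer passwords for higher tiers, a special character in the middle rather than at either end, no dictionary words, and a banking password that is used nowhere else) are easy to turn into a checker. This is an added example, not code from the article or from Tech Review; the minimum lengths per tier and the tiny word list are this example's own assumptions, since the article names neither.

```python
import re
import string

# Assumed minimum lengths per tier; the article only says "longer" and "long".
TIER_MIN_LENGTH = {1: 1, 2: 10, 3: 14, 4: 16}

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"love", "password", "toto", "dropbox", "christmas"}


def has_interior_special(pw: str) -> bool:
    """True if a punctuation character sits strictly inside the password,
    i.e. not as its first or last character (the article's placement advice)."""
    return any(c in string.punctuation for c in pw[1:-1])


def is_dictionary_word(pw: str) -> bool:
    """True if the password, lower-cased and stripped of digits and
    punctuation, is just a real word (the "dictionary password" the article warns against)."""
    core = re.sub(r"[^a-z]", "", pw.lower())
    return core in DICTIONARY


def check_tier(tier: int, pw: str) -> list:
    """Return the rule violations for a password meant for the given tier.
    Tier 1 (throwaway sites) has no requirements; tiers 2 to 4 follow the article."""
    problems = []
    if tier == 1:
        return problems
    if len(pw) < TIER_MIN_LENGTH[tier]:
        problems.append(f"shorter than {TIER_MIN_LENGTH[tier]} characters")
    if not has_interior_special(pw):
        problems.append("no special character in the middle")
    if is_dictionary_word(pw):
        problems.append("dictionary word")
    return problems


def check_scheme(passwords: dict) -> dict:
    """Check all tiers together: each tier's own rules, plus the article's demand
    that the tier-4 (banking) password is unique and reused for nothing else."""
    report = {tier: check_tier(tier, pw) for tier, pw in passwords.items()}
    bank = passwords.get(4)
    if bank is not None:
        for tier, pw in passwords.items():
            if tier != 4 and pw == bank:
                report[4].append(f"banking password reused for tier {tier}")
    return report
```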
[via Tech Review]
Jun 22, 2011
It is not a good idea to use the same password for any two sites. If you do, a breach at one is a breach at all. I manage remembering various passwords by having a scheme that incorporates something about the site into my personal password. They're long, and don't all use the same pattern. If I tell you more, I'll have to kill you. The exception is perhaps the first-tier sites, which can all have the same, simple password.
I've also read that once you cross into 10 characters in your password you're significantly stronger than 9 - even if it is "1234567890". This recent breach is a major fail for Dropbox and honestly a ding for the cloud industry as a whole. That being said, I still will stick with my current choice of cloud based storage - SugarSync - and just TrueCrypt anything that is SUPER sensitive. You can actually get 5.5GB of free storage for signing up through this link. Almost TRIPLE what you get with Dropbox. http://bit.ly/SugarSync500MBBonus Smart move SugarSync!
There was a similar article on another site. I have all mine in an Excel spreadsheet with a password. The biggest deal is the requirements vary so widely, as mentioned by someone above. Some can only handle alphanumeric while some can take anything you throw at them. Lengths vary as well, from a maximum of 8 to the full 256 characters. Translating a song into French or German or Spanish and then using the letters would not work for most of us who have very little language skill in something other than English (and some have poor skills there as well). It might be better to pick a song such as "They're Coming to Take Me Away" than "White Christmas". At least it isn't so widespread.
The real solution is in using password vaults. These can be standalone programs on your computer or some are even web-based, though with obvious concerns. Then you can create unique passwords to EVERYTHING and keep it all in your vault. Surprised the most common tip wasn't mentioned: create a phrase that is easily remembered and personal (eg "When I was 5 I went to Brubaker Kindergarten"), then take the first letter of each word (WIw5IwtBK) and for kicks change all A's, I's, and S's to corresponding special characters (W!w5!wtBK). Also, as someone else mentioned, those security questions are a real backdoor. Most financial sites let you make your own Q&A, so pick something really only you would know (first speeding ticket, nemesis in high school, or even a false flag: "Are you really John Smith?" "No! I'm a Russian hacker trying to steal his financial information.")
If you're a company or website of some kind and require your users to create a password, could you make sure to let the user know exactly how many characters may be entered, if upper/lowercase matter, and if a character such as an exclamation point can be used? That would be just great. Thanks.
This suggestion doesn't take into account the fact that web sites have wildly different rules for passwords. A strong password that I might want to use could be acceptable for many, but violate the rules for others. Most of the time, that is the reason why I have had to have so many different passwords: It's not one size fits all.
First, those "security" questions. (Why didn't you mention these? They're one of the biggest holes people leave open!) NEVER provide a security answer which is the answer to the question asked! "Where were you born?" should not be answered with any city name or country! Treat "security" questions as seriously as the main password--it's a key to the same lock. Things like mother's maiden name & such are all becoming quite readily available on the Net...such personal data isn't secret. Strongest, use a password generator, and use a password store with a VERY long password (store it in pieces in a document somewhere). Use the set of all available characters (e.g. 0-9, a-Z, punctuation). Tell your high priority targets (banks & such) that you want to be able to use very long passwords using the entire character set. (Many still limit you to 8 characters and 0-9, a-Z.) Be insistent, nasty if need be. It's YOU they're protecting. To be really secure, change them each time you visit. For lower security stuff, generate a short (4 char) random alphanumeric phrase(s). For each site, generate a pw using that phrase with something that reminds you of the site. It's nearly impossible to generate a strong password that is easy to remember. Don't bother--use a plan like the phrase generation above. And above all else, don't write them on, or post them near your computer!!! (Under the keyboard is the first place I look....)
yes, i also use a tier system of passwords - a simpler password for free newspapers and comments sites. a harder one for facebook, and that one as a base with an added songline-letter format (see below) for my email accounts, a 3rd harder one for more secure sites such as shopping online, and then the 4th is the granddaddy hardest password, that i use for my banking sites only. this method below works like a charm! and it does not rely on any personal information like family stuff, and even though you can have 100's of favorite songs, it would be next to impossible for someone to guess which song you use as long as you don't tell. when i started university, they suggested using a line of a song (but not the 1st line of the song), and using the 1st letter of each word, capitalise the letter of the verb, and insert a special character after the verb letter, and capitalise the last letter. i then chose to do 1 step better and used a song line after i translated it into a foreign language! but, the trick is, when you need that password, you just hum the music/words to yourself! you will remember a song much better and longer, and it creates an extremely difficult password, especially for banking, yet one that you can remember because you can remember the music. and this will work if you need a short version and long version of a password, and if you run across a bank that won't allow special characters (like 1 of my 3 banks does), then you can easily drop it out but still use all the letters.
example (and not my actual song, so don't bother trying it) - noel song "white christmas" / "noel blanc", 3rd & 4th line of second verse: Je revois tes yeux clairs, Maman / Et je songe a d'autres Noels blancs
thus, the long password (15 characters) would be: jR*tycMejS$adnB and the short one (less than 8 characters) would be jR*tycM
i used the special characters of 8, and then half of that, 4. so, try using a song and the 1st letters of each word in its line(s).
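The two commenters above describe the same "first letter of each word" mnemonic, one with letter-to-symbol swaps ("When I was 5 I went to Brubaker Kindergarten" becoming W!w5!wtBK) and one with a fallback to plain letters for a bank that rejects special characters. This added example (not code from either commenter or from the article) implements that transformation with the first commenter's a/i/s substitution table; the blocklist of strings already printed on this page is the example's own addition, since any example that has been published is public and should never be used as a real password.

```python
import string

# The first commenter's swap table: a, i and s become symbols (case-insensitive).
SUBSTITUTIONS = {"a": "@", "i": "!", "s": "$"}

# Constructed blocklist: the sample passwords printed on this page. Published
# examples are public and belong on a blocklist, not in use.
PUBLISHED_EXAMPLES = {"W!w5!wtBK", "WIw5IwtBK", "jR*tycMejS$adnB", "jR*tycM", "abgrtyu"}


def phrase_initials(phrase: str) -> str:
    """First character of each whitespace-separated word, keeping case and digits."""
    return "".join(word[0] for word in phrase.split())


def phrase_to_password(phrase: str, allow_specials: bool = True) -> str:
    """Build the mnemonic password from a phrase. With allow_specials=False
    (a site that rejects punctuation, as the second commenter describes)
    the unsubstituted initials are returned so every letter is still present."""
    initials = phrase_initials(phrase)
    if not allow_specials:
        return initials
    return "".join(SUBSTITUTIONS.get(c.lower(), c) for c in initials)


def character_classes(pw: str) -> set:
    """Report which of the four character classes the password draws from,
    which is what most site rules and strength meters actually look at."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("special")
    return classes


def is_published_example(pw: str) -> bool:
    """True if the candidate is one of the examples already printed on this page."""
    return pw in PUBLISHED_EXAMPLES
```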
DJElliot, I agree with you. Why would a hacker target regular people like us to bust our passwords. A Citibank security breach is another problem but even then, is the hacker going to browse through the revealed passwords, target you, then try to hack everything you have on the www? And if a security breach of this magnitude occurred, the security level of YOUR password wouldn't matter anyway. They have it. This so-called problem is the result of neurotic magazine columnists and caffeine-sated bloggers who stay awake at night dreaming up the next fantastical topic to strike fear into the hearts of their readers. For example: Now you only have to remember FOUR passwords but that last one is a doozy....uh, G$%3spgYv()&f8G**(h@# Oh! What the heck! Johnlgalt - I think Ayn Rand came in last.
I have read tsk tsk articles for years blaming users' 'weak' passwords. It doesn't make sense to me that a hacker would try to guess where I have an account and then guess my account's passwords by figuring out the names of family members, spousal units, pets, or partners. Account by account. Doesn't it make more sense for hackers to target a web site's password file, so that all accounts could be accessed...quickly? Other than being personally a target, why wouldn't hackers work in such a way to maximize profit and minimize exposure?
I wish life were so simple. You have the sites that make you change your password regularly and those that don't let you repeat the last 10 that you used. Some sites insist one set of special characters while others use a different set. Someone is going to get very rich by designing a better identification/security scheme that can be implemented on PCs, Macs, etc. without requiring special hardware.
I've had a number of accounts that require you to use no more than 8 characters and no special characters. Some have had the password displayed as clear text or they pass it as a parameter to other pages, again, in the clear.
Very helpful pw tips that I haven't seen before--thanks! A tip I recently learned I want to share: people do not realize that standard email messages are often transmitted in plain text over the internet without any form of encryption and are an inherently insecure medium. As a result, anyone can intercept the emails and easily access their contents, including any attachments. A good email encryption solution will use powerful cryptography techniques to ensure your messages are both stored and transmitted securely, and that only you and your recipients have the capability to decrypt your message data. If you need to send emails with confidential data, use this free email encryption form to send secure encrypted emails at https://www.sendinc.com
and, pray tell, how do you expect to remember each password when you need it? i agree with you on security questions, i never tell the truth, but i know the answers....everyone that wants mother's birthplace, it is a foreign capital, but she wasn't born in that country. mother's maiden name - i just use the last name of a 16th century monarch whose family tree i was reading one time. age - i shave 10 years off. zip code - generic chicago 60606 or Montréal H1H 1G1.
You're looking at it from a risk of the hacker knowing absolutely nothing about you and where you bank, etc. Do you realize, though, that a lot of the malware out on the net that are infecting computers around the world are transmitting personal information every day to these hackers? If you've ever been infected (and many times people never even know that they are infected, at least not until it is too late), chances are your info is out there somewhere. Chances are someone knows about where you bank, where you shop, and the like. The only real way to protect yourself is to not use a computer at all. For anything. Cash only. No social security / ID cards, no credit. And not too many people can follow all of those rules. To further answer your question, in order to get those password files, as you call them, they first have to gain access to the server - and in order to do that they need a password. So which came first, the password or the file?