How to know a company takes your online security seriously.

After the news last summer about a measly 1.2 billion usernames and passwords being stolen I started doing my own research on Fortune 1000 companies that I do business with. I say measly because many large companies have downplayed the importance of protecting passwords. As far as basic password security the vast majority of them failed. By password security I mean how well will it hold up when it goes head-to-head with a super-powerful, cloud-based password cracker.

There is a very easy test that you can do as well. Simply go to the company’s website and attempted to reset your password.

The main problem is that login-based security enforcement is random and everyone does it somewhat differently. Some companies may do an excellent job of login and password security and other may not. And, yes, passwords are an antiquated, 20th century invention that’s unfortunately lived well past its useful lifespan. However, the usage of them is still so widely accepted that we as consumers are stuck with them for now. So I believe it’s up to us, the consumer, to also voice our opinions of what’s acceptable and what’s not rather than leave companies to go about their business without any feedback.

Companies with failing grades will have the following password characteristics:

  • Allow fewer than 15 characters
  • Limited you to letters only
  • Don’t allow upper and lower case letters
  • Limited you to alpha-numeric only with no special characters
  • Provided no password strength meter. Good ones are not security theater and consumers appreciate the instant feedback
  • Provided no hints on how to create a strong password
  • Blocked the pasting of passwords. This really discourages having longer passwords.
  • Don’t offer two-factor authentication
  • Don’t provide you the option to view your password that you typed. The vast majority of us are in the privacy of our office or home when type passwords. Seeing what you typed, especially if you get it wrong is a huge time and frustration saver.
  • Don’t track which computer you use and log IP addresses, dates and times of access.
  • Don’t allow you to register a specific computer or device.
  • Don’t enforce HTTPS. Any company that houses your secure data should enforce secure HTTP. It’s very rare these days, but it does happen.
  • ?? If you have other characteristics not listed here let me know.

Most of the Fortune 1000 companies I do business easily have some (or most) of the above characteristics. The problem is this creates a honey pot for bad guys who know that a company allows very-easy-to-crack passwords. In my opinion, it’s certainly an advertisement for would-be criminals looking for easy pickings especially if they can simply steal a huge chunk of the company’s database.

Where did I get the 15 character minimum number? It’s basic math. The longer and more complex a password the harder it is to crack. At 15 characters you are talking about some serious and expensive computing power. For example, a simple all lower case password of “abcdefghijklmno” could take a few months to hack using a super massive password cracker according to https://www.grc.com/haystack.htm. That’s potentially a very expensive proposition for cracking large numbers of passwords. In comparison, a complex six-character password combing lower case letters, upper case letters, numbers and special characters “a1C&qZ” might take all of a few seconds to crack. Hmmm, if there are a decent percentage of short passwords in a database that might make it a viable target for the bad guys and certainly easy pickings.

Who cares about passwords? I’ve seen many comments from large companies poo-pooing the need for complex passwords and saying they have far more important security issues to worry about. My retort is I totally disagree. Password security is the least common dominator in today’s world. It’s common knowledge that many crimes happen because there was an easy opportunity. Easy to crack passwords are no different than leaving your car or house door unlocked, or leaving your car window open with a laptop sitting on the front seat.

What type of information are we talking about here that hackers are getting access to? I’m not trying to over dramatize this but we are talking about very personal information as proven in recent data breaches that include but are not limited to: your social security number, date and place of birth, bank login information, private conversations with a doctor or hospital, credit card account information, information on when you’ll be out of town, business dealings, corporate secrets, investments and oh so much more.

And, yeah, I know that consumers can whine about having to be bothered with complex passwords. I too hate having to manually create long, complex passwords especially on a site that enforces what seem like ridiculously twisted rules. However, there is a great solution…password vault apps! PC Magazine, for one, reviews these apps and they range from free to approximately $60. You can also share some of these apps between your laptop, phone and tablet.

Conclusion. Whom do you think a bad guy would target first, a large company that allows easy and short passwords or a large company that enforces good password security and they encrypt their passwords on the database server?

My recommendation is if your company has weak user password security then write the CEO of the company and tell them that password strength does matter and that’s it’s one more piece of armor to help protect all of their systems. Don’t waste your time on filling out the standard blah-blah feedback form. Complain to the top management since they have the power to make changes.

And use a password vault when you can. It will make managing complex passwords oh so much easier.

Recent Examples

password

Password 2

Password 3

References

Wikipedia – Password Strength

How secure is my password?

Think you have a strong password?

Why you can’t have more than 16 characters or symbols in your password.

 

5 ways that passwords get compromised

Over the last month as I’ve been doing normal updating of passwords I came across several major public company websites that gave me the following error:

The password you entered is invalid. Please enter between 8 and 20 characters or numbers only.

Anyone that knows anything about “Passwords 101” knows if you go with a minimum of 8 characters and/or numbers it could problematic if someone hacked into the password database. Security experts say that excellent password security includes alphabetical, numeric as well as non-alpha-numeric characters. A password of 8 characters and/or number could be hacked in micro-seconds.

This nicely dovetails with a number of conversations that I’ve had about this recently, and there is so much speculation about password security that I felt compelled to list the potential security holes for passwords. There is very little that you can do beyond minding your own passwords strength. The rest is up the companies and organizations that host your data. Here’s my list of the most common ways that passwords can get compromised.

Inadequate passwords – I suppose it makes sense to start off my list with this topic. But first I have a few important words about password strength. Simple passwords, such as those containing a limited amount of numbers and letters, for example “Test1234”, can be cracked in milliseconds on a typical laptop. When criminals get ahold of a username/password list the first they do is called a dictionary attack in which they try to compromise the easiest to break passwords first.

Unencrypted passwords stored on database – Not encrypting passwords in some way is the same thing as leaving the keys in the ignition of your car with the door unlocked. This is like ice cream to anyone that has access to the database, legally or illegally. They can simply download the ready-to-use user names and passwords.  It doesn’t matter how sophisticated of a password you have if it’s simply unencrypted. There is no way for the user to know if the passwords are encrypted or not, it’s completely up to the IT department that controls the database.

Phishing virus – This virus can provide usernames and passwords for a targeted organization. The intent of this virus is to trick someone into entering their username and password on a fake website that mimics another website, such as an email logon screen. Once someone enters their credentials, they are immediately available to the criminals. The best prevention against phishing viruses is to not open any suspicious attachments and to keep your virus software up to date. There is not a 100% cure against getting a phishing virus since any attachment, even from legitimate sources, could be compromised. But, a good start is not opening ones from someone you don’t know or one that has a suspicious sounding name. Trust your instincts.

Keystroke loggers – This is a spy program that can be installed on any computer. They can be very hard to detect and they do exactly as advertised: they log everything you do on a computer and then they typically relay that information to somewhere else on the internet where your data can examined. The best protection against keystroke loggers, and viruses as well, is a multi-faceted approach: anti-virus programs, spyware sweepers and software firewalls. In addition to that, occasionally viewing which programs are running on your computer and researching any program names you don’t recognize.

Network Sniffers – Sniffer software can monitor all internet traffic over a network.  Network sniffers can easily compromise public WiFi. The person who collects the sniffer data can sift thru the digital traffic information and then siphon out different types of login requests. Once they have the login information, if it’s encrypted they can run cracker programs against the encrypted information. As an internet surfer there is something you can to to help prevent getting your username and password siphoned off: purchase a consumer Virtual Private Network (VPN) product and always use it, especially if you are on an open WiFi at some place like Starbucks or an Airport.

Conclusion

Is there such thing as a truly secure password? Definitely not. This is especially true if the database server containing the password has less-then-adequate security measures in place to protect it from unauthorized intrusion.

Is there anything you can do to protect yourself? Absolutely. My minimum recommendation is to get a password manager program. They can create strong, unique passwords for every website that you need. Some password managers also let you securely share passwords between phone, tablet and laptop. Search for the words “password manager” to find out more. Here’s an article you can peruse as a starting point: pcmag.com. You should also keep your anti-virus software up-to-date and regularly run spyware scanners. Some folks go even one step further and install a software firewall that lets you control all communications to and from your computer. Last, but not least you can use VPN software when surfing the internet.

So what did I do about the websites mentioned above with poor security? In one case I wrote the CEO of the company and I also switched to using the maximum number of characters and numbers, which in the case mentioned above was 20. That website didn’t really store anything vital. In other case, I dropped the website like a lead balloon. If their password security is less-than-optimal I couldn’t help but question and wonder about the rest of their digital information security practices.

Simple steps for avoiding malicious spam emails

This post covers some simple things, in addition to having anti-virus software, that you can do to help prevent accidentally getting tricked by malicious spam email. I’m assuming you already have a full fledged virus checker installed. It was inspired by several friends and family members that aren’t particularly technically savvy, and they got infected via email.

It’s a fact that there are some potentially important emails that look absolutely legitimate at first glance. And, criminals are getting better every day at copying the look-and-feel of legitimate and highly recognizable companies. Four to five years ago, security experts instructed us to simply delete any email that seemed fraudulent. However, flash forward to 2012 and there is a chance you may be deleting a legitimate email.

How could I get infected when I have a virus checker?

Having a virus checker simply minimizes the chances of being infected. And, even major online email services can be fooled. Sorry to break the news, but virus checkers aren’t 100% effective.

Here’s one example and there are many, many more. Let’s say you have set up your bank account to send you monthly statements via email. Sounds reasonable enough, right? Well, recently I’ve seen some very convincing looking spam emails that did a really decent job of mimicking legitimate emails from a bank. The good news is there were a few things in the email that made me suspicious and fortunately I followed my suspicions and didn’t click on any of the links. One particular well done email came under the guise that the password had been changed on an account, and in fact it had been changed. How’s that for coincidence?

Two easy steps.

Step 1 is to use an email client that allows you to turn off the message preview feature. There are infectious agents out there that can nail you through JavaScript and HTML code that is run when the email is viewed via preview mode. One recent example was dubbed “Drive-By spam” by security experts. Another option it to use “text-only” mode, but for most of us text only messages are really boring and ugly to look at, and you also lose all images and styling.

Step two is view the message source code and look for links where the domain name does not match the domain name of the company that sent you the email. If there is anything suspicious then use the phishing reporting feature in your email service. DO NOT open the email, dude.

Now, criminals can change malicious URLs faster than anti-virus software vendors can keep up. So, everything in an email may look legitimate with the sole exception being the link they ask you to click on that could lead to a harmful website.

Step three is if you want to dig even deeper you can verify if the senders IP address is legitimate using an IP address lookup service. The senders IP can be found in the header information of the email source. If the email is sent from a block of computers not registered with the correct company name then I’d be highly suspicious. All legitimate and important emails should always originate from a company’s domain name. If it didn’t then there’s a really good chance it’s marketing related and trying to sell you something, or its hostile.

A note about your spam folder. I have actually received legitimate emails from banks that ended up in the spam folder because I forgot to put let my email client know email from that domain was legit. It was human error and it happens. So, simply saying I shouldn’t have opened it because it was labeled as spam isn’t 100% true. But, it is an indication that you need to proceed with caution. I agree that in general all the emails that are placed in a spam folder by your email vendor are actually 100% certifiable spam. But, human nature makes us curious especially when it appears to come from a legitimate source. The good news is you can still be curious and protect yourself by following these three steps above.

What does hostile email source code look like? It can actually look very much like a real email in the source code. Looks for the code specifically related to things such as links for “Getting Started”, “Log in”, and “Click here for more information”. Hopefully you get the idea. It will be wrapped inside a tag called “<a href=”, and if you are a software developer you already knew this.

Hostile code can also be downloaded through JavaScript. It’s much, much harder to detect hostile JavaScript code because it may have already run when the email was viewed. One option that’s not appealing to most people is you can disable JavaScript in your browser when using browser based clients. The downside is this makes browsing the web an awful experience because much of the dynamic nature of modern websites is driven by JavaScript.

As I mentioned above, some criminals are getting better at re-using templates from legitimate emails. So I’ve received email where all the logos, banner images and help links pointed to real and legitimate sources. In fact, in a recent phishing email that seemingly came from a well-known bank, everything looked perfect except for the code tied to the getting started button. Even the “reply-to” email address was correct.

Here’s an example of an email supposedly from a major, name brand bank where I have obfuscated the URL for security:

<a href="https://--some other non-bank website name---.com/spa---/"><b>Click here to get started</b></a></p></font></td>

Here’s what the header of the email looked like, it’s also been obfuscated:

x-store-info:4r51+eLowCe79NzwdU2kR...
Authentication-Results: hotmail.com; sender-id=softfail (sender IP is 70.---.---.142)
header.from=AmericanExpress@---.com; dkim=none header.d=welcome.---.com; x-hmca=fail
X-SID-PRA: AmericanExpress@---.com
X-DKIM-Result: None
X-SID-Result: SoftFail
X-AUTH-Result: FAIL
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9...
X-Message-Info: uTMDiBlPf5+Op9WrkKVGnq8+zr4Yfrs3...
Received: from server.DRGARCIA.local ([70.---.---.142]) by ... with Microsoft SMTPSVC(6.0.3790.4900);
Wed, 17 Oct 2012 07:11:24 -0700
Received: from USER ([198.--.--.35]) by server.DRGARCIA.local with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 27 Sep 2012 12:20:10 -0500
Content-Type: text/html
SUBJECT: Important: Notification of Limited Account Access

FROM: American Express &lt;AmericanExpress@---.com&gt;

Bcc:

Return-Path: AmericanExpress@---.com

How to view an email source using Gmail or Outlook.com? In Outlook.com you can simply right click on any email and select “view message source”. In Gmail, you have to open the message and in the Reply options pull down list select “view original”.

I use Outlook.com (formerly Hotmail) because it lets you view a messages source code without having to first open or preview the email. On the other hand, Gmail forces you to open the email first, and then you can view its source code. Simply by opening or previewing a potentially hostile email can allow malicious code to be installed on your computer. This seems like a major security hole to me.

Conclusion. If you have an email in your inbox or spam folder that looks legit and you absolutely have to open it, then the two steps listed above should help protect you, your computer and your data. Criminals are getting better every day at creating the illusion that an email is totally real. And, if you know how to read the source code of the email you can potentially avoid an infected computer.

DISCLAIMER. Of course I have to have a disclaimer these days. The contents of this post do not 100% guarantee that you still won’t be tricked into doing something unintentional that causes personal trauma, data loss, catastrophic damage to your hard drive or even cause kittens to purr. If followed properly, these steps will significantly improve the safety of your computer and electronic data. But, hey…even experts can be tricked!

You should also have anti-virus software installed and up-to-date. Yes, some virus checkers offer email protection of sorts and that should also be enabled. I’m also here to tell you that some viruses can and will slip through that protection. Sometimes, when a virus, Trojan, worm etc. infects your computer it takes hours to remove it, or in drastic cases you have to completely rebuild your system.