What makes a password

We’ve talked a lot about passwords. We wrote a work of fiction about how your bank account password might be compromised, we wrote about how to have fewer passwords, we mentioned how you can break into a secure WiFi network without breaking the password, and we’ve even reviewed password software. But what goes into a password? Other than its commonality, why is “123456” so much less secure than “123abc456?”

Password anatomy

If you’re a doctor, you need to know your coccyx from your larynx, and why humans have 23 chromosome pairs and what that means. In other words, you need to know your anatomy. If you’re a password-ologist, you need to know your password anatomy, too — and on the “information superhighway” we’re all password-ologists.

The first and most obvious component of a password is its length. Simply put, a longer password is harder to guess, because every additional character multiplies the number of possible passwords by the size of the character set. So, obviously, it’s better to have a 10 character password than a 5 character one.

How much better? Well, that depends on its complexity, or in technical terms, the size of its keyspace. The keyspace of a password is determined by the number of distinct symbols each character could be drawn from (not the symbols it actually contains — remember, the attacker here only knows the length and the class of characters). Let’s pretend our hypothetical password is a single character to illustrate for now:

  • If the password was numeric only, it would have a keyspace of 10 (0, 1, 2, …, 9)
  • If it was only lowercase letters, it would have a keyspace of 26
  • If it was upper- and lowercase letters, it would be 52 (2 × 26)
  • If it was upper- and lowercase letters, as well as digits, it would be 62 (2 × 26 + 10)
  • If it was the entire printable ASCII character set, it would be 95
  • If it was the entire (current) Unicode character set, it would be over 110,000

Combining the ideas of length and keyspace, if all common English printable characters (letters, numbers, and “special characters”) were allowed, our 5 character password would have 95 × 95 × 95 × 95 × 95 = 95⁵ ≈ 7.7 billion different combinations; that 10 character password, by comparison, would be over 7.7 billion times more secure than that, with nearly 6 × 10¹⁹ combinations (just over 59 quintillion, but who’s counting?).

Security margin (simple)

How much security would that ginormous password really provide, though? Well, that all depends. Automated password crackers have gotten pretty fast. My favorite (linked), for instance, can easily reach around 20,000 attempts per second on a normal home computer — and that’s not even touching distributed computing or other more complex (and powerful) attacks. That means that if your attacker knows your super secure password (123456) is six digits and numeric only, expect it to be broken in 50 seconds or less. (That’s quite a bit faster than the roughly 95 million years john would take on that hyper-secure 10 character password, cracked naïvely.)
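The keyspace and cracking-time arithmetic from the two sections above, as an added example (not code from the original post). The class sizes are the ones listed under “Password anatomy”, the 20,000 guesses per second is the rate quoted above, and the time is the worst case in which the attacker knows the length and character classes and tries every candidate.

```python
import math

# Character-class sizes from the "Password anatomy" list.
# 95 printable ASCII = 26 lower + 26 upper + 10 digits + 33 punctuation/space.
CLASS_SIZES = {
    "digits": 10,
    "lower": 26,
    "upper": 26,
    "special": 33,
}
ALL_ASCII = ("lower", "upper", "digits", "special")
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, classes):
    """Number of distinct passwords of exactly `length` characters drawn from `classes`."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def entropy_bits(length, classes):
    """Bits of entropy if every character were chosen uniformly at random."""
    return math.log2(keyspace(length, classes))


def worst_case_seconds(length, classes, guesses_per_second=20_000):
    """Time to exhaust the whole keyspace at the quoted guess rate. The attacker
    is assumed to know the length and the character classes (the naive cracker
    of the text); a random password falls after about half this time on average."""
    return keyspace(length, classes) / guesses_per_second


def worst_case_years(length, classes, guesses_per_second=20_000):
    return worst_case_seconds(length, classes, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The three cases discussed in the text: 6 digits, 5 and 10 printable ASCII characters.
    for length, classes in [(6, ("digits",)), (5, ALL_ASCII), (10, ALL_ASCII)]:
        print(f"{length:2d} chars from {'+'.join(classes):28s} "
              f"keyspace={keyspace(length, classes):.3g} "
              f"bits={entropy_bits(length, classes):5.1f} "
              f"worst case={worst_case_years(length, classes):.3g} years")
```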

It’s not that simple

The thing is, I lied. Not all ten character ASCII passwords are equal. For example, T$f0_ke\E` is quite a bit more secure than gesundheit. Why? Entropy. In simple applied terms, entropy measures the randomness, or unpredictability, of a password. Higher entropy (less predictability) is better. While it’s difficult for the layperson to measure, the following mistakes all reduce your password’s entropy:

  • Whether or not your password appears on a wordlist. If you’ve got a word or common phrase, consider your password broken out of the gate. Rainbow tables and wordlists of common words and phrases will devastate any security you think you have.
  • If you’ve used common substitutions. Did you swap a “!” or a “1” in for your “i”s and “l”s? We know. Did you use a “5” or a “$” for an “s,” or write “><” instead of “x?” So did everyone else. Cracking software is built to try these and many other common word alterations, so security gained by these tricks is not as great as you think it is.
  • If your password follows normal symbol distributions. For example, in English, q is frequently followed by u, so if it is in your password as well, it’s less secure.
  • Whether your password relies on anything that can be known about you. Expect all of your biographical information and interests, as well as anything you talk about, to be used as guesses against your password. If you’ve used any family member names or birth dates, pet names, components of favorite songs, words relating to your favorite sports teams, etc., then someone can guess your password more easily just by learning about you. Social media makes this even easier, as people voluntarily vomit up the very information that is often all that is needed to compromise their accounts.
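An added example (not from the original post) of how a defender’s password check can catch the wordlist, substitution and personal-information mistakes listed above: it undoes the common substitutions before looking the password up, and searches for things known about the user. The wordlist, the substitution table and the sample passwords are constructed for the example; a real check would use a large leaked-password list.

```python
import math
import re

# Constructed stand-in for a real cracking wordlist (leaked passwords, dictionary words).
WORDLIST = {"123456", "password", "gesundheit", "letmein", "qwerty", "sunshine", "dragon"}

# Substitutions that cracking rule sets try routinely; the check maps them back to letters.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "l",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
}


def undo_substitutions(pw):
    """Normalise a password the way a cracker's rules would: lowercase, '><' -> 'x',
    and every known symbol/digit substitution back to its letter."""
    s = pw.lower().replace("><", "x")
    return "".join(SUBSTITUTIONS.get(c, c) for c in s)


def naive_bits(pw):
    """Upper bound on entropy: the keyspace of the character classes present,
    as if every character had been chosen at random (the anatomy-section estimate)."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, personal=()):
    """Return (findings, naive_bits). `personal` holds things known about the user
    (names, pets, years); findings lists the mistakes detected, in a fixed order."""

    def letters_only(s):
        return re.sub(r"[^a-z]", "", s)

    findings = []
    raw = pw.lower()
    norm = undo_substitutions(pw)
    raw_hits = {raw, letters_only(raw)} & WORDLIST
    norm_hits = {norm, letters_only(norm)} & WORDLIST
    if raw_hits or norm_hits:
        findings.append("wordlist")
        if not raw_hits:
            findings.append("substitutions")  # only matched after undoing the swaps
    if any(p.lower() in raw or p.lower() in norm for p in personal):
        findings.append("personal-info")
    return findings, naive_bits(pw)


if __name__ == "__main__":
    # Constructed samples: the naive bit count says nothing about the first four.
    for pw in ["123456", "gesundheit", "p@55w0rd", "Fido2015!", "T$f0_ke\\E`"]:
        print(f"{pw:12s} -> {check_password(pw, personal=('Fido',))}")
```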

So what’s a girl to do? Actually, the situation isn’t so bad:

  1. Pick one really good, secure password that will secure all your others. Bang on the keyboard a lot, then go into the middle and bang some more. Highlight some letters at random, and delete half of them. Bang some more in their place. Shuffle some things around. Bang. Delete. Bang bang bang. Tired yet? Good.
  2. Write it down on a piece of paper. Put the paper in your wallet or purse. You’re already really used to protecting the contents of that, so it’s pretty safe now.
  3. Download a password manager, or use one built into your system.
  4. Use the password manager to generate secure random passwords for any services you use. They can be long and crazy, because you won’t have to remember them. They can also be different, which is important because one account being compromised won’t compromise your others. (This is especially important for email accounts, which are often used to reset passwords for other services.)
  5. Whenever you need a password, take out your piece of paper, read off the password and use it to unlock your manager, and then copy-and-paste your random secure password into the login form as you need to.
  6. On a regular basis, go ahead and rotate your account passwords; and on a somewhat less regular basis, your “master password.”

Windows Phone 7.5: Without apps it’s more like Windows Phone .5

Back in the days when BlackBerry was king and Treo was the cool device, I was a Windows Mobile enthusiast. Quite honestly I liked my Motorola Q far better than the first iPhone, and at the time Windows had it right for my needs. Unfortunately for Windows, the iPhone grew up, and Android entered the scene. Microsoft had a problem. Windows Mobile went the way of the dodo, but in its place has come the Windows Phone. Enjoying Windows Mobile in the past, I figured why not try it again? I’m glad I did.

For testing purposes I chose an HTC Radar from T-Mobile. I won’t go all hardware geeky about the phone. What I will say is it feels good in the hand, the screen is bright and crisp, it responds quickly, and I’m not ashamed to show it in public. During my tests it wasn’t difficult to get through a full day on a single charge; in some cases I went two days without a charge. The downsides include the external speaker, which doesn’t do much for listening to music, and photos that are nowhere near the quality of the iPhone’s. Overall the hardware stood up and stood out.

Account set-up and learning the ropes of the phone weren’t bad. The Metro UI is exactly as advertised: simple to the point of being boring, and it’s less distracting than most smartphone interfaces. Microsoft does a good job of walking novice users through setting up email and social media accounts. I’d bet that novice smartphone users would be content with this simple, yet functional set-up. After a few prompts, I had my email, calendar, Twitter, and Facebook accounts configured and data was streaming in. I realize many of us live on our phones, but those who don’t are generally satisfied with groupware and social connectivity.

Social integration

Many argue that Microsoft simply doesn’t understand social. The deep integration between social media and the Windows Phone tells a different story. The “People” screen on the Windows Phone quickly lets you see what’s going on in your friends’ lives. A default “What’s New” presentation containing Facebook updates and tweets from your contacts is a quick update of what’s happening with those around you. Drilling down to a specific contact shows you their most recent updates. It doesn’t stop with just viewing. You can post a Facebook wall update, or mention them in a tweet, directly from this screen. To sweeten the deal you can organize your contacts into groups, and add them as a tile to the Metro home screen. Think the Google+ style of information management, only with information you might actually want to read.

Lack of apps leaves something to be desired

I’ll be honest, up to this point I’ve been rather impressed with the experience. Unfortunately, I’m not a novice and I went looking for apps. Right off the bat I failed to find my most must-have apps such as Dropbox, Pandora, and Skype. While Microsoft is quick to mention that the marketplace has over 60,000 apps, the reality is that the majority of them are useless.

In several cases I could find products comparable to the ones I wanted. For example, I could use SkyDrive instead of Dropbox, but then I’d have to migrate all my data and it’s simply not worth it. Another example would be Google Docs. This for me is a critical app and I could find absolutely no way of properly accessing it on the Windows Phone. Instead, Microsoft offers up its own solution of Office for Windows Phone. I had intended to tell you everything wrong with Office Mobile, but I realized if you’re in a Microsoft world it’s most likely not as bad as I’d make it sound. Instead, I’ll say if you’ve never used anything else it might just be OK.

One application I did manage to find was Facebook and, wow, is it different on the Windows Phone. I can’t decide if it’s good or bad but one thing is for sure, the placement of the send button is horrible. While the Windows Phone keyboard is actually one of the better touchscreen keyboards I’ve used, the Facebook app stacks the space bar directly over the send button and it frustrates the heck out of me.

Final thoughts

I suppose if I were just starting out with a smartphone many of the solutions offered could fit my needs, but anyone looking to migrate will simply not tolerate the experience of the lack of applications. If Windows Phone is going to compete, Microsoft will have to open up to solutions other than those that they own and control.

Beyond the weak application store, other problems do exist. Being last to market, everyone has designed mobile web experiences for WebKit browsers like the ones found in iOS and Android. A quick jump into IE on a Windows Phone leaves you with a desktop experience on a very small screen, or worse, drops back to something resembling WAP on an old Nokia. This is one place I fear MS will never catch up: mobile browser penetration is set and IE simply isn’t in the game this time.

Overall it’s a decent experience for entry-level smartphone users, and it will only get better. The Windows Phone 7.5 experience feels incomplete if you’ve been using another device. Windows Phone 8 promises to be better, but there is a lot of ground to cover to catch up. Like I said, I’m glad I tried it. Windows Phone is distinctly different, and while my experience wasn’t good enough to make me switch from my iPhone, it hasn’t scared me away from ever using Windows Phone again.

How I stole your bank account

The following is a work of fiction, written from the perspective of a would-be attacker. While the work is fictional, the techniques are not. It’s a scary world out there, and with the bad guys roaming around, it helps to know just how they might nab you. Keep your head straight and their meddlesome ways at bay and you won’t be like Bill in this story!

“Hi, Judy, it’s Bill here. I’m so sorry — I forgot my network password again. I know, I’m such a dolt. Would you be able to reset it please? I’m on the road and I won’t be back until next week, and I know Doreen and Jim want my expense report tonight. Thanks!”

That was me, talking to Judy, the new girl at the IT help desk at your work. You might have guessed that my name isn’t Bill. Yours is. My name isn’t important at all. I’m just the guy who stole your bank account.

Remember the average looking sedan parked outside Starbucks? Of course you don’t. The guy sitting in it — the guy you don’t remember, sitting in the car you didn’t see — was me. Remember when you opened your laptop and joined the first open WiFi network you saw? I do, too, because that’s when we (well, our laptops) met, and you didn’t even know it.

The network was the coffee shop’s, sure, but I owned it. Well, I pwned it. A little arpspoof here, a little webmitm there, a sprinkling of iptables, and bam! — you think you’re talking to them, and they think they’re talking to you, and really, I’m relaying the traffic in the middle and I see it all. It isn’t hard to set yourself up silently to intercept all the traffic on a vulnerable WiFi network.

Sometimes it’s a little more difficult. If the only active networks around are encrypted, I might have to crack them with aircrack-ng or break into the WAP with reaver to obtain the network key. If there’s no network around at all, I might even have to tether my laptop to my phone over USB and use its 4G connection and my WiFi card in ad-hoc mode to set up my own honeypot network for you to join. Everyone likes free WiFi!

But however I get connected, the result’s always the same. Your traffic is running through my computer, so I see what you see. In your case, when you joined the coffee shop’s network, I took the time to nmap scan you as well and saw that you were running an older version of Adobe Reader, so after I saw you send a “check in” email to your wife, I forged one back to you via sendmail with a custom little attachment I cooked up for you in set. I said it was a PDF of the insurance forms and I asked you to take a look. And when you opened my precious little virus, I got a command shell on your box, and I had control of your operating system. Thanks for that.

Once inside, I started gathering information. I already knew your full name (from watching you log into Facebook) and from that and the files on your hard drive, I quickly found out where you went to school, where you worked, what your dog’s name was, your shoe size, when you would be back home from your business trip, and that you had an unhealthy collection of Bee Gees albums. After searching a couple public records databases, I also knew where you lived, how much money you made, who your kids and parents and grandparents were, where and when you were born, where you used to live, and that you just took out a loan on a brand new house. Nice location, by the way. Oceanfront property. Impressive. Not showy, but definitely upper-class.

That’s when I called Judy. I knew what bank you used (nice job trying to protect those tax forms, but zip encryption isn’t anything these days), but I didn’t have access to your account quite yet, and frankly, while I had enough data to make you miserable by having your power disconnected or quitting your job for you, pranks aren’t what I was after. I had to call Judy because you set your password reset email to your work address, but I hadn’t seen you type it (and yes, I already tried “barrygibb”). When Judy was nice enough to reset your work email’s password for me, I had the last piece of information I needed.

So I headed to the bank’s website. “Forgot your password?” Enter date of birth and mother’s maiden name, it told me. I did. It asked me to answer your security questions: the street you grew up on and your favorite band. Good thing I knew those too (I figured it was the Bee Gees from your iTunes account, but your Twitter profile said the same thing for everyone to read as well). “We’ve sent your new password to your email address,” it said. A moment later, your work account chimed. I opened the message, wrote down the temporary password, deleted the email for you so you wouldn’t notice for at least a little while, and logged in.

Gloves. Scalpel. Suction. Prepare transfer.

Thanks for the funds, sucker. Tell your wife and kids I like the new drapes you can’t afford anymore. It’s nothing personal. It’s just what I do. Nurse, we’re gonna need a crash cart.

Hate passwords? Have fewer!

Creating passwords sucks, remembering passwords sucks, and forgetting passwords, well, you get the picture. Passwords affect nearly everybody. If you don’t believe me, look around at all the password generation and management software. You can tell a technology is irritating when it’s supposed to be simple, but managing it creates its own industry.

Let’s take some time to create a personal password strategy that will lessen your frustration, keep you from buying goofy unneeded software, and maybe make you a bit more secure. Yes, I’m going to recommend you rely on your brain rather than technology to solve this problem, but stick with me and you’ll see it’s rather simple.

First, most people have either too many or too few passwords. In my perfect world you would have no more than 3-5 passwords. Think of passwords kind of like locks: you wouldn’t use a bike lock to protect your car, and you wouldn’t use your house key to open a safety deposit box. At the same time, you wouldn’t create a key for walking into Walmart, or visiting the hair salon.

My suggestion for required passwords

  • Work – Used to login to internal company resources
  • Work Internet – Used to login to websites related to your work
  • Personal – Used to protect your personal equipment
  • Personal Internet – Used to login to websites you use on a personal level
  • E-commerce – Used for high security situations such as banking, taxes, etc.

Once this is completed, your next step is to create passwords that are actually usable. Each company, website, application, operating system, or other technology doodad has different password criteria. Our best bet is to set up criteria that will meet the requirements of the majority of the systems we might encounter.

Basic password requirements

  • Must exceed 8 characters
  • Must contain both upper and lower case letters
  • Must contain one number
  • Must contain one special character

Based on these criteria we have a set of parameters we can use to create passwords. I like to use pass phrases myself, as they are easier for me to remember.

Sample password creation

Creating pass-phrases that meet my length limits:

  • OutsideCowsEat
  • CowsEatGrass
  • IHateCows
  • WhyCowsMoo
  • TastyBurgersCowsMake

NOTE: You can use about any method to create a pass phrase. I normally start with a simple statement and work into other statements. My strategy is to have one word in each password that remains constant.

Adjusting capitalization to make things a bit harder on bad guys:

  • outsideCowsEat
  • cowsEatGrass
  • iHateCows
  • whyCowsMoo
  • tastyBurgersCowsMake

NOTE: By default each phrase starts with a capital letter, so I want to remove the pattern I’ve created. Most crackers will start by trying a special character or capital as the first letter. Not that this is a great advantage, but it makes me feel better setting the first letter to lower case.

Adjusting for numeric requirement:

  • outsideCow5Eat
  • cow5EatGrass
  • iHateCow5
  • whyCow5Moo
  • tastyBurgersCow5Make

NOTE: I chose the same letter within the word that appears in every phrase for a reason. The s in cows will always be a 5, which helps me remember where the five is. It also ensures the 5 is in a different place in each password. If I were to change every s to a 5 it would also be easy to remember, but password crackers commonly replace all letters with numbers. By leaving the other s’s alone, it’s more secure.

Adjusting for special character:

  • outside?Cow5Eat
  • ?cow5EatGrass
  • iHate?Cow5
  • why?Cow5Moo
  • tastyBurgers?Cow5Make

NOTE: Most people will insert special characters at the beginning or end of a pass phrase. Because this is expected behavior I recommend doing what we did with the 5 and associating it with a trigger word. This places the special character in different locations within different passwords.

Complete secure pass phrases:

  • outside?Cow5Eat
  • ?cow5EatGrass
  • iHate?Cow5
  • why?Cow5Moo
  • tastyBurgers?Cow5Make

Now you have 5 strong pass phrases you can use as passwords. While I wouldn’t suggest testing passwords you plan to use (you never know who’s listening) you can use this tool http://www.passwordmeter.com/ to see if the strategy works.
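The four adjustment steps above, carried through as an added example (not code from the original post): it applies the post’s own rules (drop the leading capital, turn the s of the constant word into a 5, put the special character directly in front of that word) and then checks each result against the “Basic password requirements” listed earlier. The trigger word, digit and special character are the ones used in the post.

```python
import re

TRIGGER = "Cows"   # the constant word present in every pass phrase in the post
SPECIAL = "?"      # inserted directly before the trigger word
DIGIT_FOR_S = "5"  # the s inside the trigger word becomes a 5


def build_passphrase(phrase):
    """Turn a CamelCase phrase such as 'OutsideCowsEat' into 'outside?Cow5Eat'."""
    try:
        idx = phrase.index(TRIGGER)
    except ValueError:
        raise ValueError(f"phrase must contain the trigger word {TRIGGER!r}") from None
    # Step 2: drop the leading capital so the phrase does not start with the
    # capital letter crackers try first.
    phrase = phrase[0].lower() + phrase[1:]
    # Step 3: only the s of the trigger word is swapped for a digit; any other s
    # stays, so a blanket "s -> 5" cracking rule does not line up with the phrase.
    trigger = phrase[idx:idx + len(TRIGGER)].replace("s", DIGIT_FOR_S)
    # Step 4: the special character rides along with the trigger word, so it lands
    # in a different position in each phrase instead of at the start or the end.
    return phrase[:idx] + SPECIAL + trigger + phrase[idx + len(TRIGGER):]


def meets_requirements(pw):
    """The 'Basic password requirements' list: more than 8 characters, upper and
    lower case letters, a digit and a special character."""
    return (len(pw) > 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


if __name__ == "__main__":
    # The five phrases from the post.
    for phrase in ["OutsideCowsEat", "CowsEatGrass", "IHateCows",
                   "WhyCowsMoo", "TastyBurgersCowsMake"]:
        pw = build_passphrase(phrase)
        print(f"{phrase:22s} -> {pw:24s} requirements met: {meets_requirements(pw)}")
```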

Consistent use and fewer passwords should aid you in your memorization process. Creating pass phrases, and using patterns within each, should help you recall passwords faster if you happen to stumble and forget one. I’ll be very honest and say I only have three passwords: work, personal, and banking. There is no hard and fast rule that you must have all five, but very few people require more than five.

Have other hints on managing passwords? Let me know in the comment box below.

FlogTube Increases Communication Between Buyers And Sellers

Fed up with getting items that didn’t exactly match their description, Simon Weatherall created FlogTube. FlogTube bridges the gap between eBay and YouTube, allowing sellers to use video to showcase products and services in greater detail than simple text and images. FlogTube is still in testing mode, but it has a solid concept, and appeals to buyers and sellers alike.

FlogTube has one aim which is to increase communication between buyers and sellers all around the world.

Have you ever bought something online and realized it’s not exactly what you wanted? FlogTube helps to stop this fast and that’s it!

via About | Flog Tube.

To get more information behind the story of FlogTube visit KillerStartups.

Do you know of a cool new on-line product or service? Share it with us by commenting below.

QR codes suck

Quick: What’s square, scannable, looks like something a Transformer vomited up after a night of binge drinking, and awesome? If you said “nothing,” you’re right, because while the first three are right on, QR codes are something we should be looking back on the way we look back on Milli Vanilli. That is, “not awesome,” not a bunch of lip-syncing hacks. Although I’m pretty sure that if QR codes had a record deal they’d have all the talent of Justin Bieber too.

A huge waste of time.

Seriously, don't even bother.

QR codes would have made a lot of sense at one point in history, and that is, before the advent of readily available WiFi, nationwide LTE data networks, RFID tags, GPS receivers in everything from my car to your personal massager, and NFC. Kind of like bloodletting made a lot of sense before we had medical knowledge. (Fun fact: Barber poles are red and white striped because those fellas with the straight edge razors were our doctors too! Yay bloody bandages!)

But they (QR codes, not barbers) don’t make any sense now. Let’s see why:

  1. They’re just barcodes. What is a barcode? It’s basically a way to print, on a physical medium, some information for a computer to consume. In other words, it’s putting a middle man — something you can fold and put in your pocket — between two computers talking to each other. This is wonderful if you have a huge investment in antiquated information transmission systems (supermarkets, brown-colored shipping corporations, governments), but otherwise nothing but a waste of time. Have you heard of this “Internet” thing yet?
  2. They’re effing hideous. Have you ever looked at one? I’m not an epileptic and they give even me seizures. You know those services that offer to exploit the hardiness of the algorithm by inserting pretty symbols and logos inside and twiddling the colors around? That should tell you something. QR codes make babies’ eyeballs bleed. Why do you hate babies?
  3. They’re limited. As ways of transferring information go, they’re pretty bad. They can’t hold much more than an SMS message can, and they’re a lot worse to look at. (Even worse to look at than that text you sent me last night.)
  4. They’re slow. You want me to see something great on my phone? Wonderful — but don’t make me open an app so that I can take a picture of a pile of digital horse droppings… just to find out I can buy V1@gra from your awesome eBay shop. While we’re at it, why are so many companies putting QR codes on stuff when the QR code loads a giant widescreen-optimized website full of flash advertisements and streaming HD video that makes my phone catch fire and die? WTF AcmeCo, were you expecting me to scan your code with my 70lb desktop tower from 1993 instead?
  5. They’re still just barcodes. Why are we doing this? We have a bit of information on a computer, then we print it out on something physical so that we can… put it back in a different computer. (That’s what your smartphone is, you know.) When we have other, simpler, faster, better media (NFC, RFID, et al.) for transmitting the data, making me go through a visual medium is just stupid. Why not embed a little RFID tag for your phone to pick up on? Or write an app that exploits the GPS inside your phone to tell when you’re near an ad and pop something up on your screen? Or use image recognition software in the camera (as some companies are starting to do, thankfully) so that you can just point your phone at a magazine cover and not the visual hemorrhoid that is a QR code printed on the front? Why not use all the wonderful little wireless protocols and the magic of the Internet to transfer information to me, rather than the IT equivalent of the Amish? (No offense meant — I have great respect for the Amish and their carpentry. I’m also fairly certain none of them read this blog.)

It’s 2012, not 1912. QR codes serve no purpose for consumers. If I wanted to look at antiques I’d re-watch Madonna’s halftime dance routine.

Six reasons to switch to Chrome

Quick: What are you reading this in? If it’s been a while since you evaluated your browser of choice, you might be missing out on some enhancements that you didn’t even know you were missing, but soon after switching won’t be able to live without. Internet Explorer has long been left in the dust. For a while, Firefox was the undisputed champion. These days, it seems Chrome takes home the gold medals — and we’re not talking consolation prizes, either.

  1. It’s fast. No, really, really fast. It opens quickly, it closes quickly, it loads pages quickly, it runs Javascript quickly… basically, you’ll spend more time doing and less time waiting for things to happen. It’s even got Flash and a lightweight PDF viewer baked right in, so you’ll go from “install” to “full experience” without any extra steps.
  2. It’s polite. You know how you’ll have a witty Facebook retort half-typed in one window, and you’ll be doing your taxes in another, and then your friend sends you a funny video to click on? And then you know how your computer starts grinding to a halt, and none of the windows will respond? And then you know how your browser dies and you lose all your work? Well, with Chrome, if one tab dies, it’s isolated — it doesn’t take down any other tabs or windows with it. And if a web page is misbehaving, the browser will tell you and let you stop it, before it stops you.
  3. It’s safe. Chrome automatically harnesses the power of Google, and stops most malware and phishing sites in their tracks. It’s also updated on a very regular basis (several times a month) without you having to do anything, so when there are problems, Google fixes them fast and pushes them out so that you don’t have to worry about whether you’re vulnerable or not.
  4. It’s easy. By default, the URL bar in Chrome serves as a search engine as well. Type “chase.com” and you’ll go to the bank page, but type “nearby pizza” and you’ll be taken to a Google search result for the same thing. The bar remembers new searches too, so if you visit wikipedia.org or flickr.com at some point, you’ll find that in the future, all you have to do is start typing “wiki,” press tab, and voila: the browser bar is magically searching the encyclopedia website for you automatically. No in between search result pages.
  5. It’s flexible. Tired of web ads? Chrome can stop them from ever appearing. Don’t like nasty Javascript popups and web trackers? Chrome can eliminate them. Want one click access to Google Maps or Weather Underground? You’ve got it. The Chrome Web store lets you install extensions to make the browser do almost anything you can imagine, and you can pin your favorite apps and pages to the starting tab if you want (or see your favorite bookmarks, or most frequently visited pages — your choice). (Search for “Adblock Plus,” “ScriptNo,” “Google Maps,” and “Weather Underground” in the Chrome Web Store, respectively.) And in true Chrome style, you don’t even have to close the browser to see the changes — it’s just instant.
  6. It’s skinny. The focus of Chrome is on the page content, not the “chrome” (ironically enough, the term for the visual display of the rest of a browser window). There’s very little visual cruft to stand between you and your web pages, or distract you from what you’re trying to focus on.

Convinced yet? Get Chrome here.