Tag Archive | Tips

Microsoft Gives Advice To IT Professionals About Social Engineering

In a new security article on social engineering, Microsoft highlights what measures can be taken both to prevent socially engineered attacks and to remediate them after the fact.

Some key highlights are:

  •  Limit attack surface
  •  Limit user accounts and strictly monitor high privilege accounts
  •  Maintain a proper incident response team
  •  Risk analysis and weighting
  •  Proper training

You can read the full article for the details, but I think those are the tips that stand out. The go-to policy for many companies is “enforce periodic password changes, don’t hand out smartphones to just anyone, tell users to be secure.” That’s my (limited) experience at least. This article should prove useful to anyone willing to put the work into maintaining a secure environment.

How To Create A Strong And Memorable Password

Tips For Creating A Secure Password:

A secure password has a few features: it’s easy for you to remember, hard for an attacker to guess, and long and varied enough that it can’t be brute-forced.

A good password will have at least one of each of these: a lower case letter, an upper case letter, a number, and a symbol. This guide will explain how to create a strong password that’s easy to remember and easy to adapt for various services.

Your password should be at least 12 characters long. Anything “mission critical” (as in the government is after the nuclear codes that you stole) should be at least 14 characters. Some people recommend 20 characters; that isn’t really necessary unless you can’t verify how the password is hashed and stored on the other end, because a weak or fast hash is exactly what lets an attacker try billions of guesses.

A horrible password for anyone would be “password123”, as it’s the first thing any attacker will try. It’s a single dictionary word, which means it falls to a dictionary attack immediately, followed by merely 3 digits. It’s also only 11 characters, which isn’t awful, but for protecting critical data it should be longer.

A bad password for me would be “insanitybit12345!?”, as an attacker might guess that I’d use my username as a password. At that point they only need to brute-force the “12345!?” part, and they’ll try “12345” as a suffix anyway.

A good password for me would be “CatBike92391(!”, as it has 14 characters, two words, a friend’s birthday (not my own, just some random friend from years ago), and two random symbols.

A great password for me would be “AwfulCatBike92391(@#(!(!”, as it has 24 characters: three unrelated words, an old friend’s birthday, that birthday typed again while holding shift, and two random symbols. One caveat on the shift trick: it adds length, but not much guessing work, because the shifted block is derived from the digits you already typed and a cracker that guesses the birthday gets the shifted copy for free with one rule. This password is beyond overkill; I suggest you stick to a password closer to 12-14 characters unless you can’t confirm that the crypto behind whatever you’re entering the password into is secure (like an online service).

A bad, but ‘strong’, password would be “a%f!1234BZV245NDF!#$?;;z<qortQERG”. It has over 30 characters, all ‘random’, but there’s no way in hell I’ll remember it, and I’ll be pissed off every time I type it out only to retype it because I forgot a letter. If I were an inexperienced user I’d end up writing it on paper, which is horrible.

Remembering even my incredibly long AwfulCatBike92391(@#(!(! is simple. You just need to remember 3 words, 1 birthday (typed once plain and once with shift), and two random symbols. That’s a handful of things; it’s about as hard as remembering that “party” is your password, or any other 5-letter word.

Keep in mind that the number of possible passwords is (character set size) ^ (length), not a factorial: every position can independently be any character in the set, so the counts multiply. Simply by adding one of each character class (a, B, 3, $) you grow the set from 26 lower case letters to 94 printable ASCII characters, and that gain applies at every position, so you improve the brute-force resistance of your password by a massive amount.

I’m also using “AwfulCat” and not “Gorillas”. Even though they are both 8 characters, “Gorillas” is actually much less secure because it is one word: a dictionary attack tries every word in its list, with a “capitalize the first letter” rule applied, so it finds “Gorillas” in a single pass. Two unrelated words strung together force the attacker to try every pair of words, which squares the work. Stringing two unrelated words together will be much more secure than one long word.
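To make the arithmetic above concrete, here is a small added Python example (my own, not part of the original post) that scores the post’s example passwords two ways: the naive brute-force count of (character set size) ^ length, and the work left for an attacker who knows the recipe (N dictionary words, a date, K random symbols, plus the shift-typed copy of the date). The 20,000-word dictionary, the century of dates and the 32-symbol set are assumptions chosen for illustration, not numbers from the post.

```python
import math
import string

# The four character classes the post talks about: lower, upper, digit, symbol.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# US keyboard: the symbol you get when you type each digit with Shift held.
SHIFTED_DIGIT = dict(zip("1234567890", "!@#$%^&*()"))


def charset_size(password):
    """Alphabet a naive brute-forcer must cover: the combined size of the
    character classes the password actually uses (26+26+10+32 = 94 for all four)."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def brute_force_bits(password):
    """log2(charset_size ** length), i.e. the corrected form of the post's
    equation. No factorials: every position independently takes any character
    of the set, so the counts multiply."""
    return len(password) * math.log2(charset_size(password))


def shift_digits(digits):
    """The post's 'birthday typed while holding shift' trick, as a cracker
    rule would implement it."""
    return "".join(SHIFTED_DIGIT[d] for d in digits)


def recipe_bits(words=0, dates=0, symbols=0, shifted_dates=0,
                dictionary=20000, days=36525, symbol_set=32):
    """Work left for an attacker who knows the recipe: pick N dictionary words,
    D dates (any day in a century, ~36525 values), S truly random symbols.
    The dictionary size, date space and symbol set are assumptions chosen for
    this example. A shift-typed copy of a date adds length but zero bits:
    once the date is guessed, shift_digits() derives the copy for free."""
    return (words * math.log2(dictionary)
            + dates * math.log2(days)
            + symbols * math.log2(symbol_set)
            + shifted_dates * 0.0)


# The post's own examples, with how each one was built (words/date/symbols).
EXAMPLES = {
    "Gorillas":                 dict(words=1),
    "AwfulCat":                 dict(words=2),
    "CatBike92391(!":           dict(words=2, dates=1, symbols=2),
    "AwfulCatBike92391(@#(!(!": dict(words=3, dates=1, shifted_dates=1, symbols=2),
}


def compare(password, **recipe):
    """(brute-force bits, recipe-aware bits) for one password."""
    return brute_force_bits(password), recipe_bits(**recipe)


if __name__ == "__main__":
    # The shifted block in the 24-character example really is just the date again.
    assert shift_digits("92391") == "(@#(!"
    for pw, recipe in EXAMPLES.items():
        bf, rc = compare(pw, **recipe)
        print(f"{pw:26} brute-force {bf:6.1f} bits   recipe-aware {rc:5.1f} bits")
```

Two things fall out of running it. “Gorillas” and “AwfulCat” score identically under brute force (both 52^8, about 45.6 bits) but differ by a full dictionary’s worth of work once the attacker knows they are made of words, which is the point made above. And the 24-character example scores far higher than the 14-character one under brute force, but only one extra word higher under the recipe model, because the shift-typed date contributes length without contributing guesses.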

TIP: You can create multiple strong passwords very easily.

Let’s take our AwfulCatBike92391(@#(!(! example.

Maybe that’s my email password for GMail and now I want a strong Hotmail password. I’ll simply change AwfulCatBike92391(@#(!(! to:

SuperDogCar71488&!$**%$. I’ve changed “Awful” to “Super”, “Cat” to “Dog”, and “Bike” to “Car.” Anyone who got a 200 or above on their SATs should be able to understand the relations here. I also picked another friend’s birthday and another two random symbols. So now we have a very different password that’s just as secure as the last, and it won’t be difficult to remember both because they’re similar in terms of semantics.

Other examples might be:

GreatEmuTruck52090%&()$# or EvilRabbitJeep41794$!&(%*%

It’s simple. Though, again, I think these passwords are overkill and something like the 14-character example is ample. One caveat: all of these share a recipe, so if one of them turns up in a breach an attacker can see the pattern; that’s why each one gets its own date and its own symbols rather than just swapping the words.