Revealing the secrets of the password

Have you ever had the experience of forgetting a password? Most people now have their passwords recorded somewhere. I remember I had a piece of printer paper that had all of my usernames and passwords on it. There were about 30-40 different combinations of usernames and passwords. That’s quite a few passwords to remember. I was creating new accounts and services to use over the course of a few years and I had been putting the login information on this single piece of paper. Then I lost the paper and I was at a standstill. I scrambled until I found the piece of paper. Then I breathed a sigh of relief. After that experience I decided to go with electronic password storage. I started with a program called Keepass and from there I went to Lastpass. Electronic storage is much easier for me to handle. I don’t have to worry about remembering or having a piece of paper with all of my passwords recorded on it. I’ll go into more detail about Keepass and Lastpass later, but first, what is a password?

A good definition of a password is a combination of letters, numbers, and special characters (such as @, #, $ and *) that, when passed to an OS, application or web service, allows the authorized user access to their account. Passwords can also be extended into passphrases: several words strung together, such as a saying the user prefers. I recommend this approach because passphrases are easy for the user to remember and they are usually long. One caveat: a famous quote from a TV show sits in the same wordlists attackers feed their cracking tools, so pick words that are yours rather than a line everyone knows. When setting a password for an online service, application, or account, make sure to check the password requirements. Some services are surprisingly restrictive: the maximum length of the password might be only 10-12 characters. I have seen this in several places and personally I don’t like it. I usually like my password length to be somewhere between 15-20 characters, longer if necessary depending on the account it is protecting.

How do passwords work? I’ll use Windows passwords as an example. When you create an account you fill out your username and password, but what does Windows do with the password? When the account is created Windows hands the password to a cryptographic hash function. (A hash function is a fixed set of rules that turns a human readable word into a fixed-size scramble; for local Windows accounts this is the NT hash, MD4 computed over the UTF-16 form of the password, with no salt.) The scrambled output is called a cryptographic representation, or simply a hash. A hash is one-way: there is no operation that turns it back into the password. This is why attackers have to crack passwords rather than decrypt them: cracking means guessing candidate passwords, hashing each one the same way, and looking for a match. Windows stores the hash and uses it as a comparison value whenever someone tries to log into the account it protects. When you log in, Windows takes the password you typed at the logon screen, hashes it, and compares the result to the hash that was created when the account was set up. If the hashes match you are granted access; if not, you are denied.

In the red box are the account hashes dumped from a Windows 7 machine I hacked. You will see names like account1 followed by what looks like a random set of characters: account1 is the name of one of the registered accounts on the machine and the characters are its password hash. The format for the output is account name:RID:LM hash:NT hash. This is the pwdump-style layout most dumping tools print: the numeric field is the account’s RID (the relative identifier, which is the last component of its SID), and it is followed by two hash fields, the legacy LM hash and then the NT hash. Note: the machine I hacked is a VM (Virtual Machine) that belongs to me, and the picture is the output of a hacking tool I ran against it. I only hacked it to show what a password hash looks like.

Windows comes with a nice built-in password security feature: the password policy. It controls how passwords for all of the local accounts on the system must be created. The administrator can set a minimum length, require complexity (a mix of character classes, and no part of the user name inside the password) and set a maximum password age. The policy is edited through the Local Security Policy console (secpol.msc) on Windows 7 Professional, Enterprise and Ultimate and on Windows 8 Pro and Enterprise. The Home editions of Windows 7 and 8 do not ship that console, so an elevated command prompt must be used instead: net accounts sets the length, age and history rules, and secedit can import a policy file for the settings net accounts cannot reach, such as complexity.

In my experience I have found that some practices with passwords are good and others not so much. I’ll walk through the rules I use when creating and dealing with passwords.

First and foremost, NEVER EVER use the same password for multiple accounts and services. If that password is cracked, or leaks in a breach of one site, the attacker will replay it against every other service you use (this is called credential stuffing) and get into every account that shares it. Using the same password is never a good idea.

With passwords most users would think that having special characters is the most important factor; it’s not. The most important factor in password creation is length. Brute force attacks can crack any password no matter how complex; it’s just a matter of time, and the time grows exponentially with every character you add. Against a fast, unsalted hash like the Windows NT hash a single GPU tries billions of guesses per second, so a short password falls quickly while a long one can take years or decades. Make sure your passwords are a good length. In my experience a good password length is 15 characters. Do not have passwords that are less than seven characters; these are fairly easy to guess and crack. Special characters are a plus, but the most important thing is to make sure the passwords you use are of a good length. Do not base your passwords on your name, email address, or date of birth: cracking tools generate guesses from exactly that kind of personal data, so doing so makes the password much easier for the attacker to guess.
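The following is an added Python example, not code from the post or from Windows, that turns the policy knobs described earlier (minimum length, complexity, maximum age) and the rules in this section (length first, nothing derived from your name, e-mail or birthday) into a checker, and estimates how the brute-force cost grows with length. The POLICY values, the guess rate, and the sample passwords and personal details are assumptions for illustration; the complexity rule is modelled on the usual "three of four character classes" check.

```python
"""Password-policy check and brute-force cost estimate (added example)."""
import string
from datetime import date, timedelta
from typing import Optional, Union

# Assumed policy values for illustration, modelled on the knobs a Windows
# password policy exposes: minimum length, complexity, maximum age.
POLICY = {"min_length": 15, "classes_required": 3, "max_age_days": 90}

# The four character classes a complexity rule usually counts.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def _as_date(value: Union[str, date, None]) -> Optional[date]:
    return date.fromisoformat(value) if isinstance(value, str) else value


def char_classes(password: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum(any(ch in cls for ch in password) for cls in CLASSES)


def personal_tokens(username: str, email: str, birthdate: Optional[date]) -> list:
    """Strings a cracker derives from the user's own data: account name,
    mailbox part of the e-mail address, and common spellings of the birthday."""
    tokens = set()
    if username:
        tokens.add(username.lower())
    if email:
        tokens.add(email.split("@")[0].lower())
    if birthdate:
        for fmt in ("%Y", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y"):
            tokens.add(birthdate.strftime(fmt))
    return sorted(t for t in tokens if len(t) >= 3)


def check_password(password: str, username: str = "", email: str = "",
                   birthdate: Union[str, date, None] = None,
                   policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if char_classes(password) < policy["classes_required"]:
        problems.append(f"fewer than {policy['classes_required']} character classes")
    lowered = password.lower()
    for token in personal_tokens(username, email, _as_date(birthdate)):
        if token in lowered:
            problems.append(f"contains personal data {token!r}")
    return problems


def password_expired(set_on: Union[str, date], today: Union[str, date],
                     policy: dict = POLICY) -> bool:
    """Maximum-age rule: True once the password is older than the policy allows."""
    return _as_date(today) - _as_date(set_on) > timedelta(days=policy["max_age_days"])


def keyspace(password: str) -> int:
    """Search space for an attacker who knows only the length and which
    classes are used: alphabet ** length. Characters outside the four
    classes (such as spaces) each add one symbol to the alphabet."""
    alphabet = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    alphabet += len({ch for ch in password if not any(ch in cls for cls in CLASSES)})
    return alphabet ** len(password)


def brute_force_years(password: str, guesses_per_second: float) -> float:
    """Worst-case years to exhaust the keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    print(check_password("password", username="account1"))
    print(check_password("account1Rocks!2019", username="account1",
                         birthdate="2019-05-04"))
    print(check_password("correct horse battery staple"))
    for pw in ("Abc123!", "Abc123!Abc123!Ab"):
        print(pw, f"{brute_force_years(pw, 1e10):.3g} years at 1e10 guesses/s")
```

Two things worth trying: a long all-lowercase passphrase fails the three-class rule under this POLICY even though its keyspace dwarfs a short mixed password, which is exactly the tension the paragraph describes; and doubling the length of a mixed password takes the estimate from a fraction of a year to far beyond any attacker's patience.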

I have used two different programs to store my passwords after I stopped recording all of them on a sheet of paper.

The first program is Keepass available at: http://keepass.info/download.html

Keepass stores the passwords placed in the program in a separate database file that is opened with a master key. I like to think of this file as the password vault. The file is encrypted on disk at all times (AES by default); Keepass only decrypts the contents in memory while the vault is unlocked and re-encrypts them when it saves. Some additional features are: password generation, grouping of passwords, adding notes to password entries and much more.

All of the features can be viewed here: http://keepass.info/features.html

Here are the pros of Keepass in my opinion:

  • It can hold a large number of passwords
  • It can create complex passwords with a few clicks of the mouse
  • It can hold notes for each specific password entry

This program has a couple of drawbacks in my opinion.

  • It doesn’t have an auto fill feature
  • In order to use the mobile app a copy of the password file must be saved to the mobile device.

Here are the websites where you can download the mobile versions of Keepass.

Website for android app: https://play.google.com/store/apps/details?id=com.android.keepass&hl=en

Website for iOS app: https://itunes.apple.com/us/app/minikeepass-secure-password/id451661808?mt=8

Overall Keepass is a great program for anyone that is looking to store their passwords on their computer or mobile device.

Another great program for storing passwords is called Lastpass. It differs from Keepass in that the passwords are not stored in a file on your computer but in a vault on Lastpass’s servers. The vault is encrypted on your own device with a key derived from your master password before it is uploaded, so the master password itself never leaves your machine. Lastpass has many features: website password and username auto filling, secure password generation, and saving passwords as you create new accounts on websites.

There are three different versions of Lastpass:

  • Lastpass pocket
  • Chrome extension
    • The app is controlled from the Chrome web browser
  • Mobile app
    • iOS
    • Android

In order to use the mobile version of Lastpass you have to be a premium subscriber. It’s only $12 per year. That’s $1 per month, more than worth it in my opinion.

In my experience Lastpass has many pros.

  • Password generation
  • Note taking for each password entry
  • Password auto filling
  • Password entry sorting
  • Security checking for passwords

In my opinion there is one con with Lastpass:

  • You have to remember the security key to open the lastpass password vault. If this key is lost or forgotten then the vault cannot be opened.

Using these programs and steps has made passwords easy for me to use and manage. I hope these tips and tricks make it easy for you as well. If there are any questions or concerns please feel free to drop a comment on the post or email me at: hackingdefense@icloud.com
