Hello, my name is: Amy

Safety + The Internet: Part II, Logging Into Things

If you've been using the internet for more than 1 day, you probably have at least 1,000 usernames and passwords to get into different sites. It's tough to remember all those, but if you have one takeaway from all this information, it's that using the same basic username and password for everything is a bad idea.

Your typical login to a site goes something like this:

Site: Hey, who are you?

User: My name is username!

Site: Oh, hey! Wait, how do I know for sure it is you?

User: Our secret password, silly, 'password'!

Site: Great! Come on in.

But suppose for a minute that someone has stolen your username and password, and this fake you is logging in:

Site: Hey, who are you?

Bad Person: Oh, uh, my name is username...

Site: Oh, hey! Wait, how do I know for sure it is you?

Bad Person: Our secret password, 'password'.

Site: Great! Come on in.

So, as you might guess, anyone can act as you if they have your password. Now suppose for a moment that my values were not so pure. If I wanted to get your password, I'm not going to sit around and guess.

I'm probably going to try and somehow trick you into giving me your password:

  • I might look at the Post-it note you have on your fridge.

  • Send you an email that looks like it's from your bank and directs you to my site so I can log your password.

  • Make you think your computer is infected, and that you need MY software to fix it. (Which allows me to control your computer. Thanks!)

  • Leave an infected USB drive lying around so you think you got lucky and found it. (PS. It has a virus that logs your keystrokes and sends them to me.)

  • I figure out who your boss is (cough, LinkedIn), and send you an email that looks like it's from her saying I need your password for this one super important thing.

Or I'm going to try and guess every combination:

  • Brute Force - Perhaps similar to how you used to do math homework, this attack is the trial-and-error approach. An automated computer program will literally try every possible combination to see if one works, usually starting with one character and moving forward. This type of method is considered to be infallible, but not without a significant investment in time.

    No need to totally freak though; most websites have methods in place to prevent this sort of attack. You should be concerned about this if someone has some of your data in their possession, like if they have stolen your computer. With all the time in the world, they will eventually get your password.

    But... if someone hacks a site that you have data on, it means that that bad person now has all of that site's data on their machine. So they now have all the time in the world to figure out what the combinations are.

    Sidenote: You know those annoying things where websites ask you to type in something you can barely read? Those are called CAPTCHAs, and they are one of the ways to help prevent people from trying this type of attack.

  • Dictionary - This is like the above attack, but instead of trying every character combination, words from the dictionary or things known about the victim are used. Let's suppose I was hacking my best friend's something; I'd start with things I knew about her.

    This follows the same rules as above, in that most websites don't allow enough guesses to win (assuming your password isn't terrible). However, if I happened to be in the business of spamming people's email, this would be my go-to. If I send an email to 'annsmith', 'annasmith', 'alexsmith', etc. @gmail.com, I'm going to get into some inboxes. (Also, don't do this. You will destroy your street cred in the email world. Seriously, don't.)

Here is why using the same old password is so bad

Let's suppose that upon my travels around the internet, I run across a site that promises to tell me what my Rock Star name is but needs me to create a username/password first. No problem, I quickly type in my go-to combo, amy/password123. I find out my Rock Star name (Cat Seger), and go on with my life.

Well, six months from now, RockStarName site gets hacked. Their user database was stolen and is now on a bad person's hard drive. That bad person can now identify what my username and password combination was. Big deal, who cares? They know my rockstar name. Well... sorry, but this hacker doesn't care about your rockstar name. With all of these username/password combinations, they are going to go straight to www.bank.com and try them out. Sadly enough, there are going to be ones that work. Which saves them a TON of time, and they are able to bypass a lot of the blockers that protect against multiple attempts, because they are only trying one combination per account.
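
That last sentence is the one defenders should dwell on: a per-account lockout counts failures against one username, and a stolen list gets replayed with exactly one try per account, so the lockout never fires. The way to see the attack is to pivot on the source instead of the account. The added Python example below is mine, not from the post. It runs two detectors over a small constructed login log: the classic lockout rule most sites have, and a per-source rule that flags one address failing against several different usernames inside a short window and reports which accounts on that same address also logged in successfully, which is the list of reused passwords that need resetting. The log lines, names and addresses are all made up; the thresholds and the ten-minute window are assumptions to tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample login log: timestamp, outcome, username, source IP.
# Addresses are from the documentation ranges; nothing here comes from a real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z FAIL amy 203.0.113.7
2024-03-01T10:00:05Z FAIL amy 203.0.113.7
2024-03-01T10:00:09Z FAIL amy 203.0.113.7
2024-03-01T10:00:14Z FAIL amy 203.0.113.7
2024-03-01T10:00:20Z FAIL amy 203.0.113.7
2024-03-01T10:01:00Z FAIL bob 192.0.2.5
2024-03-01T10:01:12Z OK bob 192.0.2.5
2024-03-01T10:02:00Z FAIL amy 198.51.100.9
2024-03-01T10:02:01Z FAIL bob 198.51.100.9
2024-03-01T10:02:02Z FAIL cara 198.51.100.9
2024-03-01T10:02:03Z OK dan 198.51.100.9
2024-03-01T10:02:04Z FAIL eve 198.51.100.9
"""


def parse_log(text: str) -> List[dict]:
    """Turn the raw lines into event dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, outcome, user, ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": outcome == "OK",
            "user": user,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def locked_accounts(events: List[dict], max_failures: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Classic per-account lockout: N failures against ONE username inside the window.

    This is the 'blocker' most sites have. It stops brute force on a single
    account but sees nothing wrong with a single failure per account.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked: Set[str] = set()
    for e in events:
        if e["ok"]:
            continue
        failures = recent[e["user"]]
        failures.append(e["time"])
        while failures and e["time"] - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if len(failures) >= max_failures:
            locked.add(e["user"])
    return locked


def stuffing_sources(events: List[dict], min_accounts: int = 4,
                     window: timedelta = timedelta(minutes=10)) -> Dict[str, Dict[str, Set[str]]]:
    """Per-source detector for a replayed username/password list.

    One address failing against many DIFFERENT usernames inside the window is
    the signature of stolen credentials being tried one per account. Successes
    from that address in the same window point at accounts whose owners reused
    a password and should be reset.
    """
    recent: Dict[str, Deque[Tuple[datetime, str, bool]]] = defaultdict(deque)
    flagged: Dict[str, Dict[str, Set[str]]] = {}
    for e in events:
        attempts = recent[e["ip"]]
        attempts.append((e["time"], e["user"], e["ok"]))
        while attempts and e["time"] - attempts[0][0] > window:
            attempts.popleft()
        failed = {user for _, user, ok in attempts if not ok}
        if len(failed) >= min_accounts:
            flagged[e["ip"]] = {
                "failed": failed,
                "succeeded": {user for _, user, ok in attempts if ok},
            }
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("locked by per-account rule:", locked_accounts(parsed))
    print("suspected credential-stuffing sources:", stuffing_sources(parsed))
```

On the sample log the lockout rule catches only amy, who was hammered from one address, while the per-source rule is the one that notices 198.51.100.9 trying five different accounts once each and getting into dan's.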

Note: most sites that accept passwords wouldn't store my password in the database as password123. They would do something called 'encryption' and store the password as 3W@@X#b!LIN, which only they know means password123. Think of it like the cryptogram in the newspaper. Given enough time, someone can eventually crack that code.
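
What the note calls 'encryption' is, on a well-run site, a one-way password hash, and the cryptogram comparison is apt: a stolen database of hashes gets the dictionary treatment described above. The added Python example below is mine, not the author's. It contrasts a poor storage scheme, one fast unsalted SHA-256 per password, with the kind a site should use, a random per-user salt and a deliberately slow key derivation (PBKDF2 from the standard library here; bcrypt, scrypt or Argon2 are the usual production choices). The accounts, their passwords and the six-word 'dictionary' are constructed for the demo. Running the same wordlist against both shows the difference: the unsalted dump falls after six hash calculations that test every account at once, the salted one costs a slow KDF run for every (account, guess) pair, and the long readable passphrase survives both because it is not in the dictionary at all.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample data: three made-up accounts from a pretend breached site.
# "amy" uses the post's go-to combo; "cara" uses the long readable passphrase from later in the post.
PLAINTEXT_ACCOUNTS = {
    "amy": "password123",
    "bob": "letmein",
    "cara": "1aboxpineapplepretty",
}

# Constructed tiny "dictionary" of common passwords. Real cracking wordlists hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "password123", "iloveyou"]

ITERATIONS = 50_000  # PBKDF2 work factor; real deployments raise this as hardware gets faster


def store_weak(password: str) -> str:
    """Poor storage: one fast, unsalted SHA-256 per password (the 'cryptogram' that is easy to crack)."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_strong(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Better storage: random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check for the strong scheme: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def recover_from_weak(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary pass over unsalted hashes.

    Without salts, identical passwords give identical hashes, so hashing each
    dictionary word ONCE tests every account in the dump at the same time.
    Returns (recovered passwords, number of hash computations spent).
    """
    lookup = {store_weak(word): word for word in wordlist}
    recovered = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return recovered, len(wordlist)


def recover_from_strong(leaked: Dict[str, Tuple[bytes, bytes]],
                        wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same dictionary against salted PBKDF2: every (account, word) pair costs a full KDF run."""
    recovered: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            work += 1
            if verify_strong(word, salt, digest):
                recovered[user] = word
                break
    return recovered, work


def demo() -> dict:
    """Build both kinds of 'stolen database' and run the same dictionary against each."""
    weak_db = {u: store_weak(p) for u, p in PLAINTEXT_ACCOUNTS.items()}
    strong_db = {u: store_strong(p) for u, p in PLAINTEXT_ACCOUNTS.items()}

    weak_found, weak_work = recover_from_weak(weak_db, COMMON_PASSWORDS)
    start = time.perf_counter()
    strong_found, strong_work = recover_from_strong(strong_db, COMMON_PASSWORDS)
    strong_seconds = time.perf_counter() - start

    return {
        "weak_recovered": weak_found,      # both dictionary passwords fall; the passphrase does not
        "weak_hash_calls": weak_work,      # one cheap hash per dictionary word, covering all users
        "strong_recovered": strong_found,  # same two users fall, but...
        "strong_kdf_calls": strong_work,   # ...at one slow KDF run per (user, word) pair
        "strong_seconds": strong_seconds,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the timing is not the absolute number but the scaling: the salted, iterated scheme multiplies the attacker's cost by the number of accounts and by the iteration count, while the unsalted scheme lets one precomputed table unlock everybody with the same password.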

If you are wondering if any sites you are a member of might have been hacked, Troy Hunt created the awesome site Have I Been Pwned, where you can find out and even be notified of any data breaches you might have been a part of.

Two Factor Authentication

There are ways to improve your odds. One of those ways is with something called 'two factor authentication'. Basically, what happens with this is that sites will require an additional way of confirming you are who you say you are. If implemented, in addition to supplying a password, users will also need to provide another method of proving their identity. Typically these can be things like:

  • Things the user knows (passwords fall into this category, shared secrets, PIN)
  • Things the user has (ID card, a code sent to your smartphone, a USB stick with a security token on it)
  • Things the user is (fingerprints, facial recognition, voice patterns, even how you typically type on a keyboard)

If you enable Two Factor Authentication on a site, the process might go something like this:

Site: Hey, who are you?

User: My name is username!

Site: Oh, hey! Wait, how do I know for sure it is you?

User: Our secret password, silly, password!

Site: Great! But wait, I need one more piece of proof. I texted you a code to your phone. Tell me what that is.

User: Hang on. Ok, it's 143295.

Site: You're in!

What this does is make stealing your login information that much harder for a hacker. In the above case, the hacker would have to acquire both your username/password and your cell phone. It's still not a totally secure method for a site to identify you, but it makes the likelihood of imposters much smaller.

If you're interested in this and would like additional information, this article offers a ton of further information on two factor authentication.

Not all sites allow you to use this login process, but a good number do. Think back to your risk analysis as to the types of data you might care the most about. Check with those sites and see if they allow you to implement two factor authentication.

The site twofactorauth.org lists a lot of sites that have enabled this process, so you can quickly see where you might be able to turn it on.

You can't seriously expect me to have a different password for everything?!

Yes and no. Think again back to your risk analysis. You might choose to only have a different password for sites that you are concerned about. But again, don't have one 'secure' password and one 'dumb' password. Because if one site gets hacked, or guessed, or you give your Amazon password to your kid (which is also your bank password), all the secure ones quickly become dumb.

There are ways to make this process easy. A common one you might hear about is to use something called a password manager. This is a piece of software that either lives on your computer, or on a website, and keeps control of your passwords. So, my bank password can be !@DFJ!(!@$SJBVA*!!@$@!) and I will never have to actually type that in. There are a lot of password managers out there. If I may, I might recommend the below based on the recommendations I've been given:

Keep in mind, though, that with some of these you are still trusting a service with your data. So, if that service were ever to be compromised, your data might be compromised.

If you'd rather manage this sort of thing yourself, you could create your own key that you use for your passwords. Meaning, your key is the name of the site, and the second character is a ^ symbol, etc. Or, you could construct a super long password that is at least readable, like 1aboxpineapplepretty. Chances are this isn't going to show up in anyone's hacker dictionary, but it won't be a pain in the butt for you to type in.
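
Both the password manager's random strings and the long readable passphrase come down to the same thing: how many possibilities would someone have to try. The added Python example below is mine, not from the post. It generates both styles with the standard library's `secrets` module (a cryptographic random source, unlike the `random` module) and puts a number on each: the bits of guessing work, which is log2 of the number of possible outputs. The word list is a constructed 32-word toy, so its passphrase number is deliberately low; the comparison also computes the figure for a 7,776-word list of the kind real passphrase generators use, which is the part that matters.

```python
import math
import secrets
import string
from typing import Sequence

# Constructed 32-word list for the demo. Real passphrase word lists (for example the EFF long
# list) have 7,776 words, and the strength numbers below scale with list size.
WORDS = (
    "apple box cat dog eagle fig grape hat ink jar kite lamp moon nest oak pear "
    "queen rose sun tree urn vase wolf xray yarn zoo amber brick cloud dune ember frost"
).split()

AMBIGUOUS = set("0O1lI")  # look-alike characters, dropped so generated passwords can be read back


def random_password(length: int = 12,
                    alphabet: str = string.ascii_letters + string.digits) -> str:
    """Password-manager style: every character drawn independently from a CSPRNG."""
    usable = [c for c in alphabet if c not in AMBIGUOUS]
    return "".join(secrets.choice(usable) for _ in range(length))


def random_passphrase(n_words: int = 4, wordlist: Sequence[str] = WORDS, sep: str = "-") -> str:
    """Readable style like the post's 1aboxpineapplepretty, but with the words chosen at random
    rather than by a person, so nothing about you leaks into it."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices: int, count: int) -> float:
    """Strength of a uniformly random string of `count` symbols drawn from `choices` options."""
    return count * math.log2(choices)


def compare(n_words: int = 4, length: int = 12) -> dict:
    """Bits of guessing work for the two styles, with the toy list and with a 7,776-word list."""
    usable_chars = len(string.ascii_letters + string.digits) - len(AMBIGUOUS)
    return {
        "password_bits": round(entropy_bits(usable_chars, length), 1),
        "passphrase_bits_toy_list": round(entropy_bits(len(WORDS), n_words), 1),
        "passphrase_bits_7776_words": round(entropy_bits(7776, n_words), 1),
    }


if __name__ == "__main__":
    print("password:  ", random_password())
    print("passphrase:", random_passphrase())
    print(compare())
```

Four words from a 7,776-word list land in the low fifties of bits, a twelve-character random password near seventy; either is far beyond anything a dictionary run will find, and the passphrase is the one you can actually type.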

If you use a site like LastPass, or 1Password, or the other tons of services out there, do your research and make sure you can trust them with all your precious eggs. And, you might want to make sure that this one place that you put all those eggs also offers two factor authentication.

The underlying moral of the story: don't use the same password for every site. Pretty please.
