The Tech Desk: Protecting your passwords - WCAX.COM Local Vermont News, Weather and Sports-

The Tech Desk: Protecting your passwords

BURLINGTON, Vt. -

With all kinds of gadgets and online accounts, protecting your passwords and privacy can be a challenge.

Duane Dunston is a cybersecurity professor at Champlain College and a regular on our Tech Desk. He offered up some tips on protecting your passwords. Watch the video to see.

From Duane Dunston:

Due to a well-known password

The recent high-profile attack that made sites like Twitter and CNN unavailable for long periods of time was, fundamentally, due to a failure to change the devices' well-known password.

Passwords have been a nightmare for users probably since they started being required.  These days, people have multiple accounts.  Some may have dozens.  Practically every site that you visit wants you to create an account with a password.  Then we, security people, tell you not to use the same password on every site.  Yes, we know that is frustrating and you're not going to do it.

Then there are accounts that come with "things" we buy; specifically, the wifi devices that are bought online or at the local electronics store.  Other devices have a username and password associated with them - the dining room lights or coffee maker that can be controlled via your cell phone, or the thermostat that you can turn on before you leave work so your home is nice and warm when you walk in.  Even better, recording a TV show on your DVR (Digital Video Recorder) and streaming it across the Internet while you wait in the airport or a doctor's office.  These "things" (smart coffee makers, refrigerators, thermostats, DVRs) are what we call the Internet of Things (IoTs), because those "things" that were, traditionally, manually controlled can now be controlled via the Internet (or via a network).  More than that, these IoTs are always powered on.  Unless there is a power outage or the device is moved to a new location, it is always on and connected to a network, usually via wifi.

The ability to manage those IoTs from a different location than your home, or from across the room, is a nice convenience and can be used without much of a security threat.  However, these devices often come with some form of authentication - some way to gain access to the IoT - to customize when to turn on the heat, for example.  That access is granted with a username and a password.  The IoT is developed and shipped to us with a password that is used to make those customizations.  The problem is that people often don't change the password.  There is a belief that "No one wants anything from me" or "So what if someone hacks my coffeemaker?"  Well, the attack mentioned in the opening is a result of someone wanting something from you - your unsecured device - and that's why they want to hack your coffeemaker.  It is not about "YOU," but what "YOU" have that allows them to carry out their agenda.

It is very easy to find a list of passwords for IoTs.  Perform a search for:

Default list of passwords for IOT devices

in your favorite search engine and you'll find them.  Here's a site that organizes those for you:

https://cirt.net/passwords

Here's what happened.  Someone wrote a malicious software program that scanned the Internet looking for IoTs that had the default password set.  When it found the right device, it uploaded some malicious software to the device.  That malicious software was running and waiting for a command.  When it received the command, it tried to connect to a website called Dyn.com.  Other websites we use, like Twitter, CNN and Netflix, make use of Dyn.com's network services.  When you type in:

https://www.netflix.com

your computer has to convert that name "www.netflix.com" into an IP address.  The IP address is kind of like the physical address for your house.  Without the numerical address and street of your house, you wouldn't receive mail.  Dyn.com is like the Post Office.  Someone sends you a letter, it goes to the Post Office and then on to your house.  In the case of your computer, you type in www.netflix.com and Dyn.com handles telling your computer how to get to Netflix.

Further breakdown

What did I mean by "scanned the Internet?"  It is just like someone using the white pages of a phonebook to find your phone number and home address.  In this case, they used a software program to automatically look for IoTs that are connected to the Internet.  The Internet has a finite range of IP addresses, which is well-known to people who know about computer networking.  The software checked those ranges until it found a device, and then performed its tasks when it found an IoT that had the default password set.  That is like a burglar driving through neighborhoods looking for a house where there are no cars or dogs and an open door or window.

Imagine if over 400,000 people showed up at one Post Office to send letters every second for 24 hours.  The post office would be overwhelmed with mail, and the carriers could carry only so many letters at any given time.  That's what happened online.

The IoTs sent a little bit of data (a few envelopes of mail) to Dyn.com (the Post Office) every second.  Now, imagine over 400,000 IoTs doing that every second.  Meanwhile, your wifi at home still worked and your IoT continued working.  That's because it was only sending a few letters every second, but when you aggregate that with over 400,000 other devices, Dyn.com had problems.  The problem is that it didn't have enough postal workers to let your computer find out how to get to www.netflix.com.  This affected most of the East Coast and started to affect other parts of the country before the attack subsided.

All this was because a default password was set on publicly available devices.  Well, there are some other methods that could've prevented it, but let's save that for another blog.

How could this have been prevented?

First, change the default password, the password that is set by the IoT vendor before you purchase it.  That would not have allowed the malicious software to run on the IoTs so easily.

Companies that develop IoTs have the capability to require a password change before the device ever accesses the Internet, but many don't do it.  Convenience and ease of use sell.  "Plug it in and forget about it" is the common tagline, or "Plug 'n Play."  There are even security vendors that have IoTs that claim you just plug it in and it starts protecting your IoTs.

To reiterate, the fundamental issue could've been resolved by changing the default password to something that is not easy to guess.

Password Changes

It is possible to create more memorable and secure passwords than this:

Y?#$aw)9hal

While strong, remembering it is more complex.  Imagine a password like that for 20 accounts.  Thomas Baekdal wrote a provocative article (https://www.baekdal.com/insights/password-security-usability) about the ability to create memorable but strong passwords.  By "strong" I mean the password is not easy to guess based on a dictionary word, pet's name, family name, etc.  With this method you create passwords based on dictionary words, but nonsensical ones.  However, you want to add in special characters or numbers to further strengthen the password while keeping it easy to remember.

Essentially, the password:

Y?#$aw)9hal

is no longer used; rather, a password like:

Churning_discombobulate_inconsequential_Flubber

Why would this password be considered strong?  A dictionary attack would take a literal dictionary of words (one word per line) and check to see if the password someone uses on a website matches a unique 'fingerprint' of that dictionary word (that fingerprint is actually called a hash; I'm just keeping this article accessible for the non-technical folks).  The password above requires someone to take that dictionary of words and make combinations of them until one matches.  Given enough time a match will be found.  That is called a brute-force attack.  Eventually, the correct combination of:

Dogs Roof-Roof is Cat's Meow

will be matched, but could take many, many, many, many years.

The password works because the average person knows between 10,000 and 25,000 words, depending on the source you read.  If you use 6 sets of words from your large vocabulary, along with some special characters and numbers, you can create strong and memorable passwords.
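As an added illustration (not part of the article), here is the arithmetic behind the "many, many years" claim: the search space of the random 11-character password above compared with passphrases of 4 and 6 words drawn from a vocabulary of the size the article cites. The attacker's guess rate is an assumed figure, not something the article states.

```python
import math

# Assumptions, not from the article: an attacker cracking stolen password
# hashes offline at ten billion guesses per second (a fast hash on a GPU rig).
GUESSES_PER_SECOND = 1e10
PRINTABLE_ASCII = 95          # characters available for a random password
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_random(length, alphabet_size=PRINTABLE_ASCII):
    """Number of possible passwords of `length` random characters."""
    return alphabet_size ** length


def keyspace_passphrase(num_words, vocabulary_size):
    """Number of passphrases of `num_words` words, each chosen from the vocabulary."""
    return vocabulary_size ** num_words


def bits_of_entropy(keyspace):
    """Entropy in bits: how many yes/no guesses it takes to pin down one choice."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time for a brute-force attack to try every possibility."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def minimum_words(vocabulary_size, target_bits):
    """Fewest words from this vocabulary needed to reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(vocabulary_size))


def compare(vocabulary_size=25000):
    """Return (entropy bits, years to exhaust) for the article's random
    11-character password and for 4- and 6-word passphrases."""
    random11 = keyspace_random(11)                      # like Y?#$aw)9hal
    words4 = keyspace_passphrase(4, vocabulary_size)    # four nonsensical words
    words6 = keyspace_passphrase(6, vocabulary_size)    # the article's "6 sets of words"
    return {
        "random_11_chars": (bits_of_entropy(random11), years_to_exhaust(random11)),
        "4_words": (bits_of_entropy(words4), years_to_exhaust(words4)),
        "6_words": (bits_of_entropy(words6), years_to_exhaust(words6)),
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:16s} {bits:6.1f} bits  ~{years:,.0f} years to exhaust")
```

With a 25,000-word vocabulary, four bare words (about 58 bits) fall well short of the 11-character random password (about 72 bits), which is why the article's "6 sets of words" plus special characters matters; six words alone reach about 88 bits.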

Password Management

There are lots of password managers out there.  I like Encryptr by Spideroak.  Encryptr will secure (encrypt, or make unreadable without a password) your password database and then send it to Spideroak for storage.  This allows you to access your password database via a web browser, on a smart phone, PC, Mac, etc.  If someone compromises the Spideroak servers, they shouldn't get access to your passwords.  "Shouldn't" because your passwords are protected by one really, really strong password...YOU CAN'T FORGET THAT PASSWORD or you lose access to all your passwords.  People complain that it is too simple and doesn't have enough features.  That's good.  Simple is better.  The more features, the more chance of introducing other security problems.  It is super simple to use.  Again, do NOT forget the master password.  Spideroak can't help you recover it.  Keep that master password in a very secret place, and not under your keyboard, in your wallet, underwear drawer, etc.  With Encryptr, you can maintain those dozens of accounts safely and securely and have access to them on any device.

As always, ensure you are using a trusted computer when accessing your passwords with Encryptr.  Encryptr does one job and that's it.  https://spideroak.com/personal/encryptr

All content © Copyright 2000 - 2017 WCAX. All Rights Reserved. For more information on this site, please read our Privacy Policy, and Terms of Service, and Ad Choices.