It was perhaps one of those little jokes that fate sometimes plays on us. On Thursday, when World Password Day was being celebrated, it was learned that a computer security firm had obtained a database with 273 million accounts stolen from the Russian mail service Mail.ru, plus smaller (but still significant) amounts from Gmail and Hotmail.
If the promoters of this year's #passwordday wanted a stellar debut, they could not have imagined anything better. Or worse, if you know what I mean.
The company that found this new leak is Hold Security, the same one that in August 2014 had revealed the theft of 1.2 billion passwords. This time it bought, for 50 rubles (0.75 dollars), a massive database with more than 1,100 million records from a vandal who had been showing off his booty online; instead of money, he asked that people speak well of him on the Internet. Ego, pure and simple.
After cleaning it up and removing duplicates, 273 million Mail.ru accounts remained, plus tens of millions from Gmail, Hotmail and others. However, according to Hold, the credentials were not taken directly from these services. What happened is much more interesting.
One password to control them all
There is a tendency, understandable on the other hand, to use the same password everywhere. Since it is almost the norm for sites to register us through our email account, attackers today simply steal the customer databases of companies whose security is not the strongest. These databases can include personal information, as well as emails and passwords. Passwords that most people also use on Gmail, Outlook, Facebook, Twitter and everything else.
Notable victims of this kind of virtual mugging have been Target, Adobe, eBay, Ubisoft, Home Depot and many others. This site has a striking display of the major thefts of user databases in recent years.
It is that simple. When we use our Gmail or Hotmail password in several other places, we are exposing ourselves to someone taking over our mail account. Which is not exactly fun.
The question seems to be: why do we keep using the same password everywhere, even when every warning light is flashing?
But no, that is not the issue. What we are doing wrong is continuing to use passwords. We should switch to passphrases. For two reasons. The first is that, if they are long enough, they are very difficult to break. The second is that the human mind is very clumsy at memorizing combinations of characters such as G&%#98Tf, yet it memorizes meaningful sentences with ease. Somewhere in La Mancha, whose name I do not want to remember, (comma included) has almost the same entropy as something like 0qoG00C8YxdQdxP4itIlvfCmngw9Vxa5wzdJOeWDucqazCNGEFi2vwIqnLgQ.
Entropy is expressed in bits and roughly expresses the number of combinations a program must try, by brute force, before breaking the password. The ubiquitous 123456 has about 10 bits of entropy, which means a brute-force program would have to try 2 to the tenth power combinations before breaking it. That is, barely 1024 attempts. A no-brainer for machines capable of processing billions of floating-point operations per second. (Besides, 123456 is vulnerable to dictionary attacks, because it is the most common password.)
The opening of Don Quixote, on the other hand, requires the machine to try 2 to the 295th power combinations. That is a 6 followed by 88 zeros, or sixty thousand quattuordecillion in long-scale naming. To put it in perspective, that is more than all the hydrogen atoms in the universe. In computing time, the figure implies a span of inconceivable length. Every solar system would have died out and the cosmos gone dark, and the brute-force program, with its countless combinations, would still need more time to reach the opening of Don Quixote.
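A small calculator for the figures in the paragraphs above, as an added example rather than code from the original column: it computes uniform-alphabet entropy, turns a bit count into a brute-force search space, and estimates how long exhausting that space takes at a constructed rate of a billion guesses per second. The 28-symbol alphabet assumed for the phrase and the 95-symbol one for G&%#98Tf are my assumptions, not the column's.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def uniform_bits(length, alphabet_size):
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size`
    symbols. For a human-written phrase this is an upper bound: words and
    letters are far from uniformly distributed."""
    return length * math.log2(alphabet_size)


def search_space(bits):
    """Guesses needed to exhaust a space of 2**bits candidates (exact integer)."""
    return 2 ** round(bits)


def decimal_shape(n):
    """Leading digit and count of digits that follow, e.g. (6, 88) for 2**295,
    which the column describes as 'a 6 followed by 88 zeros'."""
    s = str(n)
    return int(s[0]), len(s) - 1


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to run through the whole space at a constant guess rate."""
    return search_space(bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e9  # constructed figure: a billion guesses per second
    print("123456 at ~10 bits:", search_space(10), "guesses,",
          f"{years_to_exhaust(10, rate):.1e} years")
    print("G&%#98Tf from the 95 printable ASCII symbols:",
          f"{uniform_bits(8, 95):.1f} bits")
    phrase = "Somewhere in La Mancha, whose name I do not want to remember,"
    # Assumption: a 28-symbol alphabet (26 case-insensitive letters, space, comma).
    bits = uniform_bits(len(phrase), 28)
    print(f"{len(phrase)}-character phrase: {bits:.0f} bits (the column says 2**295)")
    print("2**295 looks like", decimal_shape(search_space(295)),
          f"and takes {years_to_exhaust(295, rate):.1e} years at that rate")
```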
For many, a password of such strength is an exaggeration. Personally, in these matters I would rather have too much than too little.
Since we can recall dozens of phrases in our language (in any language), the need to repeat the same key across all services fades, because now we have a long list of sentences in mind. Perhaps we will mix them up a couple of times, but it is much easier than memorizing random character strings.
A clarification, perhaps unnecessary. If the phrase in your Facebook, Twitter and Instagram header is, for example, what is essential is invisible to the eye, do not use what is essential is invisible to the eye (which is an excellent password) as your password. Seriously, a good share of credentials are guessed just by knowing which club the user is a fan of or by reading their profiles on social networks.
The problem with managers
Intel (and the other companies that led World Password Day) advises using a password manager such as KeePass. They are not bad, granted, and the matter is debatable, but from my point of view they pose two problems. The first is that password managers are programs and, therefore, may have vulnerabilities that allow unauthorized access. Examples of this: here, here and here. For the human mind, by contrast, there are no exploits, for now. There is social engineering, yes, so do not share any of your passwords, no matter the pretext under which they are requested.
The second problem is that password managers create dependence. It is the same with cell phones. Nobody remembers phone numbers anymore. What if, in a critical situation, you had to borrow someone else's phone or use a public one? Do you know your spouse's number? A colleague's? Your mechanic's? What is more, do you know your own number? I know a couple of people who could not answer this last question with certainty.
The same happens with password managers. All goes well until, for some reason, you need to check your mail from a system where the little program that remembers your keys is absent. Then I would like to see you.
My best advice is to avoid managers, use your memory (it is good exercise, too) and resort to a different tactic.
In order of importance
Another thing our mind does very well (well, in general) is prioritize. If a vandal takes over the profile we opened on a fly-fishing forum, nothing happens. If they steal our email or Amazon account, it is a disaster. So, it is not necessary to handle 60 complex sentences. It is better, or at least more practical, to have half a dozen quality phrases for critical services and use one or two basic ones for sites whose importance is negligible. Yes, of course, it would be better to use a different phrase for each page, but in practice this is impossible. There are services we use daily and others we visit once a year. Remembering the exceptional with the same precision as the everyday is another thing people do not do well.
Of course, there are a number of intermediate options that combine the tactics above with others. For example, using a password manager for unimportant sites and keeping in mind only the keys of vital services. Everyone has their own recipe. What is very, very bad is using the same password for all services. Because one falls, and then all the others fall.
It is very important, for example, to keep the account we use to recover passwords when we forget them very safe. Which leads me inexorably to the next point. Namely, that passwords are no longer enough.
Double or nothing
As I mentioned in passing, guessing your password is increasingly unnecessary trouble for the bad guys. They steal databases of user information and, if they can decrypt them, done: millions of keys in one fell swoop. This PDF (in English), presented at Black Hat 10 years ago but still valid, explains some of the ways an encrypted database can be broken. Worse, sometimes these databases are not even protected.
So, today it takes more than a good password.
Enter multifactor authentication. What does it mean? Besides entering your username and password, you will have to prove your identity by some other means. There are many, but typically, for the rest of us, it is a PIN sent by text message.
For example, when you first log in to Gmail or Twitter, the service sends you a text message with a 6-digit PIN. You type it into the form that appears on the screen and you are in. If it is your own machine, you can tell it not to ask for a PIN there again. Strictly speaking, the service associates you with a browser session, so if you change browsers or delete cookies, it will ask for the PIN again. It is slightly cumbersome, but very useful. At a minimum, your email accounts, Facebook and Twitter, in addition to the places where you spend money, should have multifactor authentication enabled.
What is the use of this? If someone steals a database listing your email address and password, and an attacker tries to take over one of your important accounts, they will lack the PIN and will not be able to get in. In addition, you will be notified of the attempted unauthorized login and, if that happens, it is not a bad idea to... Exactly: change your password.
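A minimal server-side sketch of the flow just described, as an added example (not code from the original column or from any of the services it names): a salted password check, then a 6-digit PIN that would be texted, then a per-browser cookie so the PIN is not requested again in that browser until the cookie is gone. The in-memory user store, the server key and the five-minute PIN lifetime are constructed assumptions.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: a long-lived secret the service keeps
PIN_TTL = 300                         # assumption: a texted PIN is valid for five minutes
pending_pins = {}                     # email -> (pin, expiry) awaiting the second step


def make_user(password):
    """Store only a salted, slow hash of the password, never the password itself."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


def password_ok(user, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(user["hash"], candidate)


def issue_pin(email, now):
    """After a correct password: generate the 6-digit PIN the service would text."""
    pin = f"{secrets.randbelow(10**6):06d}"
    pending_pins[email] = (pin, now + PIN_TTL)
    return pin


def verify_pin(email, pin, now):
    """The PIN must exist, be unexpired and match; it is consumed on first use."""
    stored, expiry = pending_pins.pop(email, (None, 0))
    return stored is not None and now < expiry and hmac.compare_digest(stored, pin)


def device_cookie(email, browser_id):
    """Cookie tying this account to this browser; a new browser or cleared cookies
    means a new PIN, which is the behaviour the column describes."""
    return hmac.new(SERVER_KEY, f"{email}|{browser_id}".encode(), "sha256").hexdigest()


def login(user, email, password, browser_id, cookie=None, pin=None, now=None):
    """Returns 'denied', 'need_pin' (a PIN was just issued), or ('ok', cookie)."""
    now = time.time() if now is None else now
    if not password_ok(user, password):
        return "denied"
    if cookie is not None and hmac.compare_digest(cookie, device_cookie(email, browser_id)):
        return ("ok", cookie)          # trusted browser: second factor skipped
    if pin is None:
        issue_pin(email, now)          # a leaked password alone gets stuck here
        return "need_pin"
    if not verify_pin(email, pin, now):
        return "denied"
    return ("ok", device_cookie(email, browser_id))
```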