What makes a password great?

Published Apr 30, 2013 by

Monkey, ninja, baseball, football: Words related to hurling inexplicably fast objects towards unwitting onlookers?  Not this time.  These are just four of the top 25 most stolen passwords in 2012, as reported by splashdata.comStolen is the key word here.

Two methods for stealing login credentials are:

  1. Guessing the password based on general or personal information (birthdays, spouse’s name, child’s name, workplace surroundings)
  2. Cracking a web site or server, gathering huge lists of login credentials (often not even encrypted)

Method 1 is what I will call “local threats” where the intruder probably knows you, and at least has direct access to your workspace or public-knowledge-information.  Method 2 is a “remote threat”, where an attacker is not necessarily targeting you, per se, but rather a large segment of users in which you have been included.

To protect yourself from these methods, create a password that incorporates each of the following suggestions:

Make it a “Strong Password”

The generally accepted definition for “strong password” is one of at least eight characters in length with uppercase, lowercase, number, and special (.!@# etc.) characters.  This, however, is a bare minimum recommendation.  A good password uses as many characters as you are willing to remember, and although a “strong password” is a great defense, it is not the whole defense.

Make sure it has nothing to do with you or your workspace surroundings

Password on a Post-It (Original photo by Pavel Krok)

Remove that Post-It from the bottom of your keyboard right now! Go ahead, I won’t look.

This is an important step to follow in order to avoid password theft using method 1.  Assume everyone knows everything there is to know about you.  Now, choose a password with that in mind.  “St@nford98” might be considered a “strong password”, but when you hang your 1998 Stanford degree above your computer monitor, that may be one of the first things someone tries when they sit down at your desk.  Also, you may have the strongest, most random 26 character password in the world, but if you have it written down anywhere, someone will find it.

Make it easy enough to remember

Picking a word or phrase with an easily recallable number association is a great way to come up with a password, but make sure the word is an obscure reference that nobody would think to guess.  Pick an insignificant detail from a memorable event.  For example, I recently took my daughter to her first baseball game and we had lunch together there in the 7th inning: “H@mburgerInThe7th”.  It does not mean anything to anybody but me, and I can remember it fairly easily so I do not have to write it down.

Make it unique to the web site you are creating it for

This is a very important aspect to password security.  In the case that a web site has failed to properly secure your log in information, it is important that one compromised password does not compromise every account you own.  One method I have come up with provides two fail-safes to protect your password:  Copy and paste a portion of the domain name of the website you are accessing as the start of your already-strong password: my password for google.com becomes “gooH@mburgerInThe7th”, my password for twitter.com becomes “twiH@mburgerInThe7th”.

With unique passwords, a compromised Twitter password does not also result in a compromised Google password.  Also, physically copying and pasting that portion of the domain every time makes you look at the domain name.  That means if you are the target of a phishing attack at twtter.com (notice there is no “i”) and you cut and paste “twt” for the start of your password, not only will they not get your real Twitter password, but you will probably not attempt to log in when you realize you are not actually at “twitter.com”.

Change your passwords

Finally, with all these suggestions in mind, it is time to stop using “password1″.  Coming up with a good password for new log-ins  is great, but it does nothing to protect what is already out there.

How should I secure my wireless network?

Published Apr 25, 2013 by

If you have a wireless network, you may have asked yourself, “Is a wireless network secure enough for data sensitive work, like banking?”  This is an excellent question to ask, and the answer is conditionally: “yes, if you’ve adequately secured your connection.”  What, then, is adequately secured?

Unsecured Connections

Without enabling any of the security features on your wireless access point, any traffic between your devices and the network is sent without modification.  Anyone within range of your wireless network can listen to, or “sniff”, the signal that you’re using and record the data.  Everything that you transmit is out in the open, and while some institutions such as banks protect the information you send, it is still undesirable to have this information accessible to anyone within receiving range.   Additionally, there is nothing stopping an outsider from connecting to your network and having access to your connected technology resources such as printers and network file shares.  Given the right set of tools and time, anything you transfer could be available to those with malicious intent.  As a business, it may not only be your information that is vulnerable.  Customer payment methods, contact information, and proprietary company data are just a few of the pieces of information that you want protected.

What is encryption?

Encryption is the process of taking some type of information such as text or computer data, and converting it into a different, unreadable form.  The data is known as “plain text” until it changes form, and it becomes known as “ciphertext.”  This ciphertext is not readable on its own, but requires conversion back to its original form.  Conversion of the information is done with the use of a “key”, which is a special type of data that specifies how the information is to be transformed.  As long as this key is only known to people who you want to have access to the information, it can be considered secure.  Encrypting information makes it unreadable in transit, and helps to ensure only the intended recipient has access to it.

What are my wireless encryption options?

One of the early methods of encryption for wireless networks was known as Wired Equivalent Privacy, or WEP.  The problem with WEP was that it didn’t live up to the name.  There was a weakness in the way the encryption was implemented, and it wasn’t long before anyone with Google and a little techie know-how could connect to your network.  Initially this process could take a long time, but through certain techniques this process has been reduced to minutes, making WEP ineffective at protecting wireless transmissions for the last decade.

Due to the weakness inherent in WEP, the trade association responsible for certifying WiFi products came up with a new standard known as Wireless Protected Access, or WPA.  WPA was intended as an intermediate measure to secure wireless networks until the more secure WPA2 was finalized in 2004.  While much more secure than WEP, WPA and WPA2 still suffer from vulnerability to “brute-force” attacks which rely on repeatedly guessing different passwords until a match is found.  WPA/WPA2 do not have the weakness that existed with WEP, and as of today are still considered secure as long as certain best-practices are followed when implementing networks to mitigate the vulnerability to brute-force attacks.

With WPA/WPA2, there are two options for implementation.  The first is known as “personal” mode, where all devices on the network share the exact same key.  This would be like having a regular door lock to your office, with a single key and lots of copies for all your employees.  The problem here is that if one key is stolen, you have to re-key the lock and give out new keys.  This is okay as long as you only have a handful of the same key to replace, but if you have more devices it can become a hassle to change your entire network this way.  The second method of implementation is known as “enterprise” mode, and requires an additional piece of equipment that stores credentials.  Every device on the network is given its own key to connect instead of sharing a single key.  This would be like having a keypad lock on your office, and each employee having their own combination.  If one combination is compromised or an employee leaves the company, it is a much easier task to simply invalidate the combination and give the user a new one.

Recommendation

Our recommendation is to implement WPA2, and if you do not have a large quantity of wireless devices, to use it in “personal” mode.  This represents a high level of security with lower cost than enterprise mode.  If you find yourself having to reconfigure your network regularly due to theft of devices or employee turnover, however, then enterprise mode may be appropriate for you in order to simplify management of the network.  In addition, using a strong 13 character or longer value for the key will ensure that brute-force attacks are unlikely, and reading your data would take thousands of man-years.

Remember that regardless of the encryption methods in place, given enough time and resources, your data can eventually be compromised.  The intent of encryption, however, is to make the time and resources required unreasonably large.  This is what was meant by “adequate” security.  Does your attacker really have thousands of man-years to spend trying to crack open your encrypted data?

Why is my wireless network so slow?

Published Apr 22, 2013 by

Struggling to figure out why your WiFi connection feels sluggish compared to your hard-wired devices? Perhaps its not the fault of the technology, but an issue with configuration and utilization.

Perfect World, Worst Case

With wireless technology, every device operating in the same frequency shares the bandwidth available.  This includes not only the devices connected to your network,but ANY wireless devices operating in the same frequency range as yours, such as your neighbors’ WiFi.  Additionally, the rated speed of your wireless access point is not per-device, but a total shared rating. In a simplified perfect-world model, a WiFi router with ten devices utilizing their connection to capacity (worst case) is only capable of providing one tenth that speed per device. Remember those “walkie-talkies” you played with as a kid?  Only one of you could transmit your voice at a time.  The same concept applies here, which is why the bandwidth is shared.

Real World Problems

In the real world, given the situation above, your connection speed would be much less when taking into account the additional network traffic associated with maintaining the connection and correcting for errors in transmission. Errors are introduced when some bit of information that is sent doesn’t make it to its intended destination or is unreadable, either due to the distance involved or radio interference (noise) that may be interfering with the signal.  That microwave oven in the break room next to your office?  It operates in the same frequency range as your WiFi connection, making it a direct source of radio frequency (RF) interference.  Cordless phones within your business environment?  If they are of the 2.4GHz variety, they can be an additional source of noise.

So how you do fix it?

You can reduce interference by relocating things such as microwaves and cordless phones, or simply operate on a frequency with less wireless traffic.  The wireless frequency range used by WiFi is split up into channels, which are smaller divisions of the total frequency range.  You may have seen the channel setting in your wireless access point and left it set to “auto” or some other default channel value.  Each channel uses a particular part of the wireless spectrum, and if you can select the channel with the least noise and least amount of utilization, you should be able to maximize the use of your wireless bandwidth.  Software exists that allow you to take an accounting of the wireless networks in your area and provide some easy to read visuals, letting you know which channel would be most advantageous for your network.

Screenshot of inSSIDer, a tool used for analyzing wireless networks.  Note lots of overlap in the graph at the bottom, giving us a quick visualization of wireless network channel allocations.

Screenshot of inSSIDer for Home, one tool used for analyzing wireless networks. Note lots of overlap in the graph at the bottom, giving us a quick visualization of wireless network channel allocations and channels to avoid.

Once you’ve determined which channel is most appropriate, you can reconfigure your access point to use that channel.  While the “auto” setting on most routers purports to do this, it is typically inadequate for high traffic areas or anything more critical than home usage, and manually setting the channel is preferred.  In the screenshot above, you can see that there are lots of networks overlapping in the middle of the 2.4GHz band.  It is also important to note that while 2.4GHz is the most widely used frequency, equipment can also be purchased that operates in the 5GHz range with reduced interference.  However, this frequency is not without drawbacks, most notably reduced operating range and increased cost.  As such, 2.4GHz is usually the better choice overall.

Conclusion

Besides the unrealistic expectations of relocating all your office microwaves to the farthest end of the hall or forcing your company president to stop using the cordless phone in his office suite (both of which will not help your reputation), channel selection is the best option for maximizing wireless bandwidth availability.  It is one of the easiest fixes to make, but also one of the easiest to get wrong if ignored. Don’t forget, however, that a hardwired Ethernet connection will always win out in speed and security (which we’ll cover in a future post), and wireless connections should only be used if absolutely necessary.