
Sunday, July 22, 2012

A Few Things You Didn't Know About Your Passwords

Passwords are used in email accounts, online shopping, social networking sites, online banking, etc. They, and other methods of authentication, are used to protect information available on the world wide web from unauthorized viewing. However, many people have relatively simple and insecure passwords that might not stand up to the various password attacks that malicious users are capable of. Among these attacks are brute force, dictionary, and hybrid.

Brute Force Attack
A brute force attack is a method of password cracking that tries every possible combination for a password. To illustrate, brute force cracking software may begin cracking a password with the following guess: a. Then it might try b, then c (I'm sure you can see where this is going). A brute force attack simply, mindlessly goes down a list of characters and enters those as guesses. Once it exhausts all possible one-character passwords, it moves to two-character passwords (i.e., aa, ab, ac, ad, etc.). There is a significantly larger number of possible two-character password combinations than there are one-character password combinations, and this additional length is what makes a password more secure. This is by far the most time-consuming password attack, but given enough time, it will eventually succeed.

Dictionary Attack
A dictionary attack uses a word list to crack passwords. The software references the words in the list (e.g., dog, cat, bear) to form its guesses. Often, dictionary attack software is able to append random numbers or symbols before or after dictionary words, making a password like coffee22 very weak if the word coffee is in the attacker's word list. These word lists are usually not user-generated, so they can be very large and extremely exhaustive. Regardless of whether the words in a given password are obscure or not, it is highly likely that they are contained somewhere in an attacker's word list.

Hybrid Attack
A hybrid attack combines the use of dictionary words and symbols to allow for the replacement of certain letters with symbols. This attack is very helpful against passwords written in "l33t speak". An example of a l33t speak password is the following: k!ngsc0ff33. Certain letters have been replaced by either a number or a symbol so that an actual word is not formed, thus defeating a simple dictionary attack. However, hybrid attack software has the ability to take a dictionary word list and make numero-symbolic replacements of particular letters: 3 for e or E, @ for a or A, 1 or ! for i/I or l/L, and so on. This makes the above-mentioned password example very susceptible to cracking.

How to create a secure password
First, a secure password must have a proper length. It is recommended that your password consist of at least 8 characters. Assuming that your password is complex enough (such that dictionary and hybrid attacks are impossible), an 8-character password can take up to 11 years to crack (assuming that the cracking software takes into account all 26 letters, both upper and lower case, 0-9, and basic punctuation). This number, of course, changes depending on how many computers are working together to crack the password, but even with 50 computers at 2,800,000 password attempts a second, it would still take up to 75 days to crack the password. Typical password-changing policies recommend changing passwords at most every 60 days, so your password might very well get changed before the attacker has a chance to crack it.

In addition, dictionary words and dictionary words written in l33t speak are highly discouraged. It is recommended that you include numbers and punctuation in your password, but not as replacements for letters in a word. Instead, it is best to use them sporadically in a password to make it more complex and less susceptible to dictionary/hybrid attacks.

With all this talk about security, it is easy to forget about the need for a password to be memorable so it's not forgotten. Although increasing the character length above 8 characters will make the password more difficult to brute force, it often is unnecessary (and in the case that the password is 14 characters worth of dictionary words, this will be defenseless against a dictionary attack). So, 8 characters will do the trick.

Here's an example of how to form secure, but memorable passwords.
ilcvm (I begin with a memorable word or short phrase; acronyms can also be helpful; this one stands for "i love coffee very much")
IlcVM (I make some of the letters uppercase; this is made memorable because the acronym would appear as "I love coffee VERY MUCH")
IlcVM11 (include some numbers such as your favorite number)
&IlcVM11 (add punctuation)

This creates a final password of &IlcVM11. The only way this password is going to get cracked is by using the brute force method, which will take a very long time.
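To make the three attack models concrete from the defender's side, here is an added Python checker (not code from the original post). It undoes common l33t substitutions, strips appended digits and punctuation, and tries to split what remains into dictionary words, which is exactly what defeats coffee22 and k!ngsc0ff33; for a password that survives that, it estimates the brute-force search space and worst-case time. The word list, the l33t map and the sample passwords are constructed; the 2,800,000 guesses per second and the 50-machine case are the post's figures; the punctuation set is an assumption (Python's string.punctuation, 32 characters), so the resulting day counts differ from the post's rounded ones.

```python
import itertools
import string

# Constructed, tiny word list standing in for an attacker's dictionary. Real lists
# hold millions of entries, so an "obscure" word is still likely to be present.
WORDLIST = {"i", "love", "coffee", "very", "much", "king", "kings",
            "dog", "cat", "bear", "password", "secret", "sun", "shine"}

# Reverse l33t map (constructed): each digit/symbol lists the letters it may stand for.
LEET = {"3": "e", "@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
        "7": "t", "1": "il", "!": "il", "|": "il"}


def unleet_variants(text, limit=256):
    """Yield every plain-letter reading of text obtained by undoing l33t substitutions."""
    choices = [LEET.get(ch, ch) for ch in text.lower()]
    # product() over the per-character choices enumerates all readings; limit bounds the blow-up.
    for combo in itertools.islice(itertools.product(*choices), limit):
        yield "".join(combo)


def segment(word, wordlist=WORDLIST):
    """Split word into a sequence of dictionary words (dynamic programming), or None."""
    best = [None] * (len(word) + 1)
    best[0] = []
    for end in range(1, len(word) + 1):
        for start in range(end):
            if best[start] is not None and word[start:end] in wordlist:
                best[end] = best[start] + [word[start:end]]
                break
    return best[len(word)]


def dictionary_weak(password):
    """Return the word split showing the password is dictionary-derived, or None if none is found."""
    lowered = password.lower()
    # Undo the hybrid trick of tacking digits/symbols on to the front or back of a word.
    stripped = lowered.strip(string.digits + string.punctuation)
    for base in (stripped, lowered):
        for variant in unleet_variants(base):
            if variant.isalpha():  # only an all-letter reading can be a sequence of words
                words = segment(variant)
                if words:
                    return words
    return None


def charset_size(password):
    """Size of the character set a brute-force attacker must assume for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols; the post's "basic punctuation" is smaller
    return size


def brute_force_seconds(password, guesses_per_second=2_800_000, machines=1):
    """Worst-case seconds to try every password of this length over its character classes."""
    return charset_size(password) ** len(password) / (guesses_per_second * machines)


def assess(password):
    """Summarise how a password fares against dictionary/hybrid guessing and brute force."""
    return {
        "password": password,
        "dictionary_split": dictionary_weak(password),
        "charset": charset_size(password),
        "days_one_machine": brute_force_seconds(password) / 86400,
        "days_fifty_machines": brute_force_seconds(password, machines=50) / 86400,
    }


if __name__ == "__main__":
    # Constructed samples: the post's weak examples, a classic l33t word, and the post's final password.
    for pw in ["coffee22", "k!ngsc0ff33", "p@$$w0rd", "&IlcVM11"]:
        r = assess(pw)
        if r["dictionary_split"]:
            verdict = "dictionary/hybrid: " + " + ".join(r["dictionary_split"])
        else:
            verdict = f"brute force only: up to {r['days_fifty_machines']:.0f} days on 50 machines"
        print(f"{pw:12} charset={r['charset']:3}  {verdict}")
```

Running the block reports coffee22 as coffee plus appended digits, k!ngsc0ff33 as kings + coffee once the substitutions are reversed, and &IlcVM11 as reachable only by brute force over a 94-character alphabet. The segmentation step is what distinguishes a pass-phrase acronym from a pass-phrase: "ilovecoffee" would split into words, "ilcvm" does not.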

Now go change your password and secure your data!!

Friday, July 20, 2012

A Few Things You Didn't Know About Your iPhone

It seems like everyone nowadays has an iPhone. We're constantly using it keeping tabs on our Facebook, Twitter, email, blogs (guilty as charged), and so on. But do you realize that our iPhones are also keeping tabs on us? It's true. Here are a few interesting things you didn't know about your iPhone.


Location Services menu
Location Services stores GPS locations on your phone
Whenever you have Location Services turned on, your iPhone begins to take and store your GPS locations and the dates/times you were at those locations on the storage of the phone. Because longitude and latitude coordinates take up so little space, your iPhone can store hundreds of these locations!

The average 4-character PIN takes at the maximum 30 minutes to crack
One might think, "Ok, then I'll just set my iPhone to wipe itself after 10 failed passcode attempts have been made." Unfortunately, this won't necessarily work. Software exists that can access the encrypted password file of the iPhone. So instead of entering every possible PIN combo into the lock screen (which after 10 attempts, would cause the iPhone to wipe), it picks a random PIN to try, uses the iPhone encryption algorithm, and compares it to the encrypted password file to see if it's a match.

"Cydia" app store for jailbroken iPhones
Jailbreaking substantially decreases the overall security of your iPhone 
Jailbreaking is the process of installing 3rd-party software onto an iPhone to unlock restricted features. It allows the user to install custom apps that cannot be found in the iTunes store and to customize various features of the iPhone. However, this process creates a gaping hole in iPhone security. iPhone system software is basically made up of two parts: system files and user files (music, apps, pictures, etc.). There is a lot of separation between the two in a non-jailbroken iPhone. However, in a jailbroken iPhone, apps are able to interact with system software components (for example, an app may be allowed to track your emails, call history, and text history, and even alert an attacker when you are making a call so that he/she can listen in).



Find My iPhone
To prevent data theft and privacy compromise, there is one app out there developed by Apple that can help you track your iPhone if it's lost/stolen. The app is called (simply enough) "Find My iPhone". Though there are other features to this app, the most interesting ones include the ability to remotely locate your lost iPhone via GPS (provided that Location Services is enabled for this app), remotely lock your iPhone if it's unlocked, or remotely wipe all your personal data from your iPhone. There are, however, a few drawbacks to this app. First, to locate your iPhone, you need another iOS device with "Find My iPhone" installed on it. Odds are, though, if you don't have another iPod touch/iPad, one of your friends has an iPhone and you can use theirs. Secondly, this doesn't work if your iPhone is off. Thirdly, if you have a 4-character passcode on your iPhone, it will be cracked quickly, and once it is cracked, the thief can put your phone into Airplane Mode, which disables any radio communication to and from the iPhone and, effectively, this app.

My recommendation for an ultra-secure iPhone: install Find My iPhone and use a complex password (you can set it in the General settings menu under the Passcode Lock submenu by turning "Simple Passcode" off). This way, if your iPhone is stolen, the thief will not be able to effectively crack your password (to put the phone into airplane mode) before you have a chance to either locate it or send the command to remotely wipe your personal data off it.