How Do You Protect Your Sensitive Data/Passwords? Let's Encrypt!
A constant gripe our customers have is the number of passwords they are expected to remember for all the online services they use. We know all too well what they mean!
If it isn't bank details, it's PayPal, eBay, their email (and don't underestimate how seriously you should take the security of email: that password is perhaps the most valuable of all, because every password-reset request arrives there, so if somebody cracks it they can easily work out all the others), e-commerce/CMS control panels, web hosting details (and potentially a chunk of brand identity: domain names!). With many of these, the username is public information, so the password alone is the key to your potential downfall! The length of this list and the sensitivity of its entries should not be underestimated. Remember that most people shred their physical documents before placing them in the bin, even if they only contain a name and address; we are talking about much more sensitive information here!
So, what common means have we encountered people using to address the issue of keeping track of all this information? This is by no means exhaustive, but rather a sample of the more common methods:
Writing them down in plain text in a document on their PCs
Hopefully it is obvious what is wrong with this, but if not, here goes...
How easy is it for somebody to read that list if your physical computer gets stolen (more likely with a laptop, too)? Somebody need not even steal the PC. We all like to feel we can trust our friends, family, cleaner or gardener, but people do get betrayed by those they feel they can trust, and it isn't worth putting that trust to the test with this information. And what if you send the PC off for repair? We've seen computer support companies cloning disks, legitimately, while fixing PCs, only to reuse the clone in another user's computer without forensically wiping it. So now an unconnected third party potentially has access to that data, and relatively easily too. Also, did you know that some viruses actively search the contents of your computer for usernames and passwords? This practice is utter madness!
Writing them all down in a notebook, kept in their top drawer next to their computer.
Well, this does overcome the threat from viruses and from somebody having a crafty look on the PC, and the PC repair scenario too. If just your computer is stolen then you're also winning with this one, I guess. The paper notebook itself could of course be stolen with the laptop; if you were carrying out such a crime you might well look for a book of this nature (yes, true, you could hide it somewhere else). But typing passwords in is a risk in itself, and you are forced to do this if they are stored in a book (store them on a computer and you can copy and paste). The risk is that some viruses come with key-logging functionality: they record your keystrokes and report back things like passwords, so copying and pasting rather than typing removes that particular exposure.
Remembering just one password and using it everywhere
Well, if it gets compromised you're stuffed, no matter how strong it is, and if you are using that strong password online you cannot guarantee how good the service you are using it with is at protecting it (you'll find out why this is important further down this article). You can't assume that simply avoiding tin-pot organisations is sufficient either; large, well-known services have leaked their users' passwords too.
Some people invent their own 'system of concealment' or rudimentary encryption
Rather than writing down 'password' (either electronically or in a book), they might write down 'qbttxpse', where every letter has been moved one place further along the alphabet, for example (obviously your passwords should be much more complicated than this; we will discover why in a minute).
This is better than the methods listed above, but it is a simple substitution cipher: there are only 25 possible shifts, so it isn't hard to crack (especially with weak passwords), and it still requires you to type the thing in.
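To show just how little protection a letter-shift 'system of concealment' gives, here is an added example (not part of the original article) that recovers the password from the concealed form. It assumes a tiny constructed wordlist standing in for the dictionary a real attacker would use; the only work involved is trying each of the 25 possible shifts and checking whether the result is a word.

```python
import string

# Constructed mini-dictionary standing in for a real wordlist (assumption:
# an attacker would use a dictionary of millions of words and leaked passwords).
WORDLIST = {"password", "secret", "letmein", "welcome"}


def shift(text, k):
    """Move every ASCII letter k places along the alphabet, wrapping round
    and keeping case; digits and symbols are left unchanged."""
    out = []
    for c in text:
        if c in string.ascii_lowercase:
            out.append(chr((ord(c) - ord("a") + k) % 26 + ord("a")))
        elif c in string.ascii_uppercase:
            out.append(chr((ord(c) - ord("A") + k) % 26 + ord("A")))
        else:
            out.append(c)
    return "".join(out)


def crack(concealed, wordlist=WORDLIST):
    """Try all 25 non-trivial shifts and return (shift, plaintext) for the
    first candidate that appears in the wordlist, or None if none does.
    At most 25 guesses are ever needed, which is why the 'system' adds
    almost nothing to the security of the password it hides."""
    for k in range(1, 26):
        candidate = shift(concealed, -k)
        if candidate.lower() in wordlist:
            return k, candidate
    return None


if __name__ == "__main__":
    concealed = shift("password", 1)
    print("concealed:", concealed)          # qbttxpse
    print("recovered:", crack(concealed))   # (1, 'password')
```

Note that a random 20-character password would not be recovered this way, because it is in no wordlist; the shift would then merely force the attacker into the brute-force attack described below, against which the shift itself contributes only a factor of 25.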
So what is the solution?
Firstly, please understand that we are aware some may look at this advice and consider it excessive or 'over the top', and we respect that. We are aiming to increase people's awareness of their exposure to risk and to advise them of some steps that can be taken to mitigate it. Adopting even one of these would at least be an improvement! If you are happy that you have done enough and satisfied your own concerns, then great! Please bear in mind throughout that complacency is the key to the criminal's success!
Also, it is worth noting that nothing is 100% foolproof indefinitely. What we do, however, is reduce the risk so significantly that it becomes unfeasible for somebody to overcome your chosen system. Then we monitor its effectiveness going forward to ensure we continue to be happy with the 'unfeasibly tiny' risk we take in storing this data. As a minimum, we recommend encrypting this data (which we'll get on to in a second) and protecting it with an extremely strong password.
What is encryption?
This is an immensely complex field and for most people there is no sense in understanding it in its entirety; there are many different algorithms and strengths, and we are interested only in the concept at this stage. Essentially, encryption is the process of taking human-readable data and, using a key (in practice, your password), converting it into an 'incomprehensible' string. Anyone who has the key can reverse the process and get the data back; anyone without it cannot. Closely related, and often confused with it, is hashing: a one-way function that turns any input into a fixed-length 'fingerprint' string that cannot be reversed, where the same input always produces the same output. (Some older hash functions, MD5 among them, allow two different inputs to produce the same hash; this is called a collision, and it is one reason they are no longer considered safe.) If you fancy having a play, type a password into any online hash generator: you should notice that you get the same hash for the same password each time you enter it. Granted, this is fairly basic, but keep it in mind for the section below about rainbow tables, because hashing is how online services store your password.
Why a strong password, and what is a strong password?
A strong password should be at least 20 characters in length and be a mixture of upper and lower-case characters, numbers and symbols. There should be no words, even with substituted characters (P455w0rd = Password; this is not secure). To understand why, you first need to know how passwords are cracked, but do head over to the Strong Password Generator to get some ideas as to what is strong. Remember: minimum 20 characters, and symbols too!
How are passwords cracked?
The first attack method is a dictionary attack, where the would-be attacker takes a dictionary of words and tries each of them. Next come words with obvious substitutions, so '1' instead of 'l', '0' instead of 'o' and so on. Then combinations of words, and then what is called brute force, whereby the password is attempted as 'a', then 'b', all the way through the alphabet, then numbers and symbols, then 'aa', 'ab', 'ac', 'ad' (hopefully you get the point). Brute force takes a huge amount of time: a long, random password of the kind described above could take millions of years for current computers to crack :-) More on this in a minute.
Another 'way in' for a would-be attacker is rainbow tables (mentioned above). With any reputable online service, the password you type in is never stored as it is; it is immediately hashed and only the hash is kept in the database. The only way to check that the correct password has been entered is to hash what you typed and see whether the same hash comes out. Now, if the attacker takes a dictionary of words in plain text (human-readable format) and precomputes the hash of every one of them (a rainbow table is a compact way of storing such precomputed results), then once he gets hold of the hashes from a breached database he can simply look each one up in his table and read off the password, with no cracking at all. Scary stuff, eh!? Well, a good online service mixes a random secondary value, unique to each user, into the password before hashing it. This value is called a salt, and it makes precomputed tables useless: the attacker would have to build a fresh table for every user's salt.
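The following is an added example (not code from the original article) that puts the last three sections together: the dictionary-plus-substitution attack, a precomputed hash lookup table used against unsalted hashes, and the way a per-user salt defeats that table. It also works out how long exhausting the full keyspace would take for the author's 20-character recommendation. The wordlist, the guess rates and the use of SHA-256 as the site's hash are constructed assumptions for illustration; real attackers use far larger wordlists, and real services should use a slow, purpose-built password hash rather than a bare SHA-256.

```python
import hashlib
import hmac
import itertools
import os

# Constructed wordlist standing in for a real dictionary (assumption: a real
# attacker uses millions of words plus passwords from previous breaches).
WORDLIST = ["password", "letmein", "welcome", "monkey", "dragon"]

# The 'obvious substitutions' of the attack ladder.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def candidates(words):
    """Yield each word and every variant with some or all of its
    substitutable letters replaced by digits, in lower-case and
    capitalised form. This is the dictionary-plus-substitution step."""
    for word in words:
        positions = [i for i, c in enumerate(word) if c in LEET]
        for mask in itertools.product((False, True), repeat=len(positions)):
            chars = list(word)
            for use_digit, i in zip(mask, positions):
                if use_digit:
                    chars[i] = LEET[chars[i]]
            variant = "".join(chars)
            yield variant
            yield variant[0].upper() + variant[1:]


def digest(password):
    """Unsalted hash of the password, as a poorly run site might store it."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words):
    """Precompute hash -> plaintext for every candidate (the lookup table a
    rainbow table stores compactly)."""
    return {digest(c): c for c in candidates(words)}


def reverse(table, leaked_digest):
    """Look a leaked hash up in the table; None means it is not in there."""
    return table.get(leaked_digest)


def store_salted(password, salt=None):
    """Store 'salt$hash' where hash = SHA-256(salt || password) and the salt
    is a fresh random value for each user."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + hashlib.sha256(salt + password.encode()).hexdigest()


def verify_salted(stored, attempt):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    salt_hex, _, expected = stored.partition("$")
    actual = hashlib.sha256(bytes.fromhex(salt_hex) + attempt.encode()).hexdigest()
    return hmac.compare_digest(actual, expected)


def brute_force_years(alphabet_size, length, guesses_per_second):
    """Years needed to try every string of this length over this alphabet."""
    return alphabet_size ** length / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    table = build_table(WORDLIST)
    leaked = digest("P455w0rd")
    print("unsalted P455w0rd recovered as:", reverse(table, leaked))
    stored = store_salted("P455w0rd")
    print("salted hash found in table:", reverse(table, stored.split("$")[1]))
    print("salted verify of right password:", verify_salted(stored, "P455w0rd"))
    # Assumed guess rates: 1e9/s for a single PC, 1e12/s for a GPU rig.
    print("8 lower-case letters at 1e9/s: %.2g years" % brute_force_years(26, 8, 1e9))
    print("20 mixed chars (94 symbols) at 1e12/s: %.2g years" % brute_force_years(94, 20, 1e12))
```

The substitution step finds 'P455w0rd' among a few dozen guesses derived from one dictionary word, which is why the article says substitutions do not make a word secure. The salted hash is not found in the table even though the password is identical, because the table would have to be rebuilt for that user's salt. The final two lines show why length and a wide character set matter: the 8-letter keyspace is exhausted in seconds, while the 20-character one runs to many billions of years even at a trillion guesses per second.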
Okay, cut to the chase, what are we saying?
Encrypt your sensitive data using an extremely strong password that you can remember and a proven encryption tool. It is so easy to do that there is no excuse for not doing it. Use a wide variety of good, strong passwords for online services, and vary the email address you use with each if possible (easy if you have a domain name of your own).
For encryption, we recommend TrueCrypt. It allows you to create encrypted containers on your hard disk in which you can store your selected sensitive data, or you can encrypt your entire system (very sensible if you let your browser remember your passwords or you use an email client like Outlook or Thunderbird; but remember, with whole-disk encryption your data is accessible once your machine has booted up, so you are still exposed to viruses and opportunist snoopers, which is why a separate container that you mount only when needed and unmount afterwards is recommended too) and external USB devices. It is platform independent, so the same volumes are accessible on Windows, Mac and Linux, and it is pretty much uncrackable if you choose a strong password, as the FBI discovered. Better still, it is open source and it is FREE! (Note that TrueCrypt's own developers ended the project in 2014; its maintained successor VeraCrypt works the same way and can open TrueCrypt volumes.)
Remember: complacency is the key to the criminal's success!