Posts Tagged ‘network security’

Common Password Mistakes and How to Create Stronger Passwords

September 20, 2011

A password is a secret word or string of characters that is used for authentication to prove identity or gain access to resources.  We encounter passwords in our daily lives: at the ATM, when logging onto our home or office computers, or when logging into our cable TV decoder to purchase a pay-per-view event.  We use passwords several times per day on our computers, for example when retrieving e-mail from servers, accessing programs, databases, or social networking websites, or even reading the morning newspaper online.  Computer passwords are our first, last, and best line of defense against damaging intrusions.  Companies rely on passwords to protect sensitive information from hackers.  Poorly designed passwords can leave us vulnerable to identity theft, financial loss, invasion of privacy, exposure of proprietary company data, and the sharing of sensitive or embarrassing information.  Here are some common password mistakes that users make, including examples of bad passwords.

The password is easy to locate

Even though people can create passwords with little security, IT professionals can be equally guilty of failing to enforce the rules. Here are some common password mistakes made by users and network admins alike.

Monitors are the last place anyone should find your password.

Whether the password is long or short, complex or simple, a password that is written down on a Post-it note and stuck on your monitor, beneath your keyboard, or in your desk drawer (that has no lock) offers as much protection as a system that has no password in the first place.  Your best bet is to create a password that you can memorize easily or retrieve from your (password protected) mobile phone.

The password is too short and simple

These passwords share two other things in common: they contain fewer than eight characters and they use a single character set, where the first password uses all lowercase letters, the second uses all numbers, and the third uses all uppercase letters.  Most password policies require that a password be at least eight characters long, with even more restrictive policies requiring the use of at least two or more character sets.

The password is too common


If any of these look familiar to you, change your password RIGHT NOW

Many users create passwords out of common phrases, obvious patterns, or combinations of words.  Part of the repertoire that hackers employ includes English and foreign language dictionary attacks.  Ironically, correctly spelled passwords are the easiest to crack by dictionary attacks.  Simply transposing a letter or number to its visual equivalent (swapping an “O” for “0” (zero) in “passw0rd”) is not enough.

Using the same password for all your accounts

If a hacker succeeds in cracking your password for one account, be it your e-mail account or your Facebook account, chances are, they will attempt to use that same password for every other online account that they determine is yours.  It is in your best interest to create a unique password for each online account that you own.

The password contains personal information

Avoid creating passwords that contain your name, home address, phone number, birthday, driver’s license, Social Security number, passport number, or similar information.

The password is based on your kids’ or pets’ names, nicknames, the names of characters in books or movies, or celebrity names.

If your Facebook profile can be viewed publicly, hackers can derive passwords based on the captions of your family photos or the books and movies that you “like”.

Reversing or capitalizing the last two types of bad passwords


Some words spelled backwards are other valid words. "Stressed" and "desserts" are two of them.

Reversing your home phone number or your granddaughter’s middle name may be more complex for you to remember, but not for hackers to decipher.  After all, hackers can do a reverse dictionary attack (where they look up all the words in the dictionary spelled backwards) in an attempt to steal your password.

Network system administrators are not off the hook when it comes to creating password policies.  Oftentimes, companies use password policies to keep the mistakes above from hampering security.  However, these policies must be implemented correctly in order to have an effect.  Here are some common password policy mistakes IT departments make.

Overdoing a good thing

If a network admin requires users to create new and extremely complex passwords every 30 days, the users may start to ignore the rules and keep the hard-to-remember passwords written down.

Applying password policies unevenly

Companies may require strong passwords for users during initial login, but at other levels of security, password policies may be much weaker.  Hackers who toil at cracking the user’s tough login password would be pleased to discover that security throughout the rest of the system is much more lax.

Allowing password policies to become outdated

While making users update their passwords every 30 days may be difficult for some users, not updating password policies at all would allow a system to become just as susceptible to attacks by hackers, who can rely on old information to gain access.

To protect themselves from identity theft, financial loss, or loss of privacy, users should actively and regularly create strong passwords.  Here are some guidelines for creating a strong password.

Keys to password strength: length and complexity

An ideal password is long and contains letters, punctuation, symbols, and numbers (that is, it spans four character sets: lowercase letters, uppercase letters, numbers, and special characters).  If possible, use a password of at least 14 characters that spans all areas of your keyboard, using letters and symbols you use less frequently.

Create a strong password you can remember

Microsoft outlines a method to create a long, complex password:

Start with a sentence or two.

  • Complex passwords are safer and easier to remember.

Remove the spaces between the words in the sentence.

  • Complexpasswordsaresaferandeasiertoremember.

Turn words into symbols, numbers, or shorthand.

  • ComplexpasswordsRsafer&easier2remember.

Add length with numbers.  Put numbers that are meaningful to you after the sentence.

  • ComplexpasswordsRsafer&easier2remember2011.

Another site has additional suggestions for how to create a stronger password that is difficult to crack, yet easy to remember:

  • Choose two short, unrelated words (like your favorite exercise, animal, flower, or weather, for example) and join them with an arbitrary number and/or symbol.  Examples: “jump3$lily” or “dog+rain”.
  • Use first letters of a sequence.  For example: your nephews (named Jeremy, Roger, and Allen) and their ages: “8Je9Rog12Alle”.
  • Make a really long password from a sentence.  Examples: “IwentskydivinginApril87” or “0416istheBostonMarathon”.
  • Select a line or title of a song or poem, and use the first letter of each word.  For example: “Who ya gonna call?  Ghost Busters!” would produce “Wygc?GB!” or “You can’t always get what you want” yields “Ycagwyw.”  Even better, throw in a number or punctuation mark in the middle: “Ycag$wyw”.
  • Alternate between one consonant and one or two vowels, up to eight characters.  This creates nonsense words that are still usually pronounceable, and thus easily remembered.  Examples: “routboo,” “quadpop,” and so on.
  • Consider treating your password as multiple parts: a central core and a prefix and/or suffix when needed that is specific to the service the password protects.  For example: your core might be “gPw4” (that is, “generic Password for…”) and then if it’s a password for a newspaper website like the New York Times, you might choose to add “NYt” to the beginning or end of the password (“NYtgPw4”), while your password for eBay auctions might be “gPw4eBa” and your Yahoo! email password could be “gP4Y!e”.
  • Generate your own scheme very methodically.  Start with a word, and then delete a character or two, or perhaps just the vowels.  Throw in some numbers or punctuation.  Continue making the rules for yourself.  Choose something that would seem totally random to someone else but that makes sense to you.  Use your imagination!

Test your password with a password checker

Always run a password checker to evaluate your password’s strength automatically.  Your online accounts, computer files, and personal information are more secure when you use strong passwords to help protect them.
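The checks described above (the eight-character and two-character-set minimums, the 14-character recommendation, dictionary words and their visual-substitution and reversed variants) can be wired into a small checker, and the song-lyric method from the list above can be turned into a helper.  The code below is an added example written for this page; it is not the checker the post refers to and not Microsoft's or Google's code.  The wordlist is a constructed stand-in for the dictionaries and leaked-password lists a real cracking tool carries, and the substitution table and the `RECOMMENDED_LENGTH` constant are this example's own assumptions.

```python
import math
import re
import string

# Constructed sample wordlist standing in for the English dictionaries and
# leaked-password lists that real cracking tools carry (assumption, not a
# real list).
WORDLIST = {
    "password", "passwords", "complex", "safer", "easier", "remember",
    "stressed", "desserts", "monkey", "dog", "rain", "lily", "jump",
    "welcome", "football", "letmein", "qwerty", "ghost", "busters",
}

# Visual substitutions a dictionary attack simply undoes ("passw0rd" -> "password").
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

RECOMMENDED_LENGTH = 14  # the article's "at least 14 characters"


def character_sets(pw):
    """Count how many of the four sets (lower, upper, digit, symbol) appear."""
    flags = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(flags)


def keyspace_bits(pw):
    """Upper bound on strength: log2 of the brute-force keyspace for this
    length and these character sets. Dictionary structure lowers the real
    figure, which is why the wordlist checks below exist."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def normalize(pw):
    """Reduce a password the way an attacker's rule set would: drop a trailing
    year or age, undo leet substitutions, ignore case."""
    core = re.sub(r"\d+$", "", pw)
    return core.translate(LEET_MAP).lower()


def wordlist_hit(pw):
    """Return why the password falls to a wordlist attack, or None."""
    core = normalize(pw)
    if core in WORDLIST:
        return "wordlist entry (after undoing substitutions)"
    if core[::-1] in WORDLIST:
        return "reversed wordlist entry"
    return None


def check_password(pw):
    """Apply the article's rules and return findings a user can act on."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        problems.append("shorter than the recommended %d characters" % RECOMMENDED_LENGTH)
    if character_sets(pw) < 2:
        problems.append("uses a single character set")
    hit = wordlist_hit(pw)
    if hit:
        problems.append(hit)
    return {
        "length": len(pw),
        "sets": character_sets(pw),
        "bits": round(keyspace_bits(pw), 1),
        "problems": problems,
    }


def mnemonic(sentence):
    """First letter of each word plus its trailing punctuation, the song-lyric
    method: 'Who ya gonna call? Ghost Busters!' -> 'Wygc?GB!'."""
    parts = []
    for word in sentence.split():
        trailing = re.search(r"[^\w]*$", word).group(0)
        parts.append(word[0] + trailing)
    return "".join(parts)


if __name__ == "__main__":
    for candidate in ["passw0rd", "P@ssw0rd2011", "yeknom",
                      mnemonic("Who ya gonna call? Ghost Busters!"),
                      "ComplexpasswordsRsafer&easier2remember2011"]:
        print(candidate, check_password(candidate))
```

Running it shows why the article's advice is layered: "passw0rd" and "P@ssw0rd2011" pass the character-set rule yet collapse to "password" once the substitutions and the trailing year are stripped, "yeknom" fails as a reversed word, the song-lyric mnemonic passes every wordlist check but is still shorter than 14 characters, and only the sentence-based password from the Microsoft method comes back with no findings.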

Protect your passwords from prying eyes

If these strong passwords are still too difficult to remember, go ahead and write them down, but keep the written passwords in a secure location.  Once you’ve created a strong password, follow the suggestions below to keep it even safer:

  • Never share your password with anyone.  This includes family, friends, significant others, computer support people, and bosses.  If you need someone to read your email, many email programs (for example, Outlook) offer a “delegates” feature that lets certain people do so without using your password.  Check with your email provider.
  • Never say “yes” when your browser asks if you’d like to save your password.  Although it’s convenient, it’s not a good idea, especially when the computer you are using is shared.  Some computer viruses can even recover your passwords from your Internet browser and then e-mail them to random people or post them publicly on the Internet.  Turn the feature off to stop this from happening in the future, and remove any passwords that are already stored.
  • If you absolutely must write down a new password the first time or two you use it and until you can remember it easily, be sure you keep it in a very safe, hidden place—not a sticky note stuck to your computer or your desk!  Then, shred it—don’t just toss it in the trash—once you’re done.
  • Never send your password in email, even if the request looks official.  If you receive e-mail from someone claiming to be your systems administrator, requesting your password because they supposedly need access to your files, ignore it.  This is a popular phishing scam.  Remember, your computer support people will never ask you for your password for any reason.  If someone must ask you to change your password so that they can gain entry to your account, they do not have reason to be there!
  • Change your password often.  This is important, particularly for passwords that protect highly sensitive data.  And if you ever suspect your password has been compromised, change it immediately!

Google summarizes the above information in the following video:


Francis Unson

Hackers’ Next Victim: Nintendo

June 8, 2011

On Sunday, June 5, 2011, it was reported that Nintendo Co. had been hacked.  The security breach on their network was not as severe as the one on Sony’s PlayStation Network.  Hackers were not able to obtain any sensitive information, nor have the attacks caused any damage to internal systems that would inconvenience their customers in any way.  The latest attack has raised questions over who exactly is responsible for hacking these online servers.

Nintendo is the latest victim in a string of high-profile attacks on its servers and network, which should serve as a wake-up call for other companies to bolster security defenses on their own computer network.

Unlike many security breaches which are done anonymously at the hands of obscure hackers, the group who took public responsibility for hacking Nintendo is called LulzSec.  LulzSec has claimed responsibility for hacking other websites, as well, including some of the Sony websites.  LulzSec stated on Twitter: “We’re not targeting Nintendo…we sincerely hope Nintendo plugs the gap.”  The group also confirmed Nintendo’s claims that no important customer data was lost in the breach, stating, “we [sic] just got a config file and made it clear that we didn’t mean any harm.  Nintendo had [sic] already fixed it anyway.”  The recent string of security system breaches serves as a wake-up call for other companies to bolster security defenses on their own computer network.


Joie Montoya

Sony Gets Hacked Again

June 1, 2011

In April of 2011, the Sony Online Entertainment network was hacked.  I was dismayed to hear that Sony was hacked again, putting even more users at risk.  Hackers may have stolen the personal information of 24.6 million Sony Online Entertainment users, the company said on Monday, May 2.  More than 20,000 credit card and bank account numbers were also put at risk.  This is in addition to the recent leak of over 70 million accounts from Sony’s PlayStation Network and Qriocity services.  On Monday May 2, 2011, Sony released this statement, “We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyberattack”.

For the second time in as many months, Sony's network was hacked and the personal information of 25 million users has been stolen. What action is Sony taking against these attacks?

Not only is this affecting users in the United States, but it is also affecting users worldwide.  12,700 non-U.S. customers, plus 10,700 direct debit customers in Austria, Germany, the Netherlands and Spain, are at risk of having their bank-account numbers, names and addresses exposed.  The PlayStation Network is still down and will remain closed for a few more weeks.  In order to make it up to their customers, Sony is offering a selection of free downloadable content along with 30 days free for all premium services.  Sony has not decided when the Sony Online Entertainment services will officially be back online.


Joie Montoya

Sony’s Network Security Breach: the Global Outage (and Outrage)

May 9, 2011

On April 17, 2011, hackers gained access to Sony’s PlayStation Network.  At first, the company thought it would be able to keep damage to a minimum, but as it turned out, the hackers were able to access the account information of the network’s 77 million users.  As a result, many of Sony’s PlayStation customers were very upset that their information had been exposed.  The only way Sony was able to stop the hackers from accessing any more information was to completely shut down the network.

Sony's PlayStation Network is the latest target for the company's most valuable asset: its customers' personal information. The security breach has affected users around the world.

The Sony security breach has impacted PlayStation users on a global scale.  Not only are customers upset because access to the PlayStation Network was disrupted, but they are also upset because they are now at risk for identity theft.  Since PlayStation is a gateway to an Internet-connected network, it requires users to provide information such as birth dates, mother’s maiden names, and addresses, all of which could be used to access users’ bank accounts.  Tom Standage, a technology editor for The Economist, said, “So the danger is that if your passwords and personal questions — your mother’s maiden name — so forth, the answers to those questions have been made available, fallen into the hands of hackers, then they could potentially use that for identity theft, to get into things like your bank account, and other online systems where you might have provided your credit card details.”  Let’s hope Sony resolves its issues and looks into more effective ways to secure its network.


Joie Montoya