The “Dark” Web

Or: Why you shouldn’t use Experian/LifeLock Dark Web Monitoring

You know “the web”. This is what you and your friends visit, link to, and find in search engines.

The “dark web,” as the marketing people use the term, is pretty much everything else.

While most associate the dark web with the “evil” places on the Internet, that’s simply not true. It’s a branding thing – use words like dark or black and suddenly people think “evil.” Strictly speaking, the dark web is the small set of overlay networks (Tor hidden services, I2P and the like) that need special software to reach; the far larger “deep web” is simply everything search engines don’t index, and the monitoring products lump the two together. The vast majority of it really is just the rest of the Internet that you’ve never seen or heard of, or which doesn’t show Google/Meta ads or push their approved narratives, so search engines don’t index it. Bob’s Antique Shoe Repair, that tiny diner whose website is just a picture of the menu, and the pages on a poorly designed site that aren’t linked to effectively from anything else. These all end up invisible to the typical person because the Internet is just so insanely massive.

Don’t get me wrong, there are evil parts of the dark web, as there are of the web you know already. Facebook has actively been supporting child porn on their platform. So has Google. As well as racism, intolerancemurderporntrafficking, and more. That last one is a joke, but it also really demonstrates the ridiculousness of allowing a social media site like Facebook, which allows all of this evil, to remain in control of the approved narratives for everyone else.

Anyway…this isn’t about that. What we need to talk about today is whether the “dark web” fear tactics from Experian and other credit reporting agencies, as well as exclusively-profit-driven Norton LifeLock and other “dark-web monitoring” services, are actually doing you a favor by warning you about the appearance of information “found” on the dark web.

No. No, you don’t need to worry. As long as you’re using new, strong, unique passwords for every single website and service, one more site being hacked and your data landing in one more place doesn’t change your exposure on the password side at all. What to do about the rest of the leaked data (watch your statements, freeze your credit) is covered below.

I briefly covered part of this in the Dictionary Attacks & Targeted Dictionary Attacks sections of the recent Password Advice article: there are literally billions of hacked accounts reported every single month. HIBP covers only a tiny fraction of them – less than 3%. If HIBP hasn’t found it, there’s very little chance Experian will. Experian telling you the same thing that’s been reported in dozens of MSM stories and news articles shouldn’t really surprise you. What would surprise me is if they found anything new.

It is impossible to stress just how significant unique passwords are. Invest your time and mental focus on creating unique passwords instead of worrying about the dark web.

For the rest of this article I chiefly name Experian, but it would be safe to mentally replace it with any of these other “dark-web monitoring” companies and the advice still applies. Experian is just a perfect demonstration of why you don’t feed these gremlins.

The impetus for this particular article is a friend who was concerned about Experian reporting that her information was “recently” exposed in an AT&T data leak. This leak, which AT&T vehemently denied for weeks (years, actually) before finally acknowledging it on March 30th, 2024, contains 73 million customers’ information, and was added to the Experian “dark web” reports on April 26th, 2024. Experian waited almost a month to even acknowledge data that had been available to anyone for months prior, that AT&T knew about for months, that had actually been compromised five years ago, and that had been available on the dark web, linked to on many security forums, three years ago.

Okay, so they’re slow, that doesn’t mean it isn’t important.

That’s true. It does, however, strongly suggest that they’re not pulling their weight. You see, the dark web monitoring is one of their paid services and it took them literally months to find information that was being publicly disclosed on many popular technology websites, years after it was posted on the popular dark web info-trading sites. Do you really think they’re capable of finding information in time to make any difference?

More importantly, is there any information about you whose leak or compromise would make that much of a difference to your daily life? Your bank account or financial information, maybe your passwords (especially if you reuse passwords)…anything else? Checking your credit a few times per year, or being alerted months after something got out, isn’t going to help. Monitor your bank, financial, and investment accounts rigorously. Check them at least once per month, since most institutions’ fraud policies (and, in the US, the Regulation E and Regulation Z dispute windows) only give you about 60 days from the statement to report a bad transaction. If you’re not checking your statements, anything Experian or LifeLock told you would be too late to act on anyway.

There are other concerns, though.

It’s not merely that Experian is ineffective. These services actually increase your risk.

Sites and services that collect sensitive information are prime targets. That is, Experian is more likely to be a target than Betty’s Knitting Hub. A relatively minor hack on Experian (or LifeLock) could result in major data access. Even a single customer record could enable an attacker to abuse someone’s entire identity. Experian is no stranger to this. At all.

The sensitive information I’m most concerned about isn’t your credit report data or your name, date of birth, or SSN. All of that can be obtained in seconds with a background check – cheap. No, what I’m concerned with is all the data that you are required to populate into the “my private information” form on the Experian (or LifeLock) website so they know what to look for on the dark web. Stuff like your email addresses, phone numbers, user names, bank account numbers, credit card numbers, passwords, investment account details…you know, all the things an actual hacker would consider a wonderful treasure trove. This “feature” isn’t the same thing as adding your personal information to a credit report, as credit reports are actually limited in what they store and share, and for good reasons. The “monitoring” feature is wholly different because it literally creates a single repository that hands an attacker who gains access to that one page a lottery-winning level of access to your information.

Question: If you give this information to Experian and Experian gets hacked and your data gets leaked as a result, what do you think the resolution is going to be? Maybe a couple years of “free” service from the same company that got hacked in the first place?

Yes. They were hacked. A lot. A whole lot. And that’s when they weren’t just flat-out selling your information.

Experian and Norton LifeLock have been hacked before. Lots. However, if you populate these forms, an attacker wouldn’t even need to hack Experian or LifeLock. All they need to do is gain access to your one online account (at Experian or LifeLock) and suddenly they have this huge treasure trove of information. Using a good password is an absolute necessity, especially in cases like this, but their account validation systems have proven to be quite defective in the past, so I wouldn’t trust them with any additional information.

DO NOT give these data brokers any more information than they’re already going to sell or allow to be hacked. The benefit, even if there were any, is far outweighed by the massive additional risk.

Instead of using these ineffective and oft malicious services, just use new, strong, unique passwords on each site and take a few minutes each month to look at your statements.

Regards,

Shawn K. Hall

Password Advice

This is a long and extensive article covering my basic password advice and reasoning. Please take the time to read it and if you have any questions comment below and I will respond.

Assume the worst

Whenever you start dealing with password problems, it’s safest to assume all passwords and accounts are compromised. If someone had access to your device then collecting your passwords from Chrome, Edge, Firefox and Safari would take only seconds. Even if you don’t store your passwords within your browser then the attacker could still collect your passwords from an installed keylogger or other malware.

Do not change your passwords until each of your devices has been disinfected, of course. It doesn’t make sense to give the attackers direct access to your new logins so clean it up first.

While changing passwords is a good first step, if you do not check the filters/rules, forwarding, reply-to, and active sessions for your email accounts then any passwords you change are moot, since the attacker could continue to have access to your email accounts and can simply reset any passwords you’ve changed. The “forgot password” option on most websites sends an email to reset your password and often requires no additional validation.

Why use a password manager?

Using the native browser password management system (such as the Google Password Manager in Google Chrome) means that if your browser or Google account is ever compromised, or if someone manages to have even brief access to your computer, or if a piece of malware running as you steals the local password database from the browser, then your passwords are all immediately and completely compromised.

Not using a password manager means that you have to have a written record of all your passwords somewhere. I’ve seen this implemented as a wall of papers with painstakingly recorded names, username and passwords, as a “password book” where two thirds of each page is scribbled out, as drawers full of sticky notes, paper scrap or 5×7 cards each with a different account, within Notes or Contacts on iPhone & Android, and as a single monumental spreadsheet or document.

These are all bad ideas.

None of these offer any protection against phishing – nothing checks that the site you are typing into is the one the password belongs to – and either the data is physically exposed to anyone who enters the room or rummages through a drawer, or it is unencrypted and available to anyone with momentary access to the device to open Notes or Contacts, including malware or rogue apps.

Knowing the username and password for a website is only part of safely authenticating: password managers ensure that you are using the login details ONLY on the real website you saved them with, and warn you if you try to fill them anywhere else. This alone can prevent most phishing attacks.

The worst of these is using the Notes or Contacts app on a smart phone. Not only is there no password protecting it beyond the device unlock, but using it means copying and pasting passwords, which puts them on the clipboard. Any app in the foreground can read the clipboard, and older versions of Android let background apps read it too; iOS 14 only added the on-screen “pasted from” notice, iOS 16 the permission prompt, and Android 10 the foreground-only restriction. It’s announcing your password to potentially malicious or rogue applications. Why would a flashlight app need to view your clipboard? Simple answer: so it can hack your accounts.

Using a third-party password manager solves each of these potential issues by locking the password “vault” with a key derived from your master password through hundreds of thousands of rounds of a key-derivation function (Bitwarden’s default is 600,000 PBKDF2-SHA256 iterations, or Argon2id), so simply copying the vault file itself will not enable an attacker to compromise your accounts. All they have to work with is a brute-force attack on your master password, slowed down by that same factor on every guess.

One other benefit of a password manager is that it will synchronize between your computers, phones and tablets so your passwords will automatically be available on each device, in every browser, and in most apps. You will still have to enter the master password, of course.

I recommend Bitwarden, which is free for most people’s needs:
https://bitwarden.com/

The basic version (all that most people require) is free, open source, cross-platform and well-maintained.

Once you have a password manager set up you can then generate new, strong, unique passwords for each of your other accounts with minimal effort.

Master Password

Before you begin using a password manager you will need to think of a master password.

All password managers operate through a “master password” mechanism. They basically use a single password that unlocks access to your “password vault” which holds all of your other passwords, so it needs to be memorable, strong, long and completely new. Something not remotely like anything you’ve ever used before.

Your master password should be a bare minimum of 24 characters. If you’re comfortable typing more, go big. I recommend using an entire phrase: something like a line from a song, a Bible verse, a quote, or something else like that which you are unlikely to forget. Just make sure you change it a little bit so that it cannot be easily cracked by someone who uses these same rules for building their cracking dictionary. 🙂

One note if you choose a song: make sure you don’t hum or sing the song while you are typing it. An observer would be able to use this hint to improve their chances of accessing your accounts.

It should go without saying, but I will say it anyway: do not use the same stinking password you’ve been using since you first touched a computer as your master password. Trust me when I say it’s a bad password. A very bad password.

Note: Real password managers don’t keep a copy of your master password, so if you forget it, the vault is gone; the most you can do is delete the account and start over with an empty vault. Bad password managers allow recovery or reset of the master password, but they should be avoided since this means the vault is never really secure. Some “business”-type password managers provide recovery through the business as long as the business account is still accessible. This is okay as long as you trust the business with access to your passwords, or use it only to store the business accounts.

Length and Entropy

For all passwords, I recommend using a minimum of 24 characters, randomly-generated, including mixed case + symbols + numbers. If you don’t yet have a password manager like Bitwarden or RoboForm then you should do that first. If the site won’t let you use that many characters, use as many as it will allow.

ALWAYS use a new, unique, long, random password for each and every account.

An 8-character password is a joke. There are only 96^8 possibilities in an 8-character password built from 96 printable characters, or 7,213,895,789,838,336 variations. Roughly 7 quadrillion. The CPU on my 2016 laptop manages about 14.4 billion guesses per second against a fast hash, so it would take only 5.8 days to traverse the entire list. That assumes a single computer, an 8+ year old laptop, using only its CPU. A relatively inexpensive 2022 video card (GPU) manages on the order of a hundred billion guesses per second against a fast hash such as NTLM or MD5, which brings the same list down to under a day. Tandem or cloud computing reduces this to tiny fractions of that, scaling with the number of devices you throw at it. These numbers also represent the maximum time to process the entire list, not the average time to crack an actual password, which is about half that for a truly random password and far less for anything a human chose.

Furthermore, this assumes that most common printable characters are available and supported by the password platform. Many aren’t. Composition rules shrink the space further: requiring at least one digit throws out every password that contains no digit, which for 8 characters is (86/96)^8, about 41% of the space; requiring the first character to be a letter throws out 46% (only 52 of the 96 characters qualify); requiring a symbol costs only a few percent, but the rule still tells the attacker what to skip. These rules actually reduce potential password complexity in the name of increased security. Sigh.

15 characters isn’t long, either. A 15-character password still has relatively minor entropy – depending on the specific rules a site imposes, a 15-character password built from the same 96 characters has only 96^15 variations, or 542,086,379,860,909,058,354,552,242,176 possibilities. I know that looks like a long number, but in cracking terms, it’s not.

These numbers are all based on cracking based on the full scope of the potential passwords. The actual time to crack is much smaller when based on dictionary attacks. More on that later.

With today’s hardware, and GPU throughput climbing every year, you shouldn’t be thinking in terms of “how long do I have to make it?” but rather “how long can I make it?” (Quantum computers are not a practical password-cracking threat; Grover’s algorithm would at best halve the effective bit length, and a long random password has bits to spare.) Always use the longest password you can for any given site. For example, Facebook allows you to use a password that’s 500 characters long. Use it! That changes the number of variations to 96^500 (that’s about a thousand digits). Using a password manager makes generating, storing and filling this password a breeze.

But again, if you’re not using a random password then you’re still the “low-hanging fruit.” Instead of having to try 96^n variations for any given account, they only need to try the millions of “known” passwords, or even better, only the most popular 10, 100 or 10,000 known passwords. This tiny dictionary will often succeed since people use such weak passwords, so it minimizes the effort significantly. By using a randomly generated long password your passwords are vastly more secure.

If a password manager is not possible yet then use a long passphrase that includes MISSPELLINGS and not simply “1337 5p34k”. A passphrase is a series of words instead of simply characters. People assume this means that this alone means it is more secure. Unfortunately, that’s not always the case.

The potential randomness (entropy) in a single word drawn from the whole English dictionary (about 175,000 entries) is about 17.4 bits, less than what you get from only 3 characters of random text (96^3, ~885,000 possibilities, about 19.8 bits). And nobody draws from the whole dictionary: the few thousand words people actually use are worth about 12 bits each, so a passphrase of six common words is functionally equivalent to an 11- or 12-character random password, which is pretty weak.

Yes, passphrases are better because they’re longer, but if you use each word exactly as-is then you’re just trading entropy with a weaker scope. Adding random misspellings, numbers or symbols will significantly increase the value of using a passphrase. Not because a website requires it, but because it increases entropy.
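The arithmetic above (keyspace, time to exhaust it, what composition rules remove, what a passphrase word is worth, and the slowdown a vault’s key-derivation rounds impose on an attacker) is easy to get wrong by hand, so here is a small calculator I have added for this article; it is not the author’s code or any tool mentioned on the page. The alphabet size of 96, the 14.4 billion guesses per second and the 600,000 PBKDF2 rounds are the figures used in the text; the 100 billion guesses per second for a 2022 GPU against a fast hash is my own assumption.

```python
import math

ALPHABET = 96  # the character count the article's math uses (printable ASCII is 95)


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(count):
    """Bits of entropy for a uniformly random choice among `count` possibilities."""
    return math.log2(count)


def seconds_to_exhaust(count, guesses_per_second, kdf_iterations=1):
    """Worst-case time to try every candidate. `kdf_iterations` models a slow
    key-derivation function in front of a password-manager vault: every guess
    costs that many hash operations, so the attacker's rate drops by that factor."""
    return count * kdf_iterations / guesses_per_second


def keyspace_requiring_class(length, class_size, alphabet=ALPHABET):
    """Passwords that contain at least one character from a class of `class_size`
    symbols ("must contain a digit": class_size=10). Counted by complement:
    all passwords minus those with no character from the class at all."""
    return alphabet ** length - (alphabet - class_size) ** length


def passphrase_bits(words, vocabulary):
    """Entropy of `words` words chosen uniformly from a `vocabulary`-word list."""
    return words * math.log2(vocabulary)


def equivalent_random_length(bits, alphabet=ALPHABET):
    """How many random characters from `alphabet` carry the same entropy."""
    return bits / math.log2(alphabet)


if __name__ == "__main__":
    cpu = 14.4e9   # the article's 2016 laptop figure, guesses/s
    gpu = 100e9    # assumed: a 2022 consumer GPU against a fast hash (NTLM/MD5)
    for n in (8, 12, 15, 24):
        ks = keyspace(n)
        print(f"{n:2d} chars: {entropy_bits(ks):5.1f} bits, "
              f"CPU {seconds_to_exhaust(ks, cpu) / 86400:.3g} days, "
              f"GPU {seconds_to_exhaust(ks, gpu) / 86400:.3g} days")
    # Composition rules shrink the space, but not by 90% per character:
    full, with_digit = keyspace(8), keyspace_requiring_class(8, 10)
    print(f"8 chars, must contain a digit: {with_digit / full:.1%} of the full space")
    # What a passphrase word is worth depends on the list it was drawn from:
    for vocab in (175_000, 5_000):
        b = passphrase_bits(6, vocab)
        print(f"6 words from {vocab:>7,}: {b:5.1f} bits "
              f"= {equivalent_random_length(b):.1f} random characters")
    # A vault key derived with 600,000 PBKDF2 rounds costs 600,000 hashes per guess:
    years = seconds_to_exhaust(keyspace(8), gpu, 600_000) / 86400 / 365
    print(f"8-char master password behind 600k rounds, on the GPU: {years:.0f} years")
```

Run it as a script to get the table; the point to notice is that the “must contain a digit” rule removes about 41% of the 8-character space rather than 90% of it, and that six common words land between 11 and 12 random characters, exactly the “pretty weak” case the text describes.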

Password Hygiene: Why use random passwords?

The first thing that happens after a website is hacked is that the leaked passwords are used in “credential stuffing” attacks where the attacker tries each of your passwords on all of the most popular websites and many unpopular websites. The attacker can try thousands of websites at a time with your leaked login details within seconds after downloading the breach data. If you have been reusing passwords then this means that the password you used on a Walking Dead fan site or a CNN talkback page that gets hacked likely grants the attacker direct access to your Amazon, Facebook or even Wells Fargo account.

There are only three critical password rules to remember:

  1. Any password you can remember is not secure. (The only exceptions are the handful of long passphrases covered under Master Password and Device Accounts below.)
  2. Never reuse any password or any part of a password.
  3. Don’t share your passwords with anyone.

If nothing else, these rules are the best reason to use a password manager (such as Bitwarden, RoboForm, LastPass, Dashlane, or 1Password) that performs site validation (to prevent phishing) and includes a built-in random password generator.

HaveIBeenPwned (HIBP), a white-hat repository detailing hundreds of hacking events since 2007, currently has over 847 million unique passwords in their database. It also has a counter applied to each password, so you can see that 300,185 idiots all thought “P@ssw0rd” was actually a good idea. This number is vastly undercounted, too, since this number only represents the number of times that this password has appeared within these few publicly disclosed breaches, while most sites either still haven’t had their data compromised or, more likely, the compromised data is not yet public.

Every website will be hacked eventually, if it hasn’t been already. I’m seeing an average of 200+ major hacks every month, with the total number of compromised accounts in the billions. Every month.

Microsoft was hacked three times in the ten-month window between April 2023 and January 2024. Adobe has been hacked at least six times that we know about. The NSA, FBI, Department of Defense, Whitehouse, and most government agencies have been hacked at least once. Most businesses (including Microsoft) did not even know they were hacked for months or even years and take even longer before they acknowledge it publicly…if they ever acknowledge it publicly.

Looking through the HIBP breach reports I see that the typical business is hacked for just shy of a year and a half before discovering it (16.8 months on average). They just don’t know. It’s safest to assume every site is already hacked and will likely be hacked at least once per year. The best defense is to practice good security hygiene yourself to ensure that the damage any individual hacking event can cause you is minimal.

Every password will be hacked eventually. A mysterious international “state-sponsored” boogeyman isn’t necessary. Being a billionaire, politician, or other high-value target isn’t necessary, either. Any 12 year old can buy time on Amazon or other cloud providers to automate anything they want, including cracking passwords, and no human being will ever know what goes through a 12-year-old’s mind. They can even do so for free using a trial or by paying for it with stolen credit cards in order to avoid any expense at all.

Dictionary Attacks

People often assume that passwords are usually cracked using brute force: sending every possible random password combination that a site/service/app can support until the correct password is determined. However, since people almost always reuse the same passwords or the same passwords as everyone else, hackers usually perform a “dictionary” attack. This is when the attacker uses a collection of common passwords instead of randomly generating every possibility. These common passwords are usually from password dumps from previous breaches. The attackers test the most commonly used known passwords instead of wasting time & resources on less likely passwords. These lists are out there and they are huge.

Every person will be hacked eventually, but the point here is that while there are currently only 753 dumps worth of data in the HIBP database, the numbers show that most people never even consider password hygiene. 753 dumps and 847 million unique passwords might sound like a lot, but remember: there are currently over 200 major hacks every month. HIBP only includes a tiny, tiny fraction of the billions of accounts that we know have been compromised. If all the data from each of these hacks were actually available, the doom and gloom might be far worse. Maybe people are even worse than what the HIBP data shows? We don’t know. What we do know is that the numbers below are a signal based on what we can easily observe – the HIBP data. Nevertheless, what we see is truly terrifying.

According to the HIBP dataset:

  • 22,232 passwords have each been used by over 10,000 compromised accounts.
  • 1,222 passwords have each been used by over 100,000 compromised accounts.
  • 44 passwords have each been used by over 1,000,000 compromised accounts.

The top 10 most frequently used passwords account for over 13% of all accounts within the HIBP data. The 44 passwords with over a million accounts each make up a whopping 20.8% of all accounts within the HIBP data, so it is not an exaggeration to say that 20% of the world is using absolute crap passwords. Way more than that, actually, but isn’t that enough?

Here’s where it will really blow your mind: The top 10,000 most frequently used passwords account for 89% of all accounts within the HIBP data. Eighty-nine percent! That means that 9 out of 10 accounts in the world are likely able to be cracked with one of these mere 10,000 passwords. Put another way, almost 90% of the world is using passwords that are functionally no more complex than a 4-digit PIN (which also has only 10,000 possibilities).

Targeted Dictionary Attacks

Targeted attacks are quite different. Sure, the data is already depressing, but it gets worse. The password data from HIBP is generic and broadly applicable. People tend to use the same types of information in their passwords.

If you’ve been pretty good not to use one of these weaker passwords (on its own at least) there’s still the risk of a targeted attack. Targeted attacks will build on this corpus of information as well as a background check on the target individual. A background check will include your name, initials, aliases, email addresses, phone numbers, extended family members (grandchildren, children, siblings, parents, grandparents, cousins and so on) names and birthdates, neighbors, pets, physical and mailing addresses, cities, zip codes, business records, as well as public information you’ve posted on sites like LinkedIn, Facebook, Twitter and other social media.

Much of this information can be generated or collected in an hour or less or bought wholesale through any of a dozen providers that charge as little as $15/month for unlimited background checks.

This information is then added to a custom “personal data dictionary” about you and used as the basis for attacking your passwords. If you are one of the 7 billion people on planet Earth using these facts as the basis for any part of your passwords then this should concern you. Once a few mangling rules (capitalisation, a year or house number tacked on, a symbol at the end) are applied, the attacker’s effort drops from trillions or quadrillions of variations to a few thousand.

When personal data dictionaries are used together with your publicly available personal data from previous password dumps, an attacker can build up an exacting profile of the specific pieces of personal information you are likely to use when you build a password and programmatically predict every likely variation in mere seconds. Once a personalized data dictionary is generated, most passwords will be compromised near-instantaneously.
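To make the Dictionary Attacks and Targeted Dictionary Attacks sections above concrete, here is an added example (my code, not the author’s pwcheck or any real cracking tool) that tries a short generic “top passwords” list first, then expands a few personal facts with typical mangling rules and tests every candidate against a target hash. The profile, the top-passwords list and the victim’s password are all constructed for the example; real profiles and leak lists are much larger, and real targets are usually salted hashes, which change the cost but not the idea.

```python
import hashlib
import itertools

# Constructed stand-in for the frequency-ranked leak data (HIBP's list is far larger).
TOP_PASSWORDS = ["123456", "password", "qwerty", "P@ssw0rd", "iloveyou"]

# Constructed sample profile: the kind of facts a background check or a
# social-media scrape yields. Every value here is made up for this example.
PROFILE = {
    "words": ["shawn", "fluffy", "rover"],   # first name, pets
    "years": ["1975", "2019"],               # birth year, pet adoption year
    "numbers": ["123", "77"],                # street number, "lucky" number
}
SUFFIXES = ["", "!", "#", "1", "!!"]        # what people bolt on to satisfy rules
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def sha256_hex(s):
    """Unsalted SHA-256 of a candidate, as a hex string (the constructed target format)."""
    return hashlib.sha256(s.encode()).hexdigest()


def word_forms(word):
    """Case and leet-speak variants of one base word."""
    base = word.lower()
    return sorted({base, base.capitalize(), base.upper(),
                   base.translate(LEET), base.capitalize().translate(LEET)})


def personal_dictionary(profile):
    """Expand profile facts the way people actually build passwords:
    word, word+year, word+number, year+word, each with a trailing symbol,
    plus two-word combinations. Returns a sorted, de-duplicated list."""
    words = [f for w in profile["words"] for f in word_forms(w)]
    tails = profile["years"] + profile["numbers"] + [""]
    cands = set()
    for w in words:
        for t in tails:
            for s in SUFFIXES:
                cands.add(w + t + s)
                cands.add(t + w + s)
    for a, b in itertools.permutations(profile["words"], 2):
        for s in SUFFIXES:
            cands.add(a.capitalize() + b.capitalize() + s)
    return sorted(cands)


def crack(target_hash, candidates):
    """Try candidates in order; return the matching plaintext, or None."""
    for c in candidates:
        if sha256_hex(c) == target_hash:
            return c
    return None


def targeted_attack(target_hash, profile):
    """Cheapest guesses first (generic top list), then the personalised dictionary."""
    return crack(target_hash, TOP_PASSWORDS + personal_dictionary(profile))


if __name__ == "__main__":
    wordlist = personal_dictionary(PROFILE)
    print(f"{len(wordlist)} personalised candidates, versus 96**11 = {96**11:.2e} "
          "for an 11-character random password")
    # Constructed victim hash: the pet's name, a year and a bang.
    victim = sha256_hex("Fluffy2019!")
    print("recovered:", targeted_attack(victim, PROFILE))
```

The whole personalised list is a few hundred entries, so even with a slow hash the attack finishes in well under a second; swap the victim’s password for something the generator cannot build (a random 16-character string) and `targeted_attack` returns None, which is the point of the section.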

All of this to make sure you understand why you need to use a new, unique, long, random password for each and every account. I don’t care how much you loved your cat, just use a random password. Please.

Password Change Order

Now that you’re getting a password manager set up you need to change every password for every account. Really. Most people have dozens or even hundreds of accounts, so this is not a minor task. If you don’t change the passwords then all you’ve done is protect yourself from phishing, while many of the accounts are already exposed or even compromised. Change each stored password to a new, unique, long, random password.

I recommend you change passwords in this order:

  1. Email (Google, Yahoo, AT&T, Hotmail/Outlook, Comcast) – reviewing filters, forwarding, reply-to, and active sessions; and enable 2FA (two-factor authentication)
  2. Banking, Finance and Investment (BofA, Wells Fargo, Vanguard); and enable 2FA (two-factor authentication)
  3. Anything with stored credit card, payment or banking information (Verizon, Costco, Amazon, Walmart, Propane); and enable 2FA (two-factor authentication)
  4. Social Media & Forums (Facebook, Twitter, LinkedIn); and enable 2FA (two-factor authentication)
  5. Everything else

#1 – EMAIL MUST BE DONE FIRST! Any attacker that has access to your email account can just change your passwords again after you change any other accounts.

You must check the filters, forwarding, reply-to, and active sessions for your email accounts, or an attacker will be able to recover access to your email account and simply reset whatever passwords you’ve changed.

How do you eat an elephant? One bite at a time.

As I write this I can see your eyes glaze over. Hundreds of accounts and I just want you to change all your passwords?! Yes. Don’t be silly though: you don’t have to change every password right now. Even if you just change one or two passwords each day you will get it done before you know it. You just need to commit to actually working towards this goal.

Device Accounts

There is a gotcha when using good passwords with specific services: device accounts.

You can change almost any password for almost any account and use a password manager to fill it on your devices. Unfortunately, there are three accounts where this can actually be a problem. Apple, Google and Microsoft accounts are now often used for device-level authentication on macOS, iPhones, iPads, Android, Chromebooks, and Windows devices. That means that you will need to be able to manually enter this new, unique, long, random password every time you log in to your phone or your computer, when you make an app store purchase, or at least when initially setting up these devices. An 80+ character random password isn’t fun to type even once, and these devices require it to be entered each time certain actions occur, which could be quite frequent.

In these scenarios using a passphrase is just about the only safe option. Your passwords for these accounts (that are tied to your devices!) need to be as long as possible but memorable, since you may not be able to access another trusted device with your password manager when you are logging in to one of these devices.

If you have accounts on these services that are not used for device authentication then you can still safely generate good random passwords for these accounts.

But wait, there’s more!

In addition to a password manager, there are a couple other things you can do to minimize your risk.

  1. Set a watch on your email addresses/domains with HIBP:
    https://haveibeenpwned.com/
    This will alert you when your email address appears in breach data, along with the site it was leaked from and what other information was exposed.
  2. Check your passwords against the Pwned Passwords database.
    https://haveibeenpwned.com/Passwords
    If you don’t want to risk putting your password into a form on the Internet (and you shouldn’t!), then you have three options:

    1. You can use the “pwcheck” program I created for this purpose. Steps in the next section.
    2. You can create a SHA-1 hash of the password and send ONLY the first 5 characters of it to this URL:
      https://api.pwnedpasswords.com/range/00000
      Replace 00000 with the first five characters of the SHA-1 hash of your password, then compare the results.
    3. You can download and extract the 30+ GB database of the entire password collection and compare it yourself offline.

Note: The HIBP Pwned Passwords service uses the k-Anonymity model to ensure that your actual password isn’t uploaded when using pwcheck or the API URL: the service only ever sees the 5-character prefix, which matches hundreds of different passwords, and returns every hash suffix sharing that prefix. Compare the remaining 35 characters of your SHA-1 hash against that list locally; if it isn’t there, the password hasn’t (yet) appeared in a publicly disclosed data dump. More about that stuff here.

  3. Call me! When you have any security question or concern, please call me. This post covers a lot of the “why” and some of the “how” but you’re sure to have issues when you start using a password manager.
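Option 2 above, the k-Anonymity range lookup, in working Python. This is an added example written for this article, not the author’s pwcheck and not HIBP’s own code; the URL and the SUFFIX:COUNT response format are the real API’s, but the range response embedded below is constructed (the counts are made up) so the example runs offline. `fetch_range_live` does the real HTTPS lookup if you want it.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password):
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """The 5-character prefix that leaves the machine and the 35-character
    suffix that never does."""
    h = sha1_upper(password)
    return h[:5], h[5:]


def parse_range(body):
    """Turn the API's 'SUFFIX:COUNT' lines into a dict of suffix -> count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":")
        counts[suffix.strip()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Real lookup: one HTTPS GET carrying only the prefix."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "pwcheck-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_live):
    """Number of breached accounts that used this password (0 if unseen).
    The suffix comparison happens locally, against the whole returned range."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API's response to the prefix of "password"
# (5BAA6). A real response lists several hundred suffixes; these counts are
# made up for the example.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10382543",
        "0A8B1A2D3C4E5F6A7B8C9D0E1F2A3B4C5D6:1",
    ]),
}


def fetch_range_fake(prefix):
    """Offline substitute: an empty range for prefixes we did not construct."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "Vq7#kLp2$wRz9!eT"):
        n = pwned_count(pw, fetch_range_fake)
        verdict = f"used by {n} compromised accounts" if n else "not known to be compromised. Yet."
        print(f"{pw!r}: {verdict}")
```

Note what the service learns: the prefix 5BAA6 and nothing else, and because every prefix covers hundreds of real passwords it cannot tell which one you checked. The same protection does not apply to pasting the password into a web form, which is why the text tells you not to.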

Checking a password with pwcheck

I wrote pwcheck to help test the security of passwords. Over time I’ve added more features to it, such as the ability to generate passwords and passphrases. To use it you’ll need to open a command prompt: click the Start button, type “cmd”, press Enter. A black or blue command window will appear.

To test a password, copy it to the clipboard then type this into the command prompt:

pwcheck .

You’ll get something back like:

Uh-oh. This password has been used by 10382543 compromised accounts.

Or:

Yay. This password is not known to be compromised. Yet.

You can use pwcheck to generate random passwords, too. Type one of these commands in the command prompt:

pwcheck /g1
pwcheck /g2
pwcheck /g3

You can then highlight the password and press Enter or CTRL+C to copy it to the clipboard.

/g1 creates a truly random, but relatively short password.

/g2 creates a word-based password (aka, “passphrase”). This is much longer, but doesn’t include symbols or numbers, and does include spaces, so often needs fiddling before some websites will accept it.

/g3 creates a passphrase, like /g2, but replaces the spaces with random symbols and numbers.

For each of these commands you can also add a space and number after the password type (as below) to control the length of the password. For /g1 this number sets the number of characters. For /g2 and /g3 it sets the number of words.

pwcheck /g1 112
pwcheck /g2 9
pwcheck /g3 4
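How the three generator modes work under the hood, and why the length of a generated secret matters less than how it was generated. This is an added example written for this page in Python, not pwcheck’s source; the 16-word list is constructed for the demo (a real generator uses a list like the EFF long list of 7776 words), and the separator alphabet and the leet substitution table are my own assumptions. It also shows why "1337-sp34k" on a dictionary word adds only a handful of bits.

```python
import math
import secrets
import string

# Constructed mini word list for the offline demo. With 16 entries each word is
# worth only 4 bits; the EFF long list (7776 words) gives about 12.9 bits per word.
WORDLIST = ["anchor", "basket", "copper", "dragon", "ember", "falcon", "garden", "harbor",
            "island", "jungle", "kettle", "lantern", "marble", "nectar", "orbit", "pepper"]
# Assumed separator alphabet for the /g3 style: 10 digits + 12 symbols = 22 choices.
SEPARATORS = string.digits + "!@#$%^&*-_=+"
# Assumed leet table: each letter maps to the substitutes an attacker would try.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def choose_words(n, wordlist):
    """n words drawn uniformly and independently with the OS CSPRNG (secrets).
    Never use random.choice for this: Mersenne Twister output is predictable."""
    return [secrets.choice(wordlist) for _ in range(n)]


def join_with_random_separators(words, alphabet):
    """/g3 style: one random digit or symbol between each pair of words."""
    out = words[0]
    for w in words[1:]:
        out += secrets.choice(alphabet) + w
    return out


def generate_passphrase(n_words, wordlist=WORDLIST, alphabet=SEPARATORS):
    """/g3 equivalent. Use ' '.join(choose_words(...)) for the /g2 style."""
    return join_with_random_separators(choose_words(n_words, wordlist), alphabet)


def generate_random_password(length, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """/g1 style: uniformly random printable characters (94-symbol alphabet)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(n_words, list_size, n_separators=0, separator_alphabet_size=1):
    """Entropy of a generated passphrase comes from the generator's choices,
    not from how long or odd-looking the result is."""
    return n_words * math.log2(list_size) + n_separators * math.log2(separator_alphabet_size)


def char_entropy_bits(length, alphabet_size):
    """Entropy of a /g1 style password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def leet_added_bits(word, subs=LEET):
    """How much a leet rewrite of a dictionary word adds: for each substitutable
    letter the attacker tries the original plus each substitute, so the keyspace
    grows by (1 + number of substitutes) per position. 'password' gains ~5.8 bits."""
    return sum(math.log2(1 + len(subs[c])) for c in word.lower() if c in subs)


if __name__ == "__main__":
    print(generate_random_password(16), "%.1f bits" % char_entropy_bits(16, 94))
    print(generate_passphrase(4), "%.1f bits" % entropy_bits(4, len(WORDLIST), 3, len(SEPARATORS)))
    print("4 EFF words:", "%.1f bits" % entropy_bits(4, 7776))
    print("leet 'password' adds only", "%.1f bits" % leet_added_bits("password"))
```

Note that the spaces or symbols between words add entropy only if they are chosen randomly; the fixed space in the /g2 style adds none, which is why the /g3 style with random separators scores a little higher for the same word count.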

Credit Freeze

Whether you’ve been hacked or not you should freeze your credit. (A “lock” is usually the bureau’s own product, sometimes a paid one; a freeze is the free option you are entitled to by law.) Do this by creating an account at each individual reporting agency and then setting up a freeze on the account. This will prevent any new line of credit being opened in your name (where the creditor actually checks your rating), so it should minimize the risk of financial damage.

Here are the specific pages for the big three credit reporting agencies:

There is NO CHARGE for the ability to freeze your credit, but each of the big three credit bureaus is a business, so they make it easy to accidentally sign up for a paid service instead of simply freezing your credit. Be careful to follow the links/buttons for Freeze your account for free or similar verbiage. Also note that each credit bureau requires that you have a cell phone in order to freeze your credit. This is absurd, especially since so much of the elder population, who are the largest targets for credit fraud, are also the least likely to willingly use cell phones.

Regards,

Shawn K. Hall

Flash Begone!

Adobe Flash: You Will Not Be Missed

Flash goes away in about a month. Adobe announced the end-of-life (EOL) for Flash about two and a half years ago. Microsoft will be removing the built-in Windows version in 40 days. Flash is currently built into Chromium-based browsers (Chrome, Edge, Brave, Vivaldi and so on) and will no longer be included at all in a couple of weeks, and the only other browser that has supported it (Firefox) will block it in late December. By mid-January no browser will support Flash and any website that relies on it will have major compatibility problems. Facebook game players have been terrified of this because it’s going to finally kill Farmville.

HTML5 is the replacement for Flash. Flash is closed-source and historically extremely insecure – directly responsible for over half of all malware infections. Flash was originally designed by Macromedia, which was later bought by Adobe. Adobe’s entire system has always been designed around closed source and limiting access to how their software works, which means that outside code review or security analysis isn’t possible. HTML5, on the other hand, is an open standard developed by the W3C and WHATWG, and the browser engines that implement it are largely open source. It does have a digital rights management (DRM) hook (Encrypted Media Extensions) which allows publishers to prevent data from being copied (like Netflix), but it’s nowhere near as closed as Flash has been.

Those few sites that lament the loss of Flash don’t understand the risks and troubles that we’ve all experienced as a direct result of this uniquely horrific technology. There are over 1,000 known vulnerabilities in Adobe Flash. At 24 years old, that’s an average of 42 vulnerabilities per year or 3.5 per month. At the time of publication, 652 of the vulnerabilities score a “perfect 10” on the CVSS risk scale, and 894 vulnerabilities score 9.0 and above. Put simply, about 90% of the known vulnerabilities in Adobe Flash are considered Critical and are capable of completely taking over the affected device.

If you don’t want to wait, you can eliminate Flash yourself using the Adobe Flash Removal Tool.

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

Do Not Reuse Passwords

Password security is a growing field, and the old conventional wisdom of using a “strong” password and changing it frequently has led to people using the same “strong” password on many different websites, resulting in their complete identity being hijacked when any one of those sites is compromised.

HaveIBeenPwned (HIBP) is a service that collects data dumps from when websites are hacked and uses the data to alert users whenever their accounts are compromised. It’s like a central clearinghouse for account monitoring. Unfortunately, by the time accounts are listed in HIBP it is often years after the account has been hacked, and the hackers that originally took the account information have had that entire period to make use of your account details. Many websites store their passwords in plain text, and many of the others that do use password hashing algorithms (storing only a mathematical representation of the password and not the password itself) neglect to salt the hashes, which means that those hashed passwords can often be compared with rainbow tables, or simply cracked by brute force on a GPU, to effectively convert them to their plain text equivalent. Seeing the passwords that people – still today – continue to use is destroying my hope in humanity. For example, “123456” is used by almost 1% of business professionals for their online social interactions. Dead serious.

The trends on these exposed passwords show that there are very common patterns and weak password consideration is the rule of the day. Few people, and by few I mean I could probably count them on one hand, actually do passwords right. It’s time to take your own security seriously, because the evidence shows that many of those you do business with do not.

Here’s the Problem

Weak passwords you’ve used on service x (Yahoo, for example) will be dumped along with all the other passwords on that hacked service. Those same weak passwords will be tested, together with your email address, on service y and service z. And everywhere else. This process is called “credential stuffing.”

If you reuse even part of your passwords then you open yourself up to being targeted either randomly or by evil people you may already know. “Script kiddies” live and die by their ability to make an example out of people who they feel have done them harm. You could also become the victim of automated scanners that consume the usernames and passwords from these dumps then try them on every known system from Facebook to Gmail to email to banking services. The passwords will be munged in order to test similar or stylistically equivalent passwords. For example, of the LinkedIn hack, almost 2.5 million accounts (or about 1.5%) used some variant of the site name in their password. Those same accounts probably use some variation of the site name in most of their passwords. This can safely be assumed to be done everywhere, meaning that if you use “linkedin123456” for LinkedIn, there’s a good chance that your Facebook password is “facebook123456”.

So when over a million people used “123456” as their LinkedIn password, not only did it expose that as a very commonly used password, but it demonstrated that those million-plus email addresses tied to those weak passwords were used by people that didn’t take security seriously. If you use a weak password anywhere, chances are good that you use weak passwords elsewhere, if not everywhere. If something as quick and easy as changing a password isn’t done, then you also probably neglect your hardware and software. You’re using older and insecure programs. You’re exposing all of yourself with a single simple decision that you think will make your life easier.

It doesn’t. Reusing even part of a password only makes life easier for whoever attacks you. They can stay in their momma’s basement and spend all day throwing your account details at different sites until they get in. When they do, it doesn’t hurt them, it hurts you. Two or three hijacked accounts, or variations on your passwords from multiple dumps show how you think, and the style and scope of password complexity you use.

Again referring to the 2012 LinkedIn hack, there were over 26,000 variations of passwords that included “12” or “2012” in the password. From this we can infer that users seed their passwords with the year they changed it. The same accounts are probably still using the same patterns with “2019” or “2020” today.

“Different” !== Strong

Usually these dumps are sold on the black market or used by the original hacker for a while before they’re inevitably released publicly. The data is out there so it’s necessary to use defensive passwords.

You can’t just change a number at the end of your password and possibly think that it’s going to make a difference in your security. The delay it might impose against an organized attacker is less than a single second. You can’t create a strong password by typing random characters on your keyboard. You just can’t. The predictive value of muscle memory, social and cognitive signals, and even keyboard bias result in a relatively small set of potential values for manually-generated passwords.

1337-sp34k offers no additional protection.

Using a strong password is no longer a suggestion. To be secure in the current world you must use a strong, unique, randomly-generated password for any and all sites and services. Failing to do so will result in that password being used as the seed to corrupt your digital life later on. Maybe not today, maybe not tomorrow, but soon, and for the rest of eternity.

The rules used to be pretty simple, but were still never observed:

  • DO NOT use a series of numbers and a word or two. (123badpassword)
  • DO NOT use a word or two and a series of numbers. (badpassword123)
  • DO NOT use a word with numbers breaking it up. (1bad2password3)
  • DO NOT use the site name or URL as any part of the password. (mylinkedinpassword)
  • DO NOT use keyboard sequences like “qwerty” or “123456”.
  • DO NOT use any word or name related to you or your life (pets, family, friends, musicians).
  • DO NOT use dates or other simple patterns.

Unfortunately, these rules are still ignored, and even if they were followed to a T, these rules are no longer sufficient for creating a passwords or passphrases manually. Today, any password you can remember is not a good password. It’s time you put the effort into proper password management.

Fortunately, the new rules are actually simpler:

But my browser remembers my passwords!

All modern browsers (Chrome, Firefox, Edge, Safari) have password management built in. You can use that to generate strong passwords and, while short, they’ll be unique for each site. Unfortunately, since these passwords are stored in the browser profile, they can be extracted by any malicious software that manages to make it onto the device, or by anyone who compromises your browser sync account. Dedicated password managers generally protect their vault with a separate master password and much stronger encryption.

Websites are still catching up to the reality of password managers

Long passwords, 300 characters or more, are not a problem for your password manager, but they’re probably a problem for the site. BofA limits your password to 20 characters. Yahoo limits your password to 128 characters. Facebook allows much longer passwords, but only requires 6 characters and character case isn’t treated as significant so entropy is significantly reduced, especially for shorter passwords.

Some websites and app logins don’t allow you to copy & paste in the password field which means that they often don’t play well with password managers. Others (like AT&T and Yahoo) refuse to allow certain characters in passwords, so randomly generated passwords have to be manually munged instead of allowing them to be truly random.

Nevertheless, failing to use a password manager means that you’re not using random passwords at all, and are likely reusing passwords to your own peril.

The solution is to get a password manager now and immediately start working to migrate your accounts to it. Almost every password manager today offers password analysis to warn you of weak, reused, and known compromised passwords so you can prioritize changing the passwords for those accounts.

What’s your favorite password manager?

Conventional Wisdom on Solid-State Drives

Every time I post about solid-state drives (SSDs) there’s always a nay-sayer warning about their “short life” and limited usability. It’s a huge misunderstanding of SSD wear-leveling and endurance to assume that a thousand program/erase (P/E) cycles somehow implies that the drive is of less persistent value than a conventional drive. This is wildly inaccurate.

The Old Way

Conventional drives store their information on spinning platters and use read/write heads on moving arms to read and write magnetic state at specific locations on each platter. The arms are fragile. The movement of the platters is subject to environmental forces. A drop of only a fraction of an inch can toast your conventional drive. An hour in the car in front of Starbucks or the moisture that makes it through your laptop bag when walking between classes in the rain can kill it. Some are even faulty by design (planned obsolescence) or, even if they’re not, can suffer a random failure at any point in their life from dust or exposure to magnetism or even sunlight. This is the fatal flaw with moving parts. In any entropic system stuff will inevitably go wrong. The endurance you hope for is the gamble that it either won’t be you, or at least it won’t be now.

There have been dozens of studies of both conventional and solid-state drives. Most studies on conventional drives essentially conclude that some are better than others, but that they will all fail randomly at some point. Unfortunately, when it comes to conventional drives there’s really no guaranteed way to know how long your specific drive is going to last.

Even with the best SMART data you can never really plan for when the conventional drive is going to fail. You can look at the brand or model and estimate in months or years, but actual operational time will vary even between devices from the same factory made at the same time in the same room. You just can’t plan for it.

New Tricks

Solid-state drives, however, do not suffer from the randomness of not being able to know for sure if the drive will even survive its first year. Due to their lack of vulnerable moving parts, vastly improved tolerances and predictable wear-leveling values, they have a calculable life that can not only be guessed, but very effectively planned and measured. You can pro-actively track with the drive’s own self-diagnostics in order to identify, if not the very hour, at least the week that your SSD will no longer be able to be written to (the data will usually still be readable).

SSDs provide several measures of their P/E values to determine drive longevity. TBW (terabytes written) and DWPD (drive writes per day, over the warranty period) are different faces of the same rated number of writes before the drive will begin to fail: TBW = DWPD × capacity × warranty days. It can be presented in days or bytes, but the meaning is consistent: if each block can be written 1100 times (which is a pretty close approximation based on current market values) then a 250GB drive could have 275TB written to it during its reliable life. A 960GB drive would be able to have just over 1PB (petabyte) written during its reliable life. If you measure the actual writes to your current drive over a couple of months (with PerfMon or SMART) you can see exactly how long it would take you to consume that amount. The drive won’t exactly crash and burn on that day, it will just fall out of the vendor-tested effectiveness in a “how many licks does it take to get to the center of a Tootsie Pop” way. Many SSDs will safely write twice as much data or more. You know, as long as you don’t bite into it. 😉

SMART

Every drive for the last 20+ years has supported some level of self-diagnostics (SMART), but the detail provided by SSDs is fantastic. SMART provides potentially hundreds of attributes to identify, track, and observe drive usage and diagnostic information. SSDs report their actual writes, reads, and remaining life through SMART. Get an SSD and use it a couple of months, and you can effectively estimate its life for your actual usage.

For example, my current C: is a 240GB Kingston SSD. As of the writing of this article the drive has been in use for 937 days (2.57 years), and has only been restarted 72 times (roughly twice per month – usually for software updates or installation). It’s written 18,925 GB (<19 TB) in that time, which is about 20.2 GB/day. With the magic 1100 PE number we can safely assume it’ll be able to write about 264 TB in its life. This means that this drive will likely survive another 33 years at my current usage. Give or take.
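The same arithmetic, done from SMART data instead of by hand. This is an added Python example written for this page, not a tool from the original post. The smartctl-style table it parses is constructed to match the numbers above (937 days of power-on time, 72 power cycles, 18,925 GB written); the attribute ID 241 Total_LBAs_Written and the 512-byte unit are assumptions: vendors differ on both the attribute name and the unit (some report GiB, some 32 MiB units), so check your own drive’s output before trusting the result.

```python
SECTOR_BYTES = 512      # assumption: attribute 241 counts 512-byte LBAs on this drive
DEFAULT_PE_CYCLES = 1100  # the "magic" P/E number used in the text

# Constructed smartctl -A style output matching the numbers in the post.
SAMPLE_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       22488
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       72
241 Total_LBAs_Written      0x0032   100   100   000    Old_age   Always       -       36962890625
"""


def parse_smart_raw(text, attr_id):
    """Return the RAW_VALUE column for one attribute ID from smartctl -A output.
    Assumes the usual 10-column ATA attribute table; raises KeyError if absent."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 10 and parts[0].isdigit() and int(parts[0]) == attr_id:
            return int(parts[9])
    raise KeyError("attribute %d not found" % attr_id)


def lbas_to_gb(lbas, sector_bytes=SECTOR_BYTES):
    """Decimal gigabytes (10^9), the unit vendors use for capacity and TBW."""
    return lbas * sector_bytes / 1e9


def rated_writes_gb(capacity_gb, pe_cycles=DEFAULT_PE_CYCLES):
    """Rated endurance: every block written pe_cycles times, i.e. TBW in GB."""
    return capacity_gb * pe_cycles


def estimate_remaining_years(capacity_gb, gb_written, days_in_use, pe_cycles=DEFAULT_PE_CYCLES):
    """Project remaining life from the observed daily write rate."""
    rated = rated_writes_gb(capacity_gb, pe_cycles)
    daily = gb_written / days_in_use
    return (rated - gb_written) / daily / 365.25


def days_to_exhaust(capacity_gb, gb_per_day, pe_cycles=DEFAULT_PE_CYCLES):
    """How long a given workload (e.g. 2 TB/day of transcoding) takes to reach the rating."""
    return rated_writes_gb(capacity_gb, pe_cycles) / gb_per_day


def report(smart_text, capacity_gb, pe_cycles=DEFAULT_PE_CYCLES):
    """Pull everything from the SMART table and return the derived figures."""
    days = parse_smart_raw(smart_text, 9) / 24
    written_gb = lbas_to_gb(parse_smart_raw(smart_text, 241))
    return {
        "days_in_use": days,
        "power_cycles": parse_smart_raw(smart_text, 12),
        "gb_written": written_gb,
        "gb_per_day": written_gb / days,
        "rated_tb": rated_writes_gb(capacity_gb, pe_cycles) / 1000,
        "remaining_years": estimate_remaining_years(capacity_gb, written_gb, days, pe_cycles),
    }


if __name__ == "__main__":
    r = report(SAMPLE_SMART, 240)
    print("%.0f days, %d restarts, %.0f GB written (%.1f GB/day)"
          % (r["days_in_use"], r["power_cycles"], r["gb_written"], r["gb_per_day"]))
    print("rated %.0f TB, about %.0f more years at this rate" % (r["rated_tb"], r["remaining_years"]))
    print("2 TB/day of transcoding would use it up in %.0f days" % days_to_exhaust(240, 2000))
```

Run it against real output from smartctl -A (smartmontools) and check which attribute your vendor uses for host writes and what unit it counts in; with the wrong unit the projection is off by a factor of 64 or more.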

Now it should be noted that I’m not the typical person, and I do tune the crap out of my hardware (and the hardware of my clients) to ensure we get both the best experience and the best value out of our hardware. I’m not a gamer, but I run more varied applications and services than anyone I know, keeping a lot in RAM and minimizing page file usage to prevent unnecessary writes. This is to say that the typical person with a stock install may only get a “mere” ten to fifteen years out of similar SSD – for a computer where most of the rest of the hardware will be unsupported in 10 years. Task-based users (email + web + Word) could get centuries out of it if tuned properly. Hardcore gamers may only get a couple years, but they will be fantastic years.

I love the performance of my SSD, but believe me when I say I hope I am not still using this drive as my C: drive in 30 years. New developments are made every year and I plan to offload this one into one of my workhorses when I upgrade my primary rig. 🙂

True Wisdom

Should everyone use an SSD as their operating system drive? Yes. Should it be used for everything? No. You wouldn’t haul manure in a Porsche 911, would you?

I use SSDs in all my computers, but for some tasks I use conventional drives as well. I even use a few drives I know are defective but that have great caching capabilities. For example, I do a lot of video transcoding – converting and resampling video to improve quality and performance. This can write as much as 2 terabytes per day on one of my machines. That would kill my Kingston SSD in just over 4 months, so for these I use cheap conventional drives that are disposed of when they inevitably fail. The SSD runs the apps, but the conventional drive acts as a read/write canvas for transcoding. It works very well. But why don’t I just use an SSD anyway – they’re faster, right? Because the performance of video transcoding with FFmpeg is capped at the speed of the CPU anyway, so it’s never going to bottleneck on a disk read or write operation on a conventional drive, making use of an SSD a waste of valuable resources.

The choice is yours, of course, but don’t base your decision on whether to buy a solid-state drive on uneducated FUD.

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/