Do Not Reuse Passwords

Password security is a growing field and the old conventional wisdom of using a “strong” password and changing it frequently has lead to people using the same “strong” password on many different websites, resulting in their complete identity being hijacked when any one of those sites is compromised.

HaveIBeenPwned (HIBP) is a service that collects data dumps from when websites are hacked and uses the data to provide a service to alert users whenever their accounts are compromised. It’s like a central clearinghouse for account monitoring. Unfortunately, by the time accounts are listed in HIBP it is often years after the account has been hacked and the hackers that originally took the account information have had that entire period to make use of your account details. Many websites store their passwords in plain text, and many of the others that do use password hashing algorithms to store only a mathematical representation of the password and not the password itself neglect to use properly salted hashes, which means that those hashed passwords can often be compared with rainbow tables to effectively convert them to their plain text equivalent. Seeing the passwords that people – still today – continue to use is destroying my hope in humanity. For example, “123456” is used by almost 1% of business professionals for their online social interactions. Dead serious.

The trends on these exposed passwords show that there are very common patterns and weak password consideration is the rule of the day. Few people, and by few I mean I could probably count them on one hand, actually do passwords right. It’s time to take your own security seriously, because the evidence shows that many of those you do business with do not.

Here’s the Problem

Weak passwords you’ve used on service x (Yahoo, for example) will be dumped along with all the other passwords on that hacked service. Those same weak passwords will be tested on service y and service z. And everywhere else. This process is called “password stuffing.”

If you reuse even part of your passwords then you open yourself up to being targeted either randomly or by evil people you may already know. “Script kiddies” live and die by their ability to make an example out of people who they feel have done them harm. You could also become the victim of automated scanners that consume the usernames and passwords from these dumps then try them on every known system from Facebook to Gmail to email to banking services. The passwords will be munged in order to test similar or stylistically equivalent passwords. For example, of the LinkedIn hack, almost 2.5 million accounts (or about 1.5%) used some variant of the site name in their password. Those same accounts probably use some variation of the site name in most of their passwords. This can safely be assumed to be done everywhere, meaning that if you use “linkedin123456” for LinkedIn, there’s a good chance that your Facebook password is “facebook123456”.

So when over a million people used “123456” as their LinkedIn password, not only did it expose that as a very commonly used password, but it demonstrated that those million-plus email addresses tied to those weak passwords were used by people that didn’t take security seriously. If you use a weak password anywhere, chances are good that you use weak passwords elsewhere, if not everywhere. If something as quick and easy as changing a password isn’t done, then you also probably neglect your hardware and software. You’re using older and insecure programs. You’re exposing all of yourself with a single simple decision that you think will make your life easier.

It doesn’t. Reusing even part of a password only makes life easier for whoever attacks you. They can stay in their momma’s basement and spend all day throwing your account details at different sites until they get in. When they do, it doesn’t hurt them, it hurts you. Two or three hijacked accounts, or variations on your passwords from multiple dumps show how you think, and the style and scope of password complexity you use.

Again referring to the 2012 LinkedIn hack, there were over 26,000 variations of passwords that included “12” or “2012” in the password. From this we can imply that users will seed their passwords with the year they changed it. The same accounts are probably still using the same patterns with “2019” or “2020” today.

“Different” !== Strong

Usually these dumps are sold on the black market or used by the original hacker for a while before they’re inevitably released publicly. The data is out there so it’s necessary to use defensive passwords.

You can’t just change a number at the end of your password and possibly think that it’s going to make a difference in your security. The delay it might impose against an organized attacker is less than a single second. You can’t create a strong password by typing random characters on your keyboard. You just can’t. The predictive value of muscle memory, social and cognitive signals, and even keyboard bias result in a relatively small set of potential values for manually-generated passwords.

1337-sp34k offers no additional protection.

Using a strong password is no longer a suggestion. To be secure in the current world you must use a strong, unique, randomly-generated password for any and all sites and services. Failing to do so will result in that password being used as the seed to corrupt your digital life later on. Maybe not today, maybe not tomorrow, but soon, and for the rest of eternity.

The rules used to be pretty simple, but were still never observed:

  • DO NOT use a series of numbers and a word or two. (123badpassword)
  • DO NOT use a word or two and a series of numbers. (badpassword123)
  • DO NOT use a word with numbers breaking it up. (1bad2password3)
  • DO NOT use the site name or URL as any part of the password. (mylinkedinpassword)
  • DO NOT use keyboard sequences like “qwerty” or “123456”.
  • DO NOT use any word or name related to you or your life (pets, family, friends, musicians).
  • DO NOT use dates or other simple patterns.

Unfortunately, these rules are still ignored, and even if they were followed to a T, these rules are no longer sufficient for creating a passwords or passphrases manually. Today, any password you can remember is not a good password. It’s time you put the effort into proper password management.

Fortunately, the new rules are actually simpler:

But my browser remembers my passwords!

All modern browsers (Chrome, Firefox, Edge, Safari) have password management built-in. You can use that in order to generate strong passwords and, while short, they’ll be unique for each site. Unfortunately, since these passwords are stored in the browser they can be extracted by any malicious software that manages to make it onto the device or compromise your browser Sync account, where password managers generally use much stronger encryption.

Websites are still catching up to the reality of password managers

Long passwords, 300 characters or more, are not a problem for your password manager, but they’re probably a problem for the site. BofA limits your password to 20 characters. Yahoo limits your password to 128 characters. Facebook allows much longer passwords, but only requires 6 characters and character case isn’t treated as significant so entropy is significantly reduced, especially for shorter passwords.

Some websites and app logins don’t allow you to copy & paste in the password field which means that they often don’t play well with password managers. Others (like AT&T and Yahoo) refuse to allow certain characters in passwords, so randomly generated passwords have to be manually munged instead of allowing them to be truly random.

Nevertheless, failing to use a password manager means that you’re not using random passwords at all, and are likely reusing passwords to your own peril.

The solution is to get a password manager now and immediately start working to migrate your accounts to it. Almost every password manager today offers password analysis to warn you of weak, reused, and known compromised passwords so you can prioritize changing the passwords for those accounts.

What’s your favorite password manager?

Conventional Wisdom on Solid-State Drives

Every time I post about solid-state drive’s (SSDs) there’s always a nay-sayer warning about their “short life” and limited usability. It’s a huge misunderstanding of SSD wear-leveling and endurance to assume that a thousand program/erase (PE) cycles somehow implies that the drive is of less persistent value than a conventional drive. This is wildly inaccurate.

The Old Way

Conventional drives store their information on revolving platters and use magnetic arms to read and assign magnetism to specific locations on each platter. The arms are fragile. The movement of the platters is subject to environmental forces. A drop of only a fraction of an inch can toast your conventional drive. An hour in the car in front of Starbucks or the moisture that makes it through your laptop bag when walking between classes in the rain can kill it. Some are even faulty by design (planned obsolescence) or even if they’re not, can suffer from a random failure at any point in their life from dust or exposure to magnetism or even sunlight. This is the fatal flaw with moving parts. In any entropic system stuff will inevitably go wrong. The endurance you hope for is that gamble that it either won’t be you, or at least it won’t be now.

There have been dozens of studies of both conventional and solid-state drives. Most studies on conventional drives essentially conclude that some are better than others, but that they will all fail randomly at some point. Unfortunately, when it comes to conventional drives there’s really no guaranteed way to know how long your specific drive is going to last.

Even with the best SMART data you can never really plan for when the conventional drive is going to fail. You can look at the brand or model and estimate in months or years, but actual operational time will vary even between devices from the same factory made at the same time in the same room. You just can’t plan for it.

New Tricks

Solid-state drives, however, do not suffer from the randomness of not being able to know for sure if the drive will even survive it’s first year. Due to their lack of vulnerable moving parts, vastly improved tolerances and predictable wear-leveling values, they have a calculable life that can not only be guessed, but very effectively planned and measured. You can pro-actively track with the drive’s own self-diagnostics in order to identify, if not the very hour, at least the week that your SSD will no longer be able to be written to (the data will usually still be readable).

SSDs provide several measures of their PE values to determine drive longevity. TBW and DWPD are basically different faces of the same number of writes before the drive will begin to fail. This can be measured in hours or bytes, but the meaning is consistent between presentations: if each block can be written 1100 times (which is a pretty close approximation based on current market values) then a 250GB drive could have 275TB written to it during its reliable life. A 960GB drive would be able to have just over 1PB (petabyte) written during its reliable life. If you measure the actual writes to your current drive over a couple months (with PerfMon or SMART) you can see exactly how long it would take you to consume that amount. The drive won’t exactly crash and burn on that day, it will just fall out of the vendor-tested effectiveness in a “how many licks does it take to get to the center of a Tootsie Pop” way. Many SSDs will safely write twice as much data or more. You know, as long as you don’t bite into it. 😉

SMART

Every drive for the last 20+ years has supported some level of self diagnostics (SMART), but the detail provided by SSDs is fantastic. SMART provides potentially hundreds of flags to identify, track, and observe various drive usage and diagnostic information. SSDs provide self-diagnostics through SMART that enables you to see their actual writes, reads, and life. Get an SSD and use it a couple months, and you can effectively estimate its life for your actual usage.

For example, my current C: is a 240GB Kingston SSD. As of the writing of this article the drive has been in use for 937 days (2.57 years), and has only been restarted 72 times (roughly twice per month – usually for software updates or installation). It’s written 18,925 GB (<19 TB) in that time, which is about 20.2 GB/day. With the magic 1100 PE number we can safely assume it’ll be able to write about 264 TB in its life. This means that this drive will likely survive another 33 years at my current usage. Give or take.

Now it should be noted that I’m not the typical person, and I do tune the crap out of my hardware (and the hardware of my clients) to ensure we get both the best experience and the best value out of our hardware. I’m not a gamer, but I run more varied applications and services than anyone I know, keeping a lot in RAM and minimizing page file usage to prevent unnecessary writes. This is to say that the typical person with a stock install may only get a “mere” ten to fifteen years out of similar SSD – for a computer where most of the rest of the hardware will be unsupported in 10 years. Task-based users (email + web + Word) could get centuries out of it if tuned properly. Hardcore gamers may only get a couple years, but they will be fantastic years.

I love the performance of my SSD, but believe me when I say I hope I am not still using this drive as my C: drive in 30 years. New developments are made every year and I plan to offload this one into one of my workhorses when I upgrade my primary rig. 🙂

True Wisdom

Should everyone use an SSD as their operating system drive? Yes. Should it be used for everything? No. You wouldn’t haul manure in a Porsche 911, would you?

I use SSDs in all my computers, but for some tasks I use conventional drives as well. I even use a few drives I know are defective but that have great caching capabilities. For example, I do a lot of video transcoding – converting and resampling video to improve quality and performance. This can write as much as 2 terabytes per day on one of my machines. That would kill my Kingston SSD in just over 4 months, so for these I use cheap conventional drives that are disposed of when they inevitably fail. The SSD runs the apps, but the conventional drive acts as a read/write canvas for transcoding. It works very well. But why don’t I just use an SSD anyway – they’re faster, right? Because the performance for video transcoding with FFMPEG is capped at the speed of the CPU anyway, so it’s never going to be bottlenecking at a disk read or write operation on a conventional drive, making use of an SSD a waste of valuable resources.

The choice is yours, of course, but don’t base your decision on whether to buy a solid-state drive on uneducated FUD.

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

New Year, New Fears: Meltdown and Spectre

Happy New Year!

By now you’ve heard about Meltdown and Spectre, the two new CPU vulnerabilities that are getting 24/7 airtime on every news channel.

This is going to really hurt Intel, as it essentially means that a 2 GHz processor is going to effectively run at 1.4 GHz after it’s patched. A 4 GHz processor is going to effectively run at 2.8 GHz. That’s the kind of performance hit that hard-core gamers and industry professionals are waking up to today, and will encourage many to consider alternative CPUs in the future. Unfortunately, while the one issue (Meltdown) only applies to Intel CPUs the other one (Spectre) affects almost every CPU that has been tested.

Meltdown and Spectre are two separate design flaws in the CPUs that mismanage how access to memory handles are controlled. Older hardware and operating systems will never be patched to address these vulnerabilities, and the patches that are currently being pushed for the Intel (Meltdown) flaw have a very high failure rate (as much as 20% for some hardware) often resulting in unbootable devices. My advice is to wait a few days for other people to be the guinea pigs, then install the updates after you get the all clear.

Neither of these affects only Windows. The vulnerabilities are hardware-based, but the current workarounds for them are being pushed into the operating systems to prevent them from being abused.

Meltdown affects every Intel CPU available today, which means that while many Windows computers are affected, every supported Mac is impacted (they’re all using Intel CPUs), and phones and other devices that use Intel chips are vulnerable as well.

Spectre affects just about everything. If your vendor isn’t supporting the device anymore, it will never be patched and the device can never be secured. Every computer hosting every website is affected. Every server. Every phone, tablet, desktop and laptop in the world is affected by at least one of these vulnerabilities. It seems that the only devices immune are certain security devices (dongles) or devices with very limited capabilities. If it can run software, it’s vulnerable.

If you’re a stock market enthusiast this is a good time to invest in mobile hardware vendors – wait a week or so for people to start bailing out in fear and the price to drop. Then buy their ignorance and in a year you’ll be thanking me. There may not be an immediate return, but as chips are released in the next 8-18 months that resolve these problems, security-minded companies and governments will be buying in bulk to replace every single device they currently employ. Talk about a huge surge in purchases later this year. 🙂

I don’t put a lot of stock in what anyone from the government says, so I will defer to the Intel VP who says that the “unfixable” Spectre flaw can be resolved with a firmware update on most supported devices. I assume the same is true for other vendor chips affected by Spectre. Unfortunately, this means it’s still going to be a long-tail fix, since firmware updates can take months to be released for each supported chip and years to be fully addressed, and unsupported hardware will never be fixed. The Intel SA-00086 vulnerability (initially reported in February 2017), for example, which impacts the last 4 full generations of Intel CPUs still has not received patches for most currently supported hardware. Likewise, it’s quite unlikely that Spectre will be fully addressed on existing supported hardware within the next couple years.

Replacing your device isn’t a solution, either, since hardware that isn’t vulnerable simply doesn’t exist yet. We need to hope that operating system vendors will correctly and fully address these problems on current hardware in the very near future.

Now for the good news

If you’re maintaining your devices – installing operating system, application and driver updates, and you’re removing outdated and unused software, and you’re not installing untrusted third party applications that are either unmaintainable or unsecureable, and you have not been installing “bad” programs (warez, fake, or malicious) – then your computer is really at no greater risk today than it was last week. Both of these vulnerabilities require an evil application to be run on your device to be exploited. They are not remote exploits that automatically bypass the other security precautions you may have in place (unlike SA-00086). Remove everything you don’t want or need on your device, don’t install untrusted apps, don’t ever click “yes” in a popup without reading it and understanding the implications, and you’ll probably be OK. Really.

For anyone else that’s not already using my service: If you don’t want to do this all by yourself – let me.

KRACK Attacks: Protocol Insecurity

The KRACK Attacks are a great example of why updates are important. Wireless networking has been around over 45 years with many encryption and security layers being adapted over that time. The variation most commonly in use today, Wi-Fi with WPA2, is about 13 years old. Thousands of people have reviewed the protocol documents. Vendors across the world have implemented the protocol as it was designed and it is in active daily use on billions of devices (yes, billions with a “b”). However, a relatively minor flaw in the design of the greeting/handshake allows an evil third party to essentially hijack any Wi-Fi network.

At least 6 months ago a series of vulnerabilities in all wireless protocols (including the most secure current wireless protocol, WPA2) were discovered that allowed for an evil third-party in range of your Wi-Fi network connection to emulate it and hijack your access to the connection to be able to siphon or change information between you and the Internet. These vulnerabilities also make it possible to intercept and alter “secure” traffic (such as HTTPS encrypted connections) by way of it’s MitM scope on some networks and devices.

Every vendor’s hardware that was tested was found to be vulnerable. The thing is, if they obeyed the protocol it would literally be impossible not to be vulnerable.

Several months ago the person that discovered the issue contacted different vendors to alert them of the problems and they are actively coordinating security updates this week to address them. FreeBSD patched it months ago. Microsoft patched it last Tuesday. Some Android devices have been patched over the last couple weeks, while others may never be. Security updates for ChromeOS should be released next Tuesday. Apple’s patch for iOS, macOS, tvOS and watchOS is planned for release “soon,” but every version of macOS and iOS are affected and not all are still supported (in other words – only some Apple devices will receive patches). Hardware vendors are gradually releasing updates for supported devices.

What should you do?

Patch or replace your hardware. All of your hardware: your routers, modems, phones, tablets, laptops, desktops that have Wi-Fi support, even your light bulbs and irrigation systems.

If a patch is not currently available for your hardware, hound the vendor until it is, or replace/avoid that hardware (and vendor).

If your hardware is no longer supported by the vendor you will not receive security updates to address this vulnerability. Most hardware still in use today is beyond it’s support period (aka “end of life/EOL”), so will never receive a security update to address this vulnerability or any other. Really. It’s probably time to replace that “perfectly good” wireless router you picked up “only 5 years ago” at a “helluva bargain” that “still works.” It’s annoying, but important to check the vendors site when purchasing hardware to ensure that it’s supported by them. Most vendors support their hardware only 5 to 10 years after a modem was initially released. Most people buy hardware at least half-way through this period, significantly reducing the applicable support period.

Always use TLS/SSL. If the sites you visit don’t support HTTPS, don’t use them or at least contact their webmasters to request HTTPS support.

Avoid wireless connections. Yes, really. Even if this had never occurred, understand that every wireless network is inherently insecure. Emulating your network the way the KRACK Attack operates is only one way to hijack it. There are many other risks in all forms of networking, from old, insecure, and unsupported network equipment that can be easily compromised to unmaintained and unsecureable hardware that joins the network. While a wired network generally contains all traffic within the cables that make up the network, a wireless network, by definition, broadcasts all network traffic for any evildoer within range to capture and record. While they may not be able to exploit that encrypted information today, it’s likely that similar vulnerabilities will be discovered that allow them to decrypt and abuse that information sometime in the future. Avoiding wireless connections reduces this risk.

I thought this only affected my router?

No. This vulnerability is a protocol-level issue, which means that every single wireless device in the world that was designed to obey the protocol is impacted. All of them. Patch or replace.

Many protocols have weaknesses that are eventually addressed with minor and sometimes major changes. SMTP – the protocol used to send email – didn’t require any form of authentication at any level for over 20 years! The geeks that think this stuff up are awesome, but we can’t anticipate everything.

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

 

Why you should delay iOS upgrades

Today is September 9th, 2017 and iOS 11 was released! Yay! This version has several new features that Apple fanboys are going gaga over. It’s exciting, it’s new, and in about a month you should install it on your device. For years I have advocated that major iOS upgrades should be delayed at least 3 weeks. Why? Math.

This simple timeline demonstrates Apple’s history with patches for iOS upgrades:

1.0.1 was released 32 days after 1.0.0. It was a security update.
1.1.1 was released 13 days after 1.1.0. It was a major stability update.
2.0.1 was released 14 days after 2.0.0. It was a major stability update.
2.1.1 was released 3 days after 2.1.0. It was a security update.
3.0.1 was released 44 days after 3.0.0. It was a security update.
3.1.1 was released the same day as 3.1.0. It was a security update.
3.1.2 was released 29 days after 3.1.1. It was a major stability update.
4.0.1 was released 24 days after 4.0.0. It was a major stability update.
4.3.1 was released 16 days after 4.3.0. It was a security update.
5.0.1 was released 29 days after 5.0.0. It was a security update.
5.1.1 was released 61 days after 5.1.0. It was a security update.
6.0.1 was released 61 days after 6.0.0. It was a security update.
6.1.1 was released 9 days after 6.1.0. It was a major stability update.
7.0.1 was released 1 day after 7.0.0. It was a security update.
7.0.2 was released 7 days after 7.0.1. It was a security update.
7.1.1 was released 43 days after 7.1.0. It was a major stability update.
8.0.1 was released 7 days after 8.0.0. It was a security update – and was so bad they pulled it.
8.0.2 was released 1 day after 8.0.1. It was a major stability update.
8.1.1 was released 28 days after 8.1.0. It was a security update.
8.4.1 was released 44 days after 8.4.0. It was a security update.
9.0.2 was released 14 days after 9.0.0. It was a security update.
9.2.1 was released 133 days after 9.2.0. It was a security update.
9.3.1 was released 10 days after 9.3.0. It was a major stability update.
10.0.2 was released 10 days after 10.0.0. It was a stability update.
10.1.1 was released 7 days after 10.1.0. It was a security update.
10.2.1 was released 42 days after 10.2.0. It was a security update.
10.3.1 was released 7 days after 10.3.0. It was a security update.

11.0.0 was released today. How long do you think it will be before they release their mandatory security update?

With history as our guide, we can safely assume it’s going to be roughly 26 days before they release whatever security update is required of the first major release of iOS 11.

Looking at the numbers we can also see that fixes for major updates are released on average 21 days after the initial major version (n.0.x), where minor version fixes average closer to 30 days after the release of the minor version (n.n.x). If we remove the outlier (9.2.1) because it’s over 4 months and double any other period, the averages become 20 days for serious patches to major updates and 22 days for serious patches to minor updates. Again: 21 days – three weeks – becomes the minimum average for your safety.

That means you should expect a security update for iOS 11 around October 10th, 2017. Be patient. The privacy you save will be your own.

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/