Your passwords may be no longer secret

Since I don’t blame anyone for not reading all the way to the bottom, I will insert at the top, that Dave continues to do well. We just had a couple of days of rainy weather with heavy clouds. But today dawned clear again. There is now snow on the mountains for the first time this season.

Yesterday, some industrious people in the marina hired a small bus for 16 of us to go to Antalya for the day. We had kind of a late start and an early return, but all of us got a lot of shopping done in the big city. And got to yak yak en route. Now for the very important, and extremely annoying reason for this post.

If you would please take a moment to read this:

Basically, the story is that Adobe’s secret servers were hacked. The truly gigantic amount of data that was stolen regarding personal accounts and passwords was posted online for essentially anyone to download and snoop around in. Whatever password information you had on anything that has anything at all to do with Adobe, is probably no longer secure. That may not seem like the end of the world, however, many people use the same password for several accounts. If that is your situation, anything that uses the same password that you used with Adobe, and by Adobe I mean anything at all that Adobe has anything to do with, is now known to bad people.

They also know who you are and can fairly easily go down the list of all the easy to rob accounts that you might have, trying your Adobe password, or simple variations, to see if they can get into your accounts.

Much of this can be automated by a robot, and they only need to break in to one account out of thousands to make it very profitable.

And, as hundreds, or thousands of people have suggested, do not use easy to guess passwords for anything. Personally, I do use a simpler password for something that I can’t imagine could ever hurt me if it got hacked. Like my subscription to the Ingrid Sailboat Blog. I try to use a strong password for bank accounts and the like. If all of my bank accounts were suddenly empty, I would be very sad indeed.

And, one excellent suggestion on how to create a hard to guess password, is to use a passphrase, rather than a password. That is, rather than use your birthday, or your street address, use the initials of some memorable phrase.

For example, Lucky Strike cigarettes, used to have the phrase, “Lucky Strike means fine tobacco.” And the packages carried the abbreviation, “LSMFT” which when I was in high school, we changed the meaning to, “Ladies’ shoes make funny tracks.”

“LSMFT” is not a word, although since that particular combination of letters has been widely used, it may be in a dictionary somewhere.

It is my understanding that a common way to break a password, is to have a computer program try all the possible combinations until it breaks it. It uses some sort of dictionary of the most likely combinations to try first.

It seems kind of obvious to me, that the defense against this, is to only allow you a small number of mistakes per day. For example, if you cannot type in the correct password within six tries, Internet access to your account is closed for 24 hours. Usually, you can call them and convince the human that you are really you, but their robot will not let you in if you make too many mistakes.

This seems like such an elementary defense, yet obviously is not widely used or the dictionary attack would not be so successful.
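The lockout rule described above (six wrong tries, then the account is closed for 24 hours), sketched as an added example that is not part of the original post. The class, function and account names are hypothetical, and the automated guesser is a constructed simulation that only ever sends wrong passwords.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 6               # "six tries", from the post
LOCKOUT_SECONDS = 24 * 3600    # "closed for 24 hours", from the post


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # times of recent wrong passwords
    locked_until: float = 0.0


class LockoutPolicy:
    """Per-account failed-login counter (hypothetical helper, times in seconds)."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._accounts = {}

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' (checked, wrong) or 'locked' (refused unchecked)."""
        state = self._accounts.setdefault(account, AccountState())
        if now < state.locked_until:
            return "locked"            # even the right password is refused
        if password_ok:
            state.failures.clear()     # a good login resets the counter
            return "ok"
        # Count only mistakes made within the last 24 hours.
        state.failures = [t for t in state.failures if now - t < self.lockout_seconds]
        state.failures.append(now)
        if len(state.failures) >= self.max_failures:
            state.locked_until = now + self.lockout_seconds
            state.failures.clear()
        return "denied"


def guesses_checked(days, seconds_between_guesses, policy=None):
    """Simulate a constructed automated guesser; return (sent, actually checked)."""
    policy = policy or LockoutPolicy()
    sent = checked = 0
    for now in range(0, days * 24 * 3600, seconds_between_guesses):
        sent += 1
        if policy.attempt("example-user", password_ok=False, now=now) == "denied":
            checked += 1
    return sent, checked


if __name__ == "__main__":
    print(guesses_checked(days=3, seconds_between_guesses=60))  # (4320, 18)
```

The counter is kept per account, so it limits guessing against one login on the live site; it has no effect on guesses run against a stolen copy of the password data.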

I use one of the free, but highly regarded, password databases, to keep my gazillion passwords organized on my computer. It has a very strong password to keep you from getting in, and is supposed to be quite thoroughly encrypted. Of course, if the people designing it, are bad people, and it is automatically, secretly sending my information to some archvillain somewhere, then I have a slight problem don’t I?

If you really think about all of this stuff, it gets pretty complicated. Therefore most people don’t really think about all the stuff, because it makes their head hurt. This is wonderful news for the modern-day crook. Especially the clever one. Fortunately there are not very many of those.

But when my credit card information was stolen a few years ago, as far as I could tell, the credit card company and the local law enforcement, did not think it was worth their trouble to go after the person that stole the information, even though we knew exactly who it was beyond any doubt.

I appreciate that a court case would cost them more than the perhaps $6000 that they stole. But, it was surprisingly easy for them to steal it, and if nothing even annoying happens as a result of it, then why won’t they do it again every chance they get?

But, from my perspective, the stolen money was instantly replaced into my account by my credit card company, so I let the matter drop. However, I still question the wisdom of ignoring thieves when you know precisely who they are.


