Be secure like a boss—the true geek passwords

Internet news sites have been going crazy over how vulnerable our passwords are these days. Hackers are having a relatively easy time accessing databases of passwords by the millions.

The cool thing is that even if they have the password database, each password is protected by something called a hash. Hashing means that the password you type is run through a one-way function and turned into a long, messy string of text (check out this explanation for more details). The string can’t be read by the naked eye, and there is no way to run the function backwards to get the password out of it.

There’s a way around it, though: if a hacker has the hashed password, they can use brute-force guessing. A password cracker guesses a password, runs the guess through the same hash algorithm, and checks whether the result matches the messy hash they stole. If it matches, they know they have the correct password.

Especially smart crackers make custom PCs specifically for this brute-force method. They stack together tons of GPUs (used for graphics processing, normally) and have them rapidly generate millions of guesses—millions—per second. Faster than a supercomputer could have done it, just ten years ago. They, in essence, start with guessing “aaaaaaaa” and seeing if that matches, then “aaaaaaab,” then “aaaaaaac” and so on, until they get a match.

Needless to say, the longer your password is, the better. So what’s the best way to make a very secure password?

If you ever go into IT work—administering computer networks and stuff—you’ll probably be required to have a ridiculously long password. Something like 30 characters. Oh, and it gets better. It has to have upper-case, lower-case, numbers, and symbols. And some people have trouble memorizing a 10-character password—that’s why they do something stupid like “password11.”

And, let’s be clear: that’s a stupid password. We don’t like throwing that word around, but right now we mean it.

But our intentions are pure: we want you safe. When you start having credit cards and online bank accounts, secure passwords are a huge deal. A huge deal. So start getting good habits now.

But we digress. The best way to make a secure password is not to make a password at all. Instead, you make a pass phrase. Observe:

I'm in LOVE with eating 12 donuts.

Notice that we have symbols, upper and lower-case text, and numbers. And it’s long.

Come up with a long pass phrase like this, and you won’t have to worry much about this kind of brute-force guessing, because every extra character multiplies the number of possible passwords. Think of it like this. If you have a one-character password, there are something like 94 things your password could be (including everything on your keyboard). If you have two characters, it’s 94*94. Our pass phrase is 34 characters. Do the math and tell us what 94^34 is. (Hint: it’s big.)
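To make the hashing and the keyspace arithmetic above concrete, here is an added example (not code from the original post) that hashes the post’s own two passwords, shows that the only way to “read” a hash is to hash a candidate and compare, and works out how many possibilities an attacker has to cover. The 94-character alphabet comes from the post; the guessing rate of one million per second and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed for this example: the post's 94-character keyboard alphabet, and a
# guessing rate of one million per second (the post says "millions").
KEYBOARD_CHARS = 94
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def hash_password(password: str) -> str:
    """Turn a password into the 'long and messy string' the post describes.

    SHA-256 is a one-way function: the same input always gives the same
    64-hex-character digest, and the digest cannot be run backwards to
    recover the password.  A real login system should use a salted, slow
    hash instead (see slow_hash below).
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_guess(candidate: str, stored_digest: str) -> bool:
    """Hash a candidate and compare it with the stored digest.

    This is exactly what a login server does once per login attempt; a
    cracker does the same comparison millions of times per second over
    guesses.  compare_digest avoids leaking, through timing, how many
    leading characters of the two strings agree.
    """
    return hmac.compare_digest(hash_password(candidate), stored_digest)


def keyspace(length: int, alphabet_size: int = KEYBOARD_CHARS) -> int:
    """Number of possible passwords of a given length: alphabet ** length."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length at the given rate."""
    return keyspace(length) / guesses_per_second / SECONDS_PER_YEAR


def slow_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256: a deliberately slow, salted password hash.

    Every iteration costs the cracker as much as it costs the legitimate
    login, so 600,000 iterations (an assumed count) make each guess that
    much more expensive than one SHA-256, and a per-user salt stops a
    single precomputed table from covering every user at once.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


if __name__ == "__main__":
    weak = "password11"                            # the post's bad password
    phrase = "I'm in LOVE with eating 12 donuts."  # the post's pass phrase
    for pw in (weak, phrase):
        print(f"{pw!r}: {len(pw)} chars, keyspace 94^{len(pw)} = {keyspace(len(pw)):.3e}, "
              f"worst case {years_to_exhaust(len(pw)):.3e} years at 1e6 guesses/s")
    stored = hash_password(phrase)
    print("hash of the pass phrase:", stored)
    print("correct phrase matches:", check_guess(phrase, stored))
    print("'password11' matches:  ", check_guess(weak, stored))
    print("salted pbkdf2:", slow_hash(phrase, secrets.token_bytes(16))[:32], "...")
```

Run it and compare the two “worst case” lines: the 34-character phrase has 94^26 times as many possibilities as a 10-character password, which is why the post’s advice is about length first. The `slow_hash` function is the defender’s side of the same arithmetic: if each guess costs hundreds of thousands of hash operations, the cracker’s GPU rig gets correspondingly fewer guesses per second.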

(That’s the last time you’ll ever see us blockquote a sentence about donuts, by the way)

It pays to be on the right side of cyber security.

[Image: screenshot of the BRAIN virus in action] This is what BRAIN looks like on an MS-DOS machine.

We linked to a mini-documentary about the first computer virus a while back, called BRAIN. It’s a pretty benevolent virus made by two Pakistani guys, way back in 1986.


Not all viruses are that benevolent, though. And the people who make them aren’t as friendly as the kind-hearted guys who made BRAIN, who gave their contact info in the virus itself so people could contact them if infected.

Today, a few notable groups on the internet have been responsible for a lot of big-time hacking and caused a lot of trouble. A lot of those people got arrested recently, and rightfully so. They were doing something called DDoS (distributed denial of service), which is basically an attempt to shut a website down by flooding it with more traffic than its servers can handle, so real users can’t get through. Some of them may also have been responsible for hacking the Playstation Network a while back.

Engineering, including software engineering (and one could argue that hackers ‘engineer’ their way past security), is about helping people and making the world better. Increase the awesome. Decrease the suck. These cybercrimes are neither of those.

Some people claim it’s about the thrill of solving puzzles. But that’s not true. If it were, these people would stick to sites like notpron (“the hardest riddle available on the internet”), which do require coding knowledge to solve, and would instead use their coding powers to do things like programming quadrotors or finding a new use for their Kinect.

Here’s a pretty good video about the history of viruses, with a quick rundown on what the big ones do and a few examples of viruses. You can see that they used to be lighthearted, for the most part. Not so much nowadays.

He talks about being prepared, and protecting against cyber criminals.

Ask your CS teacher what he or she thinks about hacking. They’ll probably tell you something like “don’t.”

Seriously. If security is something that intrigues you, it’s better to work on the side of good by using the same skills to find flaws in the system you’re supposed to protect. That’s called Information Systems Security (just read up on the certification subject matter; does it look interesting?).

If you’re looking to get certified, look into the Security+ certification. It’s only 100 questions with few other requirements. If you do well they’ll probably waive the recommended 2 years’ experience. Stuff like this looks good on a resume.

And there’s really good money in ISS. Which is a bit better than jailtime, isn’t it?

Government to hand out internet IDs

As hackers get more and more advanced, and passwords get easier to crack because of it (especially with how simple the most commonly used passwords still are), something needs to be done to make sure people stay secure and identities don’t get stolen.

[Image: Howard Schmidt] This is Howard Schmidt, President Obama's Cyber Security Administrator. He's not the only one, but he's got a hand in this initiative.

Google has recently adopted an optional two-step login that does just that, as long as you have a cell phone: after your password, you also type in a code that is sent to (or generated on) your phone. This is the kind of security feature a lot of government buildings use. Basically, so long as you have your cell phone, nobody else can log in as you, even if they have your password.

The US government is coming up with another way to do it. Under the National Strategy for Trusted Identities in Cyberspace (NSTIC), which works under the Chamber of Commerce, there might soon be another way. Basically, you verify some credential (probably something like a public key, which Linux users might be familiar with) with someone in person, and then can use that to log in as the ‘real you’ anywhere on the internet–assuming that place on the internet supports the proposed system.

Read the final draft of the NSTIC document (pdf).

A system like this has both a good and bad side:

The good side is that it’s run by the Chamber of Commerce, which is a government branch pretty much dedicated to private-sector business. That means the official purpose of NSTIC is to give you security when you buy things online, and ensure that nobody else can buy stuff under your name. It could also make logins more convenient and, because your information would be stored in that credential (you would get to decide just how much of your information is in it) it could make signing up for a new account much faster. Also remember that this system would be entirely voluntary.

But, because it’s a government system, that means the government is technically in control of your internet access. And if we wound up in a world where this ‘real’ identification system were required everywhere (even if it’s not required to sign up, if everyone uses it you pretty much have to), they could pretty much track everything you do, and shut you down instantly for whatever reason. That’s the bad side, though it’s not exactly likely to happen.

There’s also a video out about it, too. Check it out.
