Why do you need a secure password
Email is one of the most frequently used modes of communication. When you sign up for an email account you agree to the provider's terms of service, and if you read them carefully you will usually find that you are held responsible for whatever is sent from your account. So if your password is compromised and someone else sends an abusive or threatening email from your account, you are the one who has to explain it and possibly bear the consequences of any legal proceedings. Beyond that, if your mailbox holds sensitive information about your business or personal relationships, information that could ruin your reputation or cause financial loss if it became public, you need a secure email account, and that starts with a secure password.
What are the methods of cracking a password
Password Guessing
This method can only be used by someone who has gathered a fair amount of personal information about the victim. It sounds hard, but given the way most people create passwords it is quite feasible. The majority of people make simple passwords such as their own name followed by their birthday, e.g. Zakir0612, or the name of a loved one with that person's date of birth, e.g. ayesha2203. These are weak passwords and can be guessed by anyone in close contact with the victim. Nowadays the same information can be collected from social networking sites such as Orkut and Facebook. Users post a great deal about themselves on these sites, and an attacker can often get at it simply by sending a friend request, which turns social networking into one more way of cracking weak passwords. Name and date-of-birth combinations, whether the victim's own or those of their loved ones, are extremely easy to harvest there.
Brute Force Attacks
A small program can be written that repeatedly feeds guesses into the login screen: first dictionary words from any language, then words combined with numbers, and finally every possible combination of characters (a true brute force). With a modern CPU such a program can try a very large number of combinations per minute, and if the password is weak, as in the examples above, it does not take long to crack. In theory any password can be found this way; in practice the time required is the limiting factor. A password that mixes lower-case letters, capitals, digits and special characters and is about 20 characters long has so many possible combinations that exhaustive search would take far longer than a lifetime. Note that the guess rate also depends on where the guessing happens: an online login form can limit attempts, whereas an attacker who has obtained a copy of the password database (or a KeePass file) can guess offline as fast as the hardware allows.
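To make the two sections above concrete, here is a small targeted guessing script, added here as an example and not part of the original post. It takes names an attacker might lift from a social-networking profile, glues on the date suffixes people typically use, and tests each candidate against a constructed set of unsalted SHA-256 password hashes: two follow the weak name-plus-birthday pattern, the third is the long acronym passphrase built later in this post. The names, the hash list and the date ranges are all made up for the example.

```python
import hashlib
from itertools import product


def sha256_hex(text):
    """Unsalted SHA-256 of a string, hex encoded (the kind of hash found in careless leaks)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample "leak": hashes of three accounts' passwords. The plaintexts are
# only shown here so the example is self-contained; the attacker sees the hashes alone.
LEAKED_HASHES = {
    sha256_hex(p) for p in (
        "Zakir0612",                                       # own name + birthday (weak)
        "ayesha2203",                                      # loved one's name + birthday (weak)
        "iaasmwmup00987895676543456865432ANIHASSPWCSTBA",  # the acronym passphrase (strong)
    )
}


def date_suffixes(years):
    """Yield the number blocks people glue onto names: DDMM, MMDD, YY, YYYY, DDMMYY."""
    days, months, years = range(1, 32), range(1, 13), list(years)
    for d, m in product(days, months):
        yield f"{d:02d}{m:02d}"
        yield f"{m:02d}{d:02d}"
    for y in years:
        yield f"{y:04d}"
        yield f"{y % 100:02d}"
    for d, m, y in product(days, months, years):
        yield f"{d:02d}{m:02d}{y % 100:02d}"


def name_variants(name):
    """The three capitalisations people actually use."""
    return (name.lower(), name.capitalize(), name.upper())


def guess_passwords(names, hashes, years=range(1950, 2009)):
    """Targeted guessing attack: names from the victim's profile plus date suffixes.

    Returns (cracked, tried): cracked maps each recovered hash to its plaintext,
    tried is the number of candidates hashed.
    """
    cracked, tried = {}, 0
    suffixes = list(date_suffixes(years))
    for name in names:
        for base in name_variants(name):
            for suffix in suffixes:
                candidate = base + suffix
                tried += 1
                digest = sha256_hex(candidate)
                if digest in hashes:
                    cracked[digest] = candidate
    return cracked, tried


if __name__ == "__main__":
    # Constructed: names an attacker could lift from a public profile and its friend list.
    found, n = guess_passwords(["zakir", "ayesha", "imran"], LEAKED_HASHES)
    print(f"tried {n} candidates, cracked {len(found)}: {sorted(found.values())}")
```

The two name-plus-date passwords fall in well under a second of hashing on any modern machine, while the acronym passphrase is never even generated by this candidate scheme; a true brute force of its 46 characters would have to enumerate a keyspace the script cannot hope to cover.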
Phishing
Phishing is the practice of faking a web page and its login screen and presenting it to the user; it usually starts with an email that directs the victim to the fake site. It is most commonly used to gain access to a user's bank account. Most banks have their own sites that provide a host of services to their customers, and a bank account is a lucrative target because it can yield a lot of money without much effort. Faking a website is very easy. Open any website in your browser and click View > Page Source in Firefox or View > Source in Internet Explorer. Open Notepad, paste the code into it, save the file as name.html and open it to see for yourself. The few missing graphics you see can easily be filled in by an attacker. What the copy cannot fake is the address: the fake page has to send your login details somewhere other than the real bank, so look at where the link in the email really points and at the address bar before typing anything.
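The copied page looks identical, but the email that leads you to it cannot hide where its links really go. Below is an added example, not from the original post, that scans the HTML of an email for the three tell-tales: link text that shows one host while the href points to another, links to a raw IP address, and hostnames that merely contain a trusted domain such as bank.example without belonging to it. The sample email and the trusted-domain list are constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phishing email: one mismatched link, one lookalike host, one genuine link.
SAMPLE_EMAIL = """\
<p>Dear customer, your account has been limited.</p>
<p>Please <a href="http://203.0.113.5/bank/login.html">https://www.bank.example/login</a> to restore access.</p>
<p>Or update your details at <a href="https://www.bank.example.secure-update.test/">our secure site</a>.</p>
<p>Genuine link for comparison: <a href="https://www.bank.example/login">Log in</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted_domains):
    """Return [(href, [reasons])] for links showing the classic phishing tell-tales."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        # Tell-tale 1: the text looks like a URL but names a different host than the href.
        text_host = host_of(text) if text.startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            reasons.append(f"link text shows {text_host} but points to {href_host}")
        # Tell-tale 2: a bank does not send you to a bare IP address.
        if is_ip(href_host):
            reasons.append("link points to a raw IP address")
        # Tell-tale 3: the trusted name appears inside a host that is not actually under it.
        for domain in trusted_domains:
            if domain in href_host and not belongs_to(href_host, domain):
                reasons.append(f"host imitates {domain}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, ["bank.example"]):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run it on the raw HTML of a suspicious message (most mail clients can show or save the source). The check is deliberately conservative: it never declares a link safe, it only points out the links that deserve a second look before you click.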
Pharming
First we had phishing, now we have pharming, a newer buzzword in Internet scams and an attack that is especially dangerous for people who use home networks, because the anti-virus software and firewall on the PC generally cannot detect or stop it once the name lookup has been tampered with. Phishing is when you get what seems to be a legitimate email inviting you to click a link that takes you to a website that also looks genuine. In fact it is a spoof, set up to look like your bank or PayPal or some other site you trust, that asks you to key in your user name, password or other important information. Then they have got you; you are hooked and ready to reel in. But here is the killer: pharming happens when you key the correct address into your browser and still end up on the spoof site. Now that is scary.
In Depth
When you type a website address into your browser, let's say www.softwareuniverse.wordpress.com, the browser asks a name server (DNS) to look up that name and convert it to a sequence of numbers, which is the site's real address on the network. This sequence is called an Internet Protocol (IP) address, and every website and computer, including yours, has one that uniquely identifies it on the Internet, just as your phone number uniquely identifies you. Pharming works by corrupting this lookup, either on your own side (the hosts file on your PC, which is consulted before DNS is asked at all, or the DNS settings of your home router) or at the name server itself, so that the correct name quietly resolves to the attacker's IP address.
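On a Windows PC the simplest place for a pharming trojan to redirect a name is the local hosts file (under System32\drivers\etc), which the system consults before it asks DNS at all. The following added example, not part of the original post, parses a hosts file and flags any entry that pins one of the domains you bank with to a fixed address; such names have no business being in a hosts file, whatever address they point to. The sample file contents and the watch list are constructed, and the file location assumes the default %SystemRoot%.

```python
import ipaddress
import os
from pathlib import Path

# Constructed sample of a hosts file after a pharming trojan appended the last two lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas               # a legitimate home-network entry
203.0.113.7     www.bank.example
203.0.113.7     paypal.example secure.paypal.example
"""

# Constructed: domains this user logs in to and would never expect to see in a hosts file.
WATCH_LIST = ["bank.example", "paypal.example"]


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every address/name pair in a hosts file."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address, skip the junk line
        for name in fields[1:]:
            yield number, ip, name.lower()


def belongs_to(host, domain):
    """True for the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def pinned_watch_entries(text, watch_list=WATCH_LIST):
    """Return (line, name, ip) for hosts entries that override a watched domain."""
    findings = []
    for number, ip, name in parse_hosts(text):
        if any(belongs_to(name, domain) for domain in watch_list):
            findings.append((number, name, str(ip)))
    return findings


def hosts_file_path():
    """Location of the system hosts file (assumes the default SystemRoot on Windows)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


if __name__ == "__main__":
    # Audit the constructed sample first, then the real file if it is readable.
    for number, name, ip in pinned_watch_entries(SAMPLE_HOSTS):
        print(f"sample line {number}: {name} is pinned to {ip}")
    try:
        real = hosts_file_path().read_text(errors="replace")
        for number, name, ip in pinned_watch_entries(real):
            print(f"{hosts_file_path()} line {number}: {name} is pinned to {ip}")
    except OSError as err:
        print(f"could not read hosts file: {err}")
```

The router side of the same attack cannot be checked from the PC; log in to the router and confirm its DNS servers are the ones your provider gave you (or ones you chose), and change the router's default administrator password, since that is how the settings get altered in the first place.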
Key Loggers
Key loggers, as the name suggests, make a log of every keystroke typed on the keyboard. If a key logger is installed on a system there is no way to hide your data, however strong the password. To see the myriad of options and "wonderful" services a key logger offers, have a look at the following pictures, taken after installing one. I opened my text editor, OpenOffice.org Writer, to type some text for my students in final year B.D.S.
Fig 2: Text typed in OpenOffice.org
Fig 1: Key Logger Log File Information
Then I opened the key logger's log file, only to be amazed by the amount of information it had gathered. See Fig 1.
The calendar on the left shows the date. Below it you can see that the logging method is Keystrokes; the other options are Screenshots, Websites and Clipboard. From the log file it can be deduced that a program named OpenOffice.org was launched and that a file named Untitled 1 was open (green text). The date and time are recorded as 3/19/2008, 9:34:17 PM. All the text typed in the main program is also captured and displayed (red text). It does not stop there: it also records that the file was saved at a certain time under the name Dental Caries. Save me Lord!!!
Some more Logger Brutalities
The log file can be sent to a predefined email address or even uploaded to an FTP server, provided the appropriate settings have been made. See Fig 3
Fig 3: Delivering log files to one's own account using the key logger.
Here you can see the email settings. You can set a time interval, a subject, the email address, the host and port etc. There is also an FTP Delivery tab. Is anything still left? This delivery step is, incidentally, the one thing about the key logger you can watch for from outside: to mail or upload its logs it has to open a network connection, which a firewall that asks about outgoing connections per program will reveal.
How to safeguard against key loggers
Every running program has a process that can be seen in the Processes tab of Windows Task Manager (press Control + Alt + Delete). Task Manager gives a very poor description of each process, which makes it difficult to tell what a process actually is, so specialised programs are more useful, but it is a start. Note the trick the key logger uses: it names its process winlogons.exe, one letter away from the genuine Windows process winlogon.exe, so that it blends into the list. The process with the extra s is the key logger.
Fig 4: Windows Task Manager, Processes tab. Very little information
A more sophisticated approach is to use a program like Process Explorer, which gives a much fuller description. See Fig 5. It shows the winlogons.exe process, and most importantly its path, C:\Program Files\Free KGB Key Logger\winlogons.exe, which tells the whole story: the real winlogon.exe lives in the Windows system directory, not under Program Files. Bear in mind that this only catches key loggers that run as a separate, visible process; one that hides inside another program's process or runs as a driver will not show up this way.
Fig 5: Process Explorer shows the process with the path and the program name
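The two tell-tales in Fig 4 and Fig 5, a name one letter off a system process and a system-process name running from the wrong directory, are easy to check automatically. The following added example, not from the original post, scores a list of (process name, full path) pairs against a short list of well-known Windows process names; on Windows it fills that list from wmic, elsewhere it runs on a constructed sample that mirrors the Free KGB Key Logger case above. The process-name list, the system-directory prefixes and the wmic call are assumptions of the example, not something the post describes.

```python
import csv
import difflib
import io
import os
import subprocess

# Well-known Windows process names that malware likes to imitate (assumed list).
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                "svchost.exe", "explorer.exe", "smss.exe", "spoolsv.exe"}
# Where those processes legitimately run from (assumes the default SystemRoot, lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")

# Constructed sample mirroring Fig 5: the key logger hides as winlogons.exe under Program Files.
SAMPLE_PROCESSES = [
    ("winlogon.exe",  r"C:\Windows\System32\winlogon.exe"),
    ("explorer.exe",  r"C:\Windows\explorer.exe"),
    ("swriter.exe",   r"C:\Program Files\OpenOffice.org 2.4\program\swriter.exe"),
    ("winlogons.exe", r"C:\Program Files\Free KGB Key Logger\winlogons.exe"),
]


def suspicious_processes(processes):
    """Flag lookalike names and system names that run outside the system directories.

    Returns [(name, path, [reasons])] for every process that matched a rule.
    """
    findings = []
    for name, path in processes:
        lname, lpath = name.lower(), (path or "").lower()
        reasons = []
        if lname in SYSTEM_NAMES:
            # Genuine name, but is it running from where Windows keeps it?
            if lpath and not lpath.startswith(SYSTEM_DIRS):
                reasons.append("system process name running outside the Windows directory")
        else:
            # Not a system name: is it one or two characters away from one (winlogons.exe)?
            close = difflib.get_close_matches(lname, SYSTEM_NAMES, n=1, cutoff=0.85)
            if close:
                reasons.append(f"name looks like {close[0]}")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def collect_windows_processes():
    """Ask wmic for the name and image path of every process (Windows only, assumed CSV columns)."""
    out = subprocess.run(["wmic", "process", "get", "Name,ExecutablePath", "/format:csv"],
                         capture_output=True, text=True, check=True).stdout
    rows = csv.DictReader(io.StringIO(out.lstrip()))
    return [(row["Name"], row["ExecutablePath"]) for row in rows if row.get("Name")]


if __name__ == "__main__":
    procs = collect_windows_processes() if os.name == "nt" else SAMPLE_PROCESSES
    for name, path, reasons in suspicious_processes(procs):
        print(f"{name}  {path}")
        for reason in reasons:
            print("   -", reason)
```

The fuzzy match is what catches the extra-letter trick; the path rule catches the opposite trick, a correctly spelled svchost.exe or winlogon.exe dropped into a user-writable folder. Neither rule helps against a key logger that has no process of its own, which is why the note above about injected or driver-based loggers matters.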
Creating a secure password
It has been said that "a chain is only as strong as its weakest link". So whatever the strength of the software, the safety of all the data rests on the strength of the master password. To create a password that is long and complex yet easy to recall, there is a memory trick.
First make up a sentence you can relate to, e.g. "I am a strong man who makes unbreakable passwords". Append a long number that you have a record of and use often, such as your bank account number. Append another number, e.g. your enrolment number or your spouse's phone number. Then make a second sentence, this time in capitals, e.g. "AND NOW I HAVE A SUPER STRONG PASSWORD WHICH CAN SURVIVE THE BRUTEFORCE ATTACKS". Your full text is now something like "I am a strong man who makes unbreakable passwords00987895676543456865432AND NOW I HAVE A SUPER STRONG PASSWORD WHICH CAN SURVIVE THE BRUTEFORCE ATTACKS". Finally shorten it by keeping only the first letter of each word, leaving the numbers as they are, and you have a very strong password: "iaasmwmup00987895676543456865432ANIHASSPWCSTBA". One caveat, in the light of the Password Guessing section above: numbers that other people can see, such as an account number printed on your cheques or a phone number in your friends' contact lists, add length but not much secrecy, so do not let them be the only hard part of the password.
The reason for mixing lower-case and capital letters with numbers is that every extra character class enlarges the set of combinations a brute-force attack has to try, which makes the password far harder to crack. Now that you have the basic idea, use your own imagination to combine letters, numbers and sentences in whatever way suits you best, and above all in a way that is easy for you to remember but not for others. It is then your own humble responsibility to remember the master password, because once it is forgotten you will lose all the data in KeePass. And yes, the easiest way to learn to remember it is to open accounts on about 300 of your favourite sites and forget the password once. It will be the last time you ever forget anything in your life.
If you use a master password you only have to remember one password or passphrase, as described above. KeePass has some basic protection against brute-force and dictionary attacks (the key transformation rounds described below). If you forget the master password, all the other passwords in the database are lost too. There is no back door and no key that can open all databases. There is no way of recovering your passwords.
KeePass Password Safe
Creating a new file
Fire up KeePass and click File > New, as in Fig 6
Fig 6: New File Menu to create a new database file for storing passwords
As soon as you click New, a window prompts you for the name of the file. By default it is NewDatabase, but you can change it as you wish. The location of the file is also chosen at this point. See Fig 7
Fig 7: The upper half shows the chosen location, the lower half the file name used for saving. NewDatabase is the default name.
Saving leads to the next step, which asks you for a master password. Here the securely created master password from above comes into play.
Feeding Master Password
You can now type this strong but easy-to-remember password into the field provided, as in Fig 8
Fig 8: The master password window. Enter the master password in the appropriate field
The second part of Fig 8 is Key File / Provider. When you tick the check box, two more buttons appear: Create and Browse. Click Create. This opens an entropy collection window. You now have two ways to create the key file: move the mouse vigorously and haphazardly over the black-and-white dotted area, or type randomly on the keyboard. See Fig 9. Using both a password and a key file means an attacker needs both to open the database: the key file cannot be guessed, but it can be copied, so do not keep it next to the database on a shared folder.
Fig 9: Entropy collection. This is used as the source for generating the key file
When the bar turns green the process is complete; click OK. A save window appears again and prompts you for the file name and location. The most important point here is to make two backup copies of this key file as soon as you create it: one on another partition and one on a removable medium such as a pen drive or USB hard disk. Losing the key file is equivalent to forgetting your password. There is no way to recover it. No back doors. Click OK.
A new window pops up for the database settings. First-time users can leave all the settings as they are and simply nod in acceptance by pressing OK. These settings can be edited after the database has been created, whenever you wish. If you are curious, keep reading. First the General tab. Database name and Database description are optional; fill them in if you wish. If you plan to use the same user name for all new entries you can specify it under Default user name for new entries, the lowest field of the window. See Fig 10
Database Settings
Fig 10: The database settings window with the General tab open. The settings here are Database name, Database description and Default user name for new entries
The next tab in the database settings is Security. Here you set the encryption algorithm used to encrypt the database. All the algorithms KeePass offers are well-known standard algorithms, regarded as very secure by the cryptography community; they are used by banks, for example. All of them are unbroken and there is no "best" one. If you do not know which to choose, use the Advanced Encryption Standard (AES, Rijndael).
Key transformation is a very important parameter for protecting your password from attackers. When the master password is entered it is put through 6000 rounds of transformation by default before it becomes the final key that decrypts the database. This matters because an attacker trying to break the password has to perform the same number of rounds for every single guess, whether from a dictionary or by brute force. You can increase the number of rounds if you wish; it costs you a fraction of a second every time you open the database, but it costs the attacker the same fraction of a second per guess, multiplied by millions of guesses. Think of it as a delay: if opening the database takes 0.5 seconds, an attacker with similar hardware can try only two passwords per second, which makes dictionary and guessing attacks very inefficient (an attacker with faster hardware does proportionally better, but every guess still has to pay for the full number of rounds). To find out how many rounds your computer can do in one second, click the blue link "1 second delay"; the result appears in the box above it. See Fig 11
Fig 11: The Security tab lets you choose the encryption algorithm and the number of key transformation rounds, and compute the number of rounds for a 1 second delay
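To show what the key file (Fig 8 and Fig 9) and the transformation rounds (Fig 11) buy you, here is an added example; it is not KeePass's own code. It builds a composite key the way I understand KeePass to combine the two factors (SHA-256 of the password and of the key file, hashed together), stretches it with a configurable number of rounds, mirrors the "1 second delay" button by timing a sample and scaling, and works out what a given round count costs an attacker. The stretching function is PBKDF2-HMAC-SHA256 from the Python standard library, used here as a stand-in for KeePass's AES-based transformation; the seed, the key-file contents and the round counts are assumptions, and the real database format is not reproduced.

```python
import hashlib
import secrets
import time
from typing import Optional


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Combine the two factors: hash each one, then hash the concatenation.

    Assumed KeePass-style layout; with no key file only the password hash is used.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def transform_key(composite: bytes, seed: bytes, rounds: int) -> bytes:
    """Key stretching: every guess has to pay for `rounds` iterations.

    PBKDF2-HMAC-SHA256 stands in for the AES transformation KeePass actually uses.
    """
    return hashlib.pbkdf2_hmac("sha256", composite, seed, rounds, dklen=32)


def rounds_for_delay(target_seconds: float, seed: bytes, sample_rounds: int = 50_000) -> int:
    """Like the 'compute 1 second delay' button: time a sample and scale to the wanted delay."""
    probe = composite_key("timing probe", None)
    start = time.perf_counter()
    transform_key(probe, seed, sample_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(sample_rounds * target_seconds / elapsed))


def attacker_seconds(rounds: int, guesses: int, rounds_per_second: float) -> float:
    """Time an attacker needs for `guesses` tries if their hardware manages rounds_per_second."""
    return guesses * rounds / rounds_per_second


def new_key_file() -> bytes:
    """32 random bytes for a key file (KeePass gathers them from mouse and keyboard entropy)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    seed = secrets.token_bytes(32)      # the real seed lives in the database header
    key_file = new_key_file()
    password = "iaasmwmup00987895676543456865432ANIHASSPWCSTBA"
    with_file = transform_key(composite_key(password, key_file), seed, 6000)
    without = transform_key(composite_key(password, None), seed, 6000)
    print("password alone yields the same key:", with_file == without)   # False: both factors needed
    per_second = rounds_for_delay(1.0, seed)
    print(f"this machine manages about {per_second} rounds per second")
    # One million guesses at the default 6000 rounds versus the 1-second setting, same hardware:
    for r in (6000, per_second):
        print(f"{r:>10} rounds: {attacker_seconds(r, 1_000_000, per_second):,.0f} s for a million guesses")
```

Raising the rounds from the default to the 1-second figure makes every guess as expensive as opening your database once; a million dictionary guesses then cost the attacker about a million seconds on hardware like yours. It does nothing for a password that falls in the first hundred guesses, which is why the rounds complement the strong master password rather than replace it.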
The password and other fields of an open database could be read by another program that dumps the memory of the KeePass process. KeePass offers protection against this by keeping the fields encrypted in memory and decrypting them only when they are actually needed. Any or all of the fields can be protected, but the smartest, fastest and most useful choice is to protect the password field in the Protection tab.
Fig 12: Protection of database fields against being read from a memory dump. Protecting the password alone suffices; protecting all fields slows loading and saving the database.
The Compression tab offers two options: uncompressed and GZip. It is wise to compress the database to save space; GZip is an excellent and very fast compression method, so leave this option at GZip.
With that, the creation of the database is finished. You now see a window with the NewDatabase file open and one entry already present, Sample Entry. You can also see predefined groups. Groups keep the data organised and free of clutter even after you have created a few hundred entries. By default the groups are General, Windows, Network, Internet, Email and Home Banking. See Fig 13. KeePass is flexible enough to let you create as many groups and subgroups as you want.
Fig 13: The new file with its 6 default groups. More groups and subgroups can be created, and existing groups can be deleted or renamed if required.
Now you can start creating entries in the appropriate groups. Happy mailing.
Watch out for the next post with more protection tips.
