January 10th, 2015 Brian Herzog
A patron came up to the desk and asked for me specifically (I was in the office at the time). She said she needs help with her computer, and hoped that I could fix it for her.
The abbreviated version of the story is that her laptop was having problems, so she took it "to the shop" to have them fix it. They said they did, and she never tried it to make sure - she just put it on a shelf and didn't use the computer.
For a year.
Now, a year later, she wanted to use her computer again, but can't remember the password. And can I help?
At least she knew that she had Windows XP, which is something. She didn't have the computer with her, so she said she'd come back the next day.
Which gave me a day to research how to reset or bypass a Windows XP user password, because I had no idea - and it sounded like something that should not be an easy thing to do. However, I found all kinds of websites with all kinds of complicated methods of discovering or resetting the password, including putting password recovery software on a boot disk. Then I found this kid's video:
That seemed easy and straightforward, so I figured I'd try it first - too easy in fact, but, as much as I wanted to help the patron, I didn't think we could really offer support beyond this. Downloading hacking software to a boot disk seemed a bit drastic.
So she came in the next day, and I was shocked that the kid's technique worked flawlessly. Partly because I didn't expect it to be so easy, and partly because it doesn't seem at all safe that it is that easy. But then, this was on a very old laptop with XP.
At any rate, the patron was happy she had access to her computer again - and of course thought I was a genius. I gave her a little talk about updating the anti-virus and getting a year's worth of security updates before she uses it normally online, and also told her that XP is no longer supported and maybe think about getting a new computer. She said she got along for a year without a computer at all, so she'll see how it goes.
With a little luck, she may still enjoy XP for years to come.
October 1st, 2014 Brian Herzog
This weekend on Twitter, @itsokayihaveabook linked to a great article on the current thinking for choosing a secure password. I don't keep up with this stuff all the time, but every so often I will check in to see what the developments are. If you only read one password security article this year, this is a good candidate.
I liked this one because it wasn't just preachy-talky on why good passwords are important - he explains how password hacking works, and gives advice based on that to create better passwords.
Some things not to do:
- don't use words: password guessing software crunches through multiple dictionaries at unbelievable speeds, so even nonsensical word combinations will eventually be guessed
- don't use personally-identifiable information: many aspects of our lives are online, and hackers will use everything they know about us when guessing passwords - so don't use addresses, phone numbers, birthdates, schools, mascots, relatives' names, etc.
- don't be common: there are lots of standard passwords (like pa$$w0rd, temp1234, i<3book$, etc.) that are incorporated into password-guessing - even though it looks tricky to the eye, if other people are using it, chances are the hackers will try it
- don't reuse passwords: with corporate-level security breaches, even a good password might be compromised through no fault of your own. But if you use the same good password for all your accounts, once the hackers get it from Home Depot or Target or wherever, then it's much easier for them to get into your PayPal and Amazon and bank accounts
So here's what he feels you can do - the "Schneier scheme":
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence -- something personal.
The entire article is worth reading. But his bottom-line takeaway is kind of scary: "Pretty much anything that can be remembered can be cracked."
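As an added example (not code from the article or from this blog), here is the "dictionary plus substitutions" idea above written as a defender-side policy check: a candidate password is flagged when, after undoing the usual tricks, it reduces to dictionary words. The WORDLIST and the substitution table are constructed toy inputs; a real checker would load a large wordlist.

```python
import re
from typing import List, Optional

# Constructed toy wordlist standing in for the multiple dictionaries the
# article says guessing tools run through; a real checker loads a large file.
WORDLIST = {"i", "love", "book", "books", "password", "temp", "this", "little",
            "piggy", "went", "to", "market"}

# Substitutions guessing tools apply to dictionary words ("mangling rules");
# undoing them first means "pa$$w0rd" is looked up as "password".
LEET = str.maketrans({"$": "s", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase, drop appended digits/symbols, expand '<3', undo leet."""
    text = password.lower()
    text = re.sub(r"^[^a-z]+|[^a-z]+$", "", text)  # "temp1234" -> "temp"
    text = text.replace("<3", "love").translate(LEET)
    return re.sub(r"[^a-z]", "", text)  # anything still non-letter is dropped


def segment(letters: str) -> Optional[List[str]]:
    """Split letters entirely into dictionary words, or return None."""
    # best[i] holds a segmentation of letters[:i], or None if there is none.
    best: List[Optional[List[str]]] = [[]] + [None] * len(letters)
    for end in range(1, len(letters) + 1):
        for start in range(end):
            if best[start] is not None and letters[start:end] in WORDLIST:
                best[end] = best[start] + [letters[start:end]]
                break
    return best[len(letters)]


def is_dictionary_derived(password: str) -> bool:
    """True when the password is only dictionary words plus mangling tricks."""
    letters = normalize(password)
    return bool(letters) and segment(letters) is not None
```

The three "common" examples from the list are all flagged, while the sentence-derived "tlpWENT2m" is not, because its letters never line up with whole words.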
I'm going to start recommending this technique when helping patrons set up email accounts. Thanks Jenny!
Update 10/3/14:
A reader sent me a link to another article, Why you don't need long, complex passwords. I sort of referenced the gist above, but it does a much better job of spelling out another major vulnerability. Thanks R. E.!
The bottom line of all of this seems to be that living is inherently dangerous, so live well and don't worry too much about it.
Posted under Uncategorized | Comments Off on Creating Better Passwords By Knowing How They’re Cracked