Tuesday, December 27, 2011

Password Security

Alright, let's talk about something that needs to be addressed, something fundamental... your password(s).

Passwords should be like ugly Christmas socks: they should be long, the design should be complex, & they should never be worn to more than one event.

Let us tackle each of these qualities separately.

1) Length

Two years ago, I would have told you that a password 8 to 10 characters long would suffice.  By today's standards, that won't even get you in the doorway for password length requirements.  Things have changed since the days of the 8-character password.  For one, computer processing is much faster & more affordable.  Attack methods have changed as well.  It used to be that brute forcing an 8-character alphanumeric password with John the Ripper would take days; now, if the site stored your password as a plain unsalted hash, L0phtCrack with a good rainbow table can look it up in 5-10 minutes, because the table moves those days of computation to a one-time precomputation and leaves only a fast lookup for the attack itself.

Passwords that used to be
"Th1sl0ng"
should now be
"N0w b3 th!s l0ng & th1s c0mp13x!!!"
... including the spaces.  So, an eight-character password from 5 years ago should now be the equivalent of a 34-character complex passphrase.

2) Complexity

Speaking of complexity, a password should not be just a word with some numbers tacked on before or after it, nor should it contain anything I could learn about you from Google or Facebook.  It should be a long phrase or even a sentence made of things that you and only you would know & remember.

That means no pet names, no child's birth dates or years, & no high school mascots.

Example:
Th3 w@t3r b!ll f0r M4y 2012 w@s $121.01
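To put numbers on the length and complexity points above, here is an added example (my own code, not from the original post) that estimates the keyspace an attacker must cover for the two passwords shown and the worst-case time to exhaust it at an assumed guessing rate. The attacker speeds (1e9 and 1e4 guesses per second) and the character-class model are assumptions for illustration, not figures from the post.

```python
import math
import string

# Character classes a cracker has to add to its alphabet once one member appears.
# Space is counted as a symbol, since the post counts it as a password character.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digit": set(string.digits),               # 10
    "symbol": set(string.punctuation + " "),   # 32 + 1
}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character in the password."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """log2 of the candidates an exhaustive attack must cover: len * log2(alphabet).

    Assumes each character was chosen uniformly at random, so this is an upper bound;
    phrases built from words plus l33t substitutions fall to wordlist+rules attacks sooner."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an attacker guessing at the given rate to try the whole keyspace."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def strength_report(password: str, guesses_per_second: float) -> dict:
    """Everything needed to compare two passwords side by side."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(keyspace_bits(password), 1),
        "time_to_exhaust": human_duration(seconds_to_exhaust(password, guesses_per_second)),
    }


if __name__ == "__main__":
    # Assumed attacker speeds, not measured: 1e9/s for an unsalted fast hash on one GPU,
    # 1e4/s for an online login form with some rate limiting. Both are illustrative round numbers.
    for rate in (1e9, 1e4):
        for pw in ("Th1sl0ng", "N0w b3 th!s l0ng & th1s c0mp13x!!!"):
            print(f"{rate:.0e} guesses/s", repr(pw), strength_report(pw, rate))
```

Under these assumptions the 8-character alphanumeric password sits at about 47.6 bits, roughly 2.5 days at a billion guesses per second, which is the "days" the post remembers; the 34-character phrase is about 223 bits. One caveat: the model treats every character as random, so it is an upper bound. A phrase built from dictionary words with l33t substitutions (like the water-bill example) is attacked with wordlists plus substitution rules, not character by character, and falls far sooner than its bit count suggests.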

3) Never Use The Same Password

You -
"All these rules & passwords I need to remember.  You mean I can't use 'password123' for my Facebook, Gmail, Hotmail, Twitter, & Flickr accounts?!"

Me -
"No."

In this instance, sharing is NOT caring.  You wouldn't share your ugly Christmas socks with someone else, so why share the same password between accounts?  Once one site leaks it, every account that reuses it is open.

You -
"So, how do you expect me to keep up with all my passwords, because you KNOW I love me some interwebs?"

I'm glad you asked, kinda.

I'd suggest an encrypted password manager like KeePass or LastPass.  These store all your passwords, usernames, websites, & notes in an encrypted database, so the only thing you have to remember is one long master password to unlock the application.  Since that one password now protects everything, make it the strongest password you own.

KeePass: 

  • Runs on Windows, and on Mac OS X & Linux through Mono (or the KeePassX port).  
  • You can set an expiry date on each entry, so the application flags passwords that are due to be changed on a regular basis.
  • It can also generate long random passwords for you; copy & paste them into the login form, or let its Auto-Type feature fill the form.
  • Can be portable via USB flash drive, since the database is a single encrypted file.

LastPass:
  • Has the same features as KeePass (see above).
  • Online based: as long as you are near a computer or smartphone with an internet connection, you can get to your passwords.  The trade-off is that your encrypted vault lives on LastPass's servers, so the master password is all that protects it if those servers are ever breached.
  • Has browser plug-ins for Firefox and Chrome that can auto-fill login forms with a keyboard shortcut.
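Both managers work the same way underneath: the master password is run through a slow, salted key-derivation function, and the result is the key that decrypts the vault. The following added example (mine, not code from KeePass or LastPass) shows that mechanism with PBKDF2-HMAC-SHA256 from Python's standard library. The salts, iteration counts and the guess-rate measurement are illustrative choices; each product picks its own algorithm and work factor.

```python
import hashlib
import time

# Illustrative parameters only; KeePass and LastPass choose their own algorithms and costs.
KEY_LEN = 32           # bytes, enough for an AES-256 vault key
ITERATIONS = 200_000   # PBKDF2 work factor: higher means each master-password guess costs more


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a fixed-size key with PBKDF2-HMAC-SHA256.

    The per-vault random salt means a table precomputed against one vault is useless
    against another, and the iteration count slows every guess by the same factor
    for the attacker as for the legitimate user."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Measure how many master-password guesses one CPU core manages at this work factor."""
    salt = b"constructed-demo-salt"  # constructed for the demo; a real vault stores a random salt
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def salt_defeats_precomputation(master_password: str) -> bool:
    """Same password, two different salts: the derived keys share nothing an attacker
    could have looked up in a table built in advance."""
    key_a = derive_vault_key(master_password, b"salt-for-vault-A", 1_000)
    key_b = derive_vault_key(master_password, b"salt-for-vault-B", 1_000)
    return key_a != key_b and len(key_a) == KEY_LEN


if __name__ == "__main__":
    print("salt makes keys differ:",
          salt_defeats_precomputation("N0w b3 th!s l0ng & th1s c0mp13x!!!"))
    for iters in (1_000, ITERATIONS):
        print(f"{iters:>7} iterations: {guesses_per_second(iters):,.0f} guesses/s on this machine")
```

Run it and the measured guess rate drops by roughly the iteration ratio, which is the whole point of the work factor: the legitimate user pays it once per unlock, the attacker pays it for every guess. The per-vault salt is why a table precomputed against someone else's vault does nothing against yours.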


Thursday, December 22, 2011

Stop Online Piracy Act (SOPA)

This bill, currently in the House, is a very hot topic in Washington DC and across the web.


What is it supposed to do?

The bill's core agenda is to protect intellectual property from online piracy.


Who could it affect?

Anyone with an online presence.  That means those that publish online content & those that consume online content.


Why should I care?

Anyone could be liable for facilitating, transferring, enabling, or referencing pirated content, or content shared without the author's permission.

Here is an example:
Johnny is writing a blog post on sites to avoid because they host pirated movies.  He searches Google.com for "Ironman movie torrent" and gets a hit from www.fakesiteforpiratedmovies.com.  If Johnny links to the site and mentions that the latest Ironman movie is being torrented there, then given the wording of the bill, every party in that example could be liable.  That means Google.com & the fake movie site would be blocked, and Johnny could be sued or serve jail time just for linking to or referencing the site!

The bill's vague wording could also incriminate anyone who lies about themselves online.  Isn't that what makes the web THE WEB?


What the hell do I do about it?

Here are a few things you can do:
  • Write your representative
  • Boycott those that are lobbying for or supporting SOPA
  • Keep track of SOPA-related news and events
  • If the bill passes, you could still reach a blocked site by its IP address, since the bill only targets the "incriminating" domain name, not the server behind it.

Here are the companies that are supporting SOPA.  Let's start by voting with our dollars.

Tuesday, December 20, 2011

Here It Is

Finally, I mustered up the free time to create this blog.  I've been wanting to start it for a really long time now.  Hopefully, I'll be able to keep it up on a regular basis.

What is this blog all about?

Information Security
It's about the ever-morphing world of information security.  I work in the field of infosec, and as anyone else in the profession knows, there is always something to read about, learn, & keep up with.  This blog won't cover everything in infosec, but the topics that are covered here will be useful and informative.

Technology
I am also a gadget geek (albeit a limited gadget geek, for lack of cash), so covering all aspects of technology is always fun and exciting to me.  Anything with an electronic pulse will always be on my radar.

The Interwebs
Ahh, the World Wide Web.  From a website about the Tree Octopus to a Pop Tart encapsulated kitty cat flying through space with a trailing rainbow, playing on YouTube in a 10-minute loop.  Yeeeeah, my goal is not to cover the extreme ends of that spectrum (although a meme or viral video once in a while doesn't hurt), but to cover the middle of it, like the best web services for finding stuff to do when you're bored or the top 5 free streaming media sites.

Well, that's a quick overview of what's to come, until then I'll see you next post.