Account security!
April 7, 2009Lodur over at Matticus’s post about password safety got me thinking. Parts of my day job involve computer security, so I’m going to go over some of the basics and tell you all what I do.
First off, as Lodur said, using a word for your password is bad mojo. Account crackers have virtually unlimited means to guess different words or combinations, and if you use a word in the dictionary, chances are they will eventually guess it, log in, shard all your gear, sell the shards, and move your cash to one of those gold spamming characters.
Next issue is how often you use your password. If your comment login for wowinsider is the same as your WOW login, all it takes is for a blogger to make a mistake and your password becomes essentially public. Bloggers make mistakes- we started blogs, didn’t we? More to the point, every site you re-use a password on is another vector for someone to get the keys to your whole online life.
After password re-use and password guessability, your largest risk is only a risk if you take it: sharing your account. I don’t care how cool your brother is. If you give him your password, he’s statistically most likely to burn you. Maybe not deliberately, but statistically. I’m going to be called a jerk for this one, but nobody, not even my beloved wife, knows my password. I would take my trust in her intentions to the grave, but if a mistake is made and my account gets ruined, I want it to be MY mistake. Never share a password.
Another issue is stagnancy. If you have a completely private, hard to guess password that you only use for WOW, but you haven’t changed it since 2004, you’re risking your account. The chances of some long shot hack in any given month are rare, but the longer it’s been since a password change, the more likely you are to be on some hacker’s list of accounts with known passwords.
That’s the theory, onto the practical stuff. What can you do to alleviate some of these issues? First off, memorizing multiple hard passwords is something only autistic savants can do. Create a weak stupid password you don’t care about, and use that to comment on wowinsider. More importantly, categorize all your logins by how important their security is.
Now all the logins you really need to keep secure should have unique unguessable passwords. How can you do that? The miracles of open source software come in here: go get Keepass from sourceforge.
Keepass is a wonderful little tool that gives you a master key to your online life. You create a key file, and you can add logins to it. It’s not something you want to use for really high importance stuff (online banking, paypall, etc) but for something like WOW, it’s ideal. Please note- this will not help you with some of the vulnerabilities I outlined above. You still have to change your public passwords once in a while, and never share them in order for this to be worth it. Some other helpful hints- there’s an option for the program to clear your clipboard once you’ve pasted the password. Enable it, but be aware that it won’t work if you have some other sort of clipboard manager program. This helps avoid keyloggers and clipboard scanners. It’s not perfect, but it puts you in the top 1% hardest to crack accounts, and that’s good enough for me :)
The important thing about keepass is that your master key should be hard to guess, and never used for anything but the keepass database.
Making this one hard to guess password is important- what I suggest to do is take two words you can remember, interleave the letters, and add two numbers in random positions. So, “dps” and “scrub” become “sdcprsu65b” It’s going to be hard to remember this, so practice typing it out for a few minutes once a day for a few days.
Once you have a keepass file created, creating a key is easy. Just click on the “new” button. Here’s a sequence of screenshots for the process:
This is the box you get when you create a new login. The only thing you need here is to click “gen”, however putting a title will help you remember whether this is your WOW or WordPress account.
This is the cool part! Every password will have restrictions. I don’t know what they are for WOW as they only publish the minimum requirements, however I am assuming they accept letters, numbers, the “_” and “-” characters, as well as special characters. If they don’t, just untick whatever box they don’t support. Every site everywhere should accept numbers and letters though. As for the maximum length, go wild. Put as many characters as you want, but for all intents and purposes, anything above 16 is unbreakable except by the NSA. My Google password has over 30 characters. Collecting entropy I’ll explain later, so click on “generate”.
Here you’re going to do something called “seeding”. Generating a random number is something humans are terrible at, and something computers are incapable of. Pseudo-random numbers, however, serve our purpose. Pseudo random number generators will always generate the same random sequence of numbers with the same “seed”. If your “seed” number is sufficiently random and unguessable, the number generated by the pseudo-random number generator will be actually random. Why is this important? For WOW, it isn’t. For the NSA, they know all the good pseudo-random number generator algorithms, and can often infer patterns if the same seed is used more than once. Solution? Collect entropy! Click on “use mouse as random source”, then wiggle your pointer for all you’re worth over that dot pattern. Unless you’re really precise, you won’t even know what random seed the program will get from this!
Once you’re done, you’ll have this screen. The highlighted part tells you how strong your password it. Green is good. The number of bits is basically based on the number of characters you picked. Here’s the one I generated to take these screenshots: “hK6FrE;zjkfy*Y=(4″8S”. Dictionary attack that, stupid gold farmers!
Next up- the blizzard authenticator. The only time this will help you is if someone has your login, but not the key fob (the little code generator they ship us). This means that you can use it to restrict friends who you’ve shared your login with from using your account, but you shouldn’t be doing that anyways. Other than that, the authenticator is useless. Anyone good enough to crack your password can probably crack your home address, phone number, or email, and as far as I know, that’s all Blizzard needs over the phone to deactivate the requirement for the authenticator. This is called a “back door” and is used to make the system more usable- imagine how horrible you’d feel if you lost your authenticator and had to start a new account. Unfortunately, it’s also what makes the system next to useless.
Okay, well I’m going to go and soak my fingers- I think this might be the longest post I’ve written thus far. I’m sure I missed some stuff too, but I’ll be responding to comments as the come, so ask away.
euripidesoutdps
jurgwena
Faeghleis
lemli
eidotrope
Nice response! =D
Thanks :)
Nice post, very informative :)
I also have done a lot of computer security and one of the tips I have given my users is to pick a phrase you will not forget and base passwords on that. Making it an easily remembered phrase helps prevent that sticky note with a password written on it under the keyboard (the bane of security staff everywhere).
So a simple example would be: WoW has taken over my life and I will never be free!
Take that phrase and pull out words and first characters: WoWhtomlaiwnbf! (Uses WoW and the first character of each word plus the punctuation. For short phrases you can use all the words – see examples below.).
Then take that series of characters and do some simple substitutions (btw, substitution should NEVER be used on dictionary words alone, password crackers use it too! A random phrase like above is pretty safe though.)
So for this example I am using the following (simple) substitions, feel free to create ones that you will remember.
o=0 (zero)
i=1
a=@
I always suggest using the same ones for all your passwords, so if you substitute the > (greater than) for a g in a password try to do it in all of your passwords so it is easier to remember. Keep in mind as stated in the article that some systems will have restrictions so be prepared with alternatives.
So now our easy to remember phrase becomes: W0Wht0ml@1wnbf!
That is a password any security staff would be proud of and all you have to remember is your phrase and substitutions. Always try to include one upper case character and one punctuation and you will be better off than the guy who uses only lower case. Hackers will go for the quickest and easiest accounts to crack, so make it hard for them.
Some other examples (and don’t ever let me catch you using these) are:
The quick brown fox jumped over the lazy dog.
Tqbfj0tld.
I like ice cream?
1Lik31c3cr3@m?
Elf babes are hot!
31fB@be$@r3h0t!
Awesome tips! Thanks!
“First off, memorizing multiple hard passwords is something only autistic savants can do.”
Go take an alphanumeric string thats around you and use it.
computer serial numbers, rarely guessable, almost always alphanumeric.
Car number plates, Use a pair of old ones together, already memorised
Use every second letter of the title of a book on your shelf.
There are no limits on it, and most of them you can look at your shelf, or the back of your desk, and check it :)
Yeah, I also included the method I use- take two words and a number, interleave digits. Makes it immune to dictionary attacks.
“that’s all Blizzard needs over the phone” – I would be very surprised if Blizzard didn’t ask for the credit card details you payed for the account with, and if a hacker did have that information, you have a lot more to worry about than your WoW account ;).
Yes, paying with a credit card certainly does add a level of security, however getting credit card info is no harder than stealing a wow password. Neither of which should be trivial, yet we know both happen.
There would be one other thing I would recommend not to do : playing in a cyber coffee.
The only time I got hacked was when I had to play in a cyber coffee waiting for my internet to work at home ^^