Monday, January 01, 2007

How safe is your password?

Recently, as most people know, the passwords of some MySpace users were compromised through a fake login page. And this is just a drop in the ocean when you take into account the phishing attacks that have been so rampant on the net lately, along with the vast number of Trojans that have been making the rounds.

This article on the SecuriTeam website clearly shows how some basic techniques can be used to steal passwords, especially at a website like Myspace.com, and how the passwords were compromised. Also, not long ago a Digg user posted the usernames and passwords of some MySpace users.

Clearly it has come to a stage where simply using complex 8-character or alphanumeric passwords is not going to safeguard Internet users from having their passwords stolen.

Even Firefox version 2 had a flaw in its password manager that could allow malicious people to collect the passwords of unsuspecting users. So far Firefox has not fixed this vulnerability. It is known as the Reverse Cross-Site Request (RCSR) vulnerability.

Recently I read an article by Bruce Schneier, and according to him the list of stolen MySpace passwords even contained a 32-character password: "1ancheste23nite41ancheste23nite4."

Other long passwords were "fool2thinkfool2thinkol2think" and "dokitty17darling7g7darling7."

All the effort put into those long and complex passwords did not keep them safe in the end, because someone managed to fool the users into believing they were logging in to MySpace, when in fact their passwords were being recorded on a fake server set up by the attacker.

Also according to Bruce Schneier, the following were the 20 most common passwords among the 34,000 compromised MySpace user passwords:

  • password1
  • abc123
  • myspace1
  • password
  • blink182
  • qwerty1
  • fuckyou
  • 123abc
  • baseball1
  • football1
  • 123456
  • soccer
  • monkey1
  • liverpool1
  • princess1
  • jordan23
  • slipknot1
  • superman1
  • iloveyou1
  • monkey

Among these the most commonly used was password1.

So in these days when security exploits and phishing attacks are rampant, there is also a wide range of password-cracking tools available for free on the net. Tools like Access Diver, which is actually meant to be used by security personnel to test their own networks, are being used widely by hackers for brute-force and dictionary attacks. Also freely and widely available are tools like Brutus and Cain & Abel. Add to that the Trojans and keyloggers, especially the Christmas-themed malware and the New Year-themed Postcard.exe Trojan, that have been making the rounds.

So users have no option but to build a strong defense. And how can you build a good defense? OK, let me give you some input:

  • Use browsers with anti-phishing toolbars like Firefox 2 (but disable the password manager in FF2 because of the RCSR vulnerability I mentioned earlier), Internet Explorer 7, or Opera's new 9.1 browser with its real-time anti-fraud feature.
  • You can also use the Netcraft Toolbar to protect yourself from malicious websites. It was the Netcraft Toolbar that spotted the fake website stealing the passwords of MySpace users.
  • You can also use McAfee's SiteAdvisor tool. You can download it here.
  • Disable Java, JavaScript, cookies, and ActiveX in your browser as much as you can.
  • Use complex and different passwords for each site, using password generators and password-storing tools, some of which even do encrypted auto-filling. You can have a look at some of the best password-related tools here.
  • Anti-Trojans -- Get a good anti-Trojan. Read this article I wrote for more information.
  • Anti-spyware -- You will find a list of some of the best anti-spyware tools, with reviews, here.
  • 27 steps to prevent viruses -- Read this article to get an idea of how you can protect yourself from getting a computer virus.
  • Anti-rootkits -- Check them out here.
And above all, always use your judgement. Happy and safe surfing, folks.
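As an added example (not from the original post), here is a Python sign-up screen that rejects the common passwords quoted above together with their digit-suffixed variants, and which also shows the post's point: a long password like the 32-character one still passes and still got phished. The normalisation rule (case-fold, strip trailing digits) is my assumption, based on pairs like "password"/"password1" in the list.

```python
import re
from typing import Tuple

# The 20 most common compromised passwords, taken from the list quoted in the post.
COMMON_MYSPACE_PASSWORDS = {
    "password1", "abc123", "myspace1", "password", "blink182", "qwerty1",
    "fuckyou", "123abc", "baseball1", "football1", "123456", "soccer",
    "monkey1", "liverpool1", "princess1", "jordan23", "slipknot1",
    "superman1", "iloveyou1", "monkey",
}

_TRAILING_DIGITS = re.compile(r"\d+$")

# Assumption: the list shows a word with digits bolted on ("monkey" -> "monkey1"),
# so the bare stems are blocked as well, whatever digit suffix is appended.
COMMON_STEMS = {_TRAILING_DIGITS.sub("", p) for p in COMMON_MYSPACE_PASSWORDS}
COMMON_STEMS.discard("")  # "123456" leaves no stem


def normalise(password: str) -> str:
    """Case-fold and strip trailing digits, so 'Password2007' reduces to 'password'."""
    return _TRAILING_DIGITS.sub("", password.strip().lower())


def screen_password(password: str, min_length: int = 8) -> Tuple[bool, str]:
    """Return (accepted, reason) for a password chosen at sign-up.

    Rejects anything on the leaked list, any digit-suffixed variant of it, and
    anything below the length floor. Note what this does NOT do: the 32-character
    password quoted in the post passes every check here and was still phished.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in COMMON_MYSPACE_PASSWORDS:
        return False, "is on the list of commonly compromised passwords"
    if normalise(password) in COMMON_STEMS:
        return False, "is a common password with digits appended"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates; the last one is the 32-character password from the post.
    for candidate in ["password1", "Password2007", "monkey12", "soccer",
                      "1ancheste23nite41ancheste23nite4"]:
        print(f"{candidate!r}: {screen_password(candidate)}")
```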
