Passwords and Security

Most people nowadays have passwords protecting their user accounts on their Macs. Even a weak password is better than no password, but a strong password is better. The weakest passwords are easy to guess, like your last name, address, the number 1234, the word password, or similar things.

You’d be surprised at how many customers come through with 1234 or password as their protection. Or even worse, the password hint will be the password. 1234 or password are usually the first two things I try if someone can’t remember what they set as a password. The strongest passwords are those that are very long (16+ characters) and made up of random unrelated words, like “correcthorsebatterystaple.”

To show how secure specific types of passwords are, I’m going to give a few examples and show how long a basic computer would take to crack each one.

The password 1234 would take approximately 0.02401 seconds to crack. That figure assumes a computer using its CPU (not GPU-based cracking) and basic cracking software trying 100,000 passwords a second.

Someone using letters, numbers and symbols is in a better situation. A password like l33th4x0r would take approximately 6 years to crack.

correcthorsebatterystaple would take 2.888 × 10^21 years (if I’m remembering my math studies right that’s 2,888,000,000,000,000,000,000,000 years) under the same situation as the first two examples. If you go this route keep the password length at around 16 characters, four words should be sufficient. Generally the longer the password the more secure it is; repeating 1234 four times doesn’t count!

I used the Wolfram Alpha network admin assistant app for the iPad to calculate these cracking times. Be aware that as computers develop and software becomes more powerful, those cracking times are only going to decrease. It is also possible to use graphics processors to run password cracking software, and these are significantly faster.
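A simple exhaustive-search model of the estimates above, added here as an example; it is not the Wolfram Alpha calculation the article's figures came from, so its numbers differ. The character-class model, the 2,048-word list and the GPU rate are assumptions.

```python
import string

RATE_CPU = 100_000                      # guesses/second, the rate quoted above
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an exhaustive search must cover once one member appears.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Size of the combined character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def brute_force_candidates(password):
    """Candidates of every length up to len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def wordlist_candidates(word_count, wordlist_size):
    """Candidates when whole words are guessed from a list of known size."""
    return wordlist_size ** word_count


def worst_case_seconds(candidates, rate=RATE_CPU):
    """Time to try every candidate; on average a hit comes after about half."""
    return candidates / rate


def human(seconds):
    """Render a duration in seconds, days or years."""
    if seconds < 60:
        return f"{seconds:.4g} s"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.4g} days"
    return f"{seconds / SECONDS_PER_YEAR:.4g} years"


if __name__ == "__main__":
    for pw in ("1234", "l33th4x0r", "correcthorsebatterystaple"):
        secs = worst_case_seconds(brute_force_candidates(pw))
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}, {human(secs)}")
    # Assumption: the four words come from a 2,048-word list the guesser also has.
    words = wordlist_candidates(4, 2048)
    print("4 words, 2048-word list, CPU:", human(worst_case_seconds(words)))
    # Assumption: a GPU rig at 10 billion guesses/second (constructed figure).
    print("4 words, 2048-word list, GPU:", human(worst_case_seconds(words, 1e10)))
```

The estimate depends on the guessing model as much as on the password: the same four-word phrase is out of reach letter by letter, but far closer when whole words are guessed from a known list.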

So the moral of my rambling is: set a password, make it a string of four unrelated words that you can easily remember, and don’t use the same password for your Mac as you do for your email or other websites. Every place you need a password for should have a different password!

While Macs are not as vulnerable to viruses as PCs, you can still get hacked—especially if your home wireless network has no password or you use your computer on public Wi-Fi. It’s easier than you think to spoof a Wi-Fi connection and grab all the data coming and going from your computer. Finally, NEVER do personal banking from an unprotected or public Wi-Fi no matter how secure your passwords are.

Similar Posts

  • So here we are, almost to the end of February. The snowfall they predicted for New Hampshire seemed to stay well north of Manchester, giving us a slight dusting. The scant inch we got in some areas on Friday blew away in the gale force winds we got on Saturday. Vermont, on the other hand, got enough snow that Small Doggers from both stores were hitting the slopes.

    As we count down to the March 7th Apple announcement, the rumors are flying fast and furious. “iPad 3” is topping the search lists, with “iTV” a close second. Or perhaps another iPhone? Hmm, tough call there…

    This week’s Tech Tails brings you articles about Password Security, whether to repair or replace a defective computer, and some information about the upcoming OS X, Mountain Lion. With OS X 10.8 coming out in a few months, we’ll be sure to give you details as we get them.

    Thanks for reading!

    Glenn
    glenn@smalldog.com

  • Repair or Replace?

    A lot of customers, when considering whether to repair their Mac or simply replace it, will ask me what the average lifespan is of a Mac. This question cannot be easily answered by an average span of years. The answer to this question is completely conditional upon a number of factors.

    To me, the lifespan of a computer is when it has reached a point at which it is no longer functioning properly, and the cost to repair it is comparable to the machine’s value. At this point, in my opinion, it would be a wiser choice to invest in a new computer, rather than repair this one. This is a choice many customers have to make at some point(s) in their life, and it’s never a very easy one.

    Although it ultimately comes down to your individual budget, there are a few useful references and standard questions you should ask yourself to help you make this decision. Aside from the obvious websites that can be referenced to determine the value of your machine (eBay, Amazon), one website I typically check is EveryMac.com (http://www.everymac.com). Like the title says, they have a listing for every Mac, as well as model specifications, and an estimated current value range. I’ve noticed that their estimate values are generally a little higher than the specific model actually sells for, but it’s a good ballpark figure. Obviously, looking for your Mac’s model on a website like eBay will give you a good real-world value, it just may take a little more time/consideration (is it an auction? how much time is left?)

    One question you should ask yourself is how much this computer has cost you in the past. If you just had a major repair performed not too long ago, that’s definitely something to consider when making the decision of whether or not to repair your Mac. If this is the first issue you’ve had in a few years of use, then it may very well be worth keeping it running.

    The most important question I believe you should ask yourself, when making this decision, is how the Mac has been working for you. When a computer reaches a certain age, it’s inevitably going to face compatibility issues. Whether it won’t work with your brand new mobile device, or certain applications cease in their ability to be updated, causing further compatibility issues with things like websites or file formats. These compatibility issues should definitely be a considered factor when making your decision.

    Like I said, your individual budget is the most important when deciding whether to repair or replace your Mac, but it’s always good to take these conditions into consideration when making such a big decision.


  • OS X Mountain Lion: Protecting You from Yourself

    In addition to the obvious new apps like Reminders and Messages, Mountain Lion includes several “behind the scenes” features. One of the important ones is Gatekeeper, an attempt to help protect users from “bad” applications on the Web. Back when MacDefender was causing hair loss in support groups, Apple released a security update that would keep a list of known rogue applications and warn you if you attempted to run an application that appeared on that list. Gatekeeper takes that one step further by adding a set of options to better handle applications based on where they come from.

    Currently, OS X will alert you that an application came from the Internet, and make sure you want to run it. (You might see this and reply “Of course it is, I just downloaded it! Stupid warning message!” What if a rogue application downloaded a hacked copy of Address Book that was modified to send your contact list to a spammer? The next time you tried to run it, OS X would tell you that “Address Book is a program downloaded from the Internet.” THAT is why the warning exists–to make you stop and think.)

    Instead of just popping up a warning message, Gatekeeper will first attempt to validate that the application came from a trusted source, and if it did, the application will launch normally. If it could not be verified, then you will get the same familiar warning. By using this method, that “stupid warning message” should pop up a lot less often.

    Gatekeeper has three settings, found under Security and Privacy: Mac App Store, Mac App Store and identified developers, and Anywhere.

      • The first option is self-explanatory–you can only download programs from the App Store. Any other application would be rejected. It has been said in several articles that this is the default setting, but when I did an upgrade and a clean install, the setting was “Anywhere.”
      • The second option adds applications from developers that have been issued Developer IDs from Apple’s Developer Program. A Developer ID adds the ability for a developer to digitally sign their application, which not only identifies who wrote it, but proves that the code has not been altered in some way.
      • “Anywhere” offers no protection other than from the blacklist that already exists in Snow Leopard. If you download a program that is known malware, it will be blocked, but anything else is allowed.

    A common way of spreading malware is to download a legitimate program, add code to it, then repackage and redistribute it. Another way is to imitate someone else’s installation program, such as the fake Flash Updater that was floating around some time ago. You think you’re installing Adobe Flash Player, when really you’re putting dangerous code on your system that can allow someone to steal your private data. Gatekeeper will check the app’s “digital signature” and verify that it is valid. If someone changes the code, the digital signature is no longer present, and Gatekeeper will reject the program.

    Is Gatekeeper perfect? No, but it’s also still in beta, so there is time to improve it. I have seen a lot of comments that imply that “Apple is trying to lock down the OS” (http://gizmodo.com/5885837/this-is-how-apple-will-block-unapproved-apps-with-mountain-lions-gatekeeper) by only allowing applications that came from the App Store. While that would be good in that all apps would be verified safe, a lot of independent developers don’t like the idea of Apple taking a percentage of every app sold. There is the fear of the small time developer being squeezed out.

    Another possible problem is that there is nothing to stop someone determined to distribute malware from joining the Developer Program. They get their app into the Mac App Store, Gatekeeper says “this is a verified developer” and allows the program to run, and people get infected. The associated Developer ID would be used to trace the app back to the developer, the developer would be banned and all their apps would be removed from the App Store, but not before a bunch of people had their private data stolen by a trusted application. The damage is already done. The only solution to this is better vigilance on the part of Apple’s App Store approval process. They need to do more than a few automated checks before stamping “Approved” on the app.

    Apple has stated that the functionality of Gatekeeper is already built into OS X Lion 10.7.3, so if you want to see how it works, simply use the Terminal command:

    sudo spctl --enable

    To disable it, replace “--enable” with “--disable”.

    (Note: each parameter is preceded by two dashes, not one.)

    This feature is so developers can see how Gatekeeper will react to their applications. It is not intended as normal usage for an end user–since the majority of applications out there are not using digital signing via Apple’s Developer ID, Gatekeeper is quite likely going to reject everything you download, even though there is no actual problem with the app itself. Many news sites are using this to point out that Gatekeeper is fundamentally flawed because the support is not yet out there. Gatekeeper has to be told what is good and what is bad, and like Joshua from WarGames, it hasn’t learned yet!
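
A simplified model of the three settings and the signature check described above, added as an example; it is not Apple's code. The toy RSA key, the single trusted signer, the sample installer bytes and the function names are assumptions.

```python
import hashlib

# Toy RSA key standing in for a developer's signing key (assumption: two
# Mersenne primes chosen so this runs offline; far too small for real use).
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

MAS_ONLY = "Mac App Store"
MAS_AND_IDENTIFIED = "Mac App Store and identified developers"
ANYWHERE = "Anywhere"


def digest(code: bytes) -> int:
    """SHA-256 of the app's code, reduced into the toy key's range."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big") % N


def sign(code: bytes) -> int:
    """What the developer does once, before shipping."""
    return pow(digest(code), D, N)


def signature_valid(code: bytes, signature) -> bool:
    """True only if the signature matches the code exactly as it is now."""
    return signature is not None and pow(signature, E, N) == digest(code)


def gatekeeper(setting, code, signature, from_app_store, blacklist):
    """Return 'run' or 'reject' for one app under one of the three settings."""
    if hashlib.sha256(code).hexdigest() in blacklist:
        return "reject"                  # known malware is blocked on every setting
    if setting == ANYWHERE:
        return "run"                     # nothing but the blacklist applies
    if not signature_valid(code, signature):
        return "reject"                  # unsigned, or altered after signing
    if setting == MAS_ONLY and not from_app_store:
        return "reject"
    return "run"


# Constructed sample data: an installer, and a repackaged copy with code added.
ORIGINAL = b"flash-player-installer v11 payload"
SIGNATURE = sign(ORIGINAL)
REPACKAGED = ORIGINAL + b" + added code"
```

The repackaged copy still carries the original signature, but the signature no longer matches the bytes, so only the “Anywhere” setting lets it run.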