Hopefully by now, most people have heard about Heartbleed. No need to panic, but it was a serious issue in the tech world. If nothing else, it has shone a light on all sorts of weak computing security practices. Many experts have suggested now is a great time to update the passwords you use online.
When I started studying computer science in college, the older students often talked about a “hacking challenge” that one of the professors liked to run in his course on operating systems. It didn’t seem real: a challenge where the goal was to hack into a system? When I finally found myself in the operating systems course, I discovered just how real the hacking challenge was.
There were two parts: In the first part, we students took on the role of the defenders. In real life, most of us are defenders trying to keep hackers away from our private data. For this challenge, we were defending a system from attacks by the professor. In the second part, we assumed the role of the attackers. We were the bad guys trying to get into a system that the professor was defending.
In the defending role, the only thing at stake was pride and bragging rights. In the attacker role, in addition to pride and bragging rights, a hefty number of bonus points were offered up as added incentive. We successfully defended the system against the professor’s attacks, but only barely. We underestimated his deviousness, and a key logger was nearly our undoing.
The more interesting part was when we assumed the attackers’ role. As in love and war, nothing (within the rule of law) was off limits. There were a number of “checkpoints” we could reach in compromising the system, and we received points for each unencrypted password we were able to identify. Each identification was met with exasperated groans from the professor as we called him to report it. The ultimate prize was an encrypted file that we needed to find and decrypt. Ultimately, we compromised the entire system, including the root password, and given more time, we were well on our way to recovering and decrypting the encrypted file.
What did I learn from this challenge? I was taken completely by surprise by how devious and clever we all became trying to break into that system. I also learned just how easy it was to break passwords of reasonable length. Dictionary words? Might as well just hand your data to us on a silver platter. Proper nouns? No problem. Numbers added in? No problem. Weird characters? A slight inconvenience, but still doable. In many cases, we didn’t even bother being clever at all. Computational power has become so ubiquitous and cheap that “lazy” brute force attacks against some of the more common hash and encryption algorithms are almost trivial. Just three or four of us requisitioning about 15 computers in a lab to do our bidding for a few hours was all it took.
Full disclosure: we had physical access to the machine in this situation. No one wanted to be responsible for us picking locks or otherwise trying to get into a locked office. Physical access lets attackers bypass many of the network security speed bumps. The machine was also running a version of Linux, which uses security features and technologies similar to those of OS X. Windows is (or was) theoretically even easier to compromise; I expect newer versions no longer use the easily breakable hash algorithms of versions past.
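The reason a few lab machines could chew through those passwords comes down to how the passwords were stored, so here is an added example (my own illustration, not the professor's system or anything from the course) contrasting the two storage schemes from the defender's side. The account list and the five-word wordlist are constructed; MD5 stands in for any fast, unsalted hash, and the PBKDF2 iteration count is an assumed work factor, not a value from the post.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts standing in for the lab machine's password file;
# two users happen to share a dictionary-word password.
ACCOUNTS = {
    "alice": "sunflower",
    "bob": "sunflower",
    "carol": "Tr0ub4dor&3",
    "dave": "correct horse battery staple",
}

# Constructed mini wordlist; a real one has millions of entries.
WORDLIST = ["password", "letmein", "dragon", "sunflower", "monkey"]

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the hardened scheme


def fast_unsalted(password):
    """Weak scheme: one fast, unsalted hash (MD5 here purely as an illustration)."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted(password, salt=None):
    """Hardened scheme: a random per-user salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_slow_salted(password, salt, stored_digest):
    """Login check for the hardened scheme, with a constant-time comparison."""
    _, digest = slow_salted(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def has_duplicate_hashes(stored):
    """True if two accounts store the identical hash, i.e. cracking one reveals both."""
    values = list(stored.values())
    return len(values) != len(set(values))


def dictionary_table_hits(stored):
    """What unsalted hashes give away: a table hashed once from the wordlist
    identifies every account that used a dictionary word by a simple lookup."""
    table = {fast_unsalted(word): word for word in WORDLIST}
    return {user: table[h] for user, h in stored.items() if h in table}


def cost_ratio(password="sunflower", fast_samples=2000, slow_samples=3):
    """How many times more work a single guess costs under the slow scheme."""
    start = time.perf_counter()
    for _ in range(fast_samples):
        fast_unsalted(password)
    fast = (time.perf_counter() - start) / fast_samples

    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(slow_samples):
        slow_salted(password, salt)
    slow = (time.perf_counter() - start) / slow_samples
    return slow / fast


if __name__ == "__main__":
    unsalted = {user: fast_unsalted(pw) for user, pw in ACCOUNTS.items()}
    print("duplicate unsalted hashes:", has_duplicate_hashes(unsalted))
    print("dictionary hits:", dictionary_table_hits(unsalted))
    salted = {user: slow_salted(pw)[1] for user, pw in ACCOUNTS.items()}
    print("duplicate salted hashes:", has_duplicate_hashes(salted))
    print("cost per guess, slow/fast: %.0fx" % cost_ratio())
```

Two things fall out of running it. With the unsalted scheme, alice and bob store the same hash and a table built once from the wordlist names them both without any per-account work; with a per-user salt the same password produces different digests, so every account has to be attacked separately. And the cost ratio shows why the iteration count matters: each guess against the slow scheme costs tens of thousands of times more than a fast hash, which is exactly the multiplier a lab full of borrowed computers cannot make up.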
So what would I recommend? Good complex passwords are important, but if a password is so complex that you’re just going to write it on a post-it and stick it to your monitor, it’s too complex. There are tools to help keep track of your passwords, and I’ve used things like Keychain Access for that, but ultimately the longest or most complex password you can memorize is the best policy. Many companies and organizations use a password expiration policy, but these policies are somewhat outdated. They cause frustration for users and admins and discourage people from memorizing passwords (more post-its on monitors). Nowadays, if someone gets your password, they aren’t going to wait. They’re going to start looking for where it will work immediately. I know I would.
My personal recommendation is to go for the longest password you can, which is what I do. The web comic XKCD had a great strip about long passwords a while back. Another good idea is to check whether your favorite password shows up in any password leak or list of common passwords.
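The two checks recommended above, length first and a look-up against leaked passwords, can be done without ever handing your password to anyone. Here is an added example (my own code, not anything from the post or from XKCD) that implements the range-query pattern Have I Been Pwned’s Pwned Passwords service uses: the client hashes the password locally and sends only the first five hex characters of the SHA-1, the service returns every suffix under that prefix, and the match happens on the client. The leak list, the twelve-character minimum and the service’s in-memory index are all constructed assumptions standing in for the real thing.

```python
import hashlib
import math

# Constructed leak list standing in for a breach corpus; a real one is vastly larger.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "sunflower", "Tr0ub4dor&3"]

MIN_LENGTH = 12  # assumed policy threshold: length first, no composition rules


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form the range query works on."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_leak_index(passwords):
    """Service side: group leaked hashes by their first five hex characters,
    storing only the 35-character remainder under each prefix."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


def range_query(index, prefix):
    """Service side: answer a prefix query. The service sees five hex characters,
    never the full hash and never the password."""
    return list(index.get(prefix.upper(), []))


def seen_in_leak(password, index):
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(index, digest[:5])


def passphrase_bits(word_count, wordlist_size):
    """Entropy of a passphrase drawn uniformly from a wordlist (the XKCD argument
    for length over mangled single words)."""
    return word_count * math.log2(wordlist_size)


def check_password(password, index, min_length=MIN_LENGTH):
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if seen_in_leak(password, index):
        problems.append("appears in a known leak")
    return problems


if __name__ == "__main__":
    index = build_leak_index(LEAKED_PASSWORDS)
    for candidate in ["Tr0ub4dor&3", "sunflower", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate, index) or "ok")
    print("4 words from a 2048-word list:", passphrase_bits(4, 2048), "bits")
```

The split between `range_query` and `seen_in_leak` is the point: the service can be asked about a password without learning it, because hundreds of leaked hashes share any five-character prefix and the client never says which suffix it was looking for. The same `check_password` shape drops in anywhere a password is set, which is where a leak check and a length floor do more good than a ninety-day expiry.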
Disclaimer: The hacking exercise described here is an example of white hat hacking. We were authorized to hack into the system as part of a learning exercise. You should never willfully hack into any system or attempt to steal passwords from anyone. For one, it’s highly unethical, and in many cases it’s also illegal and could result in heavy fines or jail time. Even grey hat or activist hackers often find themselves on the wrong side of the law.