What technologies compromise security/privacy and why
Summary and examples
If anyone can gain frequent access to where a password is stored it can
be compromised because they can try many times.
As at Oct 2007 (IMHO) the very weakest technologies are:
e-mail, Wireless routers and PCs plus any mobile technologies such
as 'phones, PDAs, Laptops etc..
That is only my opinion (IMhO) - hackers and their specialist counterparts are
in thousands of constant battles on a global basis to tip the balance and
there are constantly new winners and losers.
At one extreme:
1. Your PC. If anyone has physical access they only need 5 minutes to
boot the PC from a CD and extract the stored password which they can then
process either 'there and then' or when they have access to their own cracking
The former takes just 15-20 minutes (of your PC time) for alphanumeric
passwords less than 15 characters long!
The latter is only a question of how much the hacker wants the password.
Their first 2 attempts are likely to be:
- Alphanumerics less then 15 characters long - very simple and when run
from a hard drive rather than a CD will take less than five minutes.
for a brief description of how bad it is.
If that fails...
- Alphanumeric and specials - total less than 15 characters.
Depending upon the hacker's PC, Hard Drive space and investment in
hacking tools/Databases this would take between an hour and overnight.
If the latter fails they will simply use an Internet service to crack
the password for less than 20 dollars if your PC
is an attractive target.
The critical factor here is that a PC can try (tens of) thousands of times
per second which means that they can use brute force to try every
possible combination of increasingly large character sets.
At the other extreme:2. Your e-mail address. Internet Service
Providers (ISPs) should have tools and procedures in place to stop login
attempts that are too frequent but they don't want to alienate
real customers and may well allow 10 attempts in 10 minutes.
Bear in mind that they will almost always offer e-mail as a FREE
service and you can pretty well guarantee that on that basis they
almost certainly offer NO WARRANTY that they will safeguard your
e-mail service and all of it's contents!.
Particularly if you have used your account name as an address
(very, very bad idea!) that means that anyone who has that address will
be able to easily find out how to login ONLINE - i.e. they can take
over your e-mail REMOTELY! in terms of a web page at which to try various
Because each ISP will hopefully have rules about password attempts the
hacker may use his PC to automatically try one (password) per minute but
in that same minute might try that same password on 1,000 other
e-mail addresses that he has access
to from the millions available on a CD for 30 dollars.
As the speed is so much slower the hacker is much more likely to use
dictionary-based guesses with the obvious transpositions of numbers
and letters that users assume will make such guesses more difficult.
Once a hacker can login to your mail as you then he or she can of course
not only see your existing e-mails and what companies you already have
relationships with but also they can initiate new interactions and take
the small chance that you will access your mail at 2-5am when they can
delete any traces without you ever seeing them!
Bear in mind that if an ISP is compromised or your have used a password
on a low-grade web site then it is likely that the fate of your password
is sealed with the predictability of the former example - i.e. simply a
question of when and not if your password can be known.
The range of technologies that are either seriously at risk and/or CREATE RISKs
Expanding the list above (see summary) with the basic aspects of risk:
- e-mail is the classic example of being at risk and creating risk.
As my example above demonstrates - anyone with a simple password that
is a name or just a common word is severely at risk - especially if their
account name is used as an address.
The excrutiating double-whammy about e-mail is that so many web sites
use it as a means of verifying your identity!
That isn't just a problem with existing accounts you may have with retailers
but one day you may start receiving bills from twenty more!
This is the reason that banks rarely use e-mail for any purpose
other than marketing.
- Wireless routers are unfortuately almost as bad! and a double
whammy too! Their problems are (at least) twofold:
- There is a method of attack which can be launched by simply browsing a
web site that is malicious and if the router's login username
and password have not been changed from the supplier's defaults then
it can be hacked to allow it to be remotely managed after which
it is 'game over' for anyone who uses a PC via that router!
- Many routers are still set up to use an old method of securing the
transmission of your data between PCs and the router even though they
MAY be capable of better.
If you use the old protocol (or worse still have no protection!)
then someone can become part of your local network within 2-3 minutes if they
have a laptop with some very basic and available hardware and software.
The problem with the latter isn't just a problem with stealing bandwidth
but they can also elevate themselves to the #1 above and with the same
consequences for anyone that uses that router!
For anyone wanting to understand why it is 'game over' then consider the
fact that almost all router installations give it the job of translating
web site addresses to actual Internet numbers (IP addresses).
So www.barclays.co.uk et. al.may not be who you think they are!
possibly worse - how about downloading your updates to XP from microsoft.com!
See Wireless security WPA not WEP for more details about the problem and possible solutions.
- PCs also have immediate double-whammy status because they are
the centre of so much of what we do online and if yours is compromised
then your problems could even be worse than the router scenario above!
The good news is that there are well-established >tools
and techniques to avoid the problem but the bad news is that they
often rely on YOU to actually:
- Initiate in a competent manner - maybe employ a professional
- Regularly maintain, service and perhaps renew any tools/products
- Above all to be vigilant and KNOW enough when a risk
is too high to be taken and what and when makes a difference.
So although someone with physical access to your PC is extremely
dangerous (as in the example a long way above) anyone who has Windows XP
with Service Pack 2 and all subsequent fixes plus quality firewall and
antivirus programs that are also up to date are USUALLY safe!
The exceptions - i.e. at higher risk are at least any of the following:
- PC has been setup for remote desktop which is very different from remote assistance!
Remote desktop doesn't need you to initiate the take-over of the PC!!!
- Any user of the PC uses Peer to Peer technolgies such as any flavour
of 'Messaging' (e.g. MSN messenger) or file sharing for songs or videos
One final thought regarding PCs - bear in mind that if your's was stolen
or you upgraded your PC and allowed the old hard drive to leave your
possession without being profesionally wiped then just consider the
problems you could have in either scenario!
- Mobile technologies such as 'phones, PDAs etc. will always give some
'pretence' of security despite them being almost unanimously incapable of
anything of substance.
Devices that rely on a managed service for most of their operations
(such as a mobile 'phone) can easily have those services witheld but
the physical devices and of the data that you have stored on them
should be regarded as 'freely available' within a few hours or at least days
of such a device being stolen.
What are the consequences of your password(s) being compromised?
For most people the highest risk items are those that I highlight above
as being a 'double whammy' because of the impact as described.
By far the greatest risk is that of escalation through your hierarchy of
assets with the most likely and highest prize being your financial
dealings with investment companies, banks, building societies et. al..
see How to manage passwords on the topic of keeping your passwords in zones of
trust which you keep very much isolated.
That's all for now folks... more when I get time... Brian R
Some detail below on various topics - maybe they need a different page...
Why low-medium quality web sites and technologies pose so much risk!
The wider aspects of password management are truly expansive because
of the constant fight between those that want to secure them versus those
that want to crack them and the ever-changing techology as well as the
fact that the scenarios of use can be totally different.
Computers have to store their own 'key' against which they can check that
the password you provide provides a match.
The very weakest approach is that the key that they
store IS the password! - e.g. 'beckham99' is stored as-is.
This method is in use today but only by very low-medium grade web sites and
technologies, however this IS still a BIG EXPOSURE because if
anyone uses the same or even very similar password with
these sites or technologies as they do with any that have resources
at risk then that is a nightmare waiting to happen because all PCs,
web servers and even 'quality computers' have some exposure to the copying
of their databases of passwords being copied - note that they don't
need to be stolen to cause immense damage - just a minute with a memory
stick is sufficient!
Unless you are certain to the contrary,
the only safe assumptions that you can make are:
- It is possible for an attacker to copy the database of passwords from
any system that your use - PC, web site, 'phone, PDA etc.
- Apart from the most competent and trusted companies you cannot be sure
that the storage of passwords is adequately encrypted - anyone wanting to
understand the nuances of the word 'adequate' should read below.
The points above are the primary basis for the adoption of levels which
you must keep very, very distinct in terms of the password algorithm and
the secrets that go into the password.
for more background information.
From that page you will also learn of the advanced techniques that are
close to 'unstoppable' in certain scenarios - a hardware key logger in an
Internet café for instance.
Encrypted passwords - mathematically uncrackable aren't they?
The basic problem is that if the rewards for hackers are high enough
then they will be funded by 'serious' criminals to make cracking possible.
The case of XP passwords is a good example - billions of PCs run XP and it
has a fundamental flaw that XP doesn't add anything unique to a password
(lmhash) before encrypting it with a well known algorithm.
Hackers have spent weeks creating what are called 'Rainbow tables' which
are then used to reverse-engineer any alphanumeric XP password (in lmhash) less
than 15 characters long in a matter of minutes and worse still it
is freely downloadable in a form that can be burnt to a bootable
CD which makes it ideal for any PC that you can physically access.
However, on the more serious side if there can be one - the method is
really only limited by the size of the tables so
criminals or even 'kids' can download the 43GB needed to crack
passwords which have the full range of characters from a keyboard
with success rates claimed to be 99.9%!
"If you want to buy my complete set of tables (30 tables, 60Gb !) for 100USD (New price!)"
More modern (than XP lm) encryption methods - are they any better?
Again the drivers are resources, risk and reward because the techniques
are now well established.
If you restrict yourself to lowercase letters and numbers in a password
then the 'industry standard' MD5 encryption alogrithm was crackable
for an 8 character password in less than 40 minutes as of October 2005!
All that was needed was a 36GB table - not very big even then!
That means that by now (2007) there will be PCs 'out there' with
many thousands of GB (mine currently has just 1500) capable of cracking
any 'standard' MD5 encrypted database with key lengths of 10-12 for
lowercase+numeric and maybe uppercase too for 8 character passwords.
Is this a problem that I need to worry about? you may ask.
Unfortunately yes because for the past 4-5 years MD5 has been
used at huge numbers of web sites 'as-is' and therefore there is a
plethora of encrypted data which is now crackable with relative ease!
Again this is part of the justification for 'levels' of password trust
- most banks will have been well-aware of the future problems of MD5
and similar technologies and planned ahead so their data when stored
on a hard drive will not be a 'standard' MD5 because at the very
minimum they will have introduced something unique to their site / business
to the password - adding what is referred to as 'salt' or 'seed' and
therefore nullifying the use of generic Rainbow tables.
Even better methods to 'harden' password strength as you can
may well be used at these financial sites
BUT the problem is that across all of the web,
I doubt that 5% of web sites that store user names and passwords do
anything to harden passwords and they will be a plain, unsalted MD5 hash.
Hence if you use the same password on multiple sites then
you are exposing all of them to compromise, even those that you regard
as trustworthy and competent because you ARE the weakest link as
that game show says.
So the risk here does not stem from the banks themselves but with the
'ordinary' web sites that are probably regarded by most people as being
trustworthy and competent - unfortunately the latter will not be true for
a huge number of companies that do business on the Web and therefore
YOUR password at their site may become compromised.
Tools you COULD use to see how weak your systems are
The most popular tool by far for 'amateurs' is Cain and Abel, documented at:
because it is free, downloadable and well packaged.
If you take a look at what that can do then you have to assume that there are
other people and projects that can do a lot, lot more and that is pretty scary.
Links and other information last validated on 27th October 2007.
Please use the Contact us page to suggest any additions or revisions.