Clouds in my coffee | Brian Hare's personal blog.

Archive for March 2011

There are 4 things that make a good password.

  1. Hard to bruteforce – It should be a certain length and/or contain certain characters.
  2. Hard to guess – It shouldn’t contain personal things, such as a birth date.
  3. Uniqueness – It should not be the same as all your other passwords.
  4. Unforgettable – You should be able to remember it off the top of your head, and never write it down.

I am going to address each element of a good password in order, show you my technique for accomplishing all 4 of these things, and let you add your own little twist to suit your needs.

Hard to bruteforce

What does bruteforce mean? It’s a technique that crackers use to figure out your password. The name fits the technique, because what they do is have some software “guess” every possible combination your password could be. Let’s say they think your password is lowercase letters and consists of at least 3 characters. The software will then try to guess your password by brute force: it guesses your password to be aaa and tries it; if that fails it moves on to aab, if that fails, aac, and so on until it reaches zzz, and then it moves on to aaaa and starts all over. It keeps doing this until the cracker gives up.

Depending on the protocol being bruteforced, each guess could take anywhere from 0.01 seconds to 1 second for online attacks, like those against your accounts. Or, if the attacker was able to get inside and retrieve the file with your password in it, a modern PC could do as many as 10 million password guesses a second. This is why many sites require you to have at least 8 characters in your password: that is the typical drop-off point where a bruteforce attack takes many years to complete. The more possible characters there are, and the more characters in your password, the longer it takes to bruteforce.

For example, say the cracker knew you only used lowercase letters in your password: no numbers, no uppercase, no symbols. That means 26 letters, raised to the power of the number of characters in your password. So a password of 5 lowercase letters, assuming a delay of 0.01 seconds per guess, would take 26^5 * 0.01 seconds, or 26*26*26*26*26*0.01. You may be surprised to learn that’s only a little over 33 hours, less than a day and a half. If we just add 3 more characters to the password (26^8), it goes from 1.3 days to 66 years! Yes, 3 little characters can make that much difference.

This is of course if the attacker is trying to guess your password through an internet protocol such as FTP, SSH, or HTTP. If the attacker has access to a file with your password in it, refer to this chart for times: http://www.lockdown.co.uk/?pg=combi. It states that a modern PC could find a 5 character password instantly, and an 8 character password in a little under 6 hours. Again, this is only for passwords known to be made up of alphabet characters only (26 possibilities).

It is advised that your password contain at least 8 characters, or use more than 26 possibilities per character by including uppercase, numbers and symbols: uppercase (26), lowercase (26), symbols (~34), numbers (10). If you had one of each of the categories and your password was 8 characters long, you would have 7.2 quadrillion (96^8) possible combinations. That’s around 1.6 million years to bruteforce through an online protocol, or 23 years through an encrypted file.

 

Hard to guess

The second and third techniques used in password cracking are dictionary attacks and social engineering.

Dictionary attacks are similar to bruteforce attacks, but instead of trying every possible combination, the software has a list of words (the dictionary) it will try. The most popular dictionaries contain the most common passwords (Top 500 most used passwords. Warning: contains vulgar words). So the computer runs down the list of words in the dictionary and checks whether each one is the password. If your password is common, or an English word, it will likely be guessed quickly. A lot of techniques mix dictionary and bruteforce, trying each word in the dictionary and then adding a suffix or prefix. With a dictionary of animal species, it would try alligator, 1alligator, 2alligator…alligator1, alligator2 …elephant…elephant1, elephant2, etc.

Social engineering is just a fancy term for manipulating people to gain knowledge, such as getting to know the victim and acting as their friend to get information like birth date, favorite food, mother’s maiden name, etc. It isn’t limited to befriending the victim; it also includes things like calling them at home pretending to be a fraud protection service, saying there has been a compromise and they need the last 4 digits of your social security number. It also includes not talking to the victim directly, such as posing as an investigation bureau and calling the victim’s Internet provider for address information based on their IP address. If any of this personal information is used in a password, it helps the attacker.

Social engineering is typically where an attacker starts. They enter all your personal information into a dictionary, along with popular passwords and common English words. They then perform a dictionary/bruteforce attack, trying combinations of letters, numbers, popular words, and personal information. The combination of all these methods usually (probably 90%) ends up with the attacker gaining access to the site they are trying to enter. Many people use the same password for everything, so once an attacker has the password to a site you signed up for 3 years ago and forgot all about, they now have the password to your email, your bank account, everything you share that password with. This brings us to the next important thing:

 

First off, we are going to tackle the problem of having the same password for all your apps/sites. The reason this is insecure is that if a cracker/hacker were to gain knowledge of your password for 1 site, they would automatically try that password on other sites.

Now I know what you are thinking: if you are like me, you probably have hundreds of sites you visit with accounts, and there is no way you will be able to remember 100 different passwords. Well, there is. One of the ways I do it is by incorporating the name of the website/software into the password.

 

Mar 2, 2011

Password Techniques & Rants

One of the most annoying things to me is when a website will attempt to “improve security” and think they are helping out the end-user by requiring a password to be a certain length, contain certain symbols, or pass a strength meter– but then get lazy on their coding and cannot/won’t allow for special characters such as ^%#, etc.

For one, it should be totally up to the user what password they have; if they want to use the password “pass”, then let them. It’s their own fault. I totally support those password strength meters, but I don’t think you should require passwords to be strong. That leads to users having to have completely different passwords for numerous things, which then leads to them forgetting them, or worse yet writing them down on paper. How is that improving security at all?

The same could be said about requiring a user to change their password every X days, or requiring them to have special characters in their password, like it cannot start with a number or must have one capital letter.

I understand wanting your users to have strong passwords, especially if you advertise that you require all users to have 1 letter, 1 lowercase, and 1 uppercase; a potential cracker might be put off, as bruteforcing a-z,A-Z,0-9 takes a whole lot longer than just a-z.

One of the worst examples of a password field I have seen is, strangely enough, from one of my personal bank accounts. They require 1 number and 1 uppercase letter, and at least 8 characters. Seems pretty normal and good practice so far, right? Well, the password cannot contain any special characters and cannot exceed 14 characters. Why? Maybe I’ll understand if you’re lazy and don’t feel like escaping and accounting for special characters in passwords, but why limit it to only 14 characters?

As an amateur software programmer, and power end-user here is my list of Do’s and Don’ts for web designers:

DO:

  • Create a real-time password strength meter. Don’t base it just on length, but also on variety. A 10 character password consisting of just numbers can be cracked very, very fast compared to an 8 character password consisting of upper and lowercase letters, numbers, and symbols.

DON’T:

  • Require them to have a strong password; only give them the information about how strong/weak it is.

DO:

  • Require a minimum length for the password. The highest minimum I’d ever require would be 5. The lowest I’d ever require is 3. A 1 character password would be laughable.

DON’T:

  • Require a high minimum length such as 7 or 8. Yes, I know 8 characters is the drop-off where a bruteforce attack goes from taking 1 day to 1 year; that doesn’t mean you should require it. If your users pick easy passwords, that’s on them.

DON’T:

  • Set a maximum length for a password. I know this is hard to do sometimes, as a 200 character password would wreak havoc in a lot of systems. I think the lowest maximum should be around 20 or 25. I personally use a 15-17 character password depending on the site, so they do exist.

DO:

  • Allow a-z, A-Z, 0-9 and `~!@#$%^&*()_+-={}|[]\:"<>?/.,;'. Don’t be lazy and avoid the symbols because it requires more coding/escaping on the backend. I probably wouldn’t allow foreign characters or alt-codes, but it would depend on how well the backend could handle it. See my idea on a website specifically designed for this: ________

DON’T:

  • Require special sequences or characters, such as 1 lowercase and 1 uppercase, or must begin with a letter. I know it’s more secure, but don’t force it on users.

DON’T:

  • Expire passwords after so many days. I never once met someone who liked this idea, not even techs, because it results in people writing passwords down and/or forgetting them, which results in more support calls. If you do end up expiring passwords, allow the exact same password as before, and especially don’t store their last X passwords in order to determine if the new one matches an old one.
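The first DO item asks for a meter that scores variety, not just length. Here is what that scoring looks like, written as an added example rather than code from the post. The class sizes are the post’s own (lowercase 26, uppercase 26, digits 10, symbols ~34); the weak/fair/strong cut-offs of 40 and 64 bits, and the sample passwords, are this example’s assumptions. A real meter runs in the browser; here the password is a constructed shell argument only so the arithmetic can be shown.

```shell
#!/bin/sh
# Added example, not from the post: a variety-aware strength estimate of the
# kind the DO item above asks for.  Class sizes are the post's own
# (lowercase 26, uppercase 26, digits 10, symbols ~34); the weak/fair/strong
# cut-offs of 40 and 64 bits are assumed.  A real meter runs in the browser;
# a password on a shell command line is only acceptable here because every
# value is constructed.

# charset_size PASSWORD -> size of the keyboard set an attacker would have to
# search to cover every character class the password uses
charset_size() {
	size=0
	case "$1" in *[[:lower:]]*)  size=$((size + 26)) ;; esac
	case "$1" in *[[:upper:]]*)  size=$((size + 26)) ;; esac
	case "$1" in *[[:digit:]]*)  size=$((size + 10)) ;; esac
	case "$1" in *[![:alnum:]]*) size=$((size + 34)) ;; esac
	echo "$size"
}

# entropy_bits PASSWORD -> log2(charset_size ^ length), to one decimal;
# this is the number that makes 8 mixed characters beat 10 digits
entropy_bits() {
	n=$(charset_size "$1")
	if [ "$n" -eq 0 ]; then echo "0.0"; return; fi   # empty password
	awk -v n="$n" -v l="${#1}" 'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}

# strength PASSWORD -> weak | fair | strong  (assumed thresholds: 40 and 64 bits)
strength() {
	awk -v b="$(entropy_bits "$1")" 'BEGIN {
		if (b < 40) print "weak"; else if (b < 64) print "fair"; else print "strong"
	}'
}

# The DO item's comparison, plus a longer mixed one (all constructed values).
for pw in 1234567890 'Pa55w%rD' 'Long-Phrase-Of-Words-2011'; do
	printf '%-26s charset=%-3s bits=%-6s %s\n' "$pw" \
		"$(charset_size "$pw")" "$(entropy_bits "$pw")" "$(strength "$pw")"
done
```

Ten digits come out at about 33 bits (10^10 candidates) while eight mixed characters come out at about 53 bits (96^8), which is the comparison the DO item makes. Note that the estimate only measures the search space a blind bruteforce would face; it does not detect dictionary words or personal data, which is why the post’s “hard to guess” advice still applies on top of it.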

Anyways, this post is becoming too long. I originally had planned to touch on how to make the perfect password scheme for end-users, but I now will have to break that up into separate posts.

See “Creating Secure Passwords That You’ll Remember” : http://www.brianhare.com/wordpress/2011/03/02/creating-secure-passwords-that-you%E2%80%99ll-remember/

 

Mar 2, 2011

Programming Input Validation Database

Recently I had some issues with correctly escaping my MSTP command, which I detailed HERE. During the process of testing the escaping, I realized there weren’t any sites dedicated to numerous escaping techniques and/or test strings. Normally, when I want to test some escaping, I’ll just go through the keys like so: `~!@#$^&*

That works to get an idea of which characters are being escaped or not, but there are certain patterns or orders of characters that may end up breaking some escaping techniques.

For example, with any type of BASH command, you want to make sure the user input has its semicolons escaped, as a user could use one to break out of the current command and run something malicious.

I know SQL especially has had many vulnerabilities in the past when certain sequences are injected. The benefit for SQL database software like MySQL is that the product is specific to one task, so they can perfect their escaping functions to avoid many of these vulnerabilities; open-ended languages that serve numerous tasks, such as PHP, BASH, PERL, etc., are all too broad and have many escape functions, but none of them work for every situation.

Similarly, not only have I had issues finding the best ways to escape things, but I am also always googling for a good regex for email validation from HTML forms.

I am a big fan of web 2.0 type websites where the whole website is based solely on a single task. Therefore, I think there should be a website where users can submit and improve on the best validation techniques for common tasks. This would include not only escaping harmful characters but also regexes for validation.

The idea of the site would be all about escaping and testing escapes and input validation for certain languages. It would be heavy on user submission and almost act like a wiki.

A lot of resources are a bit outdated as far as regexes go as well. For example, not many email validators allow the periods or plus signs that Gmail lets you use. One of my biggest pet peeves is when people don’t bother with correctly escaping/validating complex password forms either. I believe every character on the standard American QWERTY keyboard should be allowed in password fields, including chars like @$#*^, but probably none of the special alt-codes, as that’s a bit overkill.

As far as I know, there is no central place where all types of input validation are kept. There are good libraries that try to take care of it for you; for example, one that I have used before is jQuery’s Validation plugin. However, JavaScript is still client-side only; you still want to double check everything on the server side with PHP or a similar server-side language.
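Two of the checks the post wants collected in one place, the email regex that accepts Gmail-style periods and plus signs and the handling of user input that reaches a shell command, look like this on the server side. This is an added example, not the post’s code; the email pattern, the file-name whitelist, the `count_lines` helper and the scratch file it reads are all this example’s assumptions. It takes the whitelist route to the semicolon problem rather than escaping, and passes the value as a single quoted argument rather than building a command string.

```shell
#!/bin/sh
# Added example, not the post's code: two server-side checks of the kind the
# post wants collected in one place.  The email pattern and the file-name
# whitelist are this example's assumptions, not a standard.

# validate_email ADDRESS -> exit 0 if ADDRESS matches, 1 otherwise.
# Deliberately simple: one '@', dots and plus signs allowed in the local
# part (so Gmail's "first.last+tag@" works), a dotted domain ending in an
# alphabetic label of two or more letters.
validate_email() {
	printf '%s\n' "$1" |
		grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$'
}

# is_safe_name VALUE -> exit 0 only for a plain file name made of letters,
# digits, dot, underscore and dash.  Shell metacharacters such as ';', '|',
# '$' and whitespace never pass: a whitelist rejects the semicolon case
# described above instead of trying to escape it.
is_safe_name() {
	printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Constructed fixture: a scratch directory holding one three-line file.
DATA_DIR=$(mktemp -d)
trap 'rm -rf "$DATA_DIR"' EXIT
printf 'a\nb\nc\n' > "$DATA_DIR/notes.txt"

# count_lines NAME -> number of lines in DATA_DIR/NAME, or exit 1 if NAME
# fails the whitelist.  NAME is only ever used as one quoted argument, never
# pasted into a command string, so a value like 'notes.txt; id' could not
# start a second command even without the whitelist; the whitelist is the
# second layer, and also gives the user a clear rejection.
count_lines() {
	is_safe_name "$1" || { echo "rejected: $1" >&2; return 1; }
	wc -l < "$DATA_DIR/$1" | tr -d ' '
}

# stand-alone run: a few constructed inputs
for a in 'first.last+tag@gmail.com' 'a.b@sub.example.co.uk' 'bad;email@x' 'nobody@localhost'; do
	if validate_email "$a"; then echo "email ok : $a"; else echo "email bad: $a"; fi
done
count_lines notes.txt
count_lines 'notes.txt; id' || true
```

The email pattern is intentionally a format sanity check, not a proof that the mailbox exists; the only reliable test of an address is sending to it. For anything that ends up in a shell or SQL statement, the same rule applies as in `count_lines`: validate against a whitelist and pass the value as data (an argument or a bound parameter), never as part of the command text.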

 


I’ve always attempted to block TOR proxies from my server, because the proxies can be abused to get around bans on some custom software that I host. Recently I found an official TOR blacklist for exit nodes, located here: https://check.torproject.org/cgi-bin/TorBulkExitList.py.

I assume they require you to put in an IP address so they can give better results about which exit nodes can reach your server. What isn’t really documented either is that you can also specify which port to check by adding &port=###, where ### is the port number you wish to see. This is greatly beneficial for me because the custom software runs on an irregular port, 9998.

Blacklists are great, but they aren’t very useful unless you can actually use them on your server and block the IP addresses. Therefore, I wrote the following BASH script:

#!/bin/bash

IPTABLES_TARGET="DROP"
IPTABLES_CHAINNAME="TOR"

WORKING_DIR="/tmp/"

# get IP address of eth0 network interface
IP_ADDRESS=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')

if ! iptables -L "$IPTABLES_CHAINNAME" -n >/dev/null 2>&1 ; then	#If chain doesn't exist
	iptables -N "$IPTABLES_CHAINNAME" >/dev/null 2>&1		#Create it
fi
# NOTE: the chain is only consulted once something jumps to it, e.g. a one-off
#   iptables -I INPUT -j "$IPTABLES_CHAINNAME"
# outside this script; without that, the DROP rules below never match.

cd "$WORKING_DIR" || exit 1

wget -q -O - http://proxy.org/tor_blacklist.txt -U NoSuchBrowser/1.0 > temp_tor_list1
sed -i 's|RewriteCond %{REMOTE_ADDR} \^||g' temp_tor_list1
sed -i 's|\$.*$||g' temp_tor_list1
sed -i 's|\\||g' temp_tor_list1
sed -i 's|Rewrite.*$||g' temp_tor_list1

wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=80" -U NoSuchBrowser/1.0 > temp_tor_list2
wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=9998" -U NoSuchBrowser/1.0 >> temp_tor_list2
sed -i 's|^#.*$||g' temp_tor_list2

iptables -F "$IPTABLES_CHAINNAME"

# keep only lines that are a dotted-quad IPv4 address (so blank lines or stray
# text from a list can never reach iptables), then sort and de-duplicate
# (uniq only drops *adjacent* duplicates, so it has to come after sort;
# sort -u does both in one step)
CMD=$(cat temp_tor_list1 temp_tor_list2 | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u)

for IP in $CMD; do
	iptables -A "$IPTABLES_CHAINNAME" -s "$IP" -j "$IPTABLES_TARGET"
done

iptables -A "$IPTABLES_CHAINNAME" -j RETURN

rm -f temp_tor*

It basically downloads the official blacklist and another blacklist that I found, extracts the IP addresses from the files, sorts them, and gets rid of any duplicates that may exist. Then it adds a DROP rule for each address to the specified IPTABLES chain.

I suggest that you set this script to run hourly or daily depending on your needs with cron.
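The parsing step is where a downloaded list can bite you: anything that survives the sed lines goes straight into an iptables command. The following added example (not the post’s script) shows that step with a constructed list mixing both formats the script handles, the `#`-commented one-per-line output of TorBulkExitList.py and the mod_rewrite “RewriteCond %{REMOTE_ADDR} ^…$” style of the other list. It validates every octet, de-duplicates, and then emits one iptables-restore fragment for the whole chain instead of one iptables call per address, which is what makes the post’s script take a minute to run. The sample addresses, the `extract_ips` and `build_ruleset` names and the idea of loading the result with `iptables-restore -n` are all this example’s assumptions.

```shell
#!/bin/sh
# Added example, not the blog's script: parse Tor exit-node lists into a
# validated address list and an iptables-restore fragment.  Assumes the two
# list formats the blog script handles: one IP per line with '#' comments
# (TorBulkExitList.py) and "RewriteCond %{REMOTE_ADDR} ^1\.2\.3\.4$" lines.

# Constructed sample mixing both formats, duplicates, blanks and junk
# (documentation-range addresses, not real exit nodes).
SAMPLE_LIST='# constructed sample, not a real exit list
203.0.113.5
198.51.100.7

203.0.113.5
RewriteCond %{REMOTE_ADDR} ^192\.0\.2\.9$
RewriteRule .* - [F]
999.1.1.1
not-an-ip'

# extract_ips: list text on stdin -> one validated IPv4 per line, sorted and
# de-duplicated.  Only a complete dotted quad with every octet in 0..255
# survives, so junk or a malformed line in a downloaded list never reaches
# iptables.  sort -u runs last; uniq alone would only drop adjacent repeats.
extract_ips() {
	sed -e '/^#/d' \
	    -e 's/^RewriteCond .*\^//' \
	    -e 's/\$.*$//' \
	    -e 's/\\//g' \
	| grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
	| awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
	| sort -u
}

# build_ruleset CHAIN TARGET: IPs on stdin -> filter-table fragment that
# declares CHAIN, flushes it, adds one TARGET rule per address and a trailing
# RETURN.  Loading the fragment once replaces N separate iptables calls.
build_ruleset() {
	chain=$1
	target=$2
	printf '*filter\n:%s - [0:0]\n%s %s\n' "$chain" -F "$chain"
	while IFS= read -r ip; do
		printf '%s %s -s %s -j %s\n' -A "$chain" "$ip" "$target"
	done
	printf '%s %s -j RETURN\nCOMMIT\n' -A "$chain"
}

# Helpers over the constructed sample (handy for a count, e.g. a progress bar).
sample_ips()     { printf '%s\n' "$SAMPLE_LIST" | extract_ips; }
sample_ruleset() { sample_ips | build_ruleset TOR DROP; }

# stand-alone run: print the generated fragment
sample_ruleset
```

In a real deployment the sample text would be replaced by the two `wget` downloads, and the fragment would be applied with something like `iptables-restore -n` (assumed usage; check the behaviour of your iptables version with `--noflush` before relying on it). The TOR chain still has to be reached from INPUT for any of it to take effect, as with the post’s script.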

I also have written a custom progress bar to indicate how far along you are. The progress bar code and example using the TOR proxy blocker can be seen at this post: http://www.brianhare.com/wordpress/2011/03/02/bash-progress-bar/

Mar 2, 2011

BASH Progress Bar

Recently I rewrote one of my Bash shell scripts that blocks TOR proxy exit nodes. It does this by doing numerous DROPs in IPTABLES, and because of this it takes a minute or so to go through all of them. I decided it would be nice to have a progress bar display in the shell while it was running, to give me an idea of how far along it was (you can see the final script at the bottom of this post).

I started to look around for some BASH scripts that have a progress bar and found 2 notable ones; the first is called Bar and the second PV (Pipe Viewer). These were nice, but I actually needed something based strictly on elements in an array. I reused some code, then optimized it a bit, and got something that is not only very customizable but will also resize the progress bar depending on the window size, much like WGET’s progress bar. The code is here:

# Fallback usage message for -h and unknown options.  The original called
# lib_help and lib_usage from a larger library that is not part of this post.
lib_usage() {
	echo >&2 "usage: lib_progress_bar [-c char] [-u char] [-d decimals] [-p prefix] [-s suffix] [-% sign] [-m width] current [max]"
}

lib_progress_bar() {
	local current=0
	local max=100
	local completed_char="#"
	local uncompleted_char="."
	local decimal=1
	local prefix=" ["
	local suffix="]"
	local percent_sign="%"
	local max_width
	# terminal width, or 80 when there is no terminal (cron, pipes)
	max_width=$(tput cols 2>/dev/null || echo 80)

	local complete remain subtraction width atleast percent chars
	local padding=3

	local OPTIND

	while getopts c:u:d:p:s:%:m:hV flag; do
		case "$flag" in
			c) completed_char="$OPTARG";;
			u) uncompleted_char="$OPTARG";;
			d) decimal="$OPTARG";;
			p) prefix="$OPTARG";;
			s) suffix="$OPTARG";;
			%) percent_sign="$OPTARG";;
			m) max_width="$OPTARG";;

			h) lib_usage; return 0;;
			V) echo "${lib_script_name:-lib_progress_bar}: version $Revision$ ($Date$)"; return 0;;
			*) lib_usage; return 1;;
		esac
	done
	shift $((OPTIND-1))

	current=${1:-$current}
	max=${2:-$max}

	# room for the percentage: "100" plus ".d" when decimals are shown
	if (( decimal > 0 )); then
		(( padding = padding + decimal + 1 ))
	fi

	# everything on the line that is not the bar itself
	(( subtraction = ${#completed_char} + ${#prefix} + ${#suffix} + padding + ${#percent_sign} ))
	(( width = max_width - subtraction ))

	if (( width < 5 )); then
		(( atleast = 5 + subtraction ))
		echo >&2 "the max_width of ($max_width) is too small, must be at least $atleast"
		return 1
	fi

	if (( current > max )); then
		echo >&2 "current value must be smaller than max. value"
		return 1
	fi

	# f is the printf format built from padding and decimal, e.g. "%5.1f"
	percent=$(awk -v "f=%${padding}.${decimal}f" -v "c=$current" -v "m=$max" 'BEGIN{printf(f, c / m * 100)}')

	# number of bar cells that are filled
	(( chars = current * width / max ))

	# sprintf n zeros into the var named as the arg to -v
	printf -v complete '%0*.*d' '' "$chars" ''
	printf -v remain '%0*.*d' '' "$((width - chars))" ''

	# replace the zeros with the desired char
	complete=${complete//0/"$completed_char"}
	remain=${remain//0/"$uncompleted_char"}

	printf '%s%s%s%s %s%s\r' "$prefix" "$complete" "$remain" "$suffix" "$percent" "$percent_sign"

	if (( current >= max )); then
		echo ""
	fi
}

# when this file is run as a library entry point, dispatch to the named function
if [ -n "$1" ] && [ "$lib_script_name" = "lib_main" ]; then
	"$@"
fi

Here are some examples to demonstrate how it works:

# [#########################################..........................................] 50.0%
for i in {1..100}; do
	lib_progress_bar $i 100
done
# [@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@__________________________________________] 50.0%
for i in {1..100}; do
	lib_progress_bar -c '@' -u ' ' $i 100
done
#   (******************************                            ) 50 percent
for i in {1..754}; do
	lib_progress_bar -c '*' -u '-' -d 0 -p '   (' -s ')' -% ' percent' -m 75 $i 754
done
#|******.......|-- 50.00%
for i in {1..100}; do
	lib_progress_bar -c '*' -u '.' -d 2 -p '|' -s '|--' -% ' ' -m 25 $i 100
done
# [######################----------------------] 51.43%
for i in {1..1241}; do
	lib_progress_bar -d 2 -m 55 $i 1241
done

Finally, here is a real-world example showing how to use it for blocking TOR nodes:

#!/bin/bash

# lib_progress_bar() from above has to be defined in this script; either paste
# it in or source the file you keep it in (the file name here is an assumption)
. "${PROGRESS_BAR_LIB:-./lib_progress_bar.sh}"

IPTABLES_TARGET="DROP"
IPTABLES_CHAINNAME="TOR"

WORKING_DIR="/tmp/"

# get IP address of eth0 network interface
IP_ADDRESS=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')

if ! iptables -L "$IPTABLES_CHAINNAME" -n >/dev/null 2>&1 ; then	#If chain doesn't exist
	iptables -N "$IPTABLES_CHAINNAME" >/dev/null 2>&1		#Create it
fi

cd "$WORKING_DIR" || exit 1

wget -q -O - http://proxy.org/tor_blacklist.txt -U NoSuchBrowser/1.0 > temp_tor_list1
sed -i 's|RewriteCond %{REMOTE_ADDR} \^||g' temp_tor_list1
sed -i 's|\$.*$||g' temp_tor_list1
sed -i 's|\\||g' temp_tor_list1
sed -i 's|Rewrite.*$||g' temp_tor_list1

wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=80" -U NoSuchBrowser/1.0 > temp_tor_list2
wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=9998" -U NoSuchBrowser/1.0 >> temp_tor_list2
sed -i 's|^#.*$||g' temp_tor_list2

iptables -F "$IPTABLES_CHAINNAME"

# keep only dotted-quad IPv4 lines, then sort and de-duplicate (sort -u;
# uniq on its own only removes adjacent duplicates)
CMD=$(cat temp_tor_list1 temp_tor_list2 | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u)
# number of addresses, i.e. the "max" for the progress bar
UBOUND=$(printf '%s\n' "$CMD" | grep -c .)

COUNT=0
for IP in $CMD; do
	(( COUNT++ ))
	lib_progress_bar "$COUNT" "$UBOUND"
	iptables -A "$IPTABLES_CHAINNAME" -s "$IP" -j "$IPTABLES_TARGET"
done

iptables -A "$IPTABLES_CHAINNAME" -j RETURN

rm -f temp_tor*
