OK, I’m starting to get repetitive with these password posts, but I promised in my last post that I would mention some ways to keep track of all your passwords.

As you probably know already, the less places you share your passwords between, the more secure you are. So, the most secure way to manage passwords is to never repeat them. So, if you have accounts on 15 different websites, and 5 different computers, and you have security in mind, you should have twenty different passwords you use on a regular or occasional basis, and you should be changing those passwords regularly (hopefully quarterly, or semi-annually at least).

At best, I think I can probably keep track of around 8-10 passwords at a time, and even then I start to confuse them, and have to try a few passwords on some sites before I get it right. I hold very little hope of remembering 20 passwords for very long. In fact, between personal and work-related accounts, I probably have closer to 40 or 50 passwords to manage.

So how do I keep track of my passwords? I write them on a yellow Post-It note and tape it to my monitor, of course.  That’s secure, isn’t it?  Well, if I wanted to be a little more diligent about keeping my passwords secure, I would use a tool such as KeePass Password Safe.

KeePass is a secure database for your passwords.  It is also Open Source, and free to download and use.  It allows you to create groups for your passwords so you can be more organized, and it also allows you to enter in the address of any website you have an account on, and auto-type the username and password when you load the site.  The entire database is encrypted using standard algorithms such as AES, TwoFish, or Rijndael.  You can also use either a password, a key file (stored on a USB key or hard drive), or a combination of the two to restrict access to the database.

I highly recommend this tool as a way to keep track of your passwords in a secure manner.  And since it’s free, you don’t have to spend any money to try it out and see if it works for you.  Check it out here, KeePass Password Safe 

As a follow-up to my previous post about creating good passwords, I thought it would be helpful to mention an article that shows some of the bad habits in password creation.  In Note to MySpace Users: Get Better Passwords, Brian Krebs discusses a phishing website that targeted MySpace users.  The site was used to obtain the usernames (which in MySpace’s case are email addresses) and passwords of close to 60,000 people.

On top of that, the list of usernames and passwords was stored as a text file on the phishing website, which security researchers were able to grab and analyze.  Here is the list of the most common passwords used:

password1 (106)
abc123 (73)
swimmer1(43)
iloveyou1 (41)
monkey1 (40)
****you (37)
123456 (33)
myspace1 (32)
****you1 (32)
i(32)
password (27)
babygirl1 (25)
iloveyou2 (24)
football1 (24)
danny12031986 (23)
blink182 (23)
princess1 (22)
freesh**4me (22)
16188s (22)
123abc (22)

This is revealing for a number of reasons.  First of all, the most common passwords used on MySpace are far from unique, and far from complex.  Most of these passwords would be easily guessed or cracked.  Since this post is a few months old, these people obviously haven’t been following my advice, as they wouldn’t have seen it yet.

 Secondly, it shows how easily people can be fooled by phishing websites that look authentic.  As this was from a few months ago, hopefully the introduction of in-browser anti-phishing tools in Internet Explorer  7 and Firefox 2.0 should help reduce the likelihood of this happening again.

And lastly, it provides a good justification for using different passwords on different sites.  If someone is able to get your MySpace password, no big deal, right?  It’s not exactly a critical site (to most of us, anyway).  But many people use the same password on many sites, including online banking sites.  So obtaining your MySpace password could be the key to all the sites that you share that password between.

Hopefully this scares you enough into making sure those passwords are strong, unique between sites, and that you pay attention to potential phishing scams.  Soon, I’ll give you some ways to help manage your passwords.

How do you create a good password?  It’s a common question, and there are a number of different approaches to this problem.  Understand that using strong passwords is critical, whether you are creating a password for your home computer, your online banking site, or any other type of web site or forum.

So what constitutes a strong password?  The standard definition of a strong password is “choose a password at least 8 characters in length, containing letters, numbers, and special characters.”  In case you’re wondering, special characters are usually the ones above the number keys on your keyboard, plus characters such as spaces, commas, periods, and the various other symbols on your keyboard. 

This definition is perfectly fine, but gives you little guidance on how to structure a password.  It can often lead to difficult-to-remember passwords, such as I$hg7p3V*!.  It can also lead to passwords that seem secure, but in fact are very easy for password crackers to break, such as P@ssword1.

There are two approaches to password creation that I consider to be good options.  The first one is to think of a phrase, such as “My dog Spot likes to eat dog food.”  You can take the first letter of each word and turn that into a memorable password such as “Md$ltedf05.”  As long as you remember the phrase, you will remember the password, and anyone else looking at it will find it incomprehensible.

Another approach that I feel is even better, if a bit typing-intensive, is to forget about passwords entirely and consider passphrases.  This approach creates even stronger passwords, but you will probably end up typing 15 or 20 characters in a password.  Take the example above.  Instead of taking the first letter from each word, just use the whole phrase as your password.  So your password would be “My dog Spot likes to eat dog food.”  This password contains all the elements of a strong password except for numbers, but it also is considerably longer than your standard password.  I would challenge any password cracking program to break that password.  The only limitation to this method is that certain applications and web sites have a maximum password length, so you may have to choose shorter phrases, or go back to the previous method for these sites.

Does anyone else have any password best practices that they want to share?  I’m open to any other methods that can create strong passwords that anyone can use.  Weak passwords are a serious risk and should be addressed in any way that you feel comfortable.

If the applications remembers your password it has to store it somewhere, usually in a file in the disk or in the Windows’ registry. Most time it’s encrypted so you can’t look directly at it, but this encryption is useless as the program has to recover it some time, something other applications can also do.

The advantage of this is if you forgot you instant messenger password you can recover it easily. Just download MessenPass and it will find all the stored passwords for your user. Remember, only for your user, not for other users in the same computer.

The disadvantage is someone can get in your account if he has access to your computer when you are logged on, and can also recover the password.

The best option is to choose a good password and not to store it in the computer, inputting it each time we want to logon.

From | Quands.cat.

Sometimes, people not using the administrator account for a long time forget the password for that account and can’t login with administrator privileges to install software or update drivers. This is a big problem, which is usually resolved by formatting the disk and reinstalling Windows. By doing this you lose a lot of time and have the possibility of erasing important files if you are not careful enough or don’t have correct and update backups.

Luckily there are other options for recovering the administrator password. The one I like the most is the use of a recovery CD which allows to edit the password without modifying anything else, so you don’t need to risk losing data or settings in your programs.

I have used many times Offline NT Password & Registry Editor and it works like a charm, allowing me to change the administrator password without a problem. I’m going to explain how to do it.

In first place, download the CD image and burn it to a disk, which you will use to boot your computer. Once it has booted you will be presented with a menu like this:

=========================================================
. Step ONE: Select disk where the Windows installation is
=========================================================
Disks:
Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes
NT partitions found:
 1 :   /dev/ide/host0/bus0/target0/lun0/part1    2043MB  Boot
Please select partition by number or
a = show all partitions, d = automatically load new disk drivers
m = manually load new disk drivers
l = relist NTFS/FAT partitions, q = quit
Select: [1]

Here you have to select the hard disk drive where Windows is installed. In most cases, you will only have one disk so you can pick the default selection and it will work right away. It then asks to load drivers, but unless you have a very strange hardware use autoprobe (the letter d).

Once this has been done the system finishes booting and looks for where the password is stored in the harddisk. It should find only one place, so you can accept the default selection and it will show the menu asking which action you want to do:

Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :

In this case you want to reset the password so pick the default selection (number 1) and it will show another menu asking for an action:

Loaded hives: <sam> <system> <security>

What to do? [1] ->

You must also select the default option (number 1) and you will see a list of all the users in the system with their RID, a number which identifies each one:

===== chntpw Edit User Info & Passwords ====
RID: 01f4, Username: <Administrator>
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator]

If Administrator is the default option you can press Enter to select it and change its password or you can even make the password blank which, by the way, is the recommended option.

* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *

To do this press * key, confirm the change and press ! to go back to the main menu. When you are there tell the program you want to quit with the q key and it will ask if you want to save the changes, so say yes. Then all the changes will be written back to disk and when it finishes you can reboot the system into Windows (remember to take out the CD).

When Windows boots again, you can login into Administrator account without any password. It’s recommended that you assign a new password to it from the management console, and the process is finished.

Usually, the best method to get it is social engineering, and the other ones are used when this doesn’t work. I think it’s essential to know how this methods work, not for using them, as it’s illegal and unethical, but to protect ourselves from someone trying to use these on us.

So, let’s get a look at the list again and then we’ll talk about some methods which don’t really work:

• Trying basic passwords
• Trying passwords used in other sites
• Social engineering
• Keyboard logging
• Passwords stored at ISP
• Sniffing
• Recovering it from another account
• Breaking into the user’s computer
• Bruteforce
• Stealing files with NetBIOS

It’s really easy to find documents in Internet which explain how to get a Hotmail password by sending an email to an automated password recovery service, with a combination of our username, the username we want to get the password AND they usually also say we must enter our password. This is only a trick used by some people to get YOUR password, not to recover the one you want. If you send one of these emails then someone will receive it and as it contains your username and your password he will be able to get into your account.

There are also some programs which promise to be able to recover someone’s password. These are also useless and probably dangerous, as they try to do the same as the “automated password recovery” and usually ask for your own password. Don’t fall on this trick.

So, to finish these series of posts, never trust any easy method to get someone’s password and remember to protect yourself and your password with a good security policy. In each post, I have explained some of the techniques to protect us, so apply them wisely.

Many of these techniques com from NNLNews, a security newsletter in spanish. Not that they invented them, but they did a good job of recopilation. I’d like to thank them for their work.

In this case the technique is a combination of some the last ones but applied to the shared disk. Most times this shared disks don’t have any protection applied to them, not even a password or the password is blank, so reading its content is as easy as connecting to them with the network browser.

Other times, the shared disks have a password protecting them, but it’s not uncommon to be able to find this password in a few tries. We can also try to do a bruteforce attack with programs like NetBrute, which have an scanner than can find all computers with shared disks and have a version of the programs that allows bruteforcing passwords.

If we want to protect against this attacks, we must check carefully whether we have shared disks and only enable them in case it’s essential. If we have to enable them, we should get a strong password, ideally made from random characters and long enough.

But, first of all, we must know what bruteforce is. This is a technique that simply tries all possible passwords from a list until it finds the correct one. The list may consist of some selected words (for example, words extracted from a dictionary) or we can try all possible combinations of letters and numbers with different lengths. Chrootstrap has a good explanation about this.

Fortunately for us, this is a very noisy technique, leaving a lot of logs in the server and easily detectable so not many people are going to try this. Furthermore, most e-mail providers won’t allow use the use of this technique, blocking the account for some time after a few tries, although this can also be a double-edged sword, as if the attacker repeats this for a long time we wouldn’t be able to use our account.

Having access to another computer can be really useful to apply some of the other techniques explained, like installing a keylogger or sniffing the network data. To hack into a computer, you need some information about it, like the operating system used, the services it is running,… and if some of these services is vulnerable you’ll need to find an exploit for it. Not an easy task.

There is not a single way to protect from these kind of attacks but a firewall is a first step to do it.

In the first case, if we know which account will receive the e-mail with the password we can try to recover it from there if it’s easier than the one we want. Maybe it’s another account which we already have to password or we can get access easily to it.

In the second case, we can try to guess or get to know the answer to the question. Usually, these questions are really easy to answer, for example “mother’s maiden name” or “name of your pet”, and with a bit of investigation we can recover these passwords.

If we want to protect from these attacks, we must choose a hard to answer question. Depending on the email provider we are using they will let us choose the question or we will have to select from a predefined list. If we can choose it it will be easy to enter a really difficult question. If we have to select one from a list we can enter a totally unrelated answer, taking care of remembering it just in case we need it later.