This is outside of my normal posts, but it's been jumping out at me for the past couple of months, so I thought I should post something about it. I can't say this any more clearly: if you are using your pet's name, STOP! Also don't use your kid's name, your spouse's name or anything similar, unless you want to get pwned, as that will almost certainly happen at some point if you continue this really terrible practice. Also, be sure not to use any of these passwords, as they are the most common passwords. If you are currently doing any of these things, then read on!
Note that this is a huge subject and this post addresses only a very small fraction of the entire story. I'm purposely avoiding a lot of the more complex issues here so as not to cloud the goal of having people realize that things have changed with regard to passwords and they need to change with them.
The basic levels of encryption being used by sites are generally too good to break, so the way most passwords are broken (outside of social engineering) is by brute force. Brute force works by iterating through an entire list of the most common passwords, much larger than the one above, hoping to eventually hit the magic combination that will let the attacker into your account. At the end of the day, if your password is in one of these lists you are certainly susceptible to exploitation and you should consider taking action to protect yourself from attack.
There are multiple ways to better protect yourself that are currently in widespread use. What we are doing is making the brute force method described above so costly for your account that it's not possible to break it in a timely manner. If we do that, you are reasonably safe from these types of attacks. Look at the ones outlined below and consider using at least one, if not more, of them to make your online presence a lot more secure. Here is a really good overview of them if you are interested in digging in a bit further.
This has been around for a long time and is something that I initially used back in the 90s. It's better than using a dictionary word because it's not likely to be in any password dictionary. The weakness is that the length most users currently go with is not sufficient. It's pretty simple to use though: just think of a long phrase and then take the first letter of each word in the phrase. A short example would be "My dog is blue and has fleas". In this case (don't actually use this) the password would be "mdibahf". You can then make this more secure by adding capitalization, numbers, and special characters. So something like "mD1b&Hf" could be your password. This way you just have to remember the phrase, and through repetition you will remember the actual password. As I mentioned, the recommended length of passwords has increased recently as computing power has increased. Currently, you really should be looking at 16 or more characters. If you want some examples of these types of passwords, try looking at this online generator, which is quite nice.
These are becoming more popular and are really nice to use, especially given the recommended length of passwords and wanting to use different passwords on different web sites. I would recommend giving them a try if you have not already done so. Password databases allow you to use a single password to access all of your other passwords, which are stored either locally or in the cloud so that they can be shared across multiple PCs. Browsers currently have their own brands of these as well, if you happen to use Firefox or Chrome. I personally have grown fond of Bitwarden and have used it for some time. It's nice because it supports both web access and access via a smartphone. It is a cloud solution and therefore does allow you to share your passwords across multiple systems easily. It is open source, and they have shared the security audit that was performed in 2020 so you can see how they fared. They do offer a free option that comes without two factor authentication (described a bit later). For anyone that spends significant time on the net, this would be a good option.
I had not heard of this prior to reading the article, but it is a very secure method of creating a password. It is a two step process, the first of which is to locate a Diceware word list. The exact list you decide upon is based on the number of dice that you plan to roll. Here is a five die list. The standard recommendation is five dice. Secondly, you need to locate a dice rolling application online. The site random.org has a nice dice roller application, as an example.
The sequence is to do the following:
The sheer number of characters in this passphrase is what makes it very secure. The length will make it problematic for use on cell phones, but where a keyboard is used, it isn't a difficult operation.
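As an added example, not from the original post, here is the Diceware procedure described above worked through in Python: a constructed seven-entry word list stands in for a full five-dice list (which has 7776 entries), the operating system's cryptographic RNG stands in for physical dice or random.org, and the entropy calculation shows why the resulting passphrase is so strong.

```python
import math
import secrets

DICE_PER_WORD = 5                 # the five-dice list recommended above
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 possible five-roll keys

# Constructed stand-in for a real Diceware list; a full list has one word for
# every key from "11111" to "66666".
SAMPLE_WORDLIST = {
    "11111": "abacus",
    "12345": "copper",
    "23456": "granite",
    "34561": "lantern",
    "45612": "orbit",
    "56123": "quartz",
    "66666": "zoo",
}

def roll_dice(n=DICE_PER_WORD, rng=secrets.randbelow):
    """Roll n fair dice using a cryptographic RNG (never the random module)."""
    return [rng(6) + 1 for _ in range(n)]

def rolls_to_key(rolls):
    """Turn one word's rolls, e.g. [1, 2, 3, 4, 5], into the list key '12345'."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("expected exactly five values between 1 and 6")
    return "".join(str(r) for r in rolls)

def passphrase_from_rolls(all_rolls, wordlist=SAMPLE_WORDLIST, sep=" "):
    """Look up each five-roll group in the list and join the words."""
    return sep.join(wordlist[rolls_to_key(rolls)] for rolls in all_rolls)

def generate_passphrase(n_words, wordlist, rng=secrets.randbelow):
    """The whole procedure: roll for each word, look it up, join. Needs a
    complete list; the sample above only covers seven keys."""
    return passphrase_from_rolls([roll_dice(rng=rng) for _ in range(n_words)], wordlist)

def passphrase_entropy_bits(n_words, list_size=LIST_SIZE):
    """Each word is one of list_size equally likely choices, so the passphrase
    has n_words * log2(list_size) bits: about 12.9 bits per word."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    rolls = [[1, 2, 3, 4, 5], [5, 6, 1, 2, 3], [3, 4, 5, 6, 1]]
    print(passphrase_from_rolls(rolls))          # copper quartz lantern
    print(round(passphrase_entropy_bits(6), 1))  # 77.5 bits for six words
```

Six words from a 7776-word list give about 77.5 bits, far beyond what a brute-force list run can cover, which is why the passphrase can be made of ordinary words.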
Finally, two factor authentication. You may see this written as 2FA in a lot of places. It can also be called Multi Factor Authentication (MFA). This adds a secondary authentication method as a requirement once you have passed the first method, usually a username/password combination. It will likely be combined with one of the methods listed above, as it is generally an "add on" method of security used in addition to another method.
Just like password generation technologies, 2FA also has methods that are better than others. Currently the recommendation is to use an application on your device rather than an SMS message, which was pretty standard previously. An application like Authy will go a long way toward making your life more secure.
The way Authy and similar applications usually work is the following (assuming the application you are logging into supports Authy).
Once you have 2FA configured for an application, whenever you log into the site and provide your credentials, another window will appear asking you to enter a code. It's normally a six digit number. That number can be found within the Authy application under the account you just configured. There is a time limit, normally 30 seconds, for each code before it changes. The code from the Authy application is entered at the prompt and the login process is completed. Since each application has its own 2FA configuration, this is targeted at the individual application level.
2FA is considered very secure, as even if someone somehow does compromise your password, they would not get access to your account unless they could also complete the 2FA portion. If you have the ability to use 2FA on any accounts, do so... it's one of the most secure simple ways to help ensure the bad guys aren't getting into your stuff.
Hopefully this quick overview was helpful. There is a lot involved in security, but you need to take it seriously and at some point you need to just jump into the water and start to swim. Maybe reading this can give you the courage to climb up onto the diving board.
Until the next blog, don't talk about it...
How many times have you wanted to upgrade the OS but found that it's not going to be as simple as you wanted or thought? This is especially true when you are going to a major version upgrade, but it can sometimes even impact you on minor version upgrades.
If you haven't seen this occur, take a look at trying to upgrade a CentOS or RHEL6 system to version 7.X. You will very quickly see something relating to "recommended upgrade procedure is to reinstall from scratch". There is very little that I find more annoying than that. Why can't an OS simply upgrade, when it doesn't require a change of file system or similar? Also, on most systems, once you do upgrade there is a lot of dust left lying around that is no longer used by the system. My only response to this stuff is that the developers are too lazy to come up with a system that actually handles this for you. If you are someone who, like me, is frustrated by this, take a look at OpenBSD.
Below is an upgrade of one of my OpenBSD systems; I copied the process right from the terminal to show how simple it can be when the developers care about making it simple. OpenBSD has always been pretty simple; in the past a version upgrade was performed using a boot USB stick, but now it's even simpler.
Log into the system as root, and execute "sysupgrade -r"
milliways$ doas sysupgrade -r
SHA256.sig 100% |*****************| 2141 00:00
Signature Verified
INSTALL.amd64 100% |************************| 43550 00:00
base66.tgz 100% |*************************| 236 MB 00:22
bsd 100% |*************************| 18250 KB 00:05
bsd.mp 100% |*************************| 18336 KB 00:05
bsd.rd 100% |*************************| 10058 KB 00:04
comp66.tgz 100% |*************************| 72109 KB 00:11
game66.tgz 100% |*************************| 2745 KB 00:02
man66.tgz 100% |*************************| 7418 KB 00:03
xbase66.tgz 100% |*************************| 22092 KB 00:06
xfont66.tgz 100% |*************************| 39342 KB 00:08
xserv66.tgz 100% |*************************| 15757 KB 00:05
xshare66.tgz 100% |*************************| 4482 KB 00:02
Verifying sets.
Fetching updated firmware.
Upgrading.
Connection to milliways.wilcis.com closed.
The system reboots automatically and then installs any firmware upgrades necessary. Once it comes back up, simply run the syspatch command, which will apply any security or enhancement changes to the new version.
Log into the system and run syspatch:
milliways$ doas syspatch
doas (roger@milliways.wilcis.com) password:
Get/Verify syspatch66-001_bpf.tgz 100% |****| 102 KB 00:00
Installing patch 001_bpf
Get/Verify syspatch66-002_ber.tgz 100% |****| 660 KB 00:00
Installing patch 002_ber
Get/Verify syspatch66-003_bgpd.tgz 100% |***| 181 KB 00:00
Installing patch 003_bgpd
Get/Verify syspatch66-004_net8021... 100% |*| 64839 00:00
Installing patch 004_net80211
Get/Verify syspatch66-005_sysupgr... 100% |*| 3023 00:00
Installing patch 005_sysupgrade
Get/Verify syspatch66-006_ifioctl... 100% |*| 381 KB 00:00
Installing patch 006_ifioctl
Get/Verify syspatch66-007_inteldr... 100% |*| 21468 KB 00:06
Installing patch 007_inteldrm
Get/Verify syspatch66-008_mesa.tgz 100% |***| 5598 KB 00:04
Installing patch 008_mesa
Relinking to create unique kernel... done;
reboot to load the new kernel
Errata can be reviewed under /var/syspatch
Dust is always a problem in every OS I've seen. Dust being old files that are no longer used by the OS post upgrade but are not removed as part of the upgrade. Most OSes don't even mention it, because... well, space is cheap apparently. They could be an attack vector though if someone had access to a box. OpenBSD also handles this by listing all of the old files that can be manually removed. Every release comes with a page of upgrade instructions that includes a section called "Files to Remove". Simply go there, copy the sections and paste them into a terminal... done.
Normally after removing the cruft, I upgrade the installed packages using
$ doas pkg_add -uiv
Reboot and you now have a system upgraded to the latest version... to quote Staples... That was easy!
Until the next blog, don't talk about it...