Did you say passwords honey? What is that?

HOW ARE THEY GETTING MY PASSWORD?

There are at least four ways that hackers can get your passwords:
  1. They intercept your email when your password is sent to you.
  2. They use a password cracker to learn your password.
  3. They use "web spoofing" to see everything you say online, including your passwords.
  4. They use Java applets to access your hard drive if you keep passwords there.
I'm going to run through all of this quickly, with links to more technical information. From recent incidents at GeoCities, it's clear that I need to get this info online now, rather than fret about perfecting this page:

1. They intercept your email when your password is sent to you.

It's not that difficult to intercept email. I'm not going to cover the "how it's done" here, just take my word for it. (I'll try to make time for the how-to info, later.)

If you receive an email with your password in it, change your password immediately. Since early January '97, our family has been receiving unsolicited letters from GC "reminding" us of our passwords. We know what's going on. We try to change our passwords at least daily. Whether or not you're getting this kind of unsolicited email, it's a good idea to change your passwords frequently.

To protect the rest of your mail, PGP is free and it's a very good idea for email that you want to remain private. But most web servers and web masters don't use PGP to send password "reminders." Sorry.

2. They use a password cracker to learn your password.
There are two main kinds of password crackers available today. There's the old-fashioned kind, which is what you saw in the movie "War Games," that slowly checks every possible password from the entrance to the site. The problem with those is that many services notice when someone makes too many errors entering critical access data, and they shut down the site. The newer crackers go into the program you're working in and find the passwords from the inside. The problem with these is that you have to get the cracker into the site undetected, you've got to be using a competent program, and you have to know that it's going to get in and out without setting off alarms or leaving a trail straight to you.
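The "too many errors and they shut it down" behaviour mentioned above is easy to see in code. This is an added example, not code from the original page: a small server-side throttle that counts bad logins per account inside a time window and locks the account for a while once the count is reached. The thresholds, the class and function names, and the sample attempt log are all assumptions made for the example.

```python
"""Added example (not from the original page): a server-side failed-login
throttle. Policy numbers below are assumed, not taken from any real service."""
from collections import defaultdict, deque

MAX_FAILURES = 5          # assumed policy: five bad guesses...
WINDOW_SECONDS = 300      # ...within five minutes...
LOCKOUT_SECONDS = 900     # ...locks the account for fifteen minutes


class LoginThrottle:
    def __init__(self):
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def _prune(self, account, now):
        """Forget failures that fell out of the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Record a bad password; return True if this failure triggers a lock."""
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account].clear()
            return True
        return False

    def record_success(self, account):
        self._failures[account].clear()
        self._locked_until.pop(account, None)


def replay(events):
    """Run (timestamp, account, password_was_correct) events through the
    throttle and return the events refused because the account was locked."""
    throttle = LoginThrottle()
    refused = []
    for ts, account, ok in events:
        if throttle.is_locked(account, ts):
            refused.append((ts, account))
            continue
        if ok:
            throttle.record_success(account)
        else:
            throttle.record_failure(account, ts)
    return refused


# Constructed sample: a burst of bad guesses at "alice", then her real login.
SAMPLE_EVENTS = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False),
    (3, "alice", False), (4, "alice", False),   # fifth failure locks the account
    (5, "alice", True),                          # correct password, but refused
    (6, "bob", True),                            # unrelated account is unaffected
    (4 + LOCKOUT_SECONDS + 1, "alice", True),    # lock has expired, allowed again
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))   # [(5, 'alice')]
```

Note that the lock applies to the account, not to the guesser, so a real service would also log the source of the failures; the point here is only that a front-door guesser trips the counter long before a dictionary is exhausted.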

Many hackers try manual cracking first. They'll try, say, a dozen likely passwords to see if any of them work. There are actually lists of the 100 (or more) most-used passwords. Intelligent hackers read through everything they can learn about you, and then use likely passwords, such as your kids' names, your school nickname, your birth date, and so on. (If you're a Star Trek fan, don't use "makeitso" or "beammeupscotty.") Also, if they already know another one of your passwords, they'll try that first; many people use only one or two passwords over and over at every site.

Don't use simple passwords. As it says in The Pass phrase FAQ - Part 2 (which I recommend everyone read), a simple password that appears in the average English dictionary will take about an hour or less for a hacker to crack.

Use foreign words if you can remember them. Mix in numbers. Spell funny. Like, wares = w@R3z. Make your password as long as possible. Change it often. Daily, if you are nervous and if you have the time.
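To put numbers on the advice above (dictionary words fall quickly, length and mixed character classes push the search out of reach), here is an added example that is not part of the original page. It estimates the worst-case number of guesses and the time at an assumed guess rate for a few constructed sample passwords. The guess rate, the wordlist size, the "variants per word" factor for "spell funny" substitutions, and the sample passwords are all assumptions, not measurements.

```python
"""Added example (not from the original page): rough search-space estimates for
different password styles. All rates and sizes below are assumed for illustration."""
import math
import string

GUESSES_PER_SECOND = 1_000_000   # assumed attacker speed
DICTIONARY_WORDS = 100_000       # assumed size of an English wordlist
SUBSTITUTION_VARIANTS = 50       # assumed: "w@R3z"-style spellings an attacker tries per word


def charset_size(password):
    """Size of the alphabet an exhaustive search would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)          # 32 symbols
    if any(c not in string.printable for c in password):
        size += 256                              # rough allowance for accented letters etc.
    return size


def estimate(password, wordlist_entries=None):
    """Return (guesses, seconds, bits). If wordlist_entries is given, the password
    is assumed reachable by walking a list of that many entries (a plain dictionary
    word, or a word plus its common substitution spellings); otherwise the attacker
    has to search the whole charset ** length space."""
    if wordlist_entries:
        guesses = wordlist_entries
    else:
        guesses = charset_size(password) ** len(password)
    return guesses, guesses / GUESSES_PER_SECOND, math.log2(guesses)


# Constructed samples: (password, how an attacker would most likely reach it)
SAMPLES = [
    ("secret", DICTIONARY_WORDS),                           # plain dictionary word
    ("w@R3z", DICTIONARY_WORDS * SUBSTITUTION_VARIANTS),    # dictionary word, spelled funny
    ("w@R3z", None),                                        # same, if only brute force were possible
    ("Klavier-Tango-7719-lucht", None),                     # long, mixed languages, digits, symbol
]


def report(samples=SAMPLES):
    """Return rows of (password, guesses, seconds) for the samples."""
    return [(pw, *estimate(pw, wl)[:2]) for pw, wl in samples]


if __name__ == "__main__":
    for pw, guesses, seconds in report():
        print(f"{pw:28} {guesses:>24,d} guesses  ~{seconds:,.1f} s")
```

The two "w@R3z" rows make the point the page is getting at: a funny spelling of a dictionary word helps only against an attacker who does not know the substitution trick, whereas a long phrase built from several words and numbers is out of reach of a guess list and of brute force alike.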

3. They use "web spoofing" to discover your passwords... and more.
This one is a new game in town. One version uses Java, but the JavaSoft folks insist that you don't have to have Java to do this one. Basically, you go to a site, and then every place you go after that is routed through that page's server. An easy, non-malicious example of this is the Anonymizer. When you type in a URL, the request goes to the other person's site, and that person requests the page, views it, and then forwards it to you. Ditto your replies, such as when you are filling in a form or entering your password... the middleman SEES ALL.

The bad news is, this will eliminate the password crackers, because it's a FAR simpler way to get passwords.

The good news is, the process is still very visible on your monitor. They can use JavaScript to conceal the stuff on the scroll bar, but they can't do anything about the "Location" URL on the top of the screen. And, if it says anything more than the URL that you had in mind, it alerts you that you've got a middleman there. (This may only be a temporary transparency.)
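The "read the Location URL" check in the paragraph above can be written down as a rule. The following is an added example, not code from the original page or from the Princeton or Berkeley work it points to. It assumes that a rewriting middleman shows up in the Location bar in one of three ways: the host is not the one you meant; the real site's address is tacked onto the middleman's own path or query (the rewriting style the Princeton page describes); or a `user@host` prefix makes the intended site's name appear in front of the real host. The expected-host values and sample URLs are constructed for the example.

```python
"""Added example (not from the original page): a Location-bar sanity check for
a browsing middleman. Host names below are constructed for the example."""
from urllib.parse import urlparse, unquote


def middleman_suspected(location_url, expected_host):
    """Return a short reason if the Location bar does not point plainly at
    expected_host, or None if it looks clean."""
    parsed = urlparse(location_url)
    host = (parsed.hostname or "").lower()

    # 1. "www.bank.example@www.middleman.example": the part before '@' is
    #    userinfo, not the host, so the name you recognise is a decoy.
    if parsed.username or parsed.password:
        return "userinfo in URL hides the real host"

    # 2. The host simply is not the site you intended to visit.
    if host != expected_host.lower():
        return f"host is {host!r}, not {expected_host!r}"

    # 3. A second absolute URL rides along in the path or query, which is how a
    #    rewriting proxy remembers where to fetch the real page from.
    rest = unquote(parsed.path + "?" + parsed.query).lower()
    for scheme in ("http://", "https://"):
        if scheme in rest:
            return "another URL is embedded after the host"

    return None


# Constructed samples: (what the Location bar shows, the site the user meant)
SAMPLES = [
    ("http://www.bank.example/login", "www.bank.example"),
    ("http://www.middleman.example/http://www.bank.example/login", "www.bank.example"),
    ("http://www.bank.example@www.middleman.example/login", "www.bank.example"),
    ("http://www.bank.example/r?u=http%3A%2F%2Fwww.middleman.example%2F", "www.bank.example"),
]


def audit(samples=SAMPLES):
    """Return (url, reason_or_None) for each sample."""
    return [(url, middleman_suspected(url, host)) for url, host in samples]


if __name__ == "__main__":
    for url, reason in audit():
        print(f"{'OK ' if reason is None else 'BAD'} {url}  {reason or ''}")
```

The fourth sample is flagged on purpose: a URL that carries another full URL in its query string may be a legitimate redirect, but it is exactly what you want to stop and read before typing a password, which is the page's advice.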

For more information on this process, check out the superb technical info at Princeton University's "Web Spoofing" page, or the more technical Java-based version at Berkeley's "Web Graffiti" site.

Meanwhile, read your screens as you surf. See what's on your hard drive now and then, and check for Java Trojans if you can. Or, for a simple but extreme solution recommended by many security advisors: turn off the Java and JavaScript enablers in your browser. You'll find them in Netscape under Options --> Security Preferences --> Java, JavaScript boxes.

4. They use Java to access your hard drive.
It's old news that hostile applets can be used to get full read/write access to your hard drive, with certain Netscape and MSIE browsers. If you record your passwords anywhere on your hard drive, including in a password-keeping program, you're asking for trouble.

I keep my own passwords in a 3x5 file box, using file cards for the more permanent notes, and 3x5 pieces of paper (cheap by the pad at office supply stores) for the passwords I change regularly. If it's too difficult to think up a series of new passwords all the time, consider rotating through a series of passwords that you've noted on cards, not on your hard drive.

The bottom line is, there's no real security on the Internet. Sorry. However, if you take basic precautions such as backing up your data on a Zip (or other) drive, backing up your pages in your page editor, changing your passwords regularly, and so on... well, you don't have to lose sleep over security issues.
