No doubt you have often heard consultants, security people and experts of various flavors expounding on the importance of “good” passwords. There is very good reason for their concern, because easily guessed or easily cracked passwords are the #1 reason for various forms of identity theft online.
So why is it that literally millions upon millions of people don’t heed the advice?
I have a theory that if people understand the basic reasoning behind any particular recommendation, they are more likely to appreciate its importance and actually act on it.
So, putting that theory to the test, I’d like to demonstrate at a very basic level just how easy it would be for almost anyone to start reading your e-mail without your knowledge and without having to gain entry to your PC to do so.
Oh, and please note that whenever I use the word “hacker”, I’m using it very loosely indeed. In the context of this article a “hacker” could be a work colleague, nosy spouse, boy/girl friend (or ex) or the kid next door, not necessarily some shadowy code-genius holed up in a Moldovan basement. While young Percy’s proud mom might like to boast that her clever son & heir “knows all about computers”, more often than not his real knowledge is fairly elementary. Living on Facebook and Twitter and being a hotshot games player does not an expert make. And that’s the whole point — genius not required.
As I will demonstrate momentarily, weak passwords put you at the mercy of anyone with basic knowledge and the will to persevere.
There are many types of information that you would prefer not to share with the world at large, and many ways for a hacker to attempt to access that information. We’ll look at just one way, because access to your e-mail will reveal a lot about you to an intruder with larceny on his mind. So, as an example, I’m going to show you how to hack yourself.
Basic Elements
If they have ever given it any thought at all, most people would assume that for someone to read their e-mail the miscreant would need to have access to their computer, either physically or by “hacking in”.
Wrong!
They can get access to your mail the same way you do — from your service provider’s mail server. Whatever your e-mail client program (e.g. Microsoft Outlook), if you’ve ever set up an e-mail account yourself or taken a look at one that is already set up for you, you will know that just three pieces of information are required for mail access:
- Mail-server name
- Username
- Password
Let’s take a brief look at each of those three pieces of information.
Mail Server: I don’t want to get buried in jargon here, so let’s just say that incoming mail comes from something called a POP3 server. POP3 is an acronym for Post Office Protocol version 3. The acronym is all you need to know, and then only because outgoing mail is handled by a different type of server: SMTP for Simple Mail Transfer Protocol. POP3 in — SMTP out. But the really important thing is that there is nothing secret about the names of mail-servers. Anyone who knows your e-mail address can easily determine the name of your mail-server. Just Google for:
provider-name POP3 server
Example: verizon POP3 server
As you can plainly see, very easily discovered.
NOTE: The information and examples in this article apply specifically to “real” POP3 e-mail accounts, such as might be provided by your host or ISP, or that you can create if you have your own domain. Some free services do not provide conventional POP3 e-mail accounts and as such there is no POP3 server associated with those accounts.
Username: In the vast majority of cases the Username (a.k.a. User ID or Login Name) is also very easy to determine, because more often than not it will be either the full e-mail address or the first part of the e-mail address before the “@”. Often you will not be given the option (when establishing the account in the first place) to make the User ID different to the e-mail address. More often than not your service provider’s system will automatically allocate the e-mail address as the User ID.
Password: With most accounts this is the only part of the puzzle that the would-be hacker won’t know in advance, so this is really the only factor that protects your privacy. Are you starting to see why it’s so important?
OK, let’s leave the theory behind and get into a little practical work.
Mounting the Attack
For this demonstration to be effective you will need to have at least one e-mail message sitting on your provider’s mail server awaiting collection by you. It might be an idea to send yourself an e-mail, then quickly close your e-mail program so the message isn’t downloaded automatically by Outlook or whatever e-mail program you use.
The next thing you need to do is write down those three items of information I mentioned above. In the following examples I will use these fictional account details:
1. POP3 SERVER: mail.mailserver.com
2. USERID: me@mydomain.com
3. PASSWORD: secret
Now open a Command window (a.k.a. DOS shell). You should find it somewhere under your Windows Start menu, maybe somewhere like:
Start –> Programs –> Accessories –> Command prompt
If you can’t find it, click on Start –> Run, type in the word “command” (without the quotes) and click the OK button (see image below).

Now at the prompt in the DOS window, type this…
telnet mail.mailserver.com 110
…pressing the Enter key after the “110”. There is a space after “telnet” and another before “110”. Of course in place of “mail.mailserver.com” you will type the name of your own mail server. 110 is the port number typically assigned to the POP3 service. Only very rarely will you ever find the port number to be different.
By the way, in these examples only your password is case-sensitive. The commands themselves can be upper or lower case.

After you press enter you may briefly see a “Connecting to…” response as shown above, then the screen clears and displays a welcome message, the wording of which may be slightly different to that shown below.

Now type each of the following lines in turn, pressing the Enter key at the end of each line. Again, you will of course be using your own actual login credentials that you have written down:
USER me@mydomain.com
The mail server responds with an OK message
PASS secret
Again the mail server responds with an OK message
Here’s what it should look like on the screen:
If any of your entries are incorrect you will get error messages, but if all is OK to this point, type the word STAT followed by a press of the Enter key.
In the screen-shot above STAT has returned the STATistic that there are 37 messages awaiting collection, with a total size of 9,159 bytes (approx 9k).
Now type this, again followed by the Enter key:
RETR 1
That’s an instruction to RETRieve message #1. If the STAT command has reported the presence of more than one message then you can type a higher number after RETR.
In the screenshot below I have blanked out some information in the interests of privacy, but there it is — e-mail message #1 laid bare for the hacker’s inspection, and he never had to go anywhere near your PC.
Each message retrieved is terminated with a dot as circled in the bottom left.
If you type STAT again you’ll see that the message count is the same (or higher if new messages arrived in the meantime). Thus you know that although the message has been displayed it was not deleted after display, so the owner of the e-mail account will never be any the wiser that someone else has already read the message.
To terminate the telnet session type QUIT followed by the Enter key, and to close the DOS window type EXIT followed by the Enter key.
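The USER/PASS/STAT/RETR/QUIT exchange above, played out against an in-memory stand-in for the mail server so both sides of the conversation can be seen without a network connection. This is an added example, not code from the original article; the server class, the mailbox contents and the helper names are constructed for it, and the point of the final STAT is the one made above: retrieving a message does not remove it.

```python
import re

class FakePop3Server:
    """In-memory stand-in for a POP3 server (constructed for this example)."""
    def __init__(self, user, password, messages):
        self.user, self.password, self.messages = user, password, list(messages)
        self.pending_user, self.logged_in = None, False

    def handle(self, line):
        """Answer one client command with the lines the server would send back."""
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()   # commands are case-insensitive; the password is not
        if cmd == "USER":
            self.pending_user = arg
            return ["+OK"]
        if cmd == "PASS":
            self.logged_in = self.pending_user == self.user and arg == self.password
            return ["+OK Logged in."] if self.logged_in else ["-ERR Authentication failed."]
        if cmd == "QUIT":
            return ["+OK Bye."]
        if not self.logged_in:
            return ["-ERR Not logged in."]
        if cmd == "STAT":   # "+OK <message count> <total octets>"
            return ["+OK %d %d" % (len(self.messages), sum(len(m) for m in self.messages))]
        if cmd == "RETR":   # reading a message does not delete it
            n = int(arg) if arg.isdigit() else 0
            if not 1 <= n <= len(self.messages):
                return ["-ERR No such message."]
            body = self.messages[n - 1].split("\n")
            # Lines starting with "." are byte-stuffed with an extra "."; a lone "." ends the reply.
            stuffed = ["." + l if l.startswith(".") else l for l in body]
            return ["+OK %d octets" % len(self.messages[n - 1])] + stuffed + ["."]
        return ["-ERR Unknown command."]

def parse_stat(reply):
    """Return (message count, total size) from a STAT reply, or None on -ERR."""
    m = re.match(r"\+OK (\d+) (\d+)$", reply)
    return (int(m.group(1)), int(m.group(2))) if m else None

def read_message(reply_lines):
    """Un-stuff a RETR reply and return the message text, or None on -ERR."""
    if not reply_lines[0].startswith("+OK"):
        return None
    text = []
    for l in reply_lines[1:]:
        if l == ".":
            return "\n".join(text)
        text.append(l[1:] if l.startswith("..") else l)
    raise ValueError("reply not terminated by a lone '.'")

# Constructed mailbox matching the article's fictional account details.
def demo_mailbox():
    return FakePop3Server("me@mydomain.com", "secret",
                          ["From: a@b.com\nSubject: hi\n\n.hidden\nBye", "Second message"])
```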
How At-risk Are You?
So to summarize, two-thirds of the information that an intruder needs in order to be able to read your e-mail is public knowledge, so the only thing keeping his nose out of your e-mail is your password.
Are you now thinking: “well nobody knows my password so I’m safe”?
Well, even if there weren’t special programs readily available for cracking away at passwords, there is still the fact that so many people use unsafe words and phrases. Just go to Google and search on this phrase:
most common passwords
Is your password on one of those lists? If so, you are a sitting duck just waiting to be plucked, as every would-be hacker has a list of the most common passwords.
And further, anyone who knows you personally can extend the list with personal details about you. Using such details for passwords is equally irresponsible, yet they are so often used:
- Name of mother/father/child/significant-other/etc
- Name of favorite pet.
- Some part of your address — street/suburb/etc.
- Favorite celebrity, sport/sports team, etc.
- And so on…
But even if you don’t find your password on one of those lists, if your password is a real word or a sensible phrase you are still at high risk. There are any number of programs readily available that can mount what is called a “brute force dictionary attack”. To such programs any passwords comprised of real words, sensible phrases or even common misspellings are a breeze to crack.
You might want to make a mental note that security researchers have determined that the inclusion of punctuation characters in a password makes it significantly harder to crack, but that addition alone may not be enough.
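The checks described in this section, written out so you can run them against your own password before an intruder does: the common-password list, a dictionary (with the usual digit or “!” tail stripped), guesses built from personal details the way someone who knows you would build them, and the size of the search space a brute-force program faces. This is an added example, not code from the original article; the word lists, the personal details and the 60-bit threshold are constructed assumptions for the example.

```python
import math
import string

# Constructed stand-ins for the "most common passwords" lists and a dictionary;
# real lists run to millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "secret", "abc123"}
DICTIONARY = {"secret", "dragon", "monkey", "sunshine", "football", "princess"}
# Personal details a colleague or relative might know (constructed values).
PERSONAL_DETAILS = ["Fido", "Smith", "Elm Street", "Lakers"]

def personal_guesses(details):
    """Expand personal details the way a guesser would: case variants plus common tails."""
    guesses = set()
    for d in details:
        for word in {d.replace(" ", ""), d.split()[0]}:
            for v in (word, word.lower(), word.upper(), word.capitalize()):
                guesses.add(v)
                for tail in ("1", "123", "2010", "!", "1!"):
                    guesses.add(v + tail)
    return guesses

def search_space_bits(pw):
    """Bits of brute-force search space implied by the character classes actually used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0

def assess(pw, details=PERSONAL_DETAILS):
    """Return ("weak" or "strong", list of reasons) for a candidate password."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on a common-password list")
    if pw.lower().rstrip("0123456789!") in DICTIONARY:
        reasons.append("dictionary word, possibly with a digit or '!' tail")
    if pw in personal_guesses(details):
        reasons.append("derived from a personal detail")
    bits = search_space_bits(pw)
    if bits < 60:   # assumed threshold for this example
        reasons.append("brute-force search space only %.0f bits" % bits)
    return ("weak" if reasons else "strong"), reasons
```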
A Couple of Problems
There are two fairly obvious problems with using long secure passwords:
- You should never use the same password over and over again, so coming up with new, random and reliable variations can become tiresome;
- The longer and more complex a password, the better from a security perspective, but remembering such passwords is practically impossible.
And a Simple Solution
An excellent solution to both of these problems, and one I have relied on for many years and continue to recommend to anyone who will listen, is a browser add-in called RoboForm. If you have already heard of it but aren’t using it then you have completely missed the point.
It would take a rather lengthy article to do full justice to RoboForm, but in the context of this topic it provides two features which are especially useful.
Password Generator
The first of those two features is password generation. A button on the browser’s RoboForm toolbar pops up a small dialog which generates passwords that conform to any limitations you may have preset.
Clicking the Generate button on the RoboForm toolbar pops up a window like that in the screen-shot below.
In the password generator example above, RoboForm has automatically generated this very complex password:
83Gc#@*8bF3ET7Zt
As you can see, that password conforms to the format in the lower half of the window — 16 characters long, a mixture of upper and lower case letters, plus numbers and some special characters thrown in for good measure. The option to “Exclude similar characters” means that RoboForm will not use characters that are visually similar and could thus be confused with one another, such as I or O (the letters) with 1 or 0 (the numbers).
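A generator of the same shape as the one shown above (16 characters, all four character classes guaranteed, look-alike characters excluded), drawn from the operating system’s cryptographic random source, with a function that reports the size of the resulting search space. This is an added example, not RoboForm’s code; the exact look-alike set and the allowed special characters are assumptions for the example.

```python
import math
import secrets
import string

# Characters that look alike and are dropped when "Exclude similar characters" is on;
# this particular set is an assumption for the example, as is the special-character set.
SIMILAR = set("Il1O0|")
SPECIALS = "#@*!$%&+=?"

def character_classes(exclude_similar=True):
    """The four classes the password must draw from, minus look-alikes if requested."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
    if exclude_similar:
        classes = ["".join(c for c in cls if c not in SIMILAR) for cls in classes]
    return classes

def has_every_class(pw, classes):
    """True if at least one character from each class appears in pw."""
    return all(any(c in cls for c in pw) for cls in classes)

def generate(length=16, exclude_similar=True):
    """Draw from the OS CSPRNG until every class is represented (rejection sampling)."""
    classes = character_classes(exclude_similar)
    pool = "".join(classes)
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if has_every_class(pw, classes):
            return pw

def search_space_bits(length=16, exclude_similar=True):
    """log2 of the number of strings of this length over the pool (rejected strings ignored)."""
    return length * math.log2(len("".join(character_classes(exclude_similar))))
```

Excluding the six look-alikes costs under two bits of search space at 16 characters, which is why the option is cheap to leave on.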
Now obviously that’s a very safe password, but how on earth would you remember it? And just as obvious is the fact that entering it would soon become very tiresome. No problem, because RoboForm has…
A Long Memory
The second RoboForm feature that aids us with complex passwords is its ability to remember what password you used on which website. See the Save button on the toolbar in the diagram above? Each time you re-visit a web page where a password is required, RoboForm will offer to fill in the User ID and Password fields. It can also fill in entire forms of information, but that’s another story.
The only password you have to remember is one you assign to RoboForm itself, which keeps all your stored passwords safe.
For anyone who ventures onto the Internet and who is concerned about safety and security online, secure passwords are absolutely essential. And that in turn makes RoboForm a must-have security tool with great productivity benefits as well.
Don’t offer up your e-mail account for open inspection — or your net banking credentials or any other.
Click Now for a Free Trial of RoboForm
Comments welcome…
I have been an avid fan of yours for some time and have assisted many of my clients in implementing sound security according to The Hacker’s Nightmare.
My question is about the software that is out there to hack someone’s password.
I would like to demonstrate this to some of my clients and would like a recommendation of a software that would be applicable to your post.
Also, if the software that is out there can hack passwords as easily as it seems, why is RoboForm so effective according to you? I do use it and my master password is over 50 characters long, but it seems like there are software programs out there that claim to be able to work anyway.
I look forward to your response.
Thanks Mark
Hi Mark.
I’m pleased you’ve been able to assist others with their security as well. We can never have too many people waking up to their vulnerability.
On the question of password cracking, I very intentionally did not mention any product names and I don’t intend to make any recommendations in that direction.
I know your motives are pure and I understand what you’re trying to do, but I have a long-standing policy of being very careful that I don’t offer any encouragement to those who might be tempted to the dark side.
I can’t do anything about them finding their own way there, and of course search engines offer an easy starting point. I don’t think I’m giving away anything that isn’t already quite obvious by saying that Google searches for the likes of “hacking tools” or “password cracking tools” will turn up enough to get started with. But of course there is always the risk that the searcher himself is being targeted by a cyber-crim’s website!
The manual telnet approach as I described it isn’t really a practical attack method unless the target is using a simple real-word password of the type that appears on those lists I mentioned. If you have the patience and can eventually guess the password it will certainly work. The purpose of that article was to wake people up to just how vulnerable they are if they do use simple passwords.
For “professional” use you will need more automation, which is certainly available.
The thing about the security of a password is not whether it can be cracked or not, but how long it will take. I don’t have a problem with using a password that will continuously occupy the resources of a hacker’s computer for a couple of years. He won’t have the patience and I’ll have changed it several times anyway.
Now nobody on the outside knows for sure, but if you are being targeted by the likes of the NSA then any password you come up with will probably be cracked in short order. That’s just an educated guess based on the fact that we’re talking about an agency that could inventory their mainframes by the acre rather than by the unit. Any organisation that can throw that much processing power at what is basically a mathematical problem, is going to be pretty much impossible to beat.
However, none of the agencies that are capable of employing those sorts of resources is going to be interested in the passwords of 99.999% of us.
A mathematician might want to get into a discussion about what is truly random, if anything, but for *almost* everyone else on the planet that’s a hypothetical consideration of no practical interest. There is one site (http://www.random.org) that claims to base their number/character generation on atmospheric noise. As for RoboForm, I have no idea what the basis is for their random number generation — something based on Mersenne primes probably, as are many pseudo-random generators. I just know you’re not going to crack the monster mixed-character password that protects my router, and you’re not going to get a chance to inspect hundreds or thousands of consecutive passwords of that length to solve the formula.
The great thing about RoboForm is that it has everything you need wrapped up in the one application, all easily accessible on your browser toolbar. Set the parameters as complex as you like, generate the password, have RoboForm remember it and even associate it with the correct form/login/website/whatever for your next visit.
Could it be cracked? I’m sure it could.
Does it matter? Not really.
This was a terrific article, as are all your articles. This one was particularly helpful, useful, and educational. And I always find your reminders about the Microsoft updates helpful, even though I’m set up to get the update notifications automatically. Sometimes your reminders are just confirmation for me, other times they remind me in a timely fashion to run the updates if I hadn’t yet. I’m so thankful that I purchased the Hacker’s Nightmare and subscribed to your “Computer & Online Security” email updates.
Thanks for the kind words Norm. That’s exactly what the update reminders are intended to do — act as a memory jogger.
Nice articles, worth studying, and good stuff to share at schools.
mon
Hello, I think that I saw you visited my blog thus I came to “return the favor”. I am trying to find things to improve my site! I suppose it’s ok to use some of your ideas! Simply want to say your article is as surprising. The clarity in your post is just spectacular and I can assume you’re an expert on this subject. Fine, with your permission let me grab your RSS feed to keep updated with forthcoming posts. Thanks a million and please continue the enjoyable work.