Avoiding your own Private Cablegate

Distributed Denial of Service (DDoS) attacks have hit the mainstream news again recently in stories about attempts by [insert shadowy US government organisation here] to bring down the Wikileaks website after its release of the initial cablegate records.

Reports rightly focus on the attacks themselves and their effect on the Wikileaks site, rather than on the BotNets behind many DDoS events or the other malicious ends to which they can be put. However, it is interesting that the technology being used to hinder the Wikileaks distribution is the same technology used by criminals to gather private information on a massive scale, for release to the highest bidder.

In early 2009 some researchers at the University of California, Santa Barbara managed to take over part of a BotNet being used to steal private information such as passwords and credit card numbers. You can see Richard A. Kemmerer, a member of the research group, explaining the 10-day exploit in this Google talk. As part of the experiment, the group analysed encrypted passwords stolen by the BotNet to see how easily each user’s data could be cracked. They found that of 173,686 unique passwords discovered, just under 58% could be cracked within 24 hours (56k, about 32%, could be cracked within 65 minutes). Further analysis also revealed that 28% of people reused the same password on multiple domains. So, there are some relatively easy pickings for BotNet creators to harvest and on-sell.

The results aren’t particularly surprising; we are a pretty lazy bunch in general, and there are so many points online and offline at which passwords are required to access content. The effort required to generate different memorable, but secure, passwords is high. Yet the risks associated with not having strong passwords are rising as we move more of our digital lives to the cloud. So, here are a couple of ideas I’ve gathered for generating memorable, strong passwords with minimal effort.

  • Create an acronym from a phrase. For instance, “Please Let Me In To Twitter So I Can See Some Tweets” would translate to “plmittsicsst”. You can vary the phrase easily enough for different sites. When combined with symbol or number replacement and a sprinkling of upper-case letters, this can generate strong passwords quickly. So, our string above could become “Plm!tt%!c%%T” if we capitalise the first and last letters and replace i and s with the shift symbols for 1 and 5 (which look like i and s).
  • Create a password base that you use everywhere, then mix a site-specific part in with it. For example, you could take the first and last two characters of the street you grew up on along with the last two digits of your old student ID to get a base (e.g., “adde32”), then append the reverse of the consonants from the site name to this (e.g., “rttwt” for twitter). Sprinkle with symbol replacement and you get “$dd#32rttwt”. For good measure you can add a prefix and suffix symbol for extra security: “#$dd#32rttwt#”.
  • Use a password manager that generates random passwords :)

You can test out different approaches to get a feel for how secure the passwords you generate are at this site: http://howsecureismypassword.net/.  Obviously, you shouldn’t put any of your real passwords in, but you can use it to test out ideas using fake details or phrases.
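To make the two recipes above concrete, here is an added example (not code from the original post) that implements the acronym recipe and the base-plus-site recipe, and adds a naive search-space estimate of the kind a checker like the linked site produces. The street name “Adelaide” and student ID “1732” are constructed inputs chosen to reproduce the post’s “adde32” base.

```python
import math
import re

# Symbol replacements used in the post: i -> ! and s -> % (shift-1, shift-5)
# for the acronym recipe; a -> $ and e -> # for the base + site recipe.
ACRONYM_SUBS = {"i": "!", "s": "%"}
BASE_SUBS = {"a": "$", "e": "#"}


def substitute(text: str, subs: dict) -> str:
    """Replace lower-case letters according to a substitution table."""
    return "".join(subs.get(ch, ch) for ch in text)


def acronym_password(phrase: str, subs: dict = ACRONYM_SUBS) -> str:
    """First letter of each word; first and last capitalised; symbols swapped in."""
    letters = "".join(word[0].lower() for word in phrase.split())
    if len(letters) < 2:
        raise ValueError("phrase needs at least two words")
    return letters[0].upper() + substitute(letters[1:-1], subs) + letters[-1].upper()


def site_password(street: str, student_id: str, site: str,
                  subs: dict = BASE_SUBS, wrap: str = "#") -> str:
    """Shared base (street and ID fragments) plus the reversed consonants of the site,
    with symbol substitution and an optional wrapping symbol."""
    base = street[:2].lower() + street[-2:].lower() + student_id[-2:]
    suffix = re.sub(r"[aeiou]", "", site.lower())[::-1]   # consonants, reversed
    return wrap + substitute(base + suffix, subs) + wrap


def naive_bits(password: str) -> float:
    """Brute-force search space in bits, assuming the attacker knows only which
    character classes appear. This is the optimistic figure an online checker
    reports; it ignores the fact that the password follows a recipe."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33   # printable ASCII symbols, including space
    return len(password) * math.log2(pool)


if __name__ == "__main__":
    for pw in (acronym_password("Please Let Me In To Twitter So I Can See Some Tweets"),
               site_password("Adelaide", "1732", "twitter")):
        print(f"{pw:16} ~{naive_bits(pw):.1f} bits (naive)")
```

The naive figure overstates the second recipe in particular: the suffix is derived from the site name, so a password leaked from one site reveals the shared base, and only the remaining secret part counts.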

