Jun 03 2015

Next Steps In Password Security

It used to be that you had one or two passwords. They rarely, if ever, changed. You may even have had it written down on a Post-It note, placed securely next to the very PC it protected.

Nowadays? Even if you are not a sysadmin, odds are you have half a dozen (or more) accounts and passwords, covering everything from e-mail to Facebook to online banking and trading accounts. Odds are, you have a file somewhere to keep track of them, or you use one of the many password manager apps that let you remember a single master password and keep all of your other passwords stored safely.

I used to not be a fan of password manager apps, until one of my InfoSec colleagues gave a brief presentation and made me a believer. The benefit of having a single password repository is not really the simplicity of needing to know just one password. It is in having all of your passwords pre-typed, so that if you are ever compromised and the hacker opts to use a keylogger, they would not be able to log your username and password, because you never type them in. It may be a small benefit, but it is one many often overlook.

Beyond that, what can you do to enhance password security? Everyone now knows to add numbers and special characters and to mix upper- and lower-case letters: Password becomes Pa55w0rd!. It remains easy enough to remember, but harder to guess and harder to attack with known password-cracking tools (i.e., it defeats a straight dictionary attack).

But what if that wonderful single app…that single repository…that…single point of failure, holding all of your usernames and passwords, gets compromised?

What if you had software that would open with an incorrect master password and, for each wrong guess, generate another plausible copy of the password vault, leaving the hacker to wonder which, if any, held the actual passwords? Such a development has happened, and it is called NoCrack. An encrypted vault, if opened with a wrong password, would produce what looked like real passwords to the hacker, so he or she would not know whether the guess had succeeded until they actually tried to use them. It used to be that you had one encrypted file which, unless opened with the proper master password, would decrypt to gibberish. With NoCrack, every candidate master password yields seemingly valid password data that can only be confirmed by trying it against the real services. This obfuscates your actual password vault and its contents, giving a user an extra layer of defense in the event of a serious data breach.
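A toy of the mechanism described above, added here as an illustration and not NoCrack's own code: a distribution-transforming encoder maps each password to a random seed drawn from an interval sized by how likely that password is, and the seeds are then encrypted under the master password. Decrypting with any master password therefore yields a vault that decodes to plausible passwords. The five-entry weighted table, the site names and the master passwords are constructed; the table stands in for the natural-language password model NoCrack fits to real leaks.

```python
import hashlib, hmac, os, secrets

# Constructed toy password model (password, weight). NoCrack fits a natural-
# language model to real password leaks; this table is a stand-in for it.
MODEL = [("password", 8), ("letmein", 4), ("Pa55w0rd!", 3), ("dragon2015", 2), ("qwerty123", 3)]
SEED_SPACE = 1 << 16            # each password encodes to a 2-byte seed
TOTAL = sum(w for _, w in MODEL)

# Distribution-transforming encoder: carve the seed space into one interval per
# password, sized by its weight, so a uniform seed decodes to a plausible password.
INTERVALS, _start = [], 0
for _i, (_pw, _w) in enumerate(MODEL):
    _end = SEED_SPACE if _i == len(MODEL) - 1 else _start + _w * SEED_SPACE // TOTAL
    INTERVALS.append((_pw, _start, _end))
    _start = _end

def dte_encode(pw):
    """Pick a uniformly random seed from the interval owned by pw."""
    match = next(((lo, hi) for cand, lo, hi in INTERVALS if cand == pw), None)
    if match is None:
        raise ValueError("password not in model")
    return match[0] + secrets.randbelow(match[1] - match[0])

def dte_decode(seed):
    """Every seed in [0, SEED_SPACE) decodes to some password in MODEL."""
    return next(cand for cand, lo, hi in INTERVALS if lo <= seed < hi)

def _keystream(master, salt, n):
    """Derive a key from the master password and expand it to n bytes."""
    k = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 50_000)
    blocks = (hmac.new(k, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt_vault(master, vault):
    """vault: list of (site, password). Returns (salt, sites, ciphertext)."""
    salt = os.urandom(16)
    seeds = b"".join(dte_encode(pw).to_bytes(2, "big") for _, pw in vault)
    ct = bytes(a ^ b for a, b in zip(seeds, _keystream(master, salt, len(seeds))))
    return salt, [site for site, _ in vault], ct

def decrypt_vault(master, blob):
    """Any master password yields a vault of plausible passwords; only the
    right one yields the real vault, and nothing in the output says which."""
    salt, sites, ct = blob
    seeds = bytes(a ^ b for a, b in zip(ct, _keystream(master, salt, len(ct))))
    return [(site, dte_decode(int.from_bytes(seeds[2*i:2*i+2], "big"))) for i, site in enumerate(sites)]
```

The site names are stored in the clear here only to keep the example short; a real vault would encode them too, since a plaintext site list leaks which decoys belong to which account.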

In a world where you can't have too much security, adding something like NoCrack to your password-protection bag of tricks, once it becomes available, would be a smart move.