Holiday Inns hacked - lessons

https://www.infosecurity-magazine.com/news/holiday-inn-hotel…

Yeah - another major firm had multiple system intrusions.

Two object lessons:

Personal:

Don’t gratuitously give any information that you don’t have to. Doctors regularly ask for your Social Security Number. Simply don’t give it. Web sites ask for your home, office and mobile phone numbers - give one if you absolutely have to.

Use a different complex password for each account.

Don’t let sites retain your credit card number.

Don’t stay permanently logged in to Facebook, Google, Microsoft etc. Remember, while there are absolutely convenience factors to the “free” services provided by guys like these, there is no free lunch and you are constantly feeding information to them - and at some point one of them will be hacked and your information spread across the universe. Until companies are made financially responsible for consequential damages of their negligence, they will not arbitrarily spend “excessive” money on security they “don’t need”.

Commercial (or sophisticated personal):

With ransomware and other malware so prevalent, embrace the ‘3–2–1 rule’: have at least three copies of data, on at least two different media, with at least one copy offsite (offline). Data should be backed up regularly and automatically where possible to ensure quick recovery and restoration.

Keep all disk drives (except those secured off-site), encrypted. I keep my off-site copies in a bank safe deposit box.

In the case of a hotel, systems are very complex and often include external suppliers, for example, for heating systems, booking systems, CCTV, access control and so on. Our home networks are quickly heading in the same direction with the general adoption of the Internet of Things with smart doorbells, surveillance cameras, smart lighting, A/V systems, and so on. The manufacturers of these devices are more interested in building them quickly and cheaply - rather than spending a lot of time or money on providing a constantly upgraded level of internet security. As our phones and PCs are generally a part of these networks, they become vulnerable to attacks which are sophisticated enough to circumvent the security of a $10 light bulb.

Convenience is great, but you only get the chance to make a mistake once.

Jeff

14 Likes

Use a different complex password for each account.

The strength of a password depends on its length, not on its complexity, barring guessing games (birth dates?).

The Captain
typically uses length 12, letters & numbers

1 Like

The strength of a password depends on its length, not on its complexity, barring guessing games (birth dates?).

Just like Bridge. Length over strength.

Use a different complex password for each account.

This is why I use password management software to generate, encrypt, and save a different secure password for each account. My preferred password manager is KeePassXC, because it’s free, open source, and available for Linux, MacOS, and Windows. I prefer Linux, but if I’m forced to use MacOS or Windows, I can use this same tool and not have to hunt around for a replacement.

1 Like

The password manager I use is Password Safe (https://pwsafe.org/). One of the reasons is because I trust its authors and the other is because there are versions available for Windows, Mac, Linux and Android. It’s simple to use, small, secure and so on.

As has been pointed out, the longer a password is, the better. It’s also important to expand the required character set by including at least one each of upper case, lower case, number and symbol. Simplifications like sequential letters or numbers on a keyboard, dates, English (or other) language words or names and so on should be avoided. Also to be avoided are sections of previous passwords and especially strings previously used as user names.

Jeff

It’s also important to expand the required character set by including at least one each of upper case, lower case, number and symbol. Simplifications like sequential letters or numbers on a keyboard, dates, English (or other) language words or names and so on should be avoided.

I know everyone says to do this. And I know many sites enforce this rule.
And I do it for all my passwords that require it or are of any importance.

But, my question is, if someone is using a computer to try and guess your password, why does it matter?
Wouldn’t they have to assume you are using upper/lower/numbers/special and try guessing with all these characters anyway?

Are there really sites out there that allow guessing more than 5 or 10 times before they lock you out for some time period before guessing again?
And if a site is hacked and gets a list of usernames and passwords it doesn’t make any difference how complex your password is…right? (Of course, considering this might/will happen you do not want to have the same password at, for example, an easily hacked news web site and your bank)

Note: of course you don’t want to have a password that is just your birthday or pet’s name since someone who knows you could guess this in one or two tries like happens on TV shows.

Mike

1 Like

But, my question is, if someone is using a computer to try and guess your password, why does it matter?
Wouldn’t they have to assume you are using upper/lower/numbers/special and try guessing with all these characters anyway?

Exactly. Longer and simple is better than shorter but more complicated.

https://xkcd.com/936/

1 Like

Are there really sites out there that allow guessing more than 5 or 10 times before they lock you out for some time period before guessing again?

Two points:

You are right, no one is going to try to hit a site with a brute force attempt to steal your credentials. It’s far easier to hack the site and vacuum up everyone’s credentials and then try to sort out where to try them. OTOH, if, for example, your retail (piece of crap) router was hacked by a Russian team (as happened to hundreds of thousands - or millions - of them a couple of years ago), they would be able to spend the time to try to crack your credentials from within your network.

Yes, you are also right that a brute force crack would have to assume that your character set included numbers, special characters, etc. - so why bother? Well most of them start their brute force crack with lower case, followed by adding upper case, then numbers and finally symbols. I guess if you use all symbols for your password it might make some sense, but adding all these components will extend (dramatically) the time it takes to do a brute force crack as each character now has roughly 75 possibilities rather than 26 of them.

But don’t let me stop you from taking the lazy way out :slight_smile:

Jeff

2 Likes
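The arithmetic behind the length-versus-character-set exchange above, as an added example (not code from any poster in this thread). It assumes the 26-letter and roughly 75-symbol character sets Jeff cites, a 62-symbol "letters and numbers" set, a 2048-word list for the xkcd-style passphrase, and a constructed offline guessing rate.

```python
import math

# Character-set sizes behind the thread's argument (constructed constants):
# lowercase only, "letters & numbers", and the ~75-symbol mixed set cited above.
LOWER_ONLY = 26
LETTERS_AND_DIGITS = 62
MIXED_WITH_SYMBOLS = 75


def search_space(charset_size: int, length: int) -> int:
    """Distinct passwords an exhaustive brute-force run must cover."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random password, in bits."""
    return length * math.log2(charset_size)


def equivalent_length(charset_size: int, target_bits: float) -> int:
    """Shortest password over charset_size that reaches at least target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole space at a given offline guessing rate."""
    return search_space(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    mixed_bits = entropy_bits(MIXED_WITH_SYMBOLS, 12)
    print(f"12 chars from 75 symbols: {mixed_bits:.1f} bits")
    # "Add more letters to the end": how many lowercase letters buy the same space
    print(f"lowercase letters needed to match: {equivalent_length(LOWER_ONLY, mixed_bits)}")
    # The Captain's style: 12 characters of letters and digits
    print(f"12 chars of letters & numbers: {entropy_bits(LETTERS_AND_DIGITS, 12):.1f} bits")
    # xkcd 936 passphrase: four words from an assumed 2048-word list
    print(f"four random common words: {entropy_bits(2048, 4):.1f} bits")
    # Assumed offline rate of 1e10 guesses/s against a fast unsalted hash
    years = worst_case_seconds(LOWER_ONLY, 16, 1e10) / 3.15e7
    print(f"16 lowercase letters at 1e10 guesses/s: {years:.0f} years worst case")
```

Only uniformly random passwords get the full figure; a dictionary word or a date collapses the space to the attacker's wordlist regardless of the character set, which is the "guessing games" caveat raised earlier in the thread.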

Yes, you are also right that a brute force crack would have to assume that your character set included numbers, special characters, etc. - so why bother? Well most of them start their brute force crack with lower case, followed by adding upper case, then numbers and finally symbols. I guess if you use all symbols for your password it might make some sense, but adding all these components will extend (dramatically) the time it takes to do a brute force crack as each character now has roughly 75 possibilities rather than 26 of them.

But don’t let me stop you from taking the lazy way out :slight_smile:

Or you can simply add more letters to the end. Mathematically does the same thing. Length over strength, as they say in Bridge.

But, my question is, if someone is using a computer to try and guess your password, why does it matter?
Wouldn’t they have to assume you are using upper/lower/numbers/special and try guessing with all these characters anyway?

The gibberish part of the password is to foil humans. The machine could care less what the characters mean to humans, all it knows is ones and zeros. The way to overload the machine is to double the number of RANDOM ones and zeros and double it again and again. It’s brute force. The password will be broken in time but the idea is that the time to do so is so long that it no longer matters. This is one reason to require new passwords every so often.

The Germans and the Japanese assumed their codes were unbreakable. Big mistake. The Allies took great care to fool the Axis into believing their codes had not been broken, sometimes at great sacrifice. The history of Alan Turing and Bletchley Park is fascinating. Operation Mincemeat was gruesome!

https://www.google.com/search?client=safari&rls=en&q…
https://en.wikipedia.org/wiki/Operation_Mincemeat

“In wartime, truth is so precious that she should always be attended by a bodyguard of lies.” Winston Churchill

https://www.brainyquote.com/quotes/winston_churchill_111291

YT6uB44E5r390TN8joJc1iU0DQp4v0y8z8902PEsuuX9f5h751lAUc2o9jCt
a.k.a.
The Captain