The Good, the Bad and the Ugly of password practices
The Internet has taken a preponderant place in our lives, and most of us regularly purchase goods or use banking services online. Access to the services we use is protected by a password, and humans are not good at managing passwords:
- Most of us will reuse the same password on many services (combine this with the fact that people also use the same email address to log in to said services, and you get an explosive mix when security is breached on one service).
- Most of us will use weak passwords, basically as weak as the service will allow. Not only are our passwords weak, they are also extremely predictable.
To address those issues you need to use strong, unique passwords. By strong I mean that your passwords should be:
- long (let’s say at least 25 characters)
- a mix of lower / upper case letters, digits and symbols
- randomly generated (by a random generator not by you typing random keys on your keyboard)
By unique I mean that you should never reuse a password. You should set a different password on each service. As we tend to use many services and tend to log in from multiple devices (home and work computers, smartphones, tablets...), remembering all those strong passwords is impossible.
Google has recommended the use of a sentence with substitutions, and something even stronger has been advocated by xkcd. But this doesn’t work. I use over a hundred different services; how could I remember a hundred different sentences? Common substitutions (the ones you will use) are also well documented and will be attempted by attackers trying to guess your password. Other experts have advised getting rid of passwords altogether, but this opinion is unconventional to say the least.
Whether we want it or not, we’re stuck with passwords for the foreseeable future. Luckily there is a solution: it’s called a password manager. With a password manager you’ll only need to remember one password (the master password); all the other ones will be entered automatically for you in the login forms. I use 1Password, but there are other products on the market: LastPass, KeePass, RoboForm… Most of those products are not free, but I’m sure you’ll prefer to drop a few dozen dollars every few years instead of seeing your online (and sometimes offline) life ruined.
Now that I’ve addressed password best practices on the users’ side, it’s time to mention the other side. The services that you use should do everything they can to protect your password. There is a lot to say in this area, but I decided to address the features that are easily observable:
- password requirements: services shouldn’t restrict the length of our passwords (at least not to fewer than a few dozen characters) or the character set that we can use (this would reduce the entropy)
- proper use of HTTPS
- password reset feature
Due to the Heartbleed vulnerability I decided to change some of my passwords recently. To my surprise, many well known services impose strong restrictions on the passwords users can set. Shall we get started? The offenders are ordered from the worst to the most benign.
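As an added example (not code from the original post), here is a small Python generator and checker for the three rules above (at least 25 characters, all four character classes, drawn from a real random source), with an entropy calculation that shows what a service-side length cap costs. The symbol set and the policy function names are my own choices.

```python
import math
import secrets
import string

# Character classes the post recommends mixing. The symbol set is an assumption
# for this example; any printable punctuation the service accepts works.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 characters

MIN_LENGTH = 25  # the "at least 25 characters" rule from the post


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password is long enough and uses all four classes."""
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    return len(password) >= min_length and all(
        any(ch in cls for ch in password) for cls in classes
    )


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw from the OS CSPRNG (secrets) and resample until every class is present.

    Rejection sampling keeps the result uniform over all acceptable passwords,
    unlike "pick one character per class, then shuffle", which is biased.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(len(pw)), 1), "bits")
    # A service that caps passwords at 8 characters leaves far less entropy,
    # even with the full symbol set allowed:
    print(round(entropy_bits(8), 1), "bits at 8 characters")
```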
Why You Should Not Use Chrome Extensions
Google Chrome Extensions were launched officially in January 2010. Their goal is to extend the browser by providing additional features; for example, you could add a weather extension and then see the forecast for your city in one click. Extensions have become widely popular, and you’re now wondering what the issue with them could be.
Much more power than expected
Google uses a system of permissions to determine what an extension will be able to do once installed. Those permissions are divided into three alert levels: high, medium and low. So far, so good? Not really: even the low level allows an extension to harvest your browsing history and the content of your clipboard.
In this case the exploit is fairly limited: you need the user to be copying / pasting their email and password for this to work (the extension would also collect everything else the user copies and pastes). What about the medium and high alert levels? This is where the real fun starts: at this level of trust, extensions can do whatever they want!
A medium alert level extension can generate HTML elements on a page. It could perfectly hide a login form, replace it with its own, harvest your credentials and submit the hidden login form. A high alert level extension can do similar things, but on your computer! This means that it could take your picture via your webcam, or browse your hard drive looking for interesting files…
You would think that all of this is hypothetical and that Google would certainly remove any malicious extension, but in this case you would be wrong.