Wednesday, September 2, 2009

Reviewing Quality of Password Protection in Popular Applications

We published a new article, "Reviewing Quality of Password Protection in Popular Applications", on our site. It is a tale of how it took the leader of the programming industry 20 years to create reliable password protection. We reviewed the password protection schemes implemented in the most popular applications, such as Word, Excel, Access and others.

Read the article here.

Wednesday, August 5, 2009

Picking the Right Password

Picking a strong password is not as easy as it may seem at first. It is generally agreed that the right way is to pick a long password of randomly generated characters, preferably not letters only. At the same time, it is acknowledged that the vast majority of users do not follow this recommendation and pick passwords that are easy to type and remember, like "qwerty".

Generating a long password is not a problem; there are a huge number of strong-password generators, and this function is available in literally any password manager (e.g., Aurora Password Manager). However, the use of strong, automatically generated passwords creates a new problem: unable to memorize them, users either write them down, often in the most inappropriate places, or simply forget them, which often leads to serious trouble and to the need for password recovery software (not always successfully).

First, let's think about what length a password should have in general and what requirements it has to meet. Above all, it should be understood that the reliability of a system as a whole is determined by its weakest component. You can generate a prodigiously strong and long password, memorize it and use it, but if, for example, you use it to protect a database in a version of Microsoft Access older than 2007, that password can be recovered instantly. The length of the password won't do you any good, simply because password protection in Microsoft Access before version 2007 was implemented in an absolutely ignorant and unprofessional way and didn't provide any real protection. Therefore, if the software itself is not reliable, a long password won't save you. Unfortunately, password protection (and security issues in general) is very often treated as something of minor importance, and the result is an outrageously ignorant implementation. As a case in point, consider the IT market's leader (and likely to remain so for a while yet), Microsoft Corporation, which took 20 years to finally create more or less reliable password protection in its lead product, Microsoft Office (and still not in full and not in all its products).

But even if the system is reliable, there are still many ways to obtain a password even if it is strong enough. First, there is the human element (writing a password on a piece of paper kept near the computer is just one example). Second, there is spyware of all kinds: keyloggers that record every key press, and not only those. If, while away from home, you visit an internet café to use online banking, be aware that the password you enter there can easily be stolen. Moreover, it wouldn't necessarily be the administration's malicious intent: security in internet cafés is often maintained at a low level, and a spyware application can be installed even by a visitor.

And finally there are two universal methods for breaking a password, which are applicable in literally all cases but which, fortunately, do not guarantee success (provided that the password is chosen properly). The first method is dictionary search. The second is exhaustive search of all possible combinations of characters, also called a brute-force attack. There are also different variations of these methods. For example, when searching by dictionary, it is possible to check not only whether a certain word fits as the password but also different modifications of it: the word with trailing digits, the word with typos, a password composed of two words, etc. Different variations and optimizations also apply to the exhaustive search.

Dictionary search runs quickly enough; however, its success is not guaranteed. If the password is a sequence of characters that is not a word (or a modification of one), dictionary search will be unable to break it.
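The defender's side of the same observation is a password-acceptance check: reject a new password if a dictionary search with the modifications listed above (trailing digits, typos, two words joined, common character substitutions) would reach it. The following is an added example, not LastBit's code; the word list is a constructed stand-in for a real dictionary, and the rule names are my own.

```python
"""Password-acceptance check that flags candidates a dictionary search would reach.

Added example, not LastBit's code. The word list is a constructed stand-in for a
real dictionary; a deployment would load a large list (a system word list or a
breached-password corpus) instead.
"""
import re
from typing import Optional

# Constructed mini-dictionary; a real check uses tens of thousands of words.
DICTIONARY = {"password", "rome", "roads", "summer", "qwerty", "hello", "world"}

# Substitutions a dictionary search undoes before looking a candidate up.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def _lookup(form: str, dictionary: set) -> Optional[str]:
    """Match one normalised form against the modifications the post lists."""
    if form in dictionary:
        return "word"
    # Two words joined: try every split point and look both halves up.
    for i in range(1, len(form)):
        if form[:i] in dictionary and form[i:] in dictionary:
            return "two words"
    # Simple typos: one extra character, or two adjacent characters swapped.
    for i in range(len(form)):
        if form[:i] + form[i + 1:] in dictionary:
            return "word with an extra character"
        if i + 1 < len(form):
            swapped = form[:i] + form[i + 1] + form[i] + form[i + 2:]
            if swapped in dictionary:
                return "word with transposed characters"
    return None


def dictionary_exposure(candidate: str, dictionary: set = DICTIONARY) -> Optional[str]:
    """Return which dictionary rule reaches `candidate`, or None if none does."""
    lowered = candidate.lower()
    stripped = re.sub(r"\d+$", "", lowered)            # "word with trailing digits"
    forms = [
        ("as typed", lowered),
        ("after undoing substitutions", lowered.translate(SUBSTITUTIONS)),
        ("after removing trailing digits", stripped),
        ("after removing trailing digits and substitutions", stripped.translate(SUBSTITUTIONS)),
    ]
    seen = set()
    for label, form in forms:
        if not form or form in seen:
            continue
        seen.add(form)
        hit = _lookup(form, dictionary)
        if hit is not None:
            return f"{hit} ({label})"
    return None


def is_dictionary_resistant(candidate: str, dictionary: set = DICTIONARY) -> bool:
    """True when none of the modelled dictionary rules reaches the candidate."""
    return dictionary_exposure(candidate, dictionary) is None


if __name__ == "__main__":
    for pw in ["password", "Password123", "P@ssw0rd", "helloworld", "passwrod", "alroletoro"]:
        print(f"{pw:12} -> {dictionary_exposure(pw)}")
```

A real deployment swaps the constructed word list for a large dictionary and adds the remaining rules it cares about (leading digits, reversed words); the point is that the check models the searcher's modifications, so a password that survives it forces the attacker back to exhaustive search.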

As for the exhaustive search of all characters, this method does guarantee success: any password can be broken with it. This fact lies at the heart of Dan Brown's famous book "Digital Fortress". The reasoning goes: since it is possible to break any password, one could spend a lot of money, build a supercomputer that calculates really, really fast, and that's it, it will crack all passwords like peanuts. Fortunately, that's not true. To put it more precisely, it is true in theory; in practice, the matter rests on time. How much time and how many resources can an attacker afford to spend on breaking a password? Three factors determine the time required. The first (and most important) is password length. The second is password "width", in terms of the characters that can be present in it: Letters only? Latin characters only or Cyrillic too? Lowercase only, uppercase only, or both? Digits? Other characters? The third factor is search speed. For example, the applications whose passwords are hardest to break are WinRAR and Office 2007 (Word, Excel, OneNote, PowerPoint; in Access 2007 the security situation is much worse, and in Outlook everything is just as monstrously bad as it was 20 years ago): in these applications the search speed is very low. On the other hand, the password search speed for a password-protected ZIP archive can be 100,000 times higher! Thus, the same password can turn out to be reliable enough or completely unreliable, depending on where it is used. For example, a password to a ZIP archive that can be broken within just one hour will require over 11 years of calculations when used with WinRAR.

The dependence of time on password length is exponential. That mathematical dependence is known for growing slowly at the beginning and then faster and faster as it goes on. Many everyday paradoxes are based upon that fact; as an example, take a look at the following problem. Would you rather get one million dollars at once, or get one cent on the first day, two cents on the second day, four on the third, and so on, doubling the previous day's amount every day for one month (30 days)? It would seem that the second option pays much less: after all, only a week later you will move on from cents to one dollar, whereas a week is a quarter of the entire time span allowed! On the 15th day, the middle of the allotted term, you're going to have just a bit over three hundred dollars, while in the first case you'd have a million! But keep on calculating: on the twentieth day you're going to have 10 thousand, and on the thirtieth day the amount due to you will be 10 million! This example is directly related to the brute-force attack. If the password consists of English letters only, picking a one-character password is nothing: there are only 26 variants. For a two-character one the number of options rises to 676, also not all that many. Five characters: 11 million. That will cause some difficulties with the breaking if it is, for example, a password to a Word 2007 document. But in the case of simpler variants there will be no problems or special delays. Breaking a password of 9 characters is an almost unbearable job in the case of Word 2007 or WinRAR, and even with the fast variants (like a password to a ZIP archive) breaking such a password will take noticeable time.

You can use the online password calculator to estimate how long it will take to break a password depending on the parameters you provide. The calculator is available at www.LastBit.com/pswcalc.asp
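The three factors above (length, width, search speed) combine into a simple estimate: the number of candidates is width^length, summed over all shorter lengths, divided by the guess rate. The following estimator is an added example written in the spirit of the calculator, not the calculator's own code; the post gives only the speed ratio between formats (ZIP about 100,000 times faster than WinRAR), so the absolute guess rates in it are assumed placeholders.

```python
"""Brute-force cost estimator in the spirit of the post's online password calculator.

Added example, not the calculator's own code. The post gives only the ratio between
formats (ZIP search about 100,000 times faster than WinRAR), so the absolute guess
rates below are assumed placeholders, not measurements.
"""
import math

SECONDS_PER_HOUR = 3600.0
HOURS_PER_YEAR = 365.25 * 24

# Password "width": how many distinct characters may appear in each position.
WIDTHS = {
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "letters+digits": 62,
    "printable ASCII": 95,
}

# Assumed guess rates in candidates per second (constructed for illustration).
ASSUMED_RATES = {
    "zip": 1_000_000_000,   # fast format
    "winrar": 10_000,       # 100,000 times slower, the ratio quoted in the post
}


def keyspace(width: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over `width` symbols."""
    return width ** length


def keyspace_up_to(width: int, max_length: int) -> int:
    """All passwords of length 1..max_length: what an exhaustive search must cover."""
    return sum(width ** n for n in range(1, max_length + 1))


def entropy_bits(width: int, length: int) -> float:
    """Equivalent key size in bits; every extra character adds log2(width) bits."""
    return length * math.log2(width)


def hours_to_exhaust(width: int, length: int, rate: float) -> float:
    """Worst-case hours to try every candidate up to `length` at `rate` guesses/s."""
    return keyspace_up_to(width, length) / rate / SECONDS_PER_HOUR


def hours_to_years(hours: float) -> float:
    return hours / HOURS_PER_YEAR


def human_time(hours: float) -> str:
    """Render a duration in the largest unit that keeps the number readable."""
    if hours < 1:
        return f"{hours * 60:.1f} minutes"
    if hours < 24 * 30:
        return f"{hours:,.1f} hours"
    return f"{hours_to_years(hours):,.1f} years"


def compare_formats(width: int, length: int) -> dict:
    """Same password, two formats: only the search-speed factor changes."""
    return {name: hours_to_exhaust(width, length, rate) for name, rate in ASSUMED_RATES.items()}


if __name__ == "__main__":
    for length in (1, 2, 5, 9):
        print(f"{length} lowercase chars: {keyspace(26, length):,} variants, "
              f"{entropy_bits(26, length):.1f} bits")
    for length in (6, 8, 9):
        times = compare_formats(WIDTHS["letters+digits"], length)
        print(f"{length} chars over 62 symbols: zip {human_time(times['zip'])}, "
              f"winrar {human_time(times['winrar'])}")
    print("1 hour of ZIP search becomes", human_time(1.0 * 100_000), "for WinRAR")
```

Running it reproduces the post's figures for lowercase passwords (26, 676 and about 11.9 million variants for 1, 2 and 5 characters) and its ZIP-versus-WinRAR comparison (one hour scaled by 100,000 is about 11.4 years); the assumed absolute rates only move both columns together.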

Or maybe Dan Brown was right? Maybe the secret services, having mobilized all their resources, all the supercomputers in the world, have become able to break your sacred password? Besides, progress in the computer industry advances with seven-league strides, computing power grows fast, and if not now, then in some time that will become a reality? No, it is practically impossible to break a good password with exhaustive search.

Here's a digression about physics and mathematics, almost without formulas and absolutely not terrifying. There is a very amusing and unexpected argument that limits the possibility of breaking a sufficiently long password by exhaustive search. Suppose the super-mega-computer of the future has been created. It is perfect; its computing power is incredible. Will it be able to break a long password by exhaustively searching all variants? It turns out that it won't. Technical progress has not been cancelled, and it is very likely that the computers of the future will perform much faster than the ones we have these days. But even those computers are subject to the laws of physics. And what those laws say is that changing the state of any system inevitably requires energy. When searching passwords, the state of the system changes with each new variant. Even if we take the absolutely smallest possible change, it turns out that, for example, searching for a 28-character password will require more energy than the sun has produced in its entire existence. Certainly, this argument holds only if the exhaustive search of all variants is the only way to break the password.

So, if you are confident in the reliability of the software and have protected yourself (as far as that can be done) from spyware and other channels of password theft, then to protect yourself from dictionary search and exhaustive search you need to pick as your password a sequence of characters that is not a word (or a variation of a word: a misspelled word, a word with digits, etc.). Besides that, the password should be sufficiently long, and it is very desirable to include symbols in it, not only letters and numbers. Different demands will be made of the password depending on what it is going to be used for; you can use the Password Calculator to estimate the time required for breaking it. And the most important thing is that you must be able to memorize the password without writing it down.

There is an easy way to make up passwords that are easily remembered and yet strong enough. Take some phrase as the base; that can be a line from a song, a quote, a saying, whatever. The point is that you need to be able to remember it; that will be the base for your password. In the next step, take, for example, 1-3 letters from each word of the phrase (depending on the length of the phrase) and form the password from them. As a result, you will have a long enough set of characters, which is nevertheless easy to remember and reconstruct. For example, would it be easy for you to remember the password alroletoro? Now, how about remembering it written this way: "All roads lead to Rome"?

To fortify the password even further, you can separate the letters with a character and/or make up a rule for alternating uppercase and lowercase characters. Unfortunately, this method can't be considered absolutely reliable: if the attacker knows that you use it, he can take advantage of that knowledge and search common phrases. But it is still much better than the traditional passwords used by regular people.
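The phrase method, with the two fortifications just mentioned, as an added example (not LastBit's code): the letters-per-word count, separator and case rule are parameters, the defaults and the character-class summary are my own additions, and "All roads lead to Rome" with two letters per word gives the post's alroletoro.

```python
"""Derive a password from a memorable phrase, the method the post describes.

Added example, not LastBit's code. The options (letters per word, separator,
case alternation) correspond to the rules the post suggests; the defaults and the
character-class summary are my own additions.
"""
import re
import string


def phrase_to_password(phrase: str, letters_per_word: int = 2,
                       separator: str = "", alternate_case: bool = False) -> str:
    """Take the first `letters_per_word` letters of each word and join them.

    With alternate_case=True every second word's fragment is uppercased, and
    `separator` is placed between fragments: the two fortifications from the post.
    """
    if letters_per_word < 1:
        raise ValueError("letters_per_word must be at least 1")
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    if not words:
        raise ValueError("phrase contains no words")
    fragments = []
    for index, word in enumerate(words):
        fragment = word[:letters_per_word].lower()
        if alternate_case and index % 2 == 1:
            fragment = fragment.upper()
        fragments.append(fragment)
    return separator.join(fragments)


def character_classes(password: str) -> set:
    """Which of the calculator's 'width' classes the password actually uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("digits")
        else:
            classes.add("symbols")
    return classes


if __name__ == "__main__":
    phrase = "All roads lead to Rome"
    for kwargs in ({}, {"letters_per_word": 3},
                   {"separator": "-", "alternate_case": True}):
        pw = phrase_to_password(phrase, **kwargs)
        print(f"{pw!r:20} classes={sorted(character_classes(pw))}")
```

The caveat from the post applies unchanged: the derived password is only as unpredictable as the phrase and the rule, so a well-known quotation with the default rule buys length but not much else. The separator and case rule widen the character set, which is what the calculator's "width" factor rewards.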

Yet another common mistake is that many people have one, two or three favorite passwords that they use in all areas of their lives. Here trouble can lie in wait for them. For example, when entering a password at some Web resource, you actually give it to the owner of the resource. In the majority of cases, you don't know who that person is, how careful he is about storing passwords, and how password management is organized at all. The most obvious and frequently used way (although it is not secure) is storing logins and passwords in the database in plain text (if a Web resource offers recovery of a forgotten password and simply prompts for your e-mail and sends the forgotten password to it, that is exactly the case). Your password then becomes available to at least the owner of the Web resource, his employees, and the employees of the hosting company. Besides that, the owner of the Web resource can simply sell it (certainly along with users' private data, including, in particular, your password), and you have no guarantee that your password doesn't end up in someone's dirty hands. When the right approach is used, it is not the users' actual passwords that are stored but some derivative of them (a hash), which allows the validity of an entered password to be checked but does not allow the password itself to be recovered.
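The two storage approaches side by side, as an added example that is not any site's code: the plain-text store can implement the "send me my password" feature precisely because it holds the password, while the hashed store can only verify. It uses PBKDF2-HMAC-SHA256 from Python's hashlib with a random per-user salt; the salt and the iteration count are my additions, not something the post specifies.

```python
"""Plain-text password storage (the weak practice from the post) beside hashed storage.

Added example, not any site's code. The hashed variant uses PBKDF2-HMAC-SHA256
from Python's hashlib with a random per-user salt; the iteration count is an
assumption chosen for illustration, not a figure from the post.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor
SALT_BYTES = 16


class PlaintextStore:
    """Stores the password itself: whoever reads the table reads every password."""

    def __init__(self):
        self._rows = {}

    def register(self, user: str, password: str) -> None:
        self._rows[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self._rows.get(user) == password

    def forgotten_password(self, user: str) -> str:
        # The "we'll e-mail you your password" feature only works because the
        # password is stored in the open; its presence is the tell-tale sign.
        return self._rows[user]


class HashedStore:
    """Stores a salted derivative that can be checked but not reversed."""

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)      # unique per user, so equal passwords differ
        self._rows[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        row = self._rows.get(user)
        if row is None:
            # Do the same work for unknown users so response time does not
            # reveal whether an account exists.
            self._derive(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = row
        return hmac.compare_digest(self._derive(password, salt), digest)

    def stored_record(self, user: str) -> tuple:
        """What a database leak would expose: salt and digest, no password."""
        return self._rows[user]

    def forgotten_password(self, user: str) -> None:
        # Cannot be implemented: the only honest option is a reset, not recovery.
        raise NotImplementedError("hashed storage cannot return the password")


if __name__ == "__main__":
    weak, strong = PlaintextStore(), HashedStore()
    for store in (weak, strong):
        store.register("alice", "alroletoro")
    print("plain-text leak shows:", weak.forgotten_password("alice"))
    salt, digest = strong.stored_record("alice")
    print("hashed leak shows:", salt.hex(), digest.hex())
    print("login with right password:", strong.verify("alice", "alroletoro"))
    print("login with wrong password:", strong.verify("alice", "alroletorO"))
```

The salt is what keeps two users with the same password from producing the same record, and the deliberately slow derivation is what keeps a leaked table from being cheap to search offline; a site that can e-mail you your old password has done neither.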

This problem is very real today. Besides Web resources, using the same password is undesirable for protecting documents. For example, you might use the same password to protect Word documents, some of which are stored in the old format (Word 2003) and others in the new one. Since password protection in the old format is much weaker than in Word 2007, one can recover the password from an old document and then open a new document with it, even though the same password, applied to the new document, could be sufficiently reliable.

There is only one way out: use different passwords for different resources. Unfortunately, it is difficult to make up a new password for each Web resource. A truly reliable way out of this trap is a password manager; for example, Aurora Password Manager provides a convenient plugin that generates reliable passwords and then automatically enters the right password into the authentication form. You will have to remember just one master password that protects the password database.

You can also use a rule for forming passwords. For example, to set a password for a Web resource you could take the first and last letters of the domain name and add your favorite password to them. Strictly speaking, this method is not secure (especially if the rule is obvious enough), but it is still much better than repeating the same password everywhere.

In conclusion, here are a few links to helpful resources:

www.LastBit.com/pswcalc.asp - Password Calculator for estimating the time needed to break a password by exhaustive search, depending on specific parameters

www.PasswordTools.com - Password Recovery Software for all popular applications.

www.Animabilis.com - convenient multi-user password manager.

Wednesday, July 29, 2009

Be Aware, Hollywood Steals Copyrights!

Hello,
My name is Vitas Ramanchauskas. I have been a computer programmer since 1988. In 1997 I opened my personal Web site ( webdon.com ). In early 1998 I launched my first shareware program. In late 1999 I changed the site name to LastBit.com . Now LastBit Software is a division of Last Bit Corp.

This story began in 2003, 6 years after I'd written my first program PwlTool*. This program could be used to reveal cached passwords in the Windows 95 operating system and was later improved into another popular recovery tool, Secret Explorer. As PwlTool wasn't a commercial program, some time passed and I discontinued updates of the webpage where its source had resided since 1998 and, as is often the case, completely forgot about it.

In 2003, when six years had elapsed since I wrote PwlView, C-2 Pictures, the Santa Monica-based filmed entertainment company, released the long-awaited sequel to the blockbusters The Terminator and Terminator II, which was called Terminator 3: The Rise of the Machines. Terminator 3 was quite a success and, as every movie in the series, it got its fans. Quite many fans, I suppose. C-2 Pictures launched the www.terminator3.com website for them. Now this site seems to be discontinued; you can use the web.Archive.org service to see its past contents: http://web.archive.org/web/20060424075449/http://www.terminator3.com/. Note the "TM and (c) 2002 C2 and its related entities. All rights reserved" line at the bottom of the main page. Besides tickets, DVDs and other related stuff, this site had some Terminator-themed wallpapers. Look, for example, at this one:
http://www.terminator3.com/content/desktop_downloads/desktop_lg/t3_desktop_a01_1280.jpg (http://web.archive.org/web/20051109094600/http://www.terminator3.com/content/desktop_downloads/desktop_lg/t3_desktop_a01_1280.jpg)
This wallpaper is in fact a shot from the movie itself, with the code of PwlView clearly visible on the right side of the picture. Just have a look.
When I first saw this, I had immense fun. "Wow! The Terminator uses my software to crack passwords!". Then I examined the picture closely, enjoying the look of the code which I wrote years ago.
But looking at this code thoroughly again, I couldn't find my copyright notice (which was present in the code located at webdon.com). It's missing, though I'm the author of this software. That's why I was a little bit upset.
I was failing to understand... WHY THE HELL?! The world is swarming with crackers, carders and other criminals who don't care a dime about (c)'s and (R)'s. That is small wonder. But why the hell does a multimillion movie production company go this way? The Terminator 3 movie yielded quite a handsome profit. I was not going to ask for a single cent of it. Nor would I have been, had they asked me for my permission to include this piece of code in the wallpaper. If these timid guys really felt so embarrassed by such an intimate question, they could have just left the copyright notice intact. They didn't.
Instead, they placed their own copyright. Besides this, they falsely claimed that all rights were reserved. But my rights weren't. I don't think it's the right way to do business for a company that, I believe, is held in high respect. I don't like my code being stolen and misappropriated. And I don't like anyone, no matter whether it is a teenage cracker or C-2 Pictures, who ignores the laws that protect intellectual property.
Then one lawyer offered me his help and tried to contact C-2 Pictures, but they seemed to be absolutely irresponsible.
Justice didn’t prevail.
One more question that was left without an answer is why this lawyer recommended that I not spread information about this copyright case.

* This program, along with its source code, can still be downloaded from http://www.webdon.com/VITAS/PSWAPI.HTM. You can use the www.archive.org internet archive to make sure that this webpage existed in 1999 (and in fact it was there even in 1997, though the last version that can be found in the archive dates from 1999). You can follow this link if you want to have a look at it:
http://web.archive.org/web/19991012014535/webdon.com/vitas/pswapi.htm

Hello world!

This blog is all about passwords: password recovery, password management, computer security and so forth. Our main site is www.LastBit.com . We got online in 1997 (as webdon.com) — in the middle of the Internet's Golden Age. We offer password recovery solutions for all the most popular document types, such as Microsoft Office. Welcome!