I know you all have probably already seen this, but it is worth sharing again to increase the volume. The more I learn about our current state of environmental concern from actual scientists, not political activists, corporate lobbyists, or emotional citizenry, the more I realize that we really need to move to renewable power. And there is one new technology that really stands out as a very real game changer...
Size matters. This is more true now than it has ever been, and we as IT professionals need to start preaching this new mantra to our users if we want to keep passwords from being the weakest link in our security chain.
Everything we've known as true about password security really needs to be revisited based on current technology, trends in password cracking, and a better understanding of social engineering and human psychology in general.
For years we have been told that the more complex the password, the more secure it was. We enforced this methodology on our poor users because we "knew" what was best to protect our precious network and its data. But then we turned around and complained almost daily about some user who wrote his or her password down so as not to forget it and have to "bother" IT once again.
It has become a standing joke, yet we continue to do nothing to fix the problem. We just laugh and repeat ourselves about the sanctity of the password and continue on our merry way, oblivious to the truth that the user really doesn't care about our beliefs, and as soon as we walk away they retrieve the sticky note with their password from the garbage can and put it in their top drawer, which is an improvement at least from having it on the monitor.
Only a few short decades ago, we were taught that "P@ssW0rd" was more secure than "password" and that we should always use at least three of the four secure methods in our passwords: lowercase, uppercase, digits, and special symbols. Then we changed it to insisting that all four be used in a password to "guarantee" that it was secure. That hasn't really changed since, but it is time it does.
Back then computers simply weren't strong enough to run through all the possibilities, and we sat complacent that no computer would be able to run all 895 combinations in a timely manner, and, for the most part, that was true. That was where most of our "password security training" ended — why would we need to know any more than that? Why would we need to know that Windows 95’s password hashing was essentially nonexistent, until it was fixed in the second release? Or that LANMAN truncates all password hashes to fourteen characters, case insensitive, and doesn't salt the hash?
Thankfully, NTLM is far more secure — salts its hashes, and has removed all the shortcomings of LM. So, we’re safe now, right? Let me ask you this, have you turned off LM on your servers that are 2003 and earlier? No? Then hopefully all your passwords are at least 15 characters long, because that’s the only way to ensure that only the NTLM hash is being saved.
Let’s return to the issue of computing strength. As was mentioned, a few decades ago PCs simply weren't robust enough to handle cracking of passwords that required brute force attacks. However, processors have grown in power, yet we haven’t really revisited the strength of those old eight character passwords that we've been relying on all these years. So let’s do that.
Almost three years ago, the British website Lockdown.co.uk posted the stats for how long it would take to hack various passwords based on both complexity and length. And for the most part it should impart to the reader that length is indeed far more important than complexity. It’s fairly obvious as one reads down the tables that the longer the password is the longer it takes to crack. However, that table is reflecting computing power and capabilities from three years ago.
Now, consider this information from the Georgia Tech Research Institute that explains that GPUs are now capable of cracking passwords in minutes that used to take days. This gets scarier still. Consider that the goal for the cracker is to find a valid password in a reasonable amount of time, which for the cracker could be a day or two, or even longer if there is profit and/or fame to be had. Obviously, the cracker is going to want to use the power of GPUs to get these faster turnaround times, so just how fast can they go given a reasonable amount of money and/or equipment? How does 33.1 billion passwords per second sound? That was achieved at the end of 2010, and if that cracker has the money available, they can even hire a cloud service that delivers up to four teraflops of single-precision peak performance and 515 gigaflops of double-precision performance using GPU computing power. By now this should have you seriously considering the minimum lengths of your passwords.
The first part of the cracker’s strategy is the software at his or her disposal. The software is focusing more and more on exploiting the power of the GPU, and these programs are surpassing the CPU based cracking tools that we are most familiar with.
As this blog post points out, GPU cracking tools are now shortening cracking times down to minutes, and those tools are just going to get more efficient as time goes on. So what are we to do? Obviously make passwords longer, right? But what about our users? If they wrote passwords down before, they are definitely going to do that if the passwords are long.
Again, that isn't necessarily true if we take the proper approach — more on that in a bit. The second part of the cracker’s strategy is the requirement that they actually have access to our network. This means they need to gain access via a compromised computer or directly to the network by getting their own computer connected to it. So, since the password is securely stored via NTLM hash on our Windows server, or any of the various UNIX-based hashes on a UNIX box, that shouldn't be a problem, right? Perhaps, but are you positive that all your services — specifically web services — are secure and that there are no unpatched exploits? If so, the answer is better than "perhaps," but what about your weakest link?
Since services were just mentioned, we would do well to ensure that the passwords that we use for our services are also following the methods presented here. Remember that services typically have just as many rights as the admin, and in some cases, more. Because services passwords are rarely used once entered, consider making them as long and complex as possible. This would be especially true for Internet-facing services.
The final piece to our security is also the one that we have very little control over — the humans. It doesn’t matter if they are an end user, a company executive, or even a member of the IT staff. We are all fallible. This is where the cracker strikes next or, more often than not, first.
Social engineering is of very real and serious importance to most crackers. It often requires the least amount of effort and resources and can provide the best access to the resources they are trying to steal. A simple call to a middle manager mentioning an executive’s name (both of whose identities were discovered via a business card raffle at the local deli) can be used to get software installed. Or, by putting on a contractor’s shirt, one can gain access to a business to hunt for displayed passwords and user names, or even worse, install software on users’ computers or bring in a mobile device to gain access. Even getting hired on as a night janitor can net the cracker all the information and access he or she needs, and often this also gives them access without the watchful eyes of the employees. More subtle approaches come in the form of routine sales and marketing calls or surveys — we seem almost eager to give perfect strangers all sorts of information that could be used to guess our passwords. That is if we use standard methods of determining our passwords. Thankfully, we can take some rather simple steps to deal with these issues.
Talk to your users
Explain the things mentioned above and what to watch for. Make sure that you — the IT professional — are not viewed as the enemy but rather as an important asset to the company that serves the user as a resource and as a helpful watchdog to the data that keeps the company running — and thus keeps the user employed.
Train users on how to make a secure password from their perspective
Very few users, if any, are going to comply with your wish to make their passwords filled with symbols and numbers because they are going to do the very thing you tell them not to do, which is write it down. As we saw above, a long password, or passphrase — the term we really should start using — is far superior to a short complex one.
Empower your users to create long passphrases
Why not tell them to use a sentence for their passphrase? Compare the following: "Wl12$zP39_Ix" and "This 1 password gets me to my lions, tigers, and bears!" Both have all the complexity elements, but the first is 12 characters that are so complex that even writing it down may not make it obvious, and the second is 55 characters long and is easy to remember for several reasons.
Pad the passphrase
Take it a step further and explain how the strategy should be something personal to the user that they come up with, and mention "padding" passphrases, which might be even easier than sentences. Padding simply means adding characters to the password. This can be as simple as adding the last four digits of the social security number to the end of the password or taking their address and putting half at the beginning and half at the end of the password. This strategy allows your users to keep using their completely insecure passwords that can be found in milliseconds with a dictionary attack and turn them into passwords that will require a brute force attack, and considerable time. For example, "22 Main-password-Street." Note the space between the numbers and name and that it is 23 characters long. We don’t want the passwords to be written down, so don’t force your users to rely on their memory for a password that means nothing to them — it won’t happen.
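To put numbers on the comparison above (the brute-force arithmetic behind the cracking tables and the 33.1 billion guesses per second figure, applied to the post's own 12-character and 55-character examples, plus the 15-character LM cutoff as a length-first policy), here is an added example; it is not code from the original post. It assumes a standard 95-character US keyboard alphabet and an attacker who brute-forces exhaustively over the character classes a password is known to use.

```python
"""Keyspace arithmetic behind "length beats complexity".

Added example, not from the original post. Assumptions (mine, not the
post's): the attacker knows which character classes a password uses and
brute-forces that alphabet exhaustively; the guess rate is the
33.1 billion/second figure quoted in the post; the alphabet sizes are
those of a US keyboard (26 + 26 + 10 + 33 printable symbols incl. space = 95).
"""
import math
import string

GUESSES_PER_SECOND = 33.1e9             # rate quoted in the post (GPU rig, late 2010)
SECONDS_PER_YEAR = 365.25 * 24 * 3600
LM_SAFE_LENGTH = 15                     # no LM hash is stored at or above this length

CLASSES = {
    "lower": frozenset(string.ascii_lowercase),          # 26
    "upper": frozenset(string.ascii_uppercase),          # 26
    "digit": frozenset(string.digits),                   # 10
    "symbol": frozenset(string.punctuation + " "),       # 32 + space = 33
}


def classes_used(pw: str) -> set:
    """Names of the character classes that appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def alphabet_size(pw: str) -> int:
    """Size of the alphabet a brute-forcer must cover once the classes are known."""
    return sum(len(CLASSES[name]) for name in classes_used(pw))


def keyspace(pw: str) -> int:
    """Number of candidates of the same length drawn from the same alphabet."""
    return alphabet_size(pw) ** len(pw)


def years_to_exhaust(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(pw) / rate / SECONDS_PER_YEAR


def meets_length_policy(pw: str, min_len: int = LM_SAFE_LENGTH) -> bool:
    """Length-first policy from the post: long enough that only the NT hash is kept."""
    return len(pw) >= min_len


def report(pw: str) -> dict:
    """Summary a helpdesk could show a user: what the arithmetic says about pw."""
    return {
        "length": len(pw),
        "classes": sorted(classes_used(pw)),
        "alphabet": alphabet_size(pw),
        "log10_keyspace": round(math.log10(keyspace(pw)), 1),
        "years_to_exhaust": years_to_exhaust(pw),
        "lm_hash_avoided": meets_length_policy(pw),
    }


if __name__ == "__main__":
    samples = [
        "password",                                                 # dictionary word
        "Wl12$zP39_Ix",                                             # post's complex 12-char
        "This 1 password gets me to my lions, tigers, and bears!",  # post's 55-char sentence
    ]
    for pw in samples:
        r = report(pw)
        print(f"{pw!r}: len={r['length']} alphabet={r['alphabet']} "
              f"10^{r['log10_keyspace']} candidates, "
              f"{r['years_to_exhaust']:.3g} years at {GUESSES_PER_SECOND:.3g}/s, "
              f"LM hash avoided: {r['lm_hash_avoided']}")
```

The "password" line is the brute-force bound only; a wordlist attack finds it far sooner, which is why the post pairs length with padding or a sentence rather than a single dictionary word.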
If your users aren't sure about their password, have them visit this site and try it out, but explain to them that this is not a "password strength meter" as the text on the page points out.
Don’t be too hard on users
Finally, remember that your users are just that — users. Few of them care about the intricacies of the things that happen behind the IT curtain, and they really only want to get their job done with as few complications as possible. So, make all this security stuff fun for them and remove some of the insane constraints we put on them, and they’ll be much more willing to comply with your policies — and not be the weakest link in your security.
If you need more proof weak passwords are still subverting IT security, see this post in the Spiceworks Community: http://community.spiceworks.com/topic/218528-weak-passwords-still-subvert-it-security. How do you work with users to ensure they’re using strong passwords or passphrases?
So, how long has it been? Close to 20 years. Yeah, about 20 years ago, I learned that taking notes is the same thing as telling yourself, "I'll learn it later." Of course that is an oversimplification. You should still take notes on what is absolutely-essential-to-remember facts such as dates, names, etc. that you might forget in the long term. This was something I actually learned when taking a memory course, so I put a fair amount of stock in it. The memory course itself was fantastic and I still use many of the tricks I learned from it in my daily life.
Fast forward about 4 years and I found myself passing this, now proven, method along to my students--I had been using what I learned in the memory course for years, and it had proved completely accurate in my own learning processes. Many students ignored my insistence, of course, and proclaimed themselves too old, or whatever. But I continued my insistence that it worked. In fact, I used the tricks I had learned in the memory course to remember all the names of the students in the class after only a couple minutes of introduction from each of them. Yet, many still didn't trust my advice and said I had a photographic memory, or whatever. Trust me, no photographic memory here.
Now jump forward to this article (http://io9.com/students-do-better-on-tests-when-they-take-notes-by-han-1571328675) that was shared with me on G+ today, and you can see yet another correlation--pay attention to what is being said, and don't waste your time on trying to take notes and you'll do better. Again, a bit of hyperbole there, you still have to take some notes, but the key is to actually pay attention to the lecture, not to the act of taking notes because again, you are subconsciously telling yourself, "I don't want to learn this now, I'll learn later," but later is too late because you've lost much of the context of what was said.
One of my favorite pastimes is playing a game you may have heard of called Minecraft. Shortly after it was released to the public for purchase, my son brought it to my attention, and he asked me if I could buy it for him because it was going to be “the next big thing” in games. At first, I was really apprehensive because it was in its early alpha stage and was being sold by this one guy, Markus Persson, and I just had mixed feelings about it. But I had learned to trust my son's opinion on computer and console games, so I delved deeper and checked it out. What I saw was amazing.
There were people creating all manner of crazy builds. Huge builds composed of tens of thousands of blocks, and the game had some really fascinating elements in the UI that made the collecting and using of items almost effortless. The best explanation I could give would have to be Lego taken to a much higher level. Needless to say, I took the plunge and not only bought a copy of the game for my son, but also for myself.
Over the following months I played it off and on, and explored various aspects of what could be done with it, and as I played, new updates to the game continued to be released at an incredible rate. With each new release there were more types of blocks and more things that could be done within the world. Then I noticed a trend starting on YouTube. More and more people were posting their experiences with the game, and it was being embraced by the community as a way to learn more about the game and what could be done with it. All sorts of brilliant creations were starting to be showcased. Then came the inclusion of "electricity" in the form of what is called redstone. This meant that you could potentially build machines in the game, and this spurred a whole new level of interest for me. So much so, that I jumped into the YouTube community as well, and started posting my own creations.
Right around this same time, or maybe a little after, programmers from all around the globe started discussing the possibility of modifying the game to allow additional functionality and items. The enthusiasm from the development community was incredible and in very short order the ability to mod Minecraft became a reality and with it, huge possibilities for the game itself.
At first, I was committed to playing the game as designed—vanilla is the term that is used—but as time went by and I saw more and more incredibly designed mods that allowed for even more possibilities in the game, I decided to join the modded Minecraft gamers. Now I find myself getting bored with vanilla Minecraft, but I'm very pleased to see that Mojang, the company that now owns and develops the game, is embracing the modding community and even including some of the more popular mods directly into the game, while at the same time opening the game to allow modders to more easily create mods. These days, I use Feed The Beast for my modded Minecraft experience because it is so easy to set up and run, as well as keep updated.
I still don't have as much time as I would like to be able to play it more frequently, but it is always fun to fire it up and punch some trees. And now that I understand how Minecraft servers work and have seen how much more fun it is to play with others, I’ve set up a Minecraft server at home for my son and me to play on.
If you enjoyed Lego as a kid, you should definitely give Minecraft a try. I think you’ll have lots of fun. Oh, and there are two rules that you need to live by: never ever, under any circumstances dig straight down, and as much as you would like to, don’t hug creepers.
I have been driving for just shy of twenty-eight years, and I am seeing a horrible trend among California drivers—the utter lack of understanding in simple physics, and a complete disregard of appropriate social behavior. I am sure that anyone reading this post will likely be nodding his or her head and agreeing with what I have to say, but how many readers will actually take these words to heart, or pass them on to others? I suspect these words will be easily forgotten as soon as said readers get behind the wheel. I will start by saying that the vast majority of the problems I see today are most likely the result of a couple factors—lack of driver’s education in schools, and an ever increasing population. There is one more factor, but I hesitate to put it at the top of the list of causes simply because I want to believe that the problem is not widespread—new residents to the state.
First and foremost, I believe that ever since driver’s education was reduced to elective course status and the number of online schools and training courses has risen, fewer and fewer students are getting a proper education in driving. More and more this responsibility is falling on the heads of parents who are working sixty hours a week, stressed out, and impatient. In fact, this responsibility is often being shifted to older siblings who have already earned their license, and whom the parents feel should be able to teach their younger siblings to drive. This situation results in a complete decline in the amount of education that new drivers receive. Now combine that with the finite amount of information found in online driver’s ed courses and test prep materials, and we have a situation where new drivers are barely learning anything beyond the essentials. Now advance forward four years and these uneducated drivers are commuting to work and college. Combine that with late-night gaming sessions, parties, or just working late, and we have an accident waiting to happen. Each morning I see someone speeding through traffic because they did not give themselves enough time to drive to their destination in the morning. And that takes us to the lack of understanding physics. There are very simple laws of physics that dictate total travel time from point A to point B. You can drive like a bat out of hell for fifteen miles on the freeway, but as soon as you exit you will have to stop at every light along with everyone else, unless of course you want to break those laws as well. So, that time “saved” breaking the speed limit—lost. Sure, one might have saved oneself a minute’s time, but what else did one lose? What about the wear and tear on the car? The stress caused to both mind and body worrying about getting caught or getting in an accident? Was that one minute of time really worth it?
Is one so self-absorbed that he or she is willing to tell the rest of society to go to hell just because he or she is unable to wake up at an appropriate time to commute to one’s destination at the posted speed limit?
That brings up the second issue I raised—disregarding acceptable social behavior. I realize that there are psychological factors at work when one is encased in a steel shell and only in the presence of another for a few seconds, but that does not excuse the behavior that more and more drivers are exhibiting. I can completely accept erratic driving and speeding if one has a life-threatening issue, but if one’s behavior is due to a lack of preparation, that individual has no right to act the way he or she does. If one were to walk through a crowd the same way one drives, how long would it take before someone “corrected” that behavior either verbally or physically? And again, what is being gained by driving this way?
If you find yourself falling into the rushing trap, try this little test one day to see just how much time you are really saving yourself: record the time you pull away from the curb and your arrival time at your destination. Drive like you usually do to beat the clock. The next day, go to bed at a reasonable hour and wake up early enough to get out the door with plenty of time to get to your destination. I recommend Google Maps or Google Now for determining how long the trip will take. Drive to your destination going the speed limit and not a mile faster, feel free to stay in the slow lane. Make sure to record departure and arrival time. How much time was saved between the two? Depending on distance traveled it will likely be a few minutes at most. More importantly how do you feel both mentally and physically? I am betting you will be much more relaxed and happier in the second instance.
And before you accuse me of pointing fingers, I will say that I have been guilty of driving this way as well. We all have. It happens. Hopefully, it never resulted in an accident. Also, I have done the test I mentioned and mine was on an enormous scale. I used to commute almost 200 miles to school each week, and I tested the difference between driving like a madman and driving the speed limit. Do you want to hazard a guess as to the time differential? I saved a whopping ten minutes. Yes, ten whole minutes. And the difference physically and mentally was astounding. So tomorrow when you leave the house, do me a favor and take it easy and don’t let the sound of your own wheels drive you crazy.
"Dungeons and Dragons," "Champions," and "GURPS" are the titles of three of the most popular role-playing games, yet most non-gamers have never heard of them. If they have heard of any of them, "Dungeons and Dragons" is likely to be the one they recognize, but not for its positive aspects. "Dungeons and Dragons," or more popularly, D&D, is considered the epitome of the role-playing game, or RPG. Many non-gamers equate it with a group of stereotypical nerds or geeks sitting around a table eating pizza, rolling dice, and playing make-believe, and to a great extent, they are correct. After all, stereotypes are based on common perceptions. What the non-gamer misses, however, are the many benefits that RPGs provide. As an avid role-playing enthusiast, or simply, a "gamer," since the age of ten, I have benefited greatly from RPGs, and now at the age of forty, I look back on my gaming experiences and realize the role that they have played in my life from an educational perspective. Playing RPGs improved my literacy skills, strengthened my creativity, and gave me strong analytical
"Verisimilitude," "maladroit," "perquisite"—all words that I learned and knew the definition of by the age of eleven. The single most important aspect of role-playing games is the ability to read, comprehend, and recall information, and to use that information to communicate with the other players. Much like the popular games "Monopoly," "Life," and "Clue" that we all played as children, RPGs have rules that control the game and determine outcomes, but these rules tend to be written in books that are at least thirty-two pages long, much larger than the couple of pages of a typical board game. Because the rule books are also typically written by well-educated individuals for adult audiences, as a young boy, I found myself stumbling over the words and having to look them up. I wanted to because it was not school work, it was a game. The rule books spoke of fantastic ideas, places, and creatures that compelled me to find the original sources—the literature that inspired the games. I found myself consuming books such as King Kong, The Lord of the Rings, and I, Robot, not as school assignments, but as background material for the RPGs that I played. My friends were doing the same, and when we got together to play RPGs, we each brought new words to the table. I was learning words in the RPG books that I read that were years ahead of my fellow classmates. Many of these words were showing up in the purchased adventures, or modules, that we used for
Many RPGs that were published in the late 70s and 80s had adventures that gamers could buy, which one player, the game master, or GM, would read and then use as a story to lead the other players through. The GM would present the setting, describing the area that the players’ characters, or PCs, would be adventuring in, and the players would then use that information to make decisions about what they wanted their characters to do. This typically involved overcoming an obstacle, righting a wrong, or discovering a secret. In other words, the players were pretending that they were mythical heroes, and their characters provided the abilities that their heroes had via the mechanics of the game. The restrictions placed on the PCs meant that the players could not simply say they overcame a given obstacle. The player would have to use only the abilities that their character had, much like real life in the sense that no one can do everything and we have to find solutions to problems using our own experiences and abilities. This led the players to come up with surprisingly creative ways to overcome the problems that the GM presented. Eventually, I outgrew the published adventures and found myself creating my own scenarios. I used what I had learned in those adventures and the various novels I read to create my own unique worlds and puzzles for the players to solve.
The puzzles and obstacles in RPGs are where a great deal of analytical thinking is done. Players and GMs alike have to use analytical thinking in RPGs to solve problems or create sophisticated obstacles, respectively. Although it is the same thought process that a writer goes through when creating a story, in the case of an RPG, the writer has no idea what his protagonists will do in a given situation, and more often than not, they do something the GM never thought of. At the same time, the players are the readers of the novel, not knowing where the story is going, or what the characters are thinking, and their control of the story lies only in their ability to influence events from their perspective alone. This, in turn, requires the GM to be able to think through the series of causes and effects at a moment's notice to keep the story moving, and to fit the players’ actions into the story. Another way of understanding the concepts would be to look at an RPG as a group of actors performing improvisational theater with a set of guidelines that control their behavior with random elements being presented by
By now, it should be apparent to the reader that role-playing games improve literacy skills through reading and communicating with fellow players, boost creativity by exercising the imagination of the players, and strengthen analytical skills through the creation and solving of complex problems. I have played many RPGs over the years, in a number of genres and settings, and I am continually impressed with the general intelligence level of gamers in general. When I step back and look at my own educational experience, I see many times that role playing was used in the classroom—without it being a game—such as when I had to present reports on Alexander the Great and Thomas Edison, and I dressed up like the characters and presented their biographies as if I were those people. It is no surprise then that RPGs themselves are starting to find their way into the classroom, and some teachers are even sponsoring RPG clubs at their schools.
After being in the IT field for several years, I found that having a centralized repository of other IT professionals that I could turn to for advice, recommendations, and help was nigh impossible to find. Information is scattered far and wide, and a great deal of it is either erroneous or misleading, so finding an answer outside of Microsoft Technet is a complete crap-shoot. Of course, finding answers on Technet can be just as difficult sometimes.
Jump forward many years, and I hear about this company called Spiceworks that produced a completely free network inventory and helpdesk solution called Spiceworks.
Over the years their forums have grown steadily and at over a million users worldwide, it is the source of some incredible information--vendor recommendations, troubleshooting tips, how-tos, and even some water-cooler discussions. In fact, they have grown so large that they now host an annual SpiceWorlds conference in Austin, Texas. So, if you are in IT, and you haven't heard of Spiceworks, do yourself a favor and check them out. Even if you don't use their software, it is a great resource for IT professionals.