It has been a while since I have posted anything. And now, I will post about a topic very near to my heart and certainly an area I know a great deal about, more so than I believe anyone the Australian Government is seeking “guidance” from with regards to the retention of metadata.
First things first, metadata is descriptive data. Databases and spreadsheets all contain forms of metadata from the schema (layout) of the tables and fields, columns and rows to people who wrote it, the time editing and other data. Such data is used many times with indexing services, it is able to read some of this metadata and also search on this data.
This is just the tip of the iceberg, this document I am showing the properties of has this metadata attached (I will look into this data as well shortly) but any computer to computer communication requires metadata. Most of it harmless and of little importance but in reality it is a symptom of the Internet we setup for ourselves and now so heavily rely on that changing, at its core, the way networking hardware communicate together would surely cause an outage on such a scale, we would not be willing to do it.
That said, the issue is not so much that data is collected, each hardware will have logs of varying levels capturing the data which can, with little effort personally identify you. A number 220.127.116.11, is your address on the web. This address is allocated to you by your ISP and ISP has a log of which account was allocated this IP (Internet Protocol) Address. This address, that web sites also have is resolved through a DNS (Domain Name Server) which translates the name, http://www.websitename.com to 18.104.22.168 and it routes it around the web finding that address and once found the data is this returned to the address that asked for it, you.
All of this data, is kept, there are flagged sites that when ISPs detect you have gone to one of these flagged sites your details, date, time, IP address and so on are sent to authorities. But, normal use is merely logged. The laws in Australia force the ISPs and telecommunication companies to retain this data and provide it to one of the policing bodies like the AFP (Australia Federal Police) or any of the state counterparts, ASIO and ASIS (ASIO is international, ASIS is domestic) even bodies like the CCC (Corruption and Crime Commission). All of them can request without warrant this data from the various companies who collect it providing it forms part of a legitimate investigation. They don’t need to be looking for terrorists or potential jihadists, in fact the AFP has requested much of this data around government leaking of data because in Australia it is against the law to leak information even if considered in the best interesting of the people it is still illegal.
If they are getting access to this data now, why the bother? Well the law has made it easier to get. There is a judge who oversees granting approval (I am not sure if that is who it is or not) but they are appointed by the PM of the day and has now judicial oversight it is also now illegal to state if any permission to seek data was made if it was made or not. This is what should be ringing alarm bells everywhere, we have one person, who says “yes” or “no” as to whom can get the data which can personally identify you and where you have gone not to mention that don’t report to anyone they are not an independent or need to be, there doesn’t need to be bipartisanship with the government or opposition as it is just the Prime Minister who appoints them and any case they look into, it is against the law to even report about it.
This is an issue as massive one since we might be looking at merely the descriptive data of our activities on the internet but this can tell a lot about a person, and information in a political world is capital and a lot of it as well. So don’t be surprised if the laws are used for less than the predefined reasons such as policing and counter-terrorism.
How can one get away with hiding themselves on the internet? How can I stops anyone knowing where I have been? Well if you communicate through the internet it is a difficult one to hide your footprints. Using a TOR browser1 will help remove your source location when browsing the regular web. But one of the metadata elements that is collected is what browser you are using so they will now that using that browser will mean you are hiding details but since it will take more efforts to locate you it isn’t needed.
But this post isn’t about using TOR or other mechanisms to avoid detection as the only way to not have data on the internet collected is to stay off it. Using the technology of old will help, traditional letters, dead drops and location marking, meeting face to face. If you need to get information out and to other people find a way that doesn’t involve communication through media. Or use heavy traffic and generic areas, high traffic twitter posts as long as mentions were done, using aliased accounts internet cafes and cash will hide it (but understand using an internet cafe to access an account will compromise the account as often they have key loggers so they would be one use only.
We are heading backwards in terms of privacy in this country and which opposition is going to be strong enough to stand up for it when we have the fuel being tipped constantly on the fire of cafe sieges and regular people heading over to Syria and Iraq to fight for ISIL and anyone who stands up for their privacy is on the terrorists side. That I should be OK with prying eyes looking at where I have been as long as I have done nothing wrong, but I don’t like it when laws come in like this as all it takes is for someone with an agenda beyond that of terrorism like saving the kids from pornography and we have a brand new spying going on.
- TOR Browsers are used to get access to what is called the Deep Web. An area of the internet that is not indexed on your usual search engines like Google or Bing. The reason for this is they use a different protocol header, normal web uses http or https but the deep web uses often tor. Using these protocols tells the browser to go to certain routers on the web to find the data as the usual routers will not know where to redirect your traffic to.
It is a trend in life, you live in the modern era you will have a presence online, it seems a inevitable as the rising of the sun every morning there will be data, out there with information about you.
So in this growing online world the amount of information that exists grows as well. We start finding it easier and easier to share photos and updates to family and friends. Once we would send a yearly letter, with a current photo, now, log on to Twitter or Facebook and it is there, what we did this weekend, last weekend, and the hundreds of weekends before. This is good and it is also bad.
But this post isn’t about the benefits of social media nor is it about the pitfalls of having a presence online. It is about trying to make sure you data, remains as safe as possible and the first line of defence is the password.
There has been plenty of information about there about what the most common passwords are, but what I will do in this post is show ways to help manage the plethora or passwords that are out there without having one universal password, how you might be able to have the most complex passwords out there but there is only a need to really remember one of them, and if there is only one, then that one can be more complex.
Hackers use a couple of different techniques when hacking the main is a brute force attack. This is trying any account information they might be able to glean and trying all types of passwords. Now a crude brute force attack, uses a combination method. There are far more sophisticated versions available that use many different algorithms and heuristics to try and get passwords for accounts.
I want to show some examples of the amount of time it can take for a crude brute force attack. To put it simply when using just characters, upper and lower case and numbers (this is a minimum for most passwords), this gives, 62 different characters.
a-z, A-Z, 0-9
a-z, A-Z, 0-9, &, #, !, *, $, @
This simple table shows how the length affects how many possible combinations available. Now looking at the Oxford dictionary there are about 228,132 words. A brute force attack would and could cycle through a word in the dictionary very quickly. To see the inclusion of the additional characters at only 8 character passwords offers 238 trillion more possible passwords.
The amount of time it takes for a PC to try and iterate through 457.163 trillion passwords is:
This is a single threaded calculation, using multiple threads across multiple cores could increase this speed, same would be using the cores on a GPU, my home PC has 1000+ CUDA cores all could be used to calculate passwords. Though is more difficult than using a traditional processor.
So a quick explanation on how secure a password can or can’t be shows that the more characters one includes means that there are than many possibly combinations to check.
So, knowing that, what is one to do;
- Having multiple simple passwords across all the sites
This is the most common approach people use passwords are easy to remember but are also easy to crack.
- Having a Single Complex password across all sites
This is good, it makes cracking a password more difficult, but once they have it, they have it for potentially all sites. Especially since people use the same email address too.
- Use complex passwords that are connected to what is being used
This adds further complexity to the passwords but also makes it a little easier to remember them since you are at the site the password is being used.
- Multiple complex passwords mixing it is good
And difficult to remember, we are creatures of habit, when we enter our password many times we will remember it, if we don’t then we will for get it. Then you are going to have to go through a number of forgot password steps to get or reset the password until next time you forget the password
- Use a password vault.
This is the best solution, as many password vaults enable very complex passwords, store ALL your passwords in an encrypted file and it also means you only need to enter one main password to open the fault.
Above is ordered, in my opinion, from worst option 1, to best option 5. So why is it this way? Why should I consider having any of these options.
Forget the single words
This is plan and simple, forget the days of having “password”, “welcome” or anything else that is a single word, why. Simply because these words are in a dictionary and are the first ones used. That coupled with numbers, “password1”, “welcome1” and so one. These are nice and easy to remember, but a cinch to guess in a snap.
A password can be more than one word
A password can be made up of multiple words, it can be a sentence. Single words are more simple to hack, but multiples in a sentence can add more complexity to hacking this password than even using a mixture of letters and symbols.
This also make the password more simply for the user to remember. “LetsGoBroncos” is an example, “ImNeverGonnaGiveYouUp” these simple phrases suddenly make things more difficult. Words exists and common heuristics can be used to help work out patterns but once again these take time to process and the longer it takes to hack it then the less likely it is to be hacked.
If it takes them 50 days to crack 1 account or 1 day to crack 50 accounts, they will opt for the 50 accounts in 1 day, every time.
Replace and Increase
There are letters and even words that can be replaced with one symbol. “ILoveMoney”, “ILove$”, “ILove$$$$$” are all realtively easy to remember, but the last one, is a little more difficult to crack that the first 2. Including these symbols means the number of possible combinations to try go up. The more combinations the more difficult it is. Other are using &, @ () for letter or word replacements, I will not give a list here, some are common some aren’t but it is best for you to use what you understand than me, some might use # for H but, I would use # for hash or sharp.
Forget the right way, use your way
What I mean by this is, the right spelling might not be the best. Many ways to spell different words, or the use of homonyms, words that sound the same but have a different meaning. Butt and But, Poor, Paw, Pour and Pore. Each of these can be used in your phrase;
MyCatHaasBigPores – so, Hass, and Pores changes the context of the word when looking at it and again makes it more difficult to guess.
Where I am can help me remember
I use the Blingles site and when I create my password I use “ILoveMyBlingles”. But don’t use this across the board. “ILoveMonstersHigh”, “ILoveMoshiMonsters” and so on. Since guess the patter and you have all of them. But, “
”MonstersHighRocks”, “MyMoshiMonstersAreCool” provide some examples of this.
A place a password can call home
We have now, so many passwords all complex and all long enough to take your account out of the mix of any quick brute force attack. But I can’t remember them, well, I can now say don’t. Use a password vault.
A password vault is a secure place for you to store all of your account and password details. But there are so many, some online, some offline, some mobile, some not. The thing to remember is look at something that you want to use and which is the best approach for these.
The simple ones is just an encrypted repository for all your passwords. This is all it needs to be. Others have better features like auto typing or storing additional information or grouping of the data. Some features a nice others I feel are required. Below is a list of things you want any password vault system to have no matter where or how it is stored.
- Strong Encryption – You want to have the best encryption possible, but also you want this to change if the best encryption gets better.
- Encryption is only as good as its encryption key. This is like the password used AES uses up to 256bits for a password key. Below is an example;
6ZPIAFHPwPyqjkMIyRTRkC4Hd4MZPjUhkM4fgKF8T8M= MyEncryptedPassword but is encrypted with a 256bit key, the maximum size for AES.
AuR4SL2Bt1BfPxdoB/X87bAQ6b+lsepCkoFrsQQ46+I= is the same word encrypted as before, but it used a 128bit key. So, as you can see when something is encrypted with a longer key it will create better encryption.
- Generating passwords is a good one since coming up with passwords that are complex enough for use in systems and keeping them safe is not as easy as it sounds. Once could simply put in jshdfjksdhfjksdfhjdsh but without knowing I have created a pattern in the password, patterns are one element of trying to hack and crack encryption as patterns in passwords and keys could also setup patterns in the data they are encrypting. Keep away from this.
- Key or a Password, why not both. The better vaults have the ability to use more than one method to secure the vault. Passwords are good, simply remembering a single password makes things easy, but a key, is far more complex than any password. If the software can use both, it will further lock down the vault and prevent people hacking that, since this is going to contains the keys to your entire digital life, might as well make it as secure as possible.
- Password hashing – The vault should store your password within the file as a hash. If it doesn’t hash it, then it isn’t as secure as one that does.
- Is NOT a cloud based solution.
With these in mind we need to look at a couple of elements I stated that need further explanation.
The Keys to the House
I used words like AES and 256bit, 128bit, Keys, Hashing. So what are these and how does this affect me looking at password vault software.
This is Advanced Encryption Standard it is one of the newer and possible more secure of the the encryption algorithms. Though no encryption algorithm is completely unbreakable, the time to break 192bit and 256bit AES is obviously increasing high. It is the current standard used by the US government. Though with all of the goings on about the NSA and them hacking and requesting data, it is best to keep things as secure as possible.
These are the key lengths used to encrypt the data. The minimum of AES is 128bit and the max is 256bit. I know what you might say, if increasing the key length also increases the strength of the encryption as I showed above why not use a longer key. The Algorithm is fix to take keys at a maximum size. But there is a trade off, the longer the key the longer it will take to encrypt and decrypt the data.
Keys are a file or a single of characters up to a certain size that are used to add to the security when encrypting. With Vault software some of them might use a password and a key. If you don’t have the key you can’t decrypt the file, ever. Since both parts are used to decrypt the file and therefore you are missing a large portion of the key used to encrypt the data. SSL uses this form of encryption since there is no passwords they use a combination of public keys and private keys. Data can be encrypted using the public key but only the private key can be used to decrypt the data.
This has nothing to do with potatoes. A hash is a one way encryption of data. In the world of the ever expanding internet when passwords are stored on the server they should be stored in a hash format. Why? It is impossible to workout the value that created the hash, I say impossible but in terms of reference, in computing nothing is impossible and giving the amount of time it can be calculated, infeasible means the time it takes it process, currently is not within these boundaries and therefore are not possible at this moment in time.
Given a machine that can perform 1012 operations per second, this is a lot. The time to work out a solution 2n and given that this time is in the terms of time small, 264. It would take 213 days give or take to calculate this. Increase it to 2100 which is still not terribly complex that would take 40,196,936,841 years, yes, 40 billion, the universe is only 14 billion years old, give or take. So a computational task that takes that long to complete, is considering infeasible. 213 days isn’t but I wanted to point out the difference between the complexities, might not look like much on the surface but turns out to be massive in the end. AES complexity is 2254.2 so that would potentially take longer than the 40 billion years to work out a 2100 complexity.
OK, so you want a vault that has good encryption, enables use of keys and passwords (both would be better), can generate passwords, stores the vault password as a hashed value and is NOT a cloud based solution.
Encryption in the Clouds
Why not in the cloud? So much stuff is moving there, it would be nice to use a system that enables me to get access to all my passwords online. For a couple of reasons.
- The internet might not be always available and therefore you might need a way to use it offline.
- You can be assured the business who operates the site will be there tomorrow. If it is gone, so is your complete vault of passwords.
- Can you trust them? Given the plethora of statements made by Edward Snowden regarding the NSA and companies handing over private data to them what gives you any trust in someone who houses all of your account and password information. NSA knocks on their door and requests is with a federally signed document stating they must provide it. OR, they are in a country who’s laws aren’t as strict as other countries and therefore it isn’t in their best interest in keeping this data out of state hands.
- You sure it is secure? I have entered my password and the database is showing, but is it encrypted, how can I tell, where do you keep the password, in the same database I have my data in, etc… All of these are valid and go to show when the data isn’t in your hands you are putting a lot of trust into these businesses.
So, offline would be a recommended model but cloud solutions are good if they offer ways of backing it up offline, accessing it offline, terms of services and service level agreements, etc… If not, and you read some of them and realise that they do not store things in one way encryption or using simple encryption algorithms.
What should I use?
Well there are two I would recommend, both are offline and one offers many more devices. It is a preference and either would enable you to feel safe using. KeePass is an open source software than provide all of the elements I would look for an more. This is an offline model but it can support using file hosting services like DropBox if you wish to maintain this not just locally but enable you to synchronise the data across all systems. There are some mobile applications that can use the KeePass database as well, but KeePass has only the software for Windows but since it is Open Source, there are many different versions available for many devices, see the Download page.
The other is Norton Identity Safe. This is a Free product as well but is not Open Source. But Norton release a version for Windows, iOS and Android, which can cover most of your needs. Norton is a trusted name for the protection of your PC. Since they released Norton Utilities, they have kept making your PCs faster and more secure. BUT, this is the only cloud based solution I would recommend. It is simple, easy to use and can store more data you need. My main issue with Identify Safe is there is no use of keys, passwords for the vault that are limited to 20 characters.
Is there an issue with using Open Source software for your passwords, no, as long as your control the file the passwords are stored in and I do. I have my password file, available to me anywhere I want. Store it in DropBox, OneDrive, Google Drive, iCloud, anywhere that might enable you to store any file type the ones that allow automatic integration into Windows Explorer or enable automatic synchronisation as well would mean all PCs that run the software could get access to it.
IF you WANT a cloud based solution I have included this one in here as my recommendation for it. But I would prefer to recommend KeePass. As it is more secure (as it is offline), can use a key and a password, the passwords aren’t restricted in size for the vault itself.
The Password to Rule Them All
So, you have decided to use a vault and you are about to create a new one. The password, remember the lesson of the password. It comes all undone (potentially) if you secure your vault password with password (11bits, yes a long way shy of the maximum of 256bits allowable in AES). So if you only need to remember one password, then go to town.
It means that once you have that, then everything else is there for you and you can store anything secure in there you like.
Public-Key Cryptography. (2014, June 15). Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Public-key_cryptography
Advanced Encryption Standard (AES). (2014, June 24). Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard