I'm not going to lie, this is one of the most useful guest posts we've ever had. Stolen passwords haunt our lives on the daily. Thankfully, Ray Daniel gives us some tips on how to protect ourselves from those pesky hackers, to coincide with his latest release, Hacked, the fourth book in the Tucker Mysteries, which is available now!
Hackers love passwords. They love to use them, sell them, and trade them with their friends. Once they have passwords they can steal identities, publish secrets, and create a wide variety of mischief and mayhem. So, how do they get them? Most importantly, how could they get yours?
It's perhaps comforting to know that they don't get your password because they know your birthday, your dog's name, or the names of your loved ones. While not using any of that personal information to create a password is good advice, we don't live in a creepy world where hackers are omniscient.
Hackers have two primary ways of getting your password: they can guess it, or they can trick you into giving it to them. Let's look at both of those approaches and then see what we can do to protect ourselves.
When it comes to guessing passwords, one imagines the hacker going to Amazon.com and trying passwords until one hits. This, of course, does not work. Amazon.com and other sites place limits on the number of guesses.
Instead, hackers need to steal databases full of email addresses and their associated encrypted passwords. Encryption takes your password and turns it into an unintelligible string of letters. For example, the password 'password' becomes the following:
5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
There's no way to figure out the word 'password' from that. The very similar password 'Password' looks like this:
E7CF3EF4F17C3999A94F2C6F612E8A888E5B1026878E4E19398B23BD38EC221A
As you can see, there's no discernible pattern between them even though they are similar passwords. However, if I told you that my password was 'password' but I didn't tell you whether the P was capitalized, you could figure out which password was mine by guessing. You'd encrypt 'password' and then encrypt 'Password' and check to see which one matched the encrypted string. That's exactly how hackers guess your password, except on a huge scale.
Hackers regularly break into insecure servers and steal databases of email addresses and encrypted passwords. When you heard that hackers broke into Yahoo and stole information for one billion (billion with a B!) accounts, these username-password pairs were some of the information stolen.
Once they have the encrypted passwords, hackers use bastardized graphics engines to create hacking machines that can guess a billion passwords in a second. They take your password and compare it to lists of previously guessed passwords, then they compare it to words in a dictionary, then they replace the 'e' with '3' and add numbers and letters to the end, and they use advanced prediction mechanisms to create guesses from a first letter such as 's'.
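The two strings quoted above are SHA-256 digests of 'password' and 'Password' (the post calls this encryption; a one-way hash is what sites actually store). The example below is added here and is not part of the original post. It reproduces both digests, shows why a plain unsalted hash falls to a precomputed table in a single lookup, and then shows the defender's fix: a per-user random salt plus a deliberately slow key-derivation function, so that two users with the same password get unrelated stored values and every guess must be recomputed per user. The six-entry guess list and the PBKDF2 iteration count are constructed for illustration; a production system would use bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def sha256_hex(password: str) -> str:
    """Plain SHA-256 of the text, upper-case hex, matching the strings on the page."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()

# Constructed, tiny stand-in for the billion-entry tables the post describes.
COMMON_GUESSES = ["password", "Password", "123456", "qwerty", "letmein", "p4ssw0rd"]
PRECOMPUTED = {sha256_hex(p): p for p in COMMON_GUESSES}

def identify_unsalted(stolen_hash: str) -> Optional[str]:
    """With an unsalted fast hash, one table lookup recovers the password
    for every user in the stolen database at once."""
    return PRECOMPUTED.get(stolen_hash.upper())

# Defender side: salt each user and use a slow KDF. PBKDF2-HMAC-SHA256 is in the
# standard library; the iteration count here is an assumed illustrative value.
ITERATIONS = 200_000

def store_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) as a site should store them."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)

def salted_records_differ(password: str) -> bool:
    """Two accounts with the same password yield different stored digests,
    yet each still verifies; a single precomputed table covers neither."""
    salt1, digest1 = store_password(password)
    salt2, digest2 = store_password(password)
    return (digest1 != digest2
            and verify_password(password, salt1, digest1)
            and verify_password(password, salt2, digest2)
            and not verify_password("Password", salt1, digest1))

if __name__ == "__main__":
    print(sha256_hex("password"))
    print(sha256_hex("Password"))
    print("unsalted lookup:", identify_unsalted(sha256_hex("Password")))
    print("salted records differ and verify:", salted_records_differ("password"))
```

Running it prints the same two digests the post quotes, recovers 'Password' from its digest by lookup, and reports True for the salted records. The slow KDF is the part that matters at scale: a table that took a billion guesses per second against SHA-256 has to be rebuilt per user and per iteration count.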
Using techniques such as these, hackers can guess between 60 and 80% of passwords in a typical stolen database. If you'd like to know whether your password information is in the hands of hackers, follow this link to this New York Times article:
Or, to be more precise, type your email address into http://haveibeenpwned.com. Both sites will tell you whether your information may be out there. (But, come on, we almost all have a Yahoo account.)
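The same service also lets you check a password itself without ever sending it anywhere. The example below is added here and is not from the original post or from Have I Been Pwned. It implements the client side of the Pwned Passwords range lookup: only the first five hex characters of the password's SHA-1 are sent to `https://api.pwnedpasswords.com/range/<prefix>`, the server returns every known suffix under that prefix, and the match is made locally. The network fetcher is injected so the logic runs offline against a constructed response; the suffixes and counts in that response are made up for the test, not real breach data.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the first 5 hex chars leave the machine, the rest never do."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the breach corpus (0 if not found).
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def live_fetch(prefix: str) -> str:
    """Real fetcher: one HTTPS GET carrying only the 5-character prefix."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in. SHA-1("password") is 5BAA61E4...8FD8, so its
# prefix is "5BAA6"; the other suffix and both counts are invented for the demo.
CONSTRUCTED_RESPONSES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
    ),
}

def fake_fetch(prefix: str) -> str:
    return CONSTRUCTED_RESPONSES.get(prefix, "")

if __name__ == "__main__":
    print("offline demo:", breach_count("password", fake_fetch))
    # Swap in live_fetch to query the real service for your own password.
```

Because the server only ever sees a 5-character prefix shared by hundreds of other passwords, the check reveals nothing useful even to the service operator; that is the property to insist on before typing a password into any breach-checking tool.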
The other way hackers get your password is by asking for it with a phishing attack. In this approach hackers send you an email that looks to be from a coworker or, even better, a boss or the IRS. The message says something like, "You had better read this right now or you're screwed!" The goal is to get you to panic, click on a link, and log in to see the information. Once you do that, the hackers have your password. This is how John Podesta of the Hillary Clinton campaign lost his password to Russian hackers. To be fair to Podesta, he shared the email with his IT department, who told him it was legitimate when the person had meant to type illegitimate. (One cannot make this up.)
If you think you're immune to being phished, I suggest listening to the Reply All podcast from Gimlet Media named "What Kind of Idiot Gets Phished?": https://gimletmedia.com/episode/97-what-kind-of-idiot-gets-phished/
There are three things you can do to minimize password-related damage:
1. Use a different password on every site. I'd worry if I had used my Yahoo password to protect my bank account.
2. Use a password manager to generate unguessable random strings for all sites and save them. That way you only need to remember one password. (Here is a comparison of password managers: http://www.pcmag.com/article2/0,2817,2407168,00.asp)
3. Set up two-factor authentication on all sites that allow it. John Podesta would have survived losing his password if he had turned this on. Two-factor authentication requires the hackers to have both your password and your cell phone to get into your account. They probably don't have your cell phone. (Two-factor authentication saves Tucker in Hacked.)
The modern world of hacking and passwords can seem like a scary place, but it's not difficult to stay safe. If you use a password manager to generate different random passwords for all your sites and turn on two-factor authentication, you won't wind up like John Podesta.
***
Aloysius Tucker vows vengeance when a hacker terrorizes his ten-year-old cousin online. But the situation goes sideways fast, threatening to take Tucker off-line for good. #TuckerGate
Promising his cousin that he’ll get an apology from an Internet bully, Tucker finds himself in a flame war that goes nuclear after a hacker is murdered. Now more hackers, the whole Twitterverse, and a relentless bounty hunter agree on one thing—Tucker is the killer and he must be stopped.
With death threats filling his inbox, Tucker battles Anonymous, Chinese spies, and his own self-destructive rage while chasing a murderer the online community has named the HackMaster. Can Tucker clear his name and build a case against the killer before the death threats come true?
Ray Daniel (Framingham, MA) writes first-person, wisecracking, Boston-based crime fiction. His story Driving Miss Rachel (published in Blood Moon by Level Best Books) was chosen as a 2013 distinguished short story by Otto Penzler, editor of The Best American Mystery Stories 2013. Daniel's work has been published in the Level Best Books anthologies Thin Ice, Blood Moon, and Stone Cold. Terminated is Ray Daniel's first novel. For more information, visit him online at raydanielmystery.com/.