My Hotmail account was hacked last week. Very embarrassing--I have never had an account hacked before because I use decent passwords and I avoid viruses by not clicking through on strange links and using a Mac. The hackers sent out a link to an online pharmacy, though I suspect the linked page is also used to spread malware. I was able to send out a follow-up email within 2 hours to let people know to delete the email, and, fortunately, I don't have a lot of addresses in my Hotmail address book. My aunt had it even worse--I saw 4 or 5 emails from her account, and she struggled to regain control of it and is now just going to shut it down.
It got me thinking about security, both virtual and physical.
On the virtual side, the long-held belief is that a strong password will keep you safe. That is apparently not true, as I just learned. But the reason why is a bit annoying. Hackers run "dictionary" attacks against popular web services, where they simply bang on an account trying thousands (hundreds of thousands, actually) of combinations.
The most sophisticated tools (e.g. L0phtcrack), easily available online, can crack 25% of passwords in seconds, and can try 17 BILLION combinations an hour. An 8-character password made up of letters, numbers and special characters (e.g. asterisk, dash, underscore) has only about 100 billion different combinations. So, if someone really wants to crack your account, they just need a few hours. Presumably, the hackers just spend a few seconds to get the easy accounts. The password length I had been using, a mere 6 digits, had only 45 million combinations. I do use longer passwords on my more important accounts, but Hotmail is mostly for spam anyway, so I never upgraded the password.
The real problem here is obvious, but few ever mention it. Why do Hotmail and other services allow hackers to bang on the door thousands of times? If you blow a password 10 times in a row, your account should be locked. Then a simple, easily remembered password would be perfectly adequate.
The problem, and I suspect the reason the web services do not enforce this, is that if hackers are banging on Hotmail all the time, thousands of legitimate users will be locked out every day, generating an enormous amount of traffic to customer support. Very sensitive systems such as SaaS ERP do enforce a limited number of tries, but they have a small number of users and an enormous reputation problem if they are cracked.
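As an added example (not code from the post), here is a small Python login guard that applies the rule suggested above: 10 misses in a row locks the account. It also throttles failures per source address, a common mitigation the post does not describe, so one remote guesser hammering the service cannot lock out every account it touches; the lockout length and per-source budget are assumed values, and the actual password check is assumed to happen elsewhere.

```python
import time
from collections import defaultdict

MAX_FAILURES = 10           # the post's threshold: lock after 10 misses in a row
LOCKOUT_SECONDS = 15 * 60   # assumed lockout length; the post gives none
SOURCE_MAX = 20             # assumed per-source budget of failures per window
SOURCE_WINDOW = 60          # assumed window in seconds

class LoginGuard:
    """Counts consecutive failed logins per account and locks the account
    after MAX_FAILURES. Failures are also counted per source address and
    throttled before they reach the account counter, so a remote guesser
    cannot trivially lock out every legitimate user. `now` is injectable."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(int)       # account -> consecutive failures
        self.locked_until = {}                 # account -> time the lock expires
        self.source_log = defaultdict(list)    # source -> failure timestamps

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is not None and self.now() >= until:   # lock has expired
            del self.locked_until[account]
            self.failures[account] = 0                   # start a fresh count
        return account in self.locked_until

    def source_throttled(self, source):
        cutoff = self.now() - SOURCE_WINDOW
        recent = [t for t in self.source_log[source] if t > cutoff]
        self.source_log[source] = recent                 # drop stale entries
        return len(recent) >= SOURCE_MAX

    def attempt(self, account, source, password_ok):
        """Record one attempt; returns 'ok', 'denied', 'locked' or 'throttled'."""
        if self.is_locked(account):
            return 'locked'
        if self.source_throttled(source):
            return 'throttled'        # refuse before the credential is even tested
        if password_ok:
            self.failures[account] = 0                   # success resets the streak
            return 'ok'
        self.failures[account] += 1
        self.source_log[source].append(self.now())
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.now() + LOCKOUT_SECONDS
            return 'locked'
        return 'denied'
```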
So, perhaps the solution is multifactor authentication. Not the physical token systems that you see some corporate users carrying around, but merely a second layer of security. You could have a password that gets you to the second layer, which would require you to pick out a face or picture from a matrix of options. The human brain is particularly good at remembering faces. Because you can only present 15 or so options, it is really not adding that many combinations, but it would definitely help, and the fact that it eludes keylogging software is a definite bonus.
[UPDATE 9/20: Google just released two-factor authentication for Google Apps accounts. It uses a smartphone app to generate an authentication code that is the second step of the process (replacing a dedicated fob such as the ones used by Verisign systems). I am feeling rather pleased with myself for being one day ahead, for once, instead of the reverse.]
So, "strong" passwords present the illusion of security, but in reality are just a slightly higher fence. That works for random attackers, but not an attacker that might be targeting you.
Many physical security measures work on the same principle--you don't have to outrun the bear, you just have to outrun your friend. But if someone is targeting you specifically, you are in trouble. This is where things like airport security often fall down. They annoy the casual traveler in the name of protection, but fail to deter the dedicated attacker.
The auto theft statistics for 2009 show almost a 25% drop in theft from 2008--a big decrease. But they also show a drop in the recovery rate. Basically, the casual thief is deterred, but the pros are still doing fine.
The most effective part of a home security system is the sign out front. Casual thieves move on to your neighbor. If you are targeted by pros, then you had better install something a bit heavier-duty than ADT.