5 Things We All Do That Make Hackers' Lives Incredibly Easy
Hollywood portrays hackers as superpowered math geniuses who can intimidate computers into giving them whatever they want through intense keyboard mashing. Even outside of movies, they are feared as something like mysterious and powerful wizards -- the infamous hacker Kevin Mitnick was ordered to never use any networked technology more advanced than a pay phone, for fear that he could whistle a tone that would start a nuclear war.
But in reality, almost every "hacking" exploit that you hear about compromising some database or other is done with very simple methods that, many times, require no computer at all.
They can do that because our computers aren't secure, and never will be, thanks to the fact that ...
Our Brain Remembers Passwords Only if They Are Words
The four most common passwords (according to Mark Burnett's 2005 book Perfect Passwords) are "1234," "123456," "12345678" and "password." (The fifth is "pussy" -- No, really.) On the next level of password caution, you'll find something like "dolphins." ("It's because I really like dolphins!")
Unfortunately, dolphins are notoriously terrible at information security. Hence their defeat in the Great Orca War.
Yet if you ask a website to generate a password for you, you'll get something like Yzivlq$0X?9. The difference is that most humans can't memorize much beyond seven digits unless there's some other meaning attached to help us remember. So we have to use an actual word instead of random character strings; otherwise, we'll never retain it.
The problem is that even if you use an uncommon word (such as "adelphogamy"), you are making it massively easier for a bad guy to guess your password. The average new computer can guess 10 million passwords a second. For reference, the unabridged Oxford English Dictionary lists about 600,000 words, and the average adult knows a fraction of that.
That means if your password is a word or even one of thousands of common names, an attacker can have your password faster than hands can type it. Even if you add a number to the end of the word, like "hunter2" or "entropy9," you've only increased the time it takes to crack to half a second.
It's not hard to make a secure password, one that's not a word and is reasonably long but still is easy to remember and quick to type. Take a phrase you know by heart, such as "Every Halloween, the trees are filled with underwear; every spring, the toilets explode." Now, type out the first letter of every word in that phrase, picking different letters or adding punctuation wherever feels natural for you, resulting in a password like "eHttRfwu;estte." By using something that isn't a word and never has been, you're increasing the pool of necessary guesses exponentially.
"I_love_golf" is an easy password to crack. "I_love_women_with_no panties_teeing_off_on_my_face_while_gophers_finger_my_asshole" is a little harder for robots to guess.
If Someone Asks Us for Our Password, We Give It to Them
One survey found that, in public, 70 percent of people would give out their passwords in exchange for chocolate.
On one hand, this is a stunning indictment of just how shortsighted people can be. On the other hand, MOTHERFUCKINGCHOCOLATE!
A favorite strategy of the hacker mentioned above, Kevin Mitnick, didn't involve either supercomputers or a criminal mastermind brain. Once he decided what corporation he wanted to hack into, he'd just go into its trash. Not to find some list of passwords, but to dig up an organization chart so that he could call up an employee claiming to be a co-worker whose boss needed the password to get into the company's server (he called it "social engineering").
The only time the words "engineer" and "social" have been that close in years.
Likewise, in 2007 there was a well-publicized rash of Xbox Live accounts suddenly escaping their owners' control, leading to rumors that some master hacker had gotten into Halo developer Bungie's database. In reality, it was all done via conversations over Xbox Live headsets. Like many systems, Xbox Live would verify your password by asking a series of personal questions (more on that later). So the thief would just get into a game with his target and steer the conversations toward subjects such as pets and high school, stealthily probing the target for his secure question answers.
Alternatively, the thief would call Microsoft's tech support and, pretending to be the account holder, basically play on the operator's sympathy until the operator gave in and handed out the info. This problem continues to flare up for Xbox Live users, from skilled gamers such as "Skyllus vBi" to Dan "Shoe" Hsu and Will Tuttle, both editors-in-chief of major gaming publications, all of whom had their accounts stolen in 2008.
Privacy is a myth, folks.
Even Microsoft's Larry "Major Nelson" Hyrb, director of programming for Xbox Live and the closest thing the service has to a human face, had his account hijacked in March 2010, almost three years to the date after he posted the security bulletin above.
Not that we have to hear a human voice in order to hand out our passwords; online scams continue to be rampant. Once, a system administrator sent out an email telling users not to respond to fake "what is your user name and password" phishing forms. He included a sample form to show people what to look out for -- then saw users reply to him with their user names and passwords, because the sample phishing form he sent along asked them to.
Presumably, emailing these people directions for performing the Heimlich maneuver would lead to an epidemic of fatal chokings.
We Will Always Demand Convenience Before Security
In the mid-90s, Microsoft was tripping over itself to make computers convenient and user-friendly. Microsoft BOB, the operating system with a smiling face, encouraged users to keep all their banking information nestled securely inside a virtual desk. Would-be thieves would be stopped at the virtual front door, where users were prompted for a password. If the user forgot his password, he would be inconvenienced by it only three times, at which point the system would conveniently let him change it.
Microsoft Bob: Because even idiots need to use computers.
Even though this is about as secure as guarding your house with a BEWARE OF FERRET sign in your yard, anything less would have been too inconvenient for the target audience of Microsoft Bob (which ended up being small enough for Microsoft to realize what a terrible idea it was trying).
Unfortunately, this is a fundamental trade-off, and it's one we often don't even notice we're making. For instance, it's convenient to have your browser store all of your passwords so you never need to type anything to look at your bank account, but leaving your laptop open at Starbucks, then coming back and discovering that you've bought the original master recording of In the Court of the Crimson King for a complete stranger is also inconvenient.
So what exactly is a fire witch? Anybody?
There's literally no getting around this; what is convenient for us will also be convenient for intruders. Like those "security questions" they use to verify passwords that allowed those Xbox Live hackers to get in. The whole point of that is if you lose your password, you can get it back quickly and easily and not get locked out of crucial online services. So, on most sites if you lose your password, you simply need to answer a few pre-determined questions ("What was the name of your high school's mascot?") which supposedly only you know.
OK, now let's say you're Sarah Palin in mid-2008. In your private life, you like to use a Yahoo email account that's not subject to the bureaucratic overhead of government records. The downside here is that, because you're Sarah Palin, everything about your past is common, well-publicized knowledge. So some kid on 4chan with a Wikipedia page in one tab and Yahoo's Reset Password page in the other can just copy-paste from the former to the latter to gain access to this email account and spread the contents across the Internet. Even if you're not famous, your high school is on your Facebook page, and 10 seconds of Googling will tell someone what the mascot was. It doesn't take much longer to find out what your mother's maiden name was, and so on.
The best solution here? Lie.
Tell the database that you grew up in "Smurfville." Say that your dog's name was "Cat." Say that your high school mascot was the "Yo Dawg I Heard You Like Passwords So We Password Protected Your Password" (or "The Fightin' YDIHYLPSWPPYPs," as we called them).
Go, Deer Ticks!
But even if you buck the "one password for everything" trend, the Web is going to try to force your hand because ...
We've Put 500 Million Eggs in One Basket
In early December 2010, anybody who had ever interacted with a Gawker blog had his login details leaked to everybody. If you don't see what the big deal is, you have to remember how many people use the same passwords across almost every site they visit. You can't blame them -- today you might have three dozen sites you need logins for. It's impossible for most people to retain that many passwords, even if they never change them. (Note: One trick is to use the same password but create permutations based on something you remember about the site, so your Cracked password could be "eHttRfwu;estteBatman."
No one expects the goddamn Batman.
The bigger problem is that we're moving the opposite direction. People want one login that gets them into all of their favorite sites, and Facebook is there to give it to them. Many of you already use Facebook to log in to Cracked.
The danger, of course, is that if somebody gains access to your account on Facebook, he's unlocked your account and private information on every site you have or could connect to it.
Above: How most people handle online security.
As the number of sites that let you do this goes up, the jackpot payoff for breaking into the databases of these high-profile sites goes up with it. In an online landscape where sites can double and quadruple in size in a matter of days, it's going to be almost impossible for these sites to grow as quickly as the size of the target on their forehead. All it takes is one screw-up by a major content provider, such as AOL's infamous 2006 distribution of every search made in its browser over a three-month span, or a compromise of a powerful employee, such as Facebook director Jim Breyer, whose account was taken over by spammers in May 2010, and they've just broken into more vaults than all the Ocean's Eleven movies combined.
Even if Facebook and other third-party login sites (such as Twitter) were built like brick houses against all the big, bad wolves the Internet can muster, there's still one ubiquitous point of failure that's already ingrained itself into the fabric of the Web: email.
You might have heard of it.
Not only does a hacker who can access your gmail, or worse yet, hotmail now have the ability to reset every Internet account you've ever associated with it (possibly every account you've ever had), if Google or Hotmail falls victim to any number of common vulnerabilities, you and every user of their services are up shit creek. And since most email accounts are spread out over a handful of companies, that could number in the hundreds of millions.
You Have to Give Access to Someone, and That Person May Hate You
The problem, in the end, is human nature. Even if some day we have computers that can outright scan our eyeballs to determine who we are before allowing us to click an icon, it won't matter unless they also can read minds. Every large system has to give access to a lot of people, and all it takes is for a single one of them to turn on us when we're not looking.
For instance, FBI Agent Mulder's password on The X-Files was "trustno1." Not a bad motto when it comes to computer security, both in the real world and one where the goalie from The Big Green turns out to be a vampire.
But that motto should have extended to the shadowy government conspiracy Mulder was after. Here you have Mulder actively trying to bring them down, yet they continued to let him have a job that gave him access to the FBI's computer network and database.
That's not the stuff of fiction, either. Heard of WikiLeaks?
Consider the chain of events that led up to the information security meltdown of every major institution in the world: Because of some terrifying technical vulnerabilities that keep turning up on the Internet, the Department of Defense just plain made itself a new, more secure Internet called SIPRNet, which only people in the intelligence community can access. Problem solved!
Well, after 9/11, suddenly we had tens of thousands of people working all over the world, needing to coordinate and share information. So access to this secret network was expanded. One of the roughly half a million people with access to SIPRNet was Bradley Manning, the disgruntled soldier who allegedly sent the secret military documents to Julian Assange and WikiLeaks.
Our military has lasers that can destroy tanks ...
His "hack" of the system apparently involved bringing in some writeable CD-RW disks and claiming they were music. He'd stick them in the CD-ROM of his work PC, hum as if he was listening to Lady Gaga and dump thousands and thousands of pages of classified documents onto the disks.
But one of these and the tiniest bit of cunning imaginable can bring the whole government to its knees.
We're talking about maybe the single most well-funded and powerful organization in the world, spending millions creating its own freaking private Internet, all undone by human nature.
It won't be the last time.
Stuart P. Bentley is a programmer laying low in Redmond, Wash. He has a website at TestTrack4.com.
If you don't trust Cracked with your password, you can always get our articles in book form.
For more ways we're totally not safe at all, check out 5 Popular Safety Measures That Don't Make You Any Safer and The 5 Most Popular Safety Laws (That Don't Work).