How the Crime is Committed

Now the only people who don’t know this are victims of cyber crime.

I have laid out an approach specific to cracking passwords which is best seen on this spreadsheet

  1. A dictionary attack is simply a streamlined attack or method that I deploy so I don’t have to try every password combination.
  2. This includes dictionary words, but it is not limited to dictionary words
    • Word 1 = Serendipitous
    • Word 2 = &
    • Word 3 = 8652
  3. The structure of the password is more important than the length, a long poorly structured password can be easier to crack than a shorter well structured password
  4. I attack trends, I hope that for the 100 accounts that I try, there is a fair volume of users within a trend that I have defined
  5. My goal with this exercise is to reduce the time taken to crack a password as opposed to spending a long time to guarantee I crack a password

What a Consumer can do to prevent it

There are lots of overlapping considerations, to sum them up

  1. Where do we use passwords
    • This is the device or network we are on when we enter passwords
    • Certain passwords should not be entered into devices or applications when we are on non-secure networks or devices.
  2. Security everywhere, is it necessary?
    • No, it is not necessary
    • We need certain things like Email, Banking, Paypal etc. to be secure and well managed
    • Other things we could not care less about e.g. Change.org
    • We should only be security conscious with things that can do us real harm
  3. Do we need different passwords everywhere?
    • No, only for things we need to be secure and there is a relationship
    • Email should be a unique password, as should our bank and things like paypal
    • Things like Online retail should be secure, BUT, we don’t necessarily need a unique password for each online retail account we use, we could argue that we need 1 password for all of our online retail accounts
    • Things that cannot do us significant harm can use the same password, the damage from something like Netflix is minimal, as is “Change.org”, so we can use the same password, it also does not need to be complex.
  4. Can you write down a password?
    • Yes, provided you are sensible about it
    • We cannot write down a password and put it with the device we are using
    • We can write down part of a password provided the full password is not written down
    • We can write down a password and keep it somewhere in our home that is secure
  5. How to define a secure password you can write down
    • The example in this article was an example
    • Use this page for multiple methods of defining passwords
  6. Do we need to reset passwords
    • Yes, but not that frequently
  7. What do we do when we are at work?
    • Whatever your employer tells you to do
    • But this does not necessarily keep you safe when you are not at work

What the industry has to do to prevent it

  1. Rules do not inspire creativity, but options do.
    • Multiple options should be available
    • The options should consider how to inspire creativity as opposed to dictating it
  2. A single option or method cannot be right, but it can be wrong
    • Any single ‘correct’ option can only create a trend
    • The challenge is to spread the trends used to make things like dictionary attacks harder
    • The more trends, the less I can do to take advantage and the less effective my methods are.
  3. Lazy Entropy calculations creates bad security
    • You have to calculate Entropy around the rules and methods in place
    • This applies to any method, even a random password generator can have trends set against it using probabilities
    • Being Lazy here is not so much an issue for the calculation on today’s technology, the issue here is that you miss the point where your method fails.
    • People will operate under the pretence of security, when actually their password is now very weak.
  4. Lazy Attack Explanations creates bad security
    • We all know that visual aids help with learning, but we don’t provide a visual method of attack
    • We don’t provide the attackers motives and methods start to end
    • We paint cyber criminals as, essentially, non-intelligent by explaining their work in “high-level”
    • In my opinion you cannot explain a solution without explaining the attack and showing the method and describing what is weak.
    • Consumers won’t necessarily know “How I know their word” or “How I guess their password”, so they have no reason to think they are not secure.
  5. Security issues are a collection of considerations, not considerations in isolation
    • Cannot stress this enough, for all forms of security, when industry gives advice if it is not truly generic, then it cannot be given as good advice
    • In this case, we have to consider “Network, Device, Application, Application Location (Among other things)” when defining how a password is cracked and providing a solution
    • The example I gave were password managers, as I know these are only secure by situation, so for consumers, because I cannot use this as a white wash success, I can’t advise it over a method of storing a password in a non-digital format.

Summary

So the password writing example I used in this article I used intentionally to show how me defining a password whilst ignoring things around it will eventually lead to a security flaw.

Not so much the issue with “Password Strength” today, but as technology evolves I will consider my password to be stronger than it is, eventually leading to a point where I am exposed but think I am safe.

Now, a lot of people will argue “2 Step Authentication” resolves this, but it doesn’t, I demonstrate this in other articles, but for the purpose of this article, when I do look at 2 step authentication, I have to reconsider my password structure and whether 2 step authentication then undoes my strong password.

The only final point I think still needs to be re-iterated is around

“it is not the method, but the user”

Ok, well 2 step authentication as an example is likely a wizard based set up, it is not the users fault that they follow this wizard and don’t interpret it correctly, leading to me being able to access their accounts quite easily.

So in the same regard, it is not the users fault that I gave a bad password writing method in this article that exposes them down the line.

It is not the users fault that we are lazy when calculating entropy, that is actually more largely to do with industry not understanding that random is only random until something happens.

That something could be a “Random” password generator, now I am not talking about how a computer handles “random”, but I am talking about how Entropy is not the same when Probabilities are involved, the random password generator introduces probabilities, which means we can refine the Entropy calculation to include this factor and create a new data dictionary.

It could be a better solution, but we don’t know that while we are lazy with entropy.

So at the same time, it is not the users or consumers fault that our answer to their involvement in cyber security is that “Entropy cannot be calculated to account for users”, it can be done, because that is in essence what a hacker is doing when they define a data dictionary for a Dictionary Attack.

What they are left over with is a reverse of entropy considering the human equation i.e. when consumers follow the rules as specified by industry, what do they most likely end up entering?

So when you calculate entropy in a non-lazy way around the specific method as defined, what you are left with is a dictionary attack.

That is what a hacker would have to produce to crack your password method.

When you put the effort in, what you are really saying is “This password method as written down and defined to a consumer likely results in this many password combinations being generated at most” or, the actual entropy when all variables are considered.

The other larger issue we see is the “most of it is this anyway” which actually encourages consumers not to put effort in.

For example, “most attacks are online” which is expressed in a way where we don’t have to worry about password strength all that much.

The truth of the matter is, protecting against an offline attack with a secure password protects against an online attack, the other way round is not true, so protecting against an online attack does not protect against an offline attack as far as password cracking goes.

So this would be a factor in consumer entropy, one of the larger reasons why I hate when people blame users and consumers for having bad passwords when they do get cracked.

The industry has conditioned consumers not to worry about it, but it’s their fault when they don’t use a secure enough password?

Anyway, we will leave this one here.

Hopefully, you won’t have read this and be hopping over to our “Practice what you preach” section, where we provide different ways of making secure passwords that can be written down.

As that means your password was very weak!

Links below to other sections of the website and thank you for reading.

Previous Page

Back to How I Would Commit Cyber Crime