Can’t remember your PIN? Here are some tips for choosing a new one!


In today’s era of computers, a numerical password or PIN is incredibly easy for a computer to guess. With that in mind, here are some ideas to make the number you choose harder to crack and easier for you to remember.

First off, a computer can guess any numerical PIN less than 11 digits long in about 2 seconds thanks to the power of iterative guessing.
The best way to protect your PIN is to enable a time out on whatever device you have. For example, on your phone or tablet, if someone enters the wrong PIN more than X number of times, it wipes the device’s data, or it makes you wait a minute between each try, etc.

Next, try using the following methods to pick a PIN that’s difficult (for a human) to guess, but that you can remember:

  • Make your PIN as long as you can. This will depend upon your device & your memorization abilities. Assuming you can use all 10 digits (0 – 9), a 4 digit PIN gives you 10^4 or 10,000 possible combinations. 5 digits gives you 100,000, etc. The longer the PIN, the harder to guess.
  • Don’t use a number someone else would know (such as your birthday).
  • Use the keypad on your phone to spell a random word that you will remember. E.g. NAME = 6263.
  • Make a sentence out of numbers. E.g. using the first letters of each word in “This Sentence Is Awesome!” gives a PIN (on a phone keypad) of 8742.
  • “Encrypt” your password by appending another number to it. E.g. if your birthday is July 19th, choose a PIN of 0719 and then tack on another number (such as the last 4 of your phone number) to give you: 07191234
  • Don’t use a common PIN – 10% of PINs equal 1234, another 10% are 0000 and 1111. That means that 20% of the time, I can guess your PIN using those 3 numbers. A number like 2580 looks random but it’s the 22nd most common PIN. Why? Because it’s straight up & down on a phone keypad. Be unique – don’t follow the herd.
  • Use sports players’ jersey numbers. This doesn’t work for me because I’m not a sports guy, but for those of you who are – just concatenate the jersey numbers of your favorite players together. E.g. Babe Ruth (3) + Lou Gehrig (4) + Yogi Berra (8) could give you a PIN of 030408.
  • Choose a number you like such as your birthday and then subtract or add another number you like. So your birth year might be 1955 and your wedding year might be 1978. The difference is 23. Subtract 23 from your birth year to get 1932. To make it even harder to guess, reverse the numbers to get 2391.
  • For a bank card, use the assigned random PIN and memorize it.
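The tips above can be checked mechanically. The following is an added example (not code from the original post) that maps a word or sentence onto a standard phone keypad, works out the keyspace for a given PIN length, and flags the weak patterns the post names: the common PINs it lists (1234, 0000, 1111, 2580), repeated digits, and straight lines on the keypad such as 2580. The keypad layout and letter groups are the usual phone layout; the list of common PINs is deliberately limited to the values in the post.

```python
import re

# Letter groups on a standard phone keypad (2 = ABC ... 9 = WXYZ).
KEYPAD_LETTERS = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD_LETTERS.items() for ch in letters}

# Row/column of each key, used to detect "straight up & down" PINs like 2580.
KEY_POSITION = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}

# Only the PINs the post itself calls out as common (a real checker would use a larger list).
COMMON_PINS = {"1234", "0000", "1111", "2580"}


def word_to_pin(text: str) -> str:
    """Spell a word on the keypad: NAME -> 6263. Non-letters are ignored."""
    return "".join(LETTER_TO_DIGIT[c] for c in text.upper() if c in LETTER_TO_DIGIT)


def sentence_to_pin(sentence: str) -> str:
    """Take the first letter of each word, then spell those on the keypad."""
    initials = "".join(w[0] for w in re.findall(r"[A-Za-z]+", sentence))
    return word_to_pin(initials)


def keyspace(n_digits: int) -> int:
    """Number of possible PINs of the given length using digits 0-9."""
    return 10 ** n_digits


def worst_case_seconds(n_digits: int, seconds_per_guess: float) -> float:
    """Time to try every PIN of this length if each attempt costs seconds_per_guess.
    Compare a fast offline rate with a device lockout that forces e.g. 60 s per try."""
    return keyspace(n_digits) * seconds_per_guess


def is_keypad_line(pin: str) -> bool:
    """True if every step between consecutive keys is the same direction (e.g. 2580, 147)."""
    if len(pin) < 3:
        return False
    steps = set()
    for a, b in zip(pin, pin[1:]):
        (ra, ca), (rb, cb) = KEY_POSITION[a], KEY_POSITION[b]
        steps.add((rb - ra, cb - ca))
    return len(steps) == 1 and steps != {(0, 0)}


def pin_report(pin: str) -> dict:
    """Summarise the checks from the post for one PIN."""
    if not pin.isdigit():
        raise ValueError("PIN must contain digits only")
    report = {
        "length": len(pin),
        "keyspace": keyspace(len(pin)),
        "common": pin in COMMON_PINS,
        "repeated_digit": len(set(pin)) == 1,
        "keypad_line": is_keypad_line(pin),
    }
    report["weak"] = (
        report["common"] or report["repeated_digit"] or report["keypad_line"] or len(pin) < 4
    )
    return report


if __name__ == "__main__":
    print(word_to_pin("NAME"), sentence_to_pin("This Sentence Is Awesome!"))
    for candidate in ("2580", "1234", "07191234"):
        print(candidate, pin_report(candidate))
    # A 1 s lockout per attempt turns a 4-digit search into hours instead of seconds.
    print(worst_case_seconds(4, 1e-6), worst_case_seconds(4, 1.0))
```

The `worst_case_seconds` comparison is the point of the post’s first tip: the keyspace of a short PIN is tiny, so the only thing that makes it survive guessing is a device that slows or wipes after repeated failures.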

Helpful? Got tips or tricks of your own for remembering PINs? Share in the comments below!

~Yosef

UPDATE: Browser Security: How Firefox, MS Internet Explorer, Chrome, Opera & Safari store usernames & passwords – Part 1 of 5


Note: This is an update to my original article

With the release of IE10, Microsoft has changed how Internet Explorer stores passwords. Previously, for versions IE7 through IE9, the browser would store auto-completed passwords in the registry and HTTP basic authentication passwords in the Windows Credentials Store (aka Vault). As a refresher: Auto-complete passwords are normal website login passwords such as Gmail, Facebook, LinkedIn, etc. HTTP basic authentication passwords are network login passwords for LANs, etc.

The encryption method that IE7-IE9 used for storing auto-complete passwords was very difficult to defeat, whereas the Credentials Store was much easier to break into to recover passwords. Therefore I was very surprised to learn that in IE10, Microsoft now stores ALL passwords in the Windows Credentials Store – with no new security measures!

The Windows Credentials Store is only protected with the regular DPAPI, and can be (relatively) easily cracked. All private entries of a user can be found in that user’s profile. By default, the folder is in:
C:\Users\<USER NAME>\AppData\Local\Microsoft\Vault\<VAULT_UID>
where
<USER NAME> = user name &
<VAULT_UID> = Vault identifier. By default, the value is: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28.

Each IE10 password entry is in a .vcrd (Vault Credential) file and the encryption key is stored in the same folder.

This moves IE10 into the same league as Google Chrome leaving Mozilla Firefox as the leader in terms of password security (providing you enable a strong Master password).

How to change your Exchange E-mail Account Password


How many times have you heard about a celebrity, politician or even friends and family who have their e-mail accounts hacked? Don’t be the next victim!

There are two ways to protect your e-mail:
1. Choose a difficult password
2. Change your password on a regular basis

In this article, I will show you how to change the password on your Microsoft Exchange e-mail account.

If your company has a security policy to change your password on a regular basis, you’re all set to remember – if not, add a recurring reminder to your calendar to change your e-mail password about once every 90 days.

To change your password, log into your web-mail account (NOT in Outlook!) using your Internet Explorer browser (if you use another browser, you may not see all the options listed below).

If you don’t know what your web-mail address is, (in Microsoft Outlook 2010) go to the “File” tab on the menu ribbon. Select the Account you wish to modify in the drop down menu under the “Account Information” banner on the Info sub-tab. The web-mail address should be listed next to the “Account Settings” button next to your picture (see text in red in picture below).

[Screenshot: Outlook 2010 File Menu]

When you load the web-mail address in your browser, you will get a login screen. Enter your e-mail (or sometimes domain\username) and password and press the “Sign In” button.

[Screenshot: Outlook Web App Log In Screen]

In the top right corner, select “Change Your Password…” from the Options menu.

[Screenshot: Outlook Web App Options Menu]

Enter your current & new password & click “Save”. Again, please note: you may not see the “Save” button unless you are using Internet Explorer as your browser. The Outlook Web App does not play nice with non-Microsoft browsers…

[Screenshot: Outlook Web App Change Password Screen]

The next time Outlook tries to connect to the server, it will ask you to log in using your new password.

That’s all folks!

LinkedIn Security Breach: What You Really Need to Know


Yesterday, (6/7/2012) it was announced that LinkedIn has suffered a major security breach and 6.5 Million passwords were stolen. Immediately, news stories, e-mails and press releases were sent out telling everyone to go online and quickly change their passwords. While this is a good idea, and you definitely should change your password, you really need some background on why you need to change your password and what you should change it to.

First, some background. The hackers did not steal 6.5 Million passwords. They stole 6.5 Million password hashes.

What’s a hash you ask? Think of it as a black box into which you put your password – press the button and out pops a hash. A hash is a one-way mathematical process to convert any text string into a set of (seemingly) random alphanumeric characters. Any two different sets of text will give you different hashes. For example, if your two passwords are “Password1” and “Password2”, the hashes would be (in base64) “cMzZAHM41tgd07YnFiG5z5qX6gA=” and “kjfLD7kesqJFhF+fPvQt76LklLY=”.

Therefore, what the hackers have are a bunch of hashed passwords – the (main) way to break them is to generate hashes from a huge list of common words (called a rainbow list and used in a so-called dictionary attack) and compare the list of generated hashes with the stolen hashes. If any of the hashes match – the hackers know which word you used to generate that hash.

The hackers then try any passwords they are able to crack against a list of user names to guess which one belongs to you. This might sound difficult but it is very fast for a computer.

Now, there are two things to think about. If your password is something simple such as “ILoveYou” and you change your LinkedIn password to something equally simple (such as “ILoveYouToo”), a dictionary attack will easily figure this out – not to mention that it probably already exists in the list of 6.5 Million hashes. Secondly, LinkedIn has not disclosed how the hackers obtained this list in the first place, nor have they said that they have fixed the problem. In other words, for all we know, you change your password & the hackers just download the latest password hashes all over again!

So what should you do? First, change your password to something that is:

  1. Long
  2. Uses special characters (!@#$%^&*,._-=, etc.)
  3. Uses multiple cases (E.g. UpPeR&LoWeRCase)
  4. Has both numbers and letters

Second, set a reminder on your calendar to go and change your passwords on a set schedule – whatever won’t drive you crazy, be it monthly or annually. And definitely change your password once LinkedIn publishes that they believe they have fixed the issue.

Having trouble remembering your password? Check out XKCD for some tips: XKCD: Password Strength

Want to generate a hash on your own? See: Hash Generator

Finally, for a great introduction to the technical side of hashing and salting passwords, see: PHP Security: Password Hashing

Questions? Leave a comment below and I’ll respond as soon as I can. Thanks!