[Dixielandjazz] Hacking and Passwords
Robert Ringwald
rsr at ringwald.com
Sun Apr 14 09:22:12 PDT 2013
This was posted some time ago by the DJML assistant Moderator Dave Haupt.
I think it bears re-reading by all DJML members.
You might want to pass this along to your friends.
--Bob Ringwald
DJML Moderator
In the past few months, we've seen a sharp increase in the number of emails that
DJML receives, for which the member claims they did not send the email. At first,
I assumed it was spoofed email. Someone with a modest amount of internet knowledge
can use any of several normal email clients, such as Outlook, to pretend that the
email came from someone else. If I get a copy of those emails, I can inspect header
information and most of the time, identify that it did not originate from the person
who is in the "reply to" address. That method is not 100% though - it depends on
the header information (what is known as an IP address) not matching the sender's
provider. For instance, the email return address goes to AOL, but the IP address
is Comcast. There are valid reasons why this might happen, so it's only a clue.
However, it seems that we're seeing more than just spoofing, we are seeing outright
hacking into accounts. One of my own accounts was compromised last week.
Here's how it works. The would-be hacker runs a piece of software that zips through
hundreds of thousands of guesses for your password. If you use any email provider
who has a web interface, they'll try your account. And, as far as I know, all current
email providers have a web interface.
The software tries combinations of English words as your password, and if it knows
personally identifying info about you, such as your name, it tries them.
I had done something stupid. Back when the internet was a bit safer, I had created
an email address with my ham radio callsign and name, and used as the password, a
simple English word. Dumb even fifteen years ago, and today, an outright invitation
to be hacked.
A friend called me on the phone to tell me I'd been hacked. I first assumed it was
spoofing, but then I logged into my email account, and checked the "sent" folder.
There were the spam emails, sent directly from my account, by someone logged directly
into it as me. My password was compromised. Of course, when I saw this, I made
huge forehead indentations in my keyboard, as I realized how stupid it was to use
a plain English word as a password.
The hackers seem to find a way in, then send spam to everybody in your address book.
Keeping your address book empty helps, but it's better to close the door on the hackers.
So, this is a strong recommendation to all DJML members to select a strong password
for all your accounts. You can make variations on a password and use it for different
accounts, so you aren't completely lost. Believe it or not, writing your passwords
down on a sheet of paper that you tape to your monitor is not at all risky, if it's
a home computer. Hackers do their work over the internet, and they cannot read that
sheet of paper taped to your monitor. They might be able to read a file on your
computer, however.
Here are the basic strong password rules.
1) Do not include any English words, unless you can't avoid the little ones like
"at" or "in" for instance. Simply reversing a word seems to not help. E.g. "newspaper"
spelled backwards will be guessed.
2) Use a combination of upper and lower case letters.
3) Include numerals.
You can come up with your own "formula" for creating them. Think of things you know
about yourself that you don't talk about in email. What was the name of the dealer
who sold you your first car? Let's say it's "Anderson Chevrolet". Take out all
the vowels on the first word and now you have "NDRSN". Make up your own formula
for the capitals, like "boom CHICK boom CHICK" so you'll know that you capitalize
#2 and #4 and maybe #6 and #8 since they'll actually be #2 and #4 in the next measure,
er, word. Select another nonsense word the same way - think of something you'd know
but that you don't think much about, like that presidential candidate you voted for
in college who did not win, and maybe this time, take out all the consonants. Put
a two or three digit number between the two non-words or before or after the whole
thing. I've given only one example of a way to come up with a password that, to
anybody else, looks totally random. And one that a
computer program is unlikely to guess.
Do not use your name, the name of the instrument you play or the words of anything
you routinely discuss in email.
This style of hacking can only be reduced by making strong passwords.
Hope this helps.
Kindly,
A somewhat humbled Asst DJML moderator
Dave Haupt
Hillsboro, OR
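Added example, not part of Dave Haupt's post or the DJML archive: a small Python script that models the guessing software he describes (a word list, each word tried as-is, reversed, capitalised and with digits appended), checks a candidate password against his three rules, and implements one reading of his "take out the vowels, boom CHICK the capitals, put a number in the middle" recipe. The word list, the personal details and the second word ("mondale") are constructed for the demonstration, and the "login" is modelled as a SHA-256 comparison purely so the script runs offline; that is an assumption, not a claim about how any e-mail provider stores or checks passwords.

```python
"""Toy dictionary attack and password-rule checker (added example, assumptions noted inline)."""
import hashlib

# Constructed toy word list. Real guessing software uses hundreds of thousands
# of entries; a handful is enough to show the mechanics.
ENGLISH_WORDS = ["newspaper", "jazz", "trumpet", "password", "anderson", "chevrolet"]
# Constructed "personal info" an attacker could harvest (name, instrument), as the
# post warns against using.
PERSONAL_INFO = ["dave", "haupt", "cornet"]

VOWELS = set("aeiou")


def mangle(word):
    """Yield the variations a guesser tries for one base word: as-is, reversed,
    capitalised, upper-cased, and each of those with a 0-99 suffix."""
    bases = {word, word[::-1], word.capitalize(), word.upper(), word[::-1].capitalize()}
    for base in sorted(bases):
        yield base
        for n in range(100):
            yield f"{base}{n}"


def candidate_guesses(words=ENGLISH_WORDS, personal=PERSONAL_INFO):
    """All guesses, dictionary words first, then harvested personal details."""
    for w in list(words) + list(personal):
        yield from mangle(w)


def stored_hash_for(password):
    """ASSUMPTION for the demo: the 'account' holds a SHA-256 of the password.
    This is only so the script is self-contained, not how real providers work."""
    return hashlib.sha256(password.encode()).hexdigest()


def login_check(stored_hash, attempt):
    """Stand-in for the web login form: does this attempt match the account?"""
    return stored_hash_for(attempt) == stored_hash


def dictionary_attack(stored_hash, max_guesses=1_000_000):
    """Try every candidate; return (password, guesses_used) or (None, guesses_used)."""
    i = 0
    for i, guess in enumerate(candidate_guesses(), 1):
        if i > max_guesses:
            break
        if login_check(stored_hash, guess):
            return guess, i
    return None, i


def formula_password(first_word, second_word, number):
    """One reading of the post's recipe: drop the vowels of the first word,
    capitalise its 2nd, 4th, 6th, 8th letters ("boom CHICK"), keep only the
    vowels of the second word, and put a two- or three-digit number between."""
    consonants = [c for c in first_word.lower() if c.isalpha() and c not in VOWELS]
    beat = "".join(c.upper() if i % 2 else c for i, c in enumerate(consonants))
    vowels_only = "".join(c for c in second_word.lower() if c in VOWELS)
    return f"{beat}{number}{vowels_only}"


def rule_violations(password, words=ENGLISH_WORDS):
    """Check a password against the post's three rules; empty list means it passes."""
    problems = []
    low = password.lower()
    for w in words:
        # Rule 1: no English words longer than the little ones, forwards or reversed.
        if len(w) > 2 and (w in low or w[::-1] in low):
            problems.append(f"contains English word {w!r} (forwards or reversed)")
    # Rule 2: mix of upper and lower case.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper and lower case")
    # Rule 3: numerals.
    if not any(c.isdigit() for c in password):
        problems.append("no numerals")
    return problems


if __name__ == "__main__":
    # "mondale" is a constructed stand-in for the post's "candidate you voted for".
    strong = formula_password("anderson", "mondale", 42)  # -> "nDrSn42oae"
    for pw in ["newspaper", "repapswen", "Trumpet7", strong]:
        found, tries = dictionary_attack(stored_hash_for(pw))
        print(f"{pw:12} guessed={found is not None!s:5} after {tries:5} tries "
              f"violations={rule_violations(pw)}")
```

Running it shows the point of the post in numbers: "newspaper", its reversal and "Trumpet7" all fall within a few hundred guesses, while the formula password survives the whole list and breaks none of the three rules. Real crackers (hashcat, John the Ripper) drive far larger lists through richer mangling rules than the five used here, so the only thing this toy gets wrong is how fast the weak passwords fall.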