Home blog Can You Figgure This Out?

Can You Figgure This Out?

Posted on Posted in blog

Can You Figgure This Out? was Originally Posted on June 6, 2012 by

You should understand that the samples I give here are simplified, so that you can understand them. However, there are many websites which go into better details, if you want to read further. I touch on this subject because LinkedIn, a well known website appears to have allowed people to access their encrypted database.

Most sites accepting users and passwords encrypt that information. Usually the email address and names are stored as is, however the password should be encrypted. Encryption has been around a long time in various forms, sometimes intended, sometimes not. Just try to read hieroglyphics or understand Nostradamus. Encryption can be simple or complex and the more complex the better. I’m sure in grade school you played with codes, perhaps a simple letter or number exchange. A really means “B” and B means “C”, etc. A could equal “01” and B “02”. You can even write simple computer programs to convert a file to an encrypted format and it can take just a couple lines of code to do it, along the lines of “read the value and write a new value + 1″.

As codes get more complex they are harder to decode. Think of treasure maps that after many people and hundreds attemps, remain unsolved. That is, if there is a real solution. I mentioned that there was a shared application called Enigma which is trying to solve a message which was encrypted during the war. 2 of the 3 messages have been decoded by having thousands of people work on small parts of the file.

One innovative cypher was to gather American Indians (code talkers) to pass messages during the war. They used a language not known overseas. Thus the message was not heavily encrypted (anyone with the knowledge of the language could make it out), thus the key was very difficult to obtain for people not native talkers, the key being a unknown language.

When a website asks for your password, it is suggested that you make it difficult and not a standard word. Someone can go to a website and try random words and see if they can access your account. Each attempt has the remote computer take what is entered, encrypt it and test to see if it is correct. You entered “XYZZY” as your password when you set up the account. The system encrypted that as “GUGUUI806786879″ and saved it. Then this random person enters your login name and the password “QWERTY”. The system encrypts “QWERTY”, comes up with an encryption of “JHGFJKGJG5″ and compares that value to what is stored. They do not match, so there is no access granted. Understand that if a hacker goes to a site, many of the passwords are “PASSWORD”, “QWERTY”, “12345678”, “LETMEIN”, etc. They can try just entering the most common passwords until they get in.

OR, they can steal a copy of the database, if it is not protected. It might be in the format:

John Doe, A1F4C308FF82B9

where the name and encrypted password are side by side. rather than feed random or known passwords through a formula fro each entry (which takes computer time), hackers take a long list of known and suggested passwords and create a list of encrypted and non encrypted passwords and store it. Then they just pull the next user and encrypted password, check to see if they already know the unencrypted part and go on to the next. Essentually saying “if anyone is using “A1F4C308FF82B9″, their original password is “QAZ123″. They may quickly scan a list and be able to fill in hundreds of common passwords in seconds. Then they log in to each account and see what damage they can do.

So at times when you are asked to create a password, make it a non-dictionary word. With simple computer skills almost anyone can take a file of dictionary words, pass them through one of the simple encryption formulas and sit back while the computer creates a list of clear text words and encrypted passwords. It does not take a rocket scientist or brain surgeon to do this. Any person taking a computer programming course can do it. Then you take the same list and add a “1” after each word and add to your list.

I once found an healthcare account which had asked me for my SS number. The account identifier they used for me looked suspiciously like my SS number with some digits reversed. I was tempted to see if someone else had similar results but changed provider soon thereafter.

Many sites ask “security questions” to help you recover your passwords. Questions such as “Mothers maiden name” or “high school attended”. Many of these answers may be found easily in your blog, Facebook or Geneology site data. In almost all cases, this is a verification question and not used for real validation. If asked for your birthday to gain access to a website, make up an internet birthday, something like July 4th of the year you were born. Use that data to sign up for online electric company billpaying access. They don’t need your real birthdate, they just want t oensure that the date you enter matches the date they have on record. There are websites with your actual data online like birthdatabase.com. I could easily determine your real date, yet most of my accounts would not accept that date as my birthdat, because my internat birthdate is neither that date nor July 4th (you now have 363 other choices).

Mothers maiden name is a fun one too. Perhaps you identify with Oprah. You could use Harpo as the mothers maiden name (a non relative AND a reversal of letters). You might also use the nonsense name of “Idwtty”. Their software will not blak, buy who would figure out that the letters you entered stands for “I Dont Want To Tell You”.

You can make simple to remember and hard to figure out passwords with sayings such as “The Cat In The Hat Is Fun To Read” becomes “TcItHiF2R” or “ReedingIsFun” using a deliberate mispelling and upper and lower case.

“GudLuck2Yall” and “ILBCNUL8R” (just say them outloud)