nelladragon

For each website, app, or service you use, you should use a separate password. This post explains why.

When you sign up for an online service or a mobile app you are often asked to register with a username and password. For many services, the username is your email address. Other services ask you for a username, but then also ask for your email address to be used as a recovery mechanism just in case you get locked out of the service.

An attacker may compromise one service by hacking their website. They gain access to the list of usernames and protected passwords. Depending on how the passwords have been protected, if at all, and how long your password is, the attacker may be able to determine your password. The attacker then tries out your email address and password combination on dozens of websites simultaneously. This may lead to the user’s accounts being accessed on multiple websites.

Websites such as facebook.com now take security seriously. User’s who use the same password on multiple sites provide a way for attackers to take over their account that Facebook can’t prevent. If you have used the same password on multiple sites, then you are relying on the security of the weakest, most poorly funded site, to keep all of your accounts on the other websites secure.

What you should do:

• Have a different password for each website.
• Use a password manager to store your user name and password details.
• If offered, use a two factor authentication mechanism (send a code via text message for instance).

What is a good password? Your girl friend’s, boy friend’s, or partner’s name? A common English word, but in Spanish? Your favorite password which you have used for past five years? I know people who have and still do use these types of passwords!

To understand how to choose a good password, it helps to understand how websites use passwords and how attackers try to break passwords. Websites typically store user’s user names and passwords in a database. The passwords should be stored in processed form. That is, when the user first registers with the website, the password should be processed and then stored. When the user logs in again, their password should be processed in the same way and then compared with the stored processed password. If the processed password used for logging in matches the stored processed password then the user has entered the correct password and should be let into the system.

Attackers find a vulnerability or weakness in a website and then steal the database file with the list of user names and processed passwords. Once in possession of the database file, they can then perform an, “offline attack”, in which they perform their attack using their own computing resources. An “online attack” would be where the attack happens inside the network of the attacked website.

Attackers determine how the passwords have been processed by analyzing the website’s code. They then perform a dictionary attack, in which they try out a long list of possible passwords.  Historically, this list would be simply a list of common dictionary words. These days the list would include tens of millions of dictionary words, names, words from different languages, with combinations of various numbers and characters.

Another baseline attack to keep in mind is a Brute Force attack. For this attack and attacker tries all combinations of passwords.

Some websites don’t process stored passwords. These websites sometimes reveal this to their users by emailing them their passwords. Have a look at http://plaintextoffenders.com/ to see websites which have been reported doing this. If an attacker hacks one of these websites, then they have your password, no matter how complex it is.

How long it takes an attacker to try each password depends on how the password was processed by the website. Assuming the website has done a salted hash or better (more on password processing in a latter blog post), then depending on the precise algorithm used, an attacker could try approximately 1,000,000,000 per CPU core per second, and could perhaps arrange for 10,000 parallel CPU cores to operate in parallel, then the attacker could try around 10,000,000,000,000 passwords per second = 1 x 10¹³ passwords per second. There are around 31,536,000 seconds per year. As such, an attacker could try around 3 x 10²⁰ passwords per year.

On a standard keyboard there are around 70 characters (allowing for UPPER case characters) which users are likely to use. If a user creates an eleven character random password, then there are 2 x 10²⁰ possible password combinations. As such, to have a secure password which attackers would need to allocate considerable resources to breaking for a year, your password needs to be twelve random characters long or longer.

Personally, I don’t use completely random passwords. I find them impossible to remember even temporarily and difficult to enter. I create passwords which are based on groups of randomly associated real words, some unreal words, combined with numbers and special characters. My typical passwords are fifteen to twenty five characters long.

The problem with long passwords is how to remember them. I suggest that everyone use a password manager app.

Some example passwords which seem good to me:

• Iw0uldntWritSky99
• JustGoing###23Nice
• S0eedP89ackets__Hist
• WorNoFinishe12*1234

With Shower Timer Talking (https://play.google.com/store/apps/details…) edging past 1000 downloads, it is time for a new version with some new jokes and some new thoughts of the day. I plan to add the following jokes. Do you have any suggestions?

My first app, Shower Timer Talking, is up in Google Play. A week ago I uploaded the second public version of the app. This post describes what it has taken to get this first simple app up and running.

My app uses the following external services:

• Google in-app billing to allow people to donate to the app.
• Facebook and Google+ integration to allow people to use their Facebook or Google+ name and profile photo for photos in the app.

Before you start you need:

• A desktop / laptop computer to run Android Studio on.
• A bank account to link to Google Wallet. This is needed you can transfer money earned from in-app billing.
• At least one Android device. It would be great to have a range of devices: screen sizes, app versions, high end – low end.
• A Google account.
• For Facebook integration: A Facebook account.
• A mobile phone number.

For me, the costs involved in getting set-up were:

• US$99/year: Domain name and hosting (nelladragon.com).  I did this through wordpress.com. You need a domain because you need your Android code to be under a package which reflects a domain you own.
• US$50/year: Added an email address / Google Apps for the domain.
• US$25: Register as a Google Developer.
• AU$168/year: Cost of setting up a “business” address. An address must be published with your app if you are doing in-app purchasing or if the app is paid for.
• AU$29: A very low end phone. I already have tablets and a high end phone.

To create a release version of the app, you need to create a release signing key / key store. It is important to back-up the release key store and back-up the password protecting the release key store. If you loose this, you won’t be able to update your app. It is helpful to have the same debug key store on all the computers you use for development.

To get Facebook integration working I needed:

• A Facebook account with a mobile phone number associated with it.
• A Facebook developer account: https://developers.facebook.com/docs/facebook-login
• A Facebook Application ID. This needs to be integrated into the app. It can be obtained from the Facebook developer console.
• A lot of persistence. The Facebook API has changed significantly with time. As such, you can’t just look at stackoverflow.com to see how things can be done, as many of the answers relate to out of date versions of the API.

Multiple screen sizes, Google integration, and using Text To Speech all needed persistence, but presented no major technical challenges.

The first time through setting up the Android Developer Console for the app took a few hours. The time from uploading the app to it being available to customers was as advertised: in the order of hours.

Shower Timer Talking was uploaded to the Google Play Store last night and is now available on the play store.