The other day, I had to change my Windows login password on my work computer. As usual, for the next two or three weeks after any password change, muscle memory kicks in: I type my old password, hit Enter, get told it's wrong, and then enter the new one. I do this every time. The reflex is so strong that when I use a different keyboard (on a tablet, or even a photocopier) I sometimes can't log in at all, because I don't know my password; I only know the movements my fingers make, and the keys sit in different places on different devices.
Anyhow, I posted a humorous note on Facebook saying that this is what I do: I always enter my old password instead of my new one. I got an interesting response from a friend of mine, followed by a conversation with another friend who also works in the security space here at Microsoft. I've changed the names to protect their privacy:
As you can see from the conversation, my friend Dan thought I was talking about updating my login credentials for web portals, which I wasn't. But the thread took on a life of its own: he relies on his web browser's ability to encrypt his saved passwords, and he was confident that a hacker could never breach his system to steal them.
My friend Will countered that such confidence is misguided. A couple of other friends chimed in on the thread, pointing out that vulnerabilities exist and nobody should believe they are entirely secure. Interestingly, the people with the most security background were the most paranoid.
Cyber criminals wouldn't try to break into my friend's system by brute-forcing his encrypted passwords. That's not how they break passwords most of the time; it's too computationally expensive. Instead, they use things like rainbow tables and guessing commonly used passwords to recover the passwords a user relies on.
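To make the contrast in the paragraph above concrete, here is an added example (mine, not the author's) showing why the precomputation shortcut works against plain hashed passwords and what defeats it. It precomputes a hash-to-password table once for a small constructed list of common passwords (standing in for a real "most common passwords" list, which is an assumption), shows that any unsalted hash of one of those passwords is recovered with a single lookup, and then shows that a per-user random salt plus a slow key-derivation function (PBKDF2 here) makes the precomputed table useless. The `audit_salted` function is the defender's view of the same fact: it screens stored records against the weak-password list, which is how you would check your own user base, and it also demonstrates that a salt does not rescue a password that is on the list in the first place.

```python
import hashlib
import os

# Constructed stand-in for a leaked list of the most common passwords (assumption).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome1"]

# Deliberately small for the demonstration; production values are far higher.
KDF_ITERATIONS = 100_000


def build_lookup_table(candidates):
    """Precompute hash -> password once.

    This is the simplified idea behind a rainbow table: the hashing work is
    done a single time and reused against every unsalted hash ever seen.
    """
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def store_unsalted(password):
    """The weak scheme: a bare, fast hash with no per-user randomness."""
    return hashlib.sha256(password.encode()).hexdigest()


def recover_unsalted(stored_hash, table):
    """One dictionary lookup per stored hash; no hashing at attack time."""
    return table.get(stored_hash)


def store_salted(password, iterations=KDF_ITERATIONS, salt=None):
    """The stronger scheme: 16 random salt bytes and a slow KDF.

    The salt is stored alongside the digest (it is not secret); its job is to
    make every user's record different even when the passwords are the same.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def audit_salted(record, weak_list, iterations=KDF_ITERATIONS):
    """Screen one stored record against a weak-password list.

    The precomputed table cannot be used here: each candidate must be re-run
    through the KDF with this record's own salt, so the cost is paid per user
    and per guess. A password that is on the list is still found, which is why
    salting is no substitute for choosing a password that is not on any list.
    Returns the matching weak password, or None if the record passes.
    """
    salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    for candidate in weak_list:
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        if digest.hex() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted: instant recovery of any password on the list.
    print("unsalted 'letmein' ->", recover_unsalted(store_unsalted("letmein"), table))

    # Salted: the same password produces two different records, so the table
    # built above matches nothing.
    rec_a = store_salted("letmein")
    rec_b = store_salted("letmein")
    print("same password, different records:", rec_a != rec_b)
    print("table lookup on salted record ->", recover_unsalted(rec_a.split("$")[1], table))

    # Auditing still flags the weak choice; a non-list password passes.
    print("audit weak ->", audit_salted(rec_a, COMMON_PASSWORDS))
    print("audit strong ->", audit_salted(store_salted("correct horse battery staple"), COMMON_PASSWORDS))
```

The design point is that the salt only removes the "do the work once, reuse it everywhere" shortcut; the slow KDF then makes each remaining guess cost something. Neither helps a user whose password is already on a common-password list, which is the author's second point about how passwords actually get recovered.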
But even then, hackers don't go for the most difficult option. Firefox has vulnerabilities, not necessarily in the browser itself but in third-party plugins such as Adobe Flash, Adobe Acrobat and Java.
As another friend posted, here is a list of security vulnerabilities in Firefox. Once in, a hacker could use a tool such as the one available from SecurityXploded to decrypt the saved passwords.
But the point is this: I don't know the full list of ways a hacker could attempt to get into my friend's system. I work in spam and read a lot about security. Hackers who break in vary in skill, but the really good ones are very good at what they do. Unless you work full time defending against breaches, you shouldn't be so confident that you won't get hacked. Persistent attackers will dedicate resources to finding a way around your defenses. Unless you're not connected at all, you are vulnerable in some way.
Encrypting data helps. Running anti-malware software helps. Not opening strange attachments or clicking on odd links helps. Using firewalls helps.
But it would be a mistake to believe that you’re immune.