Poojan (Wagh) Blog

Requests for comment

Archive for the ‘security’ tag

My Password Setup

So, I’m basically making this post so I can share with friends/family. In this post, I will explain what I do for managing passwords, including two-factor authentication (2FA), and give some options for getting 2FA. Before I do that, I will explain how I got to the conclusion on what I am using.

For those that don’t know me, I am not a security expert. You should do your own research (and maybe consult the security experts out there). I could be wrong about some of my conclusions. And more generally, what might work for me might not work for you.

Also, the scope of what I am explaining here is only for my personal accounts. My company (and most out there) has an IT policy for work accounts.

You can skip past the Intro, if you don’t need convincing on why reusing passwords is insecure. Also, I put my recommendations right up-front in the Bottom Line section, if you don’t want to read the whole article.

Bottom Line

My bottom-line recommendation is to look into the following combination and see which options work for you: something to manage your passwords, and something for 2-factor rolling codes (OTPs).

For managing passwords, you can go with a hard-paper notebook (where you write passwords down and you never store them on a computer) or a password management app, such as KeePass, Bitwarden, or LastPass.

For getting 2-factor rolling codes (OTPs), you can go with a device such as a YubiKey or an app such as Authy, Microsoft Authenticator, or Google Authenticator.

Intro

There have been a lot of password leaks lately. I mean, a lot. This multitude of leaks culminated in a meta-dump of everyone’s password. That is, someone compiled many of the previous leaks and put them into one big password dump. As a result, if you’ve been using a password for any amount of time, and if any of the sites you used had sub-par security practices, your password is probably available on the Internet.

(You can check here. Just enter an email and it will likely show in which of the many breaches your password appeared. Alternatively, you can enter a password here and it will show you if that password was in a data dump. But I’ll save you some time: yes, your email and password are available online.)

Now, one solution is to use unique passwords and not share them between websites. In this case, even if one of your favorite websites leaks their users’ passwords, you only have to worry about someone hacking your account on that site.

Unique passwords solve most, but not all, of the ways people can gain access to your account. Most experts recommend a 2nd factor called one-time-passwords (OTPs) to use in combination with unique passwords. OTPs are basically a rolling code that changes with time.

Remember that there can be a huge profit motive to someone hacking your account. They may want to get your LinkedIn network, your Facebook contacts, or your financial institution. Taking these two steps can make these attacks much more difficult.

Incidentally, similar recommendations are being provided to US officials participating in elections, albeit with Google’s own hardware product.

The Limitation with Passwords

If you want to create unique passwords for each site, you’ll need to create a lot of passwords. And you probably want to use either a notebook to write them all down, or a password manager to store them (in a secure, encrypted format).

Using unique passwords is a reasonable solution. But it does suffer from a significant problem: someone could impersonate a website. Suppose, for example, that I wanted to go to real cat video site but typed the address in wrong, and mistakenly went to fake cat video site. Fake cat video site has completely impersonated real cat video site. Unless I paid very close attention to the web address, I would not know the difference.

I then type in my password (unwittingly) to fake cat video site. Now, they have my password. They have complete access to my account at real cat video site. They can do whatever they want with that password–including delete my videos, or even replace them all with dog videos.* The problem with passwords is that they are static. Once you’ve handed it out, the cat is out of the bag.

This website imitation is easier than you think online: fake cat video site can pass all traffic through to real cat video site without you knowing. They don’t actually have to copy the information; they can simply forward every request and return every answer. This attack is known as a man-in-the-middle (MITM) attack. Passwords can’t help you with them.

2-Factor Authentication

To mitigate this deficiency, most experts recommend something in addition to the password, a second factor. This is called 2-factor authentication (2FA).

The simplest and most obvious way to add a 2nd factor is to add a rolling code: that is, an extra code that changes with each login attempt. With this rolling code, if you log in to fake cat video site with your password and rolling code, they get access to your real cat video site account only once. They can do some damage, but they do not have permanent access. If they try to log in again, they will need a new rolling code.

There are many ways of getting such a rolling code. One of the most convenient is to use an authenticator app, such as Authy, Microsoft Authenticator, or Google Authenticator. (All of these use a common standard, so you can use any of these with most sites that support a rolling code authentication app.)

These methods use your phone to create the rolling code (which changes every 30 seconds or so on an app on your phone). For many people, this is a safe enough option. There are flaws with this method, but it really is a very good compromise between convenience and security. If you are going to do nothing else, enable 2-factor authentication using an app.

The problem with app-based authentication is the scenario where you lose physical control over your phone. Or you install an app or download something that compromises your phone. More generally, if someone has access to your phone, you can’t count on a security app on your phone to really be a 2nd factor. That 2nd factor app (if it sits on your phone) really becomes more of a formality in logging in to an app on your phone.

That said, if you lose your phone and someone has the ability to unlock it, there are much bigger worries than them logging into a specific app or trying to steal a specific account.

The official name of the rolling code is one-time-password (OTP). I use an OTP wherever I can. However, I don’t use an app on my phone to store it. See the next section.

What I Do for OTP

I use a YubiKey for one-time passwords (OTP).

The reason I like the YubiKey is that it allows you to store/generate a one-time password on a hardware device: the small YubiKey itself (which fits on a keychain).

In addition, the YubiKey solves another problem: it’s independently portable. I generally have it on my keychain, where all my keys are. And most people are used to keeping their keys secure. In my case, I duplicate my credentials to two keys. One is a USB-C key (usable on my phone and recent computers) and the other is a regular USB-A key (for backup). So, I have a backup YubiKey that stays at home.

You do need to plug the YubiKey in to your phone or computer to read the codes, but this is done securely: only that single code gets passed through your phone/computer and onto your screen. No one can steal the secret code that generates all the codes; it is protected within the hardware of the YubiKey itself.

I also create backup/recovery codes and print them out. These allow me to log in if I lose both my YubiKeys (or if they get corrupted). I don’t store the backup codes on a computer. They are hard copies and kept in a fire-proof envelope. (Most sites, including Facebook, allow you to create backup codes.)

What I do for Password Manager

There are many options for software-based password managers. The one I use is KeePass 2. The reason I use it is that it’s free (open source) and has options for Windows, Linux, and Android. (I’m not sure about Apple/iOS, but I’d guess there’s a solution there.) And cloud sync is optional. You can store it on a single device, and that device does not necessarily need Internet access. The downside is that if you do want to sync it across devices, it takes some configuration.

Other Options for Password Management

Paper Notebook

While I don’t use a paper notebook (I like the convenience of having a software password manager), it is a good solution. It’s the cheapest (in terms of up-front time and money) solution.

You probably have a notebook lying around your house. If not, take a look at books on Amazon written by Lourdes Welhaven. The only thing to be careful of is that you generate good passwords, which are hard to guess. Your brain is pretty bad at doing random. So, here’s a systematic way using dice (if there are no restrictions on password length). If there are restrictions on password length, go here or here. Incidentally, password-generation is a place where password-management apps really shine.

No one can hack into your computer and steal your trove of passwords, if they are not on your computer. That said, people hacking a regular Joe’s computer doesn’t seem to be the way passwords are leaking–or at least it isn’t the only way. It is, in fact, the websites we use that seem to be the weak link. Every time a website gets hacked, your password at that website spills on the internet.

Other Password Management Apps

There are quite a few other options if you want to go for a cloud-based service. I’ve heard good things online about Bitwarden and LastPass. I don’t have any direct experience with any of these, but I have come across many good comments about Bitwarden.

I did try Bitwarden very briefly on my Android device, but I kept KeePass because the Keepass2Android app has an extremely useful feature: you can set it up as a software keyboard in Android. It can then enter your username/password in other apps with a button on the screen.

The SecurityNow Podcast is sponsored by LastPass, and I generally am comfortable with their recommendations; they seem to have a decent vetting process for their sponsors.

Note that the Have I Been Pwned site I linked in the intro is sponsored by 1Password.

Other Options for OTP

Authenticator apps are pretty neat. You set it up once by scanning or typing in a long code given by the website you want to use it with (Facebook, Microsoft, Snapchat, etc). There’s a different code for each.

Then, after setup, it generates a rolling number that’s needed every time you log in. What’s nice is that the apps conform to a standard. So, you can have one app installed for all your different websites.

I have heard of Authy. Authy is multi-platform (Windows/iOS/Android) and will sync across platforms. Google Authenticator is equally good, but it doesn’t sync your OTPs across platforms. Similar with Microsoft Authenticator.

One could make the case that OTPs should be unique to the device they are on, but for most people, the convenience of setting Authy up once is worth the risk. There are those, however, that disagree: using an authenticator app is better than nothing, but a dedicated hardware security key is much better.

Google also has their Titan security key solution, which is hardware-based. I have not done any analysis comparing it to YubiKey. I just know the YubiKey supports many standards and does whatever I need it to do. I started with YubiKey many years ago and never saw a need to switch. I also have a cautious opinion of Google solutions because of their repeated exits from markets.

SMS for Two-Factor

I really don’t like this option, and I wish companies would stop providing it. (Especially banks, where this seems to be prevalent.)

Once again, I am no security expert, but experts don’t like it and SMS has failed in the past.

* I am a dog person (too), but people like their cat videos.

Written by PoojanWagh

March 28th, 2020 at 11:00 pm

Verisign Labs’ Personal Identity Portal (PIP) / OpenID

2008-10-01 Update
I’ve been informed by Verisign that you can only have one FOB attached to your PIP account. This is no big deal for me, since my FOB is on my keychain and you can always have a one-time password emailed or SMS’ed to you as a backup.


Personal Identity Portal (PIP) is an OpenID provider. This means that you:

  1. Register an account with PIP. You’ll get a URL (e.g. example.pip.verisignlabs.com); that is your OpenID URL.
  2. Go to other web sites–called OpenID clients–for example, My Yahoo, most blogs, identi.ca, army.twit.tv, etc. Instead of registering a username and password, tell them to consult your OpenID URL. Instead of giving them a username:password combination, you just tell them your OpenID URL (example.pip.verisignlabs.com).
  3. The web site then consults with PIP to see if you are authenticated. This authentication is done in a very secure manner, using cryptography, so that no one can impersonate you. To do this, you are temporarily transferred to PIP’s web site.
  4. You select what information (name, location, DOB) PIP should share with the OpenID client.
  5. You are now logged into the OpenID client and can go about your business. The whole time, you only had to remember one password: your PIP password.

OK: big deal. So, I don’t have to remember more than one password. Here’s the cool part: PIP can be set up so that you get a neat FOB (a keychain doohickey). Here’s a picture of mine:

Verisign PIP FOB provided by Paypal

When I hit the grey button, I get a John Nash-like one-time code (only I’m pretty sure I’m not imagining it). This way, no one can log into my account unless they have my key FOB. I can have only one key FOB, and they come in different form factors (including a credit-card size one that fits in your wallet). You have the option of buying them from Paypal for $5 or the cooler looking ones (credit-card size and waterproof FOB) from Verisign for $30-$40.

If you don’t like carrying it around, you can also have PIP SMS or email you a one-time password.

Here’s another cool feature: PIP also has a little JavaScript bookmarklet that will save passwords for other sites that don’t support OpenID (LinkedIn, Facebook, etc). Now, I don’t use this capability because I have a pretty good solution already (KeePass), but I might someday.

A list of web sites that support OpenID is at http://openid.net/where/.

Finally, a runner-up that I’d use is Yubikey. However, being an OpenID provider isn’t their main thing right now (although they do provide it sort of as a demo/utility), and I already bought the PIP/Paypal FOB. Alternative providers (including one that works with Yubikey) are at http://openid.net/get/.

Steve Gibson and Leo Laporte’s SecurityNow podcasts have in-depth discussions of all these technologies.

Written by PoojanWagh

September 21st, 2008 at 11:23 pm

Posted in Web

Locking down wordpress (without SSL)

I was a little worried about WordPress logins, and about whether the data was sent in cleartext. Beyond that, was it possible for someone to snoop on my traffic, steal my session cookie, and then impersonate me? It turns out the answer is yes. So, I wanted to lock down my blog to prevent traffic snooping and to encrypt the login.

This class of problems has been solved. The preferred method to do this would be SSL.

To use SSL, you need two things: a unique IP and an SSL certificate. Dreamhost charges around $4/month for a unique IP. You can get an SSL certificate for around $10/year. I don’t mind paying these charges. However, I have several blogs at different domains. I didn’t really want all the blogs to be SSL. However, I did want to protect my logins from being sniffed/hijacked.

Note that there were a couple of ways I was accessing my blog. I use the regular WordPress web interface (which calls for a method to encrypt traffic through Firefox) and I use Windows Live Writer (WLW). Firefox lets you use either a SOCKS proxy or an HTTP proxy. WLW allows you to specify only an HTTP proxy. However, I found that Privoxy can act as an adaptor, converting HTTP proxy traffic into SOCKS traffic.

I came up with several solutions. In chronological order:

SSH

By far the easiest and best way to get security without paying for SSL is SSH. This has been well-documented elsewhere. You can tunnel your web (http) traffic in SSH. Your traffic then inherits the encryption and authentication features of SSH.
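The best way to tunnel over SSH is to set up a dynamic tunnel; this is the same as a SOCKS proxy. If you’re using the command line on UNIX/Linux, this can be done with:

ssh -D localhost:1080 -N <username>@<server>.dreamhost.com

With the bind address localhost, this will only listen for connections on the current machine (the machine on which you type the above command); an empty bind address or * makes ssh listen on all interfaces. If you want to set up this machine as a secure SOCKS server for other machines to connect to, you type:

ssh -D '*:1080' -N <username>@<server>

The SOCKS listener does no authentication of its own, so in this second form anything that can reach port 1080 on this machine can use the tunnel.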

I did this on my FreeBSD machine once. I can then connect to it from other machines on my network (Windows machines for example).
I use this SSH-based SOCKS proxy in combination with the Firefox Add-On FoxyProxy. FoxyProxy lets you set pattern-based rules to determine whether to send traffic through a proxy (and which proxy).

HTTP-Tunnel

The SSH method works very well from home. Unfortunately, my employer doesn’t allow SSH traffic through its firewall. In fact, the only traffic that is allowed is HTTP traffic, through their own HTTP proxy.
I found a very promising and powerful program called HTTP-Tunnel. This program lets you set up a SOCKS server that translates all your traffic into HTTP requests.
The program is composed of a client (a Perl script running on your machine at work) and a server (which can be a perl script or a PHP script). Since the only access Dreamhost gives is FTP/SSH/telnet/HTTP, I ran the PHP version (which runs as a PHP CGI script). (The perl version listens for traffic on a specific port.)
To get this to work on Windows, I installed CygWin. I tried ActiveState Perl. However, I found the necessary packages for encryption (MCrypt & OpenSSL::RSA::Crypt, available from CPAN) difficult to find & install using ActiveState.
It was difficult to get the parameter sets (& Perl modules) set up correctly for HTTP-Tunnel to work. However, in the end, it did work. I was able to get data from Firefox (once again with FoxyProxy) through the tunnel to DreamHost. Note that once I was in DreamHost’s network, I wasn’t as worried. At some level, you have to trust DreamHost not to spy on your traffic. In my case, there’s not a lot of interesting stuff to look at. I just don’t want unauthorized users getting access to my blog.
The main difficulty with HTTP-Tunnel is that it seems to be unmaintained for quite a while. In addition, I’m not qualified (nor do I have the time) to analyze the code to verify its security (and uncover any vulnerabilities).
One final note: I wasn’t able to use HTTP-Tunnel as a SOCKS server for SSH. (Don’t be confused with using SSH to create a SOCKS tunnel.) What I was trying to do here is run an SSH session which used the SOCKS tunnel (created by HTTP-Tunnel) as a communications channel. I tried both OpenSSH and PuTTY. Both failed because, for some reason, the HTTP-Tunnel program just stalled during SSH key negotiation.

WordPress Plugins

I found two excellent plugins that took care of web logins to WordPress.

Restrict WordPress cookies by IP

One thing about TCP/IP is that due to the 3-way handshake, you cannot spoof an IP. (You can send a SYN packet, but you can’t negotiate a link from a bogus IP address.) So, if we restrict the cookie to come from a specific address (by encoding the IP address in the cookie), we can verify that the person making a request using this cookie is the real person (i.e. has the correct IP address).
In fact, w-shadow wrote a WordPress plug-in that does exactly this. It’s even up-to-date for WordPress 2.6. Note, however, that this plug-in won’t prevent man-in-the-middle attacks. I’ve concluded that such attacks are pretty difficult to orchestrate, since you need to be upstream from the victim.
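
The idea described above, as an added Python example (this is not w-shadow's plugin code): the server signs the cookie with an HMAC over the user name, expiry time and client IP address, so a cookie sniffed off the wire fails verification when replayed from another address. The key, cookie layout, function names and documentation-range IP addresses are assumptions for illustration; a client that shares the victim's public IP (the same NAT) still passes.

```python
# Added example (not the plugin's code): a session cookie bound to the
# client IP address with an HMAC. All names and values are constructed.
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: a per-site secret key


def _sign(user: str, expires: int, ip: str) -> str:
    msg = f"{user}|{expires}|{ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user: str, client_ip: str, now: float, ttl: int = 3600) -> str:
    """Cookie = user|expiry|MAC. The IP is covered by the MAC, not stored."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    expires = int(now) + ttl
    return f"{user}|{expires}|{_sign(user, expires, client_ip)}"


def verify_cookie(cookie: str, client_ip: str, now: float):
    """Return the user name if the cookie is valid for this IP, else None."""
    try:
        user, expires_s, mac = cookie.split("|")
        expires = int(expires_s)
    except ValueError:
        return None  # malformed cookie
    if now > expires:
        return None  # expired
    # Recompute the MAC with the address the request actually came from.
    expected = _sign(user, expires, client_ip)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None  # wrong IP, forged field, or wrong key
    return user


if __name__ == "__main__":
    owner_ip = "203.0.113.10"    # constructed: the blog owner's address
    sniffer_ip = "198.51.100.7"  # constructed: someone replaying the cookie
    cookie = issue_cookie("alice", owner_ip, now=1000)
    print("owner's request:  ", verify_cookie(cookie, owner_ip, now=1500))
    print("replayed elsewhere:", verify_cookie(cookie, sniffer_ip, now=1500))
    print("after expiry:     ", verify_cookie(cookie, owner_ip, now=4601))
    forged = cookie.replace("alice", "admin", 1)
    print("edited user name: ", verify_cookie(forged, owner_ip, now=1500))
```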

Use OpenID

The WP-OpenID plugin allows you to associate a WordPress user with an OpenID account. I have an OpenID provider. Associating with OpenID allows me to log in (using SSL) to OpenID first. Then, I automatically get access to my blog account.
Unfortunately, this scheme does nothing to help with hijacking the session. So, it should be used in combination with w-shadow’s plugin.

Encrypt the login

I found another jewel of a plug-in: Semisecure Login Reimagined. This plugin sends a public RSA key to the client (via JavaScript). The client then encrypts the username/password with this public key (using JavaScript in the browser). The server (and only the server) can decrypt the username/password.
So, merely logging in does not send your username/password in the clear.

Summary

Obviously none of the above is as good as SSL. Pretty much everything supports SSL (including the HTTP proxy at my work). However, given the cost of SSL (unique IP & certificate), I feel that the WordPress plugins (when I am not at home) and tunneling over SSH (when I am at home) give my username/password & cookies fairly sufficient protection from being sniffed/hijacked.

Written by PoojanWagh

August 24th, 2008 at 9:35 am