Lessons from criminals – Good passwords matter

Screenshot of an SSH key

While I was returning from my trip to Boston a story broke about the Brazilian authorities’ attempt to crack the encryption used by a financial criminal to protect his digital secrets.

Daniel Dantas was convicted in Brazil in December 2008 for bribing a police officer. He is also suspected of money laundering and other financial crimes, but evidence has not been forthcoming. Police seized five hard disks when they raided his apartment, but the data on them appears to be encrypted with TrueCrypt using 256-bit AES.

Brazil’s National Institute of Criminology (INC) unsuccessfully tried to access the disks for five months before contacting the FBI. The FBI tried dictionary-based attacks against the disks for 12 months without breaking the encryption on any of them, finally returning them to the Brazilian authorities.

Unless this is an elaborate public relations stunt, it appears the integrity of AES-256 as a military-grade encryption standard has been proven in a rather public way. This is excellent news, aside from the issue that an alleged criminal may go unpunished.

The best lesson we can learn from this is the importance of a secure passphrase. I use the term passphrase because password implies that it is simply a word or words. By my definition, a passphrase is derived by taking pieces of a memorable phrase and adding mixed case, numbers and other symbols. Sophos’s Graham Cluley demonstrates the technique in this YouTube video.
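The point of the passphrase technique is that a dictionary attack, which is what the post says the FBI ran for 12 months, only works when the secret is something a wordlist contains. The script below is an added example, not code from the original post or from Sophos: it stretches each candidate through PBKDF2-HMAC-SHA256 (an assumption standing in for the slow key derivation a disk-encryption tool performs), runs a tiny constructed wordlist against the resulting key the way a dictionary attack would, and gives a crude strength estimate. `passphrase_from_sentence` is one hypothetical illustration of "pieces of a memorable phrase plus case, numbers and symbols", not the exact method shown in the video.

```python
"""Why a dictionary word falls to a wordlist check while a derived passphrase does not.

Added example (not from the original post). Assumptions: PBKDF2-HMAC-SHA256 stands in
for the key derivation a disk-encryption tool performs, and TOY_WORDLIST is a tiny
constructed dictionary standing in for a real cracking wordlist.
"""
import hashlib
import math
import os
import string
from typing import Optional

# Constructed toy dictionary; a real wordlist holds millions of entries.
TOY_WORDLIST = ["password", "letmein", "dragon", "boston", "sunshine", "qwerty123"]
ITERATIONS = 10_000  # assumption: modest count so the demo runs quickly


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 32-byte key, as a disk-encryption tool would."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)


def dictionary_search(target_key: bytes, salt: bytes, wordlist) -> Optional[str]:
    """Derive a key from every wordlist entry and report the one that matches, if any.

    This is the defender's check: if your own passphrase is found here, it would
    also be found by anyone running the same wordlist against your disk."""
    for guess in wordlist:
        if derive_key(guess, salt) == target_key:
            return guess
    return None


def passphrase_from_sentence(sentence: str) -> str:
    """Hypothetical illustration of the technique: keep the first character of each
    word (case and digits survive from the sentence), then add a symbol and the word
    count so the result mixes all four character classes."""
    words = sentence.split()
    initials = "".join(w[0] for w in words)
    return f"{initials}!{len(words)}"


def estimated_bits(passphrase: str) -> float:
    """Crude brute-force strength estimate: log2 of the pool size raised to the length.

    This overestimates the strength of anything that appears in a dictionary, which is
    exactly why dictionary_search is the check that matters for real-world guessing."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a caller-supplied guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(weak: str, strong: str, wordlist=TOY_WORDLIST) -> dict:
    """Run the dictionary check and the strength estimate on two candidates."""
    salt = os.urandom(16)
    report = {}
    for label, pw in (("weak", weak), ("strong", strong)):
        key = derive_key(pw, salt)
        report[label] = {
            "found_in_dictionary": dictionary_search(key, salt, wordlist),
            "estimated_bits": round(estimated_bits(pw), 1),
        }
    return report


if __name__ == "__main__":
    derived = passphrase_from_sentence("My dog Rex ate 3 socks in Boston")
    print(derived)
    print(compare("boston", derived))
```

The dictionary word is recovered on the fourth guess regardless of how slow the key derivation is; the derived passphrase never matches, and its character mix pushes the brute-force estimate from under 30 bits to over 60, which is the difference between hours and geological time at any realistic guess rate.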


Yes, it can be argued that you could still fall victim to a keylogger, shoulder surfing or any of a variety of other attacks capable of capturing your password. But none of that matters if your password is easy to guess, because a guessable password on its own raises the odds of being hacked or cracked.

Securing your PC with anti-virus, firewall, full-disk encryption and a secure passphrase protects you against the vast majority of threats to your data. Keeping a separate secure passphrase for each website or service you use adds another layer of protection in case one of your accounts is compromised.

Personally, I use LastPass with two-factor authentication to store my vault of login IDs and passwords. There are many different options for different operating systems, with differing levels of security. The greatest benefit of these tools is the freedom to be secure with a minimum of hassle.

I hope this story inspires more of you to take password security seriously and perhaps one-up the criminals by out-securing them. Modern processors with cryptographically sound algorithms can effortlessly safeguard your data through encryption if properly configured. Deploying encryption and using good password security techniques can help keep you off the list no one wants to be on.