Steganos Blog

May we suggest a New Year’s Resolution for 2014: I’ll start using a password management program so that I am not always using the same password just because it’s the only one I can remember.

Hardly anywhere else is there such a disconnect between knowledge and behavior as with the topic of passwords. Every internet user has them, and everyone knows that secure passwords are
important — yet hardly anyone really takes proper precautions with them.

For most internet users, a password is only an obstacle to the actual goal. Passwords protect e-mails, payment data for online shopping, access to Facebook and much more.

Despite this, many people choose very simple passwords like 123, or they use the same password multiple times. In the best case, two or three different passwords are used.
Even users who lock their doors or take advice from the police about how to protect themselves from break-ins abandon their healthy sense of security consciousness as soon as they sit down at a computer. Why is this?

One reason for this poor “password hygiene” is that the dangers of insecure passwords are not sufficiently known; “I have nothing to hide” is the prevailing attitude.

Laudably, online banking is perhaps the one exception where appropriate security measures are taken. But it is the banks that set the security standard so high, by issuing TAN lists without which transactions cannot be completed. Additionally, one increasingly sees “two-factor authentication”, which means nothing more than that a second layer of protection has been added.

For example, upon entering the password at login, one receives a numeric code sent to one’s mobile. These are measures taken by the providers, because passwords alone are not enough protection — largely because so many people use the same passwords multiple times.

The Risk of Password Recycling

So, why is it so dangerous to “recycle” passwords? Let’s suppose you use the same password for PayPal and Adobe Cloud. We are using this example because Adobe Cloud fell victim to data theft in 2013, as a result of which e-mail addresses and user passwords went missing. As you can see, even well-respected providers are not immune to hacker attacks. The database in which your password and e-mail address are saved together (a combination also known as “credentials”) can be downloaded from the relevant pages with minimal effort. Meaning: your password is floating freely around the internet. The next step is simple: a hacker only needs to keep trying out your credentials with the major web services; if you use your password in multiple places, it will be found somewhere.

Mentally go through the list of sites and services in which you register. Think about Dropbox, Facebook, Google Mail, your insurance policies, Amazon, iCloud, train services, perhaps your own blog, travel agencies, PayPal, dating sites, your Microsoft ID, Spotify, Skype, LinkedIn — the list goes on and on. In the case of PayPal, a hacker — with your credentials — can now order things in any online shop that accepts this method of payment.

Of course vendors try to detect and prevent such fraudulent practices before damage is done. For example, the Facebook Login Alarm goes off when a user who has just logged in from the USA tries a few seconds later to log in from Germany with the same access data. Using the IP address that is transmitted as the sender of every data exchange, Facebook can detect approximately where a data packet has come from. Since nobody can change countries so quickly, Facebook flags such login attempts as potentially fraudulent and requires the entry of more data to authorize the login.
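The login alarm described above is an instance of what is usually called “impossible travel” detection: if two logins by the same account are so far apart that no plausible journey connects them in the elapsed time, the second one is flagged. The following is an added example, not code from the original post or from Facebook; the login events, the city coordinates and the 1,000 km/h speed threshold are all constructed for the demonstration, and the geo-IP lookup that would normally turn an address into coordinates is assumed to have already happened.

```python
import math
from datetime import datetime, timezone

# Constructed sample login events (not real log data):
# (user, UTC timestamp, country from geo-IP, latitude, longitude)
SAMPLE_LOGINS = [
    ("alice", "2014-01-02T10:00:00Z", "US", 40.71, -74.01),  # approx. New York
    ("alice", "2014-01-02T10:00:08Z", "DE", 52.52, 13.41),   # approx. Berlin, 8 s later
    ("bob",   "2014-01-02T09:00:00Z", "DE", 48.14, 11.58),   # approx. Munich
    ("bob",   "2014-01-02T17:30:00Z", "DE", 52.52, 13.41),   # approx. Berlin, 8.5 h later
]

# Constructed threshold: roughly airliner speed. Faster than this is "impossible travel".
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, previous_country, new_country, implied_kmh) for every login
    that would have required travelling faster than max_kmh since the same
    user's previous login. Events are processed per user in time order."""
    flagged = []
    last_seen = {}
    # ISO-8601 timestamps in UTC sort chronologically as plain strings.
    for user, ts, country, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        now = parse_ts(ts)
        if user in last_seen:
            prev_time, prev_country, prev_lat, prev_lon = last_seen[user]
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (now - prev_time).total_seconds() / 3600.0
            # Two logins at the same instant from different places: treat as infinite speed.
            speed = distance / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                flagged.append((user, prev_country, country, round(speed)))
        last_seen[user] = (now, country, lat, lon)
    return flagged


if __name__ == "__main__":
    for hit in flag_impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", hit)
```

Only alice is flagged: New York to Berlin is roughly 6,400 km, and eight seconds is not enough for any journey. Bob’s Munich-to-Berlin move over eight and a half hours implies about 60 km/h and passes. A production system would feed the flagged login into a step-up check such as the additional authorization the post mentions, rather than blocking outright, because geo-IP data and VPN exits produce false positives.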

For this reason, it is important not to use the same password again and again. Even if one considers a particular service to be harmless in terms of the data obtainable from it, we cannot recommend using a password multiple times. Something that one considers unimportant now can become critical later, and suddenly one has entrusted sensitive information to a seemingly harmless vendor. Just think of the ubiquitous synchronization of services with address books. Modern routers often function as simple telephone systems or as base stations for cordless phones. These routers can pull in the Google address book in order to display telephone numbers. One does not want to imagine what could happen if the router at home is not protected with a good password. Many providers also “talk” with each other nowadays over program interfaces, so-called APIs. Through these APIs, Facebook or Twitter are often used as authorization services. Simply put: it is virtually impossible to know which ways your data travel. For this reason, varied and good passwords are a must.

The Myth of the “Safe” Password

What is a good password? The decades-old requirement is that it should look something like A3jNk$1d; in other words, it should not be a word out of the dictionary and should contain numbers, symbols and upper- and lower-case letters. But this is only partially right. In order to determine what a good password is, one needs to know how many password variations the respective provider even allows. For example, a provider that only allows passwords containing numbers makes it easier for hackers, not more difficult as presumed: in this case, they can skip anything without numbers when running through candidate passwords.

For simplicity, we will consider in this blog passwords for authorization (such as with Facebook) and passwords that are used as keys for encryption (such as with Steganos Safe) together.


The cartoonist Randall Munroe, known for his math cartoons on xkcd, demonstrates that passwords created from simple English words are easier to remember and more secure than complicated strings of characters like A3jNk$1d. However, his calculation has a flaw that makes the string of characters look weaker than it really is. What is the flaw?

The more variation the password creation process allows, the better it is. This is called entropy, and the higher it is, the more variations are possible. Thus, a word out of the standard German vocabulary of around 75,000 words has an entropy of 17 bits. In other words, one needs a maximum of 75,000 attempts to “guess” it; the 17 bits are just a more concise representation of otherwise very large numbers. If one chooses a single word from the entire German vocabulary, one arrives at a selection of half a million different terms, which corresponds to an entropy of 19 bits. There may not seem to be a large difference between 17 and 19 bits, but that is deceptive.

Supposing one wanted to crack a password with 17 bits through random attempts and has a program that runs through 1,000 different passwords per second (which is not unrealistic), he would be finished in just over two minutes (2^17 / 1,000 ≈ 131 seconds). With an entropy of 19 bits, one would need almost 9 minutes, with 20 bits over 17 hours.

9 Minutes or 714 Centuries

Critics now argue that a password that consists only of a German word has a very low entropy and that one would be better off choosing a meaningless string of characters with letters, symbols and numbers, such as the above-mentioned A3jNk$1d. But is this really the case? A password that consists of three real words from German vocabulary strung together (for example carbooksausage) has an entropy of around 51 bits, whereas a password like A3jNk$1d has an entropy of only 49 bits. Surprisingly, the easier-to-remember password in this case is also the better one. In both cases, however, we are dealing with dimensions in which the data to be protected are likely to have lost their sensitivity: 49 bits corresponds to 178 centuries of attempts, 51 bits to 714 centuries.

Now, one must of course put these enormous numbers into perspective. It cannot be ruled out that under certain circumstances not only 1,000 different passwords can be tried per second but maybe also 10,000 or even 100,000 (when, for example, it is not a slow web service that is being cracked but rather a locally available piece of encrypted data). Even with 100,000 attempts per second, we are still talking about a search time of 714 years. For very important data, one could use several computers and let them search in parallel. We don’t know exactly what resources the NSA has at its disposal, but if such an intelligence agency set 1,000 computers to crack our 51-bit password, it could bring the time down to under one year; with 10,000 computers, one would already be within practical reach.

This is also the reason why 51 bits is simply not enough for really sensitive data. In Steganos Safe, a 384-bit long key has been used ever since the revelation of the Snowden leaks. With this, the number of variations exceeds the unfathomable 3,940 novemdecillions; this is the name for a 115-digit number.

Let’s go back to the xkcd. Munroe tries to demonstrate that the complicated string of characters Tr0ub4dor&3 is a worse password than the easier-to-remember correct horse battery staple. Tr0ub4dor&3 is a variation of the already unusual and misspelled English word “troubador”. Then he replaces an “o” with a “0” and an “a” with a “4” and adds two additional characters. The result is a seemingly random word, but only seemingly. Because his password is based on an already-existing English word, its entropy is only 28 bits. No wonder that the much longer password with the horse ranked better, with an entropy of 44 bits. If one were to really randomly select a password with upper- and lower-case letters, numbers and symbols, one would create an 11-character password with an entropy of a significantly higher 68 bits.
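The entropy and search-time arithmetic used throughout the last few sections (bits = picks × log2(choices), worst-case time = 2^bits / rate) is small enough to put into a helper. The following is an added example, not code from the original post; it uses exact logarithms and rounds up to whole bits only at the end, so a figure for several words may differ slightly from summing per-word figures that were already rounded up. The 70-symbol alphabet for the random-string cases is an assumption chosen to match the post’s figures for A3jNk$1d; the vocabulary sizes and guess rates are the post’s own.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(choices, count=1):
    """Entropy in bits of `count` independent uniform picks from `choices` options
    (picks may repeat, as a generator drawing words from a list would allow)."""
    if choices < 2 or count < 1:
        raise ValueError("need at least two choices and one pick")
    return count * math.log2(choices)


def crack_time_seconds(bits, guesses_per_second, machines=1):
    """Worst case: the whole space of 2**bits candidates is searched at the given rate."""
    return 2.0 ** bits / (guesses_per_second * machines)


def human_duration(seconds):
    """Render a duration in the largest unit that fits, one decimal place."""
    units = [
        ("centuries", 100 * SECONDS_PER_YEAR),
        ("years", SECONDS_PER_YEAR),
        ("days", 86400.0),
        ("hours", 3600.0),
        ("minutes", 60.0),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(label, bits, rate, machines=1):
    return f"{label}: {bits:.1f} bits, {human_duration(crack_time_seconds(bits, rate, machines))} at {rate:g}/s x {machines}"


if __name__ == "__main__":
    # Assumed alphabet size for the random-string cases (letters, digits, some symbols).
    ALPHABET = 70
    cases = [
        ("one word from 75,000", entropy_bits(75_000), 1e3, 1),
        ("one word from 500,000", entropy_bits(500_000), 1e3, 1),
        ("three words from 75,000", entropy_bits(75_000, 3), 1e3, 1),
        ("8 random chars", entropy_bits(ALPHABET, 8), 1e3, 1),
        ("11 random chars", entropy_bits(ALPHABET, 11), 1e3, 1),
        ("51 bits, offline attack", 51, 1e5, 1),
        ("51 bits, 1,000 machines", 51, 1e5, 1000),
    ]
    for label, bits, rate, machines in cases:
        print(report(label, bits, rate, machines))
```

The practical lesson the numbers carry is the one the post draws: the attacker’s guess rate and parallelism shift the result by factors of thousands, so a margin of tens of bits above “good enough for a web login” is what turns a password into an encryption key worth trusting.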

Reliable Password Manager as Solution

Because it is almost impossible to remember so many passwords, the use of a password manager is recommended. These programs encrypt and save your passwords; you need only remember a single password, namely the one for your password list (sometimes also referred to as the “keychain”). The password manager enters your passwords automatically when a website requires them. This is not only convenient but also increases your security, since the password manager creates good, long and complex passwords that you needn’t remember because they are entered automatically.

http://dl.dropboxusercontent.com/s/ve618cxki08yfyw/Passwortgenerierung_en.png
The Steganos Password Manager allows the automatic creation of really secure passwords, and displays their entropy so one has an idea how safe they really are. The selection of a password manager should be done carefully, as you are after all entrusting the key to your sensitive data to this program. Respectable vendors encrypt and save your passwords on your computer and only transfer this data to a cloud server if you have expressed the wish to do so.

Even then, data should only be saved to the cloud if it has been encrypted and is thus not visible to the cloud provider. This is the case with Steganos Password Manager.

Tips for Secure Passwords

    • Long passwords are better than short ones because they have higher entropy, even if they are created from real words
    • It is only worth using numbers and symbols to increase entropy when the password is short
    • Passwords should never be used over and over, even with seemingly harmless services
    • Ideally, one should use a password manager which encrypts and saves the passwords locally on your computer
    • The password manager should generate passwords itself — that way, one does not have to rack one’s brain and gets significantly better passwords
    • Passwords for your e-mail provider and payment services like PayPal should be changed at least every three months; this also applies to cloud providers like Dropbox or iCloud
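The password manager section and the tips above both come down to the same mechanism: let software draw passwords from a cryptographically secure random source and report how many bits of entropy the draw carries, for either a random string or a word-based passphrase. The following is an added example, not code from Steganos Password Manager or from the original post. The word list, the symbol set and the default lengths are constructed for the demonstration; a real manager would ship a word list of tens of thousands of entries and let the symbol set follow what the target site accepts.

```python
import math
import secrets
import string

# Constructed demo word list (16 entries = 4 bits per word). A real list is far larger.
WORDS = ["car", "book", "sausage", "horse", "battery", "staple", "river", "lamp",
         "cloud", "anchor", "pencil", "window", "garden", "silver", "rocket", "candle"]

# Constructed symbol subset; restrict it further if a site rejects some characters.
SYMBOLS = "!$%&/()=?+-*#_.,;:"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 52 + 10 + 18 = 80 symbols


def entropy_bits(choices, count):
    """Bits of entropy in `count` uniform picks (with repetition) from `choices` options."""
    return count * math.log2(choices)


def random_string(length=12, alphabet=ALPHABET):
    """Uniformly random string from `alphabet`, plus its entropy in bits.
    secrets.choice is used instead of random.choice: the latter is a
    deterministic generator and must not be used for secrets."""
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, entropy_bits(len(alphabet), length)


def passphrase(words=4, wordlist=WORDS, separator="-"):
    """Passphrase of `words` uniformly chosen list entries, plus its entropy in bits.
    Entropy counts only the number of list entries, not the letters in them:
    an attacker who knows the list guesses whole words, as the post explains."""
    phrase = separator.join(secrets.choice(wordlist) for _ in range(words))
    return phrase, entropy_bits(len(wordlist), words)


def length_for_target_bits(target_bits, choices):
    """Smallest number of picks from `choices` options that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


if __name__ == "__main__":
    pw, bits = random_string()
    print(f"random string: {pw} ({bits:.1f} bits)")
    phrase, bits = passphrase()
    print(f"passphrase: {phrase} ({bits:.1f} bits)")
    print("chars needed for 68 bits:", length_for_target_bits(68, len(ALPHABET)))
    print("words needed for 68 bits from a 75,000-word list:", length_for_target_bits(68, 75_000))
```

With the 80-symbol alphabet, 11 random characters already carry about 69.5 bits, in line with the 11-character figure above, while the same 68 bits take five words from a 75,000-word list. The entropy reported is only honest if the generator really is uniform over the stated set, which is why the choice of `secrets` over `random` is the security-relevant line in this block.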

Even if we have by far not covered every aspect of password protection, we hope to have given you some insight into and understanding of this complex topic. Please post any questions in the comments section, and have a great and secure start to the year 2014!

A new version of Steganos Safe 15 for Windows is available immediately.

The update will be offered to current customers within 24 hours for automatic download. An installation is recommended.

    • A problem closing a Safe in Windows 8.x — which in certain circumstances caused the computer to have to be restarted — has been corrected.
    • A problem was corrected in which the Safe main window was displayed in the foreground without reason after unlocking Windows
    • Notice: at this time, the problem corrections apply only to the individual product Steganos Safe, not to the Steganos Safe included in the Steganos Privacy Suite. An update for Steganos Privacy Suite 15 is planned for January 2014.

A new version of Steganos Online Shield for Windows is available immediately.
The update will be offered to current customers within 24 hours for automatic download. An installation is recommended.
  • Problems with connecting to the VPN server have been corrected
  • Connecting and disconnecting have been accelerated
  • A problem was corrected in which user-made deactivations of the automatic start with Windows were re-activated again after an update installation.
  • The notice for automatic repair of the VPN service (should it be compromised by other programs) will be displayed longer.

A new version of Steganos Safe 15 for Windows is available immediately.

Contains all changes listed below from Steganos Safe 15.1 and Steganos Password Manager 15.1
The update for existing users will be offered for automatic download within 24 hours. Installation is recommended.

    • A system crash (blue screen) when closing a Safe still shown in Explorer in Windows 8.1 was corrected
    • The user interface of Steganos Safe acts as expected after returning from Standby/Sleep mode in Windows 8.x
    • The “Hot Keys” (keyboard shortcuts) now act as expected
    • A problem with the displaying of more than six Safes has been corrected
    • “Open Safe automatically at Windows login” now also works when the name of the Safe contains blank spaces
    • The error message “Safe cannot be closed”, shown although it was closed, will no longer be displayed
    • Problems with the opening of portable Safes on certain computers were corrected (“USB Starter Error”, “SLE Data not valid”)
    • The occasionally occurring error message “The Safe engine driver is not completely installed” will no longer be displayed


A new version of Steganos Password Manager 15 for Windows is available immediately.
The update for existing users will be offered for automatic download within 24 hours. Installation is recommended.

    • When starting the program, Windows no longer asks whether you want to allow the program to make changes on the computer
    • When the password of a keyring is changed, the encrypted keyring in the Cloud will immediately be set to the new password
    • In conjunction with Steganos Mobile Privacy for iOS or Android, the incorrect message that a new version of the keyring is available in the Cloud will no longer appear
    • It is no longer necessary to end Chrome for installation
    • Corrections of the English localization

Notice: For technical reasons, it is not possible at the moment to use the Password Manager Plugin (regardless of version) for Internet Explorer. We are working on a solution and recommend in the meantime that you use another browser (for example Firefox or Chrome)

A new version of Steganos Privacy Suite 15 for Windows is available immediately.

Contains all changes listed below from Steganos Safe 15.1 and Steganos Password Manager 15.1
The update for existing users will be offered for automatic download within 24 hours. Installation is recommended.

Steganos Safe 15.1

    • A system crash (blue screen) when closing a Safe still shown in Explorer in Windows 8.1 was corrected
    • The user interface of Steganos Safe acts as expected after returning from Standby/Sleep mode in Windows 8.x
    • The “Hot Keys” (keyboard shortcuts) now act as expected
    • A problem with the displaying of more than six Safes has been corrected
    • “Open Safe automatically at Windows login” now also works when the name of the Safe contains blank spaces
    • The error message “Safe cannot be closed”, shown although it was closed, will no longer be displayed
    • Problems with the opening of portable Safes on certain computers were corrected (“USB Starter Error”, “SLE Data not valid”)
    • The occasionally occurring error message “The Safe engine driver is not completely installed” will no longer be displayed


Steganos Password Manager 15.1

    • When starting the program, Windows no longer asks whether you want to allow the program to make changes on the computer
    • When the password of a keyring is changed, the encrypted keyring in the Cloud will immediately be set to the new password
    • In conjunction with Steganos Mobile Privacy for iOS or Android, the incorrect message that a new version of the keyring is available in the Cloud will no longer appear
    • It is no longer necessary to end Chrome for installation
    • Corrections of the English localization

Notice: For technical reasons, it is not possible at the moment to use the Password Manager Plugin (regardless of version) for Internet Explorer. We are working on a solution and recommend in the meantime that you use another browser (for example Firefox or Chrome)

The new iOS version of Steganos Mobile Privacy is now available:

    • New Look for iOS7
    • Local keychains are deleted after disconnecting from the Cloud
    • A problem with the Dropbox connection, where sometimes several connection attempts were necessary, was fixed.
    • Many small improvements, e.g. in the English localization

A new Steganos Online Shield 365 is now available:

    • The chosen country (Shield location) will now also be used for the automatic connection on Windows startup
    • Improved stability thanks to automatic repair of the VPN service, in case it was affected by other applications
    • Fixed a problem which could in rare cases lead to a crash while connecting
    • More small improvements, e.g. on the connection screen of the free version, and in the Spanish localization
