Passwords: Information and tools to keep them safe

A friend recently asked me to write an article about passwords.  There are a few things I will touch on first and foremost.  First, you need the best damned AntiVirus program you can afford; check this post for the AV software rated best by independent labs.  Second, protecting your system goes beyond AV; read this post for further information.  Third, no matter how many protections you have on your system, they won't protect you from your own stupidity.

People are stupid when it comes to passwords.  The best proof I have is the passwords that come through my powerleveling company.  We level a ton of games, and over the years we've seen the same shape of password over and over: abcd1234, asdf1234 and the like.  I don't know about you, but that to me is not a secure password at all.  It's like you're inviting people to hack you.  Passwords like these sit near the top of every common password wordlist, so a cracking program doesn't even have to brute force them; a dictionary pass finds them in seconds.

The best password is a combination of small and large letters, symbols, and numbers, and as long as you can remember.  Make it something you can remember, not something you have to copy from a text file or a Word document.  A better rendition of the password above would be something like aSdFg!2#4%.  All I did was use the keys asdfg12345, holding shift on every other key, and extend it to 10 characters rather than 8.  On paper that turns a keyspace of 36 to the 8th power (lowercase plus digits) into roughly 95 to the 10th power (every printable character), and it's still easy to remember, which matters if you don't use a password manager.  One caveat before you get too pleased with it: that arithmetic assumes the attacker guesses character by character, and they don't.  Cracking tools ship with keyboard-walk generators and shift-every-other-key rules for exactly this shape of password, so against someone who tries patterns first it is a big step up from asdf1234, but nowhere near 10 random characters.  Truly random ones come out of a generator, which I get to further down.
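To make the caveat concrete, here is an added example (mine, not code from the original post) that puts the article's keyspace arithmetic next to the candidate set an attacker would actually generate for "two runs of adjacent keys joined together, maybe with every other key shifted", which is exactly what asdfg + 12345 is. The US QWERTY layout is assumed; the rows are typed in by hand.

```python
# Added example (not from the original post): the article's keyspace
# arithmetic next to the search space an attacker faces when the password
# is a keyboard walk with every other key shifted, as aSdFg!2#4% is.
import math
from itertools import product

# US QWERTY rows, unshifted and shifted, in physical key order (assumed layout).
UNSHIFTED = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]


def naive_keyspace(pw: str) -> int:
    """The article's arithmetic: (size of every character class present) ** length."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation plus space -> 95 total
    return size ** len(pw)


def row_runs(length: int):
    """Every run of `length` adjacent keys along one row, read left-to-right
    or right-to-left, as (unshifted, shifted) string pairs."""
    for lo, hi in zip(UNSHIFTED, SHIFTED):
        for start in range(len(lo) - length + 1):
            u, s = lo[start:start + length], hi[start:start + length]
            yield u, s
            yield u[::-1], s[::-1]


def alternate_shift(unshifted: str, shifted: str, phase):
    """phase None: no shift; 0: shift keys 2,4,6,...; 1: shift keys 1,3,5,..."""
    if phase is None:
        return unshifted
    return "".join(s if (i + phase) % 2 else u
                   for i, (u, s) in enumerate(zip(unshifted, shifted)))


def two_run_walks(n: int) -> set:
    """Everything an attacker's 'two keyboard runs, optional alternating
    shift' generator would try at length n."""
    out = set()
    for a in range(1, n):
        runs_a, runs_b = list(row_runs(a)), list(row_runs(n - a))
        for (u1, s1), (u2, s2) in product(runs_a, runs_b):
            for phase in (None, 0, 1):
                out.add(alternate_shift(u1 + u2, s1 + s2, phase))
    return out


def compare(pw: str) -> dict:
    """Bits of work under the naive model vs. under the pattern model."""
    walks = two_run_walks(len(pw))
    return {
        "naive_bits": round(math.log2(naive_keyspace(pw)), 1),
        "is_keyboard_walk": pw in walks,
        "walk_bits": round(math.log2(len(walks)), 1),
    }


if __name__ == "__main__":
    for pw in ("abcd1234", "asdf1234", "aSdFg!2#4%"):
        print(pw, compare(pw))
```

The naive figure for aSdFg!2#4% is about 66 bits; the whole two-run candidate set at length 10 is under a million entries, well under 20 bits, and the password is in it. The pattern check only covers the shape discussed here; other generators (leet substitutions, dates, dictionary words) shrink other "clever" passwords the same way.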

When we're talking about games, it is a delicate subject.  People think that because they use an authenticator they are safe, so they can have a really simple password.  Unfortunately, that's not really true.  The problem is that, to make them more convenient, games released their authenticator apps for iPhones and other phones, and phones can be rooted, which means the app can be pulled off the device and its code reverse engineered.  Let me assure all you World of Warcraft players that it has been done.  An authenticator is a second lock on the door, not a reason to leave the first one open.  Keep a strong password and a good AV program, and protect your system!

Another subject we should chat about is trojans, keyloggers, rootkits, and RATs (Remote Admin Tools).  The best AV software can be fooled, it can be bypassed, and it can be turned off; again, people are stupid.

Certain bots/hacks out there require a rootkit to hide themselves from the game's anti-cheat.  The problem with a rootkit is that it can hide other software from you too, like trojans and keyloggers.  So the bot/hack peeps tell you to add their directory to your AV's exclusion list, and since you want to use the bot, you do it... and that's when the shizz hits the fan.  Of course you also have to give the software permission to reach the internet, assuming you're using a 2-way firewall.  Once you've done both, anything that came along with the bot has free rein, and everything on your system is up for grabs.

When dealing with rootkits, the best solution is to let the AV remove it.  Once it's been removed, scan the bot's directory.  If it checks out clean, let the bot update itself, and scan again.  If it still checks out clean, then you can exclude the directory from your AV and put the rootkit back.  Can it be abused later? Sure it can.  Once a rootkit is on your system, you are at the mercy of anyone who knows how to use it.  If you want your account to stay safe, don't use rootkits.

A virus really won't mess with your passwords.  "Virus" is used as a generic term for all malware these days, but a virus proper goes in to mess up your data.  Same thing with a worm, though some worms also carry data-stealing payloads, so update your definitions often.

A trojan isn't really a virus.  What a trojan actually does is open a back door on your system.  They are often used to drop a RAT or keylogger.  If your system detects one, get rid of it immediately and scan the directory it was in thoroughly.  Hopefully it's a new arrival, not something that's been sitting there for weeks or months.  A trojan can drop a file into any directory, so do a full deep scan as soon as possible.

Keyloggers have become more and more adept at getting your information.  If you are infected with one, even if it was only yesterday, go in and change all your passwords for everything (after doing a complete system check).  These days a keylogger grabs everything you type, as well as everything on the clipboard, which is why copying and pasting from a text file or Word document doesn't help if you are infected.  Keep reading for a solution...

A RAT... people actually use these.  A remote desktop tool such as TeamViewer could be considered a RAT.  But the kind we care about is usually placed on your system by a trojan, and when you connect to the internet it signals its operator that you are infected.  Then it's just a matter of them searching through your system for the information they want.

Assuming for a moment that you have followed my advice in the past and want just a bit more security when surfing the web or playing a game, you can get a program called KeyScrambler.  The pro version protects online games as well as web access.  If you just want to protect yourself on the web, the free version covers IE and FF.

A great tool to use is a password manager.  There are a few out there, and most browsers have one built in.  Use them, and for your own safety put a master password on them; without one, anything running under your Windows account can read the stored passwords straight out.  Alternatively, there are stand-alone password managers like RoboForm, KeePass, or Password Keeper.  I use KeePass (open source and free).  I won't make a recommendation, even for KeePass, since I have not tried them all, and there are probably others out there; this is just a small sampling.  KeePass does have an option to run from a memory stick, however.  One thing I like about using a database like this is that I'm not afraid to keep copies in secondary locations, like my camera, phone, mp3 player, etc.  If one gets lost or stolen, without my master password and the application they aren't going to get access to my passwords.  The one catch is that whoever holds the file can guess at the master password offline for as long as they like, with no lockout and nobody watching, so the master password has to be the strongest one you own.
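Here is what that "offline guessing" looks like, as an added example that is mine and not the page's code or KeePass's real file format (KeePass uses its own, heavier key transformation; the toy header below uses PBKDF2 from the standard library and a low iteration count so the demo runs quickly). The thief needs nothing but the stolen file; the only cost per guess is the key derivation.

```python
# Added example (not from the original post, and not KeePass's format): a toy
# password-database header protected by a key derived from a master password,
# and the offline guessing loop a thief runs against the stolen file.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 20_000  # demo value; real managers do far more work per guess


def derive_key(master: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)


def create_header(master: str) -> dict:
    """Everything a thief gets from the file: salt, work factor, key check value."""
    salt = os.urandom(16)
    key = derive_key(master, salt)
    return {"salt": salt, "iterations": ITERATIONS,
            "check": hashlib.sha256(key).digest()}


def unlock(header: dict, master: str) -> Optional[bytes]:
    """Return the database key if `master` is right, else None."""
    key = derive_key(master, header["salt"], header["iterations"])
    if hmac.compare_digest(hashlib.sha256(key).digest(), header["check"]):
        return key
    return None


def offline_attack(header: dict, wordlist) -> Optional[str]:
    """The thief's loop: no lockout, no rate limit, just KDF cost per guess."""
    for guess in wordlist:
        if unlock(header, guess) is not None:
            return guess
    return None


# Constructed wordlist for the demo; a real one has millions of entries.
WORDLIST = ["123456", "password", "abcd1234", "asdf1234", "qwerty", "letmein"]


def demo():
    """A database locked with asdf1234 falls to the wordlist; a long
    passphrase (assumed not to be in any list) survives it."""
    weak = create_header("asdf1234")
    strong = create_header("correct-Horse-battery-Staple-42")
    return offline_attack(weak, WORDLIST), offline_attack(strong, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The iteration count is the only knob the file's owner controls; raising it makes every guess slower for the thief and slightly slower for you. It never makes a weak master password strong, which is the point of the paragraph above.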

Are there password generators? Sure, in fact I have one on my computer which I use.  PCTools offers a free site, or you can download their password generator as well.  It's available here.  You can use it to make random passwords of any length, and it can generate more than one at a time, so if you wanted 10 of them it would make that many (or more).  I also want to mention that KeePass has a built-in password generator.  Not having tested the other programs, I can't say whether the other password managers have one.

If you want to check the strength of a password, there are plenty of sites out there which can do this for you, but overall the best one I found was Password Strength Checker.  It's the best since it will tell you exactly what's wrong with your password.  But keep in mind that any password checker is subjective: they mostly score on length and character classes, and a password one site rates strong another might rate weak.  Two rules: never type a password you actually use into somebody else's website (test one of the same shape instead), and for safety make your passwords 10-16 characters long.
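As an added example covering both the generator and the checker paragraphs above (my code, not PCTools' or KeePass's), here is a generator that draws from the operating system's random source and guarantees every character class, next to a checker that reports exactly what is wrong with a password. The "common password" list is a constructed stand-in for a real leaked-password list.

```python
# Added example (not from the original post): a random password generator
# built on the OS CSPRNG plus a checker that lists concrete problems.
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Character classes the article wants in every password.
CLASSES = {
    "lowercase": str.islower,
    "uppercase": str.isupper,
    "digits": str.isdigit,
    "symbols": lambda c: not c.isalnum(),
}

# Constructed stand-in for a leaked-password wordlist.
COMMON = {"123456", "password", "abcd1234", "asdf1234", "qwerty", "letmein"}


def has_run(pw: str, n: int = 4) -> bool:
    """True if n consecutive characters step by +1/-1 in code point
    (abcd, 4321) or simply repeat (aaaa)."""
    for i in range(len(pw) - n + 1):
        window = [ord(c) for c in pw[i:i + n]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def missing_classes(pw: str) -> list:
    return [name for name, test in CLASSES.items() if not any(test(c) for c in pw)]


def generate_password(length: int = 16) -> str:
    """secrets.choice is unpredictable, unlike random.choice; rejection
    sampling keeps the output uniform while enforcing class coverage."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(pw) and not has_run(pw):
            return pw


def check_password(pw: str) -> list:
    """Return a list of human-readable problems; empty means it passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    missing = missing_classes(pw)
    if missing:
        problems.append("missing " + ", ".join(missing))
    if pw.lower() in COMMON:
        problems.append("in common password list")
    if has_run(pw):
        problems.append("contains a sequential or repeated run")
    return problems


if __name__ == "__main__":
    for candidate in ("abcd1234", "aSdFg!2#4%", generate_password(16)):
        print(candidate, check_password(candidate) or "ok")
```

The checker is deliberately blunt: it finds abcd1234 in the list and flags its run, and passes aSdFg!2#4% on classes and length, which is exactly the limitation mentioned above (a class-and-length score does not see a keyboard walk). Run it locally; nothing leaves your machine.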

Remember, a password keeper, or even a log file, is only as good as your AntiVirus AND your Firewall.  A one-way firewall, which is what comes standard with Windows XP, filters only incoming traffic.  It assumes that any software on your system is ok to connect to a host outside your network, so a keylogger that is already on the box can phone home freely.  A one-way firewall is extremely dangerous and not recommended.  Find instead a 2-way firewall, which lets you decide which software is allowed to access the internet.  My personal favorite is Agnitum's Outpost Firewall.  While I do not have Windows 7 installed, I do want to mention that the Windows Vista firewall is weak on this front: it can filter outgoing traffic, but ships with outbound filtering switched off.  This is why I use a 3rd party firewall.

Now at the very beginning I mentioned that the best protection can't save you from your own stupidity.  What I mean by this is phishing emails and sites.  A phishing email or site (pronounced "fishing") is a fake email/site asking for your login information while presenting itself as the official one.  A good example of a phishing email is the kind asking you to log in to "their" site with your information, like the ones we get for WoW and Aion.  The best way to check if an email is legit is to ignore its links entirely and type the real site's address into the url bar yourself.  If you want to inspect a link, hover over it and compare where it actually points with what the text shows; the displayed text and the real destination don't have to match, and in a phish they usually don't.  Other phishing attempts are the videos posted on YouTube and other video sites advertising "gm hacks": just send us your login and password... yah right, lol.  A perfect example of a phishing site, and what they can do, is talked about here (pwned).
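The "hover and compare" check can be done by a script instead of by eye. This is an added example (mine, not from the original post): it pulls every link out of an HTML email and flags the ones whose real destination does not match the host the link text shows, or that point somewhere outside the domains you expect. The sample email and its domains are constructed for the demo, and the "registrable domain" helper just takes the last two labels, which is fine for the sample but not for real suffixes like co.uk.

```python
# Added example (not from the original post): automate the "hover over the
# link and compare" advice for an HTML e-mail.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lowercased ('' if there is none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels; a demo shortcut, not public-suffix-list accurate."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(html: str, expected_domains: set) -> list:
    """Return (href, text, reason) for links that lie or go off-site."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = registrable(host_of(href))
        looks_like_address = "." in text and " " not in text
        shown = registrable(host_of(text)) if looks_like_address else None
        if shown and shown != real:
            findings.append((href, text, f"text shows {shown} but link goes to {real}"))
        elif real not in expected_domains:
            findings.append((href, text, f"link goes to unexpected domain {real}"))
    return findings


# Constructed sample phish; domains use .example/.test so nothing real is named.
SAMPLE_EMAIL = """
<p>Your account has been flagged for suspicious activity. Verify within 24 hours:</p>
<a href="http://account.game-company.example.login-verify.test/wow">https://account.game-company.example/login</a><br>
<a href="http://secure-login.test/verify">Click here to verify your account</a><br>
<p>Questions? Visit <a href="https://account.game-company.example/">account.game-company.example</a></p>
"""
EXPECTED = {"game-company.example"}

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, EXPECTED):
        print(f"{reason}\n    text: {text}\n    href: {href}")
```

The first link is the classic trick: the real company's name is in the host, but only as a subdomain of someone else's domain. The second hides its destination behind "Click here". The third is the only one that goes where it claims.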

Is that the limit of stupid people? Hell no! Stupid people also "trade" their accounts.  They get convinced that the person they are trading with is legit.  For the record, just because someone is trustwho verified doesn't make them legit automatically.  A friend of mine, some years ago, had a buyer she would work with on accounts.  He was a legit buyer for accounts and built up one heck of a rep.  Then one day he went bad and started ripping people off.  Of course his positive rep on trading sites allowed him to claim the other person was scamming, and people believed him.  He was trustwho verified AND had great rep.  When someone trades their account, they are "trading" it for another account.  The only legit trade is one handled by the actual game company, and as far as I know SOE is the only company which does this.  Optionally, you can use a middleman service, one that takes in both sides to make sure everything goes legit... but there can be problems with those as well, which is a topic for another time.

Take extra precautions and wipe your logs, browser history and temp files regularly with CCleaner.  A determined hacker who gets onto your box could grab these and search through them for logins, passwords, and recently accessed files.  It also cleans stray files off your system.  It's not really about passwords so much as about being hacked and cleaning up afterward, so CCleaner gets the honorable mention.

One last thing before I complete my writings... if you print out your passwords and keep a hardcopy (I did this in the past), it's a lot safer than keeping a plain file on even a removable thumb drive, unless you use a password manager.  Keep in mind that a hardcopy has its own dangers.  You need to keep it locked in a fire safe, and still have a backup copy somewhere; a safe deposit box would be great for this.  If anyone gets access to the hardcopy, or you lose it, or spill a drink on it... you're screwed.  It might seem safe, but the people around your computer, family and friends included, don't make it as safe as you would think.

So the question is, what is the best solution?  I can't really answer that, but I can say what the best is in my opinion: KeePass and KeyScrambler working side by side.  Even if you do get infected with a keylogger that you have given internet access, KeyScrambler protects what you type and KeePass protects what you store.  With the pro version covering your games, most of what you play is covered against keyloggers.  It is not a guarantee against everything, though: something that grabs the clipboard, takes screenshots or reads the game's memory sits past both tools, which is why the AV, firewall and "don't run rootkits" advice above still stands.

If you want to know more on keeping your system safe, please read this post - System Protection - Use it or Lose it.

For our subscribers, I have a special gift, which I am sure you will appreciate...

6 Responses to Passwords: Information and tools to keep them safe

  1. TomRiddle says:

    Great post Spitt!

    These non game posts to me are the posts that I learn the most from, the original security post (was gratified to see most of my personal selections there) the blackjack posts were most informative….

    I need help in setting or seeing things to set up, so videos help me find where the features are; maybe they will help others as well.

    Some keepass help videos

    installing and set up

    Using the Password Generator

    Sync KeePass between iPhone and desktop

    keepass faq help and set up instructions

    KeeFox adds free, secure and easy to use password management features to Firefox which save you time and keep your private data more secure.

    Think of KeeFox as a bridge or connection between Firefox and KeePass Password Safe, the most popular open source (and free) password manager.

    Review Is Keyscrambler Personal Free Keylogger Protection Plugin Legitimate?

    Keyscrambler Personal Personal Overview

  2. Spitt says:

    Glad you like the post. I am 99.9% sure that no other cheat site has this kind of information, unless they copy from me, that is. I don’t think they realize the amount of people who could be “saved” if just a little information is provided to them. Hopefully we will gain some loyal followers from those who appreciate the kind of information we can provide here.

  3. TomRiddle says:

    I use ExtractNow, which supports 7z files, but it wouldn’t open the KeyScrambler Pro one, so I just went with the free personal version on CNET.

  4. Spitt says:

    Well, first off, I recompressed it as RAR and uploaded it, replacing the 7z link. Second, that was a surprise for the VIP members; I did not mention in the post what it was. o.O Third, I use WinRAR. It opens just about any archive, including archives that are exe’s (and makes them too).

  5. MonekyMan2000 says:

    Another security solution is to use a Macintosh or Linux OS. Either do so on a separate computer which is specifically for banking etc., or install a dual-boot operating system (and make sure the two OSes’ partitioned drives do not have access to each other).

    Macintosh and Linux OSes are known to have fewer security threats on them, therefore reducing the chances you will get key-logged etc.

    I agree with almost everything you have up there except KeePass. I would not use the feature to upload and download your passwords to the internet. This process is EXTREMELY insecure. It is relatively easy for someone to steal your passwords from you, especially if you frequently sync information between you and the server.

    Additionally KeePass, and similar programs, show up as “false positives” on virus scanners, and CAN GET YOU BANNED on online games. My friend had used one of these programs for World of Warcraft and had his account banned because he used the “autokeypress” option when logging into the game. (It was considered a variation of botting.) I just wanted to warn you about this. I am not saying these programs are bad, but in many cases risky. I personally am a much bigger fan of KeyScrambler, since it does not keep any password information stored on your computer and utterly defeats all but the most complex key-loggers.

  6. Joe says:

    Shows more of a problem with Blizzard than the scrambler. Overparanoid. 😉
