Friday, January 3, 2025

Security for Activists - passwords

The lack of understanding about computer security and passwords is a little scary. Lots of activity is now done on-line. Your bank, shopping, email, etc. are all accessed through on-line resources, and this means logging in with a login and a password. In addition to thieves trying to access your accounts, the ruling class and their servants in government have a vested interest in knowing what the citizens are up to. Given the empire's (and this is now an empire) long track record of attempting to suppress and silence activists (see the Wikipedia entry for COINTELPRO, or google the phrase "green is the new red"), it is imperative that those in the movement know how to protect themselves and prevent the status quo from disrupting us.

Computer Power

In 1977 Digital Equipment Corporation, AKA DEC, released the VAX-11/780 (a better picture is here: VAX 11/780). The pictured machine is 3 side-by-side cabinets, each about the size of your refrigerator. What is not shown is the power handling module, which was also the size of your fridge. The entire system was powered by a 440 volt 3 phase line. At the time it was introduced the cost was between $120,000 and $160,000. Just for reference, in 1976 my parents bought a 4 bedroom, 2 bath, 2 story brick house that had been built in 1900 on a double city lot in Norfolk, Va. The cost of their home was $55,000. The VAX was rated at 1 MIPS (Million Instructions Per Second).

As anyone who knows anything about computers will tell you, MIPS is also known as Meaningless Indices of Performance. Without getting too far off into the weeds, a lot has happened in the computer field to make MIPS a defective yardstick: RISC vs. CISC, advances in hardware and software optimization, more efficient algorithms, and multiple CPUs and cores are now the norm. But it is the yardstick we have.

My cell phone is a Samsung Galaxy S24+ that cost about $800. The way performance is measured has changed a lot since 1977, but its MIPS rating is, ball park, over 5,000 MIPS. We have come a long way from a machine the size of 4 refrigerators.

On the other end of the spectrum is the supercomputer. These are huge, very expensive machines that governments and big research universities have. The performance of these machines is measured in petaFLOPS; one petaFLOPS is one quadrillion (10^15) floating-point operations per second. Currently (Jan 2025) the fastest machine is known as Frontier, at Oak Ridge National Laboratory. The following link lists the top 21 fastest machines. Frontier is capable of 1,194 petaFLOPS. This list does not include machines owned by the NSA and other secret agencies. It is a safe assumption that their machines are at least as fast as Frontier.

So what was the point of the last few paragraphs? In general, cracking passwords is a brute force effort: the more powerful the machine, the less time it takes to crack the password. When you have government machines capable of making trillions of attempts a second, most passwords wouldn't last more than a few minutes. The good news is that the people who have access to supercomputers have no interest in stealing your money; they will just print more. The people who want to steal your money generally don't have access to supercomputers.

Anatomy of a strong password

A strong password should be at least 7 characters in length. With each character added the password gets harder to crack. If a password can be composed of any of the 95 printable ASCII characters (a-z, A-Z, 0-9, and !@#$%^&*()_+{}-=[]|\;:'"<,>./?~`), and the password is one character in length, the number of guesses a password cracking program has to make is 95. If the password is 3 characters in length, the number of guesses to crack the password is 857,375 (95 x 95 x 95, or 95^3). So a 7 character password would require 69,833,729,609,375 (95 x 95 x 95 x 95 x 95 x 95 x 95, or 95^7) guesses.

The two points I am making here are:

  1. the longer the password, the harder it is to crack;
  2. using mixed case characters, numbers and special characters makes it even harder to crack.

Use mixed case characters, numbers and special characters in your password. Again this makes the password harder to crack.
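The arithmetic above, carried a little further, as an added example that is not part of the original post: it computes the 95^n keyspace for a range of lengths, expresses it in bits, and converts it into worst-case cracking time at two guess rates. The rates are assumptions chosen for illustration (the post's "trillions of attempts a second" for a government machine, and a billion per second standing in for a criminal rig); nothing here measures real hardware.

```python
import math

# Printable ASCII as the post counts it: 95 characters in total
# (a-z, A-Z, 0-9 and the remaining printable symbols).
PRINTABLE_ASCII = 95

# Guess rates to compare against. Both are assumptions for illustration:
# the post speaks of "trillions of attempts a second" for government
# machines; the lower figure stands in for a well-funded criminal rig.
GUESS_RATES = {"criminal rig (assumed 1e9/s)": 1e9,
               "government machine (assumed 1e12/s)": 1e12}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Same keyspace expressed in bits (log2 of the number of candidates)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest convenient unit."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def strength_table(lengths, rates=GUESS_RATES):
    """One row per password length: keyspace, bits, exhaustion time per rate."""
    rows = []
    for n in lengths:
        space = keyspace(PRINTABLE_ASCII, n)
        row = {"length": n, "keyspace": space,
               "bits": round(bits_of_entropy(PRINTABLE_ASCII, n), 1)}
        for label, rate in rates.items():
            row[label] = human_duration(seconds_to_exhaust(space, rate))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in strength_table(range(1, 15)):
        print(row)
```

Running it shows why the post says a 7-character password would not last long against a trillion-guess-a-second machine: 95^7 candidates are exhausted in a little over a minute at that rate, while each extra character multiplies the time by 95.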

Never use an easily guessed password. Words like "sex", "money", "secret" and "password" are not passwords. Nor should the password be something about you, like the city where you were born or your significant other's name. A password should never be a word found in the dictionary. A common hacking technique is called a "Dictionary Attack".

A dictionary attack is a system where the program that is attempting a break-in will randomly pick a word from the dictionary, say the word cat, and will attempt to log in to your account while changing the case of the letters, like so: cat, Cat, cAt, caT, CAt, cAT, etc. If none of these combinations works, the word is marked as tried and another word is randomly selected from the dictionary, until either they have successfully logged in or they have worked their way through the dictionary. A phrase or word with mixed case characters, numbers and special characters looks good on the surface, but if it contains words from the dictionary it's just a matter of time.
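The following is an added example, not code from the original post, written from the defender's side: a small checker that models the attack just described and tells you whether a candidate password is really just a dictionary word in disguise. It enumerates the case variants the post lists, counts how few guesses that attack needs against a word list, and undoes the common digit-for-letter substitutions (cracking rule sets do the same) so that "C4t" or "p@ssW0rd" are recognised as "cat" and "password". The word list is a constructed stand-in for a real cracking dictionary.

```python
import itertools
import string

# A tiny constructed word list standing in for a real cracking dictionary.
WORDS = {"cat", "dog", "password", "secret", "money", "sex", "summer"}

# Digit and symbol stand-ins that cracking rule sets routinely undo.
# "1" is ambiguous (i or l), so it expands to more than one candidate.
LEET_REVERSALS = {"0": "o", "1": "il", "3": "e", "4": "a",
                  "5": "s", "7": "t", "@": "a", "$": "s"}


def case_variants(word):
    """Every upper/lower case spelling of `word` (2 ** len(word) of them),
    the sequence the post describes: cat, Cat, cAt, caT, CAt, ..."""
    letters = word.lower()
    for mask in itertools.product((False, True), repeat=len(letters)):
        yield "".join(c.upper() if up else c for c, up in zip(letters, mask))


def dictionary_case_guesses(words):
    """Upper bound on guesses for the attack as the post describes it:
    every case spelling of every word in the list."""
    return sum(2 ** len(w) for w in words)


def dictionary_base(password, words=WORDS):
    """Return the dictionary word a password is built from, or None.

    Undoes case and common digit/symbol substitutions, ignores appended
    digits or punctuation, then looks the result up in `words`."""
    # Each character may stay as typed or be read as the letter it stands for.
    options = [LEET_REVERSALS.get(ch, "") + ch.lower() for ch in password]
    for combo in itertools.product(*options):
        candidate = "".join(combo)
        letters_only = "".join(c for c in candidate if c in string.ascii_lowercase)
        for form in (candidate, letters_only):
            if form in words:
                return form
    return None


def assess(password, words=WORDS):
    """Compare the brute-force keyspace with what a dictionary attack needs."""
    base = dictionary_base(password, words)
    return {
        "password": password,
        "dictionary_word": base,
        "brute_force_guesses": 95 ** len(password),
        # Only meaningful when the password reduces to a dictionary word.
        "dictionary_case_guesses": dictionary_case_guesses(words) if base else None,
    }


if __name__ == "__main__":
    for pw in ("C4t", "p@ssW0rd", "Summer2024", "s0tc1WA"):
        print(assess(pw))
```

Against even this seven-word list, "C4t" looks like 857,375 brute-force guesses but falls inside a few hundred dictionary guesses; the "Name That Tune" style password later in the post reduces to no word at all and is left with the full keyspace.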

Name That Tune

One of the more secure password algorithms is what I call "Name That Tune". One picks a song, say "Take It Easy" by The Eagles, then one picks a phrase from that song; let's use "Standing on the corner in Winslow Arizona". Using the first letter of each word of the phrase, the password would be "sotciwa". Not bad, but we can make it harder to guess by changing the case of some letters and substituting numbers for letters, like so: "s0tc1WA$%^$%^". We have substituted a zero for the lower case o and a one for the lower case i. We have also made the letters w and a upper case and, just for the hell of it, tacked on 2 sets of characters.
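The derivation above, written out as a function so each twist is explicit, as an added example that is not part of the original post. The function names, the substitution map, and the 0-based positions used to pick which letters are upper-cased are assumptions of this example; the song, phrase and resulting password are the post's own.

```python
def initials(phrase: str) -> str:
    """Lower-cased first letter of each word: the raw "Name That Tune" root.
    "Standing on the corner in Winslow Arizona" -> "sotciwa"."""
    return "".join(word[0].lower() for word in phrase.split() if word[0].isalpha())


def name_that_tune(phrase, substitutions, upper_positions=(), suffix=""):
    """Apply the post's three twists to the root, in order:
    1. swap digits for letters (e.g. {"o": "0", "i": "1"}),
    2. upper-case the characters at the given 0-based positions,
    3. tack extra characters on the end.
    (Names and parameters are this example's, not the post's.)"""
    chars = [substitutions.get(c, c) for c in initials(phrase)]
    for i in upper_positions:
        chars[i] = chars[i].upper()
    return "".join(chars) + suffix


if __name__ == "__main__":
    # The post's own worked example: expected result "s0tc1WA$%^$%^".
    print(name_that_tune("Standing on the corner in Winslow Arizona",
                         {"o": "0", "i": "1"},
                         upper_positions=(5, 6), suffix="$%^$%^"))
```

Because the phrase, the substitutions, the positions and the suffix are all choices the owner makes, two people using the same song can still end up with different passwords; the function only makes the recipe repeatable.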

The real beauty of the "Name That Tune" algorithm is that it's easy to remember, hard to crack, and one can talk about the password without saying the password. For example, let's say we used the above example as the root password to a group of web servers. If someone who knew the password forgot it (it happens) and needed to be reminded, all you would have to say is, "It's the Eagles song." You have just conveyed the password without saying it, and even if someone knows the "Name That Tune" algorithm, they don't know which song, which phrase, or how the phrase was twisted.

Having a strong password is one thing; using it stupidly is quite another. Writing down your password is a bad idea, especially if it is written down in a place where it can be found. I've seen cases where a root password was written on a piece of paper that was taped to the top of the monitor. Another bad idea is to use the same password everywhere. One of the basic principles of security is compartmentalization, that is, keeping things separate. One should use different passwords for different accounts. Maybe not a different one for every account, but at least one for each class of accounts: one for social media, one for bank accounts, etc.

One last point: you should change your passwords every 3 to 6 months. The longer a password is in use, the longer the hackers have to break into your account.

 

Password Managers

Two Factor Authentication

 

 

