Reasons to change your password

February 25th, 2008

One of the questions I often get is “Why should I change my password?” Here are five technical reasons for regular password changes.

1. Having a password change schedule reduces the likelihood that the same password is used for multiple accounts. For example, we wouldn’t want our password to be the same as our UMW password. Right? : )

2. Passwords can be guessed over time, and ‘shoulder surfing’ (watching someone type) makes the guessing easier.

3. Passwords can be attacked with brute force. Periodic changes reduce the effectiveness of this type of attack.

4. Passwords can be ‘sniffed’ when they are sent over older, insecure protocols.

5. If someone has already captured your password, changing it takes care of that issue.

Disk Encryption Bad News!

February 22nd, 2008

Just as I was getting excited about the new version of Truecrypt and learning of FREE Compusec, this study really yanked the rug out from under full disk encryption. Researchers at Princeton discovered fairly easy ways to get a disk’s encryption key if a computer is on, or even if it has only recently been turned off. What is really bad news for some implementations of Bitlocker, and possibly other disk encryption techniques that store the key in a TPM chip, is that the computer can be turned off for months and this attack is still effective.

Other than making sure one’s computer is turned off completely — no sleep mode, and in some cases not even hibernation — there isn’t a good defense for software-based full disk encryption. Seagate’s Momentus FDE isn’t currently subject to this attack because the drive stores the key in its own memory chip, independent of the system RAM.

This research from Princeton is certainly going to cause manufacturers to make new hardware technology to protect against RAM dump attacks.

Disk Encryption Good News!

February 22nd, 2008

Good news in the full disk encryption arena. Truecrypt 5.0, and now 5.0a, has been released. The most important new feature in the Windows version is that it can encrypt the entire Windows system partition. Finally, an open source full disk encryption product for Windows. I’ve been using the full encryption on my home machine since Feb. 17th and there don’t seem to be any conflicts or performance issues. Steve Gibson, of, ran a test (defragging copies of a hard drive) that showed performance to be better under Truecrypt than on an unencrypted drive. One limitation of TC’s full disk encryption is that it doesn’t support hibernation, so it may not be suitable for most laptops.

Truecrypt also released versions for Mac OS X, though without full disk encryption. Along with the Windows and Linux support, this makes Truecrypt volumes very portable between systems.

In addition to Truecrypt, FREE Compusec is a free, though not open source, product for full disk encryption for Windows. This product does support hibernation and it has some other features not currently in Truecrypt. I will do an evaluation of this product as well.