[ISN] The Password PUZZLE

InfoSec News isn at c4i.org
Thu Dec 9 03:15:36 EST 2004


By Aman Batheja
Star-Telegram Staff Writer
Dec. 08, 2004

It's December, so Dorothy probably has "candycane" written on a piece
of paper in her desk drawer.

Last month, it was "turkey." Before that, "pumpkin."

At work, Dorothy often chooses her computer password based on the next
holiday on the calendar. She has to use several methods of creating
passwords because she must change them so often.

"You have to write them down, and I know I shouldn't," said Dorothy, a
Fort Worth woman who asked that her last name not be used because,
well, she just told everyone her password. "I have an entire sheet of
passwords at my desk, which defeats the purpose of security."

Whether it's the name of a child, a favorite sports team or a hot
vacation spot, the constantly growing list of computer passwords
needed to exist in a Web-addicted world is taxing people's patience --
and memory.

Thanks to multiple e-mail accounts, online stores, online bill paying
and network software, the plethora of passwords has some people on
information overload. And it can only get worse this month as Internet
shoppers log on to order those Christmas gifts.

"We're making computer security too hard for the average user," said
Steve Jones, founder of the Association of Internet Researchers.

Most people end up using the same password for all their computer
activities, Jones said. Or they don't change their passwords often
enough. Or they choose passwords that are too obvious.

All of those open the door to hackers.

A survey conducted this year in London by Infosecurity Europe showed
that the most common passwords were names of relatives, followed by
sports teams and pets.

A recent study at Southern Methodist University found that two-thirds
of people's passwords are based on the users' personal
characteristics, said Alan Brown, a psychology professor who conducted
the study. Brown surveyed 218 students and found that about half based
their passwords on proper names and birthdays, he said.

Just 7.1 percent of the respondents used a password only once. The
rest duplicated the same password for more than one application, some
five or six times.

"It was kind of disappointing," Brown said. "We confirmed what the
suspicion was."

That sloppy password conduct makes stealing credit card numbers and
other personal information all too easy for hackers, experts say.

"As far as security is concerned, passwords are probably the No. 1
problem," said Mike Stute, chief technology officer for Global
DataGuard in Dallas.

Unconcerned about threats

Every month, the Windows XP Professional software on Nathan's computer
asks him for a new password. Every month, he types in the same one.

"Nobody's trying to rip me off," he said.

That I'm-too-small-potatoes-for-a-hacker-to-care-about attitude is all
too prominent, according to Rick Fleming of Digital Defense, a San
Antonio-based network security firm. About 10 million Americans were
victims of identity theft in 2003, according to the Federal Trade

Many victims never figure out how their information was stolen. But
information stolen from the Internet is likely to be used in the most
prevalent crimes -- illegal credit card purchases and unauthorized
checking account transfers -- according to a September study from
Gartner Research, a company based in Bridgewater, N.J., that
specializes in technology issues.

"The biggest threat to security is people's lack of concern about it,"  
said Fleming, a computer security veteran of more than 20 years.

When people imagine computer hackers, they might think of Matthew
Broderick in the 1983 movie WarGames. Broderick's character guesses
the password to a classified military computer.

But the typical hacker uses "brute force" -- password-cracking
programs that can try up to 300,000 passwords a second. If the word is
in the dictionary or is a proper name, a hacker can crack it in less
than a minute, Fleming said.

The programs are "in every language known to Earth and a few that
aren't, like Klingon," Fleming said.

Hackers don't necessarily mind if they can't find your credit card
number. Sometimes, they just want to use your Internet connection to
launch further attacks. And that could cause you problems with the

"You are the one who could be held legally liable," Stute said.

Some hackers want to use computers other than their own to send out
spyware, which gathers and reports information about a computer user
without the user's consent, or hackers may secretly install a file,
such as the latest hit movie, and make it available for illegal
download by others.

"Then you've got this huge file there, and everyone's coming in and
using your bandwidth access," Stute said.

Getting creative

Some people are more creative than others when choosing passwords.

Mike, a Fort Worth computer security analyst, said he uses the name of
his favorite mythical creature. Helle, a Scottish woman who was
recently visiting friends in Fort Worth, uses the names of her
favorite hotels in Las Vegas.

Some turn their passwords into a wry joke. Liz, who works in a coffee
shop in Fort Worth, makes a point to use ones such as "imbroke" and
"gotnone" when signing on to sites where she pays her bill.

"I think it's funny when I'm paying my student loans in small
increments that my password is something like 'moneygone,' " she said.

Janet, of Weatherford, uses her children's names and adds a number.

The real trick to a secure password is making it seem like more of a
random mix of characters, including numbers and symbols, Fleming said.  
That should increase the time it takes to crack a password.

But, given enough time and resources, hackers can crack anything.

That's why security experts stress the importance of changing your
password often. But that brings the problem back full circle.

"The more frequently you change your password [or] the more complex
you make your password, the more likely you are to forget it," Fleming

One way to remember a new, but effective, password is to pick a
memorable phrase and make your password the first letter of each word.  
Another method is to insert symbols that resemble letters into an old
password, such as turning "dallascowboys" into "da11a$c0wb0y$."

Security advances

Someday, passwords could go the way of the floppy disk and eight-track

Researchers are working on more secure alternatives, such as systems
that use visual passwords. Users are shown a series of pictures or
abstract images and are asked to pick several that seem familiar to

Those images become their password. To sign on, users pick their
pictures from a group of random images.

What makes a graphical password system so attractive is that it's
difficult to tell anyone else your password or to write it down.

Another avenue is biometric devices such as facial scanners. They make
it impossible for anyone but the user to sign on to a given system.

Microsoft founder Bill Gates has suggested that biometrics are the
future of computer security, and Microsoft has introduced a keyboard
with a fingerprint reader.

"All the James Bond stuff we've seen over the years may someday be our
reality," Fleming said.


What makes a good password?

* It should be at least six characters long with upper and lowercase
  letters, plus symbols and numbers if the site or program allows it.

* Avoid names, birthdays, telephone numbers or Social Security

* Devise an acronym using a nonsense phrase or a sequence you can
  remember, like a line from a song or the initials and ages of
  several friends.

* Vary your passwords often. You should change them at least every two
  months for sites or programs containing sensitive information.

SOURCES: Mike Stute of Global DataGuard in Dallas and Rick Fleming of
Digital Defense, a San Antonio-based network security firm

More information about the ISN mailing list