Way too many passwords, not enough protection...Does Having A "Password" Protect Your Files?...No Way!!!




By Stevenson Swanson...Tribune national correspondent...Published January 19, 2003

NEW YORK -- The online bank account. The e-mail inbox. The frequent-flier account. The Internet retailer who sells those hard-to-find exercise tapes. All of these Web sites--and thousands more--require passwords.

And that's in addition to all the other user names, codes and personal identification numbers people need to log on to computers at work, withdraw cash from an automated teller machine, check their voice mail and disarm a home security system.

With concerns about security on the Internet and on workplace computer networks reaching new heights, passwords are proliferating to the point that they threaten to overwhelm the original computer--the human brain.

In response, computer security experts are looking for new ways, including such techniques as "cheap fingerprint or retina scans," for people to prove that they are who they say they are in the chaotic computerized universe.

Password overload

When it comes to passwords, "there are too many of them, and it's too hard for the average person to remember them," said Matt Bishop, a computer science professor at the University of California-Davis.

Avi Rubin, a computer security expert at Johns Hopkins University, recently counted all the access codes he has to remember, including those for his computer, for two garage doors and for the nanny to get into the house. He came up with 53.

Michael Walters, information technology manager for the New York office of Perkins and Will, a Chicago architectural firm, even has to recall discarded passwords as part of his job overseeing the office's computer network. "I have to remember passwords even going back to before I came to work here," said Walters, who needs the old access codes in emergency situations when data has to be recovered.

But a recent identity-theft case on Long Island illustrates why passwords and other computer safeguards have become more important than ever. In what federal prosecutors call the largest identity-theft case on record, three people in New York were accused in November of stealing the passwords and other personal information of more than 30,000 people, resulting in losses of at least $2.7 million. And that was just one gang of digital ne'er-do-wells. In 2001, the Federal Trade Commission received 86,000 complaints from victims of identity theft.

"Nobody knows you're a dog on the Internet," said cyber-security expert Jerry Brady, referring to a popular New Yorker magazine cartoon that shows a computer-savvy canine surfing the Web. "But nobody knows you're an identity thief either. There are a lot of nasty people out there." And a lot of obvious passwords.

In one study by AT&T Labs, the most popular password was "mother," said Rubin, the technical director of Johns Hopkins' Information Security Institute. Brady, the chief technology officer for Guardent, a Waltham, Mass.-based information security services provider, frequently can guess the passwords of 1 in 3 people when he demonstrates a computer network's vulnerability to a client.

"HOW IT'S DONE" BE SURE TO READ AND RE-READ THE FOLLOWING

Guessing is easy, but with a "little" investigation, the amount of "Guessing" is greatly reduced!!!

"All you need is to know a bit about a person--his wife's name, pet's name, car's name," said Brady, who noted that much personal information is readily available on the Internet and in public records. "And knowing what a person cares most about--his wife, his pet or his car--you can guess."

Apart from typing * a password to their computer, one of the most common mistakes people make with their digital combinations is to use a word, which most people find easier to remember than a number. Such codes are vulnerable to "dictionary attacks," a hacking tactic using a program that methodically tries thousands of words.

Another frequent error is to log on to password-protected sites at Internet cafes or hotel business centers. Such computers frequently are contaminated with programs called "keyboard sniffers," which record the order in which keys are pressed and then send surreptitious e-mails of the sequences to a waiting identity thief.

Personal identification numbers for ATM cards and calling cards are susceptible to "shoulder surfing" by sharp-eyed swindlers who watch as the unsuspecting tap in their codes on the machine's keyboard.

Considering the resourcefulness of the thieves, the odds may seem heavily stacked against ordinary computer users, but security experts have some suggestions for devising passwords that are tough to crack, and ways to keep from being swamped by dozens of access codes. But, as noted in the beginning of this paragraph, such lengths are beyond the average user.

Instead of using a word, Rubin suggests taking the first letters of an easily remembered phrase and then adding some numbers or, better yet, punctuation marks and capital letters. That results in a password too complex to be broken easily.

Because many hackers work methodically over long periods, it is becoming increasingly important to change passwords regularly, experts say.

For some large financial institutions, that means a new password every minute. Employees carry a "token," a small plastic device that displays a new number every 60 seconds based on the time and a complicated formula.

Using the same formula, the network computer changes its access code every minute. To make sure that not just anybody can sign on, users must enter a short personal code in addition to the password of the minute.
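The article does not say which formula the tokens use. As an added illustration (not part of the Tribune article), the Python below uses the public TOTP algorithm from RFC 6238 as a stand-in: token and server derive the same number from a shared secret and the current 60-second step, and the server also checks the short personal code. The secret, PIN and timestamp are constructed sample values, and `token_code` and `server_accepts` are names chosen for this example.

```python
# Added example: time-based one-time code per RFC 6238 (truncation from RFC 4226).
import hashlib
import hmac
import struct


def token_code(secret, unix_time, step=60, digits=6):
    """Number the token displays: HMAC of the current time-step counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(secret, pin_on_file, pin, code, now,
                   step=60, digits=6, drift_steps=1):
    """Server side: same formula plus the user's short personal code.
    drift_steps tolerates a token clock one step fast or slow.
    pin_on_file is kept in the clear only to keep the example short."""
    pin_ok = hmac.compare_digest(pin_on_file.encode(), pin.encode())
    code_ok = False
    for k in range(-drift_steps, drift_steps + 1):
        t = now + k * step
        if t < 0:
            continue
        expected = token_code(secret, t, step, digits)
        # Constant-time compare; every step is checked regardless of a match.
        code_ok |= hmac.compare_digest(expected.encode(), code.encode())
    return pin_ok and code_ok


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample shared secret
    now = 1_042_934_400                   # constructed timestamp
    shown = token_code(secret, now)
    print("token shows:", shown)
    print("right PIN, current code:",
          server_accepts(secret, "4821", "4821", shown, now))
    print("wrong PIN, current code:",
          server_accepts(secret, "4821", "0000", shown, now))
    print("same code 10 min later: ",
          server_accepts(secret, "4821", "4821", shown, now + 600))
```

A captured code is useful only inside the accepted window, so a keystroke logger or shoulder surfer who records it gains far less than with a static password.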

Toby Weiss, a senior vice president at Computer Associates, a provider of computer security software, recommends switching access codes once a month. Other authorities say every two or three months is sufficient.

To keep the number of passwords more manageable, the University of California's Bishop ranks the Web sites he uses on the need for high, medium or low security. "If I go to a Web site where there's a book I want to find out about and I don't really understand why they want a password, I have a couple of canned passwords that I always use," he said.

On the horizon...What's Coming

Bishop thinks the number of passwords is approaching the saturation point, despite the efforts of Microsoft and the Liberty Alliance, a consortium of computer companies, to devise a single-password portal that would give users access to a variety of online shopping and banking sites. "I don't think passwords are going to continue to be the main line of defense," Bishop said. "Passwords are intended to authenticate who you are, but there are other ways to do that."

With cheaper and more readily available scanning equipment, the wave of the future is likely biometrics, or security systems based on a person's voice, fingerprint or the pattern of blood vessels in the retina.

Even these next-generation solutions have weaknesses. A Japanese researcher hacked into a computer system that relies on fingerprint scans by fashioning a fingerprint out of gelatin.

"That would be the perfect crime," Weiss said. "After you're done, you eat the evidence."



* Highlights, Bullets and other added by page author

The following "Un-solicited (Spam) E-Mail Solicitation" was received with the heading...Security Advisor On-Line Password Security Newsletter...Normally, unsolicited e-mail is marked "Block" and deleted, so that any future receipts are immediately deleted. Sections of the unsolicited receipt are copied and presented in toto, because page author concludes that solicitation contains information that may prove beneficial to those who are concerned about their "Passwords" being compromised. Excerpts are presented solely for visitors' review and evaluation. Presentation should not be construed as acceptance, approval or rejection by page author.


Are your passwords and data at risk? To assess your risk refer to the questions below.

a) Have you acquired any new programs within the last year that require you to authenticate yourself via a password?

b) Do you use email to communicate with others?

c) Have you made an online purchase with your credit card?

d) Have you used a public computer (for example in the library) to check your online accounts (for example your web email) by entering your password?

e) Do you ever receive programs or data from other people?

If you answer “Yes” to any of the abovementioned questions, you have a potential password security risk.

Password security risk is a commonly ignored problem compared to high profile security issues such as Denial of Service attacks, Trojan Horses, viruses and computer worms. However, it is an important issue that must not be neglected anymore as it leads to huge problems such as credit card and identity fraud.

Identity fraud occurs when someone else steals your password and impersonates your identity. They will (* could) then make illegal online purchases, take out huge loans and post offensive remarks on public bulletin boards, all done using your identity. According to the Federal Trade Commission, identity fraud can lead to a person losing his job and being denied important study loans and opportunities to purchase homes and cars due to an unhealthy credit rating.

Is There a Password Security Problem In Computing?


The answer is a vehement "YES". The very nature of user authentication via password is flawed and it leads to password security problems. The major threats are:

a) Interruption – If your password has been compromised by an intruder, it is very likely that the intruder will immediately change your password to a new password that is unknown to you.

b) Interception – An intruder that steals your password is also able to steal all your private and sensitive information.

c) Modification – A stolen password allows the intruder the right and ability to modify all attributes associated with the account.

d) Fabrication – An intruder could be a professional and commercial hacker who steals passwords with the intent of fabricating transaction.

Company that sent the E-mail to my address states that "A Password Management System can protect you from the above threats." If you have an interest in the company's name, use "source" for information.




How Are Passwords Stolen?

Company advises several ways that are used to steal your passwords:

a) Spyware – Spyware is software programmed to spy on and illegitimately monitor information on your computer.

b) Password Crackers/Brute Force/Dictionary Attacks – Password crackers break and steal your passwords via a technique called “brute force”, using a dictionary attack.

c) Trojan Horses – Trojan horses are programs masquerading as legitimate programs that covertly do another thing besides their advertised functionality.

d) Eavesdropping on the Internet – If your online account does not deploy SSL or SET technology it means that your online service is prone and liable to being eavesdropped on the Internet.

e) Information Leaks – Malicious programs could exploit information leaks or security vulnerabilities in some programs.

f) And many, many more ways. The reality is that many ways exist to steal your passwords.

How Easy Is It To Break/Crack My Password?

It is usually easier than you thought to break/crack your password. Consider the case where you used just alphabets (A-Z) for your password and your password is of any length from 1 to 8 characters. The system as a whole would then contain:

26^1 + 26^2 + 26^3 + 26^4 + 26^5 + 26^6 + 26^7 + 26^8 + 26^9 - 1 = 5 x 10^12 possible passwords

At first this large number seems to give you a (false) sense of security. At a rate of one password per millisecond, it will take on the order of 150 years to test all passwords.

However, due to the recent advances in computing, a rate of one password per microsecond is now possible and the work drops to a mere 2 months!

The above scenario is painted based on trying all possible combinations. However, people tend to pick easy to remember passwords and these passwords normally do not exceed 4 characters long. In this case, consider the use of 3 character long passwords (such as “god”). Such a system would contain:

26^1 + 26^2 + 26^3 = 18,278 possible passwords

At the assumed rate of 1 password per millisecond, all of the passwords can be cracked in 18.278 seconds!

This is hardly a challenge with today’s computers and anyone, even an amateur can easily crack your passwords. Also, if we raise the password length to 4 or 5 characters the results do not become any better.

For passwords of 4 characters length:

26^1 + 26^2 + 26^3 + 26^4 = 475,254 possible passwords. All passwords can be cracked in 475 seconds (about 8 minutes)

26^1 + 26^2 + 26^3 + 26^4 + 26^5 = 12,356,630 possible passwords. All passwords can be cracked in 12,356 seconds (about 3.5 hours)

The above analysis assumes that users pick “axyt” or “mjye” or “pzxqj” as the passwords of choice. However, people tend to pick common words for passwords such as “beer” and “goldy”. When such passwords are chosen (and this is the norm) the task for the intruder becomes even simpler as he could use a dictionary-based attack.

With a dictionary of 100,000 words, the intruder is able to run through the dictionary to find common words and successfully attack and crack your passwords in 100 seconds or less.

How Could I Protect My Passwords And Improve My Password Security?

Company recommends that you take the following simple and easy steps to safeguard your passwords:



a) Choose long passwords – If possible use passwords of length greater than 10 characters

b) Avoid actual names or words – Do not use passwords such as “god”, “goody” or “hello”.

c) Choose an unlikely password – Use uncommon passwords such as “8j37ky” instead of “melissa”.

d) Change the password regularly – Change your passwords every 2 weeks.

e) Do not write your password down or store it on your computer

f) Do not tell anyone your password

The above simple steps will easily and immediately improve your password security by at least fivefold.
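The keyspace arithmetic in the cracking section and the "length greater than 10" advice above can be checked with a short calculation. This Python is an added example, not part of the newsletter excerpt: it counts the passwords for the letters-only cases and, going beyond the excerpt, finds the shortest length that holds out for a century at the one-guess-per-microsecond rate. The 94-character printable set and the 100-year target are assumptions of the example.

```python
# Added example (not from the quoted newsletter): exhaustive-search cost.
import string

LETTERS = len(string.ascii_lowercase)          # 26, the A-Z case above
PRINTABLE = len(string.ascii_letters + string.digits
                + string.punctuation)          # 94, assumed richer alphabet
CENTURY = 100 * 365.25 * 24 * 3600             # seconds; assumed target


def keyspace(alphabet_size, min_len, max_len):
    """Count every password of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def min_length(alphabet_size, guesses_per_second, target_seconds):
    """Shortest maximum length L such that trying all passwords of
    length 1..L takes at least target_seconds."""
    length = 1
    while seconds_to_exhaust(keyspace(alphabet_size, 1, length),
                             guesses_per_second) < target_seconds:
        length += 1
    return length


def report():
    """(max length, keyspace, seconds at 1 guess/ms) for the short cases."""
    rows = []
    for max_len in (3, 4, 5):
        space = keyspace(LETTERS, 1, max_len)
        rows.append((max_len, space, seconds_to_exhaust(space, 1_000)))
    return rows


if __name__ == "__main__":
    for max_len, space, secs in report():
        print(f"letters, up to {max_len} chars: {space:>12,} passwords, "
              f"{secs:,.0f} s at 1 guess/ms")
    for name, size in (("letters only", LETTERS), ("printable ASCII", PRINTABLE)):
        print(f"{name}: length {min_length(size, 1_000_000, CENTURY)} "
              "needed to last 100 years at 1 guess/us")
```

These figures bound exhaustive search only; a password that is a dictionary word falls to the dictionary attack described above whatever its length.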




How-To Choose and Use a Password

Google's page on "Learn To Choose a Password"


Launched: 01/20/2003





    Disclaimer


    This Page Of Links Is Provided As A Public Service, And Does Not Provide Any Warranty, Statement Of Quality, "Implied Or Otherwise," About Any Of The Products, Businesses Or Services Listed. Links On This Or Other Pages Are Intended To Be Informative And Do Not Imply An Endorsement By Page Author.



    If Anything In This Page Infringes on Copyright,  Please advise
    and Correction Will Be Made.

    © Chicago Tribune: & other 1/17/2003...3/3/2003-2004