Forwarded From: darek milewski <darekmat_private>

http://www.herald.com/archive/cyber/techdocs/040080.htm

The best password is more than a word

By SARA ROBINSON
The Dallas Morning News

Most people wouldn't leave their passport lying on a park bench or shout their Social Security number across a crowded room. But choosing a bad password, or even logging into your computer over a network you don't control while on vacation, can amount to the same thing.

In a password-based computer system, your password is your identification card: it is how your computer knows it's OK to let you in the front door. But in cyberland, interior doors aren't securely locked and elevators stop at every floor. Someone with your password and some hacking skills can obtain access to everything on your network.

"The security of the system is the security of the weakest password," says Bruce Schneier, author of Applied Cryptography and president of Counterpane Systems, a computer security firm.

Large-scale threat

CERT Coordination Center, an organization based at Carnegie Mellon University that collects reports on computer security problems, gets many reports of password-based attacks, says spokesman Shawn Hernan. He cites an incident reported to CERT in July when an intruder was detected with a list of 186,000 passwords collected from businesses and universities all over the world.

In a joint survey by the FBI and the Computer Security Institute of San Francisco, 64 percent of the 520 organizations surveyed (Fortune 500 companies, government organizations and financial institutions) reported computer security breaches over a 12-month period. Some of the blame rests on users who pick bad passwords.
And it only takes one such password on a network to make it vulnerable to intruders.

In a typical system, users each have one fixed password until they decide to change it. When the password is typed in, the computer scrambles it with a one-way function (the article's "encryption"), turning it into a string of gibberish, and then checks that string against the long list of scrambled passwords in a password file stored on the computer. The file never holds the passwords themselves, only their scrambled forms, so the check works by scrambling what you typed the same way, not by unscrambling the file. If it finds an identical string of gibberish paired with your log-in, it allows you to enter the system.

How hackers do it

Hackers attempting to break into a system typically go after the password file, says David Wagner, a graduate student at the University of California at Berkeley specializing in computer security. If they have achieved a high level of access, they can take a copy of the file with them and run a password-cracking program on it at their leisure.

A cracking program scrambles a long list of character strings, such as all the words in a dictionary, and checks each result against the scrambled passwords in the file. If it finds even one match, the intruder has a working log-in and password for the system. This sort of attack doesn't require a high degree of skill on the part of the hacker. All sorts of password-cracking programs are available on the Internet, many from security Web sites promoting regular password checks by system administrators.

Some systems can defend against cracking programs by keeping the password file itself under tight security, so that ordinary users cannot read it. The bigger problem, Wagner says, is sniffers.

Sniffers are programs that unobtrusively monitor network traffic on a computer, picking out whatever type of data they're programmed to intercept, such as any chunk containing the word "password." Sending data over a network is "like shouting in a crowded room," Wagner says. "Everyone can hear what everyone else says," but computers are supposed to listen only to the one shouting at them.

Internet danger

The problem becomes worse for data sent over the Internet.
When you log in to your account from a remote location, unless you take special precautions, your password is sent in the clear through perhaps hundreds of computers. Routers are big computers that act as traffic cops, directing the flow of traffic from one crowded room to another. A sniffer installed on a router has the potential to pick off thousands of passwords.

And, like password-cracking programs, sniffers are everywhere. Doug Tygar, a computer scientist at Carnegie Mellon, says system administrators pull sniffers off their network about once a week. "At any given time there's probably a sniffer running on our system," he says.

Password problems cannot be addressed only by users, however. Experts cite the widespread use of insecure computer systems as the bigger problem, but good security costs money. And there are other methods of securing access to your computer system: through fingerprint or eye scans, for instance.

For logging in remotely, tokens provide the best security, experts say. A token is a little card, about the size of your credit card, that generates a password valid for a brief period each time you enter a personal identification number. Because each such password expires quickly, one picked off the wire by a sniffer is of little use to the intruder. But at $30 to $50 per card, tokens require a greater investment in security than most organizations will make.

PASSWORD TIPS

The Dallas Morning News

When creating a password:

+ Don't use names or numbers associated with you in any form, for example your user name, your wife's name, your dog's name spelled backward, your telephone number transposed, your middle name in French, etc. Hackers are savvy enough to make an educated guess, and cracking programs try exactly these variations.

+ Don't use names or dictionary words, including several words strung together, in any language.

+ Use both upper- and lower-case letters as well as punctuation symbols or numbers.

+ Use different passwords for different accounts. An intruder who cracks your password on one network can use it to jump to other networks.
Once your password is created:

+ Change it frequently, at least every four to six months. If you need to use the same basic word as your password, vary it with unexpected numbers or symbols or misspellings, bearing in mind that cracking programs try the common variations too. Sniffer programs that intercept passwords are quite common, and changing your password at least limits how long an intercepted password stays useful.

+ Don't e-mail your password to anyone.

+ Don't tell anyone your password. If someone calls you claiming to need your password, don't give it. Any legitimate technician would already be authorized to enter the system.

+ If, for any reason, you must share your password, change it as soon as possible.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
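The offline attack described under "How hackers do it" above, together with the kinds of guesses the tips warn about (a dictionary word, a name spelled backward, a word with a few digits tacked on), as an added example that is not part of the article. Everything concrete here is an assumption made for the example: the password-file layout (user:salt:digest), SHA-256 as the scrambling function, the per-user salt, the mangling rules and the sample accounts and dictionary are all constructed. Real systems use purpose-built password hashes rather than a bare SHA-256, but the shape of the attack, scramble each guess the same way the system does and compare, is the same.

```python
"""Offline dictionary attack against a copied password file.

Constructed example to accompany the article; file format, hash choice,
salting and mangling rules are assumptions, not a description of any
real system.
"""
import hashlib
from typing import Dict, Iterator, List, Tuple


def hash_password(salt: str, password: str) -> str:
    """Assumed scrambling function: SHA-256 over salt + password.
    The system and the cracker must use the identical function."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_password_file(accounts: Dict[str, str], salts: Dict[str, str]) -> str:
    """Build the constructed file the intruder walks off with.
    Each line is user:salt:digest; the plaintexts are never stored."""
    lines = [f"{user}:{salts[user]}:{hash_password(salts[user], pw)}"
             for user, pw in accounts.items()]
    return "\n".join(lines) + "\n"


def parse_password_file(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (user, salt, digest), skipping blank, comment and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            continue
        yield parts[0], parts[1], parts[2]


SUFFIXES = ["", "1", "12", "123", "!", "99"]


def mangle(word: str) -> Iterator[str]:
    """Variations a cracking program tries, modelled on the article's tips:
    the word itself, spelled backward, capitalised and upper-cased, each
    with a few common suffixes. Duplicates are suppressed."""
    word = word.strip()
    if not word:
        return
    seen = set()
    for base in (word, word[::-1], word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def crack(password_file: str, dictionary: List[str]) -> Dict[str, str]:
    """Return {user: recovered password} for every entry matched by a
    mangled dictionary word. Because each user has a different salt,
    the full candidate list has to be re-hashed for every account."""
    candidates = [c for w in dictionary for c in mangle(w)]
    cracked: Dict[str, str] = {}
    for user, salt, digest in parse_password_file(password_file):
        for candidate in candidates:
            if hash_password(salt, candidate) == digest:
                cracked[user] = candidate
                break
    return cracked


# Constructed accounts: two weak choices of the kind the tips warn about
# (a dictionary word; the dog's name backward plus a digit) and one strong one.
SAMPLE_ACCOUNTS = {"alice": "sunshine", "bob": "xer1", "carol": "T9#vq!Lm2p"}
SAMPLE_SALTS = {"alice": "a1", "bob": "b2", "carol": "c3"}
SAMPLE_DICTIONARY = ["password", "welcome", "sunshine", "rex", "dallas", "secret"]

if __name__ == "__main__":
    stolen_copy = make_password_file(SAMPLE_ACCOUNTS, SAMPLE_SALTS)
    print(crack(stolen_copy, SAMPLE_DICTIONARY))
    # {'alice': 'sunshine', 'bob': 'xer1'}
```

Only the two weak passwords fall; carol's survives because no dictionary word passed through these rules produces it, which is the whole point of the "no names, no words, mix cases and symbols" tips. The per-user salt in the constructed format shows why a stolen file of many accounts still costs the intruder work per account rather than one pass over the dictionary; a slower scrambling function would raise that cost further, and a file nobody but the system can read denies the intruder the copy in the first place.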
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:11:45 PDT