[ISN] The best password is more than a word

From: mea culpa (jerichoat_private)
Date: Thu Nov 19 1998 - 22:49:33 PST

    Forwarded From: darek milewski <darekmat_private>
    
    http://www.herald.com/archive/cyber/techdocs/040080.htm
    
    The best password is more than a word
    By SARA ROBINSON
    The Dallas Morning News
    
    Most people wouldn't leave their passport lying on a park bench or shout
    their Social Security number across a crowded room. But choosing a bad
    password or even logging into your computer while on vacation can amount
    to the same thing. 
    
    In a password-based computer system, your password is your identification
    card, how your computer knows it's OK to let you in the front door. 
    
    But in cyberland, interior doors aren't securely locked and elevators stop
    at every floor. Someone with your password and some hacking skills can
    obtain access to everything on your network. 
    
    ``The security of the system is the security of the weakest password,''
    says Bruce Schneier, author of Applied Cryptography and president of
    Counterpane Systems, a computer security firm. 
    
    Large-scale threat
    
    CERT Coordination Center, an organization based at Carnegie Mellon
    University that collects reports on computer security problems, gets many
    reports of password-based attacks, says spokesman Shawn Hernan. He cites
    an incident reported to CERT in July when an intruder was detected with a
    list of 186,000 passwords collected from businesses and universities all
    over the world. 
    
    In a joint survey by the FBI and the Computer Security Institute of San
    Francisco, 64 percent of 520 organizations, Fortune 500 companies,
    government organizations and financial institutions reported computer
    security breaches over a 12-month period. 
    
    Some of the blame rests on users who pick bad passwords. And it only takes
    one such password on a network to make it vulnerable to intruders. 
    
    In a typical system, each user has one fixed password until they decide
    to change it. When the password is typed in, the computer does not store
    or compare it directly: it runs the password through a one-way function
    that turns it into a fixed string of gibberish (a hash) and checks that
    against the long list of such strings in a password file stored on the
    computer. If it finds an identical string paired with your log-in, it
    lets you into the system. Because the function is one-way, not even the
    administrator can read the original passwords back out of the file. 
    
    How hackers do it
    
    Hackers attempting to break into a system typically go after the password
    file, says David Wagner, a graduate student at the University of
    California at Berkeley specializing in computer security. If they have
    achieved a high level of access, they can take a copy of the file with
    them and run a password-cracking program on it at their leisure. 
    
    A cracking program encrypts a long list of character strings, such as all
    words in a dictionary, and checks it against the encrypted file of
    passwords. If it finds even one match, the intruder has access to the
    system. 
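    The login check and the dictionary attack described above, as an added
    worked example (it is not part of the article and not a program any of
    the people quoted wrote). It uses a constructed four-user password file
    and a five-word list; salted SHA-256 stands in for the crypt(3) function
    the article's systems used, and the user names, salts and passwords are
    invented.

```python
import hashlib
import hmac

# Added example, not from the article. Stand-in for a Unix password file:
# the article describes crypt(3)-style entries; here each line is
# "user:salt$hexdigest" with a salted SHA-256 so it runs without the
# deprecated crypt module. Users, salts and passwords are constructed.

def hash_password(password: str, salt: str) -> str:
    """One-way function the login program applies to the typed password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_entry(user: str, password: str, salt: str) -> str:
    return f"{user}:{salt}${hash_password(password, salt)}"

SAMPLE_PASSWORD_FILE = "\n".join([
    make_entry("alice", "Tr0ub4dor&3xyz!", "a1b2c3d4"),  # not derived from any word
    make_entry("bob", "Rover", "deadbeef"),            # the dog's name
    make_entry("carol", "revor99", "0badf00d"),        # dog's name backwards plus digits
    make_entry("dave", "ocean", "cafebabe"),           # plain dictionary word
])

def parse_password_file(text: str) -> dict:
    """Map user -> (salt, stored digest)."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        db[user] = (salt, digest)
    return db

DB = parse_password_file(SAMPLE_PASSWORD_FILE)

def check_login(db: dict, user: str, password: str) -> bool:
    """What the login program does: hash what was typed with the stored salt
    and compare it with the stored digest (constant-time comparison, so the
    check does not leak how many leading bytes matched)."""
    if user not in db:
        return False
    salt, digest = db[user]
    return hmac.compare_digest(hash_password(password, salt), digest)

# Short constructed word list; a real cracker carries dictionaries of
# hundreds of thousands of words in many languages.
WORDLIST = ["dog", "rover", "ocean", "password", "secret"]

def candidates(word: str):
    """The 'mangling' rules a cracking program tries for each dictionary
    word: case changes, reversal, and two digits appended. These cover the
    variations the tips at the end of the article suggest (a name spelled
    backward, a word with numbers added)."""
    bases = [word, word.capitalize(), word.upper(), word[::-1], word[::-1].capitalize()]
    for base in bases:
        yield base
    for base in bases:
        for n in range(100):
            yield f"{base}{n}"

def crack(db: dict, wordlist: list) -> dict:
    """Offline attack on a copied password file: hash every candidate and
    look for an identical string. Returns user -> recovered password.
    Each entry has its own salt, so candidates are hashed per user; with
    unsalted hashes one pass over the word list would test all users."""
    cracked = {}
    for user, (salt, digest) in db.items():
        for word in wordlist:
            hit = next((c for c in candidates(word)
                        if hash_password(c, salt) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked

if __name__ == "__main__":
    print(check_login(DB, "bob", "Rover"), check_login(DB, "bob", "rover"))
    print(crack(DB, WORDLIST))  # alice survives; bob, carol and dave fall
```

    Three of the four accounts fall for a few thousand hash operations: the
    dog's name, the name reversed with two digits appended, and a plain
    word. Only alice's password, which is not derived from any word, survives
    this list. It also shows why "vary it with unexpected numbers", from the
    tips below, buys little on its own: digits appended to a dictionary word
    are among the first rules any cracker tries.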
    
    This sort of attack doesn't require a high degree of skill on the part of
    the hacker. All sorts of password-cracking programs are available on the
    Internet, many from security Web sites promoting regular password checks
    by system administrators. 
    
    Some systems can defend against cracking programs by keeping the password
    file under tight security (Unix "shadow" password files, for example, are
    readable only by the administrator, so an ordinary account cannot simply
    copy them). The bigger problem, Wagner says, is sniffers. 
    
    Sniffers are programs that unobtrusively monitor network traffic on a
    computer, picking out whatever type of data they're programmed to
    intercept, such as any chunk containing the word password. Sending data
    over a network is ``like shouting in a crowded room,'' Wagner says.
    ``Everyone can hear what everyone else says,'' but computers are supposed
    to only listen to the one shouting at it. 
    
    Internet danger
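    What a sniffer's filter actually does, as an added example that is not
    from the article: rather than grepping for the word "password", it follows
    the protocols (POP3 and FTP send USER and then PASS on separate lines;
    HTTP Basic authentication carries user:password base64-encoded in a
    header). The capture is constructed by hand with made-up hosts and
    credentials. The same function is what a defender would run over a capture
    of their own network to find services still accepting cleartext logins.

```python
import base64
import re
from dataclasses import dataclass

# Added example, not from the article. A protocol-aware filter of the kind
# a sniffer (or an administrator auditing for cleartext logins) runs over
# captured packets. The capture below is constructed; hosts, ports and
# credentials are made up.

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

SAMPLE_CAPTURE = [
    Packet("10.0.0.5", "10.0.0.10", 110, b"USER alice\r\n"),         # POP3 login
    Packet("10.0.0.10", "10.0.0.5", 110, b"+OK\r\n"),                # server reply
    Packet("10.0.0.5", "10.0.0.10", 110, b"PASS Rover99\r\n"),
    Packet("10.0.0.7", "10.0.0.20", 80, b"GET /mail/ HTTP/1.0\r\n"
                                        b"Authorization: Basic Ym9iOm9jZWFu\r\n\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),  # no credentials
    Packet("10.0.0.9", "10.0.0.30", 21, b"USER carol\r\n"),          # FTP login
    Packet("10.0.0.9", "10.0.0.30", 21, b"PASS s3cret\r\n"),
]

USER_RE = re.compile(r"USER\s+(\S+)", re.IGNORECASE)
PASS_RE = re.compile(r"PASS\s+(\S+)", re.IGNORECASE)
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def sniff_credentials(packets):
    """Return (server, port, user, password) tuples found in cleartext.
    USER and PASS arrive in separate packets, so the user name is remembered
    per flow (client, server, port) until the matching PASS line shows up."""
    pending_user = {}
    found = []
    for p in packets:
        flow = (p.src, p.dst, p.dport)
        text = p.payload.decode("latin-1")   # never raises on binary payloads
        m = USER_RE.match(text)
        if m:
            pending_user[flow] = m.group(1)
            continue
        m = PASS_RE.match(text)
        if m:
            found.append((p.dst, p.dport, pending_user.pop(flow, "?"), m.group(1)))
            continue
        m = BASIC_RE.search(text)
        if m:
            decoded = base64.b64decode(m.group(1)).decode("latin-1")
            user, _, password = decoded.partition(":")
            found.append((p.dst, p.dport, user, password))
    return found

if __name__ == "__main__":
    for server, port, user, password in sniff_credentials(SAMPLE_CAPTURE):
        print(f"{user}@{server}:{port} -> {password}")
```

    Nothing in the filter needs the attacker's machine to be on the path of
    a single victim: on a shared segment or a router, every flow passes by,
    and each one that carries a cleartext login is harvested the same way.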
    
    The problem becomes worse for data sent over the Internet.  When you log
    in to your account from a remote location, unless you take special
    precautions, your password is sent, unprotected, through perhaps hundreds
    of computers. Routers are big computers that act as traffic cops,
    directing the flow of traffic from one crowded room to another. 
    
    A sniffer installed on a router has the potential to pick off thousands of
    passwords. And, like password-cracking programs, sniffers are everywhere. 
    
    Doug Tygar, a computer scientist at Carnegie Mellon, says system
    administrators pull sniffers off their network about once a week. 
    
    ``At any given time there's probably a sniffer running on our system,'' he
    says. 
    
    Password problems cannot be addressed only by users, however.  Experts
    cite the widespread use of insecure computer systems as the bigger
    problem, but good security costs money. 
    
    And there are other methods of securing access to your computer system:
    through fingerprint or eye scans, for instance. 
    
    For logging in remotely, tokens provide the best security, experts say. A
    token is a little card, about the size of your credit card, that generates
    a password valid for a brief period each time you enter a personal
    identification number. 
    
    But at $30 to $50 per card, tokens require a greater investment in
    security than most organizations will make. 
    
    PASSWORD TIPS
    
    The Dallas Morning News
    
    When creating a password: 
    
    + Don't use names or numbers associated with you in any form, i.e. your
    user name, your wife's name, your dog's name spelled backward, your
    telephone number transposed, your middle name in French, etc. Hackers
    know enough about their targets to guess such things. 
    
    + Don't use names or dictionary words, including several words strung
    together, in any language. 
    
    + Use both upper- and lower-case letters as well as punctuation symbols or
    numbers. 
    
    + Use different passwords for different accounts. An intruder who cracks
    your password on one network can use it to jump to other networks. 
    
    Once your password is created: 
    
    + Change it frequently, at least every four to six months. If you need to
    use the same basic word as your password, vary it with unexpected numbers
    or symbols or misspellings. Sniffer programs that intercept passwords are
    quite common, and changing your password limits how long an intercepted
    copy stays useful. 
    
    + Don't e-mail your password to anyone. 
    
    + Don't tell anyone your password. If someone calls you claiming to need
    your password, don't give it. Any legitimate technician would already be
    authorized to enter a system. 
    
    + If, for any reason, you must share your password, change it as soon as
    possible. 
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:11:45 PDT