http://dailynews.yahoo.com/h/nf/20010625/tc/11524_1.html

By Jay Lyman
www.NewsFactor.com
Monday June 25, 2001

A new computer password survey of British employees highlights what many security experts see as an underrated threat: passwords that are obvious to people or to "cracking" programs widely available on the Internet.

The survey, conducted by UK domain registry CentralNic, revealed that nearly half of the workers polled use their own name or a nickname as a password, and a third use a favorite sports team or celebrity.

Security experts say most employees are not aware how easy it is to guess such passwords -- or, more commonly, to recover them with a cracking tool -- and so gain access to the company network.

Obvious Choices

The survey by CentralNic, the registry for the "us.com" and "eu.com" domain names, indicated that 47 percent of respondents used their own name or a nickname and 32 percent chose their favorite football team or favorite celebrity, according to Joe Alagna, North American marketing manager.

"One of the main places security can fail is the password because people can guess them too easily," Alagna told NewsFactor Network.

Michael Sutton, senior security engineer at iDefense, said he was not surprised to see half of respondents using their own names for passwords.

"Sometimes it's worse," Sutton told NewsFactor. "They'll use a one-letter password or a null password -- nothing."

Sutton, whose Fairfax, Virginia-based company assesses risks for businesses and government agencies, said passwords based on personal information -- a name, a spouse's name, a car -- are vulnerable to discovery by acquaintances, co-workers and anyone else who interacts with the user.

Sutton said assigned passwords might be a solution, but they are often forgotten, written on Post-it notes stuck to the computer, or e-mailed, which makes their discovery more likely.
Words Are Weak

Passwords are also vulnerable to cracking tools available on the Web that try every word in a dictionary as well as every letter-and-digit combination.

"Something that people aren't aware of is the way password crackers work," Sutton told NewsFactor. "They run through the dictionary, so if you pick something that's in the dictionary, it's very easy to crack. Other password crackers systematically go through every number-letter combination."

Sutton suggested using passwords that replace various letters with numbers or symbols, or making up an acronym that is not a word.

"You want to end up with something as random as possible, but it still has to be something you're going to remember," he said.

Protecting Password Files

A well-known cracking tool such as L0phtCrack would take about 48 hours to work through the entire password file of a company, according to Sutton.

"There are various files you do not want people to access, and one is definitely the password file," he said. "With most operating systems, if you want on and have access to the password file, you can get on."

Sutton said there are probably a dozen cracking programs for all major operating systems, but some crackers are application-specific, targeting e-mail, word-processor documents or other software.

"So long as it's a popular application, there's a good chance that there are a couple of password crackers for it," he said.

ISN is hosted by SecurityFocus.com
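The two Sutton passages above (dictionary and exhaustive cracking, and the run against a captured password file) as an added, runnable example. It is not part of the original article and is not the code of L0phtCrack, iDefense or any other tool named here. It builds a constructed password file whose entries are unsalted SHA-1 digests (an assumption made only so the script runs offline; a real system should store a salted, slow hash such as bcrypt, scrypt or Argon2), expands a tiny constructed wordlist the way the rule engines of crackers such as John the Ripper and hashcat do, and then falls back to a short exhaustive search. The caveat a practitioner would add to the advice in the article: swapping digits for letters ("p4ssw0rd") is itself a standard cracking rule, so it buys little, whereas an acronym-style password that is neither a word nor short enough to enumerate survives both phases here.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for a real dictionary: names, football
# clubs and celebrities, the categories the survey found most common.
WORDLIST = ["password", "alice", "bob", "arsenal", "chelsea", "madonna",
            "letmein", "liverpool", "beckham", "secret"]

# Letter-for-digit/symbol substitutions that rule-based crackers try; they
# undo the "replace letters with numbers" advice from the article.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, chosen only to keep the demo self-contained."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_sample_file():
    """Constructed password file (username -> hash); the plaintexts are
    used only to build it, the cracker below never sees them."""
    plaintexts = {
        "alice": "password",   # plain dictionary word
        "bob":   "p4ssw0rd",   # dictionary word with digit substitutions
        "carol": "Chelsea7",   # capitalised club name plus a digit
        "dave":  "x9q",        # short and random-looking: falls to brute force
        "erin":  "Mdhab2t!",   # acronym-style, not a word: survives both phases
    }
    return {user: sha1_hex(pw) for user, pw in plaintexts.items()}


def leet_variants(word):
    """Yield every combination of applying the LEET substitutions to word."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for flag, i in zip(mask, positions):
            if flag:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def mangled_candidates(word):
    """Expand one dictionary word as a rule engine would:
    case variants x leet substitutions x appended digit suffixes."""
    for base in {word.lower(), word.capitalize(), word.upper()}:
        for variant in leet_variants(base):
            yield variant
            for suffix in range(100):
                yield f"{variant}{suffix}"


def brute_force_candidates(alphabet, max_len):
    """Every string over alphabet up to max_len characters, shortest first."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def crack(password_file, wordlist=WORDLIST, brute_max_len=3):
    """Return {user: (recovered_password, phase)} for every hash that falls
    to dictionary+rules or to the short exhaustive search."""
    targets = {}                       # hash -> users sharing that hash
    for user, digest in password_file.items():
        targets.setdefault(digest, []).append(user)
    found = {}

    def run_phase(candidates, phase):
        for cand in candidates:
            if not targets:            # everything recovered, stop early
                return
            users = targets.pop(sha1_hex(cand), None)
            if users:
                for user in users:
                    found[user] = (cand, phase)

    run_phase((c for w in wordlist for c in mangled_candidates(w)), "dictionary+rules")
    run_phase(brute_force_candidates(string.ascii_lowercase + string.digits, brute_max_len),
              "brute-force")
    return found


if __name__ == "__main__":
    sample = make_sample_file()
    results = crack(sample)
    for user in sample:
        print(user, results.get(user, "(not recovered)"))
```

Run it as a script to see which phase recovered each account. The exhaustive phase stops at three characters over lowercase letters and digits so the whole run takes seconds; its cost grows exponentially with length and alphabet, which is why one-letter and null passwords fall instantly, why a fast unsalted hash lets an entire file be worked through in days, and why the file itself has to be kept out of reach.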
This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 02:18:02 PDT