[ISN] And the Password Is . . . Waterloo

From: InfoSec News (isnat_private)
Date: Thu Dec 27 2001 - 23:15:44 PST


    Forwarded from: Richard Caasi <rcaasiat_private>
    
    http://www.nytimes.com/2001/12/27/technology/circuits/27PASS.html?todaysheadlines
    
    December 27, 2001
    By JENNIFER 8. LEE
    
    COMPUTER passwords are supposed to be personal, disposable and
    discreet. But people become sentimentally attached to them or leave
    them taped underneath their keyboards or on their monitors, to the
    dismay of computer-security professionals worldwide.
    
    And even those who are vigilant about guarding passwords may be giving
    away more than they think. The problem is that computer passwords have
    evolved into the personality test of a networked society, as millions
    of people try to sum up their essence through a few taps on the
    keyboard. As psychologists know, people and personalities are often
    very predictable in the aggregate, and thus so are passwords, a reality
    that malevolent computer hackers often take advantage of.
    
    "When you are thinking of something neutral to use as a password,
    whatever your obsession is will pop into your head," said Helen
    Petrie, a professor of human computer interaction at City University
    in London. "It's the new version of the inkblot or word-association
    test."
    
    Psychologists say that people can store only five to nine random bits
    of information in their short-term memory. Users therefore often
    choose passwords with a personal meaning that they can associate with
    something in their long-term memory. A recent survey of 1,200
    employees of British companies by CentralNic, a London-based
    domain-registration company, showed that half of them used passwords
    related to family: passwords based on names, nicknames or birthdays of
    partners, children or pets.
    
    Even high-ranking executives may act on naïve impulses when it comes
    to choosing a password. Edward Skoudis, vice president for security
    strategy at Predictive Systems in Manhattan, recounted how the user
    account of the top executive at a large Japanese financial institution
    was cracked open during a security assessment. The automatic password
    scanner found that his password was a woman's name.
    
    Sometimes passwords can be cracked by security consultants with what
    is known as a "brute force" program, which may try every possible six-
    or seven-character combination. But in reality what emerges from the
    human mind is seldom truly random. So the more efficient computer
    programs systematically use extended dictionaries.
    
    In an effort to mimic human behavior, many of the most powerful
    password-cracking dictionaries add twists beyond simply suggesting a
    word. They experiment with first and last names, sports teams,
    fictional characters, numbers, punctuation symbols and
    foreign-language terms. They reverse the spellings, string words
    together, substitute zeros and ones for the lowercase O and L and try
    popular keyboard sequences like qwerty.
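    The mangling rules described above can be run in reverse as a proactive password check: instead of taking a word and generating its twists, a checker takes the candidate password, undoes the twists (case, zero-for-o and one-for-l substitutions, reversal, appended digits and punctuation, two words strung together, keyboard walks) and looks the result up in the word list. The following is an added example, not code from the article or from any tool it names; the word list, the keyboard sequences beyond "qwerty" and the substitution table beyond 0/o and 1/l are constructed assumptions.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed stand-in for an "extended dictionary": names, sports stars,
# fictional characters and the popular choices the article lists. A real
# checker would load a large word list; this one is a hypothetical sample.
WORD_LIST = {
    "waterloo", "password", "secret", "love", "god", "sex", "money",
    "michael", "jordan", "frodo", "gandalf", "yoda", "stud", "goddess",
    "cutiepie", "hotbod", "now", "incorrect", "star", "wars",
}

# Popular keyboard walks; the article names "qwerty", the rest are assumed.
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "1234567", "7654321")

# Digit/symbol-for-letter swaps to undo. The article mentions zero for o and
# one for l; the remaining entries are common companions (an assumption).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})

# Leading/trailing digits and punctuation ("frodo99", "!gandalf") are appended
# twists, not part of the base word.
_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidate_forms(password: str) -> Set[str]:
    """Undo the mangling twists a cracker applies and return the base words
    a password could have been built from: case folding, leet substitution,
    reversal, and stripped leading/trailing digits or symbols. The cracker
    goes word -> mangled variants; the checker walks the same rules backwards.
    """
    forms: Set[str] = set()
    lowered = password.lower()
    for base in (lowered, _EDGE_JUNK.sub("", lowered)):
        for unleeted in (base, base.translate(UNLEET)):
            for variant in (unleeted, unleeted[::-1]):
                forms.add(variant)
                forms.add(_EDGE_JUNK.sub("", variant))
    forms.discard("")
    return forms


def split_into_words(form: str) -> Optional[Tuple[str, str]]:
    """Detect two dictionary words strung together, e.g. 'starwars'."""
    for i in range(1, len(form)):
        head, tail = form[:i], form[i:]
        if head in WORD_LIST and tail in WORD_LIST:
            return head, tail
    return None


def check_password(password: str) -> List[str]:
    """Return the reasons a password would fall early to a dictionary-style
    attack. An empty list means none of these weaknesses was found, not that
    the password is strong."""
    reasons: List[str] = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    forms = sorted(candidate_forms(password))
    hit = next((f for f in forms if f in WORD_LIST), None)
    if hit:
        reasons.append(f"based on the word '{hit}'")
    pair = next((p for p in map(split_into_words, forms) if p), None)
    if pair:
        reasons.append(f"two dictionary words joined: {pair[0]}+{pair[1]}")
    walk = next((s for s in KEYBOARD_SEQUENCES if any(s in f for f in forms)), None)
    if walk:
        reasons.append(f"contains the keyboard sequence '{walk}'")
    return reasons


if __name__ == "__main__":
    samples = ("Waterloo", "P@ssw0rd!", "drowssaP1", "StarWars",
               "qwerty12", "god", "j#9Lq!Tz2mR")
    for pw in samples:
        verdict = check_password(pw)
        print(f"{pw:14} {'OK' if not verdict else '; '.join(verdict)}")
```

    Run as a script it prints a verdict for each constructed sample; wired into an account-creation or password-change path it gives the same answer a cracker would reach in its first minutes, before the password is ever stored. The inverse-rule approach scales with the size of the word list rather than with the number of mangling combinations, which is why proactive checkers can afford rules that a brute-force run applies millions of times.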
    
    The reason the programs are often very effective is that they attack
    an institution's passwords en masse. No one may know that a specific
    person at a company is a Michael Jordan fan. But among 1,000 people,
    the probability that at least one is a Michael Jordan fan and has a
    related password is significantly higher. A third of the password
    users in the CentralNic survey were categorized as "fans," meaning
    that their passwords were based on sports teams, fictional characters
    or celebrities.
    
    Characters from fantasy and science fiction, like "The Lord of the
    Rings" and "Star Wars," tend to be especially popular, and some
    password policies advise against choosing characters from those works.
    
    At a million password attempts per second, the password scanners used
    by today's security companies can be very efficient. In the typical
    corporation with 10,000 employees using Microsoft Windows, 20 to 50
    percent of the Windows passwords could be determined in the first 20
    minutes with an extended word-list attack, and 90 percent on the first
    day by adding a brute-force attack, said Chris Wysopal, director of
    research and development for @stake, a security company based in
    Cambridge, Mass., that produces a popular Windows password-auditing
    tool called LC3.
    
    Less than one-tenth of all users, the most security-conscious, pick
    passwords based on random or semirandom sequences of letters, numbers
    and symbols. Even when people do use symbols, the most popular ones
    are the exclamation point, the dollar sign, the ampersand and the "at"
    symbol, Mr. Wysopal noted. The brute-force algorithms take this
    tendency into account, leaving more unusual characters like the tilde
    until the end.
    
    Passwords, the "open sesame" of a computerized world, are thus the
    sieves of computer security. Passwords are also the only
    authentication of identity within a corporate network to which many
    people may have access. "When insiders go bad and want to steal
    information, a password attack is a very common thing," Mr. Wysopal
    said.
    
    Bruce Schneier of Minneapolis, chief technology officer for
    Counterpane Internet Security, based in Cupertino, Calif., said that
    an employee at one Fortune 500 corporation was caught trying to use a
    dictionary attack to break into other users' accounts. He was fired.
    "We only caught that because we were watching," he said.
    
    Users often think that they have nothing in their accounts that a
    malicious hacker would want to see. But hackers often look at breaking
    into accounts as a means to an end. Ryo Furue, an assistant professor
    at the Center for Climate System Research at the University of Tokyo,
    said that a hacker used a password-dictionary cracker called Crack to
    run rampant through the university's systems after starting from a
    relatively innocuous account at the Educational Computer Center. "A
    system is more fragile if you have an attacker inside it than if the
    attack is from outside," Dr. Furue said.
    
    Some organizations devote time to creating elaborate password
    policies; the Defense Department's guidelines are 30 pages long. Some employers
    require that passwords be frequently changed or that they include a
    combination of letters, numbers and special characters. But such
    stringent regulations often backfire. Faced with remembering complex
    new passwords, some people change them back to what they were, write
    them down although others might find them, or simply forget them.
    
    A systems administrator at a company that made employees change
    passwords every two weeks found that about 80 percent of the time,
    users either taped their passwords underneath their keyboards or used
    a variation on the date on which they were last required to change
    passwords.
    
    "God," "sex" and "money" are among the most popular passwords for
    those who are unschooled in computer security. At Bargaindog.com, a
    shopping site with more than 20 million users that is popular with
    middle-aged women, the most popular password was "love."
    
    Younger users tend to use self-laudatory terms. At a popular Web site
    that had 2.5 million registered users with an average age of 25,
    popular passwords were "stud," "goddess," "cutiepie" and "hotbod."
    
    "There were so many 'studs,' it wasn't even funny," said Andrew
    Prihodko, a former technologist for the site, which he requested not
    be named. He said that male users tend to use words related to
    masculinity or profanity. The CentralNic survey found that about 10
    percent of users fall into this category, which it calls "fantasist."
    
    "Even though passwords are supposed to be absolutely secret, it's
    almost as if people are trying to show off with their passwords," said
    Professor Petrie of the University of London.
    
    Trying to be clever, people will sometimes take cues from computer
    messages like "Enter your password now" or "The password is incorrect"
    and select passwords like "now" or "incorrect," said Gary McGraw,
    chief technology officer at Cigital, a software risk management
    company.
    
    Spy or security-related terms like "secret" and "password" are
    popular, too.
    
    "I thought I had a brilliant idea," said Guillemette Faure, a French
    journalist living in New York who used "password" for three years.
    "But then I read somewhere that it was very common." She said she had
    changed it recently after an argument with her boyfriend, who she
    feared would use it to check her e-mail.
    
    Even though the soaring number of Web sites, computer applications and
    financial services has increased demand for new passwords, most people
    tend to use the same ones over and over. A typical user might have to
    enter a password for 10 to 100 different uses, said Rachna Dhamija, a
    graduate student of information management and systems at the
    University of California at Berkeley who has researched passwords. A
    survey by a university research project in which she is involved found
    that most users have only one to seven passwords, however, and they
    tend to be variations on a theme.
    
    This tendency to reuse passwords could be easily exploited, said Mr.
    Prihodko, who is starting a security company called Cambridge Network
    Security. He found that people use the same passwords at their
    entertainment sites that they do for e-mail programs or other
    important accounts.
    
    As part of a security assessment for organizations, Mr. Prihodko
    designed a test in which employees are sent an e-mail message asking
    them to log on to a sweepstakes site with a password. People
    overwhelmingly picked passwords that they also used for more sensitive
    matters like corporate e-mail. The point, he said, is that companies
    should encourage their employees to keep their work passwords and
    personal passwords separate.
    
    Since passwords are meant to be private, learning someone's password
    can open a window into someone's thoughts. "When it's an opposite-sex
    name that is not a spouse or their kids, you always wonder if you've
    learned a little secret," Mr. Wysopal said.
    
    Wellie Chao, chief executive of Xerxes, an e-commerce consulting
    business in Manhattan, said that while studying at Harvard he found a
    file with hundreds of his classmates' passwords on his computer after
    a hacker used the computer to steal passwords. "You could see who had
    a crush on whom based on which girls had which guys' names as
    passwords," said Mr. Chao, who once also had a password based on a
    girl's name.
    
    At HipGuide, a New York multimedia company, employees must turn in
    their passwords when they leave. Syl Tang, the chief executive, said
    she was surprised by the passwords of a departing employee who seemed
    very conservative.
    
    "This was not someone who was coloring outside the line," she said.
    But the employee's passwords were all obscenities.
    
    "It is sort of odd," Ms. Tang said. "You wonder what is going on
    beneath the surface."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Fri Dec 28 2001 - 06:15:53 PST