http://www.dfw.com/mld/dfw/10366676.htm

By Aman Batheja
Star-Telegram Staff Writer
Dec. 08, 2004

It's December, so Dorothy probably has "candycane" written on a piece of paper in her desk drawer. Last month, it was "turkey." Before that, "pumpkin."

At work, Dorothy often chooses her computer password based on the next holiday on the calendar. She has to use several methods of creating passwords because she must change them so often.

"You have to write them down, and I know I shouldn't," said Dorothy, a Fort Worth woman who asked that her last name not be used because, well, she just told everyone her password. "I have an entire sheet of passwords at my desk, which defeats the purpose of security."

Whether it's the name of a child, a favorite sports team or a hot vacation spot, the constantly growing list of computer passwords needed to exist in a Web-addicted world is taxing people's patience -- and memory. Thanks to multiple e-mail accounts, online stores, online bill paying and network software, the plethora of passwords has some people on information overload. And it can only get worse this month as Internet shoppers log on to order those Christmas gifts.

"We're making computer security too hard for the average user," said Steve Jones, founder of the Association of Internet Researchers.

Most people end up using the same password for all their computer activities, Jones said. Or they don't change their passwords often enough. Or they choose passwords that are too obvious. All of those open the door to hackers.

A survey conducted this year in London by Infosecurity Europe showed that the most common passwords were names of relatives, followed by sports teams and pets. A recent study at Southern Methodist University found that two-thirds of people's passwords are based on the users' personal characteristics, said Alan Brown, a psychology professor who conducted the study.
Brown surveyed 218 students and found that about half based their passwords on proper names and birthdays, he said. Just 7.1 percent of the respondents used a password only once. The rest duplicated the same password for more than one application, some five or six times.

"It was kind of disappointing," Brown said. "We confirmed what the suspicion was."

That sloppy password conduct makes stealing credit card numbers and other personal information all too easy for hackers, experts say.

"As far as security is concerned, passwords are probably the No. 1 problem," said Mike Stute, chief technology officer for Global DataGuard in Dallas.

Unconcerned about threats

Every month, the Windows XP Professional software on Nathan's computer asks him for a new password. Every month, he types in the same one.

"Nobody's trying to rip me off," he said.

That I'm-too-small-potatoes-for-a-hacker-to-care-about attitude is all too prominent, according to Rick Fleming of Digital Defense, a San Antonio-based network security firm.

About 10 million Americans were victims of identity theft in 2003, according to the Federal Trade Commission. Many victims never figure out how their information was stolen. But information stolen from the Internet is likely to be used in the most prevalent crimes -- illegal credit card purchases and unauthorized checking account transfers -- according to a September study from Gartner Research, a company based in Bridgewater, N.J., that specializes in technology issues.

"The biggest threat to security is people's lack of concern about it," said Fleming, a computer security veteran of more than 20 years.

When people imagine computer hackers, they might think of Matthew Broderick in the 1983 movie WarGames. Broderick's character guesses the password to a classified military computer. But the typical hacker does not guess by hand. Password-cracking programs first try dictionary words, names and their common variations, and then, if needed, every combination of characters ("brute force"), at rates of up to 300,000 guesses a second.
If the word is in the dictionary or is a proper name, a hacker can crack it in less than a minute, Fleming said. The programs are "in every language known to Earth and a few that aren't, like Klingon," Fleming said.

Hackers don't necessarily mind if they can't find your credit card number. Sometimes, they just want to use your Internet connection to launch further attacks. And that could cause you problems with the authorities.

"You are the one who could be held legally liable," Stute said.

Some hackers want to use computers other than their own to send out spyware, which gathers and reports information about a computer user without the user's consent, or hackers may secretly install a file, such as the latest hit movie, and make it available for illegal download by others.

"Then you've got this huge file there, and everyone's coming in and using your bandwidth access," Stute said.

Getting creative

Some people are more creative than others when choosing passwords. Mike, a Fort Worth computer security analyst, said he uses the name of his favorite mythical creature. Helle, a Scottish woman who was recently visiting friends in Fort Worth, uses the names of her favorite hotels in Las Vegas.

Some turn their passwords into a wry joke. Liz, who works in a coffee shop in Fort Worth, makes a point to use ones such as "imbroke" and "gotnone" when signing on to sites where she pays her bill.

"I think it's funny when I'm paying my student loans in small increments that my password is something like 'moneygone,' " she said.

Janet, of Weatherford, uses her children's names and adds a number.

The real trick to a secure password is making it seem like more of a random mix of characters, including numbers and symbols, Fleming said. That should increase the time it takes to crack a password. But, given enough time and resources, hackers can crack anything. That's why security experts stress the importance of changing your password often.
But that brings the problem back full circle.

"The more frequently you change your password [or] the more complex you make your password, the more likely you are to forget it," Fleming said.

One way to remember a new, but effective, password is to pick a memorable phrase and make your password the first letter of each word. Another method is to insert symbols that resemble letters into an old password, such as turning "dallascowboys" into "da11a$c0wb0y$." The second method buys less than it appears to: cracking programs apply the same letter-for-symbol substitutions to every dictionary word automatically, so the result is only marginally harder to guess than the word it came from. The phrase method is stronger because the result is not derived from any single dictionary word.

Security advances

Someday, passwords could go the way of the floppy disk and eight-track tapes. Researchers are working on more secure alternatives, such as systems that use visual passwords. Users are shown a series of pictures or abstract images and are asked to pick several that seem familiar to them. Those images become their password. To sign on, users pick their pictures from a group of random images. What makes a graphical password system so attractive is that it's difficult to tell anyone else your password or to write it down.

Another avenue is biometric devices such as facial scanners, which are meant to let only the enrolled user sign on to a given system. Microsoft founder Bill Gates has suggested that biometrics are the future of computer security, and Microsoft has introduced a keyboard with a fingerprint reader.

"All the James Bond stuff we've seen over the years may someday be our reality," Fleming said.

IN THE KNOW

What makes a good password?

* It should be at least six characters long with upper and lowercase letters, plus symbols and numbers if the site or program allows it.
* Avoid names, birthdays, telephone numbers or Social Security numbers.
* Devise an acronym using a nonsense phrase or a sequence you can remember, like a line from a song or the initials and ages of several friends.
* Vary your passwords often. You should change them at least every two months for sites or programs containing sensitive information.
SOURCES: Mike Stute of Global DataGuard in Dallas and Rick Fleming of Digital Defense, a San Antonio-based network security firm

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
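The article describes how cracking programs guess dictionary words and their variations, and separately suggests turning "dallascowboys" into "da11a$c0wb0y$". The block below is an added example, not code from the article or from the firms quoted in it, that shows both points together: a small dictionary attack with mangling rules (case changes, letter-for-symbol substitutions, appended numbers) against a salted hash, plus the arithmetic for a full brute-force search at the article's figure of 300,000 guesses a second. The wordlist, the substitution table, the salt and the salted-SHA-256 "stored credential" are all constructed for the demo and stand in for whatever a real system uses; the rule set is a simplified version of what cracking tools ship with.

```python
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# Constructed toy wordlist. Real lists run to millions of entries in many languages.
WORDLIST = ["password", "turkey", "candycane", "pumpkin", "dallascowboys", "imbroke", "moneygone"]

# Letter-for-symbol substitutions of the kind the article suggests ("dallascowboys" -> "da11a$c0wb0y$").
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"}

# Appended numbers: "uses her children's names and adds a number".
SUFFIXES = [""] + [str(n) for n in range(100)]


def leet_variants(word: str) -> Iterator[str]:
    """Yield every combination of keeping or substituting each substitutable letter in `word`."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, flip in zip(positions, mask):
            if flip:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def mangle(word: str) -> Iterator[str]:
    """Yield distinct candidate passwords derived from one dictionary word (simplified rule set)."""
    seen = set()
    bases = [word, word.capitalize(), word.upper(), *leet_variants(word.lower())]
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def hash_password(salt: bytes, password: str) -> str:
    """Stand-in for a stored credential: salted SHA-256 (constructed for the demo, not any product's scheme)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(target_hex: str, salt: bytes, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Dictionary attack: hash each mangled candidate and compare to the target.

    Returns (matching password or None, number of guesses made).
    """
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_password(salt, candidate) == target_hex:
                return candidate, guesses
    return None, guesses


def exhaustive_search_seconds(length: int, alphabet_size: int, guesses_per_second: int = 300_000) -> float:
    """Worst-case time to try every string of `length` characters over an alphabet of `alphabet_size`
    at the article's rate of 300,000 guesses per second."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; a real system stores a per-user salt with the hash
    for secret in ["turkey", "Candycane7", "da11a$c0wb0y$", "Xk9#vL2q"]:
        found, n = crack(hash_password(salt, secret), salt)
        outcome = f"cracked as {found!r}" if found else "not derived from the wordlist"
        print(f"{secret!r}: {outcome} after {n} guesses")
    print(f"6 lowercase letters, full search: {exhaustive_search_seconds(6, 26) / 60:.0f} minutes")
    print(f"8 printable-ASCII characters, full search: {exhaustive_search_seconds(8, 95) / 31_557_600:.0f} years")
```

Running it shows that "turkey", "Candycane7" and "da11a$c0wb0y$" all fall to the dictionary pass within a few tens of thousands of guesses, which at 300,000 guesses a second is a fraction of a second, while a string such as "Xk9#vL2q" that is not derived from any wordlist entry survives the dictionary pass and forces the attacker back to the exhaustive search, whose cost grows with length and alphabet size.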
This archive was generated by hypermail 2.1.3 : Thu Dec 09 2004 - 02:02:43 PST