Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia
Posted: Mon May 13, 2002 4:36 pm Post subject: The BBC's Take on Password Security
A few valid points and good tips.
BBC Sci-Tech wrote:
In order to access computer networks, online bank or e-mail accounts, we need a wide range of usernames and passwords.
Constant attention is required to track what our name is in each virtual environment, and what password is needed at that moment to access personal information.
This means that using the internet requires us to constantly create and manage multiple identities.
The complaint that the internet enables people all too freely to impersonate alternate identities often overlooks a fundamental point: online, we are all required to assume multiple personae.
Friends and family
Ensuring our various accounts are secure means constantly creating and updating a range of passwords.
While the content they protect may be financially and personally sensitive and specific, the majority of passwords people use adopt generic, often easy to detect patterns.
Is your password too easy to discover?
Knowing a bit of detail about someone, such as names of family and friends, favourite books and films, and where the individual lives, can often offer enough clues to successfully guess someone's password.
Checking for Post-It notes on someone's monitor is another quick way to find this sensitive information.
And one of the most common passwords of all is password. Words like secret, system and banana are also pretty popular.
While there are a number of software applications on the market promising password protection, attaining simple to use, guaranteed security seems to remain elusive.
To manufacture a more secure, less breakable password, online security expert Dave Perry from TrendMicro gives the following advice.
Use a full sentence and put some symbols and numbers at the end of it. If you can touch-type quickly enough, the password should be secure and not visually detectable.
Alternatively, experts say you should pick a cycle of words that mean something to you from your past.
Change one of the letters to a number, like an E to a 3, and then rotate through them for your various passwords.
So alongside managing multiple identities, we now need to practically assume the vigilance, even the paranoia, of a Cold War spy to ensure our online security.
Unsurprisingly, the majority of online users find these techniques impractical, opting instead for easy to remember, and perhaps easy to crack, passwords.
This might undermine our security, but we do it because it's the most efficient way for us to use what the net has to offer.
Some good points from readers as well:
Substituting letters for numbers (for instance, 'e' to three or 'l' to one) is not such a great idea. Most decent password crackers will take a list of known possible words and permute them; this will involve substituting letters for numbers, adding numbers after the word and other common changes people make to normal words. Look at how password crackers work at trying to guess your password, then choose your password accordingly. Weak passwords are the number one vulnerability in computer systems worldwide; it has always been that way and will continue to be that way for some time to come.
A long time ago, someone told me that he had devised a very clever system of ensuring that his password could never be guessed or easily copied. He was working on a Unix system and always tried to ensure that his password was as close to the maximum number of characters allowed as possible. He simply used titles of songs or books or sentences or phrases from articles that he came across. He once had a password that was 64 characters long! I have since adopted the same principle: I choose titles of songs or books, but I choose a mix of both capital and common letters and numbers as well as the spacebar and underscore if those are allowed. When people try to see what my password is (I also type very fast), they get tired after the first 10 strokes since they get caught up wondering what on earth I could be typing for so long!
For insecure sites, like just a simple message board, I use a generic simple one. For more secure things like online banking or a website that stores my credit card information, this is the easiest way to create a secure password. Let's take a Hotmail account as an example: pick a sentence that is easily remembered in the context, like "My e-mail should only be accessible to me", and create the password by taking the first letters of each word, replacing certain characters: "Me50ba2m". Now guess that!
Pick a sentence and use the first character from each word, substituting some letters for 'equivalent' numbers. For example: "The quick brown fox jumped over the lazy dog" can become "tqbfj0tld". Easy to recall, difficult to crack.
Choose a word at random - say "Elephant" - then change the ending to generate a word not extant in the dictionary - say "Elephantusi." Try and make it something silly so it sticks in your mind. Finally, switch some letters for numbers that resemble them and add caps in places you'll remember: say "el3ph4ntusI." This generates a very secure password that can't be cracked by brute force but is easy to remember.
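The reader comment about how crackers work (take a wordlist, then apply the substitutions and suffixes people habitually use) is easy to see in code. The block below is an added example, not code from the BBC article, the readers, or any real cracking tool: a small rule-based mangler over a constructed six-word list, with a check for whether a given password falls inside the generated space. The wordlist, the substitution table and the suffix list are all assumptions chosen for illustration; a real cracker uses lists of millions of words and far richer rule sets, so a password escaping this toy set proves nothing about it.

```python
"""Rule-based wordlist mangling, as a cracker would apply it.

Constructed for illustration: the base wordlist, LEET table and SUFFIXES
are assumptions, not the rules of any real tool.
"""
import itertools

# Constructed mini wordlist (a real one has millions of entries).
WORDLIST = ["password", "secret", "system", "banana", "elephant", "letmein"]

# Letter-to-symbol substitutions people commonly make ('e' -> '3', etc.).
LEET = {
    "a": ["4", "@"],
    "e": ["3"],
    "i": ["1", "!"],
    "o": ["0"],
    "s": ["5", "$"],
    "l": ["1"],
}

# Things commonly tacked onto the end: nothing, 0-99, a recent year, '!', '123'.
SUFFIXES = (
    [""]
    + [str(n) for n in range(100)]
    + [str(y) for y in range(1990, 2003)]
    + ["!", "123"]
)


def leet_variants(word):
    """Yield every combination of substituting zero or more eligible letters."""
    options = [[ch] + LEET.get(ch, []) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word):
    """Original, Capitalised and UPPER forms of one candidate."""
    return {word, word.capitalize(), word.upper()}


def mangle(word):
    """All candidates derived from one base word by the rules above."""
    out = set()
    for leet in leet_variants(word.lower()):
        for cased in case_variants(leet):
            for suf in SUFFIXES:
                out.add(cased + suf)
    return out


def build_candidates(wordlist=WORDLIST):
    """The full candidate space for a wordlist under these rules."""
    cands = set()
    for w in wordlist:
        cands |= mangle(w)
    return cands


def is_crackable(password, candidates=None):
    """True if the password is reachable from the wordlist by these rules."""
    if candidates is None:
        candidates = build_candidates()
    return password in candidates


if __name__ == "__main__":
    space = build_candidates()
    print(f"{len(space)} candidates from {len(WORDLIST)} base words")
    for pw in ["passw0rd", "Banana1", "S3cret2002", "el3ph4ntusI", "tqbfj0tld"]:
        print(f"{pw:12} reachable: {is_crackable(pw, space)}")
```

The point the example makes is the one the reader raises: a single substitution or appended digit on a dictionary word ("passw0rd", "Banana1", "S3cret2002") costs a cracker almost nothing, since each base word expands into only tens of thousands of candidates. The schemes that do not start from a dictionary word (a sentence initialism such as "tqbfj0tld", or a word with an invented tail such as "el3ph4ntusI") are not reached by these rules; whether they survive a real attack depends on the attacker's wordlists and rules, which this toy does not model.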
Trusted SF Member
Joined: 11 May 2002
Location: Las Palmas de Gran Canaria
Posted: Sun Jun 02, 2002 7:52 pm Post subject:
Of course, most hacks don't involve bruting.
'Don't accept exe's, choose good passwords, don't allow others to see your password, get a FW, update AV' ... was the advice doled out by 4 online banks in response to my showing BBC's Susan Nelson (Sci-Tech correspondent) live how to compromise an online banking client and transfer funds illegally without requiring any file acceptance (Newsnight, BBC News 24, CNN).
If you follow all this advice and still get screwed over, you will be accused of revealing your password (they say these passwords cannot be cracked) and be held solely liable for any personal loss.
As an encore I went on to show how CHAPS (Clearing House Automatic Payments System) could be cracked wide open in another televised demonstration DESPITE their professional setup, 512bit encryption, 16+ character random alphanumeric passwords, etc... ie: despite All THEIR advice to US.
I think discussions on how to generate secure passwords are useful - but hardly the most serious issue affecting network users and admins.
I'm aware that I'm starting to sound like a cynic - probably because I AM a cynic ... but as an accomplished grey-hat hacker I feel my cynicism is more than justified by personal and group experience.