Forwarded From: darek milewski <darekm@cmeasures.com>
http://www.herald.com/archive/cyber/techdocs/040080.htm
The best password is more than a word
By SARA ROBINSON
The Dallas Morning News
Most people wouldn't leave their passport lying on a park bench or shout
their Social Security number across a crowded room. But choosing a bad
password, or even logging in to your account from a remote site while on
vacation, can amount to the same thing.
In a password-based computer system, your password is your identification
card, how your computer knows it's OK to let you in the front door.
But in cyberland, interior doors aren't securely locked and elevators stop
at every floor. Someone with your password and some hacking skills can
obtain access to everything on your network.
``The security of the system is the security of the weakest password,''
says Bruce Schneier, author of Applied Cryptography and president of
Counterpane Systems, a computer security firm.
Large-scale threat
CERT Coordination Center, an organization based at Carnegie Mellon
University that collects reports on computer security problems, gets many
reports of password-based attacks, says spokesman Shawn Hernan. He cites
an incident reported to CERT in July when an intruder was detected with a
list of 186,000 passwords collected from businesses and universities all
over the world.
In a joint survey by the FBI and the Computer Security Institute of San
Francisco, 64 percent of the 520 organizations surveyed (Fortune 500
companies, government agencies and financial institutions) reported computer
security breaches over a 12-month period.
Some of the blame rests on users who pick bad passwords. And it only takes
one such password on a network to make it vulnerable to intruders.
In a typical system, each user has one fixed password until they decide to
change it. The system does not store the password itself. When the password
is typed in, the computer runs it through a one-way function that turns it
into a fixed-length string of gibberish, then checks that string against the
long list of such strings in a password file stored on the computer. If it
finds an identical string paired with your log-in, it lets you into the
system. The function cannot be run backward, so the file does not give up
the passwords directly.
How hackers do it
Hackers attempting to break into a system typically go after the password
file, says David Wagner, a graduate student at the University of
California at Berkeley, specializing in computer security. If they have
achieved a high enough level of access to read it, they can take a copy of
the file with them and run a password-cracking program on it at leisure.
A cracking program runs a long list of character strings, such as every
word in a dictionary, through the same one-way function and checks the
results against the encrypted password file. Each match gives up one
account's password, and a single match is enough to get the intruder onto
the system.
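The two halves of what is described above, the login check against a hashed password file and the dictionary attack against a stolen copy of that file, as an added Python example that is not code from the article. The salted SHA-256 here stands in for whatever one-way function a real system uses (an assumption, not the article's scheme), and the password file, its salts and the word list are all made up for the example. The mangle rules are a small sample of the rewrite rules real cracking programs apply to every dictionary word.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> str:
    """One-way transform of a password. Salted SHA-256 stands in for the
    system's real function (assumption): cheap to compute, infeasible to
    reverse, so the stored string reveals nothing directly."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_entry(login: str, password: str, salt: bytes = None) -> dict:
    """What the system stores per user: login, salt and hash. Never the password."""
    salt = salt if salt is not None else os.urandom(8)
    return {"login": login, "salt": salt.hex(), "hash": hash_password(password, salt)}


def check_login(password_file, login: str, password: str) -> bool:
    """The login program: hash what was typed with the user's stored salt and
    compare it with the stored hash (constant-time compare)."""
    for entry in password_file:
        if entry["login"] == login:
            candidate = hash_password(password, bytes.fromhex(entry["salt"]))
            return hmac.compare_digest(candidate, entry["hash"])
    return False


# Constructed password file with fixed salts so the example is reproducible.
PASSWORD_FILE = [
    make_entry("alice", "Tr0ub4dor&3x!Q", bytes.fromhex("0102030405060708")),  # not in any wordlist
    make_entry("bob",   "password",       bytes.fromhex("1112131415161718")),  # dictionary word
    make_entry("carol", "Rover",          bytes.fromhex("2122232425262728")),  # the dog's name
    make_entry("dave",  "secret99",       bytes.fromhex("3132333435363738")),  # word plus digits
]

# Constructed word list; a real one is a dictionary of tens of thousands of words.
WORDLIST = ["letmein", "dragon", "password", "rover", "secret"]


def mangle(word: str):
    """A few of the rewrite rules crackers apply to every dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]                 # the dog's name spelled backward
    for n in range(100):
        yield f"{word}{n}"           # a number tacked on the end


def crack(password_file, wordlist) -> dict:
    """The cracking program: hash each guess with each user's salt and look
    for a match. The salt forces a separate pass over the word list per user;
    without salts, one hash per guess would test the whole file at once."""
    found = {}
    for entry in password_file:
        salt = bytes.fromhex(entry["salt"])
        for word in wordlist:
            hit = next((g for g in mangle(word) if hash_password(g, salt) == entry["hash"]), None)
            if hit is not None:
                found[entry["login"]] = hit
                break
    return found


if __name__ == "__main__":
    print("bob logs in with 'password':", check_login(PASSWORD_FILE, "bob", "password"))
    print("cracked:", crack(PASSWORD_FILE, WORDLIST))
```

Three of the four accounts fall to a five-word list because the rules recover capitalization and appended digits; the one that survives is the one that was never a dictionary word in any form.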
This sort of attack doesn't require a high degree of skill on the part of
the hacker. All sorts of password-cracking programs are available on the
Internet, many from security Web sites promoting regular password checks
by system administrators.
Some systems can defend against cracking programs by keeping the password
file under tight security, so that ordinary users cannot read it. The bigger
problem, Wagner says, is sniffers.
Sniffers are programs that unobtrusively monitor the network traffic passing
a computer's network interface, picking out whatever type of data they're
programmed to intercept, such as any chunk containing the word password.
Sending data over a network is ``like shouting in a crowded room,'' Wagner
says. ``Everyone can hear what everyone else says,'' but computers are
supposed to listen only to the one shouting at them.
Internet danger
The problem becomes worse for data sent over the Internet. When you log
in to your account from a remote location, unless you take special
precautions such as using an encrypted connection, your password travels in
the clear through every router on the path, perhaps hundreds of computers.
Routers are big computers that act as traffic cops, directing the flow of
traffic from one crowded room to another.
A sniffer installed on a router has the potential to pick off thousands of
passwords. And, like password-cracking programs, sniffers are everywhere.
Doug Tygar, a computer scientist at Carnegie Mellon, says system
administrators pull sniffers off their network about once a week.
``At any given time there's probably a sniffer running on our system,'' he
says.
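What a sniffer actually does with the traffic it sees, as an added Python example that is not code from the article. In practice a sniffer keys on the protocol rather than on the literal word password: for FTP, whose control channel carries the login in plain text, that means the USER and PASS commands sent to port 21. The capture below is constructed for the example (addresses, user name and password are made up), and the PASS line is deliberately split across two segments, as real traffic often is, so the sniffer has to reassemble each direction of the connection before it can read the commands. Run over an encrypted session, the same code would find only ciphertext.

```python
from collections import defaultdict

# Constructed capture: (src, dst, payload) for the TCP segments of one FTP
# control connection between a client and a server on port 21. Made up.
CAPTURE = [
    ("10.0.0.9:21",   "10.0.0.5:1043", b"220 ftp.example.test FTP server ready\r\n"),
    ("10.0.0.5:1043", "10.0.0.9:21",   b"USER jdoe\r\n"),
    ("10.0.0.9:21",   "10.0.0.5:1043", b"331 Password required for jdoe\r\n"),
    ("10.0.0.5:1043", "10.0.0.9:21",   b"PASS s3c"),          # split across
    ("10.0.0.5:1043", "10.0.0.9:21",   b"ret\r\n"),           # two segments
    ("10.0.0.9:21",   "10.0.0.5:1043", b"230 User jdoe logged in\r\n"),
    ("10.0.0.5:1043", "10.0.0.9:21",   b"QUIT\r\n"),
]


def reassemble(capture):
    """Glue each direction of each connection back into one byte stream,
    keyed by (src, dst), so commands split across segments can be read."""
    streams = defaultdict(bytearray)
    for src, dst, payload in capture:
        streams[(src, dst)] += payload
    return streams


def harvest_ftp_logins(capture):
    """The sniffer's matching step for FTP: in every client-to-server stream
    bound for port 21, pair each USER command with the PASS that follows.
    Returns [(server, user, password), ...]."""
    creds = []
    for (src, dst), data in reassemble(capture).items():
        if not dst.endswith(":21"):
            continue                      # only the client's side of the control channel
        user = None
        for line in bytes(data).split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() == b"USER":
                user = arg.decode(errors="replace")
            elif verb.upper() == b"PASS" and user is not None:
                creds.append((dst, user, arg.decode(errors="replace")))
                user = None
    return creds


if __name__ == "__main__":
    for server, user, password in harvest_ftp_logins(CAPTURE):
        print(f"{server}: {user} / {password}")
```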
Password problems cannot be addressed only by users, however. Experts
cite the widespread use of insecure computer systems as the bigger
problem, but good security costs money.
And there are other methods of securing access to your computer system:
through fingerprint or eye scans, for instance.
For logging in remotely, tokens provide the best security, experts say. A
token is a little card, about the size of your credit card, that generates
a one-time password, valid only for a brief period, each time you enter a
personal identification number. A password that a sniffer picks off the
wire is therefore useless once that period has passed.
But at $30 to $50 per card, tokens require a greater investment in
security than most organizations will make.
PASSWORD TIPS
The Dallas Morning News
When creating a password:
+ Don't use names or numbers associated with you in any form, such as your
user name, your wife's name, your dog's name spelled backward, your
telephone number transposed, your middle name in French, etc. Hackers know
enough about you to make an educated guess.
+ Don't use names or dictionary words, including several words strung
together, in any language.
+ Use both upper- and lower-case letters as well as punctuation symbols or
numbers.
+ Use different passwords for different accounts. An intruder who cracks
your password on one network can use it to jump to other networks.
Once your password is created:
+ Change it frequently, at least every four to six months. If you need to
use the same basic word as your password, vary it with unexpected numbers
or symbols or misspellings; bear in mind that cracking programs try simple
variations such as a digit tacked on the end automatically, so the variation
has to be more than that. Sniffer programs that intercept passwords are
quite common, and changing your password limits how long a captured one
stays useful.
+ Don't e-mail your password to anyone.
+ Don't tell anyone your password. If someone calls you claiming to need
your password, don't give it. A legitimate technician would already have
the access needed to do the job and would not need your password.
+ If, for any reason, you must share your password, change it as soon as
possible.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sat Nov 21 11:38:45 1998