* via http://theMezz.com/lists

* subscribe at http://techPolice.com

Predictable Passwords Simplify a Hacker's Task
By Jennifer 8. Lee, New York Times Service
Monday, December 31, 2001

Computer passwords are supposed to be personal, disposable and discreet. But people 
become sentimentally attached to them or leave them taped underneath their keyboards 
or on their monitors, to the dismay of computer-security professionals worldwide.

Even those who are vigilant about guarding passwords may be giving away more than they 
think. The problem is that computer passwords have evolved into the personality test 
of a networked society, as millions of people try to sum up their essence through a 
few taps on the keyboard. As psychologists know, people and personalities are often 
very predictable in the aggregate, and thus so are passwords - a reality that 
malevolent computer hackers often take advantage of.

"When you are thinking of something neutral to use as a password, whatever your 
obsession is will pop into your head," said Helen Petrie, a professor of human 
computer interaction at City University in London. "It's the new version of the 
inkblot or word-association test."

Psychologists say that people can hold only about five to nine unrelated items in 
short-term memory at once. Users therefore often choose passwords with a personal 
meaning that they can anchor to something in their long-term memory. A recent 
survey of 1,200 employees of British companies by CentralNic, a London-based 
domain-registration company, showed that half of them used passwords related to family 
- passwords based on names, nicknames or birthdays of partners, children or pets.

"God," "sex" and "money" are among the most popular passwords for those unschooled in 
computer security. At Bargaindog.com, a shopping site with more than 20 million users 
that is popular with middle-aged women, the leading password was "love."

Younger users tend to use self-laudatory terms. At a popular Web site that had 2.5 
million registered users with an average age of 25, popular passwords were "stud," 
"goddess," "cutiepie" and "hotbod."

"There were so many 'studs,' it wasn't even funny," said Andrew Prihodko, a former 
technologist for the site, which he requested not be identified. He said that male 
users tend to use words related to masculinity or profanity. The CentralNic survey 
found that about 10 percent of users fall into this category, which it calls 

"Even though passwords are supposed to be absolutely secret, it's almost as if people 
are trying to show off with their passwords," said Ms. Petrie of City University.

Spy or security-related terms like "secret" and "password" are quite popular as well.

Even though the soaring number of Web sites, computer applications and financial 
services has increased demand for new passwords, most people tend to use the same ones 
over and over. A typical user might have to enter a password for 10 to 100 different 
uses, said Rachna Dhamija, a graduate student of information management and systems at 
the University of California at Berkeley who has researched passwords.

This tendency to reuse passwords could be easily exploited, said Mr. Prihodko, who is 
starting a security company called Cambridge Network Security.

As part of a security assessment for organizations, Mr. Prihodko designed a test in 
which employees are sent an e-mail message asking them to log on to a sweepstakes site 
with a password. People overwhelmingly picked passwords that they also used for more 
sensitive matters like corporate e-mail. The point, he said, is that companies should 
encourage their employees to keep their work passwords and personal passwords separate.

Even high-ranking executives may act on naive impulses when it comes to choosing a 
password. Edward Skoudis, vice president for security strategy at Predictive Systems 
in Manhattan, recounted how the user account of the top executive at a large Japanese 
financial institution was cracked open during a security assessment. The automatic 
password scanner found that his password was a woman's name.

Sometimes passwords can be cracked by security consultants with what is known as a 
"brute force" program, which tries every possible combination of, say, six or seven 
characters. But because what emerges from the human mind is seldom truly random, the 
more efficient programs first work systematically through extended dictionaries: common 
words plus the variations people bolt onto them.

At a million password attempts per second, the password scanners used by security 
companies can be very efficient. In the typical corporation with 10,000 employees 
using Microsoft Windows, 20 percent to 50 percent of the Windows passwords could be 
determined in the first 20 minutes with an extended word-list attack, and 90 percent 
on the first day by adding a brute-force attack, said Chris Wysopal, director of 
research and development for @stake, a security company based in Cambridge, 
Massachusetts, that produces a Windows password-auditing tool called LC3.
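The two attack modes described above, as an added illustration that is not code from the article, from @stake or from LC3: an extended-dictionary pass that tries each word with cheap variations (case changes, digit suffixes) against a set of hashes, followed by a worst-case cost estimate for exhaustive search at the one-million-guesses-per-second rate the article quotes. The wordlist, the user accounts and their passwords are constructed for the example, and SHA-256 stands in for the Windows LM/NTLM hashes a real audit would target so that the script runs with the standard library alone. One caveat a practitioner should keep in mind when reading the "90 percent in a day" figure: the Windows LM hash of that era upper-cases the password and splits it into two independent 7-character halves, which is what makes exhaustive search of a "14-character" LM password feasible in hours; the keyspace arithmetic below shows why a single 7-character mixed-case search is already a multi-week job at that rate.

```python
import hashlib
import string

# Constructed sample data (not from the article): a tiny "extended dictionary" seeded with
# the predictable choices the article reports, and four user hashes to audit. SHA-256 is a
# stand-in for the LM/NTLM hashes a Windows audit tool would actually attack.
WORDLIST = ["love", "god", "sex", "money", "stud", "goddess", "cutiepie",
            "hotbod", "secret", "password", "jennifer"]
LOWER = string.ascii_lowercase
ALNUM = string.ascii_letters + string.digits


def hash_pw(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


TARGETS = {
    "alice": hash_pw("love"),
    "bob": hash_pw("Stud7"),
    "carol": hash_pw("Xq#9vL2!t"),   # not word-derived; should survive the dictionary pass
    "dave": hash_pw("password1"),
}


def mangle(word):
    """Yield a dictionary word plus the cheap variations people actually use:
    three case forms, each bare and with a 0-99 digit suffix (303 candidates per word)."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):
            yield f"{base}{n}"


def dictionary_attack(targets, wordlist):
    """Try every mangled wordlist entry against all target hashes at once.
    Returns (recovered {user: password}, number of guesses made)."""
    pending = {}
    for user, digest in targets.items():
        pending.setdefault(digest, []).append(user)   # identical passwords share a hash
    recovered = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            for user in pending.pop(hash_pw(candidate), []):
                recovered[user] = candidate
            if not pending:                 # everything cracked; stop early
                return recovered, guesses
    return recovered, guesses


def brute_force_keyspace(length, alphabet):
    """Candidates an exhaustive search of exactly `length` characters must try."""
    return len(alphabet) ** length


def seconds_to_exhaust(keyspace, rate=1_000_000):
    """Worst-case time at the article's one-million-guesses-per-second figure."""
    return keyspace / rate


if __name__ == "__main__":
    found, tried = dictionary_attack(TARGETS, WORDLIST)
    print(f"dictionary pass: {len(found)}/{len(TARGETS)} recovered after {tried} guesses -> {found}")
    for length, alphabet, label in ((6, LOWER, "6 lowercase"),
                                    (7, ALNUM, "7 mixed-case alphanumeric")):
        ks = brute_force_keyspace(length, alphabet)
        days = seconds_to_exhaust(ks) / 86400
        print(f"brute force, {label}: {ks:,} candidates, {days:.1f} days worst case")
```

Three of the four constructed accounts fall to a few thousand dictionary guesses, while the one non-word password is untouched; exhausting six lowercase letters takes about five minutes at this rate, and seven mixed-case alphanumerics about 40 days. That gap is the whole argument for dictionary-first auditing.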

Passwords, the "open sesame" of a computerized world, are thus the sieves of computer 
security. Passwords are also the only authentication of identity within a corporate 
network to which many people may have access.

"When insiders go bad and want to steal information, a password attack is a very 
common thing," Mr. Wysopal said.

Users often think that they have nothing in their accounts that a malicious hacker 
would want to see. But hackers often look at breaking into accounts as a means to an 
end. Ryo Furue, an assistant professor at the Center for Climate System Research at 
the University of Tokyo, said that a hacker used a password-dictionary cracker called 
Crack to run rampant through the university's systems after starting from a relatively 
innocuous account at the Educational Computer Center.

"A system is more fragile if you have an attacker inside it than if the attack is from 
outside," Mr. Furue said.

Some organizations devote time to creating elaborate password policies - the Defense 
Department's guidelines are 30 pages long. Some employers require that passwords be 
frequently changed or that they include a combination of letters, numbers and special 

But such stringent rules often backfire. Faced with remembering complex new passwords, 
some people change them back to what they were, write them down where others might find 
them, or simply forget them.

A systems administrator at a company that made employees change passwords every two 
weeks found that about 80 percent of the time, users either taped their passwords 
underneath their keyboards or used a variation on the date on which they were last 
required to change passwords.
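A check for the two failure modes in the anecdote above (a new password that is the old one with a digit bumped, or one built from the date of the forced change), as an added example that is not code from the article or from any product. The date formats searched for and the similarity threshold are assumptions made for this example; the sample old/new password pairs and the rotation date are constructed. Such a check belongs at password-change time, where the previous password is still available in cleartext, since it cannot be run against stored hashes.

```python
import re
from datetime import date
from difflib import SequenceMatcher

# Assumed formats a user might embed from the change date (MMDD, DDMM, with two- or
# four-digit years, month names). This list is an assumption for the example.
DATE_FORMATS = ("%m%d", "%d%m", "%m%d%y", "%d%m%y", "%y%m%d", "%Y%m%d", "%d%m%Y",
                "%B", "%b", "%b%d", "%d%b")

# Constructed sample: the article's publication date serves as the forced-change date.
ROTATION_DATE = date(2001, 12, 31)


def date_tokens(change_date):
    """Lower-cased strings a user is likely to derive from the rotation date."""
    return sorted({change_date.strftime(fmt).lower() for fmt in DATE_FORMATS})


def core(password):
    """Strip leading/trailing digits and punctuation and lower-case, so that
    'Fluffy12' and 'fluffy13!' compare as the same underlying word."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password).lower()


def trivial_variation(old, new, threshold=0.8):
    """True if `new` is `old` with only edge digits/symbols or case changed, or is
    near-identical character-wise (SequenceMatcher ratio >= threshold)."""
    c_old, c_new = core(old), core(new)
    if c_old and c_old == c_new:
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def check_rotation(old, new, change_date):
    """Return the list of reasons to reject `new`; an empty list means it passes."""
    reasons = []
    low = new.lower()
    for tok in date_tokens(change_date):
        if tok in low:
            reasons.append(f"contains change-date token {tok!r}")
    if trivial_variation(old, new):
        reasons.append("trivial variation of previous password")
    return reasons


if __name__ == "__main__":
    # Constructed old/new pairs, not real passwords.
    for old, new in (("summer1", "summer2"), ("Fluffy12", "fluffy13!"),
                     ("summer1", "Dec312001"), ("summer1", "Xq#9vL2!t")):
        verdict = check_rotation(old, new, ROTATION_DATE) or ["ok"]
        print(f"{old!r} -> {new!r}: {verdict}")
```

The month-abbreviation token is the noisy one: "dec" also matches unrelated words such as "decoy", so a deployment would either require a digit adjacent to the abbreviation or drop that format. The similarity threshold catches single-character edits in the middle of the word that the prefix/suffix stripping misses.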

Since passwords are meant to be private, learning someone's password can open a window 
into someone's thoughts. "When it's an opposite-sex name that is not a spouse or their 
kids, you always wonder if you've learned a little secret," Mr. Wysopal said.

At HipGuide, a New York multimedia company, employees must turn in their passwords 
when they leave. Syl Tang, the chief executive, said she was surprised by the 
passwords of a departing employee who seemed very conservative. The employee's 
passwords were all obscenities.

"It is sort of odd," Ms. Tang said. "You wonder what is going on beneath the surface."

