* via http://theMezz.com/lists * subscribe at http://techPolice.com
Predictable Passwords Simplify a Hacker's Task Jennifer 8. Lee New York Times Service Monday, December 31, 2001 Computer passwords are supposed to be personal, disposable and discreet. But people become sentimentally attached to them or leave them taped underneath their keyboards or on their monitors, to the dismay of computer-security professionals worldwide. Even those who are vigilant about guarding passwords may be giving away more than they think. The problem is that computer passwords have evolved into the personality test of a networked society, as millions of people try to sum up their essence through a few taps on the keyboard. As psychologists know, people and personalities are often very predictable in the aggregate, and thus so are passwords - a reality that malevolent computer hackers often take advantage of. "When you are thinking of something neutral to use as a password, whatever your obsession is will pop into your head," said Helen Petrie, a professor of human computer interaction at City University in London. "It's the new version of the inkblot or word-association test." Psychologists say that people can store only five to nine random bits of information in their short-term memory. Users therefore often choose passwords with a personal meaning that they can associate with something in their long-term memory. A recent survey of 1,200 employees of British companies by CentralNic, a London-based domain-registration company, showed that half of them used passwords related to family - passwords based on names, nicknames or birthdays of partners, children or pets. "God," "sex" and "money" are among the most popular passwords for those unschooled in computer security. At Bargaindog.com, a shopping site with more than 20 million users that is popular with middle-aged women, the leading password was "love." Younger users tend to use self-laudatory terms. At a popular Web site that had 2.5 million registered users with an average age of 25, popular passwords were "stud," "goddess," "cutiepie" and "hotbod." "There were so many 'studs,' it wasn't even funny," said Andrew Prihodko, a former technologist for the site, which he requested not be identified. He said that male users tend to use words related to masculinity or profanity. The CentralNic survey found that about 10 percent of users fall into this category, which it calls "fantasist." "Even though passwords are supposed to be absolutely secret, it's almost as if people are trying to show off with their passwords," said Ms. Petrie of City University. Spy or security-related terms like "secret" and "password" are quite popular as well. Even though the soaring number of Web sites, computer applications and financial services has increased demand for new passwords, most people tend to use the same ones over and over. A typical user might have to enter a password for 10 to 100 different uses, said Rachna Dhamija, a graduate student of information management and systems at the University of California at Berkeley who has researched passwords. This tendency to reuse passwords could be easily exploited, said Mr. Prihodko, who is starting a security company called Cambridge Network Security. As part of a security assessment for organizations, Mr. Prihodko designed a test in which employees are sent an e-mail message asking them to log on to a sweepstakes site with a password. People overwhelmingly picked passwords that they also used for more sensitive matters like corporate e-mail. The point, he said, is that companies should encourage their employees to keep their work passwords and personal passwords separate. Even high-ranking executives may act on naive impulses when it comes to choosing a password. Edward Skoudis, vice president for security strategy at Predictive Systems in Manhattan, recounted how the user account of the top executive at a large Japanese financial institution was cracked open during a security assessment. The automatic password scanner found that his password was a woman's name. Sometimes passwords can be cracked by security consultants with what is known as a "brute force" program, which may try every possible six- or seven-character combination. But given that what emerges from the human mind is seldom truly random, the more efficient computer programs systematically use extended dictionaries. At a million password attempts per second, the password scanners used by security companies can be very efficient. In the typical corporation with 10,000 employees using Microsoft Windows, 20 percent to 50 percent of the Windows passwords could be determined in the first 20 minutes with an extended word-list attack, and 90 percent on the first day by adding a brute-force attack, said Chris Wysopal, director of research and development for @stake, a security company based in Cambridge, Massachusetts, that produces a Windows password-auditing tool called LC3. Passwords, the "open sesame" of a computerized world, are thus the sieves of computer security. Passwords are also the only authentication of identity within a corporate network to which many people may have access. "When insiders go bad and want to steal information, a password attack is a very common thing," Mr. Wysopal said. Users often think that they have nothing in their accounts that a malicious hacker would want to see. But hackers often look at breaking into accounts as a means to an end. Ryo Furue, an assistant professor at the Center for Climate System Research at the University of Tokyo, said that a hacker used a password-dictionary cracker called Crack to run rampant through the university's systems after starting from a relatively innocuous account at the Educational Computer Center. "A system is more fragile if you have an attacker inside it than if the attack is from outside," Mr. Furue said. Some organizations devote time to creating elaborate password policies - the Defense Department's guidelines are 30 pages long. Some employers require that passwords be frequently changed or that they include a combination of letters, numbers and special characters. But such stringent regulations often backfire. Faced with remembering complex new passwords, some people change them back to what they were, write them down although others might find them - or simply forget them. A systems administrator at a company that made employees change passwords every two weeks found that about 80 percent of the time, users either taped their passwords underneath their keyboards or used a variation on the date on which they were last required to change passwords. Since passwords are meant to be private, learning someone's password can open a window into someone's thoughts. "When it's an opposite-sex name that is not a spouse or their kids, you always wonder if you've learned a little secret," Mr. Wysopal said. At HipGuide, a New York multimedia company, employees must turn in their passwords when they leave. Syl Tang, the chief executive, said she was surprised by the passwords of a departing employee who seemed very conservative. The employee's passwords were all obscenities. "It is sort of odd," Ms. Tang said. "You wonder what is going on beneath the surface." http://www.iht.com/articles/43366.html ============================================================ Join Dialfreecalls.com TODAY and make all your phone calls worldwide for FREE!! No Fees of any kind! Call from Any Phone! No purchases and No credit cards required. Join Now. It's Simple, Easy, and Best of All, it's FREE! http://click.topica.com/caaafizb1dhr0b2EDp2f/Dialfreecalls.com ============================================================ --via http://techPolice.com archive: http://theMezz.com/cybercrime/archive subscribe: [EMAIL PROTECTED] --via http://theMezz.com ==^================================================================ This email was sent to: archive@jab.org EASY UNSUBSCRIBE click here: http://topica.com/u/?b1dhr0.b2EDp2 Or send an email to: [EMAIL PROTECTED] T O P I C A -- Register now to manage your mail! http://www.topica.com/partner/tag02/register ==^================================================================
