Debates rage over how complex a password should be, but today some are questioning whether passwords themselves are obsolete. Security consultants tell us that the longer and more complex a password is, the harder it is to compromise. That may well hold against an attacker guessing by hand, but against purpose-built cracking hardware, keyboard-typed passwords may be insufficient.
There are two considerations here that need to be addressed. The first, of course, is the password a user creates for personal websites and files. Such passwords are usually chosen to be memorable and are often reused across multiple sites. There are myriad articles explaining password-cracking techniques, yet far too often users simply pick the easiest key combinations they can remember. Worse, people sometimes use those same combinations for sites that hold sensitive data, such as banks or healthcare organizations.
Today’s prevailing wisdom is to create a password that combines upper- and lower-case letters with numbers and special characters, such as ^, ?, <, or }. The challenge, however, is that some websites and applications cannot handle special characters, which significantly reduces the potential complexity of the passwords. Additionally, extended characters entered with ALT codes (such as the British pound symbol £, produced by holding down the ALT key and typing 0163) are also rejected by many password applications.
The second consideration is how companies protect the user logins and passwords they store. Many of today’s sophisticated password applications can accept far more complex password combinations. Rather than storing the password itself, an algorithm called a hash function is applied to it, producing a “digest” that stands in for the stored password. A database of such digests is a valuable commodity to an attacker who obtains it. The more computationally expensive the hash function, the longer and more difficult it is to recover the original passwords from those digests.
To demonstrate the weaknesses in existing data security techniques, Jeremi Gosney, founder and CEO of Seattle-based Stricture Consulting Group, built and demonstrated a system designed to brute-force any eight-character password typed on a standard US-style keyboard, using any key combination, in less than six hours. Gosney demonstrated the system’s capabilities at the Passwords^12 Security Conference in Oslo in December.
Built on a custom design created by Amnon Barak and Amnon Shiloh at Hebrew University, the system is a cluster of 25 graphics processors running Virtual OpenCL. This approach, Gosney tells Internet Evolution, makes the system relatively inexpensive to build and to optimize for the task at hand. It is not a commercial computer; it is a purpose-built system designed to crack passwords as quickly as possible.
Gosney says popular Windows password hashes, such as Microsoft’s NT LAN Manager (NTLM), can be cracked much more quickly than slower schemes such as sha512crypt, which is supported by Linux distributions. The idea here is not to pick on one vendor or another, he says, but rather to encourage all of them to support password storage that is more difficult to breach.
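To make the numbers behind the eight-character claim and the NTLM-versus-sha512crypt comparison concrete, here is an added example that is not part of the original article or of Gosney’s work. It assumes a US keyboard yields the 95 printable ASCII characters, and it uses a single SHA-1 pass and PBKDF2-HMAC-SHA512 from the standard library as stand-ins for a fast unsalted hash and a slow iterated one (not the hashes Gosney benchmarked). It computes the keyspace, the guess rate needed to exhaust it in six hours, and how many times more expensive each guess becomes under the slow scheme on the machine it runs on:

```python
import hashlib
import os
import time

# Constructed assumptions for this example: a standard US keyboard yields the 95
# printable ASCII characters (codes 32 to 126); the hash functions below are
# stand-ins chosen from the standard library, not the hashes Gosney benchmarked.
PRINTABLE_US_KEYBOARD = 95
SIX_HOURS = 6 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """Candidates of length 1..max_length, which is what an exhaustive search covers."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def rate_to_exhaust(space: int, seconds: float) -> float:
    """Guesses per second required to try every candidate within `seconds`."""
    return space / seconds


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second


def fast_hash(password: bytes) -> bytes:
    """One pass of an unsalted, uniterated hash: the cost profile of NTLM-style storage."""
    return hashlib.sha1(password).digest()


def slow_hash(password: bytes, salt: bytes, rounds: int = 50_000) -> bytes:
    """Salted, iterated key derivation: the cost profile of sha512crypt-style storage."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, rounds)


def seconds_per_guess(fn, samples: int) -> float:
    """Average wall-clock cost of one guess with `fn`, measured over `samples` calls."""
    start = time.perf_counter()
    for i in range(samples):
        fn(b"guess%d" % i)
    return (time.perf_counter() - start) / samples


def slowdown_factor() -> float:
    """How many times more expensive one guess is under slow_hash than under fast_hash."""
    salt = os.urandom(16)
    fast = seconds_per_guess(fast_hash, samples=2000)
    slow = seconds_per_guess(lambda pw: slow_hash(pw, salt), samples=10)
    return slow / fast


if __name__ == "__main__":
    space = keyspace(PRINTABLE_US_KEYBOARD, 8)
    print(f"8-character keyspace: {space:,}")
    print(f"rate needed to finish in 6 h: {rate_to_exhaust(space, SIX_HOURS):,.0f} guesses/s")
    print(f"a 9th character multiplies the work by {PRINTABLE_US_KEYBOARD}")
    factor = slowdown_factor()
    print(f"one slow-hash guess costs {factor:,.0f}x a fast-hash guess on this machine")
    rate = 3.5e11  # illustrative fast-hash guess rate, constructed for this example
    print(f"at {rate:.1e} fast-hash guesses/s: {seconds_to_exhaust(space, rate) / 3600:.1f} h")
    years = seconds_to_exhaust(space, rate / factor) / (3600 * 24 * 365)
    print(f"same hardware against the slow hash: about {years:,.0f} years")
```

The keyspace alone explains the six-hour figure: 95^8 is roughly 6.6 quadrillion candidates, so finishing inside six hours means sustaining about 3 x 10^11 guesses per second, a rate only reachable against a hash that costs one cheap operation per guess. The measured slowdown factor is the lever defenders control: an iterated, salted scheme multiplies the attacker’s time by that factor while adding only milliseconds to a legitimate login.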
There are valid business reasons to be able to crack passwords, Gosney says. A corporation with a system that can analyze millions of passwords quickly can audit its own users’ passwords, identifying those that are easy to breach (such as 123456). Once an organization identifies easy-to-breach passwords, it can contact those users and direct them to choose more complex ones, which makes it harder for a less sophisticated attacker to guess the logins to a corporate system.
Also, Gosney notes, users tend to reuse passwords across multiple sites. A user with a weak password probably uses that same password elsewhere. Identifying weak passwords should be part of every company’s security plan.
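The audit Gosney describes, as an added example that is not part of the original article or of any product it mentions: a small, constructed credential table (PBKDF2-HMAC-SHA256 with a per-user salt, standing in for whatever format a real organization uses) is checked against a short, constructed list of common passwords, and every account whose digest matches an entry is reported so the user can be asked to change it. The round count is kept deliberately low so the demo runs in a fraction of a second.

```python
import hashlib
import hmac
import os

# Constructed for this example: a tiny "common passwords" list and a PBKDF2-SHA256
# credential store standing in for a real organization's format.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "111111", "123456789"]
ROUNDS = 20_000  # kept low so the demo is quick; production deployments use more


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted, iterated digest of one password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def build_store(accounts: dict) -> dict:
    """Simulate an organization's credential table: user -> (salt, digest)."""
    store = {}
    for user, password in accounts.items():
        # A fresh salt per user, so two users with the same password get different digests.
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def audit_store(store: dict, wordlist) -> dict:
    """Return {user: weak_password} for each account whose digest matches a wordlist entry.

    Every candidate has to be re-hashed under each user's own salt: the salt is what
    prevents hashing the wordlist once and comparing the result against every account.
    """
    flagged = {}
    for user, (salt, digest) in store.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                flagged[user] = candidate
                break
    return flagged


def users_to_contact(store: dict, wordlist) -> list:
    """Sorted list of account names that should be told to pick a stronger password."""
    return sorted(audit_store(store, wordlist))


if __name__ == "__main__":
    # Constructed sample accounts; only alice and carol use a wordlist password.
    accounts = {
        "alice": "123456",
        "bob": "correct horse battery staple",
        "carol": "qwerty",
        "dave": "Xk7#pL2!vQ9z",
    }
    store = build_store(accounts)
    for user, weak in audit_store(store, COMMON_PASSWORDS).items():
        print(f"{user}: weak password found in common list ({weak!r})")
    print("notify:", users_to_contact(store, COMMON_PASSWORDS))
```

Because the matching is case-sensitive and exact, the audit finds only what the wordlist contains; a real run would use a far larger list and the organization’s own hashing parameters. Note also that per-user salts mean the reuse problem from the previous paragraph cannot be spotted by comparing digests across accounts; it only becomes visible once a weak password has been identified this way.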
You can find details of Gosney’s presentation and a technical explanation of the system here.
— Stephen Lawton is a longtime technology journalist and industry pundit.
I find myself doing the same thing a lot lately. Either I have way too many accounts that I have to keep track of at this point, or I'm just getting old. I have since resorted to listing down passwords (which have grave consequences when I forget them) on my smartphone and save that file with a password as well. At least I just have to remember one. I know the risks involved, but it's just too hard to remember all of them at any given time!
Keeping track of passwords is a real pain, Sharon. I've tested some of the password apps -- Dashlane and LastPass -- and find that these are pretty good, if you go in and tweak the default settings a bit. I'd never remember the passwords these apps generate (I've set the default to 12 characters, although I'm thinking an odd number might be better) but even still, if for some reason the app crashes or the company goes out of business, I'm up the creek without a paddle unless I back up all of the unencrypted passwords. And if I do that, I just defeated the whole purpose of having encrypted passwords.
is, "Don't use a password you've used X times before, or in the previous X months." So I have to keep coming up with new ones, which are then harder to remember for next time, which means that, more than likely, I'll have to generate *another* new password for that site the next time I use it, which may be a month or more in the future.
I'm really trying to avoid the passwords-on-a-sticky situation, but it's getting harder and harder.
I hope that was not the one hanging on the monitor or stuck under the keyboard (as if that makes it more hidden). Picture passwords will hopefully help, unless they take a picture of the picture password and stick it to the side of the computer.
I just found out the password for something (not mine) which is supposed to be secure. You could guess it in about three tries. Passwords are increasingly about going through the motions.
Oh no, not going there, @magneticnorth. I have always had a thing about eyes! In fact, for about eight years I wanted to be a vet -- until I watched a documentary where a vet performed surgery on an alligator's eye. That did it. I knew I couldn't touch an animal's eye. So I guess I'll have to keep taking my vitamins or writing coded notes in order to try to recall old-fashioned passwords!!
I certainly find the frequency with which I am having to request a password re-set increasing.
Which is why I think, on a personal level at least, that the most important thing to secure is your email—the one you use for accounts. In that case, is it best to use one email address for correspondence and several different ones for online accounts? That might help spread the risk, though it'll be hell to manage so many mailboxes. Not that I don't already have more than 10 myself.