chicagotribune.com
January 19, 2003
Way too many passwords, not enough protection
By Stevenson Swanson
Tribune national correspondent
Published January 19, 2003

NEW YORK -- The online bank account. The e-mail inbox. The frequent-flier account. The Internet retailer who sells those hard-to-find exercise tapes.

All of these Web sites--and thousands more--require passwords.

And that's in addition to all the other user names, codes and personal identification numbers people need to log on to computers at work, withdraw cash from an automated teller machine, check their voice mail and disarm a home security system.

With concerns about security on the Internet and on workplace computer networks reaching new heights, passwords are proliferating to the point that they threaten to overwhelm the original computer--the human brain.

In response, computer security experts are looking for new ways, including such techniques as cheap fingerprint or retina scans, for people to prove that they are who they say they are in the chaotic computerized universe.

Password overload

When it comes to passwords, "there are too many of them, and it's too hard for the average person to remember them," said Matt Bishop, a computer science professor at the University of California-Davis.

Avi Rubin, a computer security expert at Johns Hopkins University, recently counted all the access codes he has to remember, including those for his computer, for two garage doors and for the nanny to get into the house. He came up with 53.

Michael Walters, information technology manager for the New York office of Perkins and Will, a Chicago architectural firm, even has to recall discarded passwords as part of his job overseeing the office's computer network.

"I have to remember passwords even going back to before I came to work here," said Walters, who needs the old access codes in emergency situations when data has to be recovered.

But a recent identity-theft case on Long Island illustrates why passwords and other computer safeguards have become more important than ever. In what federal prosecutors call the largest identity-theft case on record, three people in New York were accused in November of stealing the passwords and other personal information of more than 30,000 people, resulting in losses of at least $2.7 million.

And that was just one gang of digital ne'er-do-wells. In 2001, the Federal Trade Commission received 86,000 complaints from victims of identity theft.

"Nobody knows you're a dog on the Internet," said cyber-security expert Jerry Brady, referring to a popular New Yorker magazine cartoon that shows a computer-savvy canine surfing the Web. "But nobody knows you're an identity thief either. There are a lot of nasty people out there."

And a lot of obvious passwords.

In one study by AT&T Labs, the most popular password was "mother," said Rubin, the technical director of Johns Hopkins' Information Security Institute.

Brady, the chief technology officer for Guardent, a Waltham, Mass.-based information security services provider, frequently can guess the passwords of 1 in 3 people when he demonstrates a computer network's vulnerability to a client.

Guessing is easy

"All you need is to know a bit about a person--his wife's name, pet's name, car's name," said Brady, who noted that much personal information is readily available on the Internet and in public records. "And knowing what a person cares most about--his wife, his pet or his car--you can guess."

Apart from taping a password to their computer, one of the most common mistakes people make with their digital combinations is to use a word, which most people find easier to remember than a number. Such codes are vulnerable to "dictionary attacks," a hacking tactic using a program that methodically tries thousands of words.

Another frequent error is to log on to password-protected sites at Internet cafes or hotel business centers. Such computers frequently are contaminated with programs called "keyboard sniffers," which record the order in which keys are pressed and then send surreptitious e-mails of the sequences to a waiting identity thief.

Personal identification numbers for ATM cards and calling cards are susceptible to "shoulder surfing" by sharp-eyed swindlers who watch as the unsuspecting tap in their codes on the machine's keyboard.

Considering the resourcefulness of the thieves, the odds may seem heavily stacked against ordinary computer users, but security experts have some suggestions for devising passwords that are tough to crack, and ways to keep from being swamped by dozens of access codes.

Instead of using a word, Rubin suggests taking the first letters of an easily remembered phrase and then adding some numbers or, better yet, punctuation marks and capital letters. That results in a password too complex to be broken easily.

Still, because many hackers work methodically over long periods, it is becoming increasingly important to change passwords regularly, experts say.

For some large financial institutions, that means a new password every minute. Employees carry a "token," a small plastic device that displays a new number every 60 seconds based on the time and a complicated formula.

Using the same formula, the network computer changes its access code every minute. To make sure that not just anybody can sign on, users must enter a short personal code in addition to the password of the minute.
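The token scheme described above, modelled as an added example (not code from the article or from any bank or token vendor): the "complicated formula" is assumed here to be an HMAC over a counter of 60-second intervals, the shared secret and the personal code are constructed values, and the server tolerates one interval of clock drift either way.

```python
import hmac
import hashlib
import struct

# Constructed shared secret; a real token keeps a unique one inside the device.
SECRET = b"example-token-seed-not-real"
STEP_SECONDS = 60        # the article's "new number every 60 seconds"
DIGITS = 6               # length of the displayed number
PIN = "4711"             # constructed "short personal code" (assumption)


def token_code(secret: bytes, unix_time: int,
               step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Number shown for the interval containing unix_time.

    Both the token and the network computer run this with the same secret,
    so they agree on the number without ever transmitting the secret.
    """
    counter = unix_time // step                      # which 60-second slot
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # pick 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_login(secret: bytes, pin: str, submitted_pin: str,
                 submitted_code: str, server_time: int,
                 drift_steps: int = 1) -> bool:
    """Server side: the personal code AND the number of the minute must match.

    A stolen token alone fails on the PIN; a guessed PIN alone fails on the
    code, which changes every interval. Comparisons are constant-time.
    """
    if not hmac.compare_digest(pin, submitted_pin):
        return False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = token_code(secret, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False
```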

But such lengths are beyond the average user.

Toby Weiss, a senior vice president at Computer Associates, a provider of computer security software, recommends switching access codes once a month. Other authorities say every two or three months is sufficient.

To keep the number of passwords more manageable, the University of California's Bishop ranks the Web sites he uses on the need for high, medium or low security.

"If I go to a Web site where there's a book I want to find out about and I don't really understand why they want a password, I have a couple of canned passwords that I always use," he said.

On the horizon

Bishop thinks the number of passwords is approaching the saturation point, despite the efforts of Microsoft and the Liberty Alliance, a consortium of computer companies, to devise a single-password portal that would give users access to a variety of online shopping and banking sites.

"I don't think passwords are going to continue to be the main line of defense," Bishop said. "Passwords are intended to authenticate who you are, but there are other ways to do that."

With cheaper and more readily available scanning equipment, the wave of the future is likely biometrics, or security systems based on a person's voice, fingerprint or the pattern of blood vessels in the retina.

Even these next-generation solutions have weaknesses. A Japanese researcher hacked into a computer system that relies on fingerprint scans by fashioning a fingerprint out of gelatin.

"That would be the perfect crime," Weiss said. "After you're done, you eat the evidence."

Copyright © 2003, Chicago Tribune