[iwar] [fc:Predictable.Passwords.Simplify.a.Hacker's.Task]

From: Fred Cohen (fc@all.net)
Date: 2002-01-02 07:09:19


From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Wed, 2 Jan 2002 07:09:19 -0800 (PST)
Subject: [iwar] [fc:Predictable.Passwords.Simplify.a.Hacker's.Task]
Message-Id: <200201021509.g02F9JP16844@red.all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com

Predictable Passwords Simplify a Hacker's Task
Jennifer 8. Lee, New York Times, 1/2/2002
http://www.iht.com/articles/43366.htm

Computer passwords are supposed to be personal, disposable and discreet.
But people become sentimentally attached to them or leave them taped
underneath their keyboards or on their monitors, to the dismay of
computer-security professionals worldwide.

Even those who are vigilant about guarding passwords may be giving away
more than they think. The problem is that computer passwords have
evolved into the personality test of a networked society, as millions of
people try to sum up their essence through a few taps on the keyboard.
As psychologists know, people and personalities are often very
predictable in the aggregate, and thus so are passwords - a reality that
malevolent computer hackers often take advantage of.

"When you are thinking of something neutral to use as a password,
whatever your obsession is will pop into your head," said Helen Petrie,
a professor of human computer interaction at City University in London.
"It's the new version of the inkblot or word-association test."

Psychologists say that people can store only five to nine random bits of
information in their short-term memory. Users therefore often choose
passwords with a personal meaning that they can associate with something
in their long-term memory. A recent survey of 1,200 employees of British
companies by CentralNic, a London-based domain-registration company,
showed that half of them used passwords related to family - passwords
based on names, nicknames or birthdays of partners, children or pets.

"God," "sex" and "money" are among the most popular passwords for those
unschooled in computer security. At Bargaindog.com, a shopping site with
more than 20 million users that is popular with middle-aged women, the
leading password was "love."

Younger users tend to use self-laudatory terms. At a popular Web site
that had 2.5 million registered users with an average age of 25, popular
passwords were "stud," "goddess," "cutiepie" and "hotbod."

"There were so many 'studs,' it wasn't even funny," said Andrew
Prihodko, a former technologist for the site, which he requested not be
identified. He said that male users tend to use words related to
masculinity or profanity. The CentralNic survey found that about 10
percent of users fall into this category, which it calls "fantasist."

"Even though passwords are supposed to be absolutely secret, it's almost
as if people are trying to show off with their passwords," said Ms.
Petrie of City University.

Spy or security-related terms like "secret" and "password" are quite
popular as well.

Even though the soaring number of Web sites, computer applications and
financial services has increased demand for new passwords, most people
tend to use the same ones over and over. A typical user might have to
enter a password for 10 to 100 different uses, said Rachna Dhamija, a
graduate student of information management and systems at the University
of California at Berkeley who has researched passwords.

This tendency to reuse passwords could be easily exploited, said Mr.
Prihodko, who is starting a security company called Cambridge Network
Security.

As part of a security assessment for organizations, Mr. Prihodko
designed a test in which employees are sent an e-mail message asking
them to log on to a sweepstakes site with a password. People
overwhelmingly picked passwords that they also used for more sensitive
matters like corporate e-mail. The point, he said, is that companies
should encourage their employees to keep their work passwords and
personal passwords separate.

Even high-ranking executives may act on naive impulses when it comes to
choosing a password. Edward Skoudis, vice president for security
strategy at Predictive Systems in Manhattan, recounted how the user
account of the top executive at a large Japanese financial institution
was cracked open during a security assessment. The automatic password
scanner found that his password was a woman's name.

Sometimes passwords can be cracked by security consultants with what is
known as a "brute force" program, which may try every possible six- or
seven-character combination. But given that what emerges from the human
mind is seldom truly random, the more efficient computer programs
systematically use extended dictionaries.

At a million password attempts per second, the password scanners used by
security companies can be very efficient. In the typical corporation
with 10,000 employees using Microsoft Windows, 20 percent to 50 percent
of the Windows passwords could be determined in the first 20 minutes
with an extended word-list attack, and 90 percent on the first day by
adding a brute-force attack, said Chris Wysopal, director of research
and development for @stake, a security company based in Cambridge,
Massachusetts, that produces a Windows password-auditing tool called
LC3.
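As an added illustration (not part of the article or of this list post), a proactive password check in the spirit of the word-list-then-brute-force reasoning above: it rejects passwords that cheap word-list mangling would reach, flags the change-date style of password described later in the article, and works out how long the million-guesses-per-second rate quoted above needs to exhaust a short keyspace. The word-list, the mangling rules and the sample passwords are constructed stand-ins, not anything from the article or from LC3.

```python
import re
import string
from typing import Optional

# Constructed stand-in for the "extended dictionaries" the article mentions;
# a deployed check would load a large word-list from disk instead.
WORDLIST = ["password", "secret", "love", "god", "sex", "money",
            "stud", "goddess", "cutiepie", "hotbod"]

GUESSES_PER_SECOND = 1_000_000  # rate quoted in the article


def candidates(word: str):
    """Yield the cheap variations a word-list attack tries first:
    case changes, o->0 / e->3 substitution, and one or two appended digits."""
    base = {word.lower(), word.capitalize(), word.upper()}
    base |= {w.replace("o", "0").replace("e", "3") for w in list(base)}
    for w in base:
        yield w
        for n in range(100):
            yield w + str(n)       # love7, love42
            yield w + f"{n:02d}"   # love07


def is_predictable(password: str) -> Optional[str]:
    """Return why a password would fall quickly to a scanner, or None."""
    for word in WORDLIST:
        if password in candidates(word):
            return f"variation of word-list entry '{word}'"
    # Pure digits or month-plus-digits look like the change-date variants
    # the article's administrator saw users adopt.
    if re.fullmatch(r"\d{4,8}", password) or re.fullmatch(r"[A-Za-z]{3}\d{2,4}", password):
        return "date-like pattern"
    # Anything this short over a small alphabet falls to exhaustive search
    # within hours at the quoted rate (see brute_force_seconds).
    if len(password) <= 7 and set(password) <= set(string.ascii_lowercase):
        return "short lowercase: exhaustive search finishes within hours"
    return None


def brute_force_seconds(length: int, alphabet_size: int,
                        rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every combination of the given length."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    for pw in ["Stud69", "L0v301", "Jan02", "qwerty", "Tr0ub4dor&3"]:
        print(f"{pw:12} -> {is_predictable(pw)}")
    # 26^7 lowercase: about 2.2 hours; 62^7 mixed-case plus digits: about 41 days
    print(brute_force_seconds(7, 26) / 3600, brute_force_seconds(7, 62) / 86400)
```

The contrast between the two brute_force_seconds figures is the article's point in numbers: the dictionary pass does the real damage, and only length and alphabet size push the exhaustive search out of a day's reach.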

Passwords, the "open sesame" of a computerized world, are thus the
sieves of computer security. Passwords are also the only authentication
of identity within a corporate network to which many people may have
access.

"When insiders go bad and want to steal information, a password attack
is a very common thing," Mr. Wysopal said.

Users often think that they have nothing in their accounts that a
malicious hacker would want to see. But hackers often look at breaking
into accounts as a means to an end. Ryo Furue, an assistant professor at
the Center for Climate System Research at the University of Tokyo, said
that a hacker used a password-dictionary cracker called Crack to run
rampant through the university's systems after starting from a
relatively innocuous account at the Educational Computer Center.

"A system is more fragile if you have an attacker inside it than if the
attack is from outside," Mr. Furue said.

Some organizations devote time to creating elaborate password policies -
the Defense Department's guidelines are 30 pages long. Some employers
require that passwords be frequently changed or that they include a
combination of letters, numbers and special characters.

But such stringent regulations often backfire. Faced with remembering
complex new passwords, some people change them back to what they were,
write them down although others might find them - or simply forget them.

A systems administrator at a company that made employees change
passwords every two weeks found that about 80 percent of the time, users
either taped their passwords underneath their keyboards or used a
variation on the date on which they were last required to change
passwords.

Since passwords are meant to be private, learning someone's password can
open a window into someone's thoughts. "When it's an opposite-sex name
that is not a spouse or their kids, you always wonder if you've learned
a little secret," Mr. Wysopal said.

At HipGuide, a New York multimedia company, employees must turn in their
passwords when they leave. Syl Tang, the chief executive, said she was
surprised by the passwords of a departing employee who seemed very
conservative. The employee's passwords were all obscenities.

"It is sort of odd," Ms. Tang said. "You wonder what is going on beneath
the surface."


------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:02 PST