OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[ISN] Most play poorly at the password game

From: InfoSec News (alertsinfosecnews.org)
Date: Tue Dec 12 2006 - 00:37:18 CST

http://seattlepi.nwsource.com/business/295495_password11ww.html

By CINDY SUTTER
SCRIPPS HOWARD NEWS SERVICE
December 11, 2006

YRUdoingthis2me?!

It's a tempting way to respond to the zillionth prompt to change your
password or enter a new one.

Call it password fatigue. A recent survey of business professionals by
security consulting firm RSA Security Inc. found that more than a third
of those surveyed managed six to 15 passwords at work.

Yet security can be surprisingly lax. Colorado venture capitalist Brad
Feld recently wrote a blog entry entitled "What is the Password that
Everyone Knows?"

"Almost everyone has one," he says.

A 2001 British survey of 1,200 office workers found that passwords were
a sort of psychological test for workers. Nearly half of the workers
fell into the family group, using their own name, nickname or the names
of partners, children or pets. A third used the celebrity names, while
11 percent used words they apparently believed described themselves,
such as "sexy," "stud," or "goddess."

Despite more stringent workplace requirements, password sophistication
has not increased much, says John Black, assistant professor of Computer
Science at the University of Colorado.

"Historically, people used guessable things like the name of a pet,
their own name or things that are familiar like their birthday," he
says. "(Now) they're picking a little better. However, (passwords) still
remain one of the weakest aspects of computer security. They'll put two
words together, add an exclamation point, add a digit. A lot of programs
force you to do that ... They'll still do something like johnblack1!
That's not that much harder to guess than the original would be."

Still, the best password -- a totally random combination of numbers,
letters in different cases and punctuation -- is extremely difficult to
remember, especially if it must be changed frequently. And it doesn't
allow the user to amuse himself with a comment on life, work or a
reminder of a loved one.

One Boulder resident, now retired, recalls that both he and his wife
used unusual vegetables combined with personally significant numbers to
make a satisfying computer entree.

"I was very fond of rutabaga and kumquat," he says. "The other ones we
used were both root vegetables paired in soups, parsnip and turnip."

Another Boulder resident developed his password technique after he broke
his wrist rollerblading.

"(I) started using passwords I could type with one hand," he writes.
"Ever since, I still do that, and it's a fine timesaver."

A personal favorite, now retired: ytrytr5.

Another local sometimes uses the geometric pattern of numbers on the
phone touchpad. A triangle might be tri103, for example.

Others may use passwords with fictional character names or try to
satisfy the requirement for numbers by substituting a 3 for an e or a 0
for an o. A James Brown password riff might be If33lg00d, for example.

Brown explains that computer hackers have factored in many such
strategies.

"These days hackers have massive dictionaries, all English words and
common names. They will include popular fictional characters as well,"
he says. "The programs not only try all these passwords, they try
putting a little punctuation around it."

They also try all the common letter-number substitutions, he says.

A better approach for an easy-to-remember password is to take the first
letter from each word in an unfamiliar, but memorable, phrase.

He suggests something such as: Sewage workers don't bite their
fingernails! Or swdbtf!

Some experts suggest using a phrase with numbers, spaces and
punctuation, throwing in spelling errors such as At 3 Greta iz at socer!

It's also key to manage passwords according to security needs. Feld
suggests a two-tiered system.

"Most people have a general password for stuff they don't care that much
about, e.g. Web site logins for newspapers, magazines, other content,"
he says. "Then they have a more secure one for the important stuff."

However, Feld points out, that leads to its own set of problems.

"It's hard to remember the more secure one, especially if you have
multiple ones, so they end up written down, stored in a word processing
document on your computer or in your e-mail, fundamentally defeating the
whole notion of security."

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn