The Problem with Passwords
These days, it seems like just about everything requires a password. Online banking, email, internet forums, newsgroups and even renting movies at some stores now require you to cough up a password in order to verify who you are. The problem is that there are just too many ways in which a password can be compromised. They can be guessed, cracked, and stolen using a variety of techniques. Additionally, once one password is defeated, the others can fall like a house of cards.
Common ways in which passwords are compromised:
- Shoulder surfing: This is done simply by watching over someone’s shoulder while they type. Not only can this attack be used to garner passwords, but it can also be used to read whatever is on your screen. This is admittedly a low-tech option, but it works. People at the highest risk for this type of attack are business travelers who often avail themselves of free wireless hotspots in cafes, in airports and on airplanes. Some companies have gone so far as to expressly prohibit employees from working on their computers on airplanes because of the risks associated with shoulder surfing.
- Poor password choices: Most passwords are too short and easily guessable, or they contain words that can be found in any dictionary. There are numerous tools available on the internet that can attack weak passwords either by brute force (attempting every combination of letters and numbers until a match is found) or by dictionary attack (these tools come with enormous lists of common passwords and dictionary words in various languages). A dictionary attack can run and obtain a password in a matter of seconds or minutes. A brute-force attack could take a couple of days, but it will eventually find the match.
- Password resets: As Sarah Palin found out during her campaign, a teenage boy armed only with personal information obtained from her Wikipedia entry (think mother's maiden name and date of birth) was able to reset the password to Gov. Palin's personal Yahoo Mail account. With a modicum of personal information about a target, guessing their password is unnecessary if it can simply be reset.
- Key logging software: The world of internet viruses has changed in recent years. Virus developers are no longer interested in infecting your machine, doing damage, and getting noticed. Instead, the focus is on stealth and avoiding detection. They want their program to hide on your system, watch for usernames and passwords, and surreptitiously send them back to the creator.
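To make the "poor password choices" point concrete, here is an added example (not code from the original post) of the kind of check a defender would run before accepting a password: it estimates the brute-force search space from the character classes used, and it catches dictionary words even when they are dressed up with capital letters, leet substitutions or a trailing "123". The word list and the guess rate of 10 million guesses per second are constructed assumptions for illustration; real tools ship lists with millions of entries and real cracking rigs run far faster.

```python
import math
import string

# Constructed sample word list; a real checker would load a large breach/dictionary list.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey", "sunshine"}

# Assumed guess rate for the brute-force estimate (an illustration value, not from the post).
GUESSES_PER_SECOND = 10_000_000

# Common "leet" substitutions that do not add real strength to a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def alphabet_size(password: str) -> int:
    """Size of the smallest character set containing every character in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def keyspace(password: str) -> int:
    """Number of candidates a brute-force search must cover: alphabet ** length."""
    size = alphabet_size(password)
    return size ** len(password) if size else 0


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace, the usual 'bits of strength' figure."""
    space = keyspace(password)
    return math.log2(space) if space else 0.0


def in_dictionary(password: str, words=COMMON_WORDS) -> bool:
    """True if the password is a listed word, allowing case changes, leet
    substitutions, and a trailing run of digits/symbols ("P@ssw0rd123")."""
    lowered = password.lower()
    candidates = {
        lowered,
        lowered.translate(LEET_MAP),
        lowered.rstrip(string.digits + string.punctuation).translate(LEET_MAP),
    }
    return any(c in words for c in candidates)


def brute_force_days(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Days to exhaust the whole keyspace at the assumed guess rate."""
    return keyspace(password) / rate / 86400


def assess(password: str) -> dict:
    """Summarise the checks; a dictionary hit is weak regardless of length."""
    bits = brute_force_bits(password)
    dictionary = in_dictionary(password)
    return {
        "bits": round(bits, 1),
        "dictionary": dictionary,
        "brute_force_days": round(brute_force_days(password), 2),
        "verdict": "weak" if dictionary or bits < 50 else "ok",
    }


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd123", "xK9#mQ2!vL7p"):
        print(pw, assess(pw))
```

Note that "P@ssw0rd123" scores a respectable 58 bits on the brute-force estimate yet is still a one-guess dictionary hit once the substitutions are undone, which is exactly why the dictionary check runs first and overrides the bit count.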
So are passwords broken? Passwords themselves still work for the majority of our daily security needs; however, we often do not put enough thought into making them. The problem lies in how we select them. We often choose passwords that are all too simple to guess or, if they are more complicated, we end up writing them down somewhere.
In the next post, I’ll outline a technique for choosing strong passwords that are easy to remember, yet difficult to crack. In the coming week, we’ll also review more advanced authentication options such as multi-factor authentication and biometrics.
Comments (3)
Well said, Ian. Some employers require their staff to change their passwords monthly, so I'll be looking forward to your next blog on choosing strong passwords that are easy to remember.
In the meantime, I just created an account (with a new password) to post this comment. Think you can crack it? :)
Some companies have such draconian password policies that they actually thwart their intended goals. Especially if the frequency is too high and the restrictions are too strict (ex: cannot reuse last 6 passwords, must be 8 characters, numbers and symbols, etc.). This effectively encourages user behaviour of reusing a password with just enough variance to comply with the rules, which effectively makes them weaker. (Ex: MyJanuaryPassword becomes MyFebruaryPassword.) Or, they'll simply write down their current password and stick it to their monitor so they don't forget (ack!).
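The MyJanuaryPassword / MyFebruaryPassword pattern the commenter describes is something a password-change handler can detect. The following is an added example (not code from the post or the commenter) of a history check that rejects a new password when it is a near-copy of a previous one: it compares edit distance, and it also compares the letters-only "stem" so that Winter2023! and Winter2024! are treated as the same password. The 0.6 similarity threshold and the sample history are constructed assumptions for illustration.

```python
import re

# Assumed threshold: reject when the new password shares 60% or more of its
# characters (by edit distance) with any earlier one. Tune for your own policy.
SIMILARITY_THRESHOLD = 0.6


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for strings with nothing in common."""
    longest = max(len(a), len(b))
    return 1.0 - levenshtein(a, b) / longest if longest else 1.0


def stem(password: str) -> str:
    """Letters only, lower-cased: 'Winter2024!' -> 'winter'."""
    return re.sub(r"[^a-z]", "", password.lower())


def too_similar(new_password: str, history: list, threshold: float = SIMILARITY_THRESHOLD):
    """Return the previous password the new one is too close to, or None.

    The history is compared in plaintext, which is only possible at change
    time when the user has just supplied their current password; stored
    history should be hashed, so in practice this check covers the current
    password and the new candidate, not the whole hashed list.
    """
    for old in history:
        if stem(new_password) and stem(new_password) == stem(old):
            return old
        if similarity(new_password, old) >= threshold:
            return old
    return None


if __name__ == "__main__":
    # Constructed history for the demonstration.
    previous = ["MyFebruaryPassword", "Winter2023!"]
    for candidate in ("MyJanuaryPassword", "Winter2024!", "xK9#mQ2!vL7p"):
        clash = too_similar(candidate, previous)
        print(candidate, "-> rejected (too close to %r)" % clash if clash else "-> accepted")
```

The stem comparison is what catches the month-rotation trick, and it is deliberately stricter than the edit-distance test; a policy that only checked "not identical to the last 6" would accept every one of the rejected candidates above.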