Voluntary Disclosure Is the Threat to Password Security

Computers can remember complex bits of data effortlessly, but people routinely fumble that task. Naturally, one of the big trends in computing security is making users memorize complex passwords -- then regularly wipe those from their memory in favor of equally obscure replacements.

To judge from the stern advice handed out by banks, Internet providers and information technology departments -- often, I suspect, after prodding by accounting departments and liability lawyers who don't want to be blamed for a security breach -- computer security hinges almost entirely on you choosing a string of letters, numbers and symbols in an order that has no correlation to any word or phrase that has ever been spoken or written in English or any other language.

That's fiction. First, while avoiding obvious passwords still constitutes a common-sense defense, that won't stop most password theft attempts these days. Second, forcing people to choose the most obscure passwords possible, then choose new ones every few months, is more likely to grease the skids for a successful compromise of those users' accounts.

This is because passwords aren't stolen in ways you might expect; a bad guy doesn't sit down in front of your computer and start typing in guess after guess until he succeeds. In the real world, accounts are usually cracked in two ways -- only one of which can be slowed or stopped by the use of a sufficiently inscrutable password.

One is to get access to the computer that stores users' login info. If the master password file stored on that machine is encrypted -- it should be, but sometimes is not -- the attacker then runs a password-cracking program to break that encoding. Otherwise, he or she can read the file as-is.

The other method relies on someone surrendering a password voluntarily. For example, an attacker can hide a program on a victim's computer to record each tap of the keyboard -- often by exploiting an old, long-since-patched vulnerability in Windows or by hiding the "keystroke logger" in a tempting download.

Or the attacker can just ask nicely for the password -- what's called "social engineering." The victims can be technical staff at a bank or an Internet provider who get a call from somebody claiming to be a colleague elsewhere in the company. Or the victims can be individual users who receive "phishing" e-mails imploring them to verify their account information by clicking on a link to a phony Web site done up to appear like that of a trusted institution.

The quality of a password matters only against the first type of attack -- the brute-force, code-breaking assault, which will hit pay dirt more quickly if stored passwords appear in dictionaries.

That's why security experts tell password creators to avoid using real words or names, even when altered by substituting letters with similar-looking numbers or symbols (for example, replacing "i" with "!" or "1"). One common suggestion is to use words only as ingredients -- say, by combining the first letters of names of friends or titles of favorite books.

But if an attacker employs keystroke logging or social engineering, it doesn't matter whether your password is "password" or "92nkkcx-j1!" Even the most inscrutable login offers no defense against those tactics -- which are what most attackers seem to employ these days.
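The dictionary screening that this advice implies, as an added example (not from the original column): a creation-time check that undoes look-alike substitutions and strips padding digits and symbols before consulting a wordlist. `WORDLIST`, `LOOKALIKES` and the function names are assumptions made for illustration, and the check addresses only the cracking path, not keystroke logging or social engineering.

```python
import itertools

# Constructed sample; a real deployment would load a large dictionary or
# breached-password list instead of this handful of words.
WORDLIST = {"password", "sunshine", "dragon", "michael", "winter", "liverpool"}

# Look-alike substitutions of the kind the column mentions ("i" -> "!" or "1").
# A symbol can stand for more than one letter, so each maps to all of them.
LOOKALIKES = {
    "!": "il", "1": "il", "0": "o", "3": "e", "4": "a", "@": "a",
    "5": "s", "$": "s", "7": "t", "+": "t",
}

PADDING = "0123456789!@#$%^&*()-_=+.?"


def candidate_words(text, limit=4096):
    """Return an iterator over readings of `text` with look-alikes undone."""
    # Every position may be the literal character or any letter it imitates.
    options = [LOOKALIKES.get(ch, "") + ch for ch in text.lower()]
    readings = ("".join(combo) for combo in itertools.product(*options))
    # Cap the expansion so a long run of ambiguous symbols cannot blow up.
    return itertools.islice(readings, limit)


def weak_reason(password):
    """Return why a dictionary attack finds `password` quickly, else None."""
    raw = password.lower()
    stripped = raw.strip(PADDING)  # drop digits/symbols added at either end
    for form in dict.fromkeys((raw, stripped)):  # de-duplicate, keep order
        for reading in candidate_words(form):
            if reading in WORDLIST:
                how = "as typed" if reading == raw else "after undoing substitutions/padding"
                return f"dictionary word '{reading}' ({how})"
    return None


if __name__ == "__main__":
    for pw in ("password", "w!nter", "m!chae1", "Dragon2024!", "92nkkcx-j1!"):
        print(f"{pw!r:16} -> {weak_reason(pw) or 'not in the sample wordlist'}")
```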

"If you go back 10 years ago, password cracking was the way to do things," said Marty Lindner, a senior member of the technical staff at the CERT Coordination Center, the network-security center founded at Carnegie Mellon University in 1988. Now, however, he said that phishing and other social engineering attacks are "far more prevalent, far more devastating than anything else."

Granted, getting actual numbers on how people's accounts were broken into is difficult -- few institutions want to discuss how some teenage hacker managed to own them. But there's no arguing that phishing and spyware attacks are only getting worse, and understandably so; why should an Internet con artist waste time mastering password-cracking routines when there are smoother roads into the bank vault?

And yet too many companies seem content to rely on password Puritanism as their response. Sometimes it's just silly -- for example, when some newspaper sites force readers to choose passwords with at least one number.

But more often, it's self-defeating. When users are pushed to remember too-obscure passwords, they'll start writing them down on Post-It notes stuck to a monitor or (worse yet) start reusing passwords among multiple high-value accounts. Worst of all is the policy of some companies and financial institutions to require users to change passwords every 30 or 90 days.

Not only do those periods still offer more than enough time for a minimally competent hacker to swipe an account login, the regular changing of passwords can easily soften up people for social engineering attacks.

Think of what happens every time a user must change a password -- or inevitably forgets the login of the month or the quarter: They'll have to go to a Web page or call up a help desk to get the password reset. That interaction represents a regularly scheduled opportunity for an attacker to try to step in and impersonate either party.

A few weeks ago, confronted by an obscure Web-mail login subject to one of these inane password-expiration rules, I called the support number listed on that site to have my password reset. (No, I won't name the firm involved.) I expected to have the new login e-mailed to me -- but instead the helpful fellow on the other end of the line just read it to me over the phone, making no attempt to verify my identity.

If I'd been interested in stealing access to somebody else's account, I could have had a lot of fun. Instead, I could only wonder why we keep wasting our time with these illusory measures.

There are real problems with network security these days. But treating customers as if they were reprogrammable robots won't solve any of them.

By Rob Pegoraro.
