Voluntary Disclosure Is the Threat to Password Security

Computers can remember complex bits of data effortlessly, but people routinely fumble that task. Naturally, one of the big trends in computing security is making users memorize complex passwords -- then regularly wipe those from their memory in favor of equally obscure replacements.

To judge from the stern advice handed out by banks, Internet providers and information technology departments -- often, I suspect, after prodding by accounting departments and liability lawyers who don't want to be blamed for a security breach -- computer security hinges almost entirely on you choosing a string of letters, numbers and symbols in an order that has no correlation to any word or phrase that has ever been spoken or written in English or any other language.

That's fiction. First, while avoiding obvious passwords still constitutes a common-sense defense, that won't stop most password theft attempts these days. Second, forcing people to choose the most obscure passwords possible, then choose new ones every few months, is more likely to grease the skids for a successful compromise of those users' accounts.

This is because passwords aren't stolen in ways you might expect; a bad guy doesn't sit down in front of your computer and start typing in guess after guess until he succeeds. In the real world, accounts are usually cracked in two ways -- only one of which can be slowed or stopped by the use of a sufficiently inscrutable password.

One is to get access to the computer that stores users' login info. If the master password file stored on that machine is encrypted -- it should be, but sometimes is not -- the attacker then runs a password-cracking program to break that encoding. Otherwise, he or she can read the file as-is.

The other method relies on someone surrendering a password voluntarily. For example, an attacker can hide a program on a victim's computer to record each tap of the keyboard -- often by exploiting an old, long-since-patched vulnerability in Windows or by hiding the "keystroke logger" in a tempting download.

Or the attacker can just ask nicely for the password -- what's called "social engineering." The victims can be technical staff at a bank or an Internet provider who get a call from somebody claiming to be a colleague elsewhere in the company. Or the victims can be individual users who receive "phishing" e-mails imploring them to verify their account information by clicking on a link to a phony Web site done up to appear like that of a trusted institution.

The quality of a password matters only against the first type of attack -- the brute-force, code-breaking assault, which will hit pay dirt more quickly if stored passwords appear in dictionaries.

That's why security experts tell password creators to avoid using real words or names, even when altered by substituting letters with similar-looking numbers or symbols (for example, replacing "i" with "!" or "1"). One common suggestion is to use words only as ingredients -- say, by combining the first letters of names of friends or titles of favorite books.

But if an attacker employs keystroke logging or social engineering, it doesn't matter whether your password is "password" or "92nkkcx-j1!". Even the most inscrutable login offers no defense against those tactics -- which are what most attackers seem to employ these days.
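One check a site can run before accepting a new password, added here as an illustration and not code from the column: it undoes the look-alike substitutions the column describes (its "i" to "!" or "1" example included) and rejects anything that collapses to a dictionary word, which is exactly what a cracking wordlist would catch. The substitution table and the wordlist are constructed for the example, not taken from any real cracker.

```python
import itertools

# Look-alike substitutions that cracking wordlists undo; "1" and "!" for "i"
# are the column's own example.  Constructed table, not exhaustive.
LEET = {
    "!": "il", "1": "il", "|": "il", "@": "a", "4": "a", "3": "e",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "8": "b", "9": "g",
}

# Small constructed wordlist standing in for a real cracking dictionary.
DICTIONARY = {"password", "linux", "secret", "letmein", "welcome", "dragon"}


def candidate_words(password, limit=4096):
    """Yield every plain-letter string the password may be a disguise of.

    Each substituted character expands to the letters it can stand for; the
    cartesian product of those choices is what a cracker's mangling rules
    would reach.  `limit` bounds the expansion for very long inputs.
    """
    choices = [LEET.get(ch, ch) for ch in password.lower()]
    for combo in itertools.islice(itertools.product(*choices), limit):
        yield "".join(combo)


def dictionary_base(password):
    """Return the dictionary word the password collapses to, or None."""
    # Drop the digits and symbols people append ("linux123!") first.
    core = password.rstrip("0123456789!@#$%^&*")
    for word in candidate_words(core):
        if word in DICTIONARY:
            return word
    return None


def is_acceptable(password, min_len=10):
    """Policy decision: long enough and not a mangled dictionary word."""
    return len(password) >= min_len and dictionary_base(password) is None
```

The check only addresses the first kind of attack the column describes; a password that passes it is still surrendered just as easily to a keystroke logger or a phone call.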

"If you go back 10 years ago, password cracking was the way to do things," said Marty Lindner, a senior member of the technical staff at the CERT Coordination Center, the network-security center founded at Carnegie Mellon University in 1988. Now, however, he said that phishing and other social engineering attacks are "far more prevalent, far more devastating than anything else."

Granted, getting actual numbers on how people's accounts were broken into is difficult -- few institutions want to discuss how some teenage hacker managed to own them. But there's no arguing that phishing and spyware attacks are only getting worse, and understandably so; why should an Internet con artist waste time mastering password-cracking routines when there are smoother roads into the bank vault?

And yet too many companies seem content to rely on password Puritanism as their response. Sometimes it's just silly -- for example, when some newspaper sites force readers to choose passwords with at least one number.

But more often, it's self-defeating. When users are pushed to remember too-obscure passwords, they'll start writing them down on Post-It notes stuck to a monitor or (worse yet) start reusing passwords among multiple high-value accounts. Worst of all is the policy of some companies and financial institutions to require users to change passwords every 30 or 90 days.

Not only do those periods still offer more than enough time for a minimally competent hacker to swipe an account login, but the regular changing of passwords can easily soften up people for social engineering attacks.

Think of what happens every time a user must change a password -- or inevitably forgets the login of the month or the quarter: They'll have to go to a Web page or call up a help desk to get the password reset. That interaction represents a regularly scheduled opportunity for an attacker to try to step in and impersonate either party.

A few weeks ago, confronted by an obscure Web-mail login subject to one of these inane password-expiration rules, I called the support number listed on that site to have my password reset. (No, I won't name the firm involved.) I expected to have the new login e-mailed to me -- but instead the helpful fellow on the other end of the line just read it to me over the phone, making no attempt to verify my identity.

If I'd been interested in stealing access to somebody else's account, I could have had a lot of fun. Instead, I could only wonder why we keep wasting our time with these illusory measures.

There are real problems with network security these days. But treating customers as if they were reprogrammable robots won't solve any of them.

By Rob Pegoraro.
