The Telegraph
Sham shield

Make your password strong, with a unique jumble of letters, numbers and punctuation marks. Memorise it; never write it down. And, oh yes, change it every few months.

These instructions are supposed to protect us. But they don’t. Some computer security experts say onerous requirements for passwords have given us a false sense of protection. In fact, they say, we aren’t paying enough attention to more potent threats.

Here’s one threat to keep you awake at night: keylogging software, which is deposited on a PC by a virus, records every keystroke, including the strongest password you can concoct, and then sends the captured keystrokes surreptitiously to a remote location.

“Keeping a keylogger off your machine is a trillion times more important than the strength of any one of your passwords,” says Cormac Herley of Microsoft Research, who specialises in security-related topics. He said antivirus software could detect and block many kinds of keyloggers, but “there’s no guarantee it gets everything.”

Herley is critical not of users but of system administrators who aren’t paying enough attention to the inconvenience of making people comply with arcane rules. “It is not users who need to be better educated on the risks of various attacks, but the security community,” he said.

One might guess that heavily trafficked websites — especially those that provide access to users’ financial data — would have requirements for strong passwords. But it turns out that the password policies of many such sites are among the most relaxed. These sites don’t publicly discuss security breaches, but Herley said it “isn’t plausible” that they would use such policies if their users weren’t adequately protected from attacks by those who do not know the password.

Herley, working with Dinei Florencio, also at Microsoft Research, looked at the password policies of 75 sites. The ones that allowed relatively weak passwords were busy commercial destinations such as PayPal and Amazon.com. The sites that insisted on complex passwords were mostly government and university sites. What accounts for the difference? They suggest that “when the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.”

Donald A. Norman, a co-founder of the Nielsen Norman Group, a design consulting firm in Fremont, California, makes a similar case. He noted the password rules of Northwestern University: a list of 15 requirements. He said unreasonable rules can end up rendering a system less secure; users end up writing down passwords and storing them in places that can be readily discovered. “These requirements keep out the good guys without deterring the bad guys,” he said.

Northwestern has reduced its password requirements to eight, but they still constitute a challenging maze. For example, a password can’t have more than four sequential characters from the previous seven passwords, and a new password is required every 120 days. By contrast, Amazon has only one requirement: that it be at least six characters. That’s it. And hold on to it as long as you like.

A short password wouldn’t work well if an attacker could submit guesses to the site as fast as it would accept them and so try every possible combination in quick succession. But as Herley and Florencio note, commercial sites can block such “brute-force attacks” by locking an account after a given number of failed log-in attempts. “If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.” A lockout throttles only guesses submitted to the site’s log-in page; a keylogger, which captures the password as it is typed, is not slowed by it at all.
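The arithmetic behind that claim, and the lockout mechanism itself, as an added example that is not part of the article or of Herley and Florencio’s work. The policy numbers (three failures, 24-hour lock) come from the article; the attacker model (uniform guessing of a six-digit PIN, one guess per second, lockout as the only throttle, no CAPTCHA or IP limiting) and the simulated clock are my assumptions for the illustration.

```python
"""Added example (not from the article): how an account lockout bounds an
online attacker's guess rate, and hence how long a short secret survives.

Assumed attacker model (mine, not the researchers'): guesses a 6-digit PIN
uniformly without repeats, one attempt per second, and the lockout is the
only throttle the site applies.
"""

import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    failed_attempts: int   # consecutive failures allowed before the lock
    lockout_hours: float   # how long the account stays locked

    def guesses_per_year(self) -> float:
        # Each lock window yields `failed_attempts` evaluated guesses, then
        # the attacker waits out the lock. 365-day year, no leap handling.
        windows_per_year = 365.0 * 24.0 / self.lockout_hours
        return windows_per_year * self.failed_attempts


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets: 10**6 for a six-digit PIN."""
    return alphabet_size ** length


def years_to_exhaust(policy: LockoutPolicy, space: int) -> float:
    """Years needed to try every secret under the lockout policy."""
    return space / policy.guesses_per_year()


def success_probability(policy: LockoutPolicy, space: int, years: float) -> float:
    """Chance the attacker has hit a uniformly chosen secret after `years`."""
    guesses = min(policy.guesses_per_year() * years, space)
    return guesses / space


def unthrottled_exhaust_seconds(space: int, guesses_per_second: float) -> float:
    """The same keyspace with no lockout, for contrast (rate is an assumption)."""
    return space / guesses_per_second


class ThrottledLogin:
    """Minimal lockout enforcement: after `failed_attempts` consecutive
    failures the account rejects every attempt until the lock expires.
    `now` is a simulated clock in seconds so the example runs instantly."""

    def __init__(self, policy: LockoutPolicy, secret: str):
        self._policy = policy
        self._secret = secret
        self._failures = 0
        self._locked_until = 0.0

    def attempt(self, guess: str, now: float) -> str:
        if now < self._locked_until:
            return "locked"              # not evaluated against the secret
        if hmac.compare_digest(guess, self._secret):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= self._policy.failed_attempts:
            self._failures = 0
            self._locked_until = now + self._policy.lockout_hours * 3600.0
        return "fail"


def simulate_guessing(policy: LockoutPolicy, secret: str, seconds: int):
    """Attacker tries 000000, 000001, ... once per simulated second.
    Returns (guesses actually evaluated, whether the secret was found)."""
    login = ThrottledLogin(policy, secret)
    evaluated = 0
    for t in range(seconds):
        result = login.attempt(f"{evaluated:06d}", float(t))
        if result == "ok":
            return evaluated + 1, True
        if result == "fail":
            evaluated += 1
    return evaluated, False


if __name__ == "__main__":
    policy = LockoutPolicy(failed_attempts=3, lockout_hours=24)
    pin_space = keyspace(10, 6)
    print("guesses/year under lockout:", policy.guesses_per_year())
    print("years to exhaust 6-digit PIN:", round(years_to_exhaust(policy, pin_space), 1))
    print("P(success) after 100 years:", success_probability(policy, pin_space, 100))
    print("unthrottled at 10 guesses/s, days:", unthrottled_exhaust_seconds(pin_space, 10) / 86400)
    print("guesses evaluated in one simulated day:", simulate_guessing(policy, "999999", 86400))
```

Three failures per 24 hours is 1,095 evaluated guesses a year, so the full million-PIN space takes about 913 years to exhaust and a century of sustained guessing succeeds roughly 11 percent of the time. The simulation shows the same bound from the mechanism’s side: in a simulated day only three guesses are ever checked against the secret.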

Very short passwords, taken directly from the dictionary, would be permitted in a password system that Herley and Stuart Schechter at Microsoft Research developed with Michael Mitzenmacher at Harvard.

At a recent meeting in Washington, the three suggested that websites with tens or hundreds of millions of users could let users choose any password they liked, as long as only a tiny percentage selected the same one. That would render a list of the most often used passwords useless: by limiting a single password to, say, 100 users among 10 million, the odds of an attacker getting lucky on one attempt per account are astronomically long, Herley explained.

Herley said the proposed system hadn’t been tested and that users might become frustrated in trying to select a password that was no longer available. But he said he believed an anything-is-permitted password system would be welcomed by users.
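The popularity cap described above, as an added example that is neither the article’s nor the researchers’ own code. It keeps an approximate count of how many accounts use each password in a count-min sketch (my choice of data structure for this illustration) and refuses a password once the estimate reaches the cap; the cap of 100 users in 10 million comes from the article, while the sketch size, the per-row secret key and the sample passwords are constructed for the example.

```python
"""Added example (not from the article): a popularity-capped password
oracle. Any password is allowed until too many accounts share it.

Design notes (my assumptions): counts live in a count-min sketch keyed with
a secret so the sketch reveals no plaintext passwords; a count-min sketch
never under-counts, so the cap can be over-enforced by a hash collision but
never silently exceeded. The secret key and sketch size are placeholders.
"""

import hashlib


class PopularityOracle:
    def __init__(self, max_users_per_password: int, width: int = 1 << 16,
                 depth: int = 4, key: bytes = b"placeholder-secret-key"):
        self.limit = max_users_per_password
        self.width = width
        # One independent keyed hash per sketch row.
        self.keys = [hashlib.blake2b(key + bytes([i]), digest_size=16).digest()
                     for i in range(depth)]
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password: str):
        """Yield (row, column) for each sketch row the password maps to."""
        for row, k in enumerate(self.keys):
            h = hashlib.blake2b(password.encode("utf-8"), key=k, digest_size=8).digest()
            yield row, int.from_bytes(h, "big") % self.width

    def estimate(self, password: str) -> int:
        """Upper bound on how many accounts currently use this password."""
        return min(self.table[r][c] for r, c in self._cells(password))

    def admit(self, password: str) -> bool:
        """Accept the password for one more account, or reject it if the
        popularity cap has been reached. No strength rules are applied."""
        if self.estimate(password) >= self.limit:
            return False
        for r, c in self._cells(password):
            self.table[r][c] += 1
        return True


def guess_success_bound(max_users_per_password: int, total_users: int) -> float:
    """Best an attacker can do with ONE online guess against a randomly
    chosen account: no password is shared by more than the cap, so no single
    guess can match more than cap/total of the accounts."""
    return max_users_per_password / total_users


if __name__ == "__main__":
    # Constructed sample sign-ups: a tiny site with a cap of 3.
    oracle = PopularityOracle(max_users_per_password=3, width=1024)
    for attempt in range(4):
        print("password ->", oracle.admit("password"))   # True, True, True, False
    print("correct horse battery staple ->", oracle.admit("correct horse battery staple"))
    print("estimate for 'password':", oracle.estimate("password"))
    # The article's numbers: 100 users per password among 10 million.
    print("per-guess success bound:", guess_success_bound(100, 10_000_000))
```

With the article’s figures the bound is 1e-5 per guess per account, independent of how predictable the rejected passwords were. A production version would also decrement the sketch when an account changes its password, and would need the user-facing fallback the article flags: a clear message when a chosen password is “no longer available.”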
