10.18.06 A Little Rant About Passwords
By Gary Hammock

Passwords are one of the most basic forms of data security.
They are the first option that comes to mind when attempting to secure a computer system, a network, or even a single file. But at what point do password rules become cumbersome for legitimate users while still keeping the data secure?
Let's face it. The most secure system is one that is un-networked, has only one legitimate user, is encrypted, is unpowered, or is basically hidden at the bottom of a well--but this is impractical. In order to actually use the computer, you must make some compromises: you must give legitimate users access while maintaining the integrity of your systems. This can be done through passwords IF they are properly administered.
You always hear people recommending weird, entirely random passwords such as "#G018nW@$b!". While this may be secure, try remembering it along with the other eight passwords you use for the other systems (you do use different passwords for each system, right?). Add to that the fact that most companies, governments, organizations, etc. require password changes every 30/60/90 days, and you have a lot of frustrated legitimate users. At what point does adding more rules reach diminishing returns in security? You don't want your users writing their passwords down and leaving them beneath their keyboards.
Password strength depends more on password length than on the range of characters used (with caveats). Granted, more potential characters helps, but let's look at the mathematics.
The number of possible passwords is given by C^n, where C is the number of characters available and n is the length of the password. A 10-character password using only the 26 lowercase letters has more combinations than a 9-character password drawn from a 32-character set: 26^10 > 32^9. This is an order of magnitude larger! As long as the 10-character password isn't in a dictionary file (and thus subject to dictionary attacks), this would be an easy password to implement. Thus the password "iamrunning" is more secure than "*a#v!@$nb" and much easier to remember.
Let's do another one, shall we? Keeping that same first password (lowercase only), let's suppose a second character set of lowercase letters plus the digits 0-9, still at a length of 9 characters. This means the second password has 36^9 possible combinations, which is still less than 26^10. Therefore that same password "iamrunning" is still more secure than "password7", because it still has a higher number of potential combinations. Of course this is a simplified model, and the password "iamrunning" (though complicated combinatorially) may still be susceptible to dictionary attacks.
Now we could build an uber-password that uses the full Unicode set and really make something complicated--but let's think about this. While you can (on Windows systems, I know) enter Unicode characters into the password prompt, it really seems to be counterproductive. In order to input a Unicode character in Windows, you hold down the "Alt" key while pressing a four-digit value on the number pad, such as alt+0192. While this may extend the character set, you still have to press five additional keys. If you had instead used five additional alphanumeric characters from the standard set, your password would be orders of magnitude stronger than a password with an obscure character set (pending a dictionary check; password length means nothing to a dictionary attack).
Now for something scary. An ATM has a character set of 10 digits, 0-9. For a PIN of four digits, this means 10,000 possible combinations. Suppose a laptop can try a million combinations per second. This means a laptop would be able to crack an ATM PIN in 0.01 seconds. DO NOT TRY THIS. THIS IS ONLY NOTIONAL AND HYPOTHETICAL IN NATURE. What do you think would help the most: a larger character set that must constantly be changed, or a few extra digits?
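The C^n arithmetic above, plus the dictionary caveat, worked through in code. This is an added example, not part of the original article; the character-set sizes come from the article, while the guess rate and the tiny word list are constructed stand-ins (a real wordlist would be far larger, which only strengthens the point).

```python
import math

# Character-set sizes the article compares.
LOWER = 26          # a-z
LOWER_DIGITS = 36   # a-z plus 0-9
SYMBOLS_32 = 32     # the article's "32 character set"
DIGITS = 10         # an ATM keypad

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords: C^n, the article's formula."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """The same keyspace expressed as bits: n * log2(C)."""
    return length * math.log2(charset_size)

def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every password in the keyspace."""
    return keyspace(charset_size, length) / guesses_per_second

def keyspace_ratio(charset_a: int, len_a: int,
                   charset_b: int, len_b: int) -> float:
    """How many times larger keyspace A is than keyspace B (>1 means A wins)."""
    return keyspace(charset_a, len_a) / keyspace(charset_b, len_b)

# Constructed toy word list (assumption); stands in for a cracker's dictionary.
TOY_DICTIONARY = {"password", "iamrunning", "letmein", "qwerty"}

def effective_keyspace(password: str, charset_size: int,
                       dictionary: set = TOY_DICTIONARY) -> int:
    """The article's caveat: a password that appears in a word list is only
    as strong as that list, however long it is; otherwise fall back to C^n."""
    if password.lower() in dictionary:
        return len(dictionary)
    return keyspace(charset_size, len(password))

if __name__ == "__main__":
    print("26^10 vs 32^9 ratio:", keyspace_ratio(LOWER, 10, SYMBOLS_32, 9))
    print("26^10 vs 36^9 ratio:", keyspace_ratio(LOWER, 10, LOWER_DIGITS, 9))
    print("4-digit PIN at 1e6/s:", seconds_to_exhaust(DIGITS, 4, 1e6), "s")
    print("'iamrunning' vs word list:", effective_keyspace("iamrunning", LOWER))
    print("'xqzvbnmklp' (not listed):", effective_keyspace("xqzvbnmklp", LOWER))
```

The ratio functions show the article's comparisons hold, and effective_keyspace shows why "iamrunning" collapses to the size of the word list once a dictionary is in play.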
Source: archonmagnus.com
About the Author: Gary Hammock is a mechanical engineer and a computer fanatic. He regularly writes articles and tutorials on his site archonmagnus.com. If you are looking for computer help or want to learn something new, visit archonmagnus.com for information about computer programming, the Linux operating system, building computers, etc.