Passwords' waning power

Security: Experts look for alternate safeguards as private accounts flourish.

January 30, 2003 | By Stevenson Swanson, Special to The Sun

The online bank account. The e-mail inbox. The frequent-flier account. The Internet retailer who sells those hard-to-find exercise tapes.

All of these Web sites - and thousands more - require passwords.

And that's in addition to all the other user names, codes and personal identification numbers people need to log on to computers at work, withdraw cash from an automated teller machine, check their voice mail and disarm a home security system.

With concerns about security on the Internet and on workplace computer networks reaching new heights, passwords are proliferating to the point that they threaten to overwhelm the original computer - the human brain. In response, computer security experts are looking for new ways, including such techniques as cheap fingerprint or retina scans, for people to prove that they are who they say they are in the chaotic computerized universe.

When it comes to passwords, "There are too many of them, and it's too hard for the average person to remember them," said Matt Bishop, a computer science professor at the University of California, Davis.

Avi Rubin, a computer security expert at the Johns Hopkins University, recently counted all the access codes he has to remember, including those for his computer, for two garage doors and for the nanny to get into the house. He came up with 53.

Michael Walters, information technology manager for the New York office of Perkins and Will, a Chicago architectural firm, even has to recall discarded passwords as part of his job overseeing the office's computer network.

"I have to remember passwords [that date] back to before I came to work here," said Walters, who needs the old access codes in emergency situations when data has to be recovered.

But a recent identity-theft case on Long Island illustrates why passwords and other computer safeguards have become more important than ever. In what federal prosecutors call the largest identity-theft case on record, three people were accused in November of stealing the passwords and other personal information of more than 30,000 people, resulting in losses of at least $2.7 million.

And that was just one gang of digital ne'er-do-wells. In 2001, the Federal Trade Commission received 86,000 complaints from victims of identity theft.

"Nobody knows you're a dog on the Internet," said cyber-security expert Jerry Brady, referring to a popular New Yorker magazine cartoon that shows a computer-savvy canine surfing the Web. "But nobody knows you're an identity thief either. There are a lot of nasty people out there."

And a lot of obvious passwords. In one study by AT&T Labs, the most popular password was "mother," said Rubin, the technical director of Johns Hopkins' Information Security Institute.

Brady, the chief technology officer for Guardent, a Waltham, Mass.-based information security services provider, frequently can guess the passwords of 1 in 3 people when he demonstrates a computer network's vulnerability to a client.

"All you need is to know a bit about a person - his wife's name, pet's name, car's name," said Brady, who noted that much personal information is readily available on the Internet and in public records. "And knowing what a person cares most about - his wife, his pet or his car - you can guess."

Apart from taping a password to their computer, one of the most common mistakes people make with their digital combinations is to use a word, which most people find easier to remember than a number. Such codes are vulnerable to "dictionary attacks," a hacking tactic using a program that methodically tries thousands of words.

Another frequent error is to log on to password-protected sites at Internet cafes or hotel business centers. Such computers frequently are contaminated with programs called "keyboard sniffers," which record the order in which keys are pressed and then send surreptitious e-mails of the sequences to a waiting identity thief.

Personal identification numbers for ATM cards and calling cards are susceptible to "shoulder surfing" by sharp-eyed swindlers who watch as the unsuspecting tap in their codes.

Considering the resourcefulness of the thieves, the odds may seem heavily stacked against ordinary computer users, but security experts have some suggestions for devising passwords that are tough to crack, and ways to keep from being swamped by dozens of access codes.

Instead of using a word, Rubin suggests taking the first letters of an easily remembered phrase and then adding some numbers or, better yet, punctuation marks and capital letters. That results in a password too complex to be broken easily.
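The two points above (a dictionary word is weak because the attacker's search space is the word list, and a phrase-derived password with mixed character classes is strong because a blind search must cover the whole alphabet) can be turned into a simple password-policy check. This is an added example, not code from the article or from any of the experts quoted; the word list, the 40-bit threshold and the `from_phrase` helper are constructed assumptions for illustration.

```python
import math
import string

# Constructed stand-in for the word list a dictionary attack iterates over
# (real lists hold tens of thousands of words; this is a tiny sample).
WORDLIST = {"mother", "password", "fluffy", "honda", "summer", "letmein"}

# Assumed policy threshold: reject anything a blind search covers in < 2^40 tries.
MIN_BITS = 40


def normalize(candidate: str) -> str:
    """Lower-case and drop a trailing run of digits, so 'Mother1' -> 'mother'.
    Word-list attacks try these cheap variations, so the check must too."""
    return candidate.lower().rstrip(string.digits)


def is_dictionary_word(candidate: str, wordlist=WORDLIST) -> bool:
    """True if the password is a listed word, possibly with a digit suffix."""
    return normalize(candidate) in wordlist


def from_phrase(phrase: str, suffix: str = "") -> str:
    """Rubin's recipe: first letter of each word (capitals kept) plus a suffix
    of digits/punctuation. Helper assumed for this example."""
    return "".join(w[0] for w in phrase.split() if w) + suffix


def keyspace_bits(password: str) -> float:
    """log2 of the space a blind brute-force must search: alphabet ** length,
    where the alphabet is the union of character classes actually used."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password: str) -> dict:
    """Policy verdict. A dictionary word is rejected outright: its effective
    search space is the word list, not the character alphabet."""
    if is_dictionary_word(password):
        return {"ok": False, "reason": "dictionary word",
                "bits": round(math.log2(len(WORDLIST)), 1)}
    bits = round(keyspace_bits(password), 1)
    return {"ok": bits >= MIN_BITS, "reason": "keyspace", "bits": bits}
```

With the constructed list, `assess("Mother1")` is rejected as a dictionary word, while the phrase "My dog Fido eats two bones a day" with suffix `!7` yields `MdFetbad!7`, about 65.5 bits of blind search space.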

Still, because many hackers work methodically over long periods, it is becoming increasingly important to change passwords regularly, experts say.
