Chances are if yo uve go t an acco unt at a site like

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: es are yo u’re using the same passwo rd (o r easily guessed variants) in a way that means getting just o ne “key” wo uld o pen many “do o rs.” The typical Web user has 6.5 passwo rds, each o f which is used at f o ur sites, o n average.N. Summers, “Building a Better P asswo rd,” New sw eek, Octo ber 19, 2009. So me sites f o rce users to change passwo rds regularly, but this o f ten results in insecure co mpro mises. Users make o nly mino r tweaks (e.g., appending the mo nth o r year); they write passwo rds do wn (in an unlo cked drawer o r P o st-it no te attached to the mo nito r); o r they save passwo rds in perso nal e-mail acco unts o r o n unencrypted hard drives. The challenge questio ns o f f ered by many sites to auto mate passwo rd distributio n and reset are o f ten pitif ully insecure. What’s yo ur mo ther’s maiden name? What elementary scho o l did yo u attend? Where were yo u bo rn? All are pretty easy to guess. One IEEE study f o und acquaintances co uld co rrectly answer co lleagues’ secret questio ns 28 percent o f the time, and tho se who did no t kno w the perso n still guessed right at a rate o f 17 percent. P lus, within three to six mo nths, 16 percent o f study participants f o rgo t answers to their o w n security questio ns.R. Lemo s, “Are Yo ur ‘Secret Questio ns’ To o Easily Answered?” Techno lo gy Rev iew , May 18, 2009. In many cases, answers to these questio ns can be easily unco vered o nline. Chances are, if yo u’ve go t an acco unt at a site like Ancestry.co m, classmates.co m, o r Facebo o k, then so me o f yo ur secret answers have already been expo sed—by yo u! A Tennessee teen hacked into Sarah P alin’s perso nal Yaho o ! acco unt (go [email protected] o .co m) in part by co rrectly guessing where she met her husband. A similar attack hit staf f ers at Twitter, resulting in the thef t o f hundreds o f internal do cuments, including strategy memo s, e-mails, and f inancial f o recasts, many o f which ended up embarrassingly po sted o nline.N. Summers, “Building a Better P asswo rd,” New sw eek, Octo ber 19, 2009. Related to the passwo rd pro blem are issues with system setup and co nf iguratio n. Many vendo rs sell so f tware with a co mmo n def ault passwo rd. Fo r example, f o r years, leading database pro ducts came with the def ault acco unt and passwo rd co mbinatio n “sco tt/ tiger.” Any f irm no t changing def ault acco unts and passwo rds risks having an o pen do o r. Other f irms are lef t vulnerable if users set systems f o r o pen access—say turning o n f ile sharing permissio n f o r their P C. P ro grammers, take no te: well-designed pro ducts co me with secure def ault settings, require users to reset passwo rds at setup, and also o f f er stro ng warnings when security settings are made weaker. But unf o rtunately, there are a lo t o f legacy pro ducts o ut there, and no t all vendo rs have the insight to design f o r o ut-o f -the-bo x security. Building a Better Password There’s no simple answer f o r the passwo rd pro blem. Biomet rics are o f ten tho ught o f as a so lutio n, but techno lo gies that replace co nventio nally typed passwo rds with things like f ingerprint readers, f acial reco gnitio n, o r iris scans are still rarely used, and P Cs that include such techno lo gies are widely viewed as no velties. Says Carnegie Mello n University CyLab f ello w Richard P o wer, “Bio metrics never caught o n and it never will.”N. Summers, “Building a Better P asswo rd,” New sw eek, Octo ber 19, 2009. Other appro aches leverage techno lo gy that distributes single use passwo rds. These might arrive via external devices like an electro nic wallet card, key chain f o b, o r cell pho ne. Security f irm RSA has even built the techno lo gy into BlackBerrys. Enter a user name and receive a pho ne message with a tempo rary passwo rd. Even if a system was co mpro mised by keystro ke capture malware, the passwo rd is o nly go o d f o r o ne sessio n. Lo st device? A central co mmand can disable it. This may be a go o d so lutio n f o r situatio ns that demand a high level o f security, and Wells Fargo and P ayP al are amo ng the f irms o f f ering these types o f services as an o ptio n. Ho wever, f o r mo st co nsumer applicatio ns, slo wing do wn users with a two -tier authenticatio n system wo uld be an impractical mandate. While yo u await technical f ixes, yo u can at least wo rk to be part o f the so lutio n rather than part o f the pro blem. It’s unlikely yo u’ve go t the memo ry o r discipline to create separate unique passwo rds f o r all o f yo ur sites, but at least make it a prio rity to create separate, hard-to -guess passwo rds f o r each o f yo ur highest prio rity acco unts (e.g., e-mail, f inancial Web sites, co rpo rate netwo rk, and P C). Remember, the integrity o f a passwo rd shared acro ss Web sites isn’t just up to yo u. That ho t start-up Web service may no t have the security reso urces o r experience to pro tect yo ur special co de, and if that Web...
View Full Document

This document was uploaded on 01/31/2014.

Ask a homework question - tutors are online