iApplianceWeb-iApplianceReview

Sponsor-Editors Sites
" iApplianceReview
" Appliance-Lab
" CyberNode Appliances
" VideoIP Services
" Energy Gateways
" Metering & Appliances
" Netcentric Community
" Techrite Associates

EETimes Sites
" EE TIMES
" EE TIMES ASIA
" EE TIMES CHINA
" EE TIMES FRANCE
" EE TIMES GERMANY
" EE TIMES KOREA
" EE TIMES TAIWAN
" EE TIMES UK

EETimes Network Sites
" CommsDesign
" iApplianceWeb.com
" Microwave Engineering
" EEdesign
" Deepchip.com
" Design & Reuse
" Embedded.com
" Embedded Edge
" Elektronik i Norden
" Planet Analog
" Silicon Strategies

" Byte
" ChannelWeb
" CMP
" CommWeb
" Com. Convergence
" CRN
" Conferences and Events
" DB2
" Dr. Dobbs Journal
" DV.Com
" EBN
" EBN China
" eeProductCenter
" Electronics Express
" Electronics Express
" Internet Week
" Network Computing
" Network Magazine
" NetSeminar Services
" QuestLink
" TechWeb
" VAR Business
" Windows Developer

Security Sentinel:

Passwords are like locks on doors...

Toni McConnel

iApplianceWeb

(11/20/05, 12:24 PM GMT)

…they are very effective at a keeping the honest people out.

But for the cyber criminal, cracking a password is sometimes the easiest way into a system. Why? Two reasons: user ignorance, and a plethora of password cracking tools available on the Internet.

To dispense with the first reason, the user needs to understand the second—how passwords are cracked.

There are two main types of password-cracking utilities: brute force and dictionary-based.

The dictionary-based password cracker depends on the fact that most users choose a password that easy to remember—that is, a word that makes sense. He may choose the name of a spouse, relative, child, favorite rock star, or pet; the name of the street where he lives; or a word he likes to associate with his personality, such as “highlife” or “hotshot”. Any name or word, unless it is a totally invented one, is 99.9% likely to appear in any standard dictionary. Ergo, dictionary-based password crackers simply try every word in the dictionary. One of them is almost sure to work. This is an automated process and a relatively fast one. The attacker can be doing something else while the utility runs, and when a match is found, he’ll get a message that the search has been successful.

Many of the purveyors of password-cracking utilities have all the trappings of legitimate businesses. They purport to serve people who have forgotten their passwords. It’s true that these people are served, but the utilities are also used by attackers. If you want to find out how secure your system is with your present password, go to www.crackpassword.com and download a trial version of one of their utilities. Be mindful that these utilities are specific to certain applications and choose one for an application you are using. If you are able to recover your password with this utility, so can anybody else.

This is why you are so often advised to choose a password that is a random mix of letters and numbers. Such a mix will not appear in a dictionary. People ignore this advice because (1) they don’t understand how passwords are cracked and (2) because they want an easy-to-remember password. How likely is it that you are going to remember that your password is iw8je0i? The solution to that problem is to use a secure password keeper such as Roboform. Every time you get to the log-in page, the password keeper will fill in the password for you; you won’t have to remember it.

This strategy does not protect you from a brute force attack, however. Brute-force password cracking utilities go far beyond trying all the words in a dictionary. They try every possible combination of letters, numbers, and symbols. Even with a supercomputer it is a long process and probably only worth doing when the stakes are high, such as getting into a corporate bank account. With enough time, they can work.

The advice usually given to protect yourself from brute-force attacks is to change your password often. But this doesn’t make sense to me, since it only gives you protection from a brute-force utility that has not yet started working on your system. If such a scan is already in progress, a new password protects you only if the utility has already tried the combination of letters, numbers, and symbols in your new password. That is, it is quite possible that when you change your password, you will choose a combination that is coming up in the next 100 or 1000 or 10,000 or 100,000 combinations tried—the blink of an eye, in computer processing terms.

In my view there is no 100% effective defense against brute force password crackers for computers that must be always on line except to utilize a password utility that will lock out a client that submits an invalid password more than three times. This defeats automated password crackers. There are ways an attacker can get a copy of the registry and/or other systems files and work on them off line; in that case you are out of luck.

The next best defense is to have multi-strategy attack protection—a combination of firewall and anti-virus, anti-spyware software.

At the very least, change all your passwords to random combinations of letters, numbers, and symbols, and get a password keeper so you won’t have to memorize them. You’ll at least be protected from the most common form of password cracking.

Toni McConnel is executive editor of iApplianceWeb. She is also a nature photographer and an award-winning fiction writer. You can reach her by email at SecuritySentinel[at]TechRite-Associates[dot]com.

For more information about topics, issues and technologies mentioned in this story go to the flashing icon in the upper left corner on this page or go to the iAppliance Web Views page and call up the associatively-linked Java/XML-based Web map of the iApplianceWeb site.

Enter the appropriate key word, product or company name to list instantly every news and product story, product review and product database entry relating to the topic since the beginning of the 2002.