User Login and Passwords
The greatest threat to security is almost always people. In a highly publicised incident, former US President Bill Clinton was deemed to have given an improper example when he signed the Electronic Signatures in Global and National Commerce Act in June 2000. The password he had chosen when signing the bill? He picked ‘Buddy’, the name of the White House dog.
If you are using the name of your pet, partner, birthday, Beckham or Ferrari as your password, you are not alone. A survey by credit card company Visa revealed that 67% of passwords chosen are easily guessed names or numbers, the majority being a date of birth, a nickname or a favourite sports team. As a form of authentication, a password does not go far in providing adequate security.
How It Works
Authentication of an individual depends on how that person proves that he is who he claims to be. It can be by proving what he knows (a password or PIN code), what he possesses (a smartcard, token or digital certificate), or what he is (biometric recognition such as a fingerprint or retinal vascular pattern).
The use of username and password as a form of authentication has been the basis of computer security for years. Today it has become a necessary, if at times inconvenient, part of our everyday lives. Some experts refer to password-based authentication as a two-factor approach, since it is based on who you are (your username or digital identity is issued by a party who acknowledges you) and what you secretly know (your password).
When you type your username and password, say from a web browser when performing Internet banking, a central server will first verify your credentials. Once they are verified, the server initiates what is called a secure session. During this ‘protected’ time window, all transactions between the browser and the server are encrypted and can be attributed to you.
The session ends when you click on the sign out button or when the stipulated time expires. Protocols such as SSL (Secure Sockets Layer), denoted by the padlock icon at the bottom of the browser, may be used to secure such sessions.
Sitting On Quicksand
If your organisation relies heavily on password-based authentication as the first line of defence, your security policy is said to be built on quicksand. Password and user account exploitation is one of the largest issues in network security. Such systems are open to attacks, especially on the Internet, and can be easily compromised by natural human frailties.
You don’t have to be a computer genius to break passwords. Even people with basic computer knowledge can easily get their hands on password hacking tools. Keystroke-capturing programs, for instance, which log keystrokes, user names, passwords, path names and access times without the user’s knowledge, are readily available over the Internet.
Some tools will attempt every alphanumeric combination possible to crack passwords. On the Internet, this can be achieved in a matter of minutes. Meanwhile, information and data shared across the Internet are susceptible to sniffing tools, which can capture and read data being transmitted – unless they are encrypted by a reliable digital certificate, of course.
Hard Habit To Break
A seemingly small but actually crucial weakness of passwords lies not with technology but deep within us. Humans are creatures of habit: we are lazy and careless. According to Jupiter Media, a business intelligence specialist, a US study found that up to 10 per cent of all calls and e-mails to customer service units relate to forgotten passwords and usernames.
Half of the computer users surveyed by Visa, on the other hand, admit to using the same password to access more than one application, while 51 per cent use the same word to access three or more applications.
Faced with a myriad of services and equipment which require a username and password, people usually resort to simple and easy-to-remember combinations. Simple passwords, however, are susceptible to ‘dictionary’ attacks, whereby a text file full of dictionary words is loaded into a cracking application and run against hacked user accounts. The smallest dictionary in a password cracker is said to have more than 200,000 words, including the names of places and famous people.
Faced with the task of remembering, people tend to carelessly leave a password trail around them: sticky notes on the monitor, pictures of their loved ones or posters of their favourite football team. Understanding a person’s psyche is occasionally enough to infer that person’s password. But sometimes, all that is needed is a long neck: a peek over the shoulder of someone logging into a network!
So when the Internet is involved, it is wise to forget passwords and rely on digital certificates. A strong Public Key Infrastructure (PKI) or digital certificates, which are impossible to guess and hard to crack, are the only option.
It’s Not Enough
An evil hacker with a password list from a server will likely gain access to other computers in a network and wreak substantial damage. Well-documented cases include the password pirating done by an employee of Sabre Holdings Corporation, the company providing the reservation system for American Airlines and its competitor Legend Air. The hacking was deemed responsible for unfair competition, allowing American to prevent, delay and hinder Legend from flying out of Dallas Love Field airport.
If your credit card gets stolen, you are conscious of the loss and will report it to the issuer, who will bar ensuing transactions and replace the card with a new one. But password thefts are always done in stealth. Passwords can be easily stolen or copied without the user or organisation ever knowing it.
Nor can the use of passwords ensure the identity of the signer (is it really Bill Clinton who signed the e-bill, or was it an impersonator?). Neither can it guarantee the integrity of the associated transaction or document (how would you know the credit card details you just updated were not intercepted and altered in transit?).
If the aim is to protect sensitive personal and financial information, it is absolutely necessary for any organisation not to rely on a pure password-authentication scheme. They should instead implement stronger and more robust PKI-based security measures. PKI verifies and authenticates the validity of the parties involved in an Internet transaction, and is accepted by the court of law as undisputed hard evidence in commercial transaction disputes.
PINs and passwords are not enough to provide security on the Internet. A digital certificate is absolutely necessary. However, if you must create passwords, below are some tips:
Avoid dictionary words.
Avoid using personal information.
Use long passwords if your memory permits.
Use numbers, symbols, punctuation and random capitalisation.
Swap or remove words and letters.
Use sentences that you can easily remember and manipulate them. ‘Crouching Tiger Hidden Dragon’ might become ‘c71g3RhD!’
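As an added illustration of the brute-force and dictionary attacks described earlier and of the tips just listed, the following Python (written for this page, not MSCTrustgate code) estimates how long an exhaustive search of a password’s character space would take and flags passwords that break the tips. The six-word dictionary, the guess rate of one billion per second and the sample passwords are constructed assumptions standing in for the 200,000-word lists and real cracking speeds the article mentions.

```python
import re
import string

# Constructed stand-in for the 200,000-word cracking dictionaries the article mentions.
DICTIONARY = {"buddy", "ferrari", "beckham", "password", "tiger", "dragon"}

# Assumed guess rate used only for the estimate below; real rates vary widely.
GUESSES_PER_SECOND = 1e9


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover to include every character in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def seconds_to_exhaust(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of pw's length over pw's alphabet."""
    return charset_size(pw) ** len(pw) / rate


def leet_normalise(pw: str) -> str:
    """Undo common digit/symbol substitutions so 'p4ssw0rd' still matches 'password'."""
    table = str.maketrans("013457@$!", "oleastasi")
    return pw.lower().translate(table)


def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the article's tips that pw violates; an empty list means it passes."""
    problems = []
    normalised = leet_normalise(pw)
    if any(word in normalised for word in DICTIONARY):
        problems.append("dictionary word")
    if any(p.lower() in pw.lower() for p in personal if p):
        problems.append("personal information")
    if len(pw) < 8:
        problems.append("too short")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs numbers, symbols or mixed case")
    return problems
```

The White House dog’s name fails three checks and its whole five-letter alphabet can be exhausted in well under a second at the assumed rate, whereas the article’s ‘c71g3RhD!’ passes every check and would take on the order of years.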
Article contributed by MSCTrustgate.com