If you have ever used a computer, chances are you have used a password. Chances are that the password was your spouse's name, your child's name or that of a much-loved pet. Chances are that password could be cracked in about one second flat. Chances are you use the same password to access all your other online accounts, including your bank, your medical records, etc. Chances are you don't like the way this is going. Am I right? I don't want to alarm you, but passwords are at the heart of computer security, and they are its weakest link. Most people use passwords they can easily remember. This makes it increasingly easy for ne'er-do-wells to get hold of them: as computers get faster, and more people use them, the tools available to crack passwords improve. Now, with small programs you can download from the Internet, cracking a password is child's play.
Opening a password-protected Microsoft document, for example, is relatively easy. A program such as MoneyKey from Passware (www.lostpassword.com) will recover the password for a Microsoft Money file instantly. A file from its main rival, Intuit Inc.'s Quicken, can be opened by constructing a fake password. Improved measures in Microsoft Office, according to LastBit Software's Vitas Ramanchauskas, make it harder to crack longer passwords, but his software still guarantees eventual success.
Here is the problem. In the real world, we limit access to our property with keys. In the computer world we have to use a non-physical, virtual key, which is the password. The thinking goes that as only you know the password, your online property, your data, is safe. But of course it isn't that simple. There are myriad ways the ne'er-do-wells (we'll call them crackers) can get their hands on your password. One is shoulder surfing, which involves the highly technical process of walking past your computer when you are typing in your password. The online equivalent of this is something called "password sniffing," which entails using special software to monitor network activity. If the cracker knows that the first thing you do when you dial into the office is type in your username and password, it doesn't take a genius to realise that capturing and deciphering that data could prove fruitful. This is one reason why passwords are usually not stored or sent in the clear but are encrypted, using supposedly complex formulas, or algorithms.
This makes the cracker's job harder, but not impossible. A password-protected Microsoft Word version 8 file, for example, is encrypted with a key derived from the password through a multi-stage process, according to Crak Software (www.crak.com), a password-cracking site. The encryption uses a 128-bit binary number, or key, meaning that in theory there are 128 bits of entropy, or uncertainty, in the encryption code. On paper that sounds invincible: centuries should pass before someone can decrypt your file.
Keep out!
What should you do to avoid password theft? There is no guaranteed way to protect your data. But here are some tips:
Never use the same password for two different things. If someone can crack your password for one thing, they'll have access to everything else you use the same password for. Use complicated passwords, mixing upper and lower case, numbers and other symbols, and make them as long as you can. The arithmetic is simple. Assuming a cracker can check 100,000 passwords a second, it will take him at most about 10 minutes to crack a five-character password made of lower-case letters and digits (36 choices per character, so 36^5, or roughly 60 million, candidates); an eight-character password of mixed upper- and lower-case letters (52 choices per character, 52^8 candidates) would take him up to 17 years, and adding digits to the mix (62 choices per character) pushes that to about 69 years. Never use words you can find in a dictionary, or proper names. If you speak a second language, use it. Don't use any password that includes something that crackers can link to you: your pet's name, a car registration, your daughter's birthday. These are easy to find out.
(Crackers call this social engineering.) Don't assume your data is not worth a cracker's effort. If a cracker can find out your password, he may well be able to access your credit-card details, or worse. In practice there is less to crack than meets the eye. A 128-bit key sounds impressive, but that figure measures only the maximum entropy of the encryption. When the key is derived from a password, the cracker need not search the whole key space, only the passwords that could have produced it, and passwords are usually far shorter than the length required to make use of all the permutations available. That quickly reduces the workload for a cracker. Making his job easier is the fact that most users don't want to remember a complicated password, so it is probably a recognisable (and memorable) word that may even be guessable.
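To show what the numbers in the tips above rest on, here is an added worked example (my own code, not from the article or from any of the vendors it names). It computes the search space and worst-case time for each password shape at the article's assumed rate of 100,000 guesses a second, shows how an eight-letter password caps a 128-bit key at about 46 bits of useful entropy, and compares the cost of a wordlist hit with exhaustive search. The character classes (26 lower-case letters, 26 upper-case, 10 digits, 32 symbols) are the assumptions the figures depend on, and the wordlist is a constructed six-word stand-in for a real 150,000-word English list.

```python
"""Brute-force cost arithmetic behind the article's password figures (added example)."""
import math
import string

# Assumed character classes; a real attacker tailors these to the target.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
ALL_CHARS = "".join(CLASSES.values())
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet a cracker must search once he knows which
    character classes the password draws from."""
    if not password or any(c not in ALL_CHARS for c in password):
        raise ValueError("password contains characters outside the modelled classes")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(alphabet: int, length: int) -> int:
    """Candidates an exhaustive search has to try in the worst case."""
    return alphabet ** length


def worst_case_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace at a fixed guessing rate."""
    return keyspace(alphabet, length) / guesses_per_second


def password_entropy_bits(alphabet: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet)


def effective_key_bits(alphabet: int, length: int, key_bits: int) -> float:
    """A key derived from a password is no stronger than the password:
    the cracker searches whichever space is smaller."""
    return min(key_bits, password_entropy_bits(alphabet, length))


def attack_cost(password: str, wordlist, guesses_per_second: float):
    """Return (method, guesses, seconds). A wordlist hit costs its position in
    the list; otherwise fall back to exhaustive search over the alphabet the
    password actually uses."""
    for position, word in enumerate(wordlist, start=1):
        if word == password:
            return ("wordlist", position, position / guesses_per_second)
    n = keyspace(alphabet_size(password), len(password))
    return ("brute-force", n, n / guesses_per_second)


# Constructed sample wordlist; a real English list runs to about 150,000 entries.
SAMPLE_WORDLIST = ["password", "letmein", "fluffy", "rover", "secret", "qwerty"]

if __name__ == "__main__":
    rate = 100_000  # guesses per second, as assumed in the article
    print(f"5 chars, lower-case + digits: {worst_case_seconds(36, 5, rate) / 60:.1f} minutes")
    print(f"8 chars, mixed-case letters: {worst_case_seconds(52, 8, rate) / SECONDS_PER_YEAR:.1f} years")
    print(f"8 chars, mixed-case + digits: {worst_case_seconds(62, 8, rate) / SECONDS_PER_YEAR:.1f} years")
    print(f"128-bit key from 8 mixed-case letters: {effective_key_bits(52, 8, 128):.1f} effective bits")
    for pw in ("fluffy", "Xk7#pQ2m"):
        print(pw, attack_cost(pw, SAMPLE_WORDLIST, rate))
```

The 17-year figure only holds for eight letters with no digits; the same password drawn from letters and digits takes about four times longer, and a pet's name that appears in the wordlist falls in a fraction of a second regardless of how long the key is.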
Computers, too, are getting more powerful, meaning that brute-force techniques can be used against passwords. Helping the cracker are wordlists that can be thrown at the password to check for possible matches: a complete English wordlist might involve 150,000 guesses, which would take a few seconds on a normal computer. Failing that, pure brute force can be applied, where every combination from 'aaa' to 'zzzzzzzzz' is tried. This may take some time, say a week on a Windows NT system, but security consultants hired to test networks say they can run an attack for several days before a systems administrator might notice. L0phtCrack, a password-cracking program, cracked 90 per cent of all passwords at a large high-technology company in less than 48 hours using an off-the-shelf PC.

And in case you think all this is way too theoretical, here are some recent cautionary tales. In the past week dozens of Web sites have been hacked into, including those of Intel Corp, the Idaho state government, the messaging provider ICQ, the U.S. Financial Institutions Commission, Sony Corp's Taiwan site, the New York Times, Compaq Computer Corp, Altavista and Hewlett-Packard Corp (for a list of such hacked sites, see www.attrition.org/mirror/attrition). Early this month hackers broke into the World Economic Forum Web site, retrieving 800,000 pages of data including e-mail addresses, credit-card numbers and passwords of luminaries from Microsoft's Bill Gates to Palestinian leader Yasser Arafat. All such attacks would involve either bypassing the password security or cracking the code. According to the Guardian, a British newspaper, the Atari Web site of games manufacturer Hasbro was broken into by hackers in late January using the default username and password 'test'. Weeks later the site still displays a sign saying it is "undergoing routine maintenance."

The commercial wing of this business offers password-cracking services for files you can't open, no questions asked.
OfficePassword, from LastBit Software (www.passwordtools.com), promises to recover 75 per cent of all Microsoft Office passwords within one day. Watching such programs whirring away on your Microsoft Word file is a sobering experience: your computer can be very fast when it wants to be.

Of course, this all means you are going to have to be a bit more savvy about passwords. One solution: keeping them on your hand-held digital assistant. There are programs to help: FortSoft's 4T Nox (www.fortsoft.com), for example, stores passwords and user names on your Palm device. But be warned: Palm passwords can be hacked. And even FortSoft had to release an update earlier this month when it discovered the program's own password wasn't being encrypted properly.
The lesson: there is no such thing as a safe password. I warned you that you wouldn't like the way this was going.

The Wall Street Journal
Copyright © 2001 Indian Express Newspapers (Bombay) Ltd.