Protect your password
Today, advanced hardware makes it easy to crack passwords. In such a scenario, what should users do to keep hackers out?
If you thought your clever password
was something no one could hack, well, you are in denial. Consultancy firm Deloitte
reports that 90 per cent of user-generated passwords are vulnerable to hacking.
What, even my traditional (clever) combo of eight characters complicated by
numbers, letters and symbols? Yes.
Last year, Zappos.com lost names,
email-IDs, phone numbers and partial credit card numbers of 24 million
customers. LinkedIn admitted its user passwords were “compromised”. Some
400,000 Yahoo email-ID passwords were hacked last July. In 2011, 77 million
passwords were stolen from Sony’s PlayStation Network. GoDaddy's passwords were
breached. FBI, NBC-sites, 112 Indian government sites found their “secure”
passwords “exposed”. If it's any consolation, Taliban sites were successfully
attacked too. Just check out what services like “iFramers” do to hacked websites.
Re-using passwords
How did our passwords get so susceptible? Longer passwords infused with @, *, % symbols are difficult to remember, so we pick from a small subset of them, and those get cracked. We slip up by re-using passwords. Credit-checking firm Experian found that the average user has 26 password-protected online accounts but uses only five different passwords. Deloitte says the 10,000 most common passwords would open 98 per cent of all accounts. When you key in the same password for online banking and Warhammer, a security breach at the gaming site compromises the bank account password as well.
Even long passwords aren't safe, says Ashwini Rao, a researcher at Carnegie Mellon University. Sentence-like or phrase-like passwords such as “abiggerbetterpassword” and “thecommunistfairy”, postal addresses, email IDs and URLs also make for less secure passwords now, she says.
Blame it on advances in password-cracking hardware. “It's called a brute-force attack,” says techie Mahesh, explaining its nuances. “Powerful computers/laptops try every possible permutation-combination to find the ‘right’ one, no intelligence involved.” Creep! Our eight-character password, built from the 94 printable keyboard characters, is one of 6.1 quadrillion (94 to the power 8) possible combinations. “A dedicated password-cracking machine employing virtualisation software and high-powered graphics-processing units can crack any eight-character password in 5.5 hours,” the Deloitte report said. Nefarious, says Mahesh. “A computer working alone may not be able to dig into, say, military networks. So a zombie machine, which could be yours, is roped in for the hack job. It's a small percentage of your CPU; you pay for unlimited time, so how will you know?” Hey! “Wait,” he says. “There is also crowd hacking, where hackers share the power of thousands of machines to infiltrate the target. At no cost.”
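As an added illustration of the brute-force arithmetic above (this is not code from the article): the block below counts the keyspace for a given alphabet and length, works out the guess rate that the Deloitte 5.5-hour figure implies, and runs a miniature brute-force search, shortest candidates first, against the unsalted SHA-1 hash of a constructed three-letter target. The target, the lowercase-only comparison and the 12-character extrapolation are assumptions chosen for the demonstration.

```python
"""Brute-force password search: keyspace arithmetic plus a toy crack.

Added example, not code from the article. The target password below is
constructed for the demonstration; the 5.5-hour figure is the Deloitte
claim quoted in the text.
"""
import hashlib
import itertools
import string

# The 94 printable ASCII characters (letters, digits, punctuation; no space).
PRINTABLE_94 = string.ascii_letters + string.digits + string.punctuation
DELOITTE_SECONDS = 5.5 * 3600  # "any eight-character password in 5.5 hours"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force search must cover in the worst case."""
    return alphabet_size ** length


def implied_guess_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def brute_force_sha1(target_hex: str, alphabet: str, max_len: int):
    """Try every string over `alphabet`, shortest first, until SHA-1 matches.

    Unsalted SHA-1 stands in for a leaked hash. Returns (password, guesses),
    or (None, guesses) if nothing up to max_len matched.
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hashlib.sha1(candidate.encode()).hexdigest() == target_hex:
                return candidate, guesses
    return None, guesses


def main() -> None:
    rate = implied_guess_rate(len(PRINTABLE_94), 8, DELOITTE_SECONDS)
    print(f"94^8 = {keyspace(94, 8):,} candidates")
    print(f"cracking that in 5.5 h implies about {rate:.3g} guesses/s")
    # Same rate and length, lowercase letters only: the alphabet, not the
    # length alone, is what the attacker's clock depends on.
    print(f"26^8 at that rate: {seconds_to_exhaust(26, 8, rate):.2f} s")
    years = seconds_to_exhaust(94, 12, rate) / (86400 * 365)
    print(f"94^12 at that rate: {years:.3g} years")

    # Constructed target: the unsalted SHA-1 of "abc".
    target = hashlib.sha1(b"abc").hexdigest()
    found, guesses = brute_force_sha1(target, string.ascii_lowercase, 3)
    print(f"recovered {found!r} after {guesses} guesses")


if __name__ == "__main__":
    main()
```

The search order is the whole point of the demonstration: every candidate is generated and hashed, with no knowledge of language or habits, which is why the only defences the arithmetic respects are a bigger alphabet and more characters.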
Help! Twitter and Adobe reset thousands of passwords after “embarrassing” goof-ups. Google alerts you to unusual mobile-phone activity. It also wants you to use a YubiKey, a tiny key with an embedded smart chip that plugs into a USB port: with a simple touch, the YubiKey sends a one-time password (OTP) as if you had typed it, and a YubiKey-compliant service verifies that unique passcode. It works on Windows/Mac/Linux/iPad/Firefox/Chrome, is waterproof and crush-safe, and needs no battery or client software/drivers. Fine. “Things like YubiKey are definitely more secure as they support random passwords and provide two-factor authentication,” says Mahesh. “Corporates use them on a day-to-day basis because they are mandatory, but you will use it a lot less since it's optional.” You could lose it, you need to insert it, and you still type in a master password to access websites. Too much!
“Multi-layer authentication” is possible. You log onto your credit card issuer's site, type in your username/password, receive a second code on your smartphone, key that in, and go online. Not terribly convenient! Password vaults or password safes (paid tools) offer you a central place to store all your passwords, encrypted and protected by, you guessed it, a password or token. These, presumably, are not easily cracked, as long as that one master password is strong. Firefox can save user names and passwords for online services like banking.
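The one-time codes in the two paragraphs above (the key's touch-to-type passcode and the code sent to a smartphone) are checked by a service that shares a secret with the token. The YubiKey's own OTP format is Yubico-specific and AES-based; the block below, added here and taken neither from the article nor from Yubico, shows the generic HOTP/TOTP scheme of RFC 4226 and RFC 6238 that authenticator apps use in the same second-factor role, including the verifier-side counter check that makes a replayed code fail. The secret is the RFC test-vector secret, not a real credential; the verifier class and its look-ahead window are an assumed design.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords with a verifier.

Added example, not the article's or Yubico's code. The secret below is the
RFC 4226 test-vector secret, not a real credential.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the Unix time (T0 = 0)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


class HotpVerifier:
    """Service side of an event-based token (each button press advances the counter).

    A code is accepted only if it matches a counter strictly after the last
    accepted one, within a small look-ahead window that absorbs presses which
    never reached the server. A replayed code therefore fails.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # move forward; older codes are dead
                return True
        return False


def totp_matches(secret: bytes, code: str, at: float, skew_steps: int = 1) -> bool:
    """Accept the current 30 s step or one step either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + k * 30), code)
        for k in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    print("HOTP counters 0-2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, at=59, digits=8))
    server = HotpVerifier(RFC_SECRET)
    print("first use:", server.verify(hotp(RFC_SECRET, 0)))
    print("replay:", server.verify(hotp(RFC_SECRET, 0)))
```

The constant-time comparison and the strictly increasing counter are the two details that make this a second factor rather than a second password: the code alone is worthless a few seconds or one press later.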
Go for poor grammar and spelling, says Ashwini Rao. Hurray! Since the cracker's word lists and grammar rules cover properly spelt words and sentences, you hoodwink it by staying outside the dictionary. She suggests phrases such as “Pineapplesi$nise” and “Exitingplan$isafoot”, that is, if you can memorise the deliberate mistakes. Try “eat cake at 8!” or “car_park_city?” (Idontnohowtospal.com). The high-tech crowd touts a biometric solution, but it has its hiccups. Smartphones ask you to connect dots on a nine-dot grid: easy, plenty of combinations, visual/tactile (touch to remember). Connecting more dots generates more combinations.
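To put a number on the nine-dot patterns, here is an added example (not from the article) that counts Android-style unlock patterns by depth-first search under the usual rule that a stroke may not jump over a dot it has not yet visited. The counts show that longer patterns have more combinations, and that a four-dot pattern has fewer than a four-digit PIN. The grid indexing and the skip-over rule as implemented here are the standard ones for this lock, assumed rather than taken from any vendor code.

```python
"""Count nine-dot unlock patterns of a given length.

Added example, not from the article. Dots are numbered 0..8 row by row:
    0 1 2
    3 4 5
    6 7 8
Rule assumed: a straight stroke between two dots that passes over a third
dot's centre may only do so if that dot is already part of the pattern.
"""
from functools import lru_cache


def skipped_dot(a: int, b: int):
    """Dot lying exactly between a and b on a straight line, or None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


@lru_cache(maxsize=None)
def _extend(current: int, used: int, remaining: int) -> int:
    """Ways to add `remaining` more dots after `current`; `used` is a bitmask."""
    if remaining == 0:
        return 1
    total = 0
    for nxt in range(9):
        if used & (1 << nxt):
            continue  # each dot may appear once
        mid = skipped_dot(current, nxt)
        if mid is not None and not used & (1 << mid):
            continue  # would jump over an unvisited dot
        total += _extend(nxt, used | (1 << nxt), remaining - 1)
    return total


def count_patterns(length: int) -> int:
    """Patterns connecting exactly `length` distinct dots (phones allow 4..9)."""
    if not 1 <= length <= 9:
        return 0
    # Symmetry: the four corners are interchangeable, as are the four edge-centres.
    corner = _extend(0, 1 << 0, length - 1)
    edge = _extend(1, 1 << 1, length - 1)
    centre = _extend(4, 1 << 4, length - 1)
    return 4 * corner + 4 * edge + centre


def main() -> None:
    for n in range(4, 10):
        print(f"{n} dots: {count_patterns(n):>8,} patterns")
    print(f"all 4-9 dot patterns: {sum(count_patterns(n) for n in range(4, 10)):,}")
    print(f"a four-digit PIN: {10 ** 4:,} combinations")


if __name__ == "__main__":
    main()
```

The memoisation on (current dot, visited set, dots remaining) keeps the search to a few thousand states, so the full table is instant; without it the same count is a plain exhaustive walk, which is exactly what a patient attacker with a stolen phone does.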
Follow good password practices
Never share your password. Avoid using non-secure networks at public places to send private information. Change your password after using a non-secure network, and change it frequently. Never store your password in a program. “I use LastPass, a password manager and form-filler,” says Mahesh, “and a secure operating system like Linux. All codes are out in the open, so it is easier to review.” Mmmm... will you consider becoming a hacktivist? If you do, let me know.
Geeta Padmanabhan, TH 130327
http://www.thehindu.com/sci-tech/technology/protect-your-password/article4554319.ece