PRESENT TECHNOLOGY OFFERS NO MORE EXCUSES FOR WEAK PASSWORD SCHEMES

by | Feb 1, 2006 | Ideas & Insights

As a computer security consultant, the question I am plagued with most often by people using various Internet services is “How do I prevent someone from hacking my accounts?” and I think to myself, this cannot be a legitimate question.

There are a number of products available (most of which you can obtain absolutely free of charge) that not only store your password on your local machine, but can also suggest a cipher strong enough to make penetrating it absolutely impossible.

Case in point: let’s assume for a moment that you are a member of the Yahoo community and use Yahoo Instant Messenger and Yahoo Chat on a religious basis. Yahoo, contrary to popular belief, is a very security-conscious service; the problem is that people cause it to be weak.

Yahoo lets a person create an alphanumeric password of up to 26 characters, and it also allows extended ASCII characters such as brackets, underscores and spaces. However, the human mind can, on average, recite from memory only a simple alphanumeric password of up to 8 characters in length.

That’s why people should use a password manager such as KeePass Password Safe, an open source project that you can obtain for Windows by visiting http://keepass.sourceforge.net. This product not only stores your chosen password with 128-bit encryption on the local computer, it also has a built-in password generator that tests the strength of the passwords you wish to use to secure your online accounts.

The second tier of Yahoo security (since we are using that as our example) is the ability to secure accounts using the security question feature. The problem again lies in how easily an individual can be social engineered into revealing information that could be used to crack a Yahoo account or any number of other online accounts.

To make your accounts completely immune to brute force cracking attempts, you only have to use your password manager (Password Safe in my example) to generate a random alphanumeric character string in place of the legitimate answer to the security question. For example:

Security Question: What is your mother’s maiden name?

Instead of using the legitimate last name of “Smith”, “Jones”, or whatever the answer may be, I would instead use something like:

Answer: 1xz9-56gy-0pgv-2rh8-i3n7-Q4w6-3fT4

That is a 34-character string that no intruder will be able to penetrate without some sort of key logging device, making cracking this account now impossible. The beauty lies in the fact that you don’t even have to remember the answer: you can simply add another entry to your password keeper (I personally prefer Password Safe because it lets me copy and paste my entries directly into my applications) and call it up whenever it’s needed.
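One way to produce an answer in the same layout as the sample above, added here as an example and not taken from Password Safe, KeePass or the original article. It assumes the 7-groups-of-4 format shown, uses Python's `secrets` module as the random source, and all function names are hypothetical.

```python
import math
import secrets
import string

# Assumption: mixed-case letters and digits, the character classes
# that appear in the sample answer above (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def generate_answer(groups=7, group_len=4, sep="-"):
    """Return a random grouped answer drawn from the OS CSPRNG."""
    if groups < 1 or group_len < 1:
        raise ValueError("groups and group_len must be positive")
    return sep.join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def is_wellformed(answer, groups=7, group_len=4, sep="-"):
    """Check that a stored answer still has the expected layout,
    e.g. after copy and paste through a form that may truncate it."""
    parts = answer.split(sep)
    return len(parts) == groups and all(
        len(p) == group_len and all(c in ALPHABET for c in p) for p in parts
    )


def entropy_bits(random_chars, alphabet_size=len(ALPHABET)):
    """Entropy in bits of random_chars symbols chosen uniformly.
    Fixed separators are predictable and are not counted."""
    return random_chars * math.log2(alphabet_size)


if __name__ == "__main__":
    answer = generate_answer()
    print(answer, "length:", len(answer))
    # 28 random characters in the grouped answer versus an
    # 8-character alphanumeric password chosen at random.
    print("grouped answer: %.1f bits" % entropy_bits(7 * 4))
    print("8-char password: %.1f bits" % entropy_bits(8))
```

Only the 28 random characters contribute to the estimate; the six hyphens make the string easier to read back but add nothing an attacker has to guess.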

There is no reason passwords should ever be our weakest link in computer security, not with the existing technology that we can access and utilize with ease.

Bill Matherly is a computer security consultant who currently resides in Oklahoma. If you have any questions, comments or concerns, you can email him at bi**************@gm***.com