When it comes to hard drive encryption software like AlertBoot, passwords are like butter on bread: you just have to have it. And, as most data security professionals will tell you, the more complicated it is, the better the password.
Or is it a better password? A reporter for Newsweek visited the CyLab at Carnegie Mellon University where students and researchers are looking into a field that's called "usable security," where computer science and psychology blend in (a "human factors" field for the digital era, I guess). Essentially, they're investigating how to secure stuff without using passwords, be it encryption software or just a plain old door to a room. The stuff they do sounds quite neat:
... toys that can read a person's fingerprint from across the room, reverse-engineer a 3-D model of a face from a simple 2-D snapshot, and recognize a moving iris at 13 meters. Nearly every gadget here would give a civil libertarian a stroke.
All of the above, of course, would allow real-time monitoring of a person's identity, ensuring a higher level of security. For example, and this is from my own imagination, it could be used to deny entrance to a room with sensitive paper files: even if you have the key to the door, the keyhole won't appear because the door "knows" that you shouldn't have access to the room in the first place. Or, it does give you access to the keyhole, but it also calls the cops.
Yep, crazy stuff that would give civil libertarians a stroke and then some. But, even more important may be their findings on what doesn't work.
Crazy Complex Passwords Don't Necessarily Work
One of the things the researchers at CMU know is that passwords are here to stay for the foreseeable future. While their toys include stuff like biometric scanners, these are not ready for primetime. Fingerprint scanners on laptops are "novelties," voice authentication is unreliable, and the stuff that does work, like iris scanners, are too expensive. If anything, they'd be a pain to install on laptops.
Passwords, on the other hand, are simple and cheap...and, in my opinion, reliable if well thought out. However, common rules of thumb are constantly shown to be less secure than one thinks: mnemonic passwords, for instance, aren't as secure as they seem.
What's a mnemonic password? It's when you take the first letter of each word in a phrase and use the resulting string as a password: "you've been owned, sucka" would result in "ybos." (It's the same idea behind WWJD, for "What Would Jesus Do?") Obviously, the longer the phrase, the longer the password.
Problem: attackers know that people generate passwords this way, and people tend to reach for the same phrases (song lyrics, movie quotes, slogans). So the attacker doesn't guess letters; they collect well-known phrases, turn each one into its mnemonic, and try those first. CyLab looked into the issue and found that they could crack 4% of such passwords. I should note, they were only testing an instance where 100% of the passwords were generated in such a form. In the real world, where all types of passwords exist, the number would be much lower than 4%, since a mnemonic dictionary only hits the mnemonic passwords. On the other hand, successful attempts at cracking passwords in general would probably be much higher than 4%.
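As an added example (not code from the original post or from AlertBoot), here is the attack that CyLab's finding describes, in Python. The phrase corpus, the word-swap table and the "stolen" hashes are all constructed for the demo; a real attacker scrapes a far larger phrase list, and a real password store uses a salted, slow hash, which raises the cost per guess but does not change the dictionary.

```python
"""Mnemonic-password dictionary attack (added example).

The attacker does not guess letters; they model how the password was made:
take well-known phrases, apply the first-letter rule plus the substitutions
people commonly mix in, and try the results against the stolen hashes."""
import hashlib
import re

# Constructed stand-in for the phrase corpus an attacker would scrape
# (lyrics, quotes, slogans); a real list runs to hundreds of thousands.
COMMON_PHRASES = [
    "what would jesus do",
    "you've been owned, sucka",
    "to be or not to be, that is the question",
    "i want to hold your hand",
    "may the force be with you",
    "four score and seven years ago",
    "the quick brown fox jumps over the lazy dog",
]

# Word-to-symbol swaps mnemonic users commonly apply ("to" -> "2", "and" -> "&").
WORD_SUBS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
             "and": "&", "you": "u", "are": "r", "one": "1", "seven": "7"}


def mnemonic(phrase: str, subs: bool = False, keep_punct: bool = False) -> str:
    """First character of each word; optionally word swaps and trailing punctuation.

    mnemonic("you've been owned, sucka") -> "ybos"
    """
    out = []
    for token in phrase.split():
        word = re.sub(r"[^a-z']", "", token.lower())
        if not word:
            continue
        out.append(WORD_SUBS[word] if subs and word in WORD_SUBS else word[0])
        if keep_punct and token[-1] in ",.!?":
            out.append(token[-1])
    return "".join(out)


def candidates(phrase: str):
    """Every variant of one phrase the attacker tries: with/without swaps and
    punctuation, and the three capitalisation patterns people actually use."""
    seen = set()
    for subs in (False, True):
        for punct in (False, True):
            base = mnemonic(phrase, subs, punct)
            for variant in (base, base.upper(), base.capitalize()):
                if variant not in seen:
                    seen.add(variant)
                    yield variant


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 keeps the demo simple; a salted, slow hash changes the
    # cost per guess, not the dictionary the attacker builds.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample of stolen hashes: six mnemonic-derived passwords, two not.
SAMPLE_PASSWORDS = ["ybos", "WWJD", "2bon2btitq", "Mtfbwy", "tqbfjotld",
                    "iwthyh", "hunter2", "correct horse"]
STOLEN_HASHES = {sha256_hex(p) for p in SAMPLE_PASSWORDS}


def crack(stolen_hashes: set, phrases: list) -> dict:
    """Map each recovered hash to the password that produced it."""
    found = {}
    for phrase in phrases:
        for guess in candidates(phrase):
            digest = sha256_hex(guess)
            if digest in stolen_hashes:
                found[digest] = guess
    return found


if __name__ == "__main__":
    hits = crack(STOLEN_HASHES, COMMON_PHRASES)
    print(f"cracked {len(hits)} of {len(STOLEN_HASHES)}: {sorted(hits.values())}")
```

Run stand-alone, it recovers the six mnemonic passwords and misses the two that weren't built from a phrase, which is the point of the caveat above: the hit rate of this dictionary depends on how many of the targets were made the way it assumes.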
Complex Password? Get Around It With Phishing

The length, complexity, and other aspects of password security, however, become a moot point against a different class of attack. Why? Phishing. People constantly fall for phishing scams, in which the user hands over the real password without realizing it. Close behind, I'm sure, are trojans that install malware such as keystroke loggers.

How much more security does an incredibly long and complex password provide if most passwords are stolen in ways that don't require any guessing at all? None.

And yet, if you want to appear security-minded, you keep asking for those complex passwords. Which brings up the point of those "security questions" for resetting passwords.

Companies like Google--which have hundreds of millions of users and couldn't possibly field every request to reset a forgotten password (you know, because they're so complex)--use security questions to verify that you own an account before resetting its password. You know what the problem with that is? People can guess the answers, and more easily than they can guess passwords. In other words, you've just made the overall system less secure (a chain is only as strong as its weakest link, right?)

True story: I found out that I can't gain access to a Yahoo! Mail account because I don't remember the password. I can answer the challenge questions but, alas!, they're requiring that I gain access to an old e-mail account (not Yahoo!'s) that I used to initially register with Yahoo! Mail. The ISP with that old e-mail account went kaput.
Some Suggestions For Creating Passwords

There are many ways of creating relatively secure passwords that won't lead to your pulling your hair out. The mnemonic password described above works well if you combine it with something else. Other methods:

- If you're a touch-typist, shifting every key by one row or column works wonders. "iloveyou" becomes "o;pbrupi," for example.
- Take two words and add them together, but place numbers and special characters in between. Spell one of the two words backwards. Or go with three or more words, with numbers and special characters between each word.
- Misspell a phrase. It's the reason why so many hackers of yore went around typing "HaX0rz r k3w1" (Hackers are cool). It wasn't so much to hide what they were doing. Rather, the purpose was to beat government computers that were programmed to flag on-line correspondence containing certain key words.

One caveat applies to all of these, and it's the same one that applied to mnemonics: any transformation you can describe in a sentence, an attacker can write as a cracking rule and apply to every word in a dictionary. Shifting keys, swapping letters for digits, reversing a word, or sticking "123" between two words multiplies the attacker's work by a small constant; adding another word, or another few characters, multiplies it by far more. The tricks are a fine way to make a password memorable, but it's the length that makes it hard to guess.
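To show why the tricks above add less than length does, here is an added example (not code from the original post or from AlertBoot) written from the cracker's side in Python. It implements the keyboard shift, a leet substitution, word reversal and word joining as generation rules, and counts how many candidates each produces from a base wordlist; the wordlist, the separator list and the leet table are assumptions for the demo, and the keyboard rows are US QWERTY.

```python
"""Rule-based candidate generation for the tricks in this section (added example).

Written from the cracker's side: a keyboard shift, a leet substitution, a
reversed word, or a separator between two words is a rule, and rules are
cheap to apply to every entry in a wordlist."""
import itertools

# US QWERTY rows, left to right, as a touch-typist's fingers see them.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
# Assumed (small) leet table and separator list; real rule sets are larger.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SEPARATORS = ["", "1", "12", "123", "!", "@", "#", "_", "-", "."]


def keyboard_shift(text: str, offset: int = 1) -> str:
    """Move each character along its keyboard row: 'iloveyou' -> 'o;pbrupi'.
    offset=-1 undoes it, which is all the attacker needs."""
    out = []
    for ch in text:
        for row in ROWS:
            i = row.find(ch.lower())
            if i != -1 and 0 <= i + offset < len(row):
                out.append(row[i + offset])
                break
        else:
            out.append(ch)  # space, or shifted off the end of a row: unchanged
    return "".join(out)


def leet(text: str) -> str:
    """'hackers' -> 'h4ck3r5'."""
    return "".join(LEET.get(c.lower(), c) for c in text)


def joined(words, n: int):
    """Every way to glue n words together with a separator between each pair."""
    for combo in itertools.product(words, repeat=n):
        for seps in itertools.product(SEPARATORS, repeat=n - 1):
            yield "".join(w + s for w, s in zip(combo, seps + ("",)))


def search_space(words, max_words: int) -> set:
    """All candidates an attacker derives from a base wordlist with these rules:
    reversed words, 1..max_words words joined, then capitalised, leet and
    keyboard-shifted variants of each."""
    base = sorted(set(words) | {w[::-1] for w in words})   # "spell one backwards"
    space = set()
    for n in range(1, max_words + 1):
        for p in joined(base, n):
            space.update((p, p.capitalize(), leet(p), keyboard_shift(p)))
    return space


def is_guessable(target: str, words, max_words: int = 3) -> bool:
    """True if the rules regenerate the target from the base wordlist."""
    return target in search_space(words, max_words)


if __name__ == "__main__":
    words = ["i", "love", "you", "dog"]
    for n in (1, 2, 3):
        print(n, "words ->", len(search_space(words, n)), "candidates")
    print("o;pbrupi guessable:", is_guessable("o;pbrupi", words))
```

Each variant rule multiplies the candidate count by at most four here, while going from two words to three multiplies it by the wordlist size times the separator count. That is the arithmetic behind "don't make it short": the attacker pays for every extra word you add, and only a little for every trick.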
The list of methods and theories behind creating secure passwords is a long and varied one. The key principles, though, are pretty similar: don't make it simple (doesn't mean it has to be crazy complex...but it shouldn't be "password" or "dog," either), don't make it short, and don't make it personal. Make it yours, but don't use personal information as part of the password.
If you follow the above rules, you should have a pretty good password for your encrypted files. Especially if the encryption program restricts how many times the wrong password can be entered (i.e., guesses by unauthorized people). One caveat, though: that limit is only worth something if it's enforced somewhere the attacker can't get around it, such as a server's login prompt or a hardware token. Someone who has copied your encrypted drive never talks to your encryption program; they run guesses against the copy with their own tools, at whatever speed their hardware allows, and no counter stops them. What slows them down there is the work the software does to turn your password into a key, which is one more reason the password itself has to be long.
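The difference between the program's front door and an attacker working on a copy, as an added example (not code from the original post, and not AlertBoot's implementation) in Python. The volume header, its verifier construction and the iteration count are assumptions chosen for the demo; the key-stretching step itself is standard PBKDF2-HMAC-SHA256 from the Python standard library.

```python
"""Lockout counter vs. offline guessing (added example).

The program that opens the encrypted volume can refuse to answer after a few
wrong passwords.  An attacker who has copied the volume never talks to that
program: they run the same key derivation themselves, as fast as their
hardware allows.  The only thing that costs them is the derivation work."""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000          # assumed count, kept low so the demo runs in seconds


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the stretching step a disk-encryption tool performs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def verifier_for(key: bytes) -> bytes:
    """What the tool stores to recognise the right key without storing the key
    (assumed construction for the demo)."""
    return hmac.new(key, b"volume-key-check", "sha256").digest()


def make_volume_header(password: str, iterations: int = ITERATIONS) -> dict:
    """Constructed stand-in for the header a volume carries: salt, iteration
    count and verifier.  Nothing in it counts attempts."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "verifier": verifier_for(derive_key(password, salt, iterations))}


class LockedUnlocker:
    """The program's front door: stops answering after max_attempts failures."""

    def __init__(self, header: dict, max_attempts: int = 5):
        self.header, self.max_attempts, self.failures = header, max_attempts, 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def unlock(self, password: str) -> bool:
        if self.locked:
            raise RuntimeError("locked out")
        key = derive_key(password, self.header["salt"], self.header["iterations"])
        if hmac.compare_digest(verifier_for(key), self.header["verifier"]):
            self.failures = 0
            return True
        self.failures += 1
        return False


def offline_guess(header: dict, wordlist) -> tuple:
    """Attacker's loop over a copied header: no lockout exists here.
    Returns (password, guesses_made), or (None, guesses_made)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        key = derive_key(guess, header["salt"], header["iterations"])
        if hmac.compare_digest(verifier_for(key), header["verifier"]):
            return guess, tried
    return None, tried


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measured cost of one derivation; raising iterations is the only lever
    the defender has against the offline loop."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    header = make_volume_header("ybos")
    door = LockedUnlocker(header, max_attempts=3)
    for guess in ("password", "dog", "hunter2"):
        door.unlock(guess)
    print("front door locked:", door.locked)          # True: the program stops answering
    wordlist = [f"guess{i}" for i in range(30)] + ["ybos"]
    print("offline:", offline_guess(header, wordlist))  # the copy answers every guess
    for n in (ITERATIONS, ITERATIONS * 10):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

The front door locks after three failures, yet the same header handed to `offline_guess` answers thirty-one guesses without complaint. The last loop shows the one thing that does cost the attacker: tenfold iterations mean roughly tenfold time per guess, and a longer password means far more guesses.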
Related Articles and Sites: http://www.newsweek.com/id/217014