READING PRACTICE SECTION. AT THIS time of the year, your correspondent crosses the Pacific to Japan for a month or so

Passwords aplenty How to stay sane as well as safe while surfing the web

AT THIS time of the year, your correspondent crosses the Pacific to Japan for a month or so. He repeats the trip during the summer. He considers it crucial in order to keep abreast of all the ingenious technology which, once debugged by the worlds most acquisitive consumers, will wind up in American and European shops a year or two later.

Each time he packs his bags, though, he is embarrassed by having to include a dog-eared set of notes that really ought to be locked up in a safe. This is his list of logons and passwords for all the websites he uses for doing business and staying in touch with the rest of the world. At the last count, the inch-thick list accumulated over the past decade or soyour correspondents sole copyincludes access details for no fewer than 174 online services and computer networks.

He admits to flouting the advice of security experts: his failings include using essentially the same logon and password for many similar sites, relying on easily remembered wordsand, heaven forbid, writing them down on scraps of paper. So his new years resolution is to set up a proper software vault for the various passwords and ditch the dog-eared list.

Your correspondents one consolation is that he is not alone in using easily crackable words for most of his passwords. Indeed, the majority of online users have an understandable aversion to strong, but hard-to-remember, passwords. The most popular passwords in Britain are 123 followed by password. At least people in America have learned to combine letters and numbers. Their most popular ones are password1 followed by abc123.

Unfortunately, the easier a password is to remember, the easier it is for thieves to guess. Ironically, the oppositethe harder it is to remember, the harder it is to crackis often far from true. That is because, not being able to remember long, jumbled sets of alphanumeric characters interspersed with symbols, people resort to writing them down on Post-it notes left lying around the office or home for all and sundry to see.

Apart from stealing passwords from Post-it notes and the like, intruders basically use one of two hacks to gain access to other peoples computers or networks. If time and money is no problem, they can use brute-force methods that simply try every combination of letters, numbers and symbols until a match is found. That takes a lot of patience and computing power, and tends to be the sort of thing only intelligence agencies indulge in.

A more popular, though less effective, way is to use commercial software tools such as L0phtCrack or John the Ripper that can be found on the internet. These use dictionaries, lists of popular passwords and rainbow tables (lookup tools that turn long numbers computed from alphanumeric

characters back into their original plain text) to recover passwords.

According to Bruce Schneier, an independent security expert, todays password crackers can test tenseven hundredsof millions of passwords per second. In short, the vast majority of passwords used in the real world can be guessed in minutes. And do not think you are being smart by replacing the letters l or i in a password with the number 1; or the letter s with the number 5 or the symbol $. Cracking programs check all such alternatives, and more, as a matter of course.

What should you do to protect yourself? Choose passwords that are strong enough to make cracking them too time consuming for thieves to bother.

The strength of a password depends on its length, complexity and randomness. A good length is at least eight symbols. The complexity depends on the character set. Using numbers alone limits the choice to just ten symbols. Add upper- and lower-case letters and the complexity rises to 62. Use all the symbols on a standard ASCII keyboard and you have 95 to choose from.

The third component, randomness, is measured by a concept borrowed from thermodynamicsthe notion of entropy (the tendency for things to become disordered). In information theory, a tossed coin has an entropy of one bit (binary digit). That is because it can come down randomly in one of two equally possible binary states.

At the other extreme, when you set the encryption of a Wi-Fi link, you are usually given the choice of 64-bit or even 128-bit security. Those bit-numbers represent the entropy (or randomness) of the encryption used. A password with 64 bits of entropy is as strong as a string of data comprising 64 randomly selected binary digits. Put another way, a 64-bit password would require 2 raised to the power of 64 attempts to crack it by brute forcein short, 18 billion billion attempts. A 64-bit password was finally cracked in 2002 using brute-force methods. It took a network of volunteers nearly five years to do so.

The National Institute of Standards and Technology, the American governments standards-measuring laboratory in Gaithersburg, Maryland, recommends 80-bit passwords for state secrets and the like. Such security can be achieved using passwords with 12 symbols, drawn from the full set of 95 symbols on the standard American keyboard. For ordinary purposes, that would seem overkill. A 52-bit password based on eight symbols selected from the standard keyboard is generally adequate.

How to select the eight? Best to let a computer program generate them randomly for you. Unfortunately, the result will be something like 6sDt%k&3 that probably needs to be written down. One answer, only slightly less rigorous, is to use a mnemonic constructed from the first letters (plus contractions) of an easily remembered phrase like Murder Considered as One of the Fine Arts (MCa1otFA) or To be or not to be: that is the question (2Bo-2b:?).

Given a robust 52-bit password, you can then use a password manager to take care of the dozens of easily guessable ones used to access various web services. There are a number of perfectly adequate products for doing this. In an early attempt to fulfil his new years pledge, your correspondent has been

experimenting with LastPass, a free password manager that works as an add-on to the Firefox web browser for Windows, Linux or Macintosh. Versions also exist for Internet Explorer on Windows and Safari on the Mac.

Once installed and given a strong password of its own, plus an e-mail address, LastPass encrypts all the logons and passwords stored on your computer. So, be warned: forget your master password and you could be in troubleespecially if you have let the program delete (as it urges you to let it do) all the vulnerable logons and passwords on your own computer.

Thereafter, to visit various web services, all you have to do is log into LastPass and click the website you wish to check out. The tool then automatically logs you on securely to the selected site. It will even complete all the forms needed to buy goods online if you have stored your home address, telephone number and credit-card details in the vault as well.

Your correspondent looks forward to using the service while travelling around Japan over the next month or so. To be on the safe side, however, his dog-eared list of passwords will still go with him.

Read the comments to the article. Which comments do you agree with? Why? What would you write to comment it? Readers comments.

1. Nice article. I was really amused when i have found that people use word password as password or abc123.

2. Well I can say from my practice that even difficult passwords become easy ones when you repeat them all over and over!!! Well at least I don't have passwords for 174 web sites :))

3. You can always remember your password with password reminder. Especially when u r writing some crazy things.

4. Get a junk email address consisting of a decent handle and some numbers (we want something unique).

Use it as the username for all online accounts.

For the password, combine the end of the site's domain with a rubbish password: economist.comabc123

Voila: site unique, password checker friendly, easy to remember password.

5. Password accumulation is nearly inevitable these days. But just like keys for houses and cars, passwords can be a nuisance. And if a thief really wants to get in, he can just break a window, or hack the information. That's why people use hide-a-key boxes. A hide-a-key for passwords is a list, which can be electronic or paper-only. You can adjust your level of security by having only hard copies in code if you need lots of security, or, at the other extreme, emailing yourself password updates periodically so they are always easy to find. Or some middle ground.
What you can't do is use the internet a lot, and not have a method for storing passwords.

6. I must be missing something here. Surely if you can think of a super password to protect your password list then you might as well just use the super one for all sites, as once someone else knows it they will know all your other passwords too?!?


: 2014-11-13; : 121; !;

lektsii.com - . - 2014-2024 . (0.008 .)