Don't you just love how computer security is portrayed on TV and in movies? A former hacker, now turned good-guy consultant to a police department, uses his bag of tech tricks to break into a bad guy's computer. Or someone who has incriminating evidence hidden on his or her PC rushes to a wall safe to retrieve a little black book that contains access codes and passwords.
When it comes to communication, network, PC, and Internet security, nasty things can and do happen. Security is a growing concern, and spending for computer protection is on the rise. And considering the insurance industry's interest in terrorism-related issues, computer security is something that should not be overlooked.
It starts with a password
Computer users everywhere know that entering a password is what provides access. Depending on what the user needs access to, a dozen or more passwords might be necessary. It's no wonder, then, that users want to keep things simple. But that's where the problem starts. Birthdays, pets' names, kids' names, and a host of other personal information are easy to remember. But from a hacker's point of view, that's an obvious place to begin. Finding one piece of personal information leads to another piece of personal information, and so on.
When choosing a password, the trick is to create a password that is highly un-guessable. But even that is not a guarantee. Hackers use all sorts of programs to unscramble what appears to be a randomly generated series of numbers and letters. Remember, everything a computer does has to do with generating, sorting, and retrieving strings of numbers. It's just a matter of time. For serious hackers who want something badly enough, time is on their side.
Then, too, normally prudent computer users go to the trouble of choosing a good password, but sometimes (many times, actually) fail to protect it. Witness the Post-it notes attached to their computer monitors, or the small booklet next to their telephone, or the folded piece of paper sticking out of their Rolodex.
How easily can hackers break in?
Rob Lemos, a staff writer for CNET News.com, says that hackers can crack most passwords in under a minute. That's scary, especially in view of the preponderance of poorly chosen and easily decipherable three- and four-character passwords.
Lemos dramatizes the ease of breaking into an organization's computers by citing a security audit performed for a regional health care company. Once the security firm retrieved the password file, the company then used a password finder program called "John the Ripper." In about an hour the program spat out 30 percent of the passwords for the nearly 10,000 accounts listed.
Building a better password
Security experts generally agree on the same dos and don'ts for creating good passwords (see box). The basic idea is to create something un-guessable, at least eight characters long, but easily remembered by the user. That could be a tall order, especially when one study found that nearly 32 percent of passwords are four characters or fewer.
Why an eight-character password? According to Lemos, "There are more than 6.6 quadrillion different eight-character passwords using the 95 printable ASCII characters. Though some password-cracking programs can test nearly 8 million combinations every second on the latest Pentium 4 processor, breaking an eight-character password would still take more than 13 years on average."
Better passwords can be built by including both upper- and lower-case letters and symbols, such as E7%2h9b$5, though that probably wouldn't be easily remembered unless it was significant for a particular individual.
One suggestion might be to alter the combination of letters and numbers of something familiar, such as an address. Let's use Denver 80120. One possibility might be r0E2v1N0e8D. It appears random enough. It's more than eight characters (11 characters) long. If you detected the pattern (Denver spelled backward; the ZIP backward; alternating between upper- and lower-case letters), that could be something easy to remember.
But while the rationale for this fictitious password seems plausible enough, it might take some time to commit it to memory. Some experts also recommend choosing a password that can be easily typed without having to look at the keyboard. That sounds good, but many people aren't totally error-free when it comes to keyboarding. Also, most respond to positive visual feedback, but when entering passwords, you only see ••••••••, which isn't very helpful.
So, when developing good passwords, take some time. It's worth it. The references listed below offer ideas and insight.
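The arithmetic behind the eight-character figure quoted above, as an added example that is not part of the original article: it generalizes the calculation to any length and character mix, using the article's 95-character alphabet and 8-million-guesses-per-second rate. It assumes every character is chosen independently at random and the attacker searches exhaustively, so for patterned or dictionary-based passwords the result is only an upper bound; the function names are illustrative.

```python
import string

GUESSES_PER_SECOND = 8_000_000      # rate quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The four classes below add up to the 95 printable ASCII characters.
CLASSES = {
    "lower": string.ascii_lowercase,        # 26
    "upper": string.ascii_uppercase,        # 26
    "digit": string.digits,                 # 10
    "symbol": string.punctuation + " ",     # 33
}

def alphabet_size(password):
    """Combined size of every character class the password draws from."""
    known = "".join(CLASSES.values())
    if not password or any(c not in known for c in password):
        raise ValueError("expected a non-empty printable-ASCII password")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(alphabet, length):
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet ** length

def average_crack_seconds(alphabet, length, rate=GUESSES_PER_SECOND):
    """Exhaustive search hits a random password after half the keyspace."""
    return keyspace(alphabet, length) / 2 / rate

def estimate(password, rate=GUESSES_PER_SECOND):
    """Upper-bound estimate for one password, in seconds and years."""
    size = alphabet_size(password)
    seconds = average_crack_seconds(size, len(password), rate)
    return {"alphabet": size, "length": len(password),
            "seconds": seconds, "years": seconds / SECONDS_PER_YEAR}

if __name__ == "__main__":
    # Random passwords over all 95 characters, lengths 3 to 8.
    for n in range(3, 9):
        print(n, keyspace(95, n), f"{average_crack_seconds(95, n):.3g} s")
    # The article's two sample passwords, plus a constructed 4-digit PIN.
    for pw in ("E7%2h9b$5", "r0E2v1N0e8D", "1234"):
        print(pw, estimate(pw))
```

At the quoted rate, a four-character password over the full 95-character set falls in about five seconds on average, which is why length matters more than any single clever substitution.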
Passwords and security: a management issue
In today's automated agency there may be dozens or hundreds of passwords in use, most of which are unknown. That's the way it should be. But because they are unknown, you also have no way of knowing how good or bad they are and how vulnerable you might be.
Because of the potential compromise or loss of important electronically handled and stored information, agencies need to be concerned with security. That's everybody's responsibility, of course, but it starts with management and filters through the entire organization. Security experts seem to agree that passwords, or lack of good ones, are the Achilles' heel in most technology-dependent organizations.
Consider developing password procedures as part of an overall technology security plan. Take time to become familiar with security issues. Become generally familiar with what your systems administrator does and what security procedures are already in place. Insist on specific password development how-tos, frequency of password changes, and individual passwords for each access.
Considering the potential threats to your vital technology resources, security is an issue that cannot be ignored.
Resources
news.com
zdnet
microsoft
alw.nih.gov
© Copyright 2003 by Sound Internet Strategy. All rights reserved