Stump the geeks

Passwords are still security’s weakness

Correspondent, March 19, 2012

Last time we caught up with our team of geeks-in-residence, our discussion about wireless network security ended with an obvious step: the importance of selecting good passwords.

But despite all the preaching by information technology professionals, even power users don’t often follow habits that can help keep systems safe. According to IT firm Trustwave’s 2012 Global Security Report, released last month, weak passwords were responsible for 80 percent of the security breaches the study examined at both small and large organizations.

Bill Chu, chair of the department of software and information systems at UNC Charlotte, said the most common method for hackers to crack passwords is by using dictionary attacks, which try commonly used patterns to infiltrate a system.

Trustwave’s analysis of 2.5 million passwords showed users aren’t always making things hard to guess. “Password1” was the most common, and the words “password” and “welcome” appeared in more than 6 percent of the sample.

To avoid dictionary attacks, Chu said users should avoid common names and words and mix up a minimum eight-character password with upper- and lower-case letters, numbers and special characters.

And as common as it is, substituting numbers and special characters in place of similar letters doesn’t really count as adding complexity.

“Unfortunately substituting ‘3’ for ‘e,’ for example, is an old trick and it is not as effective as choosing numbers not based on that strategy,” Chu said.

Choosing complex passwords won’t necessarily stop brute-force password crackers, which try all possible character combinations on systems that don’t limit the number of attempted log-ins. Against these attacks, Trustwave’s report points out that length is the way to go, since each additional character multiplies the number of possible password combinations, so the total grows exponentially with length.

In cases where your system allows greater password length, Chu says pass phrases – chains of unrelated words – can be particularly effective. They’re easier to remember than a jumbled mess of characters, and the longer they are, the better.
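To make the two points above concrete (substitutions such as “3” for “e” add little, while length and passphrases add a lot), here is a small password-policy check written for this column; it is not code from the column, from Trustwave or from the experts quoted. It undoes common letter substitutions before consulting a blocklist, so “P@ssw0rd” is treated as “password,” and it estimates the brute-force keyspace in bits for a character password versus a passphrase. The blocklist, the substitution table and the 7,776-word dictionary size are constructed for illustration.

```python
import math
import re

# Constructed blocklist: the entries the column cites plus a few obvious
# variants; a real check would load a large leaked-password list instead.
COMMON_PASSWORDS = {"password", "welcome", "password1", "p@ssw0rd", "letmein"}

# Reverse "leet" substitutions (assumed table): undoing them before the
# dictionary lookup is why "P@ssw0rd" scores no better than "password".
LEET_TO_LETTER = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o",
                                "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})

# Character classes and the pool size each one adds to a brute-force search.
CLASS_POOLS = [(re.compile(r"[a-z]"), 26), (re.compile(r"[A-Z]"), 26),
               (re.compile(r"[0-9]"), 10), (re.compile(r"[^a-zA-Z0-9]"), 33)]

def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/symbols, undo leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())  # "Password1" -> "password"
    base = base.translate(LEET_TO_LETTER)             # "p@ssw0rd"  -> "password"
    return re.sub(r"[^a-z]+$", "", base)

def brute_force_bits(password: str) -> float:
    """log2 of the keyspace a brute-forcer must cover: pool ** length."""
    pool = sum(size for pattern, size in CLASS_POOLS if pattern.search(password))
    return len(password) * math.log2(pool) if pool else 0.0

def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Bits for a passphrase of word_count words drawn from dictionary_size words."""
    return word_count * math.log2(dictionary_size)

def assess(password: str, blocklist=COMMON_PASSWORDS) -> dict:
    """Policy check: dictionary test first, then the eight-character minimum."""
    dictionary_hit = normalize(password) in blocklist
    if dictionary_hit:
        verdict = "reject: dictionary word, possibly disguised by substitutions"
    elif len(password) < 8:
        verdict = "reject: shorter than eight characters"
    else:
        verdict = "accept"
    return {"bits": round(brute_force_bits(password), 1),
            "dictionary_hit": dictionary_hit, "verdict": verdict}

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Password1", "tangerine fog lantern moss"):
        print(candidate, assess(candidate))
    # Four words from an illustrative 7,776-word list, for comparison with 8 characters.
    print("4-word passphrase:", round(passphrase_bits(4, 7776), 1), "bits")
```

Eight characters drawn from all 95 printable classes give about 52.6 bits against a pure brute-force search, but the dictionary check rejects “P@ssw0rd” regardless; the four-word passphrase scores about 51.7 bits even when the attacker knows the word list, and far more when they don’t.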

Jeff Crume, distinguished engineer and IT security architect at IBM, also says passwords should be unique for each site and system and changed regularly, limiting any damage in case of an issue.

But keeping up with such guidelines isn’t easy. Crume has hundreds of passwords – an impossible number for many to manage.

“All this is to make the password hard to guess,” Crume said. “The problem is that things that are hard to guess often tend to be hard to remember, which is why people naturally bristle at such guidance.”

The result is that users select passwords just complex enough to slide in under an IT administrator’s requirements – and “P@ssw0rd” ends up in Trustwave’s top-25 list.

One solution Crume uses is password storage and single sign-on software, which helps users generate passwords and keep them locked in a vault of sorts.

“I have literally hundreds of passwords – all unique and none that I actually know. But with tools like these, I only need to keep up with the one password that unlocks the tool and it keeps up with the rest,” Crume said.

There are several options, both free and paid, but Crume’s had success with a free program called Password Safe (passwordsafe.sourceforge.net/), which is open source and available at SourceForge.net.

Your solution may vary depending on the number of systems you use and how comfortable you are with risk, but it’s important not to dismiss good password practices as arbitrary or unnecessary.

There are countless ways protecting your private information is out of your control. But by eliminating human error with a few basic steps, you can take ownership of making your data much safer.

Send technology questions to stumpthegeeks@newsobserver.com. Please include your name, city and daytime phone number. Sorry, we can’t answer every question.
