• Categories

  • Archives

    « Home

    New York Times: A Strong Password Isn’t the Strongest Security

    The New York Times takes a look at other tech vulnerabilities, besides insecure passwords:

    Some computer security experts are advancing the heretical thought that passwords might not need to be “strong,” or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats.

    Here’s one threat to keep you awake at night: Keylogging software, which is deposited on a PC by a virus, records all keystrokes — including the strongest passwords you can concoct — and then sends it surreptitiously to a remote location. […]

    Donald A. Norman, a co-founder of the Nielsen Norman Group, a design consulting firm in Fremont, Calif., makes a similar case. In “When Security Gets in the Way,” an essay published last year, he noted the password rules of Northwestern University, where he then taught. It was a daunting list of 15 requirements. He said unreasonable rules can end up rendering a system less secure: users end up writing down passwords and storing them in places that can be readily discovered. […]

    A short password wouldn’t work well if an attacker could try every possible combination in quick succession. But as [security researchers Cormac Herley and Dinei Florêncio] note, commercial sites can block “brute-force attacks” by locking an account after a given number of failed log-in attempts. “If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.” […]

    Roger A. Safian, a senior data security analyst at Northwestern, says that unlike Amazon, the university is unfortunately vulnerable to brute-force attacks in that it doesn’t lock out accounts after failed log-ins. The reason, he says, is that anyone could use a lockout policy to try logging in to a victim’s account, “knowing that you won’t succeed, but also knowing that the victim won’t be able to use the account, either.” (Such thoughts may occur to a student facing an unwelcome exam, who could block a professor from preparations.)

    One Response to “New York Times: A Strong Password Isn’t the Strongest Security”

    1. Judy Says:

      What about keystroke dynamics? Keystroke software such as Authenware protects your privacy, allows you to continue using your basic passwords and circumvents Keylogging software.

    Leave a Reply