Entries Tagged "passwords"


What Happens When the Court Demands You Decrypt a Document and You Forget the Key?

Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it. Now it seems that she’s forgotten the key.

What happens now? It seems as if this excuse would always be available to someone who doesn’t want the police to decrypt her files. On the other hand, it might be hard to realistically forget a key. It’s less credible for someone to say “I have no idea what my password is,” and more likely to say something like “it was the word ‘telephone’ with a zero for the o and then some number following—four digits, with a six in it—and then a punctuation mark like a period.” And then a brute-force password search could be targeted. I suppose someone could say “it was a random alphanumeric password created by an automatic program; I really have no idea,” but I’m not sure a judge would believe it.

Posted on February 13, 2012 at 5:20 AM

Password Sharing Among American Teenagers

Interesting article from the New York Times on password sharing as a show of affection.

“It’s a sign of trust,” Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. “I have nothing to hide from him, and he has nothing to hide from me.”

“That is so cute,” said Cherry Ng, 16, listening in to her friend’s comments to a reporter outside school. “They really trust each other.”

“We do,” said Ms. Carandang, 17. “I know he’d never do anything to hurt my reputation,” she added.

It doesn’t always end so well, of course. Changing a password is simple, but students, counselors and parents say that damage is often done before a password is changed, or that the sharing of online lives can be the reason a relationship falters.

Ethnologist danah boyd discusses what’s happening:

For Meixing, sharing her password with her boyfriend is a way of being connected. But it’s precisely these kinds of narratives that have prompted all sorts of horror by adults over the last week since that NYTimes article came out. I can’t count the number of people who have gasped “How could they!?!” at me. For this reason, I feel the need to pick up on an issue that the NYTimes let out.

The idea of teens sharing passwords didn’t come out of thin air. In fact, it was normalized by adults. And not just any adult. This practice is the product of parental online safety norms. In most households, it’s quite common for young children to give their parents their passwords. With elementary and middle school youth, this is often a practical matter: children lose their passwords pretty quickly. Furthermore, most parents reasonably believe that young children should be supervised online. As tweens turn into teens, the narrative shifts. Some parents continue to require passwords be forked over, using explanations like “because I’m your mother.” But many parents use the language of “trust” to explain why teens should share their passwords with them.

Much more in her post.

Related: a profile of danah boyd.

Posted on January 27, 2012 at 6:39 AM

Improving the Security of Four-Digit PINs on Cell Phones

The author of this article notices that it’s often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits.

Then he points out that if your PIN has only three different digits—1231, for example—the PIN can be one of 36 different possibilities.

So it’s more secure, although not much more secure.
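The counts above can be checked by enumeration. This is an added example, not code from the linked article; the function names are made up here, and it assumes the smudges reveal exactly which digits appear in the PIN but neither their order nor which one repeats. It goes one step beyond the post by also covering PINs with two or one distinct digits.

```python
from itertools import product
from math import comb


def candidate_pins(smudged_digits, length=4):
    """Enumerate every PIN of `length` that uses each smudged digit at least once."""
    digits = sorted(set(smudged_digits))
    return [
        "".join(p)
        for p in product(digits, repeat=length)
        if set(p) == set(digits)  # every smudged digit must appear in the PIN
    ]


def candidate_count(distinct_digits, length=4):
    """Same count in closed form, by inclusion-exclusion over the unused digits."""
    k = distinct_digits
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


if __name__ == "__main__":
    # Constructed smudge patterns: 4, 3, 2 and 1 distinct digits on the screen.
    for smudges in ("1234", "123", "12", "1"):
        pins = candidate_pins(smudges)
        assert len(pins) == candidate_count(len(smudges))
        print(f"{len(smudges)} smudged digit(s): {len(pins)} candidate PINs")
```

Three distinct digits is the maximum: dropping to two distinct digits leaves only 14 candidates, fewer than the 24 for four distinct digits.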

Posted on January 6, 2012 at 6:30 AM

Random Passwords in the Wild

Interesting analysis:

the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords-a rare opportunity to study this approach to password security.

Posted on October 20, 2011 at 6:25 AM

New Lows in Secret Questions

I’ve already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here’s a new one, courtesy of the National Archives: “What is your preferred internet password?” I have been told that Priceline has the same one, which implies that this is some third-party login service or toolkit.

Posted on September 8, 2011 at 6:14 AM

Unredacted U.S. Diplomatic WikiLeaks Cables Published

It looks as if the entire mass of U.S. diplomatic cables that WikiLeaks had is available online somewhere. How this came about is a good illustration of how security can go wrong in ways you don’t expect.

Near as I can tell, this is what happened:

  1. In order to send the Guardian the cables, WikiLeaks encrypted them and put them on its website at a hidden URL.
  2. WikiLeaks sent the Guardian the URL.
  3. WikiLeaks sent the Guardian the encryption key.
  4. The Guardian downloaded and decrypted the file.
  5. WikiLeaks removed the file from their server.
  6. Somehow, the encrypted file ends up on BitTorrent. Perhaps someone found the hidden URL, downloaded the file, and then uploaded it to BitTorrent. Perhaps it is the “insurance file.” I don’t know.
  7. The Guardian published a book about WikiLeaks. Thinking the decryption key had no value, it published the key in the book.
  8. A reader used the key from the book to decrypt the archive from BitTorrent, and published the decrypted version: all the U.S. diplomatic cables in unredacted form.

Memo to the Guardian: Publishing encryption keys is almost always a bad idea. Memo to WikiLeaks: Using the same key for the Guardian and for the insurance file—if that’s what you did—was a bad idea.

EDITED TO ADD (9/1): From pp 138-9 of WikiLeaks:

Assange wrote down on a scrap of paper: ACollectionOfHistorySince_1966_ToThe_PresentDay#. “That’s the password,” he said. “But you have to add one extra word when you type it in. You have to put in the word ‘Diplomatic’ before the word ‘History’. Can you remember that?”

I think we can all agree that that’s a secure encryption key.

EDITED TO ADD (9/1): WikiLeaks says that the Guardian file and the insurance file are not encrypted with the same key. Which brings us back to the question: how did the encrypted Guardian file get loose?

EDITED TO ADD (9/1): Spiegel has the detailed story.

Posted on September 1, 2011 at 12:56 PM
