Entries Tagged "passwords"


Funniest Joke at the Edinburgh Fringe Festival

Nick Helm won an award for the funniest joke at the Edinburgh Fringe Festival:

Nick Helm: “I needed a password with eight characters so I picked Snow White and the Seven Dwarves.”

Note that two other jokes were about security:

Tim Vine: “Crime in multi-storey car parks. That is wrong on so many different levels.”

Andrew Lawrence: “I admire these phone hackers. I think they have a lot of patience. I can’t even be bothered to check my OWN voicemails.”

Posted on August 25, 2011 at 4:08 PM

Stealing ATM PINs with a Thermal Camera

It’s easy:

Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn’t work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you think about your average ATM trip, that’s a pretty wide window and an embarrassingly high success rate for thieves to take advantage of.

Paper here. More articles.

Posted on August 24, 2011 at 7:13 AM

Tennessee Makes Password Sharing Illegal

Here’s a new law that won’t work:

State lawmakers in country music’s capital have passed a groundbreaking measure that would make it a crime to use a friend’s login—even with permission—to listen to songs or watch movies from services such as Netflix or Rhapsody.

[…]

The legislation was aimed at hackers and thieves who sell passwords in bulk, but its sponsors acknowledge it could be employed against people who use a friend’s or relative’s subscription.

While those who share their subscriptions with a spouse or other family members under the same roof almost certainly have nothing to fear, blatant offenders—say, college students who give their logins to everyone on their dormitory floor—could get in trouble.

Posted on June 7, 2011 at 5:32 AM

New French Law Reduces Website Security

I didn’t know about this:

The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.

This includes users’ full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.

Police, the fraud office, customs, tax and social security bodies will all have the right of access.

The social benefits of anonymity aside, we’re all more secure if these websites do not have a file of everyone’s plaintext password.

EDITED TO ADD (4/12): Seems that the BBC article misstated the law. Companies have to retain information they already collect for a year after it is no longer required. So if they’re not already storing plaintext passwords, they don’t have to start.
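The difference this post is pointing at, as an added example that is not part of the original post: the same account table stored two ways, and a check of what a seized or leaked copy of it gives whoever holds it. It uses PBKDF2 from Python's standard library; the user records and the work factor are constructed values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample records of the kind the quoted article describes.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "Snow White and the Seven Dwarves",
}

PBKDF2_ITERATIONS = 300_000  # assumed work factor; raise to what your hardware tolerates


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored field is not itself a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_hashed(candidate: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme: " + scheme)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def build_table(users: dict, hashed: bool) -> dict:
    """Account table (username -> stored password field), plaintext or hashed."""
    return {u: (store_hashed(p) if hashed else p) for u, p in users.items()}


def authenticates(table: dict, user: str, candidate: str) -> bool:
    """Login check against whichever storage format the table uses."""
    stored = table[user]
    if stored.startswith("pbkdf2_sha256$"):
        return verify_hashed(candidate, stored)
    return hmac.compare_digest(candidate.encode(), stored.encode())  # plaintext design


def usable_as_password(table: dict) -> list:
    """Users whose stored field, copied straight out of the table, logs in on its own.
    This is the post's concern in one check: every user for the plaintext table,
    nobody for the hashed one."""
    return [u for u in table if authenticates(table, u, table[u])]
```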

Posted on April 11, 2011 at 1:20 PM

Changing Passwords

How often should you change your password? I get asked that question a lot, usually by people annoyed at their employer’s or bank’s password expiration policy: people who finally memorized their current password and are realizing they’ll have to write down their new password. How could that possibly be more secure, they want to know.

The answer depends on what the password is used for.

The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they’re more likely to choose easy-to-remember—and easy-to-guess—passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.

The primary reason to give an authentication credential—not just a password, but any authentication credential—an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year’s worth of benefit out of it. After that, it’s useless.

This becomes less important when the credential contains a biometric—even a photograph—or is verified online. It’s much less important for a credit card or passport to have an expiration date, now that they’re not so much bearer documents as just pointers to a database. If, for example, the credit card database knows when a card is no longer valid, there’s no reason to put an expiration date on the card. But the expiration date does mean that a forgery is only good for a limited length of time.

Passwords are no different. If a hacker gets your password either by guessing or stealing it, he can access your network as long as your password is valid. If you have to update your password every quarter, that significantly limits the utility of that password to the attacker.

At least, that’s the traditional theory. It assumes a passive attacker, one who will eavesdrop over time without alerting you that he’s there. In many cases today, though, that assumption no longer holds. An attacker who gets the password to your bank account by guessing or stealing it isn’t going to eavesdrop. He’s going to transfer money out of your account—and then you’re going to notice. In this case, it doesn’t make a lot of sense to change your password regularly—but it’s vital to change it immediately after the fraud occurs.

Someone committing espionage in a private network is more likely to be stealthy. But he’s also not likely to rely on the user credential he guessed and stole; he’s going to install backdoor access or create his own account. Here again, forcing network users to regularly change their passwords is less important than forcing everyone to change their passwords immediately after the spy is detected and removed—you don’t want him getting in again.

Social networking sites are somewhere in the middle. Most of the criminal attacks against Facebook users use the accounts for fraud. “Help! I’m in London and my wallet was stolen. Please wire money to this account. Thank you.” Changing passwords periodically doesn’t help against this attack, although, of course, change your password as soon as you regain control of your account. But if your kid sister has your password—or the tabloid press, if you’re that kind of celebrity—they’re going to listen in until you change it. And you might not find out about it for months.

So in general: you don’t need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you’ve shared a computer with, change them all.

Two final points. One, this advice is for login passwords. There’s no reason to change any password that is a key to an encrypted file. Just keep the same password as long as you keep the file, unless you suspect it’s been compromised. And two, it’s far more important to choose a good password for the sites that matter—don’t worry about sites you don’t care about that nonetheless demand that you register and choose a password—in the first place than it is to change it. So if you have to worry about something, worry about that. And write your passwords down, or use a program like Password Safe.

This essay originally appeared on DarkReading.com.

EDITED TO ADD (11/14): Microsoft Research says the same thing.

“The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.”

Posted on November 11, 2010 at 6:45 AM
