 |
| Password protection is a priority. |
Today
advanced hardware makes it easy to crack passwords. In such a scenario,
what should users do to prevent hackers? Geeta Padmanabhan has the
lowdown
If you thought your clever password was something no one could hack,
well, you are in denial. Consultancy firm Deloitte reports that 90 per
cent of user-generated passwords are vulnerable to hacking. What, even
my traditional (clever) combo of eight characters complicated by
numbers, letters and symbols? Yes.
Last year, Zappos.com lost names, email-IDs, phone numbers and partial
credit card numbers of 24 million customers. LinkedIn admitted its user
passwords were “compromised”. Some 400,000 Yahoo email-ID passwords were
hacked last July. In 2011, 77 million passwords were stolen from Sony’s
PlayStation Network. GoDaddy's passwords were breached. FBI, NBC-sites,
112 Indian government sites found their “secure” passwords “exposed”.
If it's any consolation, Taliban sites were successfully attacked too.
Just check out what services like “iFramers” do to hacked websites.
RE-USING PASSWORDS
How did our passwords get so susceptible? Longer passwords infused with
@, *, % symbols are difficult to remember, so we pick a small subset
from them — and they get cracked. We slip-up by re-using passwords.
Credit-checking firm Experian found that the average user has 26
password-protected online accounts but uses only five different
passwords. Deloitte says 10,000 most common passwords access 98 per cent
of all accounts. When you key in the same password for online banking
and Warhammer, a security breach at the gaming site compromises the bank
account password.
Even long passwords aren't safe, says Ashwini Rao, researcher at
Carnegie Mellon University. Sentence-like/phrase-like passwords such as
“abiggerbetterpassword” and “thecommunistfairy”, postal addresses, email
IDs and URLs also make for less secure passwords now, she says.
Blame it on advances in password-cracking hardware. “It's called a
brute-force attack,” says techie Mahesh, explaining its nuances.
“Powerful computers/laptops try every possible permutation-combination
to find the “right” one, no intelligence involved.” Creep! Our
eight-character password, created from the 94-character keyboard is one
of 6.1 quadrillion possible combinations. “A dedicated password-cracking
machine employing virtualisation software and high-powered
graphics-processing units can crack any eight-character password in 5.5
hours,” the Deloitte report said. Nefarious, says Mahesh. “A computer
working alone may not be able to dig, say, military networks. So a
zombie machine, could be yours, is roped in for the hack job. It's a
small percentage of your CPU; you pay for unlimited time, so how will
you know? Hey! “Wait,” he says. “There is also crowd hacking, where
hackers share the power of thousands of machines to infiltrate the
target. At no cost.”
Help! Twitter and Adobe re-set thousands of passwords after
“embarrassing” goof-ups. Google alerts you on unusual mob-phone
activity. It also wants you to insert Yubikey, a smart-chip embedded
tiny key that goes into the USB drive, unlocks and automatically logs
onto all your accounts without asking for a password. Yubikey works on
Windows/Mac/Linux/iPad/Firefox/Chrome, and is waterproof, crush-safe,
needs no battery or clients software/drivers. With a simple touch the
YubiKey sends a one-time-password (OTP) as if typed. The unique passcode
is verified by a YubiKey compliant app. Fine. “Things like YubiKey are
definitely more secure as they support random passwords and provide
two-factor authentication,” says Mahesh. “Corporates use them on a
day-to-day basis because they are mandatory, but you will use it a lot
less since it's optional.” You could lose it, you need to insert it, and
always type in a master password to access websites. Too much!
“Multi-layer authentication” is possible. You log onto your credit card
issuer’s site, type in your username/password, send another
code/password to smartphone, and go online. Not terribly convenient!
Password vaults or password safes (paid tools) offer you a central place
to store all your passwords, encrypted and protected by — you guessed
it — a password or token. These, presumably, are not easily cracked.
Firefox can save user names and passwords for online services like
banking.
Go for poor grammar and spelling, says Ashwini Rao. Hurray! Since
“brute” searches for proper combo-words and grammar, you hoodwink it by
staying outside the dictionary. She suggests phrases such as
“Pineapplesi$nise”, “Exitingplan$isafoot”, that is, if you can memorise
the deliberate mistakes. Try “eat cake at 8!” or “car_park_city?”
(Idontnohowtospal.com). The high-tech crowd touts a biometric solution,
but it has its hiccups. Smartphones ask you to connect nine dots — easy,
many combos, visual/tactile (touch to remember). Connecting fewer dots
generates more combinations.
FOLLOW GOOD PASSWORD PRACTICES
Never share your password. Avoid using non-secure networks at public
places to send private information. Change password after using a
non-secure network, change it frequently. Never store your password in a
program. “I use Lastpass — a password manager and form-filler,” says
Mahesh. “and a secure operating system like Linux. All codes are out in
the open, so it is easier to review.” Mmmm... will you consider becoming
a hacktivist? If you do, let me know.
