Free Republic
News/Activism

Simple passwords not enough as perils of online world grow
HoustonChronicle.com | June 1, 2004, 12:24AM | ANICK JESDANUN

Posted on 06/01/2004 6:07:26 AM PDT by rw4site

HoustonChronicle.com -- http://www.HoustonChronicle.com | Section: Business


By ANICK JESDANUN

Associated Press

To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password.

For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea, automatically sends a new card when she's about to run out.

As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the need for such "passwords-plus" systems.

Scandinavian countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication.

"A password is a construct of the past that has run out of steam," said Joseph Atick, chief executive of Identix, a Minnesota designer of fingerprint-based authentication. "The human mind-set is not used to dealing with so many different passwords and so many different PINs."

When a static password alone is required, security experts recommend that users combine letters and numbers and avoid easy-to-guess passwords like "1234" or a nickname.

Stevan Hoffacker follows those rules but commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times' Web site and E-ZPass electronic toll statements.

In such cases, should hackers or scammers compromise one account, they potentially have one's entire online life.

"This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it," said Hoffacker, an information technology manager in New York.

But it's difficult to remember dozens of strong passwords. Alternatives include writing them down on a sticky note attached to a monitor or in an electronic spreadsheet — practices security experts also deem unsafe.

Software such as Symantec's Norton Password Manager and Apple Computer's Keychain help store passwords in secure, encrypted form. But if you compromise the master password, you're out of luck. Your entire collection is gone.

Many sites, meanwhile, will e-mail passwords insecurely — without encryption — if you forget. A site called www.BugMeNot.com even encourages users to share passwords for nonfinancial sites like newspapers.

The tools of password harvesting are many:

Keystroke recorders secretly installed at public Internet terminals can capture passwords, as can "phishing" e-mails designed to trick users into submitting sensitive data to fraudulent sites that look authentic. Computer viruses are also programmed to harvest passwords, and some software guesses passwords by running through words in dictionaries.

Although analysts have no hard figures on password-specific fraud, they blame insecure passwords for unauthorized financial transfers, privacy breaches and even the hacking of corporate networks.

With two-factor authentication, a password alone is useless.

"We will never play the fear factor here, but still it stays a fact that with our products, phishing is no longer an issue," said Jochem Binst of Vasco Data Security International.

The Belgian company issues devices the size of pocket calculators or keychains. You type your regular password into the device for a second code that is based on the time and the unit's unique characteristics. That's the code you type into the Web site.

Someone who steals your device won't have your password; someone who steals your password won't have your device.

MasterCard International has been testing similar systems in Britain, Germany and Brazil. Swipe a credit card with a smart chip into a special reader, enter your PIN and obtain a password good only once at Office Max, British Airways and a dozen other merchants.

In the United States, use of two-factor authentication remains limited. RSA Security has several products, including RSA SecurID, but they are primarily issued to employees for remote network access and to customers with high-value portfolios.

"There's a delicate balance between maintaining security but also providing customers with ease of use," said Doug Johnson, senior policy analyst at the American Bankers Association.


This article is: http://www.chron.com/cs/CDA/ssistory.mpl/business/2601983



KEYWORDS: disruptor
www.BugMeNot.com will allow disruptors to share accounts and passwords. Bookmark it and check it often for entries to FreeRepublic.

It turned up this post for me this morning. Shipping the liberals elsewhere?

1 posted on 06/01/2004 6:07:27 AM PDT by rw4site
[ Post Reply | Private Reply | View Replies]
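
The time-based second code the article describes, as an added example that is not part of the article or of this thread. It uses the public RFC 6238 TOTP algorithm as a stand-in for the vendor's unspecified scheme; the `Account` class, the 30-second step, and the sample secrets are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (assumption: RFC 6238 default)

def time_code(device_secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a code derived from the time and a per-device secret."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(device_secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    """Hypothetical server-side record that demands both factors."""

    def __init__(self, password: str, device_secret: bytes):
        self.salt = b"constructed-salt"  # constructed sample; use os.urandom(16) in practice
        self.pw_hash = self._hash(password)
        self.device_secret = device_secret
        self.last_step = -1  # newest time step already accepted (blocks replay)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: float, drift: int = 1) -> bool:
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return False
        step = int(now) // STEP
        # Accept the current step plus/minus `drift` steps for clock skew,
        # but never a step that was already used.
        for s in range(max(step - drift, self.last_step + 1), step + drift + 1):
            expected = time_code(self.device_secret, s * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = s
                return True
        return False

if __name__ == "__main__":
    secret = b"constructed-device-secret"  # constructed sample value
    acct = Account("correct horse", secret)
    t = 1_086_000_000  # constructed timestamp
    code = time_code(secret, t)
    print(acct.login("correct horse", code, t))  # both factors present
    print(acct.login("correct horse", code, t))  # same code replayed
```

A captured password fails without a fresh code, and a captured code fails once it has been used or its time window has passed.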

To: rw4site

BTTT


2 posted on 06/01/2004 6:19:59 AM PDT by rw4site (Little men want Big Government! This little old man just wants a bigger computer!! ;-))
[ Post Reply | Private Reply | To 1 | View Replies]

To: rw4site

It is intended as a site to allow users to share passwords to read online newspapers. Any other use, such as sharing passwords to posting sites or pay sites, is against their TOS.


3 posted on 06/01/2004 6:36:46 AM PDT by proxy_user
[ Post Reply | Private Reply | To 1 | View Replies]

To: proxy_user
Re: "is against their TOS"

Their "TOS" does not seem to be working.

4 posted on 06/01/2004 7:01:53 AM PDT by rw4site (Little men want Big Government! This little old man just wants a bigger computer!! ;-))
[ Post Reply | Private Reply | To 3 | View Replies]

To: rw4site; Jim Robinson

Is there a way that one screen name can log on at any one time? I was recently at my brother's house and could sign in to FReerepublic even though I was signed in at home. Not a big deal but with the elections coming up there may be some hacking activity starting.


5 posted on 06/01/2004 7:17:19 AM PDT by eastforker (The color of justice is green,just ask Johny Cochran!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: rw4site
I would strongly advise installing a program like Password Safe to help you keep track of website passwords. This program makes it easy for you to have good, strong passwords for each site. All you have to remember is your password to the program. I use a variant of this for Linux (gpasman) to keep track of such things. This leaves me with one password to remember. Since the password to this program is protecting significant data, I use a pretty long one of more than 20 characters.
6 posted on 06/01/2004 7:25:31 AM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 1 | View Replies]

Comment #7 Removed by Moderator

To: eastforker

Try clicking the FR login link. You will be given a choice of login types, one of which will log you out everywhere else. This is good if you use work or public computers.


8 posted on 06/01/2004 7:38:35 AM PDT by js1138 (In a minute there is time, for decisions and revisions which a minute will reverse. J Forbes Kerry)
[ Post Reply | Private Reply | To 5 | View Replies]

To: eastforker
I think so. On a single computer, I must log on for each browser I use and I have been logged on using three different browsers at the same time. Depending on my browser settings (cookies), I can remain logged on until I dump the cookies or log out.

I can also be logged on from two different computers from the same location, at the same time. I feel sure you could be logged on from more than one location at the same time.

9 posted on 06/01/2004 8:11:10 AM PDT by rw4site (Little men want Big Government! This little old man just wants a bigger computer!! ;-))
[ Post Reply | Private Reply | To 5 | View Replies]
