Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.
“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”
In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.
But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.
Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.
“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”
IF YOU'RE WORRIED ABOUT INTERNET SECURITY OF ANY TYPE, FOLLOW THE LINKS BELOW
Given today’s networked environments, CERT recommends that sites
concerned about the security and integrity of their systems and
networks consider moving away from standard, reusable passwords. CERT
has seen many incidents involving Trojan network programs (e.g.,
telnet and rlogin) and network packet sniffing programs. These
programs capture clear-text hostname, account name, password triplets.
Intruders can use the captured information for subsequent access to
those hosts and accounts. This is possible because 1) the password is
used over and over (hence the term “reusable”), and 2) the password
passes across the network in clear text.
Several authentication techniques have been developed that address
this problem. Among these techniques are challenge-response
technologies that provide passwords that are only used once (commonly
called one-time passwords). This document provides a list of sources
for products that provide this capability. The decision to use a
product is the responsibility of each organization, and each
organization should perform its own evaluation and selection.
I. Public Domain packages
The S/KEY package is publicly available (no fee) via
anonymous FTP from:
thumper.bellcore.com /pub/nmh directory
There are three subdirectories:
skey   UNIX code and documents on S/KEY. Includes the change needed to
       login, and stand-alone commands (such as “key”) that compute the
       one-time password for the user, given the secret password and
       the S/KEY command.
dos    DOS or DOS/WINDOWS S/KEY programs. Includes DOS version of “key”
       and “termkey”, which is a TSR program.
mac    One-time password calculation utility for
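How the S/KEY-style login described above defeats a password sniffer, as an added illustration (not code from the CERT document or the S/KEY package): the client's “key” calculation derives the one-time password for the challenged sequence number from the secret password and the seed, and the server checks it by hashing once against the stored previous value, so a captured password is useless after it has been accepted and cannot be rolled backwards. The hash step uses MD5 folded to 64 bits as in the OTP specification (RFC 2289, the standardised successor of S/KEY, which itself used MD4); the six-word encoding is omitted, and PASSPHRASE, SEED and OtpVerifier are constructed sample values and names.

```python
import hashlib

# Constructed sample credentials for the demonstration (not real values).
PASSPHRASE = "correct horse battery"   # the user's secret, never sent on the wire
SEED = "ce12345"                        # public per-user seed chosen by the server

def _fold(digest: bytes) -> bytes:
    """Fold a 128-bit MD5 digest to 64 bits by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def _step(value: bytes) -> bytes:
    """One link of the hash chain: H(x) = fold(MD5(x))."""
    return _fold(hashlib.md5(value).digest())

def otp(passphrase: str, seed: str, n: int) -> bytes:
    """Client-side "key" calculation: OTP_n = H^(n+1)(seed || passphrase)."""
    value = _step((seed + passphrase).encode())
    for _ in range(n):
        value = _step(value)
    return value

class OtpVerifier:
    """Server side: keeps only the last accepted OTP and its sequence number,
    so a compromise of the stored value does not reveal any future password."""

    def __init__(self, passphrase: str, seed: str, n: int) -> None:
        self.seed, self.n = seed, n
        self.last = otp(passphrase, seed, n)   # initialised out of band

    def challenge(self) -> str:
        # Sent in the clear; it tells the client which OTP to compute next.
        return f"otp-md5 {self.n - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        # OTP_(n-1) is valid iff hashing it once yields the stored OTP_n.
        if self.n == 0 or _step(candidate) != self.last:
            return False
        self.last, self.n = candidate, self.n - 1   # move the chain down one link
        return True

def sniffed_replay_is_rejected() -> bool:
    """A password captured off the wire cannot be reused once it has been accepted."""
    server = OtpVerifier(PASSPHRASE, SEED, 99)
    _, seq, seed = server.challenge().split()
    captured = otp(PASSPHRASE, seed, int(seq))   # exactly what a sniffer would see
    first = server.verify(captured)
    return first and not server.verify(captured)
```

Each accepted login consumes one link of the chain; when the sequence number reaches zero the user must be re-initialised with a fresh seed.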
II. Commercial Products
Secure Net Key (SNK) (Do-it-yourself project)
Digital Pathways, Inc.
201 Ravendale Dr.
Mountain View, CA 94043-5216
Fax: (415) 961-7487
handheld authentication calculators (SNK004)
serial line auth interruptors (guardian)
Note: Secure Net Key (SNK) is DES-based, and therefore restricted
from US export.
SecurID (complete turnkey systems)
One Alewife Center
Cambridge, MA 02140-2312
Fax: (617) 354-8836
SecurID changing number authentication card
ACE server software
SecurID is time-synchronized using a ‘proprietary’ number
WatchWord and WatchWord II
480 Spring Park Place
Herndon, VA 22070
1-800-521-6261 ext 217
Watchword authentication calculator
Alpha-numeric keypad, digital signature capability
Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
DES Silver card authentication calculator
SafeWord Multisync card authentication calculator
Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well as
other OS versions. Supports one-time passwords and super
smartcards from several vendors.