The Problems with Passwords

Written by ArticSoft -

Continued from page 1

Network systems and services, and the introduction of the PC as a networked device as well as a stand-alone computer, together created the idea that it must be possible to have infinite retries at getting the password right. (In the case of the PC, concern was focused upon the problem of having its owner get locked out with no way to recover the situation. Therefore, some systems had physical password reset buttons to get round this problem.) The attacker was being given a massive advantage!

The Internet, built for resilience and information sharing, included the idea of an ID/password, but did not provide encryption to protect the password and allowed infinite retries to get it right. As a result, passwords are usually transmitted unprotected, and may be sent with every page that needs access to a password protected area, as well as allowing the attacker all the time the site is up to try and crack it.

Potential routes forwards

The biggest hurdle to overcome is the ability of a user to hit more than six consecutive keys reliably, given that they cannot ‘see’ the results of what they are doing. (Actually, this is not new. Anyone with a Remington typewriter No 3 and before would know that the type basket on those models hit the paper directly under the roller, not on the front of the roller, and the user had to lift the roller to see what they had typed.)

Of course a user needs a bit of practice in order to get a longer password right. Constant change makes for bad typing. Using a much longer password, say 30 or so character positions, may not be guaranteed to generate what the cryptologists call entropy, but it has a good chance. If it is combined with using hash algorithms that generate much larger spaces (say SHA-1 512) then the attack space will still be large compared with current results.

A long password should also be harder to crack with short dictionary attacks and more resistant to brute force attacks, because the time to create either the password or the hash becomes significant. This may have a lot to recommend itself. Long passwords are also resistant to being captured by others by mere observation (except when keystroke capturing methods are in use) because there is too much now for the attacker to remember, no matter how often they observe. (Perhaps videos will become more popular in ‘public places’.)

But how do you educate users into using passwords successfully?

The first thing to remember is that the length must be proportionate to the overall security requirement. If a ‘three strikes and you’re out’ system combined with a token of almost any kind is in use you can live with a 4-digit PIN. If there are multiple systems then a single long password could be used as a system enabler for all services.
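As an added example (not code from the article or from ArticSoft), the Python below puts the two ideas above side by side: the search-space arithmetic behind the contrast between infinite retries and a ‘three strikes and you’re out’ 4-digit PIN, and a verifier that stores only a salted hash and locks after three consecutive failures. PBKDF2-HMAC-SHA512 and the in-memory retry counter are assumptions made here; the article names no particular scheme.

```python
import hashlib
import hmac
import math
import os


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Work for an attacker with unlimited retries, as log2 of the number
    of candidates: alphabet_size ** length combinations."""
    return length * math.log2(alphabet_size)


def success_probability_with_lockout(alphabet_size: int, length: int,
                                     max_tries: int) -> float:
    """Chance of guessing when only max_tries attempts are allowed.
    For a 4-digit PIN with three strikes this is 3 / 10000."""
    return max_tries / (alphabet_size ** length)


class RetryLimitedVerifier:
    """Keeps a salted PBKDF2-HMAC-SHA512 digest (assumed scheme) and refuses
    further attempts once max_tries consecutive failures have been seen."""

    def __init__(self, secret: str, max_tries: int = 3,
                 iterations: int = 100_000):
        self.salt = os.urandom(16)          # per-secret random salt
        self.iterations = iterations
        self.max_tries = max_tries
        self.failures = 0
        self.locked = False
        self.digest = self._hash(secret)    # the plaintext is not retained

    def _hash(self, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha512", secret.encode("utf-8"),
                                   self.salt, self.iterations)

    def verify(self, attempt: str) -> bool:
        """True only for the correct secret while the account is not locked."""
        if self.locked:
            return False
        # constant-time comparison so timing does not leak digest bytes
        if hmac.compare_digest(self._hash(attempt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_tries:
            self.locked = True
        return False
```

Once locked, even the correct secret is refused until an out-of-band reset, which is exactly the trade the article describes: a short PIN becomes acceptable only because the attacker no longer gets infinite retries.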

Choosing long passwords is not the daunting prospect that so destroys choosing short passwords. Natural language is now to be preferred since it must be memorable. But the expression of the natural language must be left to the capricious nature of the user.

By way of some examples of longer passwords, one could consider the following:

“Table!house*”, “Knight(soil)” or “Dem0n**manager”. Other examples that could work include “1066andallthat”, “Hangthe****donkey” or “Now is the time forall men”. This last one is a quotation, but it’s still hard to guess or attack, especially if you don’t know where the spaces are! These kinds of passwords are proof against any dictionary attack, and, provided they are not changed often, users are more likely to choose something difficult and unique. Another handy feature is that they are slightly harder to share with friends since there is so much more to remember.

Never forget the real purpose

The password, as we use it today, is more often than not the ‘secret’ that unlocks systems capabilities or grants authorizations (including access control). In future services it will be used to authorize cryptographic secrets, most likely held in software, and then later in hardware. These ‘keystores’ may hold various secrets, perhaps even including other passwords that are transparent to the user. Where infinite retries are possible, the use of short passwords will represent a significant, and avoidable, weakness which designers may one day be called to account for.

Ultimately, the real purpose of a security system is to try and make the user’s life easy whilst making the attacker’s life difficult. Systems that ignore the user are going to fail with the very community they are supposed to serve.

Whenever users cannot manage the systems they are given, an advantage is being given to the attacker, because they will exploit those aspects of the system first. Similarly, a poorly designed system will fail and will compromise the very users it is supposed to protect. Poor design is much harder to fix than bad coding or errors in implementation.

Steve Mathews is one of the authors of ISO/IEC 17799 (formerly BS7799) and is well recognized in the security industry. He provides security advice to the European Commission, the UK Government and an impressive range of globally based Fortune 100 companies. He regularly lectures on risk management, PKI, information security management and secure e-business implementation.

Your Computer Can't Keep Time

Written by Stephen Bucaro

Continued from page 1

If your computer loses its time setting overnight, the CMOS battery may not be holding a charge. The CMOS battery is located inside the case on the motherboard. Changing the battery is usually a job for a computer technician. In fact, a layman might not even be able to find the battery.

If you want to locate the CMOS battery in your computer, be aware that a static discharge from your hands can damage components inside the case. After taking proper precautions, open the case and look on the motherboard for a battery. If you have a diagram of your motherboard, locate the battery on the diagram first.

Different motherboards use different types of batteries. The battery may be shaped like a barrel or a coin. Some motherboards use a component that resembles a chip which contains the CMOS and the battery (made by DALLAS or Benchmarq). Batteries come in different voltages, so make sure you get an exact replacement.

Sometimes the battery is mounted in a holder. Sometimes it is soldered to the motherboard. De-soldering and re-soldering a battery is usually a job for a computer technician. An inexperienced solderer can cause a lot of damage. If you want to try to do it yourself, first practice on an obsolete circuit board. You may change your mind.

If the CMOS battery has failed because it's too old, this might be an opportunity to upgrade your motherboard. When upgrading a motherboard, the most important considerations are to make sure the new motherboard is the correct form factor for your case, and that the new motherboard has the correct bus connector slots for your expansion boards.

Resource Box: Copyright (C) 2002 Bucaro TecHelp. To learn how to maintain your computer and use it more effectively to design a Web site and make money on the Web visit To subscribe to Bucaro TecHelp Newsletter Send a blank email to

© 2005