Security Researcher: Breaches Reveal People Don’t Choose Good Passwords

Analysis of stolen passwords shows that people are not good at selecting their own passwords. Security researcher Per Thorsheim says a decent password uses a phrase or combination of characters with little or no connection to the person picking it; most individuals, however, use words or numbers to which they are connected, such as birthdates, street addresses, or the names of children or pets. He says this is most evident in the selection of four-digit PINs. This bias, he says, makes brute force password cracking obsolete. Yiannis Chrysanthou, a KPMG security researcher, told the BBC, “it’s not about mathematics any more because it’s people that select the passwords.” The news organization claims, “Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity.” (SlashDot)(BBC)

US Government Demands User Passwords from Internet companies

The US government is demanding users’ stored passwords from major Web firms, according to a CNET investigation by reporter Declan McCullagh. Having a password—typically stored in encrypted or hashed form—could let the government log into accounts and read communications such as e-mails, review stored information, or even impersonate the actual user. US officials have filed requests for passwords with companies including Microsoft and Yahoo. In some instances, they asked for additional information such as the companies’ encryption algorithms. It is unclear why the government submitted these requests. (CNET)

Decoy Password Strategy Could Protect Users

Security researchers say mixing honeywords—decoy passwords—in with a user’s real hashed password could keep attackers out of websites and online services. Ari Juels, chief scientist at security firm RSA, and cryptographer and MIT professor Ronald Rivest say that storing multiple possible passwords for each account not only adds security but also reveals when an intrusion is occurring. Passwords are now considered a weak security strategy, in part because users make poor password choices. The approach pairs the password file with a separate honeychecker system that knows which stored entry is the legitimate password and which are honeywords: for each user, it stores a randomly selected integer giving the position of the real password among the stored candidates, and the login service asks it whether the entry a user matched is the correct one. An attacker who obtains only the honeychecker’s data learns nothing about the password itself, and an attacker who cracks the stolen password file cannot tell the real password from the decoys; their presence is detected as soon as they attempt to log in with one of the honeywords. (ZDNet)(The Honeywords Project)(MIT CSAIL)

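The login flow described above, as an added Python sketch that is not code from the Honeywords Project or the Juels–Rivest paper: the password file holds k hashed candidates (sweetwords) per user, the honeychecker holds only the index of the real one, and a match on any other index raises an alarm. The class names, the `tweak_digits` decoy generator (a simplified form of the paper’s “chaffing by tweaking” digits) and the use of PBKDF2 are assumptions made for this example.

```python
import hashlib, os, secrets

def hash_pw(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 for the demo; a real deployment would use a slow, memory-hard hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def tweak_digits(password: str, n: int) -> list:
    """Construct n decoys by re-rolling the trailing digits of the real password
    (hypothetical helper; needs enough digit positions to yield n distinct decoys)."""
    head = password.rstrip("0123456789")
    tail = password[len(head):] or "00"          # no digits: append two random ones
    rng, out = secrets.SystemRandom(), set()
    while len(out) < n:
        cand = head + "".join(rng.choice("0123456789") for _ in tail)
        if cand != password:
            out.add(cand)
    return sorted(out)

class Honeychecker:
    """Separate hardened server: knows only which index is real, never the passwords."""
    def __init__(self):
        self._index = {}   # user -> position of the real password among the sweetwords
        self.alarms = []   # (user, index) pairs where a honeyword was submitted
    def set_index(self, user: str, i: int) -> None:
        self._index[user] = i
    def check(self, user: str, i: int) -> bool:
        ok = self._index.get(user) == i
        if not ok:
            self.alarms.append((user, i))   # a matched sweetword that is NOT the real one
        return ok

class PasswordFile:
    """Login service holding the hashed sweetwords in random order per user."""
    def __init__(self, checker: Honeychecker):
        self.checker, self.rows = checker, {}
    def register(self, user: str, password: str, honeywords: list) -> None:
        sweetwords = list(honeywords) + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # real position is uniform at random
        salt = os.urandom(16)
        self.rows[user] = (salt, [hash_pw(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))
    def login(self, user: str, password: str) -> bool:
        if user not in self.rows:
            return False
        salt, hashes = self.rows[user]
        h = hash_pw(password, salt)
        for i, stored in enumerate(hashes):
            if secrets.compare_digest(h, stored):    # matched some sweetword at index i
                return self.checker.check(user, i)   # only the honeychecker knows if it is real
        return False                                  # matched nothing: ordinary bad login
```

A wrong password that matches no sweetword is a normal failed login; only a match on a decoy index is evidence that the password file has been cracked.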
UC Berkeley Unit Replaces Passwords with Passthoughts

University of California Berkeley School of Information researchers have developed a new form of user authentication that relies on brainwaves. Employing biosensor technology and a $100 wireless headset, the NeuroSky Mindset, they created a system that uses an individual’s unique EEG signals for computer authentication. To log in, a user performs a mental task they would not object to completing daily, such as counting objects of a specific color or imagining singing a song. The researchers found that even simple actions—such as focusing on breathing or on a thought for ten seconds—resulted in successful authentication. The work was presented at the 2013 Workshop on Usable Security, held at the 17th International Conference on Financial Cryptography and Data Security in Okinawa, Japan. (Mashable)(NBC News)(UC Berkeley School of Information)

Hackers Steal Social-Networking Sites’ Passwords

LinkedIn and eHarmony were the latest targets of hackers who recently gained access to users’ passwords. LinkedIn reported that more than 6 million passwords from its 160 million users were compromised. The attackers posted the files on hacking sites, and those hoping to use the stolen data have reportedly asked for help cracking the password hashes. Computerworld claims more than 60 percent of the stolen passwords have been cracked, underscoring weak website security. The publication says officials have not released details about how the LinkedIn breach occurred. LinkedIn says it has since implemented hashing and salting to secure its users’ passwords. Hackers also stole 1.5 million passwords from online dating site eHarmony. According to Ars Technica, eHarmony hasn’t disclosed details about the theft or whether it has fixed its vulnerability. Security experts advise users of these and other social-networking sites to change their passwords regularly and to select unique passwords of eight or more characters that include upper- and lower-case letters. (The Washington Post)(ArsTechnica)(Computerworld)(LinkedIn Blog)