When we do something more and it often becomes a habit - a model internalized we can do without thinking. Take something like tying your shoes: you were tying your shoes since you were aged 4 or 5 years - so long, you can do it with your eyes closed. It has become a habit that your fingers can do without engaging the brain too.
Habits are like that, they have a way to go on the way we do things. And it makes life easier, because of having to think the party making slows us down.
But there are times when our habits and patterns in which they are found are not a good thing. Regarding security, the models can be as dangerous crack in the armor that can be exploited by bad guys.
In the physical world, this can be the model of daily activities that you usually sleepwalking by where you walk your dog every night, patting your audience in his pocket to see if your portfolio is there, or something like leaving a key under the mat "welcome". How long attentive villain would have to look to discover a model that could be exploited to harm you or, at least, take you by surprise?
Increasingly, computer researchers found that the subconscious patterns are revealing themselves in places darnedest.
for example, the rhythm and the pace at which you type (ie the rate and force with which you hit away at the keyboard) has for several years now been studied as a possible means of access authentication . your typing style can not only be monitored and measured, but it is unique enough that can be used to identify you. (I can not help but make a free reference to the Ministry of Silly Walks Monty Python.)
What about the way you create passwords (assuming you do not the right thing and using a password generator that creates random passwords)? Is there a discernible pattern in your passwords which could make it easier for a hacker to access a and then other passwords in your private collection?
The work of the team KoreLogic reveals that we use the same models in we create passwords .
In a Bourne-survey called PathWell project (topology Password Histogram Wear-Leveling) KoreLogic analyzed data from several employee password companies and found that the passwords within tested companies tend to fall into patterns that reflect the password rules of each respective company.
The complexity rules password are the ones you're probably familiar with your work and your personal accounts on many websites. It all starts with a certain minimum length more:
- u pper cases (26 opportunities)
- t owers cases (26 possibilities)
- of igits (0-9) (10 opportunities)
- s pecial characters (,:. "and so on) ( 30 possibilities on my keyboard)
the expectation when you have many rules is that everyone stick to all the rules must have a large password - right? By forcing users to use uppercase letters, you have doubled the available options for each character position in the password and therefore significantly increased the possible permutations. And to make it even stronger, you add the use of numbers and special characters and punctuation marks. That makes a total of 92 possibilities for each position in the password. And the strength of a password rises significantly when you increase the length.
Oh my God, do not have all the ingredients of a great password !?
Well ... it's complicated.
What if some of your drawn features - basically, your habits - actually replace the safety of complexity rules
To get an idea of the models identified by KoreLogic problem, look at a simple example of 5 characters. If you do not limit yourself in one of the character positions and allow each position can be one of the possibilities 92, you get a total of 92x92x92x92x92 = 650815232, which is 6.5 billion combinations of words past. (Sounds like a lot but, as regards the power of hacking calculation, it is a very small number.)
Now let's say you're a typical human employee must recreate a new password every 30 or 45 or 60 days. It happens that many of us have habits that we unconsciously working in the password rules:
- From childhood we learned to follow certain writing syntax: a capital letter (u) goes to the beginning of a word and is followed by lower case letters (l). Punctuation (s) and number (s) go to the end.
See where this is going?
- We are in the habit of memorizing the words. And we like to think we can do for our passwords, too. This is not desirable from the point of view of security, but this does not prevent us from doing so. We can probably blame this on all these spelling tests we took in school.
- We want to make things easy on ourselves, especially the things we have to do several times. It's just human nature!
The problem is that, instead of using the full range of characters for each position, we limit ourselves with the learned syntax and our personal comfort zones. This way, instead of the 6.5 billion possible passwords we calculated above, we have narrowed the pool of passwords we actually use 26x26x26x10x30 = 5.2728 million, only 5.2 million combinations of words past.
We followed all the safety rules, but because of our habits, the resulting pattern password is 3 orders of magnitude lower !!
If you and I were the only ones to do this, it would not be a problem, because it would be a single instance. The problem is that many people are doing the same thing. The result is a "clumping" of sorts, which many people use the same grounds (topologies) for their passwords, instead of a truly random distribution in all possible combinations.
The KoreLogic study found that at a Fortune 100 company, the first two models through 263,000 connections were used by 25% of users. Think about it: every fourth person used one of two reasons
Enter the wicked
Just about the first 2 passwords models used in a business can reduce the time that it takes to hack .. 25% of employees with a very secure thousands of years down to literally hours. Wow
It is therefore not surprising that, when faced with rules for passwords, people do what people do: they fall back on habits that lead to shortcuts. These shortcuts are revealed as models that reduce the range of options for the wicked. By reducing the scope of the wicked options to worry, our habits undermine our passwords!
So the next time you are prompted to create a password in the office or at home, break your model and use a password generator. And when it is ready, ask yourself, "Bourne would be happy to use the password."
If the answer is no, try again.
About the author
Peter Lipa
@stickypassword
https: // www.facebook.com/stickypassword
Sticky password is the price -winning password manager and form filler that creates strong, random passwords of words and remembers them for you.
0 Komentar