Winston Salem Journal


Play It Safe: Hackers use the back door to get into your computer; a strong, well-chosen password is your front-door lock

Journal Illustration by Jeremy Boyd

Published: August 18, 2008

SAN ANTONIO -- Password security is a big deal, and if you don't think it is, then someone might be hacking into your computer even as you read this.

A strong password isn't foolproof, but it proves that you're no fool. And it might protect you from compromised data, a broken computer or identity theft.

Your bank account, your personal e-mails and lots of other stuff are at risk with weak passwords.

A trip to a small town on a newspaper assignment years ago brought this message home. I needed Web access and found a coffeehouse with Wi-Fi. But there was a blocked port and it was impossible to access the coffeehouse's network.

For nongeeks, this is like looking at a five-star meal through a plate glass window. It's there, but you can't eat it.

The baristas didn't know what to do, and I was getting close to deadline, so I did something very, very bad.

Instead of staring at the five-star meal, I broke the glass.

From the signal data, I recognized the manufacturer of the router, which is the device used to dole out Internet access. I had the same brand at home, and I knew the default password (i.e., the one it shipped with). I gambled that the cafe's owners hadn't changed it. My bet paid off. Within minutes, I was able to access the Web and send the data. I then closed the port, returning the network to its original state, and left.

Translation: I hacked into the router using the default password, changed the settings, opened the necessary port, sent my story, plugged the hole back up and left.

Lots of people are doing that, say computer security experts, and they may be doing it to your computer or network without your knowledge. And their intentions aren't necessarily as benign as mine were.

A discussion of password security isn't intended to get the attention of bad guys. They already know this stuff. The idea is to get the attention of computer users who are vulnerable to this form of attack. A few minutes spent strengthening a password will thwart most attacks.

"A good password is the most important part of Internet security," said Robert Pacheco, the owner of Computer Techs of San Antonio. "It's the beginning and end of the issue. You can't stop it (hacking). You do what you can do to prevent it. You just try to stop most of it."

A strong firewall, as well as spyware- and virus-detection software, protects a computer's so-called "back door," Pacheco said, where a hacker can gain access through various cyber threats. Those threats include infected e-mail attachments; phishing Web pages that exploit browser flaws; downloaded songs or pictures with hidden trojans; or plain ol' poking-and-prodding of a computer's shields.

But passwords protect information from a frontal assault by way of the computer's keyboard.

From his mom-and-pop computer repair store, Pacheco sees so many password-related problems that he printed up instructions imparting his wisdom on flummoxed customers.

Pacheco sees good passwords at work only when thieves come in off the street, wielding a laptop and a sob story about forgetting the password. His store policy demands a driver's license to establish identity and a receipt to prove computer ownership before he'll crack a password.

Cracking a bad password, said Larry Rogers, isn't that hard.

The type of hardware being used can be a clue, said Rogers, a senior technical staffer in the CERT Program, a Web security research center in Carnegie-Mellon University's software engineering institute. It's easy to find a default password, typically in the user's manual on a manufacturer's Web site. If the user hasn't changed the default, that's an easy break-in.

That's what I did in Smalltown, Texas; the router password hadn't been changed.

Other people use easy-to-remember passwords. Trouble is, Rogers said, they're easy-to-guess passwords, too. Good examples of bad passwords are your name, your family's names, your pet's name, the name of your favorite team, your favorite athlete or your favorite anything.

Get to know the person -- a technique that geeks refer to as "social engineering" -- and the password is easy to guess. There are message-board stalkers who can guess passwords in a half-dozen tries.

Hackers rely on a lot of methods. Some, Rogers said, employ "shoulder surfing." That means what it sounds like -- looking over someone's shoulder as that person is typing in a password. Seriously. It has worked, Rogers said.

Software works here, too.

"There are programs that do brute-force attacks with dictionary words and approach it from every angle," Rogers said. "It's based on what people have been known to do."

Most of the password hacking activity these days goes on at homes, in school or in public settings. These days, many workplaces mandate how a password is picked.

The idea is to choose a password that contains at least one uppercase letter, one numeral and at least eight total characters. Symbols are good to throw in the mix, too. Many companies also require that passwords be changed regularly and that pieces of older ones can't be re-used for months. And user names cannot be part of the password. Examples: Eggplant99, 99eggpLanT, --eggp--99Lant. For the next quarter, the password might change to variations on "strawberry."

For the home user, however, password safety requires more than on-the-fly thinking. Pacheco suggests a system built around a main word for all instances. The distinction is that the name of the site is added somewhere. For example, if the main word is "eggplant," the password might be "eggyyplant" for Yahoo, "eggplantgg" for Google or "wleggplant" for Windows Live. He suggests listing the variations in an Excel spreadsheet.

To throw off shoulder surfers, Rogers suggests picking words with letters from different sides of the keyboard. "Freeze" is a bad main word choice since all the letters come from the left side of the keyboard. "Apostrophe," on the other hand, mixes up letters from both sides.
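The workplace rules described above and Rogers' keyboard suggestion can be written as an automated check. This is an added example, not part of the original article; the function names, the four-character definition of a reused "piece" and the QWERTY touch-typing hand split are assumptions made for illustration.

```python
import re

# Assumption: standard QWERTY touch-typing split between the two hands.
LEFT_HAND = set("qwertasdfgzxcvb")
RIGHT_HAND = set("yuiophjklnm")

def shares_piece(password, old_password, piece_len=4):
    """True if any piece_len-character run of old_password reappears.

    The article only says "pieces" of older passwords cannot be reused;
    four characters, compared case-insensitively, is an assumed threshold.
    """
    new, old = password.lower(), old_password.lower()
    return any(old[i:i + piece_len] in new
               for i in range(len(old) - piece_len + 1))

def uses_both_keyboard_sides(word):
    """True if the letters of word come from both halves of the keyboard."""
    letters = {c for c in word.lower() if c.isalpha()}
    return bool(letters & LEFT_HAND) and bool(letters & RIGHT_HAND)

def check_password(password, username, previous=()):
    """Return the list of rules broken; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no numeral")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if any(shares_piece(password, old) for old in previous):
        problems.append("reuses a piece of an older password")
    if not uses_both_keyboard_sides(password):
        problems.append("letters all come from one side of the keyboard")
    return problems

if __name__ == "__main__":
    # Constructed sample: user name "jsmith", last quarter's password "Eggplant99".
    for candidate in ("99eggpLanT", "Strawberry08", "freeze", "Jsmith2008"):
        print(candidate, check_password(candidate, "jsmith", ["Eggplant99"]))
```

Under these assumptions the article's "99eggpLanT" is rejected once "Eggplant99" is on file as an older password, because the two share more than four characters in a row.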

Microsoft offers an online tool to gauge password security. Located at http://www.microsoft.com/protect/yourself/password..., it will rate the relative strength of a password. Users can tweak and hone a password to get a good one.

Of course, password security won't mean much if a user leaves a machine open to cyber-attack, Rogers said. A hacker can plant software that records all keystrokes and that will surrender passwords, even if they're changed.

But assuming that the back door is safe, the front door can be locked securely, too.
