My next Tech Beat article, which should be published on Thursday in the Times-Standard, is all about network insecurity. Among the issues I discuss is the poor application of passwords: using common words or simple number strings instead of harder-to-crack strings of letters, numbers and punctuation. Now along comes this New York Times article claiming that the password system itself is a big security hole, no matter how complex the passwords are.
But the article doesn’t give really good reasons why the password login system is worthless. Of course, it can be circumvented any number of ways, but usually not without the unwitting help of the user, such as falling for phishing schemes. Being careful with passwords is still part of the comprehensive approach to network security that I discuss. And the article doesn’t offer a good alternative except in theory.
So, practice safe Internet and use good passwords until something better comes along.
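As an added illustration (not from the column or the Times article) of why a common word or a number string is easier to crack than a mixed string, here is a small checker that flags those two patterns and estimates the brute-force search space of a password. The word list and the 40-bit threshold are assumptions for the example only.

```python
import math
import string

# Constructed sample list; a real check would use a large breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "sunshine"}
MIN_BITS = 40  # assumed threshold for this example, not a published standard


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, based on the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def search_space_bits(pw: str) -> float:
    """log2 of the number of strings of this length over this alphabet."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess_password(pw: str) -> dict:
    """Classify a password the way the column describes: common word, number
    string, or too small a search space; anything else is considered acceptable."""
    # "password1" is still a dictionary word once trailing digits are stripped.
    base = pw.lower().rstrip(string.digits)
    bits = search_space_bits(pw)
    if not pw:
        reason = "empty"
    elif base in COMMON_WORDS:
        reason = "common word"
    elif pw.isdigit():
        reason = "number string"
    elif bits < MIN_BITS:
        reason = "brute-forceable"
    else:
        reason = "ok"
    return {"weak": reason != "ok", "reason": reason, "bits": round(bits, 1)}
```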
Spam, viruses, phishing attacks, denial of service attacks and other serious security breaches are ongoing hazards of life on an open network like the public Internet. There is an ongoing battle between security professionals and the bad guys who want to breach that security. As one side improves network security, the other side finds new holes. But the truth is, no matter how secure certain levels of the Internet are made, hackers will always be able to exploit the weakest link: the end user.
Whether it’s through social engineering, brute force attacks, simple stealth programs unleashed through email, or a variety of other widely known strategies, hackers can eventually find keys to unlock computers and put them to work for their own purposes. But the naiveté of a large percentage of computer users makes the hacker’s task that much easier, and makes the jobs of system and network managers that much more difficult.
It’s a conundrum. We want computers and the Internet to be easy to use. And we can’t expect everyone to understand the dangers of simple passwords, or the need to maintain good virus and security software on personal computers. But this lack of understanding is one of the factors that makes the network so vulnerable. I don’t really see a way around this short of enforcing a set of protocols that require some basic good practices of end users, whether at the personal computer level or at the network level with hosting, email and other types of accounts. This is unlikely to happen, so the battle will go on. But I am going to encourage our hosting clients to be better stewards of their accounts so I don’t have to spend so much time rooting out hacks.