The yin and yang of password security is amply illustrated in this piece at ServerWatch about an open source tool called john-the-ripper. The writer presents it as a way for IT to identify vulnerable passwords before the bad guys do. The truth of the matter is, however, that there is no reason john-the-ripper can't be used first by malicious individuals.
The Internet is rife with password security problems. For instance, Dark Reading links to a blog posting from an IBM Internet Security Systems security strategist on the vulnerability of webmail passwords. Indeed, there are hacker services that offer to break Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) webmail authentication systems and provide the passwords that are used with them. In fact, they also promise to keep supplying the new passwords as the target changes them. Webmail systems rarely offer encryption and are so simple that they are hard to protect. The best advice is to educate users on what information shouldn't be trusted to these convenience-first platforms.
There are a couple of basic but useful things in this posting on password security. The writer suggests being very careful about using open public Wi-Fi terminals. He also points out that it is human nature to use the same password for all online activity. This obviously is risky. A way to alleviate the problem that preserves the convenience of using the easily remembered password is to combine it with a different set of random characters, numbers and symbols for each system for which it is used.
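As an added example (not code from the post or from any site it links to), here is that per-system scheme in Python: one memorised base is combined with a cryptographically random component per system, drawn from the `secrets` module, and a check confirms that no two systems end up with the same final password. The function names and the sample systems are my own.

```python
import secrets
import string
from typing import Dict, List

# Character classes for the per-system component: letters, digits and symbols.
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LETTERS + DIGITS + SYMBOLS


def random_component(length: int = 12) -> str:
    """Return a random string of the given length that contains at least one
    letter, one digit and one symbol. Uses secrets (CSPRNG), never random."""
    if length < 3:
        raise ValueError("need room for one letter, one digit and one symbol")
    while True:
        comp = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LETTERS for c in comp)
                and any(c in DIGITS for c in comp)
                and any(c in SYMBOLS for c in comp)):
            return comp


def build_password_set(base: str, systems: List[str],
                       length: int = 12) -> Dict[str, str]:
    """Combine one memorised base with a distinct random component per system.
    Only the per-system components need to be written down (e.g. in a
    password manager); the base stays in the user's head."""
    components = {name: random_component(length) for name in systems}
    return {name: base + comp for name, comp in components.items()}


def check_no_reuse(passwords: Dict[str, str]) -> bool:
    """True when every system has a different final password, i.e. a breach
    of one system's password database does not hand over the others."""
    return len(set(passwords.values())) == len(passwords)


if __name__ == "__main__":
    # Constructed sample: three systems sharing one memorised base.
    pw = build_password_set("correct-horse", ["webmail", "bank", "forum"])
    for name, value in pw.items():
        print(f"{name:8s} {value}")
    print("no reuse:", check_no_reuse(pw))
```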
Abe on Tech offers a more systematic listing of the dos and don'ts of password security. He starts with more than a dozen things to not do and suggestions for addressing the issues raised. He then lists eight things that should be done. The final list provides 22 things not to include in passwords. The strength of the piece is that it goes beyond the intuitive and commonly known items in each category and provides more subtle suggestions that are more likely to thwart hackers.
A big challenge -- as ably described in this MSNBC piece -- is that there is so much information available. Crackers can get data at social networking sites and online databases that may hold vital information in old resumes, job applications and elsewhere. Indeed, the story demonstrates that finding and using this information isn't even particularly difficult. This information then can be used by the hacker to get the victim's password reset.
Enterprises should not assume that password problems exist only in the consumer world. People use webmail for work -- whether or not the company knows or approves -- and in other ways play fast and loose with passwords. Smart organizations must continue to pay close attention and redouble efforts to deploy the right software and educate employees about password safety.