Security Advisor

Security Myths Exposed

Joern demystifies common misconceptions about SSL and complex passwords.

It's good that users are more aware of security issues these days, and that most are adopting more secure computing behaviors. Unfortunately, some of those behaviors are based on less than a full understanding of security technologies. We'll explore two of the most common security myths and how to avoid falling for them.

Myth No. 1: SSL Is Secure
Anyone shopping on the Web is always told to look for the little SSL security icon in their browser to make sure the site is secure. Few people would even consider entering a credit card number on an online form if it wasn't a secure connection, but that's only part of the equation.

SSL actually does what it was designed to do namely secure data as it is transmitted over a network. The problem is that many people don't realize its limitations. The icon in the browser only indicates that you are indeed connecting to the server you intended to and that data is encrypted while it's being sent and received. That is the extent of the protection afforded by an SSL-certified site. Many people incorrectly assume they're invulnerable to all attacks once they establish an SSL connection.

While a password may be securely transmitted, it could also be captured before it was even sent. Keystroke loggers capture a password or PIN as it's entered on something like an online banking form, even if it's subsequently transmitted over an SSL-secured connection. The keystroke data is sent to an attacker, who can then use that information to clean out the victim's bank account.

To defeat keystroke loggers, some banks have implemented new authentication methods like on-screen keyboards that require you to enter your PIN with mouse clicks instead of keystrokes. In response to this, criminals have developed programs that take screen shots of mouse clicks and send those back to the attacker.

Making things worse, there are now programs that change online transactions as they're happening. You may enter instructions to transfer $20 from your savings account to your checking account, but the bank's Web site could receive an instruction to transfer most of your balance to an account in a country with lax banking laws.

While banks could increase monitoring to prevent these types of attacks, they don't seem to be in any hurry to do so because they fear it would lead to a loss of business. Customers might get annoyed, for example, if the bank called them to confirm each suspicious transaction. Instead of trusting banks to change their ways, you can increase security yourself by paying more attention to your computer.

The only way criminals can take advantage of SSL's limitations is by installing an unauthorized program on the potential victim's computer. To prevent this, you must run up-to-date anti-spyware tools.

Your users also need to know they should say "no" if there's an unexpected prompt to install a new program, and they should not perform normal computing tasks while logged on with an administrative account. Also, it's important to never enter confidential information at a computer you can't trust, like one in an Internet café. Relying entirely on SSL when it only secures one part of your online behavior can be a dangerous mistake.

Myth No. 2: Complex Passwords Enhance Security
Your company probably has a policy that mandates complex passwords. For example, they may require a combination of uppercase and lowercase letters, numbers and special symbols. Windows even includes a Group Policy setting to enforce complex passwords.

To understand why this doesn't enhance security and can even lower it, you have to look at what makes a good password in the first place. Any password requirement should ensure that an attacker can't crack it before it becomes invalid or out of date. For example, if you require users to change their passwords every 90 days, it should be extremely unlikely that anyone could succeed at cracking a password within that time.

Many old computers allowed passwords made up of only letters, didn't differentiate between lowercase and uppercase letters and limited passwords to just a few characters. Using the 26 characters of the alphabet and allowing for six-letter passwords, there are 300 million possible passwords. This provided adequate security on systems that required manual log-on because it would take an attacker too long to enter enough combinations to find the correct password.

Increasing password length to eight characters increases the number of possible combinations to more than 200 billion. Even this has proved inadequate against automated attacks, however, especially offline brute-force attacks that calculate hash values from all possible combinations and compare the results with a captured hash of the target password. These types of attacks quickly crack any password with single-case characters.

The only way to truly prevent someone from guessing or cracking your password is to increase the number of different characters within a password--distinguishing between uppercase and lowercase, allowing numbers and special characters. This increases the number of available characters from 26 to roughly 80. Combining eight of these characters creates more than 4 quadrillion combinations, and greatly increases the time required to crack a password. The problem with using excessively complex passwords is that users may be more tempted to write them down, which completely defeats the purpose, no matter how stringent your password requirements.

Windows also lets you use longer passwords that may contain spaces and other punctuation characters. This allows for the use of pass phrases, which are "passwords" made up of multiple words. Typing a phrase when logging on may require a few extra keystrokes, but it may actually take less time than locating some special characters on the keyboard.

By combining pass phrases with punctuation marks, or small changes to words, you can create even more complexity. Even better, pass phrases are easier to remember and so are more easily accepted by users. They are also less likely to be written down. Unfortunately, not all systems allow for pass phrases. If password length restrictions don't prevent the use of pass phrases, you should consider transitioning to them soon. Doing this not only increases security but makes your users happier with the password guidelines.

There are more security myths making the rounds that you'll read about in future Security Advisor columns. For now, I hope that debunking two of the most popular myths will help you increase your password security and not fall victim to inappropriate trust in SSL.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.

comments powered by Disqus

Reader Comments:

Wed, Dec 13, 2006 Anonymous Anonymous

The author contridicts himself. He states that complex passwords do not enhance security and then a couple of paragraphs later he says: "The only way to truly prevent someone from guessing or cracking your password is to increase the number of different characters within a password--distinguishing between uppercase and lowercase, allowing numbers and special characters" And later says: "By combining pass phrases with punctuation marks, or small changes to words, you can create even more complexity." I'm confused, isn't that what password complexity is? Combinations of upper and lower case, special characters and the like? It really is true, PHD="Piled High, and Deep"

Fri, Nov 17, 2006 Steams Anonymous

SSL IS secure - ok?
Your computer is NOT!
Having connected to that banking system through SSL doesn't mean that somebody cannot come to you at the same time with a gun and have you to transfer all your money to his account...
But doest it mean that SSL security is a myth? :)

Myth N2:
"Many old computers allowed passwords made up of only letters" - what-what-what?
Complex passwords DO enhance security.

The article is rather misleading...

Sat, Jul 29, 2006 Anonymous Anonymous

Im not sure why people are bashing the author. Its obvious he's not saying that keystroke loggers are a problem with SSL. hes saying that just because ur on a secure site, doesn't mean that you're financial information can't be taken. Although SSL is a secure form of communication, it doesn't mean that you can't be compromised

Sat, Jul 29, 2006 anon UK

Unfortunately James its not so rare as you may think. Many people have been victims of this sort of theft. Going to the bother to simulate the banks website is all done before the installation of the keylogger or screen capture software. I'm surprised you never heard of "spoof sites"

The article states that SSL does in fact do what it is designed to do and only states that connecting through SSL may seem secure but if your infected by the keylogger then SSL is pretty much useless while still doing it's end of the bargain. Think of bolting a stable door and the horse been craned through the roof. You can't blame the guy who fitted the bolt because the doors still secure.

I'm not sure which bank you use but if you'd like to see an example of the screen keyboard then egold use 1.

Fri, Jul 28, 2006 James California

How can you go from SSL issues to a keystroke logger? The two are completely separate issues. Any malware on someones computer is not a weakness in SSL, its a problem on the local computer. Also, I use online banking regularly, and I have yet to see an on-screen keyboard (perhaps you could provide an example), so even if there was a program installed locally that could capture mouse click images, it wouldn't be very useful; and again, nothing to do with SSL. For a program to be able to send commands to your banking website, it would have to know the current structure of that particular website, and be able to simulate it - not likely to happen, and would take a whole lot of work to implement. (No SSL issue here either.) If you're going to put on a heading of SSL, you should talk about SSL. If you want to encourage people to keep malware off their computer, then do so, but please provide more probable examples, or make it clear that your examples are only what could happen, but are very rare.

Thu, Jul 27, 2006 Anonymous Denver

Thank you, Dr. Wettern. Wonderful educational column.

Wed, Jul 26, 2006 J. Jimenez Miami, FL

Don't be so quick to dismiss it Sandeep, it's only the tip of the iceberg.

Wed, Jul 26, 2006 Alan Illinois, USA

Apparently Sandeep Dhar hasn't been keeping up to date with what is going on in the world of malware. Don't forget that malicious image files were the stuff of fantasy and hoaxes a few years ago, now they are a legitimate threat which must be accounted for.

Fri, Jul 14, 2006 Sandeep Dhar PA, USA

Wow! I am no security expert but the author's attempt at blowing away Myth 1 appear to get a bit carried away into the realm of science fiction by themselves! I mean, sending screen shots of online keyboard mouse clicks?? What did the user do? Install Remote Desktop and invite the hackers in?

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.