Security Advisor

Security Myths Exposed

Joern demystifies common misconceptions about SSL and complex passwords.

• By Joern Wettern
• 07/01/2006

It's good that users are more aware of security issues these days, and that most are adopting more secure computing behaviors. Unfortunately, some of those behaviors are based on less than a full understanding of security technologies. We'll explore two of the most common security myths and how to avoid falling for them.

Myth No. 1: SSL Is Secure
Anyone shopping on the Web is always told to look for the little SSL security icon in their browser to make sure the site is secure. Few people would even consider entering a credit card number on an online form if it wasn't a secure connection, but that's only part of the equation.

SSL actually does what it was designed to do namely secure data as it is transmitted over a network. The problem is that many people don't realize its limitations. The icon in the browser only indicates that you are indeed connecting to the server you intended to and that data is encrypted while it's being sent and received. That is the extent of the protection afforded by an SSL-certified site. Many people incorrectly assume they're invulnerable to all attacks once they establish an SSL connection.

While a password may be securely transmitted, it could also be captured before it was even sent. Keystroke loggers capture a password or PIN as it's entered on something like an online banking form, even if it's subsequently transmitted over an SSL-secured connection. The keystroke data is sent to an attacker, who can then use that information to clean out the victim's bank account.

To defeat keystroke loggers, some banks have implemented new authentication methods like on-screen keyboards that require you to enter your PIN with mouse clicks instead of keystrokes. In response to this, criminals have developed programs that take screen shots of mouse clicks and send those back to the attacker.

Making things worse, there are now programs that change online transactions as they're happening. You may enter instructions to transfer $20 from your savings account to your checking account, but the bank's Web site could receive an instruction to transfer most of your balance to an account in a country with lax banking laws.

While banks could increase monitoring to prevent these types of attacks, they don't seem to be in any hurry to do so because they fear it would lead to a loss of business. Customers might get annoyed, for example, if the bank called them to confirm each suspicious transaction. Instead of trusting banks to change their ways, you can increase security yourself by paying more attention to your computer.

The only way criminals can take advantage of SSL's limitations is by installing an unauthorized program on the potential victim's computer. To prevent this, you must run up-to-date anti-spyware tools.

Your users also need to know they should say "no" if there's an unexpected prompt to install a new program, and they should not perform normal computing tasks while logged on with an administrative account. Also, it's important to never enter confidential information at a computer you can't trust, like one in an Internet café. Relying entirely on SSL when it only secures one part of your online behavior can be a dangerous mistake.

Myth No. 2: Complex Passwords Enhance Security
Your company probably has a policy that mandates complex passwords. For example, they may require a combination of uppercase and lowercase letters, numbers and special symbols. Windows even includes a Group Policy setting to enforce complex passwords.

To understand why this doesn't enhance security and can even lower it, you have to look at what makes a good password in the first place. Any password requirement should ensure that an attacker can't crack it before it becomes invalid or out of date. For example, if you require users to change their passwords every 90 days, it should be extremely unlikely that anyone could succeed at cracking a password within that time.

Many old computers allowed passwords made up of only letters, didn't differentiate between lowercase and uppercase letters and limited passwords to just a few characters. Using the 26 characters of the alphabet and allowing for six-letter passwords, there are 300 million possible passwords. This provided adequate security on systems that required manual log-on because it would take an attacker too long to enter enough combinations to find the correct password.

Increasing password length to eight characters increases the number of possible combinations to more than 200 billion. Even this has proved inadequate against automated attacks, however, especially offline brute-force attacks that calculate hash values from all possible combinations and compare the results with a captured hash of the target password. These types of attacks quickly crack any password with single-case characters.

The only way to truly prevent someone from guessing or cracking your password is to increase the number of different characters within a password--distinguishing between uppercase and lowercase, allowing numbers and special characters. This increases the number of available characters from 26 to roughly 80. Combining eight of these characters creates more than 4 quadrillion combinations, and greatly increases the time required to crack a password. The problem with using excessively complex passwords is that users may be more tempted to write them down, which completely defeats the purpose, no matter how stringent your password requirements.

Windows also lets you use longer passwords that may contain spaces and other punctuation characters. This allows for the use of pass phrases, which are "passwords" made up of multiple words. Typing a phrase when logging on may require a few extra keystrokes, but it may actually take less time than locating some special characters on the keyboard.

By combining pass phrases with punctuation marks, or small changes to words, you can create even more complexity. Even better, pass phrases are easier to remember and so are more easily accepted by users. They are also less likely to be written down. Unfortunately, not all systems allow for pass phrases. If password length restrictions don't prevent the use of pass phrases, you should consider transitioning to them soon. Doing this not only increases security but makes your users happier with the password guidelines.

There are more security myths making the rounds that you'll read about in future Security Advisor columns. For now, I hope that debunking two of the most popular myths will help you increase your password security and not fall victim to inappropriate trust in SSL.