Home / World Business
Wed, Jun 02, 2004 - Page 12 News List

Passwords no long enough on the Internet

ONLINE SECURITY As evildoers on the Web become increasingly able to steal passwords, companies are looking for ways to make transactions more secure


To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password.

For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.

As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the need for such "passwords-plus" systems.

Scandinavian countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication.

"A password is a construct of the past that has run out of steam," said Joseph Atick, chief executive of Identix Inc, a Minnesota designer of fingerprint-based authentication. "The human mind-set is not used to dealing with so many different passwords and so many different PINs."

When a static password alone is required, security experts recommend that users combine letters and numbers and avoid easy-to-guess passwords like "1234" or a nickname.

Stevan Hoffacker follows those rules but commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times' Web site and E-ZPass electronic toll statements.

In such cases, should hackers or scammers compromise one account, they potentially have one's entire online life.

"This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it," said Hoffacker, an information technology manager in New York.

But it's difficult to remember dozens of strong passwords -- so many sites now require them. Alternatives include writing them down on a sticky note attached to a monitor or in an electronic spreadsheet -- practices security experts also deem unsafe.

Software such as Symantec Corp's Norton Password Manager and Apple Computer Inc's Keychain help store passwords in secure, encrypted form. But if you compromise the master password, you're out of luck. Your entire collection is gone.

Many sites, meanwhile, will e-mail passwords insecurely -- without encryption -- if you forget. A site called BugMeNot.com even encourages users to share passwords for nonfinancial sites like newspapers.

The tools of password harvesting are many:

Keystroke recorders secretly installed at public Internet terminals can capture passwords, as can "phishing" e-mails designed to trick users into submitting sensitive data to fraudulent sites that look authentic. There are computer viruses programmed to harvest passwords as well as software that guesses passwords by running through words in dictionaries.

Though analysts have no hard figures on password-specific fraud, they blame insecure passwords for unauthorized financial transfers, privacy breaches and even the hacking of corporate networks.

With two-factor authentication, having a password alone is useless.

"We will never play the fear factor here, but still it stays a fact that with our products, phishing is no longer an issue," said Jochem Binst of Vasco Data Security International Inc.

The Belgian company issues devices the size of pocket calculators or keychains. You type your regular password into the device for a second code that is based on the time and the unit's unique characteristics. That's the code you type into the Web site.

This story has been viewed 3098 times.

Comments will be moderated. Keep comments relevant to the article. Remarks containing abusive and obscene language, personal attacks of any kind or promotion will be removed and the user banned. Final decision will be at the discretion of the Taipei Times.

TOP top