
N&O spreads flawed password advice

Courtesy Davide Restivo

In today’s Connect section of the News and Observer, reporter John Bordsen asked a panel of technology experts how to protect oneself from online hackers. I have a few beefs with the article, which I’ll describe here.

The first is from Dr. Magdy Attia, dean of the College of STEM at Charlotte’s Johnson C. Smith University:

Change your passwords and make them long. “Your password should be changed every month or every two months – and make it hard to guess,” Attia said. “Some people use kids’ names, birthdates or whatever. But there are software packages that can scan a large number of passwords to find out what can work. A hacker can use these tools to scan for possibilities.”


Um, no. If you tell users to change their passwords frequently, what you get is users who consistently choose passwords that are easy to remember, and easy-to-remember passwords almost never hold up in a dictionary attack. That makes the hacker’s job easier, not harder. Much better advice is to tell users to pick long passwords interspersed with punctuation (spaces and symbols), and then let them keep that password for a while. Yes, keylogging is a threat, but it’s not nearly as likely as a brute-force attack on a network service. A strong password beats a frequently changed one. A bad password left in place for a whole month is almost certain to be compromised, and swapping it for another bad one next month doesn’t undo that.
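To show why forced rotation backfires, here is an added example in Python; it is not code from the original post or from the N&O article. It assumes a constructed three-rotation history for one user and a small hand-picked set of rewrite rules (bump the trailing number, swap the trailing symbol, advance to the next month or season, append a digit or symbol); both are assumptions of this demo, not a real cracking ruleset or dataset. Given the previous password, the attacker recovers the new one in a couple of dozen salted PBKDF2 guesses, while the same function reports the guessing space of a genuinely random five-word passphrase for comparison.

```python
"""Added example, not code from the original post or the N&O article.

Demonstrates the point above: when users are forced to rotate monthly, the
new password is usually a small edit of the old one, so an attacker who
knows (or has cracked) the previous password needs only a handful of
guesses.  The user history and the rewrite rules below are constructed
assumptions for this demo, not a real ruleset or dataset.
"""
import hashlib
import math
import os
import re

ITERATIONS = 10_000  # kept low for the demo; production PBKDF2 counts are far higher
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
SEASONS = ["winter", "spring", "summer", "fall"]
SYMBOLS = "!@#$%"


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, the kind of hash a service should store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def successors(old):
    """Yield likely *next* passwords given the previous one.

    These are the edits a rotation-weary user makes: bump the trailing
    number, swap the trailing symbol, move to the next month or season, or
    tack a digit or symbol onto an otherwise unchanged word.
    """
    m = re.fullmatch(r"(.*?)(\d+)([^\w\s]*)", old)
    if m:
        stem, num, tail = m.groups()
        n, width = int(num), len(num)
        for k in range(1, 13):                   # next twelve values
            yield f"{stem}{n + k:0{width}d}{tail}"
        for s in SYMBOLS:                        # same number, new symbol
            yield f"{stem}{num}{s}"
    lower = old.lower()
    for names in (MONTHS, SEASONS):
        for i, name in enumerate(names):
            idx = lower.find(name)
            if idx < 0:
                continue
            nxt = names[(i + 1) % len(names)]
            if old[idx].isupper():
                nxt = nxt.capitalize()
            yield old[:idx] + nxt + old[idx + len(name):]
    for k in range(10):                          # unchanged word, digit appended
        yield f"{old}{k}"
    for s in SYMBOLS:                            # unchanged word, symbol appended
        yield f"{old}{s}"


def crack_rotation(old, salt, stored, limit=100):
    """Try rotation-derived guesses against a stored hash.

    Returns (guess, attempts) on success or None once `limit` guesses fail.
    Each guess costs the attacker the same PBKDF2 work the defender paid, so
    a slow hash only helps when the attacker needs many guesses; here the
    attacker needs very few.
    """
    for attempts, guess in enumerate(successors(old), start=1):
        if attempts > limit:
            return None
        if hash_password(guess, salt) == stored:
            return guess, attempts
    return None


def passphrase_bits(words, wordlist_size):
    """Guessing space, in bits, of `words` uniformly random dictionary words.

    Five words from a 7776-word list give about 64.6 bits, roughly 2**64
    guesses, against the few dozen needed above.
    """
    return words * math.log2(wordlist_size)


def demo():
    """Constructed sample: one user across three forced rotations."""
    salt = os.urandom(16)
    history = [("Madison2013!", "Madison2014!"),   # bumped the year
               ("Summer2014", "Fall2014"),         # next season
               ("Madison", "Madison1")]            # appended a digit
    return {new: crack_rotation(old, salt, hash_password(new, salt))
            for old, new in history}


if __name__ == "__main__":
    for new, hit in demo().items():
        print(f"{new!r}: guessed {hit[0]!r} on attempt {hit[1]}" if hit else f"{new!r}: not guessed")
    print(f"5 random words from 7776: {passphrase_bits(5, 7776):.1f} bits")
```

The asymmetry is the whole argument: the rotation rules give the attacker a search space of a few dozen candidates, so the cost of the hash function barely matters, whereas a long random passphrase that the user is allowed to keep pushes the attacker back to brute force.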

As an IT manager, I’m fine with users writing their passwords down. In fact, I encourage it! Most passwords that can be easily remembered can also be easily cracked. I’m not too bent out of shape if a user leaves the written password in his or her desk, either. If a would-be hacker can gain physical access to an office, he or she can already gain access to the network. Unless you’re working with state secrets, this should not be a concern.

Next up is Will Enck, assistant professor of computer science at N.C. State:

Keep your system updated. Programs like Acrobat PDF reader, Microsoft and Java are heavily abused by hackers, and patches and new releases often contain upgrades that close avenues hackers use. Keeping these programs up to date is smart, Enck said.

Last I checked, Microsoft is a software company and not a “program.” Not sure if this is Enck’s fault or the reporter’s.

Enck again:

Be wary of software downloads. “If you are getting software at a discount or for free online, remember that there’s no such thing as a free lunch,” Enck said. “There’s lots of pirated software out there, and there’s the increased likelihood there’s some sort of malware in it.”

Actually, no. The most secure software you can get is available for free. It’s called open source, and it publishes all of its source code for everyone to see. With open source software, hackers have a much harder time hiding their dirty tricks. What’s more, open source developers have a much harder time hiding their mistakes, which leads to better security through peer-reviewed code.

Enck seems to throw Android under the bus with his closing statements:

“The number of platforms (like Windows, Apple, Android) with app stores is increasing,” Enck said. “There are some bad alternative app stores for Android out there. Users should stick with the official one for their platform.”

And Enck has a tip for some mobile users: “If you have Android, don’t go get software just because it’s free. Use the Google Play store for apps. And if you can on your device, never click the box in ‘settings’ that allows the installation of settings from unknown sources.”

Why not mention Apple’s app store? Or that a monumentally stupid flaw was just found in Apple’s iOS and Mac code? Flaws like that are much more likely in closed-source software like Apple’s, and relatively easy to discover if they appear in open-source software like Android. That’s not to say that all Android apps are safe, of course, but if you’re worried about the security of your software, open source is definitely the way to go.

Now, speaking of password security, recognized security expert Bruce Schneier wrote a very informative blog post today about choosing proper passwords. If you take his advice and begin to use a password safe, I can’t guarantee you’ll be hack-proof, but you’ll definitely be safer than 99% of online users.