
IS YOUR FINANCIAL INSTITUTION COMPROMISING YOUR SECURITY WITH THEIR ACCOUNT LOG-ON RULES?

If your financial institution engages in one or more of these behaviors, it is weakening your account security …

  1. Require your e-mail address as your user name. Your e-mail address is widely known, and the institution may itself place it on unencrypted messages it sends you, so one half of the log-on pair (the user name) is already public before a password is ever guessed.
  2. Cap your password at a fixed maximum length such as 8 or 16 characters. Each added character multiplies the number of guesses an attacker must try, so a short cap puts a hard ceiling on how long your password can hold out.
  3. Forbid special characters (!@#$%^&*()+=) in your password. This shrinks the alphabet an attacker has to search and rules out the strongest passwords.
  4. Ask you easily guessed “security” questions, such as your mother’s maiden name or family birthdates, whose answers are often a matter of public record or a quick social-media search.
  5. Restrict your PIN to four digits. A four-digit PIN has only 10,000 possible values, so its security rests entirely on the institution locking the account after a handful of wrong attempts.

If you want to see how secure passwords may really be … 

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail, Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger.")

While Anderson's 47-percent success rate is impressive, it's minuscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. To put it mildly, they didn't disappoint. Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.

To read the full story: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica
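The Ars excerpt and the list of log-on restrictions above come down to the same arithmetic: an attacker who holds unsalted MD5 hashes hashes one guess at a time and compares it against every digest in the list, and the rules an institution imposes (length caps, no special characters, four-digit PINs) shrink the space of guesses that has to be searched. The following is an added example, not code from this post or from the Ars article. It runs a miniature rule-based dictionary attack against a constructed "leak" that includes the two MD5 digests quoted in the excerpt, then estimates worst-case brute-force times for the restrictions in the list. The wordlist, the extra plaintexts, the mangling rules and the assumed rate of 10 billion MD5 computations per second are all illustrative assumptions, not figures from the page.

```python
import hashlib
import string

# Constructed sample "leak" of unsalted MD5 digests. The first two are the
# hashes quoted in the Ars excerpt; the rest are generated here from
# plaintexts chosen for the demonstration (one deliberately resists the
# rules below). A real attacker sees only the digests, never the plaintexts.
KNOWN_HASHES = {
    "5f4dcc3b5aa765d61d8327deb882cf99",  # MD5("password")
    "7c6a180b36896a0a8c02787eeafb0e4c",  # MD5("password1")
}
CONSTRUCTED_PLAINTEXTS = ["Summer2012!", "letmein123", "Tr0ub4dor&3"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 digest as lowercase hex, the format of the leaked list."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


LEAKED = KNOWN_HASHES | {md5_hex(p) for p in CONSTRUCTED_PLAINTEXTS}

# Tiny wordlist for the demo; real crackers use millions of entries
# harvested from earlier breaches.
WORDLIST = ["password", "summer", "letmein", "qwerty", "welcome"]


def candidates(word: str):
    """Yield mangled variants of one base word: three capitalisations,
    common digit and year suffixes, each with and without a trailing '!'.
    This imitates the 'rules' stage of a tool like hashcat in miniature."""
    bases = (word, word.capitalize(), word.upper())
    suffixes = ([""] + [str(d) for d in range(10)]
                + [str(y) for y in range(1990, 2014)] + ["123", "1234"])
    for base in bases:
        for suffix in suffixes:
            yield base + suffix
            yield base + suffix + "!"


def crack(hashes, wordlist):
    """Return {digest: plaintext} for every leaked digest hit by a candidate.
    Because the hashes are unsalted, each guess is hashed once and checked
    against the whole set, so the cost does not grow with the number of
    victims in the list."""
    remaining = set(hashes)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            digest = md5_hex(cand)
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
    return found


# Keyspace arithmetic for the log-on restrictions in the list above.
GUESSES_PER_SECOND = 1e10  # assumed GPU MD5 rate, for illustration only

ALNUM = len(string.ascii_letters + string.digits)   # 62: letters and digits
WITH_SPECIALS = ALNUM + len("!@#$%^&*()+=")         # 74: plus the specials the list names


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this shape offline."""
    return keyspace(charset_size, length) / rate


def rule_report() -> dict:
    """Worst-case exhaustive-search time, in seconds, for each restriction.
    The PIN row is a keyspace count only: it shows why a four-digit PIN
    depends entirely on an online lockout, not on the PIN itself."""
    return {
        "4-digit PIN (item 5)": seconds_to_exhaust(10, 4),
        "8 chars, no specials (items 2+3)": seconds_to_exhaust(ALNUM, 8),
        "8 chars, with specials": seconds_to_exhaust(WITH_SPECIALS, 8),
        "16 chars, no specials": seconds_to_exhaust(ALNUM, 16),
    }


if __name__ == "__main__":
    found = crack(LEAKED, WORDLIST)
    print(f"cracked {len(found)} of {len(LEAKED)} hashes")
    for digest, plain in found.items():
        print(f"  {digest}  {plain}")
    for label, secs in rule_report().items():
        print(f"{label:35s} {secs:12.3g} s  ({secs / 31_557_600:.3g} years)")
```

Four of the five constructed hashes fall to a five-word list and a few hundred mangling rules; only the one plaintext that is not a dictionary word with a predictable suffix survives. The keyspace figures make the list's point in numbers: an 8-character alphanumeric cap is exhausted in hours at the assumed rate, allowing the special characters multiplies that by only a few, while doubling the length to 16 characters pushes the same search past the age of the universe.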

Bottom line …

The only real protection you have is personal … your bank may reimburse a loss from your account – but only under certain conditions. It remains up to you to find out what those conditions are … and to get them in writing, since employees of financial institutions are not always truthful or accurate and in any case cannot bind the institution to any obligation or duty regarding performance.

If your system permits it, one way to add length (and cracking time) to your password is to precede it with a long run of special characters. Keep in mind that a short repeated pattern such as “!!!!” adds far less than its length suggests, because cracking tools try common prefixes as rules; a long prefix that is itself unpredictable is what helps. And never use the same password for multiple accounts.

Even if you choose to avoid electronic banking, your account is still at risk.

-- steve

