Alexander’s Blog

February 14, 2008

Is Microsoft’s “Password Checker” a reliable tool to test the strength of your password?

by @ 8:02 am. Filed under Security/Firewalls, Tools/Utils

Microsoft offers a tool called Password Checker. The purpose of the tool is to test the strength of your password as you type. Is Password Checker a reliable tool to test the strength of your password? The answer, in my opinion, is NO. Microsoft correctly states, “It is for personal reference only. Password Checker does not guarantee the security of the password itself.” Microsoft also says about the password that “It should be 14 characters or longer, (eight characters or longer at a minimum). It should include a combination of uppercase and lowercase letters, numbers, and symbols.”

Password Checker tests the strength of your password as you type and rates it as one of the following:

  1. Weak
  2. Medium
  3. Strong
  4. Best

I performed several tests and discovered that the tool is programmed to look for a certain number of characters and certain combinations. It pretty much ignores the length of the password unless you add special characters or mixed case to the password. Your pass phrase can be over a hundred characters long and Microsoft’s Password Checker considers it a weak password unless you add at least one special character, which the tool considers Medium. You can use a password cracking tool and easily prove that the Password Checker tool is incorrect in determining the actual strength of your password and therefore should not be used.

In the document Strong passwords: How to create and use them Microsoft acknowledges that “Each character that you add to your password increases the protection that it provides many times over.” Yet, the Password Checker completely ignores this fact. You can keep adding characters by the dozen and the tool will report that your password is weak. In fact, even if you type a 127-character password (the maximum allowed in Windows) in all lowercase the tool will report it as a weak password because you didn’t include an uppercase character, which makes no sense. According to the tool, adding one uppercase character to a 126-character password makes the password’s strength Medium. So the built-in logic in the tool is questionable. There are lots of other tools available that are more reliable to test your password strength.
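To make the flaw concrete, here is an added example (my own illustration, not Microsoft’s code or a reproduction of the actual Password Checker logic). The class-only rater is a reconstruction of the behaviour described above: the verdict follows which character classes appear and ignores length once eight characters are present. Beside it is a length-aware estimate of the brute-force work factor, with thresholds that are my own assumptions. The sample inputs are constructed: a 127-character all-lowercase phrase and an eight-character password using all four classes.

```python
import math

# Alphabet size contributed by each character class (assumption used for
# the brute-force estimate; the symbol figure is printable ASCII punctuation).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def char_classes(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")  # punctuation, space, anything else
    return classes


def class_only_rating(password: str) -> str:
    """Toy rater reproducing the behaviour the post describes: the verdict
    follows the number of character classes present and ignores length once
    the eight-character minimum is met. A reconstruction for illustration,
    not Microsoft's actual algorithm."""
    if len(password) < 8:
        return "Weak"
    ratings = {1: "Weak", 2: "Medium", 3: "Strong", 4: "Best"}
    return ratings[len(char_classes(password))]


def brute_force_bits(password: str) -> float:
    """Work factor, in bits, for an attacker who knows which character
    classes are in use and enumerates every string of the same length over
    that alphabet: log2(alphabet ** length) = length * log2(alphabet).
    For a phrase built from dictionary words this is an upper bound (a
    word-level guesser does better), so treat it as a comparison between
    the two raters, not as a guarantee."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return len(password) * math.log2(alphabet)


def length_aware_rating(password: str) -> str:
    """Rate by estimated work factor instead of by character classes.
    Thresholds are assumptions chosen for this example."""
    bits = brute_force_bits(password)
    if bits < 40:
        return "Weak"
    if bits < 64:
        return "Medium"
    if bits < 96:
        return "Strong"
    return "Best"


# Constructed inputs: a 127-character all-lowercase phrase (the case the post
# describes) and a short password that uses all four character classes.
LONG_LOWERCASE = ("thequickbrownfoxjumpsoverthelazydog" * 4)[:127]
SHORT_MIXED = "P@ssw0rd"

if __name__ == "__main__":
    for pw in (LONG_LOWERCASE, LONG_LOWERCASE[:126] + "!", SHORT_MIXED):
        print(f"{len(pw):3d} chars  class-only={class_only_rating(pw):6s}  "
              f"length-aware={length_aware_rating(pw):6s}  "
              f"{brute_force_bits(pw):6.1f} bits")
```

Run stand-alone, the script shows the 127-character lowercase phrase rated Weak by the class-only logic while its brute-force work factor is close to 600 bits; swapping the last character for “!” moves the class-only verdict to Medium, exactly the jump described above, even though the length barely changed. The eight-character `P@ssw0rd` gets the class-only top rating while its work factor is about 52 bits, and a dictionary-based guesser would do far better than that figure suggests.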

Microsoft suggests the password should be 14 characters or longer. I suggest you use a pass phrase that is 15 characters or longer, as I explain in my article How Secure Is Your Password?. According to Microsoft security experts that I have talked to, if your password is 15 characters or longer it is not necessary to have a combination of alphanumeric, uppercase, lowercase and special characters in your password. I explain why in the article I just mentioned, How Secure Is Your Password?. Of course, if you add any special characters or numbers you only strengthen your password.

December 9, 2007

Free cryptography book from Alfred Menezes

by @ 9:55 am. Filed under Security/Firewalls, Training

If you are interested in cryptography, you might want to check out the Handbook of Applied Cryptography, by Menezes, van Oorschot, and Vanstone (CRC Press). This book is one of the recommended books for the modern cryptography course in the masters program at the University of Washington in Seattle. As of today, it is sold at Amazon.com for $83.95 but you can download it for free in PDF or Postscript format from Alfred Menezes’ Web site.

Alfred Menezes is a professor of mathematics in the Department of Combinatorics and Optimization at the University of Waterloo (Canada), where he teaches courses in cryptography, coding theory, finite fields, and discrete mathematics.

December 5, 2007

Encryption for Microsoft’s wireless keyboards hacked

by @ 2:51 pm. Filed under News, Security/Firewalls

Swiss IT security company Dreamlab Technologies AG has shown that it is possible to capture and decrypt keystrokes, meaning that user names, passwords, bank details or confidential correspondence can be very easily eavesdropped. Although the trend in wireless communication in peripheral devices such as keyboards and mice is moving towards Bluetooth, market leaders such as Logitech and Microsoft rely on cost-efficient, tried-and-tested 27 MHz radio technology. Using just a simple radio receiver, a soundcard and suitable software, Dreamlab Technologies has managed to tap and decode the radio frequencies transmitted between the keyboard and PC/notebook computer. Although manufacturers of wireless keyboards partially prevent data from being tapped by using cryptography, unfortunately the encryption is weak and thus does not offer real protection. Max Moser from Dreamlab Technologies states: “Wireless communication is only as secure as the encryption technology used. Due to its nature, it can be tapped with little effort.”

Dreamlab Technologies tested and successfully cracked the encryption key used within Microsoft Wireless Optical Desktop 1000/2000 keyboards. As most products in Microsoft’s Wireless Desktop range are based on the same technology, Dreamlab Technologies does not consider them to be secure either. During the test, Max Moser and Phillipp Schrödel of Dreamlab Technologies succeeded in eavesdropping traffic from a distance of up to ten meters using a simple radio receiver. With the appropriate technical equipment, larger distances are possible.

For more information, you can read Dreamlab’s whitepaper and watch their video demonstration.

November 17, 2007

Firefox Exploit can Hack Gmail

by @ 12:55 pm. Filed under Browsers, News, Security/Firewalls

Mozilla has taken another security blow with the discovery that Google user accounts can be accessed through a dangerous Firefox exploit.

The vulnerability, which is still in the wild some 10 days after its discovery on gnucitizen.org, allows hackers to access Google accounts, including Gmail, with cross-site scripting attacks.

A client or server-side exploit can be inserted into .zip files via open document formats from Microsoft Office 2007 and OpenOffice, and uploaded to a server where the Firefox JAR protocol extracts the compressed data.

While Mozilla has not issued a solution to the problem, application firewalls and proxy servers can be used to block Windows Uniform Resource Identifiers (URIs) that contain the JAR protocol, while Web administrators can use a reverse proxy to prevent malicious content from being uploaded.

Users can download a NoScript add-on for Firefox to block JavaScript and executable content from untrusted Web sites, and can secure their Google accounts by remaining signed out whenever possible.

Read this entire story as reported by PC World.

November 2, 2007

Peer-to-Peer File-Sharing and Copyright Infringement: Are You Vulnerable?

by @ 12:18 pm. Filed under Applications, Internet/Web, Security/Firewalls

Here’s some useful information posted by the University of Washington regarding peer-to-peer file-sharing issues.

1. Peer-to-Peer File-Sharing: What is the risk?

Every day, millions of computer users share files online. Whether it is music, games, or software, file-sharing can give people access to a wealth of information. You simply download special software that connects your computer to an informal network of other computers running the same software. Millions of users could be connected to each other through this software at one time. The software often is free and easily accessible.

Sounds promising, right? Maybe, but make sure that you consider the trade-offs. File-sharing can have a number of risks. For example, when you are connected to file-sharing programs, you may unknowingly allow others to copy private files you never intended to share. You may download material that is protected by the copyright laws and find yourself mired in legal issues. You may download a virus or facilitate a security breach.

For more details on securing your personal information, and additional information on file-sharing software and how to remove it, see file-sharing security and software programs.

2. What is the copyright issue?

Under copyright law, it is illegal to download or share copyrighted materials such as music or movies without the permission of the copyright owner. The record and movie industry in recent years has taken an aggressive approach to stopping illegal downloading and file sharing. This has put many students at the nation’s colleges and universities at some legal risk.

Your actions when downloading or sharing files are traceable and could result in a significant financial penalty to you.

3. What is the record and music industry doing about illegal downloads?

There are many initiatives that address illegal file sharing. For instance, the Recording Industry Association of America (RIAA) is now sending colleges and universities letters pointing to specific alleged instances of illegal file sharing and requesting the university to forward the letter to the person the university identifies as being associated with the activity. The letter, called a “Pre-Settlement Letter,” notifies the student that he or she has a specified number of days to settle with the RIAA by going to a designated website, entering identifying information, and paying a set amount, usually between $3,000 and $5,000, but sometimes considerably more. The letter states that, if the recipient chooses not to settle, the RIAA will file a lawsuit and the offer to settle for the amount stipulated may no longer be an option.

Click here to read the rest of the article.


Copyright ©2008 Zubair Alexander. All rights reserved.
