By John P. Mello Jr. TechNewsWorld
12/09/04 8:43 AM PT
Asterisks bug Alex Konanykhin. Dots irritate him, too.
That's because he believes they're used by software makers to lull computer users into a false sense of security when they enter passwords into their computer.
Because users can't see the passwords hidden behind the asterisks, "most users believe they are secure," the CEO of the Internet marketing company KMGI.com told TechNewsWorld.
Users Seduced
He explained that dots and asterisks seduce users into opting for the "save password" feature in Windows because it saves time. What users are often ignorant of, he continued, is that anyone who uses that computer or accesses it from the Internet can harvest those passwords.
The problem riled Konanykhin so much that he set up an organization, the Internet Security Foundation, to educate the public about it.
According to the results of a straw poll of 240 Internet users released by the foundation, 86 percent of the respondents believed that passwords hidden behind asterisks were securely protected.
Snubbed by Microsoft
Konanykhin, through his foundation, has solicited Microsoft (Nasdaq: MSFT) to alert users about security issues surrounding passwords. "We wrote to Microsoft," he said, "but Microsoft ignored all our letters."
"The responsible thing for Microsoft to do would be to issue a security patch which would make passwords secure and preclude unauthorized access to users' online accounts," he argued.
"At the very least," he said, "Microsoft should have issued a security patch which would warn Windows users that such hidden passwords are not secure. Instead, Microsoft chose to ignore the issue despite our repeated warnings."
Shoulder Surfing
According to a Microsoft spokesperson who asked to remain anonymous, "The asterisk mechanism for visually hiding password characters, used throughout the industry, is designed to prevent 'shoulder surfing' attacks, not to permanently encrypt and obfuscate passwords.
"The ability of a user to run a tool on an unsecured machine to see a password they just typed is not a security threat," the spokesperson told TechNewsWorld via e-mail. "Claims from third parties that such tools constitute a security threat are overstated and irresponsible in that they may raise undue fear amongst customers."
Although security experts concede there may be some confusion among users about passwords hidden behind asterisks or dots, they discount the practice as a serious security threat.
Low Security Threat
"What it comes down to is a general understanding of how machines can be compromised and how passwords and identities are stolen," Craig Schmugar, virus research manager at McAfee Security in Santa Clara, California, said. "For the most part, there's really not a good understanding of that from the general public."
"In the grand scheme of things, this is on the bottom of the list of bad things that can happen," he said of the asterisk issue.
Chris Novak, a senior security consultant with Ubizen, a New York City-based provider of managed security solutions for businesses, said that the asterisk issue has been known for years.
Not Seeing Is Believing
"Many applications, not only those by Microsoft, have been plagued by this vulnerability -- if you even want to call it a vulnerability," he said.
"For most people, not seeing is believing," he asserted. "They assume that if they can't see their password, then nobody else can see their password, so they have a false sense of security that all their passwords are safe."
If some miscreant wants to filch passwords from a computer, though, they're more likely to use a means other than poking behind asterisks, he averred.
"From what our investigators are seeing in the field, more than 60 percent of password theft issues are still the result of key loggers and line sniffers," he said.
"That's down from previous years, mostly due to phishing," he added. "Phishing has grown and taken away from the key loggers and line sniffers."
Nix Passwords
For some security pros, the asterisk issue is just a fragment of a larger problem. "Passwords are simply becoming inadequate for most business applications today as they are too easily stolen and reverse-engineered, and they are also becoming very expensive for companies to manage," Vadim Lander, chief identity architect in the Waltham, Massachusetts, offices of Computer Associates, told TechNewsWorld via e-mail.
"My belief is that companies need to be looking at moving towards using stronger authentication, such as tokens or biometrics, in place of or in conjunction with passwords," he explained. "Those companies who are concerned about assuring the security of their applications are looking at vendors to help get biometric technology adopted as part of the desktop OS solution."