This Week in Cybercrime: Are Strong Passwords Only for Your Important Accounts?

Plus: Eavesdrop-ready Internet is a disaster waiting to happen

Strong Passwords: Only For Your “Important” Accounts?

How strong are your computer passwords? What influences whether you “secure” an account with a password such as “123456” or never even bother to change it from a default such as “Welcome1” after you’ve registered at a website? A team of researchers from the University of California at Berkeley, the University of British Columbia, and Microsoft wanted to know whether the password strength meters increasingly seen on registration pages make a difference in what alphanumeric combinations registrants decide to use. In a paper (pdf) released this week, the researchers report the results of experiments designed to reveal the circumstances under which strong or weak passwords are used. The team wrote that, “meters result in stronger passwords when users are forced to change existing passwords on important accounts and that individual meter design decisions likely have a marginal impact.” But the flip side of that coin, unfortunately, is that when it comes to sites that users view as unimportant (when there is no sensitive information, like their bank balances, to keep hidden), they tend not to make the effort. In those instances, say the researchers, users all too frequently reused passwords from other accounts. What they fail to heed, say the researchers, is that regardless of a password’s relative strength, if it is used across several sites, all of a user’s accounts are at risk if a hacker breaks into one site’s poorly guarded password database. The problems with passwords are mostly attributable to “poor policies and…the frequencies we see of databases getting disclosed,” Serge Egelman, a UC Berkeley researcher who was a member of the research team, told Kaspersky Lab’s Threatpost. “If more work was done to secure stored encrypted passwords, less effort would need to be done on the users’ end.”
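The two halves of Egelman’s point, a meter that rejects the weak and default passwords the article names and a server that stores passwords so a leaked database does not hand out the passwords themselves, can both be shown in a few dozen lines. The following is an added illustration written for this column, not code from the Berkeley/UBC/Microsoft paper or from any site’s actual meter; the blocklist, the strength thresholds and the sample passwords are constructed for the example, and the storage side uses salted PBKDF2-HMAC-SHA256 from Python’s standard library (one widely used choice, assumed here rather than taken from the paper).

```python
import hashlib
import hmac
import math
import os
import string

# Constructed blocklist: the two examples from the article plus a few typical defaults.
# A real deployment would check against a large breached-password corpus instead.
COMMON_PASSWORDS = {"123456", "welcome1", "password", "qwerty", "letmein"}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware gets faster


def estimate_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of the character classes used)."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    if any(c.isspace() for c in password):
        charset += 1
    return len(password) * math.log2(charset) if charset else 0.0


def strength(password: str) -> tuple:
    """Return (label, bits, reasons); blocklisted or short passwords are always 'weak'."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common/default password list")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    bits = estimate_bits(password)
    if reasons or bits < 40:
        return ("weak", bits, reasons or ["too little entropy"])
    if bits < 60:
        return ("fair", bits, reasons)
    return ("strong", bits, reasons)


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store only a salted, stretched hash; the plaintext never reaches the database."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be tightened later without a migration flag.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ["123456", "Welcome1", "correct horse battery staple 42!"]:
        label, bits, why = strength(candidate)
        print(f"{candidate!r}: {label} ({bits:.0f} bits) {why}")
    record = hash_password("correct horse battery staple 42!")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple 42!", record))
    print("verify wrong:  ", verify_password("Welcome1", record))
```

Because every record carries its own random salt, two users who chose the same password get different stored digests, and an attacker who dumps the table cannot reuse one cracked digest across the rest of the rows or across other sites. The meter side is deliberately simple: the paper’s finding that meter design details have only marginal impact suggests spending effort on the blocklist and on storage rather than on the meter’s scoring.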

Making Online Communications Eavesdrop-Ready Is a Bad Idea

According to a new report (pdf) being released today by the Center for Democracy and Technology, an advocacy group in Washington, D.C., the U.S. government is asking for trouble with its push to force Internet companies to structure online communications so that law enforcement agencies can “wiretap” e-mail and Skype calls the way they do with traditional wireline phone calls. The report, written by highly regarded computer scientists, says that once companies like Microsoft and Google reengineer the software underlying these services—or the hardware that uses them—in order to build in eavesdropping capabilities, it will no doubt extend that ability to governments looking to repress their citizens and to cybercriminals out to steal and destroy. Edward W. Felten, a computer science professor at Princeton who is one of the authors of the report, told the New York Times that the government is looking for “a single point in the system through which all of the content can be collected…” Felten, who until recently was a technologist with the U.S. Federal Trade Commission, says, “That’s a security vulnerability waiting to happen, as if we needed more.” Felten’s coauthors include cryptographer Bruce Schneier and Phil Zimmermann, creator of Pretty Good Privacy, the most widely used software for keeping e-mails private. A NYT article notes that the “report comes as federal officials say they are close to reaching consensus on the F.B.I.’s longstanding demand to be able to intercept Internet communications.”

Desi Despoilment

Pakistan has been the target of a malware campaign over the past couple of months. Its point of origin? Somewhere inside Pakistan’s fraternal twin, India. Jean-Ian Boutin, a malware researcher at security firm Eset, put up a blog post laying out the results of his investigation into how the attacks have occurred. Boutin says the malware propagation has exploited a counterfeit certificate. The blog post, at, delivers a richly detailed history of the campaign, including the types of malicious code sprung on unsuspecting Pakistanis because of a bogus, digitally signed certificate from an Indian company called Technical and Commercial Consulting Pvt. Ltd. The certificate was originally issued in 2011 but revoked in March 2012. But that didn’t stop the signing of more than 70 different malicious binaries with the certificate between then and September of that year. It’s those fraudulently signed binaries that are bedeviling Pakistanis now. A graph accompanying Boutin’s blog post indicates that although other nations are being hit by the campaign, 79 percent of the infiltrated machines—from which data including screenshots, keystrokes, and even documents in the trash have been stolen and sent to the attackers’ servers—are in Pakistan.

And in Other Cybercrime News…

There’s an interesting article on the Kaspersky Lab Threatpost about the controversy over how security researchers should proceed after discovering exploits that take advantage of vulnerabilities on networks or single machines. Should they turn that information over to the affected companies free of charge or be compensated? Should they publicly reveal what they’ve found? Is it okay to sell the information to the highest bidder?

Microsoft has issued a warning about a new Trojan hijacking Facebook accounts of users in Brazil after masquerading as a legitimate Google Chrome extension and Firefox add-on.

Photo: Savushkin/Getty Images