Keeping secrets from web spies

By Dan Simmons
Reporter, BBC Click Online

Picking a password is a tricky business. And the temptation is to go for something that is easy to remember like our partner's birthday, a pet's name, or a film star.

The trouble is, given just a few attempts it also makes it pretty easy to crack.

"Hackers today will often use a dictionary style attack. This means they can very quickly use all of the words in the dictionary as well as common celebrity or sports names," explained McAfee security analyst Greg Day.

"For example, many people still use what they think is a smart technique of switching out some of those characters for numbers, for example changing an A into a 4. But that's a very commonly known technique."

"I think what worries us more these days is we use online communities, like MySpace or Bebo, to meet and chat with other people, and people are so willing to hand over this information - favourite film star, etc. As a password stealer I only need to chat to you for a few minutes and I can probably commonly guess your password."

The ideal password is used for one site only, it uses letters in both upper and lower case, numbers, and other characters. Something like this: EAJst9s74*$D!2 - but the problem is that it is just not easy to remember.

Password storage

In fact, with the average number of passwords estimated to be around 20 per person, and that number growing at 20% each year, it is no wonder that many of us cannot keep track of the one we might need.

So if we are not to lapse into using the same password for all our accounts - we need a safe place to store them - somewhere we can access wherever we are.


You can go and use internet search tools like Google and you'll find lots of free tools that allow you to listen in to someone else's PC
Greg Day, McAfee

One answer is to lock them up online. There are many choices available but a new service from BoxKnox is specifically designed to store passwords, offering encrypted storage, at no cost, while protecting anonymity.

You do not need to leave any personal details - just set a username and password. Of course this is a password you really do not want to forget.

But complicated passwords, securely stored, do not mean you are safe.


Keylogging has been around almost as long as computer keyboards

To fully protect yourself you need to be aware of how hackers might try to gain access to your accounts.

"Nowadays it's become incredibly easy for anybody to set up and use something like a keylogger," said Mr Day.

"You can go and use internet search tools like Google and you'll find lots of free tools that allow you to listen in to someone else's PC."

Keyloggers record every keystroke we make and send it on to the hacker. And although they can be used for legitimate tracking - like checking what your children do online - they can be used to spy on anyone.

It took me five minutes to find and download one such program. I then got our security expert to see if he could find out what I'd been up to.

He very quickly established that I'd been to Hotmail, and could easily identify my username and password, date of birth, postcode.

"You'd be amazed," he said, "at what an attacker could do with that."

Criminal activity

Many keyloggers and spyware programs take screenshots of the sites you visit and can copy files from your PC.

These may include any passwords you have asked your computer to remember for you to speed up logging in. These are held as cookies on your machine.

Keyloggers are not illegal to own. It is how they are used which can be criminal.

Last month keylogging software found its way onto hundreds of PCs belonging to account holders at Sweden's largest Bank, Nordea.

In the biggest heist of customer accounts on record more than $1m (£513,000) was stolen.

The Metropolitan Police say thousands of customers in the UK have also been hit by this software.

So what can we do to protect ourselves: firstly - a well configured and up-to-date anti-virus programme should pick most of this type of spyware - especially if it is trying to use our internet connection to send out information.

There are many to choose from, some of which are free. We were using McAfee's Security Suite 2006 but it failed to pick up the keylogger while we were offline.

It is not clear why, but its labs say the software would normally warn users they are being tracked.

Of course one way to beat keyloggers is to not touch the keyboard at all when logging in.

There are several USB devices you can use to automatically log on. We used the Codemeter USB device which holds all my login names and passwords.

It automatically detects when I need them and fills in the necessary boxes for me. I do not have to remember all my passwords which are encrypted on the key.

I just need to remember one master password to make it work - and I must make sure I do not leave the USB device behind.

And the security industry is starting to look at more pre-emptive ways to protect us - before any spyware can get in.

"The security industry has turned to a proactive approach," explained Yuval Ben-Itzhak, chief technology officer at security firm Finjan.

"We no longer need to wait for anti-virus updates in order to find out if something is bad. You can actually analyse it as you run the program, see what it is about to do, and make a decision based on that."

Finjan's internet-browser tool auditions or dry-runs the pagelinks before we click on them to check for any nasty surprises.

It claims this live testing of links has never been beaten by hackers. It is making this software available to the public to download at no cost from next month.

Ditching passwords

But let us face it, most of us are simply too lazy to go the extra mile to protect ourselves, which is why some of the biggest names in banking want to ditch the traditional password altogether.

All of HSBCs customers in Hong Kong are already using a token or fob system - which offers up a constantly changing number that forms part of their online password access.

It is being trialled by some banks in the UK, but may prove too expensive to roll out millions of customers, some of whom may not want to use them.

An alternative being considered by HSBC and the Alliance and Leicester bank in the UK would have us run an application on our mobile phones generating a second pass code - again changing each time we log in.

If, we can be persuaded to use them - the ever-changing password may be the key to keeping our secrets - secret.