Opinion
Lorrie Cranor: Choose better passwords with help of science
 
 09.14.17

For years, computer users have been told they should have complicated passwords, including numbers, punctuation marks and other symbols, and upper- and lowercase letters. Despite those being hard to remember, people were told not to write their passwords down, and forced to make up new ones quite frequently. Users dutifully complied – by capitalizing the first letter of their passwords, adding a “1” or their birth year, or perhaps ending their password with an exclamation point.

Most people couldn’t actually remember lots of passwords without writing them down, so instead they reused a small number of passwords over and over again. And when they were required to change their passwords, they incremented that “1” to a “2” or added another exclamation point. These simple steps to deal with complicated passwords are so common that they actually make it easier for attackers.

As researchers into password security, we’ve known for years that most password advice was not actually based on scientific knowledge. To address this, we have been conducting experiments about the effects of password requirements on security and usability. The federal government recently changed its password recommendations in ways that echo some of our research findings.

Defending passwords from computers

We spent years modeling how different password-cracking approaches work to better understand how attackers guess passwords and to develop an accurate measure of password strength. People who are trying to break into online accounts don’t just sit down at a computer and make a few guesses. Many attackers have been able to steal the entire database of passwords from large companies – for example, this has happened to Yahoo, LinkedIn, Adobe, Ashley Madison and many others. The passwords are scrambled for security, so attackers have to make lots of guesses to unscramble them. But computer programs let them make millions or billions of guesses in just a few hours.

They may start by guessing all the most popular passwords and words in the dictionary, then adding “1” to each of these, and then again with every other digit and symbol, and then with the first letter capitalized, and so on. The end result is that all the complicated password policies don’t prevent – or even really slow down – cracking of many users’ passwords.

Even worse, once an attacker guesses a user’s password for one account, he will often try using that same password on the user’s other accounts. Since users tend to reuse passwords, this can be very successful. An attacker who cracks the password for some website you registered with eight years ago and forgot about may now be able to access your email, your social network account and your bank account.

All this computing power being applied to cracking passwords means users need to go beyond choosing passwords that are hard for a human to guess: Passwords need to be difficult for a computer to figure out.

Testing perceptions of password strength

Our research has informed efforts to teach people how to use this new understanding of password security. More than 50,000 people participated in our online experiments, each creating a password that complied with randomly assigned requirements: for example, “minimum of 12 characters long” or “must include lowercase and uppercase letters, digits and symbols.” We measured the actual strength of the password, a participant’s ability to remember a password a few days later and other metrics. We also analyzed real passwords created by students, faculty and staff at our university.

Our data have shown us that people hold many misconceptions about passwords, such as believing that adding a digit or exclamation point to the end of their password will make it much stronger. This problem is widespread enough that we created an online quiz game to help dispel some of these misconceptions.

In addition, our data have shown us that it is more important to encourage longer passwords (at least 12 characters) than complicated passwords. At the same time, we’ve learned that some users create long passwords that are still predictable – like “passwordpassword” or “xxxxxxxxxxxx.”

We also learned that giving people feedback at the moment they’re creating new passwords can help. Most often this takes the form of what are called “password meters” – color-coded signals that indicate whether a person has chosen a weak password or one that’s very strong.

While most password meters on the internet provide inaccurate scores and sometimes questionable advice, we developed a password meter that uses an artificial neural network to compute the strength of those passwords based on an analysis of millions of other passwords. In addition, when it identifies a weak password, our meter provides immediate advice on what would make it stronger. For example, if a person puts all the digits at the end of a password, our system might suggest moving them to the middle.

Creating strong passwords

Our research has led us to develop some specific recommendations for choosing passwords that provide good protection for online accounts and the data they contain. A crucial aid in this process is to use a password manager to generate long, random passwords – and remember them for you.

If you’re making your own passwords:

- Make your password at least 12 characters, and mix it up with at least two or three different types of characters (lowercase letters, uppercase letters, digits and symbols), put in unpredictable places. Don’t put your capital letters at the beginning or your digits or symbols at the end.

- Avoid including names of people or pets, places you have lived, sports teams, stuff you like or birth dates. Avoid common phrases (especially anything related to “love” in any language) and song lyrics. Don’t use patterns (“abc,” “123”), including patterns on the keyboard (“1qazxsw2”).

- One way to make a strong password is to create a sentence that no one’s ever said before and use the first letter or two of each word as your password, mixing in other types of characters.
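
The habits described above (a capital letter first, digits or symbols last, a common word underneath, a short unit repeated to reach 12 characters) can be checked mechanically. The following Python sketch is an added example, not the authors' neural-network meter or any code from the article; the `COMMON` and `PATTERNS` lists are small constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample blocklist (assumption); a real deployment would load a
# large list of leaked and commonly used passwords.
COMMON = {"password", "letmein", "iloveyou", "monkey", "dragon", "qwerty"}
# Sequences and keyboard patterns named in the article, plus constructed ones.
PATTERNS = ("abc", "123", "1qazxsw2", "qwerty", "asdf")


def strip_decorations(pw):
    """Undo the usual decoration: leading capital, trailing digits/symbols."""
    core = re.sub(r"[\d\W_]+$", "", pw)  # drop trailing digits and symbols
    return core.lower()


def smallest_repeating_unit(s):
    """Return the shortest substring that, repeated, yields s (s if none)."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return s[:size]
    return s


def check_password(pw):
    """Return a list of findings; an empty list means no rule fired."""
    findings = []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    core = strip_decorations(pw)
    unit = smallest_repeating_unit(core)
    if unit != core:
        findings.append("repeats a short unit")
    if unit in COMMON or core in COMMON:
        findings.append("common password with predictable decoration")
    if any(p in pw.lower() for p in PATTERNS):
        findings.append("contains a sequence or keyboard pattern")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[\W_]")
    if sum(re.search(c, pw) is not None for c in classes) < 2:
        findings.append("fewer than two character types")
    if re.fullmatch(r"[A-Z][a-z]+[\d\W_]+", pw):
        findings.append("capital first, digits/symbols last")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, including the two long-but-weak ones quoted above.
    for sample in ("Password1!", "passwordpassword", "xxxxxxxxxxxx", "tw7Rk!pmoLq3ze"):
        print(sample, "->", check_password(sample) or "no rule fired")
```

An empty result only means none of these rules fired; it is not a measure of how many guesses an attacker would need.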

It may be tempting to reuse your existing passwords, but don’t do it for any accounts you care about. It is better to write your passwords down in a secure place if you have more passwords than you can remember, or better yet, use a password manager.

You can also protect your account without making your password more complicated by using two-factor authentication when it is offered – it’s easier than most people think.

Passwords are an annoying part of online life, but they aren’t going away soon. While the password policies of the past decade have caused more user pain than security gain, our research is helping find ways to create passwords that actually work for regular people while keeping us more secure.


Columnists
Why does God permit natural disasters?
 
 09.13.17

Like many Americans during the past three weeks, I’ve been bombarded by news about the destructive power of Hurricane Harvey in Texas and Hurricane Irma in Florida. The stories are of misery, death and destruction.

The misery, death and destruction are acutely difficult to accept because they have been visited upon innocents. I say that knowledgeable of the ancient argument that our personal and collective sinfulness has merited our pain. Yet that raises this question: Does anyone really deserve personal ruination because of personal sin, particularly from a God whose Son said he came to call sinners and not the just?

Stated differently, why does an all-knowing, all-loving, all-powerful God permit innocents to suffer in natural disasters?

This question has occupied philosophers for millennia. The natural order of things has revealed that we all have free will, and we know from our experiences that we can easily abuse that free will. The individual will is so free that we can use it to do magnificent things or horrific things.

But a natural disaster is not the handiwork of anyone’s free will. Could it really be the handiwork of an angry God impatient with the manner in which we have abused free will? This argument is not a logical extension of Christian teaching, unless God is terribly inconsistent with His impatience over human failures and errors and has somehow overlooked and not yet grown impatient with the world’s worst monsters.

Why the natural disasters? We know from the exercise of our reason that the curvature of the Earth and its continuous movement through space set in motion a series of forces. These forces protect the Earth and its inhabitants from the harmful rays of the sun and permit the intrusion of the beneficial rays. All this comes at a price. The movement of the Earth actually produces friction, and that friction in turn ignites energy, and that energy often is drawn by the Earth’s gravity and finds an outlet in destructive forces on the planet.

Though these forces — the linchpin of which is the Earth’s gravity — can be avoided through the exercise of creative reason (we can build shelters from them), they are often, as with Harvey and Irma, beyond our ability to harness or control. All this is a thumbnail sketch of basic astrophysics, largely acquired through human reason and beyond serious dispute.

But the disputable philosophical questions remain. What force set all this in motion? What caused the big bang in the first place? What caused the Earth’s gravity? What tipped over the first domino that billions of years later triggered the explosions of energy that eventually became Harvey and Irma?

We know from reason that every effect had a cause. You plant grass seed and water it and the effect is blades of grass. The cause was the interaction of the seeds and earth and rain and sun brought together by the free will of the person who did the planting. There are infinite examples of this. Yet is there any cause that was uncaused? Yes. That is the all-knowing, all-powerful, all-loving uncaused cause, whom most of us call God the Father.

Now back to the question posed earlier. If God the Father created us and loves us, why does He permit natural forces that He set in motion to harm and even to devour us? A similar question was actually addressed by our Lord Himself when he was approached by biblical scholars who asked about a young man who was blind from birth. The question they put to Jesus was: Whose sinning caused this man to be born blind? Was it the man himself or his parents?

The question may have been an attempted trap. Yet Jesus answered by saying essentially that no one’s sins caused the blindness. Rather, he was born blind so that the works of God could be made manifest in him. In other words, he was born blind so that Jesus could cure his blindness publicly — as he did — and thereby enhance the faith and understanding of all who learned of this and believed it.

Of course, not all who learned of the cure of the blind man believed in Jesus’ divinity. Some thought he was a charlatan performing tricks, and some thought the young man was never really blind. Their skepticism and doubts caused G.K. Chesterton to remark that “the Christian ideal has not been tried and found wanting. It has been found difficult; and left untried.”

Chesterton recognized that we are free to believe or to reject belief. To those who believe in the all-loving God, we know that from time to time, He manifests Himself to give us a need to embrace Him, just as He did with the man born blind. That embrace is the test of faith. It was manifested in countless unseen acts of generosity and selflessness — from believing stranger to believing stranger — in Texas and in Florida.

I can hear the prayer of the faithful in pain. “O Lord, I prayed that the hurricane would not destroy my home, yet it did. I still love you, Lord, because my family was spared. I love you more now because I need you more now. I don’t reject the truth. I embrace it, no matter the cost — because the truth will keep my free will set upon you.”

As pope, St. John Paul II called this rational belief. It is the essence of understanding. It is faith tempered by human reason and human reason informed by faith. Faith without reason and reason without faith lead to fanaticism. Only their informed juxtaposition will guide our free wills to do the right things and to have understanding when bad things happen.


Columnists
What the USA Parkway means to Northern Nevada
 
 09.13.17

Knecht

On Friday, September 8, the USA Parkway extension was opened from Storey County’s Tahoe Regional Industrial Center to Highway 50 in Silver Springs.

James Smack has taken the pleasant drive on that road that makes getting to Sparks from Silver Springs nearly equivalent in time and mileage to the drive to downtown Carson City.

First, a very positive note. Completion came three months early, and the project came in under budget. Anytime the combination of these two results happens with a transportation project, a spotlight needs to be shined to demonstrate that projects of this magnitude can be completed early and for less money than anticipated. Great job by both the contractor and the Nevada Department of Transportation!

Long term, the impact also looks very positive. The new road will open up opportunities for employment at TRIC for a whole pool of workers everywhere from Silver Springs to Dayton and even Yerington. With less expensive houses and property in Lyon County, many of those working at TRIC today will consider moving out of their rentals in Reno and Sparks and buying a house in one of these communities.

New employers are coming into TRIC all the time. There is a new hotel under construction presently, along with expansion of existing businesses and new buildings under construction. There is even a proposed shopping center.

TRIC is booming right now, and this road opens up more options for future employees to find somewhere to live.

Anyone who works at TRIC now and has to commute there from Reno/Sparks has discovered the newest traffic snarls in Northern Nevada. Weekday mornings Interstate 80 traffic crawls for miles starting before the Patrick exit all the way to the USA Parkway exit, and evening traffic backs up starting around USA Parkway all the way into Reno.

Employees who are dealing with this traffic on a daily basis will likely start looking at Lyon County to relocate just to ease the morning commute. Instead of the 45 minutes it took before the highway extension to drive from Silver Springs to TRIC via Fernley, now it takes 15 minutes.

In the Nevada Appeal of May 10, 2016, Sally Roberts noted there were at that time 119 companies operating at TRIC, with 4500 full-time equivalent employees. With hiring by Tesla, Panasonic and others in the past year, that number has certainly increased. Tiny Storey County issues, on average, 27 new business licenses a week.

In the same article, Roberts highlights how Storey County has been a friendly partner to the businesses wanting to locate to TRIC, making the process easier than other municipalities, including especially the very large ones. For example, “…when a potential new company asks how long it will take to build, county officials turn the table and ask when they want to be done.”

Imagine that! Government helping and not hindering business development.

Roberts also notes: “The county has a government center in TRIC for the convenience of companies looking at the center. All paperwork is online so company planners anywhere in the world can access forms and reports.”

With the additional benefit of much lower permitting costs than neighboring Washoe County, Storey County is making it easy to do business at TRIC. Now that the road is completed, the portions of TRIC in Lyon County will start being developed shortly. We hope the Lyon County government will adopt similar practices to make doing business in their county as easy as Storey.

Furthermore, the new highway provides access to the airport at Silver Springs. Conveniently, the road merges with Highway 50 right next to the airport, which has a full-sized runway and plenty of room around it for infrastructure.

Some folks expect that companies at TRIC will use this airport to meet their air transportation needs, now that there is a highway to link this airport right to the heart of TRIC in about 15 minutes.

James thinks the next big real estate boom is coming, and it is coming to central Lyon County. In the next five years, the reader will see a much different Highway 50 corridor from Dayton through Silver Springs than what exists today.

It would be a good thing.