Some hackers like to "shoulder surf," or steal unsuspecting PC users' passwords by looking over their shoulders at the Internet café. Others prefer to crack an account's password -- using sophisticated software programs. But new developments in network security are going to wipe out the shoulder surfers, and their cracker pals, experts tell United Press International's Networking.
Graphical passwords are emerging -- images, not words or phrases, which authenticate access to a computer or a network.
Developed by computer scientists, these new graphical passwords work by allowing the user to pick points on a picture -- say an image of the Manhattan skyline in New York City -- and click on the pictures of buildings, in sequence. These areas of the image are called "click points," and are said to be easy for PC users to remember, but almost impossible for hackers to guess. The images are assigned alpha-numeric counterparts. The idea is that users can keep their passwords secret -- from all observers.
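As an added illustration (not code from the Rutgers work or from any company named in this article), the sketch below shows one way a server could store and check a click-point password without keeping the raw coordinates. It goes beyond the text by assuming a 10-pixel tolerance, a centered-grid discretization and PBKDF2 hashing; the article does not say how the actual scheme handles these details.

```python
import hashlib
import hmac
import os

TOLERANCE = 10          # assumed: a click within about 10 px of the original is accepted
CELL = 2 * TOLERANCE    # width of one grid cell
ITERATIONS = 100_000    # assumed PBKDF2 work factor


def _encode(indices):
    """Turn the ordered cell indices into the alphanumeric string that gets hashed."""
    return ",".join(f"{ix}.{iy}" for ix, iy in indices).encode()


def enroll(clicks, salt=None):
    """Return the record to store: salt, per-click grid offsets, PBKDF2 digest."""
    salt = salt or os.urandom(16)
    offsets, indices = [], []
    for x, y in clicks:
        # Shift the grid so the enrolled click sits at the centre of its cell;
        # this avoids rejecting a good click that lands just across a cell edge.
        offsets.append(((x - TOLERANCE) % CELL, (y - TOLERANCE) % CELL))
        indices.append(((x - TOLERANCE) // CELL, (y - TOLERANCE) // CELL))
    digest = hashlib.pbkdf2_hmac("sha256", _encode(indices), salt, ITERATIONS)
    return {"salt": salt, "offsets": offsets, "digest": digest}


def verify(record, clicks):
    """Re-discretize a login attempt with the stored offsets and compare digests."""
    if len(clicks) != len(record["offsets"]):
        return False
    indices = [((x - dx) // CELL, (y - dy) // CELL)
               for (x, y), (dx, dy) in zip(clicks, record["offsets"])]
    digest = hashlib.pbkdf2_hmac("sha256", _encode(indices), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


# Constructed sample: five click points (pixel coordinates) on a hypothetical image.
ENROLLED = [(137, 52), (310, 88), (415, 203), (62, 240), (288, 171)]

if __name__ == "__main__":
    record = enroll(ENROLLED)
    print(verify(record, [(x + 4, y - 3) for x, y in ENROLLED]))  # close clicks
    print(verify(record, list(reversed(ENROLLED))))               # wrong order
```

The stored offsets reveal where each click sits inside its cell but not which cell was chosen, so the secret is the ordered sequence of cells.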
"We know that passwords are easy to steal, especially when we don't pick difficult ones," Ken Shaw, executive vice president of Safe Offsite, a computer data security firm, headquartered in Australia, told Networking. "Luckily, computer scientists and engineers have developed ways to protect us as hackers and phishers and the like continue to fine-tune their art of destruction. Graphical passwords enhance our computer's security."
The concept of graphical passwords was developed in academia -- at Rutgers University in New Jersey by Professor Jean-Camille Birget, a professor of computer science.
"Since the technology continues to emerge, we see it as a highly effective stand alone option," said Shaw.
There are questions about the efficacy of the technology, however, for use on dial-up Internet networks, like AOL or MSN.
"These solutions may be appropriate for your main system, but they will do little to protect you when you need to create a new password for an online service," said Shaw.
Nonetheless, these systems are being adopted by a number of different companies, and the new technology has even earned a nickname. "Inside the industry, they're called 'captcha' systems," Dave Taylor, producer of the famed blog, The Intuitive Life, intuitive.com/blog/, told Networking. "They do apparently work quite well."
Other emerging security technologies are competing with these new graphical passwords.
"With more than nine million victims of identity fraud in the U.S. alone, experts agree that the traditional username/password model no longer is secure," said a spokesman for Arcot Systems, a software authentication developer.
The federal government has issued rules for banks, requiring that they have what is termed "multi-factor" authentication by the end of this year, which is stimulating interest in the development of new forms of passwords and access control for computers and networks.
One approach, taken by Arcot, is to encrypt the user name and password on a particular PC. When a hacker tries to crack the account, he receives a message containing a fake password. If he tries to continue to penetrate the system with the fake password, the company is alerted of the intrusion, and the hunt for the hacker commences.
Security concerns these days aren't limited to PCs, local networks and the Internet, though, experts tell Networking. IT security professionals are increasingly concerned about hackers trying to penetrate mainframe computers too. "Enterprises recognize the need to protect data that is processed, stored and transferred by mainframe systems," said Stacey Quandt, research director, security solutions at Aberdeen Group, the research consultancy that covers the IT industry. "Encryption solutions designed specifically for mainframe platforms help businesses ensure compliance and protect their brand while safeguarding their confidential data."
Mr. Koprowski is a Lilly Endowment Award-winning columnist, who covers networking and telecommunications for United Press International. Contact: firstname.lastname@example.org