Password ‘Explosion’

From (2-19-07):

UN warns on password ‘explosion’
The proliferation of passwords is putting privacy at risk.
Growing use of the web is stripping people of their personal privacy, warns a UN agency report.
The number of passwords and logins web users need makes it inevitable they will re-use phrases, warned the International Telecommunications Union.
Re-using these identifiers puts people at serious risk of falling victim to identity theft, said the ITU report.

Who could not agree completely with this statement? I just registered for a year of services with Consumer Reports this morning. First order of business: picking a user ID and password. Hey, it’s just an online magazine subscription, right? Wrong; it’s also my credit card data.

This rules out all my favorite standbys that I can still use for truly harmless things like a user group forum. The name of my cat, high school, or first car won’t cut it elsewhere.

Let me be the first to admit that there is no way I can mentally keep track of all my passwords, at work, or at home. I don’t even try. In fact, we can formulate this as a principle:

If you can remember your password (and the dozens of others you use daily), it’s probably insecure.

If you could tell another person what your password was, and that person could remember it without writing it down, that’s another way to tell your password is probably insecure.

Let’s face it, most of us use real dictionary words and names, or parts of them, as filler. Why? They’re memory crutches, that’s why. I can remember Monique57 better than 3cAm24Zr any day of the week. But Monique57 is really just a dictionary name plus a two-digit string. Password-crunching programs eat this kind of password for breakfast!

As the BBC quote from the United Nations suggests, it only takes a few different random passwords of the strength 3cAm24Zr, and I’m solidly in Information Overload. I just can’t keep them all straight in my head!

You will probably have a strong master password, to log in to your OS session, for example. One or two of these is all most of us should bother to try to remember, since even these should be changed every 60-90 days.

At home I use two password utilities to help organize and enter my passwords.

  • RoboForm automatically memorizes and fills internet passwords when it sees these fields on a web page, with your approval. Data is safely encrypted for storage.
  • Password Safe is an old-fashioned password vault that works whether or not you are on the internet. You can use it to look up passwords for offline applications. It does not autofill, but it lets you copy a password into the Windows clipboard with a single click.
  • Obviously you also want a very strong password for the vaults where your passwords are stored. You can find so many discussions of “strong” and “strong enough” on the web we are not going to explore this in any depth. A consensus would probably indicate that your secure password should consist of at least 8 characters, include numeric and alphabetic characters, and contain mixed upper and lower case letters.
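As an added illustration (not from the original post), here is a small Python checker that applies the consensus rule above (at least 8 characters, numeric and alphabetic characters, mixed case) and also flags the Monique57 pattern, a dictionary name plus a short number string. The word list and the assumed attacker-dictionary size are constructed assumptions, not real data.

```python
import math
import re

# Constructed mini word list standing in for a real dictionary/name list.
COMMON_WORDS = {"monique", "password", "welcome", "summer", "fluffy", "chevy"}

# Pattern for "word or name followed by a short run of digits" (Monique57).
WORD_PLUS_DIGITS = re.compile(r"([A-Za-z]+)(\d{0,4})")

# Character classes; each one a password draws from widens the search space.
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 32),
]

def looks_like_word_plus_digits(pw):
    """True when the whole password is a known word/name plus up to four digits."""
    m = WORD_PLUS_DIGITS.fullmatch(pw)
    return bool(m) and m.group(1).lower() in COMMON_WORDS

def estimated_bits(pw):
    """Rough strength estimate in bits.
    A random string scores log2(alphabet) per character; a word-plus-digits
    password collapses to (dictionary size x case variants x digit choices).
    Assumed attacker dictionary: 100,000 words with 4 capitalisation variants."""
    if looks_like_word_plus_digits(pw):
        digits = len(WORD_PLUS_DIGITS.fullmatch(pw).group(2))
        return math.log2(100_000 * 4 * 10 ** digits)
    alphabet = sum(size for rx, size in CLASSES if rx.search(pw))
    return len(pw) * math.log2(alphabet)

def check_password(pw):
    """Apply the consensus rule plus the dictionary-word check; list what fails."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[0-9]", pw):
        problems.append("no numeric characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no alphabetic characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("not mixed case")
    if looks_like_word_plus_digits(pw):
        problems.append("dictionary word/name plus digits")
    return {"password": pw, "bits": round(estimated_bits(pw), 1), "problems": problems}
```

Monique57 satisfies every item of the consensus rule yet is flagged, while 3cAm24Zr passes clean with roughly twice the estimated bits.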

We’re also not going to go into whole data encryption here (where, even if you access the data, it won’t do you any good). All my local Quicken files and other financial data are encrypted by PGP. It would take the CIA or NASA computers quite a while to crack the level of security PGP makes available to home computing.

But you may also do your banking online, or manage a portfolio of stocks and bonds or mutual funds, and that may include savings accounts like ING Direct.

You cannot use a form-filler like RoboForm on a super-secure site like ING. Critical steps are done by images and pattern recognition. You may click a virtual numeric data entry pad to access your account. These measures defeat clandestine keystroke loggers and packet sniffers.

You also can’t use any of these utilities while logging into Windows, since, duh, you’re not logged into Windows. I do keep my Windows login passwords in my wallet, since I just don’t know what else to do. If you come up to me with a silenced automatic and demand my wallet, I’m going to give you my wallet anyway.

My workplace does not allow non-authorized software on its machines, not even a password vault. Here, I created an Excel spreadsheet for all my various passwords, and password-protected the worksheet. Simple, but effective enough.

If this were a magazine article (assuming I was also paid by word count) we could now pad the article with three strategies for you to consider: beginner’s, intermediate, and advanced.

But that’s all fairy-tale stuff anyway. You know your own situation. You know what you want. You know what you need to do. We’ve mentioned a couple of tools to make the job easier. Once we bootstrap you past the I-can’t-remember-any-more-passwords barrier, it gets easier and easier to manage more complex passwords and more of them. If you’re losing too much computer time to pawing through stacks of post-it notes for the password to that site you visited just last year, this article might just help you retake control over the process. Less worry about identity theft. More quality surf time … a winning situation!