Why pesky computer passwords could be passé
by Alan Zisman (c) 2010
First published in Business in Vancouver, March 23 - 29, 2010, issue #1065, High Tech Office column
Is your password “123456?” How about “password?”
In December, security firm Imperva analyzed 32 million passwords stolen
from the RockYou service. The hackers had kindly posted a list of all
the passwords they had been able to steal. The most common? “123456,”
followed by “12345,” “123456789” and “password.” Others in the top 10
included “iloveyou,” “princess” and “abc123.” Common children’s names:
“Nicole,” “Daniel,” “Jessica,” and “Ashley” and the not very tricky
“654321” and “qwerty” were among the top 20.
If you’re using one of those or other easily guessable passwords – and
particularly if you’re using the same password for everything – you’re
setting yourself up for theft from bank accounts, identity theft or
allowing your personal computer and business network to host spambots
and phishing scams.
Vaclav Vincalek of Vancouver’s network security consultants Pacific
Coast Information Systems says only part of the problem is end-users
who feel overwhelmed with being asked to create and manage multiple
passwords. He points out that banks use simple four-digit PINs,
suggesting those are the most complex codes that we can easily remember.
Instead, IT departments – trying to eliminate simple, easily guessed
passwords – create complex requirements: perhaps demanding a mix of
uppercase and lowercase characters plus numbers and including special
characters. And by the way, be prepared to change your password every
90 days.
No wonder many of us write our password onto a sticky note and paste it
onto our monitor.
While we too often leave our passwords in plain view, the organizations
charged with storing them too often don’t do much better. Despite
claiming “Our users’ privacy and data security have always been a
priority for RockYou,” the service stored users’ passwords as readable
text in a database, vulnerable to attack.
Most websites and networks let users repeatedly try to enter their
password, which encourages guessing by outsiders. And if you don’t
remember your password on a service you rarely use?
Many let you enter your e-mail address, following up with a message to
help. That’s not a bad thing if the e-mail leads you to a secure web
page that allows you to log in and then has you enter a new password.
But too often, those e-mails simply type out your password – in plain
text, easy for you to read, but also easy for anyone else to read. That
also suggests that, like RockYou, they’re storing your passwords in an
unencrypted text file, where they can be read by anyone with access –
legitimate or not – to their database.
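The column’s inference runs both ways: a site that keeps only a salted, slow hash of each password cannot e-mail the password back, so a reset has to work through a one-time token instead. The following is an added illustration, not code from RockYou or from the column; UserStore, its methods and the user names are hypothetical, and the denylist is built from the common passwords quoted above.

```python
import hashlib
import hmac
import os
import secrets

# Constructed from the RockYou top-20 entries quoted in the column.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "abc123", "nicole", "daniel", "jessica",
                    "ashley", "654321", "qwerty"}

PBKDF2_ROUNDS = 200_000  # slow on purpose: each guess costs the attacker this much work


class UserStore:
    """Hypothetical account store that never holds a readable password."""

    def __init__(self):
        self._users = {}         # name -> (salt, pbkdf2 hash)
        self._reset_tokens = {}  # one-time token -> name

    def register(self, name, password):
        if password.lower() in COMMON_PASSWORDS:
            raise ValueError("password is on the common-password list")
        salt = os.urandom(16)    # per-user salt: identical passwords hash differently
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[name] = (salt, digest)

    def verify(self, name, password):
        if name not in self._users:
            return False
        salt, digest = self._users[name]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def stored_record(self, name):
        # What anyone reading the database sees: salt and hash, not the password.
        salt, digest = self._users[name]
        return salt.hex() + ":" + digest.hex()

    def request_reset(self, name):
        # The e-mail carries this token, not the password (which cannot be recovered anyway).
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = name
        return token

    def complete_reset(self, token, new_password):
        name = self._reset_tokens.get(token)
        if name is None:
            return False            # unknown or already-used token
        self.register(name, new_password)  # rejects a common password; token stays valid
        del self._reset_tokens[token]      # consumed: it cannot be replayed
        return True
```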
Vincalek thinks it’s time to move beyond passwords entirely. No, not to
biometrics like fingerprint scanners.
Instead, he says that while it’s hard for most of us to remember
complex passwords, it’s easy for people to remember patterns.
Maybe, when setting up an account, we could pick something we’re
familiar with: musical instruments, sports-team logos, types of
flowers. Then pick a pattern of those objects: piano, guitar, violin,
drum, drum, clarinet. On log-in, you could be presented with a grid of
randomly arranged pictures of those objects. Click the right ones in
the right order and you’re logged in.
Vincalek realizes that our networks won’t quickly move to anything like
this. In the meantime, he suggests making shapes with letters on your
keyboard and combining them with the domain name.
Try an inverted v-shape starting on the letter “z”. Alternate upper and
lowercase. Add “yahoo” and you’ve got a password for Yahoo Mail. Need
to change it? Move it over one character, starting with the “x.” Hard
to guess, easy to type.
No, neither of those is my password. But neither are “princess,”
“iloveyou” or “123456789.”
Keep ’em guessing – and don’t use sticky notes!