Tuesday, December 18, 2007
I have what seems like thirty thousand logins, each requiring its own username and password combination. (That's not even counting PIN numbers.) Since the identity theft awareness campaigns have gained steam, some of these systems have changed their password rules to prevent anything easy to remember.
As the number of username/password combinations has metastasized, I've found exactly three ways of dealing with the information cascade, none satisfactory.
The first is to use the same combination (or one of the same two combinations) for everything. It's relatively easy to remember, which is no small thing, but it isn't terribly secure. Someone who could hack into one account could hack into many, many others without any effort. The problem with trying to do the electronic equivalent of the James Spader character in Sex, Lies, and Videotape ("I only want one key") is that once that one key is lost, all is lost.
(I've seen programs that remember your passwords for you. This strikes me as an accident waiting to happen. It's literally the one key that rules them all.)
The second is to write them all down, and keep the list handy by the computer. Leaving aside my, um, distinctive handwriting, it raises a fairly obvious security issue. It also raises an issue with updating. Passwords expire at different times, but too many cross-outs make the list useless, and too-intensive updating means I just won't do it.
The third is simply to accept that, at any given moment, a disconcerting amount of my personal information is inaccessible to me. Besides, system admins love nothing better than frantic calls from users who can't remember their passwords. They live for that stuff.
I've done passwords in series -- all the characters from a particular show, important historical dates, hurtful childhood nicknames, that sort of thing. I've taken lines from Great Works of Western Thought and used them as series. (My fave: at Proprietary U, the ERP system made us change passwords every 30 days, and would remember a year-long cycle, so you couldn't re-use any of your previous eleven passwords. Towards the end, I started a series: "Workers" "World" "Unite" "Nothing" "Lose" "Chains." It was good for a chuckle.) But it's embarrassing when your system hiccups, and you get the tech guru in there with wing of bat and eye of newt, and he asks you your password, and it's something like "Winona8675309" or "Scalia666." It's important to maintain some basic level of surface banality.
I've heard talk of 'biometrics,' where you have to get a retinal scan or a fingerprint reading instead of entering a password. It may very well be more accurate and secure, but the 'creepy' factor is pretty high. It's also incredibly vulnerable, in the sense that once somebody figures out how to pirate a retinal scan, you're done. If someone steals my password, I can change it. If someone steals my retinal scan or fingerprint, I'm pretty much out of luck.
Is there a better way? Am I missing the obvious? The number of logins I have to remember at any given time just keeps growing, and there are other things on my mind.
But as you said it's the "One key to rule them all" type of thing.
One solution I've found useful is to determine which passwords protect things I actually care about protecting. If my Facebook or spam mail account are compromised, I'll live. My bank account is a different matter. Then I use the same password for everything unimportant, and step it up for those things that really matter.
There is no holy grail, but in the end, hackers are much more likely to socially engineer their way into a system than crack the password anyway. That's the dirty little secret.
I had to invent a fake wedding to be able to answer six security questions for my bank, so I know your pain.
Come to think of it, one bank hasn't let me in for about a year. Luckily I never use that credit card.
Most scams happen not by sheer hacking but by social engineering--tricking people into giving up their passwords. It's faster than hacking and more effective.
I think we all have weird ways of keeping up with passwords. Just don't write down the url for your bank, your username and password all on one sticky next to your computer. That's asking for trouble . . .
Then a couple of different passwords for private things: my *real* e-mail account, the course management software I have to use as a TA, websites that I am buying things from and which therefore know a lot of personal information. All of this type of stuff gets different passwords, but they're easy for me to remember because of a system I have.
Absolutely unique passwords for banks and credit cards, unrelated to any of the others. But I only have two or three of these.
I liked the idea of an encrypted file, though. Computer stuff is easy to edit as you need to, and doesn't leave it sitting out in the open on your desk. Something about how if the temptation isn't sitting in front of you it's easier to resist...
If you lose your wallet, you're screwed and will have to beg for sysadmin help to get back into all your stuff, but if you lose your wallet, you're screwed ANYWAY. So, why not?
I have a couple of reference books in my office. One of them has become my "password" book. I leaf through the book, pick an entry, and then tack the page number that entry is found and a random special character on the end of it.
The advantages are that (a) it's a bitch to crack from the outside since it's a mostly-random series of letters and numbers, (b) if you forget the word but remember the number, or if you forget the number but remember the word, you're fine, since you can look it up in the book, and (c) it's very portable, since the length and complexity of the password will almost certainly be good enough for most any system that needs a user-supplied password.
Like some of the other commenters here, I have three basic password types. The low-level simple phrase password for stuff I don't get het up about, the moderate-complexity password for stuff that matters, and the word-salad-complexity rotating passwords for sensitive work stuff. The first two are stable and easy to remember, and are used for most stuff. The word-salad passwords I keep in my wallet.
I use a little bitty notebook with one page per account, so when I've changed the PW enough times, I can just tear that page out, shred it, and start a new one.
An encrypted or password protected file containing the mass quantities of pointless passwords is the best way to limit what you actually write down.
I heartily endorse the public/private combinations mentioned here: a public part you can write down as it changes regularly (maybe a word) and a secret part you wrap around it (or apply to it).
One nice touch is an oldie but a goodie: replace a top-row letter in a word with the number above it. You can have a rule (replace vowels with numbers, replace the first top-row letter with a number, capitalize the second consonant, whatever) that you use with your public word.
Realistically, nobody is going to hack it: there are easier targets out there, and you're not NSA or anyone else worth wasting time on, so to speak.
So long as you have your system set up to prevent a keylogger from being installed (fairly easy to do) then you're safe.
And, like lots of other people who've already commented, I have one password that I use for Things That Don't Really Matter, another for financial and such, and yet another for work account(s).
One thing I'm ALWAYS careful about that hasn't been mentioned is that you should never use the same password as your email password any place that you sign up using that email at. Otherwise if, say, some cruddy message board you used once three years ago gets its database hacked such that passwords are exposed, you lose not just your message board account (who cares) but also potentially your email account, since they'd have both the email and the password (as well as, say, your blogger account if you'd reused that password and email combo and they tried it).
I have a system similar to this one, and have gotten into the habit of creating pw's for all Accts, whether trivial or important, using it.
However, as far as not writing them down, I had to give up the ghost on that a loooong time ago. Except for those I use fairly regularly, there's just no way I can possibly remember all of them.
Especially for those times when I experience a memory hiccup and "forget" a pw, such as with my work VM pw. If I need to access my VMbox via a different phone other than at work, the road becomes hazardous.
For example, when I try to do this from my cell phone, because the buttons are harder to push the "finger dance" is different, if that makes any sense, and I get all screwed up. Then you have to wait a period of time until the muscle memory buffer clears.
What's the worst that can happen? A hacker cracks my password and is able to screw up my effort reporting? Or reserve library materials in my name? How will civilization endure?
So they require such ridiculous measures that you end up needing a spreadsheet with all your passwords, with the result that the ones that are actually important, like your bank one, are made less secure.
I've tried to make this argument with people, and the response is always this: *shrug* "It's policy."
As for me, I have something like a recipe box with the more important ones. I suppose I should lock it, but I doubt that's the most important thing I'd lose if my house were robbed.
And I really, really hate things that lock me out after I get the password wrong three times.
I have a random password, alphanumeric which I add to based on the name of the site I'm visiting.
I take the first letter of the site name and insert it at a particular point in the standard password.
So for example, for a website for the NYT I might change a password Happy123 by inserting N as the 3rd letter, so the password becomes HaNpy123.
I also have a password protected (unique password) Word document with my logins and passwords. It's 2 pages long now!
It's saved with an innocuous name. Although I must check to see if you can find it if you put the word "password" into the search engine.
Luckily, I don't have to update other passwords regularly.
My bank has gone onto the system where you need to know your password and enter the code off a card in your purse, so I can't do that from memory anymore.
My dad works someplace where he also needs to change his password all the time. He takes a word (one year it was "apple") and then each month puts a different letter of the alphabet in front: apple, bapple, capple, etc. At my work I try to change only 2 things: one letter and one number different each month.
I rather suspect Mr. Kumaran would rather have his finger than his car, especially as he lost both:
I must admit that most of my passwords are written on an old post-it that I keep in the top drawer of my desk at work. I view the main security risks as on-line hackers, so a physical page in a drawer is secure enough for me. If someone is crazy enough to go through my desk, then I'll have bigger problems (especially at home, where the bank statements are easier to find than the passwords).
I agree about using social engineering to get passwords. DD, do you remember getting into my computer account back in high school, solely by guessing what I'd use for the TWO required passwords?
I have a couple of memorized passwords for banking as well. This keeps it down to a manageable 4-5 passwords to remember.
As for there being bigger fish, it's important to remember one of the big differences between computer crime and physical crime: automation. If you can launch millions of attacks, you can still make money even if only 1% succeed and you only make a few cents from each successful attack. This is why I see password-guessing attacks against my home machine and my servers at work every day. It's true that the criminals don't care about my PC or identity in particular, but they make their living based on volume and it costs them nothing to try a few hundred common passwords against your account.
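The volume-driven password guessing the last comment describes shows up directly in a server's auth log. As an added example (not from the post or any commenter), here is a small Python detector run over constructed sshd-style log lines; the log format, the 10-minute window and the threshold of five failures are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd format (not real log data).
SAMPLE_LOG = """\
Dec 18 07:12:01 host sshd[4110]: Failed password for invalid user admin from 203.0.113.5 port 51232 ssh2
Dec 18 07:12:03 host sshd[4112]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Dec 18 07:12:04 host sshd[4114]: Failed password for root from 203.0.113.5 port 51251 ssh2
Dec 18 07:12:06 host sshd[4116]: Failed password for invalid user test from 203.0.113.5 port 51260 ssh2
Dec 18 07:12:09 host sshd[4118]: Failed password for invalid user guest from 203.0.113.5 port 51271 ssh2
Dec 18 07:15:30 host sshd[4201]: Failed password for dean from 198.51.100.7 port 40001 ssh2
Dec 18 07:15:41 host sshd[4203]: Accepted password for dean from 198.51.100.7 port 40001 ssh2
Dec 18 09:40:12 host sshd[4402]: Failed password for root from 192.0.2.9 port 33011 ssh2
"""

# Assumed sshd "Failed password" line layout; "invalid user" appears when the
# account does not exist, which is typical of wordlist-driven guessing.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2007):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def flag_guessing_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (total_failures, sorted distinct usernames)} for every source
    that reaches `threshold` failed logins inside any `window`-long span."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Many distinct usernames from one source is the automated
                # "try a few hundred common passwords" pattern, not a typo.
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged
```

A single mistyped password from a known user (198.51.100.7 above) stays below the threshold, so it is not reported.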