Tuesday, December 18, 2007



There has to be a better way.

I have what seems like thirty thousand logins, each requiring its own username and password combination. (That's not even counting PIN numbers.) Since the identity theft awareness campaigns have gained steam, some of these systems have changed their password rules to prevent anything easy to remember.

As the number of username/password combinations has metastasized, I've found exactly three ways of dealing with the information cascade, none satisfactory.

The first is to use the same combination (or one of the same two combinations) for everything. It's relatively easy to remember, which is no small thing, but it isn't terribly secure. Someone who could hack into one account could hack into many, many others without any effort. The problem with trying to do the electronic equivalent of the James Spader character in Sex, Lies, and Videotape ("I only want one key") is that once that one key is lost, all is lost.

(I've seen programs that remember your passwords for you. This strikes me as an accident waiting to happen. It's literally the one key that rules them all.)

The second is to write them all down, and keep the list handy by the computer. Leaving aside my, um, distinctive handwriting, it raises a fairly obvious security issue. It also raises an issue with updating. Passwords expire at different times, but too many cross-outs make the list useless, and too-intensive updating means I just won't do it.

The third is simply to accept that, at any given moment, a disconcerting amount of my personal information is inaccessible to me. Besides, system admins love nothing better than frantic calls from users who can't remember their passwords. They live for that stuff.

I've done passwords in series -- all the characters from a particular show, important historical dates, hurtful childhood nicknames, that sort of thing. I've taken lines from Great Works of Western Thought and used them as series. (My fave: at Proprietary U, the ERP system made us change passwords every 30 days, and would remember a year-long cycle, so you couldn't re-use any of your previous eleven passwords. Towards the end, I started a series: "Workers" "World" "Unite" "Nothing" "Lose" "Chains." It was good for a chuckle.) But it's embarrassing when your system hiccups, and you get the tech guru in there with wing of bat and eye of newt, and he asks you your password, and it's something like "Winona8675309" or "Scalia666." It's important to maintain some basic level of surface banality.

I've heard talk of 'biometrics,' where you have to get a retinal scan or a fingerprint reading instead of entering a password. It may very well be more accurate and secure, but the 'creepy' factor is pretty high. It's also incredibly vulnerable, in the sense that once somebody figures out how to pirate a retinal scan, you're done. If someone steals my password, I can change it. If someone steals my retinal scan or fingerprint, I'm pretty much out of luck.

Is there a better way? Am I missing the obvious? The number of logins I have to remember at any given time just keeps growing, and there are other things on my mind.

The Plan 9 operating system has a nice program called "factotum" which saves all of your passwords for you in a secure way on your home server. It's like the keychain programs Firefox and OS X have but more secure.

But as you said it's the "One key to rule them all" type of thing.
I will tell you it's no easier for the sysadmins - at one point I was managing several dozen passwords for the systems I ran, and I had the whole gamut - a little black book next to the desk, passwords in series, the whole thing.

One solution I've found useful is to determine which passwords protect things I actually care about protecting. If my Facebook or spam mail account is compromised, I'll live. My bank account is a different matter. Then I use the same password for everything unimportant, and step it up for those things that really matter.

There is no holy grail, but in the end, hackers are much more likely to socially engineer their way into a system than crack the password anyway. That's the dirty little secret.
I have about six passwords that I rotate. I also have an unlocked mini-database program (designed as a password keeper) where I keep password hints. Not the password itself, but a code that lets me know which of my six passwords I used for that particular site. It's easy to update when I have to change a password. A variation on that approach might help--I should probably use it to track more than six passwords, though.

I had to invent a fake wedding to be able to answer six security questions for my bank, so I know your pain.

Come to think of it, one bank hasn't let me in for about a year. Luckily I never use that credit card.
For anything less important than a bank account or credit card, I've gone with "one key to rule them all" in the form of an encrypted text file which lists usernames and passwords, which currently has more than 100 entries (sigh). Like David, for most of these I figure it wouldn't be so bad if they were compromised. The really important ones I write down and file away, with the exception of certain computer accounts which I just memorize. I've actually found that usernames are at least as much of a pain to remember as passwords, especially at big sites (e.g. nytimes, gmail) where you're not going to get any of your usual choices.
There are ways to create a system where you have one login for everything--at least in one place. So, you could at least have a single login for everything at work. These work well, but often break down when dealing with systems that don't play nice with other systems. For social networking and other such accounts, there's OpenID that allows you to use one username and password for many accounts.

Most scams happen not by sheer hacking but by social engineering--tricking people into giving up their passwords. It's faster than hacking and more effective.

I think we all have weird ways of keeping up with passwords. Just don't write down the url for your bank, your username and password all on one sticky next to your computer. That's asking for trouble . . .
I have two short random numbers - I then sandwich a word in between those random numbers. The word varies for my different accounts as they have different schedules for changing my password (yet another maddening layer in this whole mess). But this allows me to write down the words (sans numbers and in pencil so I can change them) somewhere so that I don't have to remember them. If someone finds the paper, they still don't know the password as the numbers are only known to me.
I agree with what someone said above about different levels of passwords. One password is good enough for all "low security" purposes: webmail, blogger, the 60 different computers I have to log onto at work, whatever.

Then a couple of different passwords for private things: my *real* e-mail account, the course management software I have to use as a TA, websites that I am buying things from and which therefore know a lot of personal information. All of this type of stuff gets different passwords, but they're easy for me to remember because of a system I have.

Absolutely unique passwords for banks and credit cards, unrelated to any of the others. But I only have two or three of these.

Wow...I feel very insecure after reading all of this. I keep my passwords in a regular Excel file on my computer at work, and I've started a Google document for the ones I don't use often enough to remember for personal stuff. No bank passwords in either list, but I only have 3 bank/credit card sites to log into, so I just remember those.

I liked the idea of an encrypted file, though. Computer stuff is easy to edit as you need to, and doesn't leave it sitting out in the open on your desk. Something about how if the temptation isn't sitting in front of you it's easier to resist...
Write the passwords down and keep them in your wallet. You already keep your wallet secure. Don't write down what they go with or anything, just in case you lose your wallet.

If you lose your wallet, you're screwed and will have to beg for sysadmin help to get back into all your stuff, but if you lose your wallet, you're screwed ANYWAY. So, why not?
For my work logins, I have to create big ol' passwords with numbers, letters, and "special characters" in them about every six to eight weeks. I've developed a method that works for me.

I have a couple of reference books in my office. One of them has become my "password" book. I leaf through the book, pick an entry, and then tack the page number that entry is found on and a random special character on the end of it.

The advantages are that (a) it's a bitch to crack from the outside since it's a mostly-random series of letters and numbers, (b) if you forget the word but remember the number, or if you forget the number but remember the word, you're fine, since you can look it up in the book, and (c) it's very portable, since the length and complexity of the password will almost certainly be good enough for most any system that needs a user-supplied password.

Like some of the other commenters here, I have three basic password types. The low-level simple phrase password for stuff I don't get het up about, the moderate-complexity password for stuff that matters, and the word-salad-complexity rotating passwords for sensitive work stuff. The first two are stable and easy to remember, and are used for most stuff. The word-salad passwords I keep in my wallet.
I do what others have mentioned, low-level pw & medium-level pw that are fairly stable, and then high-level passwords that are difficult, obscure, involve lies in the security questions, abbreviations of random quotations from books nobody else has ever read, and are written in a little notebook kept locked in my desk AT HOME. Which means I can't bank at work unless I memorize the passwords, but I'm okay with that.

I use a little bitty notebook with one page per account, so when I've changed the PW enough times, I can just tear that page out, shred it, and start a new one.
First, your college should move toward a single sign-in approach so a single campus password opens everything. That password must be kept secure, be securely designed, and changed regularly.

An encrypted or password protected file containing the mass quantities of pointless passwords is the best way to limit what you actually write down.

I heartily endorse the public/private combinations mentioned here: a public part you can write down as it changes regularly (maybe a word) and a secret part you wrap around it (or apply to it).

One nice touch is an oldie but a goodie: replace a top-row letter in a word with the number above it. You can have a rule (replace vowels with numbers, replace the first top-row letter with a number, capitalize the second consonant, whatever) that you use with your public word.
For most of my miscellaneous passwords, I have a standard password (a combination of letters and numbers that's meaningful to me, but not necessarily to others), and I will add a letter or two at a particular point to vary it for each use. For example, if the password were moon769, the Citibank version would be moon769c, the Ebay version would be moon769e, etc. You can make it more complicated as needed, but it feels to me like a tolerable compromise.
A one-key system is really a good solution for most people, probably including you.

Realistically, nobody is going to hack it: there are easier targets out there, and you're not NSA or anyone else worth wasting time on, so to speak.

So long as you have your system set up to prevent a keylogger from being installed (fairly easy to do) then you're safe.
One thing that I do for my institutional account -- which has to be updated every 90 days or so -- is stick with the same password but change one or two digits by hitting the shift key for them. So shirley1234 becomes Shirley123$ and then shirley!234 and so on. That way I don't have to remember something entirely new, but it's different enough to register as a new password.

And, like lots of other people who've already commented, I have one password that I use for Things That Don't Really Matter, another for financial and such, and yet another for work account(s).
I do something similar with several different "levels" of passwords depending on how much it matters to me (and different sets for business/personal), but as a musician for many years I generate my passwords by picking a line of lyrics that I already have memorized and then taking the first (or last, or second, whatever) letter of each word in that line so that, say "Twinkle, twinkle little star" becomes "ttls" and then I have a few different systems for appending numbers/special characters/etc. Generally, I'll have one lyric I use for work with different "specials" added for different things (email account might have a 7 in the middle, blogger account for work might have a @ at the beginning).

One thing I'm ALWAYS careful about that hasn't been mentioned is that you should never use the same password as your email password any place that you sign up using that email at. Otherwise if, say, some cruddy message board you used once three years ago gets its database hacked such that passwords are exposed you lose not just your message board account (who cares) but also potentially your email account since they'd have both the email and the password (as well as, say, your blogger account if you'd reused that password and email combo and they tried it).
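Several comments (the moon769 plus site-letter scheme, the first-letter-of-the-site insertion, and the warning just above about one breached message board exposing an e-mail password) describe the same idea: one memorised secret, varied per site. The Python below is an added example, not code from the post or from any commenter. It puts the hand-visible variation next to a keyed derivation (HMAC-SHA256 of the site name under the master secret, the approach behind tools such as PwdHash) and measures how much one password says about another. The function names, the base and master values and the site names are constructed for illustration.

```python
import hashlib
import hmac
import string

# 64-character output alphabet so that byte % 64 maps uniformly (no modulo bias).
ALPHABET = string.ascii_letters + string.digits + "-_"


def naive_site_password(base: str, site: str) -> str:
    """The scheme several commenters describe: a memorised base password
    with the site's initial appended (e.g. moon769 -> moon769c).
    Anyone who sees one variant can read off the base."""
    return base + site[0].lower()


def derived_site_password(master: str, site: str, length: int = 16) -> str:
    """Per-site password = HMAC-SHA256(master, site) rendered into ALPHABET.
    Deterministic, so nothing has to be stored; one site's password does not
    reveal the master secret or any other site's password."""
    digest = hmac.new(master.encode(), site.lower().encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two passwords have in common: a quick
    measure of how much one leaked password tells you about another."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    base, master = "moon769", "correct horse battery staple"   # constructed values
    site_a, site_b = "citibank.example", "ebay.example"         # constructed sites
    naive_a, naive_b = naive_site_password(base, site_a), naive_site_password(base, site_b)
    kdf_a, kdf_b = derived_site_password(master, site_a), derived_site_password(master, site_b)
    print("naive:  ", naive_a, naive_b, "shared prefix:", shared_prefix_len(naive_a, naive_b))
    print("derived:", kdf_a, kdf_b, "shared prefix:", shared_prefix_len(kdf_a, kdf_b))
```

Two caveats a practitioner would add: the derivation is only as strong as the master secret, since anyone holding one output and the site name can test master guesses offline, so the master must be a long passphrase rather than moon769; and rotating one site's password means changing its label (for instance appending a counter to the site name), which is exactly the bookkeeping a password manager does for you.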
sinoonanj: I have two short random numbers - I then sandwich a word in between those random numbers.

I have a system similar to this one, and have gotten into the habit of creating pw's for all Accts, whether trivial or important, using it.

However, as far as not writing them down, I had to give up the ghost on that a loooong time ago. Except for those I use fairly regularly, there's just no way I can possibly remember all of them.

Especially for those times when I experience a memory hiccup and "forget" a pw, such as with my work VM pw. If I need to access my VMbox via a different phone other than at work, the road becomes hazardous.

For example, when I try to do this from my cell phone, because the buttons are harder to push the "finger dance" is different, if that makes any sense, and I get all screwed up. Then you have to wait a period of time until the muscle memory buffer clears.
I firmly believe that there is a special place in hell reserved for sysadmins that require crazy security for trivial information.

What's the worst that can happen? A hacker cracks my password and is able to screw up my effort reporting? Or reserve library materials in my name? How will civilization endure?

So they require such ridiculous measures that you end up needing a spreadsheet with all your passwords, with the result that the ones that are actually important, like your bank one, are made less secure.

I've tried to make this argument with people, and the response is always this: *shrug* "It's policy."

I hesitate to link various bits of my online life this way, but I wrote a short article for a newsletter at work about this very topic. :) I highly recommend the links at the end.

As for me, I have something like a recipe box with the more important ones. I suppose I should lock it, but I doubt that's the most important thing I'd lose if my house were robbed.
This may seem overly simple, but I keep a password-protected spreadsheet in Excel on my flashdrive. In this file, I keep all of my passwords, none of which are the same as the password for the file. It's one key holding everything, but since I don't carry my flashdrive around with me everywhere I go anymore (off the adjunct treadmill this semester, finally), I always have the information I need with me when I need it.
I just want to nod in agreement and say that all the damned passwords I have to remember drive me nuts.

And I really, really hate things that lock me out after I get the password wrong three times.
I'm with Anonymous 9.15am

I have a random password, alphanumeric which I add to based on the name of the site I'm visiting.

I take the first letter of the site name and insert it at a particular point in the standard password.

So for example for a website for the NYT I might change a password Happy123 by inserting N in the 3rd letter so the password becomes HaNpy123.

I also have a password protected (unique password) Word document with my logins and passwords. It's 2 pages long now!

It's saved with an innocuous name. Although I must check to see if you can find it if you put the word "password" into the search engine.

Luckily, I don't have to update other passwords regularly.

My bank has gone onto the system where you need to know your password and enter the code off a card in your purse, so I can't do that from memory anymore.
I use a password related to what I'm doing. Like Ticketmaster would be "tickets" or something. That helps.

My dad works someplace where he also needs to change his password all the time. He takes a word (one year it was "apple") and then each month puts a different letter of the alphabet in front. apple bapple capple, etc. At my work I try to change only 2 things. one letter and one number different each month.
Biometrics, currently being touted by a great many car companies as security, are not necessarily a good thing.

I rather suspect Mr. Kumaran would rather have his finger than his car, especially as he lost both:

For my secure passwords, I like the "one letter per word" (I think Bro of DD called this "word salad".) It makes it easy to add a period, a 3 for e, 1 for L, etc. Then a password like "I read Dean Dad" can become ir3add.d. and even though it looks like a mess, I can remember it. The added bonus is that I can write "dean dad" as my reminder on a piece of paper, and that doesn't help someone else with determining the letter pattern.

I must admit that most of my passwords are written on an old post-it that I keep in the top drawer of my desk at work. I view the main security risks as on-line hackers, so a physical page in a drawer is secure enough for me. If someone is crazy enough to go through my desk, then I'll have bigger problems (especially at home, where the bank statements are easier to find than the passwords).

I agree about using social engineering to get passwords. DD, do you remember getting into my computer account back in high school, solely by guessing what I'd use for the TWO required passwords?
One userid/password for all trivial accounts, and the open source tool Password Safe for the rest.
I have a couple of memorized passwords for banking as well. This keeps it down to a manageable 4-5 passwords to remember.
Writing passwords down on a piece of paper isn't bad security; after all, we know how to secure small pieces of paper like money and similar objects like your driver's license and credit cards. Writing it down on a post-it stuck to your monitor is bad security of course.

As for there being bigger fish, it's important to remember one of the big differences between computer crime and physical crime: automation. If you can launch millions of attacks, you can still make money even if only 1% succeed and you only make a few cents from each successful attack. This is why I see password-guessing attacks against my home machine and my servers at work every day. It's true that the criminals don't care about my PC or identity in particular, but they make their living based on volume and it costs them nothing to try a few hundred common passwords against your account.
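The last comment's point, that volume rather than targeting is what drives password guessing, is why a home machine or a small departmental server sees guesses every day. As an added example (not code from the post or any commenter), the Python below runs a small detector over constructed sshd log lines in OpenSSH's syslog format: it counts failed password attempts per source address in a sliding time window and reports any source that crosses a threshold, together with the usernames it tried. The hostname, the addresses (taken from documentation ranges), the timestamps and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format; not from any real host.
SAMPLE_LOG = """\
Dec 18 08:00:01 home sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec 18 08:00:03 home sshd[4013]: Failed password for root from 203.0.113.5 port 40123 ssh2
Dec 18 08:00:04 home sshd[4014]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2
Dec 18 08:00:06 home sshd[4015]: Failed password for invalid user oracle from 203.0.113.5 port 40125 ssh2
Dec 18 08:00:09 home sshd[4016]: Failed password for root from 203.0.113.5 port 40126 ssh2
Dec 18 08:01:12 home sshd[4020]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Dec 18 08:01:20 home sshd[4021]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Dec 18 09:30:00 home sshd[4100]: Failed password for root from 203.0.113.5 port 40500 ssh2
"""

# Syslog timestamp, host, sshd pid, then the failure line; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text: str, year: int = 2007):
    """Return (timestamp, source_ip, username) for every failed password line.
    Syslog omits the year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_guessing_sources(events, threshold: int = 5, window_seconds: int = 60):
    """Sliding window per source address: flag an address the first time it
    produces `threshold` failures within `window_seconds`, and record which
    usernames it was trying (many distinct names from one address is the
    signature of a dictionary sweep, not a user mistyping)."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in attempts[start:end + 1]})
                alerts[ip] = {"failures": end - start + 1, "usernames": users}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_guessing_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures in 60s, usernames tried: {info['usernames']}")
```

Pointed at a real auth log (for example /var/log/auth.log, with the year filled in), this is the core of what tools such as fail2ban automate: once a source is flagged, the defender's response is rate limiting or a temporary block at the firewall, and the list of tried usernames is worth keeping because it shows which common account names the sweep expects to exist.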