Posts Tagged ‘Stump the Geeks’

I got a question recently from Tyler Dukes at the Raleigh News & Observer related to work on the “Stump the Geeks” column. A reader had developed his own, rather elaborate scheme for assigning unique passwords for each web site (a laudable goal). Here’s what he wrote:

Q. I’ve developed a method for creating IDs and passwords so I can store them without any encryption or hacking worries. I do the following:

1. I always use a base user ID such as MYUSERIDn and password as MYPASSWORDnn.

2. I simply change the “n” to any number for the ID and the “nn” to any number for the password.

3. Now I can store a Web site ID and password as, for example, “Macy’s 522.”

Say Macy’s wants me to set up a user ID and password. I would create my ID as MYUSERID5 and my password as MYPASSWORD22. Now I can bookmark the Macy’s Web site described as “Macy’s 522.” If you don’t know my basic structure, the “522” means nothing. My actual IDs and passwords are more complex than this example, but the concept is the same.

Am I lulling myself into a false sense of security, or is this scheme a viable solution?

The short answer is “yes.” Nice try, but there are some problems with this approach.

The article in the paper summarized some of the issues, but I thought I would go ahead and put out my full answer here…

The password scheme described is certainly better than using the same password for every system, but not really something I would feel comfortable hanging my hat on. First of all, since only alphabetic and numeric characters are used, the number of possibilities an attacker would have to try in a brute force attack (i.e. trying all possible password combinations) is not nearly as large as it would be if special characters (e.g. *, &, !, %, $) and mixed-case alphas were used. Also, the length of the password is not so long that an attack couldn’t be successfully completed in a reasonable amount of time. The key to better security with passwords is complexity. Ideally, you want randomness created by a mixture of cases, alphas, numerics and special characters. These should also change every few months and not be reused on other systems. Any scheme that you reuse also runs the risk that if someone discovers your password on one system, they might be able to infer what it would be on others.


Of course, the problem with doing what I just recommended above in terms of password complexity is that, in general, making a password hard to guess, also makes it hard to remember. Rather than writing passwords down, which introduces yet further risks, it’s best to either use a password storage “vault” or, better still, a single sign-on tool that combines the vault with a capability to automatically enter the password for you. With this sort of software all you need to do is keep up with one complex password (rather than many) and then the program does the heavy lifting of generating strong, unique, random passwords that you never even have to know.
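To put numbers on the brute-force argument above, and to show what a vault does when it generates a password for you, here is an added Python example (not from the original post). The guess rate of 10^10 per second is an assumed figure for an offline attack, and the special-character set is just the post's own examples.

```python
import math
import secrets
import string

# Character classes named in the post; SPECIAL is only the post's examples,
# so the comparison below is deliberately conservative.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "*&!%$"

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the number of bits an exhaustive search must cover."""
    return length * math.log2(alphabet_size)

def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at the given (assumed) guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)

def compare_alphabets(length: int = 12, guesses_per_second: float = 1e10) -> dict:
    """Entropy and exhaustive-search time for the character sets the post contrasts."""
    sets = {
        "lower+digits": len(LOWER) + len(DIGITS),                             # 36
        "mixed+digits": len(LOWER) + len(UPPER) + len(DIGITS),                # 62
        "mixed+digits+special": len(LOWER) + len(UPPER) + len(DIGITS) + len(SPECIAL),  # 67
    }
    return {name: (entropy_bits(n, length), brute_force_years(n, length, guesses_per_second))
            for name, n in sets.items()}

def scheme_residual_keyspace(varying_digits: int = 2) -> int:
    """The reader's MYPASSWORDnn scheme after one site's password has leaked:
    the fixed base is now known, so only the nn digits are left to guess."""
    return keyspace(len(DIGITS), varying_digits)

def generate_password(length: int = 16) -> str:
    """Vault-style generator: CSPRNG, with every character class guaranteed present."""
    classes = [LOWER, UPPER, DIGITS, SPECIAL]
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:  # rejection sampling: retry until all four classes appear
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate
```

Once the base of the reader's scheme is known, the residual keyspace is 100 candidates, against roughly 2^71 for a random 12-character mixed-case alphanumeric password.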

Finally, for even better security, a second mechanism can be added to the password (“something you know”). In this case you would also be challenged to prove that you have some unique device in your possession (“something you have”) or some physical characteristic unique to you (“something you are”). The latter involves biometrics such as fingerprints, retinal scans, voice recognition and the like. The former is perhaps more practical in many cases if the thing you “have” is something you are likely to keep with you most of the time anyway, such as a cell phone. This sort of two-factor authentication would involve logging in with your userid and password as always, and then you might face a second challenge such as entering a one-time PIN that has been sent as a text message to your phone or entering a temporary password that has been generated by an app on the phone. Google, Facebook and others offer this sort of scheme. Twitter, at this point, does not, although there are reports that this capability will be coming in the not-too-distant future. When it does, I would recommend that this option be considered, since it could have prevented the sort of situation that has been seen with a number of high-profile Twitter feeds.

Since the time I wrote that, Twitter has, indeed, come out with a two-factor authentication scheme — a welcome and long overdue enhancement. It’s not perfect, but it is an improvement. If you use Twitter, you might want to take a look.

Here’s a link to a Raleigh News & Observer Stump the Geeks column where I was asked to comment on a user’s recurring nightmare with pop-up ads.

For the most part, pop-ups of the sort described by the unlucky soul submitting this question are the result of downloading stuff you shouldn’t. A search bar, a freeware tool, an email attachment of dubious origins — any of these could result in a surreptitious placement of parasites on your computer that will nag you incessantly to visit some web site whose claims are best categorized with the 2:00 am infomercial ilk.

Ironically, many of these ads promise to speed up a lagging computer that is infested with spyware — the very stuff that likely caused the barrage of pop-ups in the first place. Best not to go down that rabbit hole …

In keeping with the theme of the previous post, I was recently asked by Tyler Dukes of The News & Observer, who writes the biweekly “Stump the Geeks” column, to comment on issues with choosing good passwords. Here’s a link to the article below:

http://www.newsobserver.com/2012/03/19/1935703/passwords-are-still-securitys.html#storylink=misearch

Due to space considerations, a lot of what I wrote didn’t make it past the editor’s knife, so I’m posting my larger response here so you can see what didn’t make the paper and, hopefully, get a better sense of my thinking in this area…

Ideally you would want each password to be chosen randomly and composed of a mixture of upper and lower case characters, along with a few numbers and special characters like *!%$ thrown in for good measure. Also, it is best not to use the same password on any other system, so that if it does become compromised, the damage is limited. Finally, it should be changed at regular intervals, such as every 90, 180 or 365 days, depending upon the risk involved with the information being protected.

All this is to make the password hard to guess. The problem is that things that are hard to guess often tend to be hard to remember, which is why people naturally bristle at such guidance.

I think the best compromise is to use password storage or single sign-on software. These tools can generate strong, random passwords that are unique for each system they will be used to log into and only require the user to remember a single password to unlock the password storage “vault.” I have literally hundreds of passwords — all unique and none that I actually know, but with tools like these I only need to keep up with the one password that unlocks the tool and it keeps up with the rest.

IBM sells a product called Tivoli Access Manager for Enterprise Single Sign-On, which I work with, that is designed to do this for an entire organization’s user population. There are consumer products as well, both free and fee-based. One nice freebie that I have used is Password Safe, an open source tool available from SourceForge.net. Still other tools offer to save your passwords on a shared system (i.e. in the cloud), which is convenient if you need them to be available across multiple systems. Just bear in mind that when you store your passwords on someone else’s system, you are totally at the mercy of how good a job they do with their security and, in most cases, there is no way for you to verify whether their claims of using strong encryption and the like are valid.

As with all such decisions, there’s a trade-off between security and convenience and the answer will be different for different people depending upon their tolerance for risk and their understanding (or lack thereof) of that risk.