[Reader-list] Passwords

Harsh Kapoor aiindex at mnet.fr
Mon Oct 7 21:26:07 IST 2002


Far Eastern Economic Review
Issue cover-dated October 10, 2002

LOOSE WIRE
Try Cracking This Code
By Jeremy Wagstaff

Passwords. People are always banging on at you to change them, keep 
them secret, don't put them on a sticky on the side of your screen, 
don't use your pet Komodo's name and all that, right? Jeez, would 
they just lighten up already?

Well, I hate to be a killjoy but they have a point. With more 
financial transactions being made on-line--from air miles to banking, 
to bill-paying, to book-buying--more and more of our personal data is 
at risk of being compromised. The development of the Internet relies 
on people like us feeling comfortable hanging out there. I'm not 
going on-line shopping, banking or gambling if I don't think my data, 
bank account and credit cards are safe. This means privacy and 
security must be assured. And yet all this information is deeply 
compromised--not only by other people, but by ourselves.

You may not think your password protects much: Most of us believe we 
don't have much that other people would expend a great deal of effort 
trying to take from us: "Who's going to go to all that trouble to get 
my e-mail password, for crying out loud?" I hear you cry.

The problem is that, for a ne'er-do-well, a password is a foot inside 
the door to a much larger treasure trove. If they can get your 
password, they might be able to hack into a bigger network; or, in 
your case, if they know the password to your Yahoo mail account they 
might figure--with good reason, I'd wager--that it's the same as, or 
similar to, your password to other, more lucrative on-line treasures, 
like your on-line bank account. A chink in the armour is all that is 
needed.

What to do? Passwords are very easy to crack if they're simple. The 
longer and more complex your password, the harder it is to crack and 
the longer it's going to take someone. If the program, or Web site, you're 
signing into allows you to use 14 characters or more, use them; if it 
allows capital letters and other characters, use them. It's the 
difference between a ne'er-do-well taking about 30 seconds to crack a 
password like "johnbrown" and days, even months, if it's 
"j()7*~n_b50%N."

The trick is to make up something you can remember. A great password 
forgotten is no use. So here are some tips:

-- Base the password on mnemonics or acronyms, not words or names. 
Use your favourite song titles, movies, football teams as starters. 
It's got to be something that you know a lot about, but not something 
that other people can find out about you--such as your birthday, your 
place of birth, or your kids' names. The first letters of the movie 
The Year of Living Dangerously, for example, could be used in 
conjunction with its two main stars, Mel Gibson and Sigourney Weaver, 
to read "tyoldmgsw."

-- That's just the start. Now you have something you can remember, 
but it's still just basic letters. You need to turn some of them into 
numbers, punctuation symbols and capitals. Try turning the o into a 
similar-looking zero, the l into a one and the s into a five. That 
would give you "ty01dmg5w" which is a lot better, and still easy to 
remember, since the numbers are similar to the letters they've 
replaced.

-- This, sadly, is still not good enough. The people who write 
hacking programs are on to this kind of trick, so your password is 
still vulnerable. It needs an extra trick or two. Try capitalizing 
the family-name letters, alter the 0 to similar-looking bracket marks 
(), and move the numeric characters one key to the left on your 
keyboard.

If your passwords are as good as that, then you should be safe. But 
there's still a weakness, and it's still human. Never give your 
passwords to anyone, don't reuse them for different accounts, and 
change them every few months. Store them on your personal digital 
assistant if you like, but remember that, even if it's in a 
well-encrypted file, all your valuable info is just one password away 
from being accessed by someone. If they steal your device, chances 
are they're eager enough to try to crack the password protecting all 
your passwords. Passwords are better kept in your head, triggered by 
things you'll never forget.

Now, if you'll excuse me, since I've told you my password I've got to 
go make up a new one.

Write to me at jeremy.wagstaff at feer.com
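
An added example, not part of the column or of the original post: a screening check of the kind a sign-up form could run, showing why the look-alike swaps in the second tip are "still not good enough". It undoes those swaps before a dictionary lookup and estimates brute-force search space from length and character classes. The wordlist is a constructed sample and the function names are illustrative.

```python
import math
import string

# Constructed sample wordlist; a real screening list holds millions of entries.
WORDLIST = {"johnbrown", "password", "komodo"}

# Look-alike swaps the column describes: o->0, l->1, s->5, and 0->"()".
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def normalize(password: str) -> str:
    """Undo case changes and look-alike swaps before the dictionary lookup."""
    return password.lower().replace("()", "o").translate(LOOKALIKES)


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes actually used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def search_space_bits(password: str) -> float:
    """Upper bound on brute-force work: length * log2(alphabet size)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def screen(password: str) -> tuple[bool, float]:
    """Return (is a disguised dictionary entry, brute-force bits)."""
    return normalize(password) in WORDLIST, search_space_bits(password)


if __name__ == "__main__":
    # Sample inputs: the column's own passwords plus constructed variants.
    for pw in ("johnbrown", "j0hnbr0wn", "J()hnBr()wn", "ty01dmg5w",
               "j()7*~n_b50%N."):
        weak, bits = screen(pw)
        print(f"{pw!r:18} dictionary variant: {weak!s:5}  ~{bits:.0f} bits")
```

The bit count is an upper bound that assumes every character was chosen at random; a password that normalizes to a wordlist entry falls to a dictionary attack regardless of that number.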


