Tips on how to ease the office pain of password security
by Alan Zisman (c) 2008
First published in Business in Vancouver, November 18-25, 2008; issue 995
High Tech Office column
In the midst of the U.S. presidential campaign, the contents of vice-presidential candidate Sarah Palin’s Yahoo webmail account were posted on the web by someone using the name “rubico.”

Her e-mail was vulnerable because Yahoo Mail, like many other online services, asks users to answer one of a small number of “secret” questions as a way to verify identity in case of a forgotten password.

In this case, the question was “Where did you meet your spouse?” Her answer, “Wasilla high,” was not hard to figure out. With that, “rubico” could reset Palin’s e-mail password, gaining access to her account. While there may not be a Wikipedia article about you, many of us have posted information like the name of our high school on social networking websites like Facebook.

(A side issue: we all talk about valuing our privacy, then seem to go out of our way to post our personal history, complete with embarrassing photos, online. Am I the only one seeing a disconnect here?)
From e-mail to ATMs to network access to web-commerce sites and more, we’re being asked for a growing number of passwords. One study suggested that “heavy” online users had an average of 21 passwords. Increasingly, we’re asked for “strong” passwords, mixing upper- and lower-case letters with numbers and symbols, and then required to change them regularly. We’re warned not to use the same password for different accounts.
The result?
Vaclav Vincalek, president of Vancouver’s Pacific Coast Information Systems (PCIS), suggests that this escalating complexity is increasingly problematic, as security-minded IT staff make demands that users simply can’t meet. He describes one company whose IT manager was appalled at seeing password-reminder sticky notes on many users’ monitors. The company tried to ban the practice. The result? Password-reminder sticky notes hidden in desk drawers and underneath keyboards.
Recovering or resetting forgotten passwords requires about half of all help-desk time for many organizations. Some analysts suggest that each employee needs a password reset nearly twice a month, at an estimated cost of $70 each (combining IT staff time with lost productivity).
“Identity and access management” cost almost $3 billion in 2006, according to an IDC study. I can believe it; my employer’s IT help line asks callers to “Press 1 for password help, press 2 for all other issues.”
PCIS sells Passpro, a hardware password management product that plugs into a network, allowing users to securely manage their own passwords. By decreasing the amount of time IT support staff has to spend recovering forgotten passwords, it can help businesses increase productivity and decrease costs.
But Vincalek suggests that there are steps that users can take to make their passwords more memorable while making sure that hackers like “rubico” can’t get the answers to their secret questions.
While it’s difficult to remember typical complex passwords, we all have things, unique to each of us, that we remember vividly. Start with something that you remember but that won’t be easily guessed: the name of your childhood pet or the make of your parents’ car, for example. Replace some of the characters – change the letter “O” to a zero, an “E” to a “3,” for instance. Then add something for each domain name where you have an account. My father drove a Mercury. I might (but didn’t) create the passwords m3rcury.google for my Gmail account and m3rcury.3bay for eBay.
Need to change the password every month? Add a two-digit number for the month.
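The recipe in the preceding paragraphs (a memorable base word with character substitutions, a tag per site, a two-digit month when rotation is forced) can be written down as a small script, which also makes it easy to check the result against the kind of complexity policy the column mentions. The code below is an added example, not from the column or from PCIS. It keeps the site tag literal (the column itself substitutes characters in “3bay” but not in “google”), the extra substitutions beyond “O” to zero and “E” to “3” are assumptions, and the policy (12 characters, all four character classes) is an assumed corporate rule, not one the column states.

```python
"""Added example: the memorable-password recipe as code, plus a policy check.

Not from the column. Substitutions beyond o->0 and e->3, the literal site tag,
and the complexity policy are assumptions made for this illustration.
"""
import re
from typing import Dict, List, Optional

# "O" -> zero and "E" -> "3" come from the column; the rest are assumed extras
# showing how the same idea generalizes to other letters.
SUBSTITUTIONS: Dict[str, str] = {"o": "0", "e": "3", "a": "@", "s": "$"}


def leetify(word: str, table: Dict[str, str] = SUBSTITUTIONS) -> str:
    """Apply the character replacements case-insensitively; unreplaced
    characters keep their original case, so "Mercury" -> "M3rcury"."""
    return "".join(table.get(ch.lower(), ch) for ch in word)


def derive_password(base: str, domain: str, month: Optional[int] = None) -> str:
    """Build <substituted base>.<site tag>[MM].

    base   -- the memorable seed, e.g. "mercury"
    domain -- the per-site tag, appended as-is (assumption; see lead-in)
    month  -- optional 1-12, appended as two digits for monthly rotation
    """
    pwd = f"{leetify(base)}.{domain}"
    if month is not None:
        if not 1 <= month <= 12:
            raise ValueError("month must be 1-12")
        pwd += f"{month:02d}"
    return pwd


# Assumed corporate complexity policy: minimum length plus all four classes.
POLICY = {
    "min_length": 12,
    "classes": {
        "upper": re.compile(r"[A-Z]"),
        "lower": re.compile(r"[a-z]"),
        "digit": re.compile(r"\d"),
        "symbol": re.compile(r"[^A-Za-z0-9]"),
    },
}


def policy_gaps(pwd: str, policy=POLICY) -> List[str]:
    """Return the requirements a candidate fails; an empty list means it passes.
    Order: length first, then upper, lower, digit, symbol."""
    gaps: List[str] = []
    if len(pwd) < policy["min_length"]:
        gaps.append(f"length<{policy['min_length']}")
    for name, pattern in policy["classes"].items():
        if not pattern.search(pwd):
            gaps.append(f"no {name}")
    return gaps


if __name__ == "__main__":
    # Constructed sample: the column's own base word against a few site tags.
    for base in ("mercury", "Mercury"):
        for domain in ("google", "ebay"):
            candidate = derive_password(base, domain, month=11)
            verdict = policy_gaps(candidate) or ["ok"]
            print(f"{candidate:20s} {', '.join(verdict)}")
```

Run as-is, the lower-case base produces candidates that fail only the upper-case requirement of the assumed policy; capitalizing the base word is enough to satisfy it. The point of pairing the generator with the checker is that a memorability scheme should be tested against the actual rules the IT department enforces before it is adopted, rather than discovered to fail at the next forced change.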
For those “secret” verification questions, Vincalek suggests another strategy: lie. Ignore the question. Give a standard answer regardless of the question. Name of childhood pet? m3rcury. Mother’s maiden name? m3rcury. High school? m3rcury.
If Palin had done this, her Yahoo Mail wouldn’t have been spread across the web. •