Tips on how to ease the office pain of password security

by  Alan Zisman (c) 2008 First published in Business in Vancouver November 18-25, 2008; issue 995
High Tech Office column

In the midst of the U.S. presidential campaign, the contents of vice-presidential candidate Sarah Palin’s Yahoo webmail account was posted on the web by someone using the name “rubico.”

Her e-mail was vulnerable because Yahoo Mail, like many other online services, asks users to answer one of a small number of “secret” questions as a way to verify identity in case of a forgotten password.

In this case, the question was “Where did you meet your spouse.” Her answer: “Wasilla high” was not hard to figure out. With that, “rubico” could reset Palin’s e-mail password, gaining access to her account. While there may not be a Wikipedia article about you, many of us have posted information like the name of our high school on social networking websites like Facebook.

(A side issue: we all talk about valuing our privacy then seem to go out of our way to post our personal history complete with embarrassing photos online. Am I the only one seeing a disconnect here?)

From e-mail to ATMs to network access to web-commerce sites and more, we’re being asked for a growing number of passwords. One study suggested that “heavy” online users had an average of 21 passwords. Increasingly, we’re asked for “strong” passwords, mixing upper and lower-case letters with numbers and symbols and then required to change them regularly. We’re warned not to use the same password for different accounts.

The result?

Vaclav Vincalek, president of Vancouver’s Pacific Coast Information Systems (PCIS), suggests that this escalating complexity is increasingly problematic, as security-minded IT staff make demands that users simply can’t meet. He describes one company whose IT manager was appalled at seeing password-reminder sticky notes on many users’ monitors. The company tried to ban the practice. The result? Password-reminder sticky notes hidden in desk drawers and underneath keyboards.

Recovering or resetting forgotten passwords requires about half of all help-desk time for many organizations. Some analysts suggest that each employee needs a password reset nearly twice a month at an estimated cost of $70 each (combining IT staff time with lost productivity).

“Identity and access management” cost almost $3 billion in 2006, according to an IDC study. I can believe it; my employer’s IT help line asks callers to “Press 1 for password help, press 2 for all other issues.”

PCIS sells Passpro. The hardware password management product plugs into a network, allowing users to securely manage their own passwords. By decreasing the amount of time IT support staff has to spend recovering forgotten passwords, it can help businesses increase productivity and decrease costs.

But Vincalek suggests that there are steps that users can take to make their passwords more memorable while making sure that hackers like “rubico” can’t get the answers to their secret questions.

While it’s difficult to remember typical complex passwords, we all have things, unique to each of us, that we remember vividly. Start with something that you remember but won’t be easily guessed: the name of your childhood pet, the make of your parents’ car, for example. Replace some of the characters – change the letter “O” to a zero, an “E” to a “3,” for instance. Take that, adding something for each domain name where you have an account. My father drove a Mercury. I might (but didn’t) create passwords m3rcury.google for my Gmail account, m3rcury.3bay for eBay.

Need to change the password every month? Add a two-digit number for the month.

For those “secret” verification questions, Vincalek suggests another strategy: lie. Ignore the question. Give a standard answer regardless of the question. Name of childhood pet? m3rcury. Mother’s maiden name? m3rcury. High school? m3rcury.

If Palin had done this, her Yahoo Mail wouldn’t have been spread across the web. •